From 12af3dcc6b58e5f3f9a289ad274da93d9d69dc69 Mon Sep 17 00:00:00 2001 From: xavren Date: Fri, 23 Apr 2021 13:46:22 +0200 Subject: [PATCH] Update security ApiProperty variables --- core/security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/security.md b/core/security.md index eaea796af0f..72e62241306 100644 --- a/core/security.md +++ b/core/security.md @@ -105,8 +105,8 @@ In this example: Available variables are: * `user`: the current logged in object, if any -* `object`: the current resource, or collection of resources for collection operations -* `request`: the current request +* `object`: the current resource class during denormalization, the current resource during normalization, or collection of resources for collection operations + Access control checks in the `security` attribute are always executed before the [denormalization step](serialization.md). It means than for `PUT` requests, `object` doesn't contain the value submitted by the user, but values currently stored in [the persistence layer](data-persisters.md).