Sending an empty body will bypass the validation

[Alexandre-Fernandez]

Sending a POST request with an empty body will bypass the validation and still call the controller, even if your DTO has #[Assert\NotBlank] decorators. This is counter intuitive and can lead to bugs since the controller is expecting a filled DTO.

[sfmok]

I'm going to reproduce and push a fix soon. Thanks, @Alexandre-Fernandez to report it.

[sfmok]

@Alexandre-Fernandez I couldn't reproduce this issue. If you could provide me with these details that would be great

PHP version
RequestInputBundle version
Request ContentType
A snippet code of invocable or action controller

Meanwhile, I can see 4 ways to bypass resolving and validating the input argument:
RequestInputBundle is disabled (it's enabled by default)
skip_validation config option is enabled (it's disabled by default)
the input DTO class not implemented the interface "InputInterface"
the request content type is not one of the supported formats "application/json, application/xml, multipart/form-data"

[Alexandre-Fernandez]

I tried making a reproduction repository and after further testing it seems that this only happens when the Content-Type header is missing.
If possible it would be nice to still have an error for this such as ["title" => "Deserialization Failed", "detail" => "Wrong format"].
Atleast that's the behaviour I was expecting, if the DTO could not be parsed, be it because of wrong headers or something else, then the controller shouldn't be called.

[sfmok]

Thanks @Alexandre-Fernandez, You're right this is actually a bug. I will fix it and release a patch soon

[sfmok]

Issue fixed.

throw UnsupportedMediaTypeHttpException in case Content-Type header is missing or unsupported.

[Alexandre-Fernandez]

great thanks