API Platform version(s) affected: 2.5.1
When using input + DataTransformerInterface, as explained at https://api-platform.com/docs/core/dto/#updating-a-resource-with-a-custom-input, the received DTO model (deserialized user input) is not validated using the Validator service.
It feels like a bug :thinking: Filed as such.
As far as I understand, using a DTO with a data transformer requires you to validate the DTO manually: https://api-platform.com/docs/core/dto/#validating-data-transfer-objects.
I was about to open a similar issue. This also applies to custom controllers: the deserialized payload that is passed to the controller is not validated by API Platform, only the result of the controller is. Adding a listener that automatically performs the validation for DTOs in this scenario is quite trivial but I think it would be nice if API Platform could handle it natively.
I missed the docs, sorry :) Fair point though. But it's not a doc issue; IMHO not validating user input by default is a footgun.
Indeed this is in our pipeline but we're still trying to find how to implement this properly. Indeed, we can't provide a default "Transformer" unless we have some kind of AutoMapper between DTOs and entities.
Why would an auto mapper be needed? The object to validate should be the deserialized object itself, not the updated resource. Wouldn't an event listener similar to current ValidateListener but on event kernel.request (after DeserializeListener) be enough? If the DTO is invalid, the data transformer won't be called anyway.
In case of using input DTO we may even avoid validating the result in the kernel.view listener: if the DTO is valid but the entity became invalid, then the issue is in the data transformer, not in the HTTP request and thus should trigger a 500 response instead of 400. I'm wondering if validating on kernel.view would remain relevant if we validate on kernel.request but maybe there are use cases I am not aware of.
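The listener sketched in the comments above (validate the deserialized DTO on kernel.request, right after API Platform's DeserializeListener, so an invalid payload is rejected with a 400 before any data transformer runs), written out as an added example for API Platform 2.5 on Symfony 4.4/5. This is not code from the API Platform project or from anyone in the thread; the class name, the file path and the skip logic are assumptions, and it deliberately does not read `validation_groups` from the resource metadata the way the built-in ValidateListener does.

```php
<?php
// src/EventSubscriber/ValidateInputDtoSubscriber.php (hypothetical path, assumption)

declare(strict_types=1);

namespace App\EventSubscriber;

use ApiPlatform\Core\EventListener\EventPriorities;
use ApiPlatform\Core\Util\RequestAttributesExtractor;
use ApiPlatform\Core\Validator\ValidatorInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Validates the deserialized input DTO on kernel.request, before any
 * DataTransformerInterface or custom controller sees it.
 */
final class ValidateInputDtoSubscriber implements EventSubscriberInterface
{
    /** @var ValidatorInterface API Platform's validator wrapper (throws ValidationException -> HTTP 400) */
    private $validator;

    public function __construct(ValidatorInterface $validator)
    {
        $this->validator = $validator;
    }

    public static function getSubscribedEvents(): array
    {
        // POST_DESERIALIZE runs just after DeserializeListener has put the
        // deserialized object into the "data" request attribute.
        return [
            KernelEvents::REQUEST => ['validateInput', EventPriorities::POST_DESERIALIZE],
        ];
    }

    public function validateInput(RequestEvent $event): void
    {
        $request = $event->getRequest();
        $attributes = RequestAttributesExtractor::extractAttributes($request);

        // Not an API Platform route, a read-only request, or an operation that
        // does not receive a body: nothing to validate here.
        if (!$attributes || !$attributes['receive'] || $request->isMethodSafe() || $request->isMethod('DELETE')) {
            return;
        }

        $data = $request->attributes->get('data');

        // When no "input" class is configured, "data" is the resource itself and
        // the stock ValidateListener on kernel.view already validates it; only
        // handle the case where a separate DTO was deserialized.
        if (!\is_object($data) || $data instanceof $attributes['resource_class']) {
            return;
        }

        // Throws ApiPlatform\Core\Bridge\Symfony\Validator\Exception\ValidationException,
        // which API Platform turns into a 400 response carrying the violation list.
        $this->validator->validate($data);
    }
}
```

With Symfony autoconfiguration the subscriber is registered automatically. If the resource declares `validation_groups`, pass them explicitly as the second argument of `validate()` (for example `['groups' => [...]]`), since this example does not look them up from the metadata.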