The documentation should be available even for operations that require authentication. There is nothing wrong with that. "Security by obscurity" is bad.

More importantly, the admin is broken in that case because it tries to fetch every resource in the hydra documentation.

Then that's a bug in the admin.

I agree. I first created an issue in the admin repository. I ended up overriding the documentation parser.
But still, I would like the ability to hide entrypoints from the swagger ui based on access control. It’s more of a feature request

Maybe it can be done in userland?

Just decorate documentation normalizer.

It's a very frequent request. It would be nice to have it in core (with a flag to enable or disable this feature).

Basically it means executing the security expression in the documentation normalizers.

I really need this and I’d need some directions to push a PR quickly. @dunglas what modifications and configuration options would you like to see?

I suggest to inject the Security Expression executor in DocumentationNormalizer, and to security expression of every resource class before this line and of every operation here.

If the security expression can be executed (it doesn't depend of the current object but only use is_granted() for instance), then I would skip generating the documentation of not allowed operations.

The same logic must be adapted for the OpenAPI DocumentationNormalizer.

I am working on it, i wanted to decorate DocumentationNormalizer but all functions are private !

Is there any news on this topic?