No "security" same as empty "security"

[jdomenechb]

I have an example of contract that has the following structure (summerized to highlight the relevant):

# [...]
paths:
  /path/one:
    post:
      # [...]
      security: []

  /path/two:
    post:
      # [...]
      # No security entry defined there

components:
  securitySchemes:
    Bearer:
      type: http
      scheme: bearer
      bearerFormat: JWT

security:
  - Bearer: []

Theoreticaly, I expect:

• In /path/one:
  • __isset() in the Operation object returns true, and __get() returns empty array.
• In /path/two:
  • __isset() in the Operation object returns false, and __get() returns either empty array or null.
  • Alternativelly, I also might expect __isset() to return false, but __get() return the default security defined at contract root level. I consider this possibility as it is a solution similar like how references work in the scope of this library.

However, the problem is that what I actually get in both paths, is __isset() = true and __get() = empty array. As I get the same result in both, there is no way to determine that /path/one does not have at all security (and therefore, could be called directly), and that /path/two has default security.

[cebe]

Fixed, thanks for reporting!