QueryParameterValidateListener should run before the provider

[wuchen90]

API Platform version(s) affected: 3.1.5

Description
Due to this PR #5473, the QueryParameterValidateListener is now running after the ReadListener and the state provider inside it.
This makes the QueryParameterValidateListener useless.

How to reproduce
See PR #5473 and

Registered Listeners for "kernel.request" Event
===============================================

 ------- ---------------------------------------------------------------------------------------------- ---------- 
  Order   Callable                                                                                       Priority  
 ------- ---------------------------------------------------------------------------------------------- ---------- 
  #1      Symfony\Component\HttpKernel\EventListener\DebugHandlersListener::configure()                  2048      
  #2      Symfony\Component\HttpKernel\EventListener\ValidateRequestListener::onKernelRequest()          256       
  #3      Nelmio\CorsBundle\EventListener\CorsListener::onKernelRequest()                                250       
  #4      Symfony\Component\HttpKernel\EventListener\SessionListener::onKernelRequest()                  128       
  #5      Symfony\Component\HttpKernel\EventListener\LocaleListener::setDefaultLocale()                  100       
  #6      Symfony\Component\HttpKernel\EventListener\RouterListener::onKernelRequest()                   32        
  #7      ApiPlatform\Symfony\EventListener\AddFormatListener::onKernelRequest()                         28        
  #8      Symfony\Component\HttpKernel\EventListener\LocaleListener::onKernelRequest()                   16        
  #9      Symfony\Component\HttpKernel\EventListener\LocaleAwareListener::onKernelRequest()              15        
  #10     Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener::configureLogoutUrlGenerator()   8         
  #11     Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener::onKernelRequest()               8         
  #12     ApiPlatform\Symfony\EventListener\ReadListener::onKernelRequest()                              4         
  #13     ApiPlatform\Symfony\EventListener\DenyAccessListener::onSecurity()                             3         
  #14     ApiPlatform\Symfony\EventListener\DeserializeListener::onKernelRequest()                       2         
  #15     ApiPlatform\Symfony\EventListener\QueryParameterValidateListener::onKernelRequest()            2         
  #16     ApiPlatform\Symfony\EventListener\DenyAccessListener::onSecurityPostDenormalize()              1         
  #17     ApiPlatform\Symfony\Bundle\EventListener\SwaggerUiListener::onKernelRequest()                  0         
 ------- ---------------------------------------------------------------------------------------------- ----------

Possible Solution
The PR introducing this bug #5473 wanted to resolve this issue #4389, so I don't know what to do.
According to this issue above, the QueryParameterValidateListener must be after DenyAccessListener.
And DenyAccessListener should be after ReadListener because it needs the object resolved by the provider to process security checks.

Additional Context

[soyuka]

Indeed this isn't good. feel free to change the priorities yourself while we find a solution for this... or probably I should just revert #5473?

[wuchen90]

@soyuka

Indeed this isn't good. feel free to change the priorities yourself while we find a solution for this... or probably I should just revert #5473?

Yes, I think better to revert #5473 and address a better fix for #4389

[soyuka]

let's follow this at #4389 please help us find a fix if you can, thanks!