Regression 4.3: Symfony security is called with null object #7896
Open
API Platform version(s) affected: 4.3.0
Description
After upgrading to version 4.3.x my whole chain of security checks stopped working.
Most of my checks are like:
```xml
<resource class="My/Thing">
    <operations>
        <operation class="ApiPlatform\Metadata\Get"
                   security="is_granted('ROLE_SOMETHING') and is_granted('CAN_VIEW', object)">
        </operation>
        <!-- ... -->
    </operations>
</resource>
```

But the profilers logged that the decision maker received `is_granted('CAN_VIEW', null)`, thus denying the request.
How to reproduce
I'm still struggling to reproduce the issue on my side using your unit tests, but I have failed to identify the current steps.
I can confirm that a simple `git checkout 359a128cd56934aeb3aefc13040fcd1206907157^ -- src/Symfony/Security/State/AccessCheckerProvider.php` on my project completely resolves the whole checks.
I'll get back to you with an MR or some feedback as soon as I have it, but maybe @soyuka knows something more, since they are the author of #7500.
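
Added example, not part of the original issue and not API Platform's or the reporter's code: a Symfony voter for `CAN_VIEW` that abstains when the subject is `null` and logs that case, so a missing `object` in a `security` expression denies the request and also shows up in the logs. `App\Entity\Thing`, `ThingVoter` and `getOwner()` are hypothetical names, and the method signatures assume the Symfony 6.4/7.x `Voter` base class.

```php
<?php
// Added illustration. Thing, ThingVoter and getOwner() are hypothetical names.
// Assumes the Symfony 6.4/7.x Voter signatures.
namespace App\Security;

use App\Entity\Thing;
use Psr\Log\LoggerInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

final class ThingVoter extends Voter
{
    public const CAN_VIEW = 'CAN_VIEW';

    public function __construct(private LoggerInterface $logger)
    {
    }

    protected function supports(string $attribute, mixed $subject): bool
    {
        if (self::CAN_VIEW !== $attribute) {
            return false;
        }

        if (null === $subject) {
            // The case from the report: is_granted('CAN_VIEW', null).
            // Abstain so nothing is granted without an object, and leave a
            // trace so the missing subject is visible outside the profiler.
            $this->logger->warning('CAN_VIEW evaluated without a subject', [
                'attribute' => $attribute,
            ]);

            return false;
        }

        return $subject instanceof Thing;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        if (null === $user) {
            return false; // anonymous callers never get CAN_VIEW
        }

        // Only reached for a real Thing, because supports() filtered null.
        return $subject->getOwner() === $user;
    }
}
```

With Symfony's default settings, a decision where every voter abstains is denied, which matches the denial described in the report.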