access_control, expression language instance

[Toflar]

Can anybody elaborate on why the DenyAccessListener uses its own expression language instance and not the one of Symfony Security?

We're using https://github.com/api-platform/core/blob/master/src/Bridge/Symfony/Bundle/Resources/config/security_expression_language.xml#L7 instead of Symfony's security.expression_language.

I don't see why this is done. In Symfony I can easily add new expression languages by tagging the providers as security.expression_language_provider which of course do not end up in our DenyAccessListener.
Why would we want two different instances? Both are related to security, aren't they?

[Toflar]

@dunglas @soyuka @Simperfit can anyone just quickly tell me if there's any reason for it to be standalone and not the framework security.expression_language. I'll work on a PR then so we can get this done :)

[soyuka]

I really don't know unless it's to not be dependent of another symfony-tight library.

[Toflar]

I've created a PR in #2289, I guess that illustrates the issue/benefits a bit better :)