[Security] Document "pass controller object argument by name" behavior for IsGranted attribute

This code fragment correctly passes a `Task` object to the TaskVoter "by name":
```php
// TaskController.php

#[Route('/{task}', name: 'task_details', methods: ['GET'])]
/*                                   ↓↓↓↓                       */
#[IsGranted(TaskVoter::ACCESS_TASK, 'task', 'No task found', 404)]
public function taskDetails(Task $task): Response
{
    // ...
}

// TaskVoter.php
protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
{
    if (TaskVoter::ACCESS_TASK === $attribute && $subject instanceof Task) {
        return $this->canAccessTask($subject, $token->getUser());
    }
}
``` 

This is pretty handy, although I cannot find documentation about it anywhere. I'd expect it in  [(Security->Add Code to Deny Access) Securing Controllers and Other Code](https://symfony.com/doc/current/security.html#securing-controllers-and-other-code).
It is used throughout [Voters->Setup: Checking for Access in a Controller](https://symfony.com/doc/current/security/voters.html#setup-checking-for-access-in-a-controller).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] Document "pass controller object argument by name" behavior for IsGranted attribute #19589

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Security] Document "pass controller object argument by name" behavior for IsGranted attribute #19589

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions