fix(symfony): security regression when ResourceAccessChecker is decorated (#7896)

giosh94mhz · giosh94mhz · commit 817d0e47f869 · 2026-03-31T12:42:26.000+02:00
Commit 359a128 introduced a regression when ResourceAccessChecker is decorated, and security/securityPostDenormalize are using object in is_granted expression. The issue arise since AccessCheckerProvider violates the Liskov substitution principle by assuming that if the (previously unknown) interface ObjectVariableCheckerInterface is not defined, then the pre_read optimization can be used without an object instance.
diff --git a/src/Symfony/Security/State/AccessCheckerProvider.php b/src/Symfony/Security/State/AccessCheckerProvider.php
@@ -68,6 +68,17 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
             return $this->decorated->provide($operation, $uriVariables, $context);
         }
 
+        // Skip pre_read optimization when object is used via granted (or usage is not predicatable)
+        if (
+            'pre_read' === $this->event
+            && (
+                !$this->resourceAccessChecker instanceof ObjectVariableCheckerInterface
+                || !$this->resourceAccessChecker->usesObjectVariable($isGranted, ['object' => null, 'previous_object' => null])
+            )
+        ) {
+            return $this->decorated->provide($operation, $uriVariables, $context);
+        }
+
         $body = 'pre_read' === $this->event ? null : $this->decorated->provide($operation, $uriVariables, $context);
 
         if ($operation instanceof HttpOperation) {
@@ -85,10 +96,6 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
             ];
         }
 
-        if ('pre_read' === $this->event && $this->resourceAccessChecker instanceof ObjectVariableCheckerInterface && $this->resourceAccessChecker->usesObjectVariable($isGranted, $resourceAccessCheckerContext)) {
-            return $this->decorated->provide($operation, $uriVariables, $context);
-        }
-
         if (!$this->resourceAccessChecker->isGranted($operation->getClass(), $isGranted, $resourceAccessCheckerContext)) {
             $operation instanceof GraphQlOperation ? throw new AccessDeniedHttpException($message ?? 'Access Denied.') : throw new AccessDeniedException($message ?? 'Access Denied.');
         }
