This code fragment correctly passes a `Task` object to the `TaskVoter` "by name":

```php
// TaskController.php
#[Route('/{task}', name: 'task_details', methods: ['GET'])]
/*                                   ↓↓↓↓ */
#[IsGranted(TaskVoter::ACCESS_TASK, 'task', 'No task found', 404)]
public function taskDetails(Task $task): Response
{
    // ...
}

// TaskVoter.php
protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
{
    if (TaskVoter::ACCESS_TASK === $attribute && $subject instanceof Task) {
        return $this->canAccessTask($subject, $token->getUser());
    }

    // Deny when the attribute or subject type is not handled here
    return false;
}
```
This is pretty handy, although I cannot find documentation about it anywhere. I'd expect it in (Security->Add Code to Deny Access) Securing Controllers and Other Code.
It is used throughout Voters->Setup: Checking for Access in a Controller.
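The following is an added example, not code from this issue or from Symfony: a simplified, framework-free stand-in showing how a subject named in an attribute can be looked up among the controller's resolved arguments before the vote. `DemoIsGranted`, `DemoTask`, `DemoController`, `demoVote` and `demoDispatch` are hypothetical names, and the exception code stands in for the HTTP status.

```php
<?php
// Simplified stand-in for name-based subject lookup; every Demo* name is hypothetical.
#[Attribute(Attribute::TARGET_METHOD)]
final class DemoIsGranted
{
    public function __construct(
        public string $attribute,
        public string $subject,               // name of a controller argument
        public string $message = 'Access Denied.',
        public int $statusCode = 403,
    ) {}
}

final class DemoTask { public function __construct(public int $ownerId) {} }

final class DemoController
{
    #[DemoIsGranted('ACCESS_TASK', 'task', 'No task found', 404)]
    public function taskDetails(DemoTask $task): string { return 'task details'; }
}

// Constructed voter rule: only the owner may access the task.
function demoVote(string $attribute, mixed $subject, int $userId): bool
{
    return 'ACCESS_TASK' === $attribute && $subject instanceof DemoTask && $subject->ownerId === $userId;
}

// $namedArgs maps parameter names to the values already resolved for the call.
function demoDispatch(object $controller, string $method, array $namedArgs, int $userId): string
{
    foreach ((new ReflectionMethod($controller, $method))->getAttributes(DemoIsGranted::class) as $ref) {
        $rule = $ref->newInstance();
        if (!array_key_exists($rule->subject, $namedArgs)) {
            // A misspelled subject name must fail loudly instead of voting on null.
            throw new LogicException("No controller argument named \"{$rule->subject}\"");
        }
        if (!demoVote($rule->attribute, $namedArgs[$rule->subject], $userId)) {
            // Reporting 404 rather than 403 does not confirm that the object exists.
            throw new RuntimeException($rule->message, $rule->statusCode);
        }
    }
    return $controller->$method(...$namedArgs);
}

// Constructed sample data: task owned by user 7, requested by user 7 and then by user 8.
$args = ['task' => new DemoTask(ownerId: 7)];
echo demoDispatch(new DemoController(), 'taskDetails', $args, 7), PHP_EOL;
try {
    demoDispatch(new DemoController(), 'taskDetails', $args, 8);
} catch (RuntimeException $e) {
    echo $e->getCode(), ' ', $e->getMessage(), PHP_EOL;
}
```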