To enable compatibility with the RBAC plugin, ajax requests in admin should contain the "admin" prefix, to make sylius/symfony handle such requests with the "admin" firewall, rather than the "shop" firewall, which is selected for the status quo.
Since that firewall might have a current token (which is most likely not an admin) or no token, the request will be authenticated as "anon." which crashes the RBAC AccessCheckListener as well as it is not good practice.
To enable compatibility with the RBAC plugin, ajax requests in admin should contain the "admin" prefix, to make sylius/symfony handle such requests with the "admin" firewall, rather than the "shop" firewall, which is selected for the status quo.
Since that firewall might have a current token (which is most likely not an admin) or no token, the request will be authenticated as "anon." which crashes the RBAC AccessCheckListener as well as it is not good practice.