API Platform version(s) affected: 3.3.6
Description
When using ApiPlatform 3.2, a custom DTO created through an instance of QueryItemResolverInterface could run through the security checks after the DTO was created. Since using 3.3, the resolver is run after the security check, such that the validator does not have access to the instance of that DTO.
How to reproduce
Configure a DTO like this:
A voter that is responsible for handling the attribute submission_aggregation_read does not have access to the object yet, as it hasn't been initialized during the security checks.
Possible Solution
Like implemented for #6354, there could be something like securityAfterResolver which we could use instead of security
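An added example, not code from the issue or from API Platform: a Symfony voter for the submission_aggregation_read attribute that denies access whenever the subject is not the resolved DTO, which is the state the issue describes for the security check in 3.3. The SubmissionAggregation class, its ownerIdentifier property and the ownership rule are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

namespace App\Security;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

// Hypothetical DTO standing in for the one built by the issue's resolver.
// Kept in the same file only so the example is self-contained.
final class SubmissionAggregation
{
    public function __construct(public readonly string $ownerIdentifier)
    {
    }
}

final class SubmissionAggregationVoter extends Voter
{
    public const READ = 'submission_aggregation_read';

    protected function supports(string $attribute, mixed $subject): bool
    {
        // Match on the attribute alone. If this also required a DTO subject,
        // the voter would abstain when the object is missing and the outcome
        // would depend on the access decision strategy instead of this voter.
        return $attribute === self::READ;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        if (!$user instanceof UserInterface) {
            return false; // no authenticated user: deny
        }

        if (!$subject instanceof SubmissionAggregation) {
            // The security expression ran before the resolver produced the
            // DTO (subject is null or another type): fail closed.
            return false;
        }

        // Assumed rule: only the owner may read the aggregation.
        return $subject->ownerIdentifier === $user->getUserIdentifier();
    }
}
```

With this voter, a security check that runs before the object exists ends in an explicit deny, so the ordering change shows up as refused requests rather than as a decision made without the DTO.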