Description
Hi!
In the Symfony security 5.2 (well, introduced in 5.1) "authenticator" system, anonymous users are gone, which means that when a user is not authenticated, there will be no "token" in the security system.
This causes a problem in API Platform: if an anonymous user tries to access an operation that is protected with a security attribute, they will get:
The current token must be set to use the "access_control" attribute (is the URL behind a firewall?).
Solution
Fortunately, I think the solution is pretty simple :). In ResourceAccessChecker, a null token needs to be allowed, which would just pass null `token` and `user` variables into the expression.
The only tricky part is that we probably (?) want to continue to throw the above exception for users that are using the "old" security system. If that is the case, then a new constructor flag will need to be passed to ResourceAccessChecker
that tells it if this exception should be thrown (basically, this flag would be true if the "old" system is used and false if the "new" system is used). A similar thing is done in the core of Symfony: https://github.com/symfony/symfony/blob/494ef421c554a78b38c6779c4b7deb9a20d89923/src/Symfony/Component/Security/Core/Authorization/AuthorizationChecker.php#L52
In order to set that argument, there is no parameter in Symfony that just says "the user is on the old/new system". I think the best way would be to, in a compiler pass, check for the existence of the `security.authenticator.manager` service. If that service exists, then the user is on the "new" system.
Sorry I can't create a PR for lack of time at the moment - but hopefully this description will help someone :).
Cheers!
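The two pieces proposed above, a checker that tolerates a missing token behind a flag and a compiler pass that derives the flag from the presence of `security.authenticator.manager`, as an added illustrative sketch. This is not API Platform's or Symfony's own code: the class names prefixed `Example`, the service id `example.resource_access_checker` and the exception message are assumptions made for the sketch; the Symfony interfaces and container calls it uses are real.

```php
<?php
// Added illustration of the proposal in the issue above, not code from API Platform.
// Names prefixed "Example" and the service id are assumptions for this sketch.

declare(strict_types=1);

use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
use Symfony\Component\DependencyInjection\ContainerBuilder;
use Symfony\Component\ExpressionLanguage\ExpressionLanguage;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;

final class ExampleResourceAccessChecker
{
    private TokenStorageInterface $tokenStorage;
    private ExpressionLanguage $expressionLanguage;
    // true  => "old" security system: a missing token is a misconfiguration, keep throwing.
    // false => authenticator system: an unauthenticated request legitimately has no token.
    private bool $exceptionOnNoToken;

    public function __construct(
        TokenStorageInterface $tokenStorage,
        ExpressionLanguage $expressionLanguage,
        bool $exceptionOnNoToken = true
    ) {
        $this->tokenStorage = $tokenStorage;
        $this->expressionLanguage = $expressionLanguage;
        $this->exceptionOnNoToken = $exceptionOnNoToken;
    }

    public function isGranted(string $expression, array $extraVariables = []): bool
    {
        $token = $this->tokenStorage->getToken(); // ?TokenInterface

        if (null === $token && $this->exceptionOnNoToken) {
            throw new \LogicException(
                'The current token must be set to use the "security" attribute (is the URL behind a firewall?).'
            );
        }

        // On the authenticator system an anonymous request reaches this point with
        // $token === null, so "token" and "user" are null inside the expression.
        // Expressions therefore have to be null-safe, e.g.
        //   user != null and user == object.getOwner()
        $variables = array_merge($extraVariables, [
            'token' => $token,
            'user' => null !== $token ? $token->getUser() : null,
        ]);

        return (bool) $this->expressionLanguage->evaluate($expression, $variables);
    }
}

final class ExampleSecuritySystemDetectionPass implements CompilerPassInterface
{
    // Service id under which the checker above is assumed to be registered.
    public const CHECKER_SERVICE_ID = 'example.resource_access_checker';

    public function process(ContainerBuilder $container): void
    {
        if (!$container->hasDefinition(self::CHECKER_SERVICE_ID)) {
            return;
        }

        // security.authenticator.manager is only registered when the "new"
        // authenticator system is enabled, so its absence means the "old" system.
        $usingAuthenticatorSystem = $container->has('security.authenticator.manager');

        // Old system: keep the exception. New system: allow a null token.
        $container->getDefinition(self::CHECKER_SERVICE_ID)
            ->setArgument('$exceptionOnNoToken', !$usingAuthenticatorSystem);
    }
}
```

The pass would be registered from the bundle's `build()` method with `$container->addCompilerPass(new ExampleSecuritySystemDetectionPass())`. Note that once the flag is false, every security expression on a public operation must tolerate `user` being null; a bare `user.getId() == object.getOwner().getId()` would fail at evaluation time for anonymous requests rather than simply denying access.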
Activity
alanpoulain commented on Dec 29, 2020
Hello.
I think it has already been done in master with this PR: #3899
However the `exceptionOnNoToken` flag has not been done.

weaverryan commented on Jan 4, 2021
Thank you @alanpoulain! I'm sorry I missed that! The `exceptionOnNoToken` may not be needed... that's an edge-case for backwards-compatibility imo.