From d6e6999049b28b9051e584b60333902e61f142b5 Mon Sep 17 00:00:00 2001
From: Valerio Colella
Date: Fri, 3 May 2024 17:34:06 +0200
Subject: [PATCH] feature #19589 [Security] Document "pass controller object argument by name" behavior for IsGranted attribute
---
 security.rst | 19 +++++++++++++++++++
 security/voters.rst | 2 ++
 2 files changed, 21 insertions(+)
diff --git a/security.rst b/security.rst
index 2b4350e27ee..fa558af149a 100644
--- a/security.rst
+++ b/security.rst
@@ -2548,6 +2548,25 @@ the ``ROLE_SUPER_ADMIN`` permission:
 }
 }
+You can pass any controller argument to the #[IsGranted()] attribute by name:
+
+.. code-block:: php-attributes
+
+ // src/Controller/PostController.php
+ // ...
+
+ use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+ class PostController extends AbstractController
+ {
+ #[Route('/posts/{id}/edit', name: 'post_edit')]
+ #[IsGranted('edit', 'post')]
+ public function edit(Post $post): Response
+ {
+ // ...
+ }
+ }
+
 If you want to use a custom status code instead of the default one (which is 403), this can be done by setting with the ``statusCode`` argument::
diff --git a/security/voters.rst b/security/voters.rst
index 7d37aea2510..196ea529bd9 100644
--- a/security/voters.rst
+++ b/security/voters.rst
@@ -78,6 +78,7 @@ code like this:
 {
 #[Route('/posts/{id}', name: 'post_show')]
 // check for "view" access: calls all voters
+ // pass the Post entity by name
 #[IsGranted('view', 'post')]
 public function show(Post $post): Response
 {
@@ -86,6 +87,7 @@ code like this:
 #[Route('/posts/{id}/edit', name: 'post_edit')]
 // check for "edit" access: calls all voters
+ // pass the Post entity by name
 #[IsGranted('edit', 'post')]
 public function edit(Post $post): Response
 {