
[Security] securityAfterResolver expression not being called #6922


Closed
DavidBennettUK opened this issue Jan 17, 2025 · 2 comments

Comments

@DavidBennettUK
Contributor

API Platform version(s) affected: 3.3.8+

Description
The securityAfterResolver GraphQL operation attribute was introduced in #6444 to allow adding a security check that runs after the resolver. However, it does not seem to ever run the expression, meaning developers can think they are securing their API while it is silently not working.

How to reproduce
Example resource

```php
<?php

use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\GraphQl\Mutation;

#[ApiResource(
    // ....
    graphQlOperations: [
        new Mutation(
            resolver: MyCustomResolver::class,
            args: [
                // ...
            ],
            // expected to be evaluated against the resolver's return value
            securityAfterResolver: 'is_granted("CREATE", object)',
            name: 'myCustomOperation',
        ),
    ])]
class MyResource {
    // ...
}
```

MyCustomResolver can just return $item. The securityAfterResolver expression is never called when running the operation.

Possible Solution
I think this may be due to a missing break in AccessCheckerProvider. This means that immediately after the securityAfterResolver expression is assigned to the $isGranted variable, it is overwritten by the default case, which sets $isGranted to the security expression. However, as there is a comment, it looks like the missing break was intentional, but I don't see how it could work without it.
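To make the fall-through concrete, here is a simplified PHP model of the switch the report describes, written as an added example rather than API Platform's own AccessCheckerProvider code; the function names, the `$phase` argument and the array-shaped operation are assumptions. The buggy shape sits beside the fixed one.

```php
<?php
// Added illustration, not API Platform's AccessCheckerProvider code.
// Models the fall-through described in the issue: the securityAfterResolver
// expression is selected, then overwritten by the default case because the
// `break` is missing. The operation is modelled as a plain array (assumption).

function resolveExpressionBuggy(array $operation, string $phase): ?string
{
    $isGranted = null;
    switch ($phase) {
        case 'after_resolver':
            $isGranted = $operation['securityAfterResolver'] ?? null;
            // no break  <- a comment like this is what php-cs-fixer inserts on a
            //              fall-through; it documents the behaviour, it does not fix it
        default:
            // Reached for 'after_resolver' too: the value chosen above is discarded
            // and the expression from the `security` attribute (or null) wins.
            $isGranted = $operation['security'] ?? null;
    }
    return $isGranted;
}

function resolveExpressionFixed(array $operation, string $phase): ?string
{
    $isGranted = null;
    switch ($phase) {
        case 'after_resolver':
            $isGranted = $operation['securityAfterResolver'] ?? null;
            break; // the chosen expression now survives to the checker
        default:
            $isGranted = $operation['security'] ?? null;
    }
    return $isGranted;
}

// Constructed operation with only securityAfterResolver set, as in the report.
$operation = ['securityAfterResolver' => 'is_granted("CREATE", object)'];

var_dump(resolveExpressionBuggy($operation, 'after_resolver'));
var_dump(resolveExpressionFixed($operation, 'after_resolver'));
```

With the buggy version the after-resolver expression is lost and nothing is handed to the access checker, so the operation runs unguarded; the fixed version returns the expression so it can be evaluated against the resolver's result.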

@soyuka
Member

soyuka commented Jan 17, 2025

We're working on this. The comment is php-cs-fixer adding a comment automatically I think.

@soyuka
Member

soyuka commented Jan 17, 2025

dc4fc84 got patched there; I need to release it everywhere now.

@soyuka soyuka closed this as completed Jan 17, 2025