fix(symfony): security regression when ResourceAccessChecker is decorated (#7896)

[giosh94mhz]

Q	A
Branch?	4.3
Tickets	Closes #7896
License	MIT
Doc PR

Commit 359a128 introduced a regression when ResourceAccessChecker is decorated, and security/securityPostDenormalize are using object in is_granted expression.

The issue arise since AccessCheckerProvider violates the Liskov substitution principle by assuming that if the (previously unknown) interface ObjectVariableCheckerInterface is not defined, then the pre_read optimization can be used without an object instance.

NOTE: this is a security evaluation regression that actually will blocks more then required, so not a security issue on the project itself.

The solution (in addition to this PR)

To preserve the implementation I had to implement ObjectVariableCheckerInterface in my codebased (which is not optimal, maybe should be documented or refactored). This is a workaround also for versions 4.3.0 => 4.3.3.

<?php

namespace Acme\ApiPlatform;

use ApiPlatform\Metadata\ResourceAccessCheckerInterface;
use ApiPlatform\Symfony\Security\ObjectVariableCheckerInterface;

/** @note the references to `ObjectVariableCheckerInterface` and `usesObjectVariable` */
readonly class ResourceAccessCheckerDecorator implements ResourceAccessCheckerInterface, ObjectVariableCheckerInterface
{
    public function __construct(
        private ResourceAccessCheckerInterface&ObjectVariableCheckerInterface $resourceAccessChecker
    )
    {}

    public function isGranted(string $resourceClass, string $expression, array $extraVariables = []): bool
    {
        $extraVariables['my'] = $things;

        return $this->resourceAccessChecker->isGranted($resourceClass, $expression, $extraVariables);
    }

    public function usesObjectVariable(string $expression, array $variables = []): bool
    {
        $variables['my'] = null;
        return $this->resourceAccessChecker->usesObjectVariable($expression, $variables);
    }
}