Fix isAnonymous() always returning false on Symfony 6.x#1240
Merged
Nyholm merged 2 commits intooverblog:masterfrom Mar 12, 2026
Merged
Fix isAnonymous() always returning false on Symfony 6.x#1240Nyholm merged 2 commits intooverblog:masterfrom
Nyholm merged 2 commits intooverblog:masterfrom
Conversation
IS_AUTHENTICATED_ANONYMOUSLY was removed from AuthenticatedVoter in
Symfony 6.x (deprecated since 5.4). When using #[GQL\Access('isAnonymous()')]
on a Provider field, the access check always returned false, causing every
request to get "Access denied to this field" regardless of auth state.
PUBLIC_ACCESS is the correct replacement since Symfony 5.4 and has the
same semantics: it always grants access.
Nyholm
reviewed
Mar 12, 2026
Collaborator
Nyholm
left a comment
Nyholm
left a comment
There was a problem hiding this comment.
Great. Thank you. But let's drop IS_AUTHENTICATED_ANONYMOUSLY completely.
mfaivre-simplis
force-pushed
the
fix/is-anonymous-symfony6
branch
from
047639f to
f387b69
Compare
Nyholm
approved these changes
Mar 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #1205
BaseSecurity::isAnonymous()callsisGranted('IS_AUTHENTICATED_ANONYMOUSLY'), which was removed fromAuthenticatedVoterin Symfony 6.x (deprecated since 5.4) : https://github.com/symfony/symfony/blob/6.0/UPGRADE-6.0.md#security:~:text=Remove%20AuthenticatedVoter%3A%3AIS_AUTHENTICATED_ANONYMOUSLY%20and%20AuthenticatedVoter%3A%3AIS_ANONYMOUS%2C%20use%20AuthenticatedVoter%3A%3APUBLIC_ACCESS%20instead.The access decision manager does not work and returns
false. Every field annotated with#[GQL\Access('isAnonymous()')]gets "Access denied to this field" for all requests.The fix uses
PUBLIC_ACCESSon Symfony 6.x, which has the same behavior (IS_AUTHENTICATED_ANONYMOUSLYandPUBLIC_ACCESSboth always grant access) and is the official replacement.Changes
src/Security/Security.php: usePUBLIC_ACCESSon Symfony >= 6.0, keepIS_AUTHENTICATED_ANONYMOUSLYfor 5.xReproduction
A minimal reproduction repo is available at: https://github.com/mfaivre-simplis/graphqlbundle-issue-1205
With Symfony 6.x, querying
{ connectedUser }always returns"Access denied to this field"before this fix.