Use instanceof NullToken in voters

l-vo · l-vo · commit 1d8564d18a08 · 2022-08-10T14:48:54.000+02:00
To test if the user is not logged.
diff --git a/reference/forms/types/datetime.rst b/reference/forms/types/datetime.rst
@@ -13,7 +13,7 @@ the data can be a ``DateTime`` object, a string, a timestamp or an array.
 +---------------------------+-----------------------------------------------------------------------------+
 | Underlying Data Type      | can be ``DateTime``, string, timestamp, or array (see the ``input`` option) |
 +---------------------------+-----------------------------------------------------------------------------+
-| Rendered as               | single text box or five select fields                                      |
+| Rendered as               | single text box or five select fields                                       |
 +---------------------------+-----------------------------------------------------------------------------+
 | Default invalid message   | Please enter a valid date and time.                                         |
 +---------------------------+-----------------------------------------------------------------------------+
diff --git a/security.rst b/security.rst
@@ -2346,12 +2346,13 @@ Granting Anonymous Users Access in a Custom Voter
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 If you're using a :doc:`custom voter </security/voters>`, you can allow
-anonymous users access by checking if there is no user set on the token::
+anonymous users access by checking if the token is an instance of :class:`Symfony\\Component\\Security\\Core\\Authentication\\Token\\NullToken`::
 
     // src/Security/PostVoter.php
     namespace App\Security;
 
     // ...
+    use Symfony\Component\Security\Core\Authentication\Token\NullToken;
     use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
     use Symfony\Component\Security\Core\Authentication\User\UserInterface;
     use Symfony\Component\Security\Core\Authorization\Voter\Voter;
@@ -2364,14 +2365,21 @@ anonymous users access by checking if there is no user set on the token::
         {
             // ...
 
-            if (!$token->getUser() instanceof UserInterface) {
+            if ($token instanceof NullToken) {
                 // the user is not authenticated, e.g. only allow them to
                 // see public posts
                 return $subject->isPublic();
             }
         }
     }
 
+.. caution::
+
+    :class:`Symfony\\Component\\Security\\Core\\Authentication\\Token\\NullToken` is only available in voters
+    (because :method:`Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface::vote` can't          receive a null token). Outside of voters (controllers, other services...) there is no token in the
+    :class:`Symfony\\Component\\Security\\Core\\Authentication\\Token\\Storage\\TokenStorageInterface`
+    implementation when the user is not logged.
+
 Setting Individual User Permissions
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
