From 5b148a36ed08c19b611d2e909502697ce2995f2b Mon Sep 17 00:00:00 2001
From: Laurent VOULLEMIER
Date: Wed, 10 Aug 2022 14:43:03 +0200
Subject: [PATCH] Use instanceof NullToken in voters

To test if the user is not logged.
---
 reference/forms/types/datetime.rst | 2 +-
 security.rst | 14 +++++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/reference/forms/types/datetime.rst b/reference/forms/types/datetime.rst
index c189aceb2a6..524e61c8792 100644
--- a/reference/forms/types/datetime.rst
+++ b/reference/forms/types/datetime.rst
@@ -13,7 +13,7 @@ the data can be a ``DateTime`` object, a string, a timestamp or an array.
 +---------------------------+-----------------------------------------------------------------------------+
 | Underlying Data Type | can be ``DateTime``, string, timestamp, or array (see the ``input`` option) |
 +---------------------------+-----------------------------------------------------------------------------+
-| Rendered as | single text box or five select fields |
+| Rendered as | single text box or five select fields |
 +---------------------------+-----------------------------------------------------------------------------+
 | Default invalid message | Please enter a valid date and time. |
 +---------------------------+-----------------------------------------------------------------------------+
diff --git a/security.rst b/security.rst
index 0f8145949a0..9e2c84dec82 100644
--- a/security.rst
+++ b/security.rst
@@ -2346,14 +2346,15 @@ Granting Anonymous Users Access in a Custom Voter
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 If you're using a :doc:`custom voter `, you can allow
-anonymous users access by checking if there is no user set on the token::
+anonymous users access by checking if the token is an instance of
+:class:`Symfony\\Component\\Security\\Core\\Authentication\\Token\\NullToken`::
 
 // src/Security/PostVoter.php
 namespace App\Security;
 
 // ...
+ use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
- use Symfony\Component\Security\Core\Authentication\User\UserInterface;
 use Symfony\Component\Security\Core\Authorization\Voter\Voter;
 
 class PostVoter extends Voter
@@ -2364,7 +2365,7 @@ anonymous users access by checking if there is no user set on the token::
 {
 // ...
 
- if (!$token->getUser() instanceof UserInterface) {
+ if ($token instanceof NullToken) {
 // the user is not authenticated, e.g. only allow them to
 // see public posts
 return $subject->isPublic();
@@ -2372,6 +2373,13 @@ anonymous users access by checking if there is no user set on the token::
 }
 }
 
+.. caution::
+
+ :class:`Symfony\\Component\\Security\\Core\\Authentication\\Token\\NullToken` is only available in voters
+ (because the :method:`Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface::vote` can't receive a null token). Outside of voters (controllers, other services...) there is no token in the
+ :class:`Symfony\\Component\\Security\\Core\\Authentication\\Token\\Storage\\TokenStorageInterface`
+ implementation when the user is not logged.
+
 Setting Individual User Permissions
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 