@@ -23,6 +23,7 @@ and ``#[IsGranted()]`` attribute also accept an
2323 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
2424 use Symfony\Component\ExpressionLanguage\Expression;
2525 use Symfony\Component\HttpFoundation\Response;
26+ use Symfony\Component\Security\Http\Attribute\IsGranted;
2627
2728 class MyController extends AbstractController
2829 {
@@ -130,6 +131,69 @@ Additionally, you have access to a number of functions inside the expression:
130131 true if the user has actually logged in during this session (i.e. is
131132 full-fledged).
132133
134+ In case of the ``#[IsGranted()] `` attribute, the subject can also be an
135+ :class: `Symfony\\ Component\\ ExpressionLanguage\\ Expression ` object::
136+
137+ // src/Controller/MyController.php
138+ namespace App\Controller;
139+
140+ use App\Entity\Post;
141+ use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
142+ use Symfony\Component\ExpressionLanguage\Expression;
143+ use Symfony\Component\HttpFoundation\Response;
144+ use Symfony\Component\Security\Http\Attribute\IsGranted;
145+
146+ class MyController extends AbstractController
147+ {
148+ #[IsGranted(
149+ attribute: new Expression('user === subject'),
150+ subject: new Expression('args["post"].getAuthor()'),
151+ )]
152+ public function index(Post $post): Response
153+ {
154+ // ...
155+ }
156+ }
157+
158+ In this example, we fetch the author of the post and use it as the subject. If the subject matches
159+ the current user, then access will be granted.
160+
161+ The subject may also be an array where the key can be used as an alias for the result of an expression::
162+
163+ #[IsGranted(
164+ attribute: new Expression('user === subject["author"] and subject["post"].isPublished()'),
165+ subject: [
166+ 'author' => new Expression('args["post"].getAuthor()'),
167+ 'post',
168+ ],
169+ )]
170+ public function index(Post $post): Response
171+ {
172+ // ...
173+ }
174+
175+ Here, access will be granted if the author matches the current user
176+ and the post's ``isPublished() `` method returns ``true ``.
177+
178+ You can also use the current request as the subject::
179+
180+ #[IsGranted(
181+ attribute: '...',
182+ subject: new Expression('request'),
183+ )]
184+ public function index(): Response
185+ {
186+ // ...
187+ }
188+
189+ Inside the subject's expression, you have access to two variables:
190+
191+ ``request ``
192+ The:ref: `Symfony Request <component-http-foundation-request >` object that
193+ represents the current request.
194+ ``args ``
195+ An array of controller arguments that are passed to the controller.
196+
133197Learn more
134198----------
135199
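Review bot: In the first example (new lines 149-150), `user === subject` with `subject: new Expression('args["post"].getAuthor()')` is also true when both sides are null. `user` is null in a security expression when nobody is authenticated, so if `getAuthor()` can return null and the route is reachable without login, the sample grants access. Suggest writing the attribute as `is_authenticated() and user === subject`, and noting in the sentence at new lines 158-159 that `===` compares object instances, so the author and the current user must be the same object. Separately, the array example at new lines 165-168 uses a bare `'post'` entry that the text never explains, and the variable list at new lines 189-195 covers only `request` and `args`; one sentence saying that a plain string entry names a controller argument would close that gap.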