Confusing key roles in security.yaml > access_control

[TomPradat]

Description
I know this is not a new topic but I find the key roles in the access_control part very disturbing, i spend hours to understand that i can put attributes there too.

I think this is not clear in the documentation.

Maybe we should juste update the documentation to make it clear or change the key name for something else

[TomPradat]

This is related to #21029

[linaori]

In particular relates to my comment in #21029 (comment): Problem 2 - Unintuitive behavior

[chalasr]

👍 for renaming

[wouterj]

I'm all in for renaming, but I don't think we've yet come up with a great alternative (we're also struggling with this in the documentation).

attribute is imho not very describing (and in fact confusing, as Token#getAttributes() is not related to this attribute concept, see also e.g. symfony/symfony-docs#4158).

[mab05k]

Is this syntax for configuring roles no longer acceptable? (since upgrading from 4.4.x to 5.x.x)

    access_control:
        - path: ^/api/instruments.*
          roles:
            - ROLE_PERFORMANCE_READ
            - ROLE_ACCOUNT_READ
            - ROLE_CONFIGURATION_READ
          methods: [ GET ]

Replacing the roles section with

allow_if: "is_granted('ROLE_PERFORMANCE_READ') or is_granted('ROLE_ACCOUNT_READ') or is_granted('ROLE_CONFIGURATION_READ')"

seems to fix my issue, but seems less intuitive and is not well documented.

[linaori]

@mab05k should be fixed in 5.0.8: #36283