Security expression doc about check anonymous user is misleading

[andrew-demb]

Issue with page: https://symfony.com/doc/current/security/expressions.html

In https://symfony.com/doc/current/security.html#checking-to-see-if-a-user-is-logged-in-is-authenticated-fully docs are provide information, that IS_AUTHENTICATED_ANONYMOUSLY attribute are granted for anon. tokens and fully authenticated.

IS_AUTHENTICATED_ANONYMOUSLY: All users (even anonymous ones)

On https://symfony.com/doc/current/security/expressions.html we see, that is_anonymous() expression are the same as IS_AUTHENTICATED_ANONYMOUSLY.

is_anonymous
Equal to using IS_AUTHENTICATED_ANONYMOUSLY with the isGranted() function.

But in code we can see, that is_anonymous() returns true only for anon. tokens.

https://github.com/symfony/symfony/blob/ea92f38c52eaf5951911df6fa39eb258716ecd21/src/Symfony/Component/Security/Core/Authorization/ExpressionLanguageProvider.php#L30

return $variables['trust_resolver']->isAnonymous($variables['token']);

[wouterj]

Hi Andrew! You're 100% correct. is_anonymous() and IS_AUTHENTICATED_ANONYMOUSLY are different. The function is only true for anonymous authentication, while the attribute is true whenever the user is authenticated in any way.

Would it be possible for you to fix the expression documentation? (you can do so by clicking the blue "edit this page" button at the top right of the article). We should update to say something like "Whether the user is anonymous. This is different from IS_AUTHENTICATED_ANONYMOUSLY, see below."