fix(symfony): securityPostValidation when use_symfony_listeners

features/authorization/deny.feature

@@ -305,3 +305,15 @@ Feature: Authorization checking
     Then the response status code should be 200
     And the response should contain "ownerOnlyProperty"
     And the response should contain "attributeBasedProperty"
+
+  Scenario: Security post validation should be hit
+    When I add "Content-Type" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "POST" request to "/issue_6446" with body:
+    """
+    {
+      "title": ""
+    }
+    """
+    Then the response status code should be 403
+

src/Symfony/Bundle/DependencyInjection/ApiPlatformExtension.php

@@ -958,7 +958,7 @@ private function registerSecurityConfiguration(ContainerBuilder $container, arra
 
         $loader->load('state/security.xml');
 
-        if (interface_exists(ValidatorInterface::class) && !$config['use_symfony_listeners']) {
+        if (interface_exists(ValidatorInterface::class)) {
             $loader->load('state/security_validator.xml');
         }
 

tests/Fixtures/TestBundle/ApiResource/Issue6446/SecurityPostValidation.php

@@ -0,0 +1,24 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\ApiResource\Issue6446;
+
+use ApiPlatform\Metadata\Post;
+use Symfony\Component\Validator\Constraints\NotNull;
+
+#[Post(uriTemplate: 'issue_6446', securityPostValidation: 'is_granted(\'ROLE_ADMIN\')')]
+class SecurityPostValidation
+{
+    #[NotNull]
+    public string $title;
+}