api platform security check performed after custom provider code is already executed
I have encountered very unpleasant api platform behavior with security with custom providers.
I really need some explanation if this behavior is really intended or is it a security flaw.