Fix Security 'this' variable on ExtendType fields (#801)

Fixes #653
Related to #792

When using #[Security] on a field declared in an #[ExtendType], the 'this'
variable was incorrectly set to the resolver instance instead of the source object.

This breaks authorization logic relying on the domain object.

Fix: preserve $source when injectSource=true.

Adds test coverage to ensure correct behavior.

Author: charly-ffss

src/Middlewares/SecurityFieldMiddleware.php

@@ -83,7 +83,12 @@ public function process(
         $injectSource = $queryFieldDescriptor->isInjectSource();
 
         $queryFieldDescriptor = $queryFieldDescriptor->withResolver(function (object|null $source, ...$args) use ($originalResolver, $securityAnnotations, $resolver, $failWith, $parameters, $queryFieldDescriptor, $injectSource) {
-            $variables = $this->getVariables($args, $parameters, $originalResolver->executionSource($source), $injectSource);
+            $variables = $this->getVariables(
+                $args,
+                $parameters,
+                $injectSource ? $source : $originalResolver->executionSource($source),
+                $injectSource,
+            );
 
             foreach ($securityAnnotations as $annotation) {
                 try {

src/Middlewares/SecurityInputFieldMiddleware.php

@@ -51,7 +51,12 @@ public function process(InputFieldDescriptor $inputFieldDescriptor, InputFieldHa
         $injectSource = $inputFieldDescriptor->isInjectSource();
 
         $inputFieldDescriptor = $inputFieldDescriptor->withResolver(function (object|null $source, ...$args) use ($originalResolver, $securityAnnotations, $resolver, $parameters, $inputFieldDescriptor, $injectSource) {
-            $variables = $this->getVariables($args, $parameters, $originalResolver->executionSource($source), $injectSource);
+            $variables = $this->getVariables(
+                $args,
+                $parameters,
+                $injectSource ? $source : $originalResolver->executionSource($source),
+                $injectSource,
+            );
 
             foreach ($securityAnnotations as $annotation) {
                 try {

tests/Fixtures/Integration/Types/ExtendedContactType.php

@@ -48,4 +48,15 @@ public function extendedSecretName(Contact $contact): string|null
     {
         return $contact->getName();
     }
+
+    /**
+     * Regression: in #[Security] on an #[ExtendType] field, `this` must be
+     * the source object, not the resolver instance.
+     */
+    #[Field]
+    #[Security("user && this.getName() == 'Joe'", failWith: null)]
+    public function sourceAwareSecretName(Contact $contact): string|null
+    {
+        return $contact->getName();
+    }
 }

tests/Integration/EndToEndTest.php

@@ -1360,6 +1360,7 @@ public function testEndToEndSecurityOnExtendTypeField(): void
             contacts {
                 name
                 extendedSecretName
+                sourceAwareSecretName
             }
         }
         ';
@@ -1368,6 +1369,7 @@ public function testEndToEndSecurityOnExtendTypeField(): void
         $data = $this->getSuccessResult($result);
         $this->assertSame('Joe', $data['contacts'][0]['name']);
         $this->assertNull($data['contacts'][0]['extendedSecretName']);
+        $this->assertNull($data['contacts'][0]['sourceAwareSecretName']);
 
         // Logged-in user with bar=42 → the Security expression passes and the field returns the name.
         $container = $this->createContainer([
@@ -1394,6 +1396,7 @@ public function getUser(): object|null
         $result = GraphQL::executeQuery($schema, $queryString);
         $data = $this->getSuccessResult($result);
         $this->assertSame('Joe', $data['contacts'][0]['extendedSecretName']);
+        $this->assertSame('Joe', $data['contacts'][0]['sourceAwareSecretName']);
     }
 
     public function testEndToEndUnions(): void