feat(subresource): Link security (#1692)

* feat(subresource): Link security

* feat(subresource): Link security

* Update core/subresources.md

Fix spelling

Co-authored-by: Alexander Kim <[email protected]>

---------

Co-authored-by: Alexander Kim <[email protected]>

Author: 2 people

core/subresources.md

@@ -332,3 +332,28 @@ class Company {
     // ...
 }
 ```
+
+## Security
+
+In order to use Symfony's built-in security system on subresources the security option of the `Link` attribute can be used.
+
+To restrict the access to a subresource based on the parent object simply use the Symfony expression language as you would do normally, with the exception that the name defined in `toProperty` or `fromProperty` is used to access the object.
+
+Alternatively you can also use the `securityObjectName` to set a custom name
+
+```php
+<?php 
+#[ApiResource(
+    uriTemplate: '/employees/{employeeId}/company',
+    uriVariables: [
+        'employeeId' => new Link(fromClass: Employee::class, toProperty: 'company', security: "is_granted(some_voter, company)"),
+    ],
+    operations: [
+        new Get()
+    ]
+)]
+
+class Company {
+    // ...
+}
+```