Merge branch '5.0'

* 5.0:
  [HttpFoundation] Do not set the default Content-Type based on the Accept header
  [Security] Fix access_control behavior with unanimous decision strategy

Author: nicolas-grekas

Authorization/AccessDecisionManager.php

@@ -55,11 +55,16 @@ public function __construct(iterable $voters = [], string $strategy = self::STRA
     }
 
     /**
+     * @param bool $allowMultipleAttributes Whether to allow passing multiple values to the $attributes array
+     *
      * {@inheritdoc}
      */
-    public function decide(TokenInterface $token, array $attributes, $object = null)
+    public function decide(TokenInterface $token, array $attributes, $object = null/*, bool $allowMultipleAttributes = false*/)
     {
-        if (\count($attributes) > 1) {
+        $allowMultipleAttributes =  3 < func_num_args() && func_get_arg(3);
+
+        // Special case for AccessListener, do not remove the right side of the condition before 6.0
+        if (\count($attributes) > 1 && !$allowMultipleAttributes) {
             throw new InvalidArgumentException(sprintf('Passing more than one Security attribute to "%s()" is not supported.', __METHOD__));
         }