This repository has been archived by the owner on Apr 3, 2023. It is now read-only.

Error 404 on route GET users/{id} when not logged in #30

Open
TeddyRoncin opened this issue May 10, 2022 · 2 comments
Labels
Bug 🐛 Something isn't working or doesn't work correctly

Comments

@TeddyRoncin
Member

Description

When you make a request on route GET users/{id}, the API returns a 404 error (Resource not found), even if the user was found. It should return a 401 error (Unauthorized), both when the user does not exist and when it does exist.
[screenshot]

There is a problem that occurs in the same situation when running tests:
[screenshot]
However, the problem is not the same: this is an error, whereas the problem I described earlier was a bug.

Investigation of the issue

I tried changing the `supports` function of class App\DataProvider\UserDataVisibilityItemDataProvider to make it also check for login: `$checkLogin = $this->security->getUser() != null;`.
This fixes the issue in tests:
[screenshot]
This fix does not change anything in a normal call. It seems that by changing this function, the getItem method of the same class is no longer called (which is the behaviour we would expect). But API Platform still returns a 404 code instead of a 401 code.

@TeddyRoncin TeddyRoncin added the Bug 🐛 Something isn't working or don't work correctly label May 10, 2022
TeddyRoncin pushed a commit that referenced this issue May 17, 2022
Now method UserDataVisibilityItemProvider::supports cannot return true if the user is not logged in. The method "supports"
of the authenticator now always returns true: if CAS-LOGIN is not set, then we know the user is not logged in. It makes
unauthorized responses (401) cleaner, and you cannot see the stacktrace anymore.

Closes #30
@TeddyRoncin
Member Author

The same error occurs on route DELETE /users/{id}. It seems that all routes which need to fetch a single User (maybe other entities?) have this problem.

@TeddyRoncin
Member Author

I think the problem might be that the ApiPlatform\Symfony\EventListener\ReadListener listener is called before the security checks. The ReadListener is called when the kernel.request event is called, with a priority of 4. It may be possible to modify the order of events by fetching the main instance of Symfony\Component\EventDispatcher\EventDispatcher to add and remove listeners.
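The fix described in the commit message above, as an added example that is not the project's code: a Symfony authenticator whose supports() always returns true, so a request without the CAS-LOGIN header is rejected with a 401 before the item provider is ever consulted. It assumes the Symfony 5.4+ authenticator API; the class name is hypothetical, and CAS-LOGIN is the header named in the commit.

```php
<?php
// Added example, not the project's code: a Symfony authenticator whose supports()
// always returns true, so a request without the CAS-LOGIN header fails
// authentication and receives a 401 before any data provider is consulted.
// Assumptions: Symfony 5.4+ authenticator API; class name is hypothetical.
namespace App\Security;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;

final class CasHeaderAuthenticator extends AbstractAuthenticator
{
    // Unconditional true means the firewall always runs authenticate(): a missing
    // header becomes an authentication failure (401) instead of an anonymous
    // request that falls through to the item lookup and ends in a 404.
    public function supports(Request $request): ?bool
    {
        return true;
    }

    public function authenticate(Request $request): Passport
    {
        $login = $request->headers->get('CAS-LOGIN');
        if ($login === null || $login === '') {
            throw new CustomUserMessageAuthenticationException('Missing CAS-LOGIN header.');
        }
        // The UserBadge loads the user through the firewall's configured user provider.
        return new SelfValidatingPassport(new UserBadge($login));
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
    {
        return null; // let the request continue to API Platform
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
    {
        // Short JSON body: no stack trace is exposed to an unauthenticated caller.
        return new JsonResponse(['message' => $exception->getMessageKey()], Response::HTTP_UNAUTHORIZED);
    }
}
```

Trusting a login header like CAS-LOGIN is only sound when the application is reachable solely through the proxy that sets it, so that a client cannot supply the header itself.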
