If an application has 100 users with the same role Vendor.App:RegisteredUser, but what they can see is limited by a property, they will all generate the same contextHash and all see the same cached (from first hit) response.
Yes (though doctrine query cache doesn’t cache results, but the generated SQL queries). And that is fully plausible under the general assumptions about how role based authorization works.
If that is correct, I don't see roles as valid, when considering e.g. EntityPrivilege, where a property (not being roles) is what says what is right or wrong.
Well, the difference is that the property on the entity you are checking against is not a global variable which ends up in the query cache. Anything you check against in your models is no issue.
It’s a bit difficult, and I still don’t fully grasp when the issue really occurs, but for now just consider this: as long as your privileges (implicitly) only depend on the authenticated roles, everything works as expected. For the other case, where the privilege is different for each account, we should probably introduce some switch to support this mode.
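The cache pitfall discussed in this thread, modelled as an added example (not code from the project, and Python rather than PHP so it runs stand-alone): a cache of generated SQL keyed by a roles-only contextHash hands the first user's per-account filter to every later user with the same role, the "switch" mode keys the cache on the account property as well, and a filter whose account value is a bound parameter rather than baked into the SQL text is safe under either key. The user data, table and `tenant` property are constructed for the example.

```python
import hashlib
import json

# Constructed sample accounts: identical role, different per-account scope.
USERS = {
    "alice": {"roles": ["Vendor.App:RegisteredUser"], "tenant": 1},
    "bob":   {"roles": ["Vendor.App:RegisteredUser"], "tenant": 2},
}

def context_hash(identity, per_account):
    """Key for the generated-SQL cache: roles only (the mode described in the
    thread) or roles plus account-specific properties (the proposed switch)."""
    ctx = {"roles": sorted(identity["roles"])}
    if per_account:
        ctx["tenant"] = identity["tenant"]
    return hashlib.sha256(json.dumps(ctx, sort_keys=True).encode()).hexdigest()

def build_sql(identity, bind_params):
    """Privilege filter. With bind_params the account value is a placeholder
    (resolved on every execution); without it the value is baked into the SQL."""
    if bind_params:
        return "SELECT * FROM document WHERE tenant_id = :tenant", {"tenant": identity["tenant"]}
    return f"SELECT * FROM document WHERE tenant_id = {identity['tenant']}", {}

class QueryCache:
    """Caches the SQL text, not the results, like the Doctrine query cache."""
    def __init__(self, per_account, bind_params):
        self.per_account, self.bind_params = per_account, bind_params
        self.store, self.hits = {}, 0

    def query_for(self, identity):
        key = context_hash(identity, self.per_account)
        if key in self.store:
            self.hits += 1          # cached SQL from an earlier identity is reused
        else:
            self.store[key] = build_sql(identity, self.bind_params)[0]
        # Bound parameters are never cached; they are computed per execution.
        params = build_sql(identity, self.bind_params)[1]
        return self.store[key], params

def simulate(per_account, bind_params):
    """Return each user's effective (sql, params) and the number of cache hits."""
    cache = QueryCache(per_account, bind_params)
    out = {name: cache.query_for(ident) for name, ident in USERS.items()}
    return out, cache.hits
```

Run `simulate(False, False)` to see bob receive alice's `tenant_id = 1` filter from the cache; `simulate(True, False)` and `simulate(False, True)` both give bob his own scope.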