Instead of using `sessionUserService.getCurrentUser()`, or the
`ReactiveSecurityContextHolder.getContext` directly (which we are doing
in several places), this injection will let us get the principal
directly at controller-level.
Yes, it produces the anonymous user, when there's no session.
Why? Less code. More relying on letting Spring do the right thing for
us. 😛
Why aren't we making this change across the board everywhere? Sure,
eventually. Small PR like this helps me get consensus, be less daunting
to review, and most important of all, easy to revert if we notice
something going wrong. In a week or two, if we want to do this, we can
start rolling it out to more places in code.
/ok-to-test tags="@tag.Sanity"
d02c1edf6a