TASK: only support Closures for callbacks in DefaultFieldResolver

When resolving an object through the "magic" ObjectAccess returning a property value that is callable, the resolver previously called this function. This was a risk when working with user input, or even lead to misbehaviour. E.g. user Max resolved and then called as max() function.

Classes/Service/DefaultFieldResolver.php

@@ -29,7 +29,7 @@ public static function resolve($source, array $args, $context, ResolveInfo $info
             $resolvedProperty = ObjectAccess::getProperty($source, $fieldName);
         }
 
-        if (is_callable($resolvedProperty)) {
+        if ($resolvedProperty instanceof \Closure) {
             return $resolvedProperty($source, $args, $context, $info);
         }