feature #16076 [HttpFoundation] change precedence of parameters in Request::get (Tobion)

This PR was merged into the 3.0-dev branch. Discussion ---------- [HttpFoundation] change precedence of parameters in Request::get | Q | A | ------------- | --- | Bug fix? | no | New feature? | no | BC breaks? | yes | Deprecations? | no | Tests pass? | yes | Fixed tickets | - | License | MIT | Doc PR | - Allowing the request attributes to be overwritten via GET parameters is risky and made #8966 even worse. It is even more risky because it skips the requirements checks as configured in routing. So people that set requirements for routing placeholders like `\d+` or `html|json` can be sure it is validated when using the routing variables. But if developers use `$request->get()` to retrieve them, anybody from outside can set any value for those. Commits ------- e8d6764 [HttpFoundation] change precedence of parameters in Request::get
2015-10-05 09:30:19 +02:00 · 2015-10-05 09:30:19 +02:00 · 88e2d70df0
commit 88e2d70df0
parent 38c059fc03 e8d6764e32
3 changed files with 31 additions and 13 deletions
--- a/src/Symfony/Component/HttpFoundation/CHANGELOG.md
+++ b/src/Symfony/Component/HttpFoundation/CHANGELOG.md
@ -1,6 +1,11 @@
 CHANGELOG
 =========

+3.0.0
+-----
+
+ * The precedence of parameters returned from `Request::get()` changed from "GET, PATH, BODY" to "PATH, GET, BODY"
+
 2.8.0
 -----

--- a/src/Symfony/Component/HttpFoundation/Request.php
+++ b/src/Symfony/Component/HttpFoundation/Request.php
@ -700,19 +700,13 @@ class Request
    }

    /**
-     * Gets a "parameter" value.
+     * Gets a "parameter" value from any bag.
     *
-     * This method is mainly useful for libraries that want to provide some flexibility.
+     * This method is mainly useful for libraries that want to provide some flexibility. If you don't need the
+     * flexibility in controllers, it is better to explicitly get request parameters from the appropriate
+     * public property instead (attributes, query, request).
     *
-     * Order of precedence: GET, PATH, POST
-     *
-     * Avoid using this method in controllers:
-     *
-     *  * slow
-     *  * prefer to get from a "named" source
-     *
-     * It is better to explicitly get request parameters from the appropriate
-     * public property instead (query, attributes, request).
+     * Order of precedence: PATH (routing placeholders or custom attributes), GET, BODY
     *
     * @param string $key     the key
     * @param mixed  $default the default value
@ -721,11 +715,11 @@ class Request
     */
    public function get($key, $default = null)
    {
-        if ($this !== $result = $this->query->get($key, $this)) {
+        if ($this !== $result = $this->attributes->get($key, $this)) {
            return $result;
        }

-        if ($this !== $result = $this->attributes->get($key, $this)) {
+        if ($this !== $result = $this->query->get($key, $this)) {
            return $result;
        }

--- a/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
+++ b/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
@ -1221,6 +1221,25 @@ class RequestTest extends \PHPUnit_Framework_TestCase
        $this->assertEquals('/path%20test/info', $request->getPathInfo());
    }

+    public function testGetParameterPrecedence()
+    {
+        $request = new Request();
+        $request->attributes->set('foo', 'attr');
+        $request->query->set('foo', 'query');
+        $request->request->set('foo', 'body');
+
+        $this->assertSame('attr', $request->get('foo'));
+
+        $request->attributes->remove('foo');
+        $this->assertSame('query', $request->get('foo'));
+
+        $request->query->remove('foo');
+        $this->assertSame('body', $request->get('foo'));
+
+        $request->request->remove('foo');
+        $this->assertNull($request->get('foo'));
+    }
+
    public function testGetPreferredLanguage()
    {
        $request = new Request();