This PR was merged into the 4.4 branch.
Discussion
----------
[Security/Http] call auth listeners/guards eagerly when they "support" the request
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#34614, Fix#34679
| License | MIT
| Doc PR | -
This fixes the form authenticator linked to #34614.
Since laziness is here to provide compatibility with HTTP caching, it should be disabled when the request cannot be cached.
Tests don't pass yet, but I'm on the path to something here.
The PR now introduces a new `AbstractListener` that splits the handling logic in two:
- `supports(Request): ?bool` is always called eagerly and tells whether the listener matches the request for an earger call or a lazy call
- `authenticate(RequestEvent)` does the rest of the job when `supports()` allows so - lazily or not depending on the return value of `supports()`.
Of course, this remains compatible with non-lazy logics, see `AbstractListener::__invoke()`.
Commits
-------
b20ebe6b90 [Security/Http] call auth listeners/guards eagerly when they "support" the request
This PR was merged into the 4.4 branch.
Discussion
----------
improve upgrade instructions for twig.exception_controller configuration
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets |
| License | MIT
| Doc PR |
This improves the upgrade instructions for the deprecated configuration of `twig.exception_controller`.
Or would it be better to make the default `null` on 4.4?
a8a9e69488/src/Symfony/Bundle/TwigBundle/DependencyInjection/Configuration.php (L41)
Commits
-------
bdc68fd894 improve upgrade instructions for twig.exception_controller configuration
This PR was squashed before being merged into the 4.4 branch.
Discussion
----------
[HttpFoundation] Update CHANGELOG for PdoSessionHandler BC BREAK in 4.4
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | Fix#34491
| License | MIT
As explained in https://github.com/symfony/symfony/issues/34491, there was a BC BREAK between 4.3 and 4.4, when using `PdoSessionHandler` with MySQL, where the column `sess_lifetime` was modified from `MEDIUMINT` to `INTEGER UNSIGNED`.
This PR updates `UPGRADE-4.4.md` with a suggested query for updating the database accordingly.
Commits
-------
eda4d68f7d [HttpFoundation] Update CHANGELOG for PdoSessionHandler BC BREAK in 4.4
This PR was merged into the 4.4 branch.
Discussion
----------
[Routing][Config] Allow patterns of resources to be excluded from config loading
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | #31516
| License | MIT
| Doc PR | not yet
The PR will fix the following RFC: #31516
Like resource loading for services, this PR offers a way to exclude patterns of resources like:
```yml
// config/routes/annotations.yaml
controllers:
resource: ../../src/Controller/*
type: annotation
exclude: '../src/Controller/{DebugEmailController}.php'
```
All the annotation routes inside `Controller/` will be loaded in this example except all the one present inside the `Controller/DebugEmailController.php`
Commits
-------
332ff8811c [Routing][Config] Allow patterns of resources to be excluded from config loading
- added deprecation message for non-int return value in Command::execute()
- fixed all core commands to return proper int values
- added proper return type-hint to Command::execute() method in all core Commands
This PR was merged into the 4.4 branch.
Discussion
----------
[DI] scope singly-implemented interfaces detection by file
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | yes
| Deprecations? | no
| Tests pass? | yes
| License | MIT
[DependencyInjection] fixed handling singly implemented interfaces when importing multiple resources
for example:
```yaml
App\Adapter\:
resource: '../src/Adapter/*'
App\Port\:
resource: '../src/Port/*'
```
this configuration wont create service for interface (in other words singly implemented interface wont be autowired) and this chage fixes it
**Also** this will prevent false positives - for example if I had one implementation in \App\Port namespace and another in \App\Adapter then interface service would still be registered
but that could potentially break exisitng code not aware of this bug
Commits
-------
c1f39709ff [DI] add FileLoader::registerAliasesForSinglyImplementedInterfaces()
bec38900d8 [DI] scope singly-implemented interfaces detection by file
This PR was squashed before being merged into the 4.4 branch (closes#33584).
Discussion
----------
[Security] Deprecate isGranted()/decide() on more than one attribute
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | yes
| Tickets | -
| License | MIT
| Doc PR | tbd
While I expect it not be used much, it is currently possible to call `isGranted()` on more than one attribute:
```php
if ($this->authorizationChecker->isGranted(['ROLE_USER', 'ROLE_ADMIN'])) {
// ...
}
```
Supporting this includes a couple of problems/questions:
- It is not clear whether this is `OR` or `AND`;
- In fact, this is left over to the voter to decide upon. So it can vary for each voter and writers of new voters need to consider this (otherwise, you get issues like https://github.com/LeaseWeb/LswSecureControllerBundle/issues/4 );
- It promotes to vote over roles instead of actions.
I think we can do better. In the past, we've created all tooling for this to be self-explaining and easier:
```php
// ExpressionLanguage component (also includes other functions, like `is_granted('EDIT')`)
if ($this->authorizationChecker->isGranted("has_role('ROLE_USER') or has_role('ROLE_ADMIN')")) {
// ...
}
// calling it multiple times in PHP (may reduce performance)
if ($this->authorizationChecker->isGranted('ROLE_USER')
|| $this->authorizationChecker->isGranted('ROLE_ADMIN')
) {
// ...
}
// or by using Role Hierarchy, if a user really wants to vote on roles
```
This PR deprecates passing more than one attribute to `isGranted()` and `decide()` to remove this confusing bit in Security usage.
Backwards compatiblity help
---
I need some help in how to approach changing the `VoterInterface::vote(TokenInterface $token, $subject, array $attributes)` method in a backwards compatible way. Removing `array` breaks all Voters, so does changing it to `string` and removed the parameter all together.
Commits
-------
c64b0beffb [Security] Deprecate isGranted()/decide() on more than one attribute
This PR was merged into the 4.4 branch.
Discussion
----------
Allow configuring class names through methods instead of class parameters in Doctrine extensions
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
While removing class parameters for DoctrineBundle 2.0 (see https://github.com/doctrine/DoctrineBundle/issues/630), I noticed that the DoctrineExtension still requires them. This PR adds a new method that keeps legacy behaviour, but will dropped in Symfony 5. Extending classes (mainly DoctrineBundle and DoctrineMongoDBBundle) must implement this method themselves to return the appropriate class names instead of declaring them as class parameters in their service configuration. I'll create a separate for the master branch to make this method abstract in 5.0.
The cache driver class names are not being replaced in this PR, as we're dropping support for `doctrine/cache` in DoctrineBundle 2.0. A separate PR will be created to handle those deprecations and to clean up the code.
Commits
-------
b53d8ccfc1 [DoctrineBridge] Allow configuring class names through methods instead of class parameters
This PR was merged into the 4.4 branch.
Discussion
----------
[HttpKernel] deprecate global dir to load resources from
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | yes <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | #31915 <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR |
Replaces #31958
Here two example deprecations by adding files in the deprecated locations:
```
Overwriting the resource "@AcmeBundle/Resources/config/routing.yaml" with "/vagrant/src/Resources/AcmeBundle/config/routing.yaml" is deprecated since Symfony 4.4 and will be removed in 5.0.
Loading the file "foobar.yaml" from the global resource directory "/vagrant/src" is deprecated since Symfony 4.4 and will be removed in 5.0.
```
Commits
-------
aa82566f76 [HttpKernel] deprecate global dir to load resources from
This PR was merged into the 4.4 branch.
Discussion
----------
[Translation] deprecate support for null locales
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Commits
-------
e6b6a9d33a deprecate support for null locales