This PR was squashed before being merged into the 2.7 branch (closes#19373).
Discussion
----------
[Form] Skip CSRF validation on form when POST max size is exceeded
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #19140
| License | MIT
| Doc PR | N/A
In #19140 the CSRF validation listener was not aware that the POST max size had exceeded, and was adding a form error message that wasn't relevant to the actual error.
This introduces the `ServerParams` utility class into the `CsrfValidationListener` and checks that the POST max size has not been exceeded. If it has then it won't bother trying to validate the CSRF token.
My main concern with this change is that it opens up an attack vector around tokens, but I've encapsulated the request size validation in a single method in `ServerParams` now so that the request handlers are using the same logic.
Commits
-------
289531f [Form] Skip CSRF validation on form when POST max size is exceeded
This PR was merged into the 2.7 branch.
Discussion
----------
[Form] Consider a violation even if the form is not submitted
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | yes (only for the behavior)
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11493
| License | MIT
| Doc PR |
Hey!
I'm currently implementing an API using the form component in order to validate the payload sent (in conjonction with the FOSRestBundle). Unfortunatelly, we dig into an issue about the PATCH request which don't map some of our validation rules to the form. Basically, the violations are lost in the middle of the process.
### Use case
We have an entity with the following fields "type", "image" & "video". The field "type"can be either "default", "image" or "video" and then accordingly we use the appropriate field (none for the "default" type, video for the "video" type and image for the "image" type. Then, in our form, we change the validation groups according to our entity type in order to make the "image" field mandatory if the type is "image" and the same for the video field if the type is "video".
### Current behavior
The current behavior (since 2.5) seems to not propages a violation to a form if this form is not submitted but in our use case, changing the field "type" via a PATCH request triggers some new validation which should be reported to end user (inform that a field (video or image) is missing in the PATCH request).
### Expected behavior
The current behavior was introduced in #10567 but IMO, this update is a bug as suggested by @webmozart in https://github.com/symfony/symfony/issues/11493#issuecomment-59549054 Instead, the form component should still map validation errors to the form even if the field was not submitted. If the initial data is not valid, then your initial data was buggy from the beginning but the form should not accept it and instead of silently ignoring the errors, end users should be informed and fix it.
WDYT?
Commits
-------
c483a0f [Form] Consider a violation even if the form is not submitted
fixes#14712 and #17789.
`ChoiceType` now always use `ChoiceToValueTransformer` or
`ChoicesToValuesTransformer` depending on `multiple` option.
Hence `CheckboxListMapper` and `RadioListMapper` don’t handle
the transformation anymore.
Fixes pre selection of choice with model values such as `null`,
`false` or empty string.
* 2.3:
[HttpFoundation] Improve phpdoc
[Logging] Add support for firefox in ChromePhpHandler
[Security] Fixed SwitchUserListener when exiting an impersonication with AnonymousToken
[Form] fix "prototype" not required when parent form is not required
* 2.3:
[Form] NumberToLocalizedStringTransformer should return floats when possible
[DependencyInjection] Enabled alias for service_container
Conflicts:
src/Symfony/Component/DependencyInjection/Tests/Compiler/ReplaceAliasByActualDefinitionPassTest.php
* check for existance of `setMetadataFactory()` method (this is needed
for tests run with deps=high as the method was removed in Symfony
3.0)
* fix mock testing the `EngineInterface` as the `stream()` method cannot
be mocked when it is does not exist in the mocked interface
* 2.3:
Improved the PHPdoc of FileSystem::copy()
[Validator] Test DNS Email constraints using checkdnsrr() mock
[travis] Run real php subprocesses on hhvm for Process component tests
bug #18161 [Translation] Add support for fuzzy tags in PoFileLoader
[Form] Fix NumberToLocalizedStringTransformer::reverseTransform with big integers
[Form] Fix INT64 cast to float in IntegerType.
[SecurityBundle][PHPDoc] Added method doumentation for SecurityFactoryInterface
FrameworkBundle: Client: getContainer(): fixed phpdoc
[Validator] Updating inaccurate docblock comment
Conflicts:
.travis.yml
src/Symfony/Component/Validator/Tests/Constraints/EmailValidatorTest.php
* 2.3:
[HttpFoundation] Fix transient test
[HttpFoundation] Add a dependency on the mbstring polyfill
add readme files where missing
Don't use reflections when possible
[Form] Update form tests after the ICU data update
[Intl] Update tests and the number formatter to match behaviour of the intl extension
[Intl] Update the ICU data to version 55
[Intl] Fix the update-data.php script in preparation for ICU 5.5
Use constant instead of function call.
fixed test name
automatically generate safe fallback filename
Conflicts:
src/Symfony/Component/Debug/Debug.php
src/Symfony/Component/HttpFoundation/composer.json
src/Symfony/Component/Serializer/Tests/Normalizer/GetSetMethodNormalizerTest.php
This PR was squashed before being merged into the 2.7 branch (closes#16886).
Discussion
----------
[Form] [ChoiceType] Prefer placeholder to empty_value
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #16885
| License | MIT
| Doc PR | -
Prefer an explicitly set `placeholder` option (i.e. `false` or a non-empty
string) to an `empty_value` option when both are set.
The fix is to change the behaviour in the placeholder normalizer in
ChoiceType::configureOptions so that the value of the `empty_value` option is
used for placeholder only when the value of `placeholder` is null or an empty
string.
Commits
-------
a4d4c8a [Form] [ChoiceType] Prefer placeholder to empty_value
This PR was squashed before being merged into the 2.7 branch (closes#17568).
Discussion
----------
Improved Bootstrap form theme for hidden fields
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #16925
| License | MIT
| Doc PR | -
Commits
-------
ba5d7f9 Improved Bootstrap form theme for hidden fields
This PR was merged into the 2.7 branch.
Discussion
----------
[2.7] [Form] fix choice value "false" in ChoiceType
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #17292, #14712, #17789
| License | MIT
| Doc PR | -
- [x] Add tests for choices with `boolean` and `null` values, and with a placeholder
- [x] Fix FQCN in 2.8 tests, see #17759
- [x] Remove `choices_as_values` in 3.0 tests, see #17886
Commits
-------
8f918e5 [Form] refactor `RadioListMapper::mapDataToForm()`
3eac469 [Form] fix choice value "false" in ChoiceType
This PR was merged into the 2.7 branch.
Discussion
----------
[Form] Fix choice placeholder edge cases
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Fixing several problems with choice placeholder that enhances #9030 for more edge cases:
- A choice with an empty value manually added in the choices array should only be considered a placeholder when it is the first element in the final choice select.
This is part of the HTML spec and how browsers also behave. If you select a choice with an empty value that is not the first option, it will still pass the "required" check
and thus submit the empty value. So it's not a placeholder.
If in the example below you move the empty option to the first place, the browsers will error on submit that you
must select a value. So only then it is a placeholder to show as initial value.
```html
<select id="form_timezone" name="form[timezone]" required="required">
<option value="Africa/Abidjan">Abidjan</option>
<option value="">Empty</option>
</select>
```
Also the validator https://validator.w3.org/nu/ will mark the above code as error:
> The first child option element of a select element with a required attribute, and without a multiple attribute, and without a size attribute whose value is greater than 1, must have either an empty value attribute, or must have no text content. Consider either adding a placeholder option label, or adding a size attribute with a value equal to the number of option elements.
This is fixed by replacing`0 !== count($choiceList->getChoicesForValues(array('')))` with `$view->vars['placeholder_in_choices'] = $choiceListView->hasPlaceholder()`.
Which means, the required attribute is removed automatically because the select form element is required implicitly anyway due to the nature of the choice UI.
- As the above quote mentions, the `size` attribute also has impact. Namely for a select with size > 1 it can be possible to have a required attribute even without placeholder.
This is because when the size > 1, there is no default choice selected (similar to select with "multiple").
- A placeholder for required radio buttons or a select with size > 1 does not make sense as it would just be fake data that can be submitted (similar to the ignored placeholder for multi-select and checkboxes).
Commits
-------
0efbc30 [Form] fix edge cases with choice placeholder
This takes into account the changes to the `getErrors()` in Symfony 2.5
(the method rturns a `FormErrorIterator` instead of an array) as well as
the fact that non-submitted forms do not accept errors since #10567
anymore.
* 2.3:
[DependencyInjection] fix dumped YAML snytax
Remove InputOption::VALUE_REQUIRED mode from $default parameter description as InputOption::setDefault() throws an exception only when called in InputOption::VALUE_NONE mode. In practice the $default value could still be accessed in InputOption::VALUE_REQUIRED mode in case InputOption was never set but accessed from InputDefinition::getOption() method
[Form] Fixed violation mapping if multiple forms are using the same (or part of the same) property path
[TwigBridge] Symfony 3.1 forward compatibility
This PR was squashed before being merged into the 2.3 branch (closes#17099).
Discussion
----------
[Form] Fixed violation mapping if multiple forms are using the same (or part of the same) property path
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #5656
| License | MIT
| Doc PR |
Commits
-------
f005c80 [Form] Fixed violation mapping if multiple forms are using the same (or part of the same) property path