This PR was merged into the 3.4 branch.
Discussion
----------
[Security]: Don't let falsy usernames slip through impersonation
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets |
| License | MIT
| Doc PR |
When you try to impersonate users with a falsy username, `SwitchUserListener::handle()` would `return;` and impersonation would fail.
I'm using a third party OAuth provider that allows users to change their usernames with no guaranteed protection against re-use. To overcome that issue, I implemented `UserLoaderInterface::loadUserByUsername()` and query by a `providerId`.
After loading development fixtures, One user has `0` as it's `providerId`.
Commits
-------
64aecab0a7 Don't let falsey usernames slip through
This PR was submitted for the 4.3 branch but it was merged into the 3.4 branch instead (closes#33821).
Discussion
----------
Fixed invalid VarDumper upgrade-4.0 doc.
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | no
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| License | MIT
Updated upgrade-4.0 documentation to reflect actual changes in the code.
Commits
-------
afefc7104e Fixed invalid VarDumper upgrade doc.
This PR was merged into the 5.0-dev branch.
Discussion
----------
[WebProfilerBundle] Fix TemplateManager test
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Commits
-------
d1ed9685e1 [WebProfilerBundle] Fix TemplateManager test
This PR was merged into the 4.4 branch.
Discussion
----------
Fixing 'TypeError' in LdapUser::getSalt()
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | n/a
| License | MIT
| Doc PR | n/a
The following TypeError is returned as LdapUser::getSalt() returns no value.
Return value of Symfony\Component\Ldap\Security\LdapUser::getSalt() must be of the type string or null, none returned
Commits
-------
28e30b132b Fixing 'TypeError' in LdapUser::getSalt()
This PR was merged into the 4.4 branch.
Discussion
----------
[DependencyInjection] added Ability to define a priority method for tagged service
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | Fix#32976
| License | MIT
| Doc PR |
Commits
-------
c1917c2999 [DependencyInjection] added Ability to define a priority method for tagged service
This PR was merged into the 5.0-dev branch.
Discussion
----------
[Console] Throw a TypeError for non-int return value calling Command::execute()
| Q | A
| ------------- | ---
| Branch? | 5.0
| Bug fix? | no
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | yes <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix#33747 <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | - <!-- required for new features -->
### Todo
- [x] needs to be rebased after 4.4 was merged into master (see: https://github.com/symfony/symfony/pull/33805)
Commits
-------
b3a3b0c235 [Console] Throw a TypeError for non-int return values on calling Command::execute()
This PR was merged into the 5.0-dev branch.
Discussion
----------
[String] Introduce a locale-aware Slugger in the String component
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
This PR introduces a locale-aware Slugger in the new String component, based on transliterators provided by the PHP intl extension (or iconv if not available). It also wires this Slugger in the FrameworkBundle in order to use it easily as a service and to automatically inject the proper locale into it to choose the appropriate transliteration depending on the Request locale.
See https://github.com/unicode-org/cldr/tree/master/common/transforms for CLDR mappings.
Commits
-------
056d8ceed9 [String] Introduce a locale-aware Slugger in the String component with FrameworkBundle wiring
This PR was submitted for the 4.3 branch but it was merged into the 3.4 branch instead (closes#33814).
Discussion
----------
[HttpFoundation] Check if data passed to SessionBagProxy::initialize is an array
[HttpFoundation] Check if data passed to SessionBagProxy::initialize is an array
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix#33769 <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
<!--
Replace this notice by a short README for your feature/bugfix. This will help people
understand your PR and can be used as a start for the documentation.
Additionally (see https://symfony.com/roadmap):
- Always add tests and ensure they pass.
- Never break backward compatibility (see https://symfony.com/bc).
- Bug fixes must be submitted against the lowest maintained branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too.)
- Features and deprecations must be submitted against branch 4.4.
- Legacy code removals go to the master branch.
-->
If `$_SESSION['_sf2_attributes']` is set to a string, `SessionBagProxy::initialize` will throw an error since it's argument is type-hinted as array. So this change is to check before if the data to be passed is truly an array.
Commits
-------
38782bceff [HttpFoundation] Check if data passed to SessionBagProxy::initialize is an array
This PR was merged into the 5.0-dev branch.
Discussion
----------
[Workflow] Fixed default marking store value of Workflow
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#33749
| License | MIT
| Doc PR |
Commits
-------
a2330b7a90 [Workflow] Fixed default marking store value of Workflow
* 4.4: (24 commits)
[Console] Command::execute() should always return int - deprecate returning null
[FrameworkBundle] Fix wrong returned status code in ConfigDebugCommand
[AnnotationCacheWarmer] add RedirectController to annotation cache
[WebProfilerBundle] Try to display the most useful panel by default
Add note about deprecating the XmlEncoder::TYPE_CASE_ATTRIBUTES constant in the upgrade guide
fix merge
[DI] add tests loading calls with returns-clone
[DI] dont mandate a class on inline services with a factory
Fixed Redis Sentinel usage when only one Sentinel specified
[EventDispatcher] Added tests for aliased events.
Sync Twig templateExists behaviors
Fix the :only-of-type pseudo class selector
Deprecate the XmlEncoder::TYPE_CASE_ATTRIBUTES constant
[Mailer] Tweak some code
[Serializer] Add CsvEncoder tests for PHP 7.4
Copy phpunit.xsd to a predictable path
[WebserverBundle] Remove duplicated deprecation message
remove duplicated test
[Security/Http] fix parsing X509 emailAddress
[FrameworkBundle] conflict with VarDumper < 4.4
...
This PR was merged into the 4.4 branch.
Discussion
----------
[Console] Add deprecation message for non-int statusCode
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | yes <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix#33747 <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | -
### What was done:
- [x] added deprecation message for non-int return value in Command::execute()
- [x] fixed all core commands to return proper int values
- [x] added proper return type-hint to Command::execute() method in all core Commands
Commits
-------
98c4f6a06c [Console] Command::execute() should always return int - deprecate returning null
- added deprecation message for non-int return value in Command::execute()
- fixed all core commands to return proper int values
- added proper return type-hint to Command::execute() method in all core Commands
This PR was merged into the 4.3 branch.
Discussion
----------
[DI] Add CSV env var processor tests / support PHP 7.4
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #... <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
Similar as #32051
Commits
-------
82f341864c [DI] Add CSV env var processor tests
This PR was merged into the 4.3 branch.
Discussion
----------
[EventDispatcher] Added tests for aliased events
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | N/A
| License | MIT
| Doc PR | N/A
While working on #33793 I discovered that I could remove the event alias feature of `RegisterListenersPass` without breaking the component's tests. This PR adds the missing tests.
Commits
-------
8e8a6ed99b [EventDispatcher] Added tests for aliased events.
This PR was merged into the 5.0-dev branch.
Discussion
----------
[Serializer] Remove XmlEncoder::TYPE_CASE_ATTRIBUTES constant
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | not really
| Deprecations? | yes (well, sort of)
| Tickets | N/A
| License | MIT
| Doc PR | N/A
There is a small typo in the `XmlEncoder` constant. This can only be fixed in the master branch for Symfony 5 as it is a breaking change. I'm not sure if it's possible to deprecate the usage of the old constant name in 4.4? As the constant just resolves to a string, there is no way of determining if someone used the constant or not (a quick search on Github, I can't find any direct usages of the constant outside of this class)
Commits
-------
001d0f1693 Remove XmlEncoder::TYPE_CASE_ATTRIBUTES constant
This PR was merged into the 4.4 branch.
Discussion
----------
[WebProfilerBundle] Try to display the most useful panel by default
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | yes
| Tickets | -
| License | MIT
| Doc PR | -
Alternative to https://github.com/symfony/symfony/pull/32491, the goal stays the same.
I think reserving a data collector name is fine, isn'it ? It's not likely that end users use this name (that's why I added an underscore) + shouldn't be hard for them to just rename it.
I don't think adding a configuration option to toggle the "_best" behavior is useful, should be by default for DX IMHO.
Not adding an extension point for now (for end users to set their panel as the "best"), maybe later if someone request it?
Commits
-------
a45dd98b73 [WebProfilerBundle] Try to display the most useful panel by default
This PR was merged into the 3.4 branch.
Discussion
----------
[FrameworkBundle] Fix wrong returned status code in ConfigDebugCommand
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix #33747<!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | -
This is a follow-up PR caused by https://github.com/symfony/symfony/pull/33775#discussion_r330463216
Commits
-------
9b5ced20bb [FrameworkBundle] Fix wrong returned status code in ConfigDebugCommand
This PR was submitted for the 4.3 branch but it was merged into the 3.4 branch instead (closes#33781).
Discussion
----------
[AnnotationCacheWarmer] add RedirectController to annotation cache
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#29357
| License | MIT
This prevents to exclude the RedirectController from the warmed annotation cache which would lead to warnings when trying to use the warmed cache on read only file systems
Commits
-------
6b6c246c72 [AnnotationCacheWarmer] add RedirectController to annotation cache
This prevents to exclude the RedirectController from the warmed annotation cache which would lead to warnings when trying to use the warmed cache on read only file systems
See #29357
This PR was merged into the 4.4 branch.
Discussion
----------
[DI] dont mandate a class on inline services with a factory
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
This check is too strict, useless and boring for inline services :)
Commits
-------
a2665d17cd [DI] dont mandate a class on inline services with a factory