This PR was merged into the 3.4 branch.
Discussion
----------
[Routing][ServiceRouterLoader] Remove an outdated comment
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Since 0043653ea8, this comment is technically false.
Commits
-------
a2b73489dd [Routing][ServiceRouterLoader] Remove an outdated comment
This PR was squashed before being merged into the 3.4 branch (closes#30392).
Discussion
----------
[PropertyAccess] Fixed PropertyPathBuilder remove that fails to reset internal indexes
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #30389
| License | MIT
| Doc PR | -
In addition to the fix (first commit), this PR adds \ to all not-yet-prefixed native functions in the PropertyPathBuilder (second commit).
NB: the behavior fixed here actually appeared in 2.2
Commits
-------
479dff4f8a [PropertyAccess] Fixed PropertyPathBuilder remove that fails to reset internal indexes
This PR was merged into the 4.3-dev branch.
Discussion
----------
[FrameworkBundle][Routing] allow boolean container parameters for routes
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #30366
| License | MIT
| Doc PR | https://github.com/symfony/symfony-docs/pull/11059
This fixes https://github.com/symfony/symfony/issues/30366 and adds support for boolean container parameters in route conditions, defaults etc.
Commits
-------
21f4e38800 [FrameworkBundle][Routing] allow boolean container parameters for routes
This PR was squashed before being merged into the 4.3-dev branch (closes#29661).
Discussion
----------
[Filesystem] Support resources and deprecate using arrays in dumpFile() and appendToFile()
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Running PHPStan on my project picked up that passing a resource to `Filesystem::dumpFile()` didn't match the documented type.
I found this has been discussed in #20980 and #28019, without a clear result. But, my reading is that only strings should be supported. While I think that not supporting streams makes this a lot less useful (and I'm going to switch away from it), this does need to be resolved. So, I've deprecated using arrays and resources.
Commits
-------
0eaf9d2474 [Filesystem] Support resources and deprecate using arrays in dumpFile() and appendToFile()
* 4.2:
Removed non-existing parameters for LogoutUrlGenerator calls
[WebProfilerBundle] toolbar: invisible route name in Firefox
Drop spurious execution bit
[HttpKernel] Correctly merging cache directives in HttpCache/ResponseCacheStrategy
[Validator] Add the missing translations for the Latvian ("lv") locale
Fixed the DebugClassLoader compatibility with eval()'d code on Darwin
[Validator] Update Serbian translation file
* 3.4:
Removed non-existing parameters for LogoutUrlGenerator calls
[HttpKernel] Correctly merging cache directives in HttpCache/ResponseCacheStrategy
[Validator] Add the missing translations for the Latvian ("lv") locale
Fixed the DebugClassLoader compatibility with eval()'d code on Darwin
[Validator] Update Serbian translation file
This PR was merged into the 4.3-dev branch.
Discussion
----------
[Form] be able to specify the input format for times
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
This expands the work started in #29887 to also allow to configure the input format for string inputs in the `TimeType`.
Commits
-------
2d9bc18c1b be able to specify the input format for times
This PR was merged into the 4.3-dev branch.
Discussion
----------
[PropertyInfo] Removes useless namespace
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | ~
| License | MIT
| Doc PR | ~
Removes a duplicated namespace in test file. The target branch is `master` because [this feature](f6510cda40) was not released yet.
Commits
-------
b3d536f04d [PropertyInfo] Removed useless namespace
This PR was squashed before being merged into the 3.4 branch (closes#30406).
Discussion
----------
Removed non-existing parameters for LogoutUrlGenerator calls
| Q | A
| ------------- | ---
| Branch? | 3.4 <!-- see below -->
| Bug fix? | no
| New feature? | no <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | #... <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
Is there a reason these arguments are in place, though they dont actually exist as parameters for `LogoutUrlGenerator::getLogoutPath` and `::getLogoutUrl`?
see https://github.com/symfony/symfony/blob/3.4/src/Symfony/Component/Security/Http/Logout/LogoutUrlGenerator.php#L76
and https://github.com/symfony/symfony/blob/3.4/src/Symfony/Component/Security/Http/Logout/LogoutUrlGenerator.php#L88
If there is no reason, this PR can be merged, because this parameter makes no sense there. ;-)
Commits
-------
d3ee2b676e Removed non-existing parameters for LogoutUrlGenerator calls
This PR was merged into the 4.3-dev branch.
Discussion
----------
Mime messages
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | many on Swiftmailer
| License | MIT
| Doc PR | upcoming
As announced today at SymfonyLive Lille, here is the new MIME component.
This PR is one step towards the new Symfony Mailer (announced at Symfony London). It started as a fork of Swiftmailer, but soon enough I rewrote almost everything to make it (hopefully) better and more flexible. I've removed all the complexity of Swiftmailer when it comes to multiparts for instance.
Some big differences with Swiftmailer:
* Way less complexity (no crazy dependency injection when not needed, less interfaces, no cache)
* Plain data object and no state (out are the observers for charset and encoding, in are POPO and serializable objects)
* No magic regarding multipart management, but a nice wrapper for the most common use cases
swiftmailer/swiftmailer#434swiftmailer/swiftmailer#775swiftmailer/swiftmailer#946swiftmailer/swiftmailer#615swiftmailer/swiftmailer#184swiftmailer/swiftmailer#56
and probably many others
* More Symfony-like
* Messages are built on-demand and we do not mess up with your headers/body (Swiftmailer add headers and change yours, but here, we generate needed headers when converting the message as a string, they are not stored -- it means for instance that generating an Email twice will give you 2 different Date headers)
* and probably more that I don't remember right now
I've also kept some nice features from Swiftmailer like support for any charset.
More information on the slides:
https://speakerdeck.com/fabpot/2-new-symfony-components-httpclient-and-mime
Commits
-------
ee787d17b4 [Mime] added classes for generating MIME messages
This PR was squashed before being merged into the 4.2 branch (closes#30383).
Discussion
----------
[WebProfilerBundle] toolbar: invisible route name in Firefox
| Q | A
| ------------- | ---
| Branch? | 4.2
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #29858
| License | MIT
| Doc PR | -
This fixes#29858, fixing a bug that prevents Route name displaying in debug toolbar on Firefox
Commits
-------
6b6bd453e1 [WebProfilerBundle] toolbar: invisible route name in Firefox
This PR was merged into the 4.2 branch.
Discussion
----------
Drop spurious execution bit
| Q | A
| ------------- | ---
| Branch? | 4.2 for bug fixes
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | none
| License | MIT
| Doc PR | none
The execution bit seems to have been added by mistake in #28626.
Commits
-------
93dab5c381 Drop spurious execution bit
This PR was merged into the 4.3-dev branch.
Discussion
----------
[Security] deprecate the Role and SwitchUserRole classes
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | #20824
| License | MIT
| Doc PR | symfony/symfony-docs#11047
In #20801, we deprecated the `RoleInterface`. The next logical step would be to also deprecate the `Role` class. However, we currently have the `SwitchUserRole` class (a sub-class of `Role`) that acts as an indicator to check whether or not the authenticated user switched to another user.
This PR proposes an alternative solution to the usage of the special `SwitchUserRole` class by storing the original token inside the `UsernamePasswordToken`. This PR is not complete, but rather acts as a proof of concept of how we could get rid of the `Role` and the `SwitchUserRole` classes.
Please share your opinions whether you think this is a valid approach and I will be happy to finalise the PR.
Commits
-------
d7aaa615b9 deprecate the Role and SwitchUserRole classes
This PR was merged into the 3.4 branch.
Discussion
----------
[Validator] Add the missing translations for the Latvian ("lv") locale #30174Fixes#30174
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #30174
| License | MIT
| Doc PR | -
Commits
-------
86b8c253c7 [Validator] Add the missing translations for the Latvian ("lv") locale
This PR was squashed before being merged into the 3.4 branch (closes#26532).
Discussion
----------
[HttpKernel] Correctly merging cache directives in HttpCache/ResponseCacheStrategy
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #26245, #26352, #28872
| License | MIT
| Doc PR | -
This PR is a first draft to fix the incorrect merging of private and other cache-related headers that are not meant for the shared cache but the browser (see mentioned issues).
The existing implementation of `HttpFoundation\Response` is very much tailored to the `HttpCache`, for example `isCacheable` returns `false` if the response is `private`, which is not true for a browser cache. That is why my implementation does not longer use much of the response methods. They are however still used by the `HttpCache` and we should keep them as-is. FYI, the `ResponseCacheStrategy` does **not** affect the stored data of `HttpCache` but is only applied to the result of multiple merged subrequests/ESI responses.
I did read up a lot on RFC2616 as a reference. [Section 13.4](https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.4) gives an overall view of when a response MAY be cached. [Section 14.9.1](https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.1) has more insight into the `Cache-Control` directives.
Here's a summary of the relevant information I applied to the implementation:
- > Unless specifically constrained by a cache-control (section 14.9) directive, a caching system MAY always store a successful response (see section 13.8) as a cache entry, MAY return it without validation if it is fresh, and MAY return it after successful validation.
A response without cache control headers is totally fine, and it's up to the cache (shared or private) to decide what to do with it. That is why the implementation does not longer set `no-cache` if no `Cache-Control` headers are present.
- > A response received with a status code of 200, 203, 206, 300, 301 or 410 MAY be stored […] unless a cache-control directive prohibits caching.
> A response received with any other status code (e.g. status codes 302 and 307) MUST NOT be returned […] unless there are cache-control directives or another header(s) that explicitly allow it.
This is what `ResponseCacheStrategy::isUncacheable` implements to decide whether a response is not cacheable at all. It differs from `Response::isCacheable` which only returns true if there are actual `Cache-Control` headers.
- > [Section 13.2.3](https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.2.3): When a response is generated from a cache entry, the cache MUST include a single Age header field in the response with a value equal to the cache entry's current_age.
That's why the implementation **always** adds the `Age` header. It takes the oldest age of any of the responses as common denominator for the content.
- > [Section 14.9.3](https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.3): If a response includes an s-maxage directive, then for a shared cache (but not for a private cache), the maximum age specified by this directive overrides the maximum age specified by either the max-age directive or the Expires header.
This effectively means that `max-age`, `s-maxage` and `Expires` must all be kept on the response. My implementation assumes that we can only do that if they exist in **all** of the responses, and then takes the lowest value of any of them. Be aware the implementation might look confusing at first. Due to the fact that the `Age` header might come from another subresponse than the lowest expiration value, the values are stored relative to the current response date and then re-calculated based on the age header.
The Symfony implementation did not and still does not implement the full RFC. As an example, some of the `Cache-Control` headers (like `private` and `no-cache`) MAY actually have a string value, but the implementation only supports boolean. Also, [Custom `Cache-Control` headers](https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.6) are currently not merged into the final response.
**ToDo/Questions:**
1. [Section 13.5.2](https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.5.2) specifies that we must add a [`Warning 214 Transformation applied`](https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.46) if we modify the response headers.
2. Should we add an `Expires` headers based on `max-age` if none is explicitly set in the responses? This would essentially provide the same information as `max-age` but with support for HTTP/1.0 proxies/clients.
3. I'm not sure about the implemented handling of the `private` directive. The directive is currently only added to the final response if it is present in all of the subresponses. This can effectively result in no cache-control directive, which does not tell a shared cache that the response must not be cached. However, adding a `private` might also tell a browser to actually cache it, even though non of the other responses asked for that.
4. > [Section 14.9.2](https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.2): The purpose of the `no-store` directive is to prevent the inadvertent release or retention of sensitive information […]. The `no-store` directive applies to the entire message, and MAY be sent either in a response or in a request. If sent in a request, a cache MUST NOT store any part of either this request or any response to it. If sent in a response, a cache MUST NOT store any part of either this response or the request that elicited it.
I have not (yet) validated whether the `HttpCache` implementation respects any of this.
5. As far as I understand, the current implementation of [`ResponseHeaderBag::computeCacheControlValue`](https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpFoundation/ResponseHeaderBag.php#L313) is incorrect. `no-cache` means a response [must not be cached by a shared or private cache](https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.1), which overrides `private` automatically.
5. The unit tests are still very limited and I want to add plenty more to test and sort-of describe the implementation or assumptions on the RFC.
/cc @nicolas-grekas
#SymfonyConHackday2018
Commits
-------
893118f978 [HttpKernel] Correctly merging cache directives in HttpCache/ResponseCacheStrategy
This PR was squashed before being merged into the 3.4 branch (closes#30363).
Discussion
----------
Fixed the DebugClassLoader compatibility with eval()'d code on Darwin
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #30362
| License | MIT
When a class is defined in an `eval()` block, the reported file name is `file_name.php(123) : eval()'d code`, which prevents `DebugClassLoader::darwinRealpath()` from locating/normalizing the file name, and triggers a notice.
Commits
-------
6c2aa2446d Fixed the DebugClassLoader compatibility with eval()'d code on Darwin
This PR was merged into the 4.2 branch.
Discussion
----------
[FrameworkBundle] Removed eval() from KernelShutdownOnTearDownTrait
| Q | A
| ------------- | ---
| Branch? | 4.2
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| License | MIT
Apart from triggering the #30362 bug, the `eval()` block from #30124 also broke my workflow: static code analyzers don't like this, and the trait even crashes PHPStan.
It may also bring up other compatibility issues to other people (ie: I know companies that completely disable `eval()` on their servers).
As it was only required to keep the trait compatible with PHP 5.x, it is unnecessary on 4.x that requires PHP 7.1+, and this PR removes it on the 4.2 branch.
Commits
-------
324b70afa3 Removed eval() from KernelShutdownOnTearDownTrait