This PR was merged into the 2.7 branch.
Discussion
----------
[FrameworkBundle] Specifically inject the debug dispatcher in the collector
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | N/A
| License | MIT
| Doc PR | N/A
This ensures we always collect data about events, even when the `event_dispatcher` service is decorated, no matter the decoration order.
Commits
-------
7b3a641acc [FrameworkBundle] Specifically inject the debug dispatcher in the collector
This PR was merged into the 3.4 branch.
Discussion
----------
[DI] Add "container.hot_path" tag to flag the hot path and inline related services
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
This PR is the result of my quest to squeeze some performance out of 3.4/4.0.
It builds on two ideas:
- a new `container.inline` tag that identifies the services that are *always* needed. This tag is only applied to a very short list of bootstrapping services (`router`, `event_dispatcher`, `http_kernel` and `request_stack` only). Then, it is propagated to all dependencies of these services, with a special case for event listeners, where only listed events are propagated to their related listeners.
- replacing the PHP autoloader by plain inlined `require_once` in generated service factories, with the benefit of completely bypassing the autoloader for services and their class hierarchy.
The end result is significant, even on a simple Hello World.
Here is the Blackfire profile, results are consistent with `ab` benchmarks:
https://blackfire.io/profiles/compare/b5fa5ef0-755c-4967-b990-572305f8f381/graph
![capture du 2017-11-08 16-54-28](https://user-images.githubusercontent.com/243674/32558666-a3f439b2-c4a5-11e7-83a3-db588c3e21e5.png)
Commits
-------
f7cb559a06 [DI] Add "container.hot_path" tag to flag the hot path and inline related services
* 3.3:
Random fixes
Docblock fixes
[HttpKernel] Enhance deprecation message
[SecurityBundle] Fix the datacollector to properly support decision.object being null
This PR was merged into the 3.3 branch.
Discussion
----------
[SecurityBundle] Fix the datacollector to properly support decision.object being null
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #24804
| License | MIT
| Doc PR | N/A
Similar to https://github.com/symfony/symfony/pull/23050, when accessing a `Data` clone property through `__get()` and the value is `null` for instance, you'll really get `null` instead of a `Data` instance. The solution is to use `seek` instead whenever we access and try to use `profiler_dump` on a `Data` property that can be a simple scalar like `null` or `false`. AFAIK, `decision.object` is the only one here.
Commits
-------
769a5f204f [SecurityBundle] Fix the datacollector to properly support decision.object being null
This PR was merged into the 2.8 branch.
Discussion
----------
Fix dump panel hidden when closing a dump
| Q | A
| ------------- | ---
| Branch? | 2.8
| Bug fix? | yes-ish
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
In the dump panel of the debug bar, when closing a dump the panel sometimes gets hidden:
![before](https://user-images.githubusercontent.com/1736542/31867025-615e9c48-b788-11e7-8329-96716c211523.gif)
This is because when the size of the panel is reduced, if the mouse is not over it anymore, the `:hover` pseudo-class does not apply anymore.
I "fixed" it by setting a min-height on the panel when closing a dump. The min-height is removed when leaving the panel _on purpose_:
![after](https://user-images.githubusercontent.com/1736542/31867054-d01a01cc-b788-11e7-9ef7-8418ae2b3094.gif)
For now I only tested it on Firefox 56 on Arch Linux.
Commits
-------
2e0b263d9c Fix dump panel hidden when closing a dump
* 3.3:
[Serializer] Fix extra attributes when no group specified
[Intl] Make intl-data tests pass and save language aliases again
[Console] Fix CommandTester::setInputs() docblock
[Serializer] readd default argument value
[VarDumper] fix trailling comma when dumping an exception
Remove useless docblocks
[FrameworkBundle] Fix docblocks
[PropertyInfo] Remove useless docblocks
This PR was squashed before being merged into the 2.7 branch (closes #24666).
Discussion
----------
[WebProfilerBundle] add missing tests
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | none
| License | MIT
This PR fixes one test in WebDebugToolbarListenerTest and adds one that was missing (more detailed description is available in the commits description)
Commits
-------
363d3a8cf2 [WebProfilerBundle] add missing tests
This PR was merged into the 2.7 branch.
Discussion
----------
[FrameworkBundle][Routing] Remove unused logger argument
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | N/A
| License | MIT
| Doc PR | N/A
This argument was never used as far as the FrameworkBundle Router was.
But actually don't we want to add the `$logger` argument to this class? It's used by the `UrlGenerator` when `router.strict_requirements` is `false` for instance:
<img width="1064" alt="screenshot 2017-10-29 a 09 57 31" src="https://user-images.githubusercontent.com/2211145/32142080-482bc64e-bc90-11e7-8382-b78b507bae48.PNG">
Commits
-------
dc9492eb6f [FrameworkBundle][Routing] Remove unused logger argument
This PR was merged into the 3.4 branch.
Discussion
----------
symfony/form auto-enables symfony/validator, even when not present
| Q | A
| ------------- | ---
| Branch? | 3.4 or master / 2.7, 2.8 or 3.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | not needed
In #24303, we allowed form to be used without the validator component. But, there is a small problem with the logic: the validation system is set to enabled, even if it is not present. If you install form but NOT validator, you see the error:
> Validation support cannot be enabled as the Validator component is not installed.
Assuming the form system really is usable without validation, this should be an easy merge.
Commits
-------
03c0254296 Only enabling validation if it is present
This PR was merged into the 3.4 branch.
Discussion
----------
[HttpKernel] Move services reset to Kernel::handle()+boot()
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #24552
| License | MIT
| Doc PR | -
This is an alternative to #24697 (which uses middlewares).
This PR adds a new `services_resetter` service that the Kernel calls on 2nd root requests to reset services.
Instead of #24697 which plans for optional enabling of the services reset, this approach moves the responsibility of calling the services resetter to the core Kernel class, so that no configuration/middleware/etc. is required at all, and no overhead exists at all for regular requests.
Commits
-------
4501a3688b [HttpKernel] Move services reset to Kernel
* 3.3:
Fixing a bug where non-existent classes would cause issues
[SecurityBundle] hotfix: update phpdocs on logout url
[FrameworkBundle] Do not load property_access.xml if the component isn't installed
Fixed a few spelling mistakes in Luxembourgish translation
* 2.8:
[SecurityBundle] hotfix: update phpdocs on logout url
[FrameworkBundle] Do not load property_access.xml if the component isn't installed
Fixed a few spelling mistakes in Luxembourgish translation
This PR was squashed before being merged into the 2.7 branch (closes #24605).
Discussion
----------
[FrameworkBundle] Do not load property_access.xml if the component isn't installed
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/pull/24563#issuecomment-337549147
| License | MIT
| Doc PR | N/A
This PR actually aims to fix https://github.com/symfony/symfony/pull/24563#issuecomment-337549147 as the exception introduced in the PR can't be reached anyway when using the FrameworkBundle without the property access component as you'll get:
> Uncaught Symfony\Component\Debug\Exception\ClassNotFoundException: Attempted to load class "PropertyAccessor" from namespace "Symfony\Component\PropertyAccess".
With this fix, you properly get:
> The ObjectNormalizer class requires the "PropertyAccess" component. Install "symfony/property-access" to use it.
Not sure this change really belongs to a patch release, but the original PR was accepted in the 2.7 branch.
Also, I'd rather remove the ObjectNormalizer definition if the component isn't available, as suggested by @xabbuh (https://github.com/symfony/symfony/pull/24563#issuecomment-336795644). But in 2.7, this is the only normalizer registered by default and the [`SerializerPass` throws an exception if no normalizer is registered.](https://github.com/symfony/symfony/blob/2.7/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/SerializerPass.php#L46)
To sum up, either:
1. we completely prevent using the FrameworkBundle and the serializer without the property access component, even if you don't really care about the ObjectNormalizer because you only use your own specific ones. (and you'll get the exception hinting to install the property access component)
2. we allow using the FrameworkBundle and the serializer without the property access component, so we remove the ObjectNormalizer definition, but the user'll get a `You must tag at least one service as "serializer.normalizer" to use the Serializer service` exception until he configures a normalizer (and we don't get the hint about installing the property access component to enable the ObjectNormalizer. We already have a suggest entry in the composer.json file, though).
To me option 2 looks better. WDYT?
Commits
-------
d297e27600 [FrameworkBundle] Do not load property_access.xml if the component isn't installed
* 3.3:
Ensure DeprecationErrorHandler::collectDeprecations() is triggered
[FrameworkBundle] Allow to disable assets via framework:assets xml configuration
fixed $_ENV/$_SERVER precedence in test framework
[HttpFoundation] Fix FileBag issue with associative arrays
[DI] Throw when a service name or an alias contains dynamic values (prevent an infinite loop)
fix the phpdoc that is not really inherited from response
Minor docblock cleanup
Remove redundant sprintf arguments.
* 2.8:
[HttpFoundation] Fix FileBag issue with associative arrays
fix the phpdoc that is not really inherited from response
Minor docblock cleanup
Remove redundant sprintf arguments.
* 2.7:
[HttpFoundation] Fix FileBag issue with associative arrays
fix the phpdoc that is not really inherited from response
Minor docblock cleanup
Remove redundant sprintf arguments.
This PR was squashed before being merged into the 3.4 branch (closes #24620).
Discussion
----------
[FrameworkBundle][Workflow] Fix deprectation when checking workflow.registry service in dump command
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
This PR will declare `workflow.registry` as a public service to avoid deprecation when `WorkflowDumpCommand` checks its existence. It only concerns 3.4 since this `isEnabled` method will be removed in 4.0.
Commits
-------
9e75847090 [FrameworkBundle][Workflow] Fix deprectation when checking workflow.registry service in dump command
* 3.3: (22 commits)
[Routing] Fix resource miss
[Security] Fixed auth provider authenticate() cannot return void
declare argument type
[FrameworkBundle][Serializer] Move normalizer/encoders definitions to xml file & remove unnecessary checks
streamed response should return $this
$isClientIpsVali is not used
content can be a resource
Adding the Form default theme files to be warmed up in Twig's cache
Remove BC Break label from `NullDumper` class
Username and password in basic auth are allowed to contain '.'
Remove obsolete PHPDoc from UriSigner
[Serializer] YamlEncoder: throw if the Yaml component isn't installed
[Serializer] ObjectNormalizer: throw if PropertyAccess isn't installed
[PropertyInfo] Add support for the iterable type
pdo session fix
Fixed pathinfo calculation for requests starting with a question mark. - fix bad conflict resolving issue - port symfony/symfony#21968 to 3.3+
Fixed unsetting from loosely equal keys OrderedHashMap
add DOMElement as return type in Crawler::getIterator to support foreach support in ide
Fixed mistake in exception expectation
[Debug] Fix same vendor detection in class loader
...
* 2.8:
[Routing] Fix resource miss
[Security] Fixed auth provider authenticate() cannot return void
declare argument type
streamed response should return $this
content can be a resource
Adding the Form default theme files to be warmed up in Twig's cache
This PR was merged into the 3.4 branch.
Discussion
----------
adding AdapterInterface alias for cache.app
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no-ish
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | TODO
I'd like to add this alias for autowiring. If only `CacheItemPoolInterface` is available, then it's a bit weird to use the extra Symfony cache features (e.g. tagging), as I'm calling methods on the `CacheItemPoolInterface` that don't exist. I'd rather type-hint `AdapterInterface` and confidently call those (+ get auto-complete).
Commits
-------
454f65a77d adding AdapterInterface alias for cache.app
This PR was merged into the 3.4 branch.
Discussion
----------
[HttpFoundation] Make sessions secure and lazy
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | not yet
| Fixed tickets | #6388, #6036, #12375, #12325
| License | MIT
| Doc PR | -
The `SessionUpdateTimestampHandlerInterface` (new to PHP 7.0) is mostly undocumented, and just not implemented anywhere. Yet, it's required to implement session fixation preventions and lazy write in userland session handlers (there is https://wiki.php.net/rfc/session-read_only-lazy_write which describes the behavior.)
By implementing it, we would make Symfony session handling much better and stronger. Meanwhile, doing some cookie headers management, this also gives the opportunity to fix the "don't start if session is only read" issue.
So, here we are for the general idea. Now needs more (and green) tests, and review of course.
Commits
-------
347939c9b3 [HttpFoundation] Make sessions secure and lazy
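The mechanism this description refers to, as an added example (not Symfony's code and not part of this PR): a userland handler implementing `SessionUpdateTimestampHandlerInterface`, so that `session.use_strict_mode` can reject session IDs the store never issued and `session.lazy_write` can skip rewriting unchanged data. The class name `StrictFileSessionHandler` and the storage directory are assumptions, and the typed signatures assume PHP 8.0+.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony code. File-backed handler kept small on purpose.
final class StrictFileSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private string $dir;

    public function __construct(string $dir)
    {
        if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
            throw new RuntimeException("Cannot create session directory: $dir");
        }
        $this->dir = $dir;
    }

    // The session ID comes from a cookie, so it is untrusted input: only accept
    // the alphabet PHP itself generates, which also rules out path traversal.
    private function path(string $id): ?string
    {
        return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1
            ? $this->dir.'/sess_'.$id
            : null;
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $file = $this->path($id);
        if ($file === null || !is_file($file)) {
            return '';
        }
        $data = file_get_contents($file);
        return $data === false ? '' : $data;
    }

    public function write(string $id, string $data): bool
    {
        $file = $this->path($id);
        return $file !== null && file_put_contents($file, $data, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $file = $this->path($id);
        if ($file !== null && is_file($file)) {
            unlink($file);
        }
        return true;
    }

    public function gc(int $max_lifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->dir.'/sess_*') ?: [] as $file) {
            if (filemtime($file) + $max_lifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }

    // Called in strict mode: returning false for an ID with no stored record
    // makes PHP discard the client-supplied ID and generate a fresh one.
    public function validateId(string $id): bool
    {
        $file = $this->path($id);
        return $file !== null && is_file($file);
    }

    // Called instead of write() when lazy_write is on and the data is unchanged:
    // only the modification time moves, so gc() keeps the session alive.
    public function updateTimestamp(string $id, string $data): bool
    {
        $file = $this->path($id);
        return $file !== null && touch($file);
    }
}

ini_set('session.use_strict_mode', '1');
ini_set('session.lazy_write', '1');

$handler = new StrictFileSessionHandler(sys_get_temp_dir().'/demo_sessions');
session_set_save_handler($handler, true);

// Constructed ID that was never issued by this store.
var_dump($handler->validateId('attackerchosenid0000000000'));
```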
* the `phpdocumentor/type-resolver` package was not PHP 7.2 compatible
before release 0.2.1 (see phpDocumentor/TypeResolver@e224fb2)
* the validator must not call `get_class()` if no object but a class
name was passed to the `validatePropertyValue()` method
* 2.8:
fix merge
Fix 7.2 compat layer
Fix PHP 7.2 support
[HttpFoundation] Add missing session.lazy_write config option
[HttpFoundation] Combine Cache-Control headers
[Form] fix parsing invalid floating point numbers
Escape command usage when displaying it in the text descriptor
Use for=ID on radio/checkbox label.
* 2.7:
Fix 7.2 compat layer
Fix PHP 7.2 support
[HttpFoundation] Add missing session.lazy_write config option
[HttpFoundation] Combine Cache-Control headers
[Form] fix parsing invalid floating point numbers
Escape command usage when displaying it in the text descriptor
Use for=ID on radio/checkbox label.
This PR was merged into the 3.4 branch.
Discussion
----------
[Workflow] add guard is_valid() method support
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | Yes
| License | MIT
Workflow guard configuration supports expression language like **is_fully_authenticated()**, **has_role()** or **is_granted()**, etc...
I would like to add the support for a new **is_valid()** expression.
The configuration allows validating the subject against specific validation groups to check if a transition can be applied.
In the next configuration example, my issue must validate the "affectable" validation group to apply the "affect" transition:
```yaml
framework:
    workflows:
        issue:
            marking_store:
                type: single_state
                arguments:
                    - state
            supports: AppBundle\Entity\Issue
            initial_place: created
            places:
                - created
                - affected
                - closed
            transitions:
                affect:
                    guard: "is_valid(subject, ['affectable'])"
                    from: created
                    to: affected
                close:
                    from: completed
                    to: closed
```
Commits
-------
06d8198714 [Workflow] Added tests for the is_valid() guard expression
9499bc291c [Workflow] Added guard 'is_valid()' method support
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Look at headers for switch_user username
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #24260
| License | MIT
| Doc PR | n/a
Allowing `switch_user.parameter` config node to be a header name.
It's supported by SwitchUserStatelessBundle and I think it makes sense.
Forgotten in #24260 so targets 3.4 but not a blocker.
Commits
-------
3c801951c8 [Security] Look at headers for switch user username parameter
* 3.3:
[FrameworkBundle] Fix bad interface hint in AbstractController
[DI] Improve some deprecation messages
[Cache] Fix race condition in TagAwareAdapter
[Yaml] parse references on merge keys
treat trailing backslashes in multi-line strings
This PR was merged into the 3.4 branch.
Discussion
----------
[Bridge\Doctrine][FrameworkBundle] Deprecate some remaining uses of ContainerAwareTrait
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
With this PR, the last two remaining uses of ContainerAwareTrait will be `Symfony\Component\HttpKernel\Bundle\Bundle` and `Symfony\Bundle\FrameworkBundle\Controller\Controller`.
For Bundle, I think it's legitimate, for Controller, I think it's not, but that we should wait for 4.1 before considering its deprecation, alongside with `ContainerAwareCommand` (maybe).
Commits
-------
df9c8748e3 [Bridge\Doctrine][FrameworkBundle] Deprecate some remaining uses of ContainerAwareTrait
This PR was merged into the 3.4 branch.
Discussion
----------
[FrameworkBundle] Make Controller helpers final
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
I propose to make all ControllerTrait methods final so we can add type hints.
I also propose to add ControllerTrait::has/get so that AbstractController also has the methods.
This will help move from Controller to AbstractController.
Commits
-------
bbc52a1d14 [FrameworkBundle] Make Controller helpers final
* 3.3: (23 commits)
Tests and fix for issue in array model data in EntityType field with multiple=true
[Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible
removed useless PHPDoc
[Form] Fix FormInterface::submit() annotation
[PHPUnitBridge] don't remove when set to empty string
PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
HttpCache does not consider ESI resources in HEAD requests
Fix translation for "This field was not expected"
[Routing] Enhance Route(Collection) docblocks
Added improvement for accuracy in MoneyToLocalizedStringTransformer.
Removed unused private property
Use correct verb form in the pull request template
Use PHP_MAXPATHLEN in Filesystem.
Added null as explicit return type (?TokenInterface)
[FrameworkBundle] Fix Routing\DelegatingLoader
Render all line breaks according to the exception message
[Form] Fix phpdoc
[DI] remove confusing code
[Form] Fixed GroupSequence with "constraints" option
[Validator] Clarify UUID validator behavior
...
* 2.8: (22 commits)
Tests and fix for issue in array model data in EntityType field with multiple=true
[Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible
removed useless PHPDoc
[Form] Fix FormInterface::submit() annotation
PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
HttpCache does not consider ESI resources in HEAD requests
Fix translation for "This field was not expected"
[Routing] Enhance Route(Collection) docblocks
Added improvement for accuracy in MoneyToLocalizedStringTransformer.
Removed unused private property
Use correct verb form in the pull request template
Use PHP_MAXPATHLEN in Filesystem.
Added null as explicit return type (?TokenInterface)
[FrameworkBundle] Fix Routing\DelegatingLoader
Render all line breaks according to the exception message
[Form] Fix phpdoc
[DI] remove confusing code
[Form] Fixed GroupSequence with "constraints" option
[Validator] Clarify UUID validator behavior
[Filesystem] Fixed makePathRelative
...
* 2.7: (22 commits)
Tests and fix for issue in array model data in EntityType field with multiple=true
[Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible
removed useless PHPDoc
[Form] Fix FormInterface::submit() annotation
PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
HttpCache does not consider ESI resources in HEAD requests
Fix translation for "This field was not expected"
[Routing] Enhance Route(Collection) docblocks
Added improvement for accuracy in MoneyToLocalizedStringTransformer.
Removed unused private property
Use correct verb form in the pull request template
Use PHP_MAXPATHLEN in Filesystem.
Added null as explicit return type (?TokenInterface)
[FrameworkBundle] Fix Routing\DelegatingLoader
Render all line breaks according to the exception message
[Form] Fix phpdoc
[DI] remove confusing code
[Form] Fixed GroupSequence with "constraints" option
[Validator] Clarify UUID validator behavior
[Filesystem] Fixed makePathRelative
...
This PR was merged into the 3.4 branch.
Discussion
----------
[FrameworkBundle] Don't clear app pools on cache:clear
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no, but behavior change
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #23685
| License | MIT
| Doc PR | -
The cache:clear command currently clears all cache pools by default.
This is not expected and is a bad default behavior (as explained in linked issue).
If we don't want to have that behavior forever, I see no other option than just doing the change, as done here, targeting 3.4.
Commits
-------
b0c04f8354 [FrameworkBundle] Don't clear app pools on cache:clear
This PR was merged into the 3.4 branch.
Discussion
----------
[FrameworkBundle] Register a NullLogger from test kernels
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | N/A
| License | MIT
| Doc PR | N/A
Relates to #24300
This will avoid unnecessary output on Travis or when running FrameworkBundle tests locally:
- before: https://travis-ci.org/symfony/symfony/jobs/281624658#L3594-L3635
- after: https://travis-ci.org/symfony/symfony/jobs/281643868#L3599-L3617
but also needed for anyone running functional tests on their project and using the default logger, in order to not get garbage output.
Do we need to find a more generic solution (like exposing a `framework.default_logger` option so users can set it to false for test)? Or just documenting this?
Commits
-------
c109dcd5ae [FrameworkBundle] Register a NullLogger from test kernels
This PR was merged into the 3.4 branch.
Discussion
----------
[SecurityBundle] Deprecate auto picking the first provider
when no provider is explicitly configured on a firewall
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | https://symfony-devs.slack.com/archives/C3A2XAQ20/p1506626210000345
| License | MIT
| Doc PR | N/A
From @Pierstoval on Slack:
> Hey, guys, I learnt a few days ago that if you don't specify a user provider in a firewall configuration, the security will use the first one in the list. Doesn't anyone think specifying the user provider should be mandatory? Or at least mandatory if we have more than one provider registered?
- [x] UPGRADE files
- [x] CHANGELOG
- [x] Fix other tests
- [x] Removal PR #24380
Commits
-------
2d1e3347a6 [SecurityBundle] Deprecate auto picking the first provider
This PR was squashed before being merged into the 3.4 branch (closes #24300).
Discussion
----------
[HttpKernel][FrameworkBundle] Add a minimalist default PSR-3 logger
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
This PR provides a minimalist PSR-3 logger that is always available when FrameworkBundle is installed.
By default, it writes errors on `stderr`, regular logs on `stdout` and discards debug data (this is configurable).
This approach has several benefits:
- It's what the logging systems of major containerization and orchestration tools, including [Docker](https://docs.docker.com/engine/admin/logging/view_container_logs/) and [Kubernetes](https://kubernetes.io/docs/concepts/cluster-administration/logging/), as well as most cloud providers such as [Heroku](https://devcenter.heroku.com/articles/logging#writing-to-your-log) and [Google Container Engine](https://kubernetes.io/docs/tasks/debug-application-cluster/logging-stackdriver/), expect from an app. If the app follows this standard (and it's not currently the case with Symfony by default) logs will be automatically collected, aggregated and stored.
- It's in sync with the "back to Unix roots" philosophy of Flex
- Logs are directly displayed in the console when running the integrated PHP web server (`bin/console server:start` or Flex's `make serve`), Create React App also does that for instance.
- It fixes a common problem when installing Flex recipes: many bundles expect a logger service but currently there is none available by default, and you usually get a `"logger" service not found error` (because packages depend on the PSR, but the PSR doesn't provide a logger service).
Commits
-------
9a06513ec7 [HttpKernel][FrameworkBundle] Add a minimalist default PSR-3 logger
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Argon2i Password Encoder
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | WIP
Since the [libsodium RFC](https://wiki.php.net/rfc/libsodium) passed with flying colours, I'd like to kick start a discussion about adding Argon2i as a password encoder to the security component. The initial code proposal in this PR supports both the upcoming public API confirmed for PHP 7.2, and the [libsodium PECL extension](https://pecl.php.net/package/libsodium) for those below 7.2 (available for PHP 5.4+).
#### Concerns
- Should the test cover hash length? At the moment the result of Argon2i is 96 characters, but because the hashing parameters are included in the result (`$argon2i$v=19$m=32768,t=4,p=1$...`) this is not guaranteed.
- I've used one password encoder class because the result *should* be the same whether running natively in 7.2 or from the PECL extension, but should the logic be split out into separate private methods (like `Argon2iPasswordEncoder::encodePassword()`) or not (like in `Argon2iPasswordEncoder::isPasswordValid()`)? Since I can't really find anything concrete on Symfony choosing one way over another I'm assuming it's down to personal preference?
#### The Future
Whilst the libsodium RFC has been approved and the public API confirmed, there has been no confirmation of Argon2i becoming an official algorithm for `password_hash()`. If that is confirmed, then the implementation should *absolutely* use the native `password_*` functions since the `sodium_*` functions do not have an equivalent to the `password_needs_rehash()` function.
Any feedback would be greatly appreciated 😃
Commits
-------
be093dd79a Argon2i Password Encoder
Add the Argon2i hashing algorithm provided by libsodium as a core encoder in the Security component, and enable it in the SecurityBundle.
Credit to @chalasr for help with unit tests.
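An added example (not Symfony's `Argon2iPasswordEncoder` and not code from this PR) covering the two points raised above: the cost parameters are embedded in the encoded hash, so its length depends on them, and `password_needs_rehash()` lets a login upgrade an old hash. It uses PHP's native `password_*` API and assumes PHP 7.2+ built with Argon2 support; `parseArgon2Hash`, `verifyAndUpgrade`, `TARGET_OPTIONS` and the `$persist` callback are hypothetical names.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony code.
// Assumes PHP >= 7.2 built with Argon2 support (PASSWORD_ARGON2I is defined).

// Target cost parameters; they mirror the hash prefix quoted in the PR text.
const TARGET_OPTIONS = ['memory_cost' => 32768, 'time_cost' => 4, 'threads' => 1];

/** Split an encoded Argon2 hash into its embedded parameters, or null if malformed. */
function parseArgon2Hash(string $encoded): ?array
{
    // Layout: $argon2i$v=19$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<digest>
    $re = '~^\$(argon2id?)\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$~';
    if (preg_match($re, $encoded, $m) !== 1) {
        return null;
    }

    return [
        'algo' => $m[1],
        'version' => (int) $m[2],
        'memory_cost' => (int) $m[3],
        'time_cost' => (int) $m[4],
        'threads' => (int) $m[5],
        'salt_b64' => $m[6],
        'hash_b64' => $m[7],
    ];
}

/**
 * Verify a login and, when the stored hash was produced with parameters other
 * than TARGET_OPTIONS, re-hash while the plaintext is still available.
 * $persist is a hypothetical callback that stores the new hash for the user.
 */
function verifyAndUpgrade(string $plain, string $stored, callable $persist): bool
{
    if (!password_verify($plain, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_ARGON2I, TARGET_OPTIONS)) {
        $persist(password_hash($plain, PASSWORD_ARGON2I, TARGET_OPTIONS));
    }

    return true;
}

// Constructed demo: a hash created with weaker parameters is upgraded on login.
$stored = password_hash(
    'correct horse',
    PASSWORD_ARGON2I,
    ['memory_cost' => 8192, 'time_cost' => 3, 'threads' => 1]
);
$before = $stored;

$ok = verifyAndUpgrade('correct horse', $stored, function (string $new) use (&$stored): void {
    $stored = $new;
});

// The encoded length differs between the two hashes because the decimal
// parameters are part of the string, which is why a fixed-length assertion
// in a test is fragile.
foreach (['before' => $before, 'after' => $stored] as $label => $hash) {
    $p = parseArgon2Hash($hash);
    printf(
        "%-6s m=%d t=%d p=%d length=%d\n",
        $label,
        $p['memory_cost'],
        $p['time_cost'],
        $p['threads'],
        strlen($hash)
    );
}

// A wrong password never reaches the re-hash branch.
var_dump($ok, verifyAndUpgrade('wrong password', $stored, function (string $new): void {}));
```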
This PR was merged into the 3.4 branch.
Discussion
----------
[TwigBundle] Improve the overriding of bundle templates
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #17557
| License | MIT
| Doc PR | -
### [Overriding a Template that also extends itself](https://twig.symfony.com/doc/2.x/recipes.html#overriding-a-template-that-also-extends-itself)
Now that bundles inheritance is deprecated and removed (#24160, #24161), I'm wondering if we can solve this old issue defining an exclusive namespace only for root bundles in `3.4` just bundles in `4.0`:
```yaml
twig:
    paths:
        # adding paths behind the scene into TwigExtension
        app/Resources/FooBundle/views: Foo
        vendor/acme/foo-bundle/Resources/views: Foo
        vendor/acme/foo-bundle/Resources/views: !Foo # exclusive
```
Thus, one can decide when to use the exclusive namespace to avoid the issue and then [we could also say](http://symfony.com/doc/current/templating/overriding.html):
> To override the bundle template partially (which contains `block`), create a new `index.html.twig` template in `app/Resources/AcmeBlogBundle/views/Blog/index.html.twig` and extend from `@!AcmeBlogBundle/Blog/index.html.twig` to customize the bundle template:
```twig
{# app/Resources/FooBundle/views/layout.html.twig #}
{# this does not work: circular reference to itself #}
{% extends '@Foo/layout.html.twig' %}
{# this will work: load bundle layout template #}
{% extends '@!Foo/layout.html.twig' %}
{% block title 'New title' %}
```
I hear other suggestions about the exclusive namespace.
We will need to update http://symfony.com/doc/current/templating.html#referencing-templates-in-a-bundle too to add this convention.
WDYT?
Commits
-------
0a658c6eef Add exclusive Twig namespace for bundles path
This PR was merged into the 3.4 branch.
Discussion
----------
[HttpKernel] Deprecate some compiler passes in favor of tagged iterator args
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
More code that we can drop :)
Commits
-------
fa62e5068e [HttpKernel] Deprecate some compiler passes in favor of tagged iterator args
This PR was merged into the 3.4 branch.
Discussion
----------
[Lock] Use cache connection factories in lock
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no (feature removal)
| BC breaks? | no (if merged in 3.4)
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
An alternative to https://github.com/symfony/symfony/pull/24267 to share code between cache and lock.
Commits
-------
95358ac98f Share connection factories between cache and lock
This PR was squashed before being merged into the 3.4 branch (closes #21027).
Discussion
----------
[Asset] Provide default context
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #19396
| License | MIT
| Doc PR | should be noted somewhere, I'll create an issue
Allows configuring the default asset context to make things work on CLI for example. Same approach as the routing component.
Introduces
```yaml
# parameters.yml
asset.request_context.base_path: '/base/path'
asset.request_context.secure: false
```
Commits
-------
9137d57ecd [Asset] Provide default context
This PR was squashed before being merged into the 3.4 branch (closes #24337).
Discussion
----------
Adding a shortcuts for the main security functionality
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | none
| License | MIT
| Doc PR | Big ol' TODO
I'd like one class that I can inject (especially with autowiring) to get access to the User and `isGranted()` methods. This is *really* important... because to get the User currently, you need to type-hint `TokenStorageInterface`... and there are *two*! That's really bad DX!
Questions:
A) I hi-jacked the existing `Security` class... I wanted a simple class called Security
B) I called the service `security.helper`... for lack of a better id.
C) I did not make `Security` implement the 2 other interfaces (`TokenStorageInterface`, `AuthorizationCheckerInterface`... but I suppose we could?)
Cheers!
Commits
-------
0851189 Adding a shortcuts for the main security functionality
This PR was merged into the 3.4 branch.
Discussion
----------
[TwigBundle] register an identity translator as fallback
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/pull/24303#issuecomment-331864529
| License | MIT
| Doc PR |
The Form component can be used without the Translation component.
However, to be able to use the default form themes provided by the
TwigBridge you need to have the `trans` filter to be available.
This change ensures that there will always be a `trans` filter which as
a fallback will just return the message key if no translator is present.
Commits
-------
f0876e5927 register an identity translator as fallback
This PR was merged into the 3.4 branch.
Discussion
----------
[FrameworkBundle] register class metadata factory alias
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #24296
| License | MIT
| Doc PR |
Commits
-------
d0235a00cc register class metadata factory alias
* 3.3:
Set a NullLogger in ApcuAdapter when Apcu is disabled in CLI
Minor reword
[HttpKernel] Make array vs "::" controller definitions consistent
Fix tests
[TwigBundle] Remove profiler related scripting
[TwigBundle][WebProfilerBundle] Switch to DOMContentLoaded event
[WebProfilerBundle] Hide inactive tabs from CSS
[TwigBundle] Make deprecations scream in logs
[TwigBundle] Hide logs if unavailable, i.e. webprofiler
[TwigBundle] Break long lines in exceptions
[WebProfilerBundle] Added missing link to profile token
[DI] Fix decorated service merge in ResolveInstanceofConditionalsPass
Preserve URI fragment in HttpUtils::generateUri()
[PhpUnitBridge] do not require an error context
The Form component can be used without the Translation component.
However, to be able to use the default form themes provided by the
TwigBridge you need to have the `trans` filter to be available.
This change ensures that there will always be a `trans` filter which as
a fallback will just return the message key if no translator is present.
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Saltless Encoder Interface
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
A new interface for encoders that do not require a user-generated salt (generate their own built-in) as suggested by @stof ([comment](https://github.com/symfony/symfony/pull/21604/files#r101225470)), this will become useful as more password encoders are added in the future (such as symfony/symfony#21604).
Commits
-------
7c4aa0bccb Saltless Encoder Interface
This PR was squashed before being merged into the 3.3 branch (closes #24244).
Discussion
----------
TwigBundle exception/deprecation tweaks
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes/no
| Fixed tickets | #...
| License | MIT
| Doc PR | symfony/symfony-docs#...
- 1st commit) if you view an exception in the profiler, there is no logger available. Making the tab useless, disabled state is now triggered at zero log messages. There's a specialized panel here.
- 2nd commit) when an exception occurs this highlights deprecations in the log table outside the profiler with a warning status. This follows the same signal colors in the profiler.
- 3rd commit) hide the default inactive tabs from CSS to avoid scrollbar flickering.
- 4th commit) favors document.DOMContentLoaded over window.load, we don't want to wait for images to be loaded
Further out-of-scope improvements could be;
- From https://github.com/symfony/symfony/pull/24191; I think the logs table should show a direct `View file` link for every error/deprecation/red or yellow line in here. Traversing with `Show context` is tedious.
- links to file.php for your trigger_error() calls
- links to config.yml for trigger_error() calls by SF
- From #24151; having the same tooling on both sides is nice
- Events/Translations logs are noise, we have specialized panels for those. To further reduce the overall page size container logs can be moved away too, linked from Configuration and/or Logs. Also see #23247
Commits
-------
1c595fcf48 [TwigBundle][WebProfilerBundle] Switch to DOMContentLoaded event
ea4b0966ab [WebProfilerBundle] Hide inactive tabs from CSS
0c10f97f98 [TwigBundle] Make deprecations scream in logs
03cd9e553b [TwigBundle] Hide logs if unavailable, i.e. webprofiler
This PR was merged into the 3.4 branch.
Discussion
----------
[FrameworkBundle] Enable assets with templates only if the Asset component is installed
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | -
Commits
-------
5bc0b0527e [FrameworkBundle] Enable assets with templates only if the Asset component is installed
This PR was merged into the 3.3 branch.
Discussion
----------
[TwigBundle] Remove profiler related scripting
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #...
| License | MIT
| Doc PR | symfony/symfony-docs#...
For sanity.
Also in case of an exception page we conflict with the profiler scripting/css.
```
Uncaught TypeError: Cannot set property 'className' of null
```
Happens because `Sfjs.createTabs` from the profiler tries to process tabs again, which twig has already done. The code doesn't handle this gracefully.
In case of ajax request (edgy yes) we see the CSS conflicting;
![image](https://user-images.githubusercontent.com/1047696/30712781-7680c8d2-9f0d-11e7-8a6c-27f460c1e780.png)
Note the table borders. Not sure how and if we want to solve this nor what it might affect otherwise; open for now.
Commits
-------
eb520e1e5b Minor reword
02dcdca014 [TwigBundle] Remove profiler related scripting
This PR was merged into the 3.4 branch.
Discussion
----------
Forward compatibility for the removal of bundle inheritance in 4.0
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Compat layer so that 3.4 and master combinations of framework/twig bundles and http-kernel work together.
Commits
-------
fba7e543d1 added foward compatibility for the removal of bundle inheritance in 4.0
This PR was squashed before being merged into the 3.4 branch (closes #24239).
Discussion
----------
[HttpFoundation] Deprecate compatibility with PHP <5.4 sessions
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
This PR removes functionality added in Symfony 2.1 as a compatibility layer with sessions from PHP <5.4.
- [x] Fix tests
Commits
-------
3deb3940ab [HttpFoundation] Deprecate compatibility with PHP <5.4 sessions
This PR was squashed before being merged into the 3.4 branch (closes #23882).
Discussion
----------
[Security] Deprecated not being logged out after user change
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | #17023
| License | MIT
| Doc PR | ~
This PR is an alternative approach to #19033. Due to a behavioral change that could break a lot of applications and websites, I've decided to trigger a deprecation instead of actually changing the behavior as that can be done for 4.0.
Whenever a user object is considered changed (`AbstractToken::hasUserChanged`) when setting a new user object after refreshing, it will now throw a deprecation, paving the way for a behavioral change in 4.0. The idea is that in 4.0 Symfony will simply trigger a logout when this case is encountered.
Commits
-------
22f525b [Security] Deprecated not being logged out after user change
This PR was merged into the 3.4 branch.
Discussion
----------
[Cache] Add ResettableInterface to allow resetting any pool's local state
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
To allow pools to leverage #24155 so that they can be used in multi-request loops.
Commits
-------
14c91f2 [Cache] Add ResettableInterface to allow resetting any pool's local state
This PR was merged into the 3.4 branch.
Discussion
----------
[DI] Turn services and aliases private by default, with BC layer
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | #20048
| License | MIT
| Doc PR | -
With this PR, all services and aliases are made private by default.
This is done in a BC way, thanks to the layer introduced in #24104.
We will require bundles to explicitly opt-in for "public", either using "defaults", or stating `public="true"` explicitly. Same in DI extension, where calling `->setPublic(true)` will be required in 4.0.
Commits
-------
9948b09 [DI] Turn services and aliases private by default, with BC layer
This PR was merged into the 3.4 branch.
Discussion
----------
[DebugBundle] Fix the var-dumper requirement in composer.json
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
The v3.4 of the debug bundle calls `VarCloner::setMinDepth()` and thus requires v3.4+ of the var-dumper component. However, the composer file has not been updated in 30cd70d.
I upped the var-dumper requirement to `~3.4|~4.0`.
Commits
-------
d761a76 Require v3.4+ of the var-dumper component
This PR was squashed before being merged into the 3.4 branch (closes #23747).
Discussion
----------
[Serializer][FrameworkBundle] Add a DateInterval normalizer
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | https://github.com/symfony/symfony-docs/pull/8267
Could be useful for APIs needing to submit a duration.
Most code has been adapted from @MisatoTremor's DateInterval form type. Credits to him.
Commits
-------
6185cb1991 [Serializer][FrameworkBundle] Add a DateInterval normalizer
* 2.8:
[CS][2.7] yoda_style, no_unneeded_curly_braces, no_unneeded_final_method, semicolon_after_instruction
[Filesystem] mirror - fix copying content with same name as source/target.
.php_cs.dist - simplify config
[WebProfilerBundle] fixed TemplateManager when using Twig 2 without compat interfaces
* 2.7:
[Filesystem] mirror - fix copying content with same name as source/target.
.php_cs.dist - simplify config
[WebProfilerBundle] fixed TemplateManager when using Twig 2 without compat interfaces