This PR was squashed before being merged into the 4.4 branch (closes#33584).
Discussion
----------
[Security] Deprecate isGranted()/decide() on more than one attribute
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | yes
| Tickets | -
| License | MIT
| Doc PR | tbd
While I expect it not be used much, it is currently possible to call `isGranted()` on more than one attribute:
```php
if ($this->authorizationChecker->isGranted(['ROLE_USER', 'ROLE_ADMIN'])) {
// ...
}
```
Supporting this includes a couple of problems/questions:
- It is not clear whether this is `OR` or `AND`;
- In fact, this is left over to the voter to decide upon. So it can vary for each voter and writers of new voters need to consider this (otherwise, you get issues like https://github.com/LeaseWeb/LswSecureControllerBundle/issues/4 );
- It promotes to vote over roles instead of actions.
I think we can do better. In the past, we've created all tooling for this to be self-explaining and easier:
```php
// ExpressionLanguage component (also includes other functions, like `is_granted('EDIT')`)
if ($this->authorizationChecker->isGranted("has_role('ROLE_USER') or has_role('ROLE_ADMIN')")) {
// ...
}
// calling it multiple times in PHP (may reduce performance)
if ($this->authorizationChecker->isGranted('ROLE_USER')
|| $this->authorizationChecker->isGranted('ROLE_ADMIN')
) {
// ...
}
// or by using Role Hierarchy, if a user really wants to vote on roles
```
This PR deprecates passing more than one attribute to `isGranted()` and `decide()` to remove this confusing bit in Security usage.
Backwards compatiblity help
---
I need some help in how to approach changing the `VoterInterface::vote(TokenInterface $token, $subject, array $attributes)` method in a backwards compatible way. Removing `array` breaks all Voters, so does changing it to `string` and removed the parameter all together.
Commits
-------
c64b0beffb [Security] Deprecate isGranted()/decide() on more than one attribute
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] Make stateful firewalls turn responses private only when needed
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #26769 *et al.*
| License | MIT
| Doc PR | -
Replaces #28089
By taking over session usage tracking and replacing it with token usage tracking, we can prevent responses that don't actually use the token from turning responses private without changing anything to the lifecycle of security listeners. This makes the behavior much more seamless, allowing to still log the user with the monolog processor, and display it in the profiler toolbar.
This works by using two separate token storage services:
- `security.token_storage` now tracks access to the token and increments the session usage tracker when needed. This is the service that is injected in userland.
- `security.untracked_token_storage` is a raw token storage that just stores the token and is disconnected from the session. This service is injected in places where reading the session doesn't impact the generated output in any way (as e.g. in Monolog processors, etc.)
Commits
-------
20df3a125c [Security] Make stateful firewalls turn responses private only when needed
This PR was merged into the 4.4 branch.
Discussion
----------
Fixed a minor typo in the UPGRADE to 5.0 guide
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
I tried to fix this in the 4.3 branch too ... but the `UPGRADE-5.0.md` is quite different. Should these two files be exactly the same?
* https://github.com/symfony/symfony/blob/4.3/UPGRADE-5.0.md
* https://github.com/symfony/symfony/blob/4.4/UPGRADE-5.0.md
Commits
-------
8532d62 Fixed a minor typo in the UPGRADE to 5.0 guide
This PR was merged into the 4.4 branch.
Discussion
----------
[Form][SubmitType] Add "validate" option
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | https://github.com/symfony/symfony/issues/8763
| License | MIT
| Doc PR | TODO
The second part of the ticket requires more work but is kind of unrelated.
Commits
-------
a2bc06d811 [Form][SubmitType] Add "validate" option
This PR was merged into the 4.4 branch.
Discussion
----------
[Yaml] hint to the --parse-tags when parsing tags fails
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | Fix https://github.com/symfony/symfony/issues/28465#issuecomment-533182079
| License | MIT
| Doc PR |
Commits
-------
012111524b hint to the --parse-tags when parsing tags fails
This PR was merged into the 3.4 branch.
Discussion
----------
[travis] more CI fixes
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Commits
-------
27b1986cc2 [travis] more CI fixes
This PR was merged into the 3.4 branch.
Discussion
----------
[travis] fix CI
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Commits
-------
a0961d3b99 [travis] fix CI
This PR was merged into the 4.4 branch.
Discussion
----------
[Twig] Remove deprecated tag usage
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | n/a
| License | MIT
| Doc PR | n/a
<!--
Replace this notice by a short README for your feature/bugfix. This will help people
understand your PR and can be used as a start for the documentation.
Additionally (see https://symfony.com/roadmap):
- Always add tests and ensure they pass.
- Never break backward compatibility (see https://symfony.com/bc).
- Bug fixes must be submitted against the lowest maintained branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too.)
- Features and deprecations must be submitted against branch 4.4.
- Legacy code removals go to the master branch.
-->
Commits
-------
cd74cb32ef [Twig] Remove deprecated tag usage
This PR was merged into the 3.4 branch.
Discussion
----------
[travis] honor .gitattributes when building local packages
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Commits
-------
d7fbb0a4a4 [travis] honor .gitattributes when building local packages
This PR was merged into the 3.4 branch.
Discussion
----------
[travis] install from dist except for selected components
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Commits
-------
1de84836cf [travis] install from dist except for selected components
This PR was merged into the 4.4 branch.
Discussion
----------
[travis] checkout previous major and test with patched components on deps=high
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
On `deps=high`:
- for the `master` branch, we already checkout the previous one and run tests with patched components as deps
- this PR makes the job on 4.4 checkout 3.4 and run tests with patched components as deps too
Commits
-------
526915a55d [travis] checkout previous major and test with patched components on deps=high
This PR was merged into the 4.3 branch.
Discussion
----------
[Cache] skip igbinary on PHP 7.4.0
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Our CI currently fails because of that. I'm blacklisting 7.4.0 exactly so that we don't have to maintain these lines, betting on the issue being resolved before 7.4.1 is released.
See https://github.com/igbinary/igbinary/issues/237
Commits
-------
2c0c131142 [Cache] skip igbinary on PHP 7.4.0