This PR was merged into the 3.4 branch.
Discussion
----------
[HttpKernel] Fix dealing with self/parent in ArgumentMetadataFactory
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Applies CS fixes that where merged on 4.0 to 3.4, embeds a fix in ArgumentMetadataFactory, which couldn't deal with self/parent type hints.
Commits
-------
ba5cb1a245 fixed CS
* 2.8:
[Security] Fix logout
#27250 limiting GET_LOCK key up to 64 char due to changes in MySQL 5.7.5 and later
[Profiler] Remove propel & event_listener_loading category identifiers
[Filesystem] Fix usages of error_get_last()
[Debug] Fix populating error_get_last() for handled silent errors
Suppress warnings when open_basedir is non-empty
* 2.7:
[Security] Fix logout
#27250 limiting GET_LOCK key up to 64 char due to changes in MySQL 5.7.5 and later
[Profiler] Remove propel & event_listener_loading category identifiers
[Filesystem] Fix usages of error_get_last()
[Debug] Fix populating error_get_last() for handled silent errors
Suppress warnings when open_basedir is non-empty
* 2.8:
Another PR template tweak
[PropertyInfo] ReflectionExtractor: give a chance to other extractors if no properties
Clean calls to http_build_query()
[WebProfilerBundle] limit ajax request to 100 and remove the last one
[HttpFoundation] Fix missing "throw" in JsonResponse
Improve the documentation of
Suppress warning from sapi_windows_vt100_support on stream other than STDIO
removed extra-verbose comments
Fixes#26136: Avoid emitting warning in hasParameterOption()
Added a README entry to the PR template
[HttpFoundation] Add x-zip-compressed to MimeTypeExtensionGuesser.
[DI] Add null check for removeChild
* 2.7:
Clean calls to http_build_query()
[HttpFoundation] Fix missing "throw" in JsonResponse
Improve the documentation of
Suppress warning from sapi_windows_vt100_support on stream other than STDIO
removed extra-verbose comments
Fixes#26136: Avoid emitting warning in hasParameterOption()
Added a README entry to the PR template
[HttpFoundation] Add x-zip-compressed to MimeTypeExtensionGuesser.
[DI] Add null check for removeChild
* 2.8:
[SecurityBundle] Backport test
[Security] fix merge of 2.7 into 2.8 + add test case
backport regression test from 3.4
Fix misspelling variable
[DI] minor: use a strict comparision in setDecoratedService
Follow-on to #25825: Fix edge case in getParameterOption.
keep the context when validating forms
* 2.7:
[SecurityBundle] Backport test
Fix misspelling variable
[DI] minor: use a strict comparision in setDecoratedService
Follow-on to #25825: Fix edge case in getParameterOption.
keep the context when validating forms
* 3.3:
[appveyor] set memory_limit=-1
[Router] Skip anonymous classes when loading annotated routes
Fixed Request::__toString ignoring cookies
Make sure we only build once and have one time the prefix when importing routes
[Security] Fix fatal error on non string username
* 2.8:
[appveyor] set memory_limit=-1
[Router] Skip anonymous classes when loading annotated routes
Fixed Request::__toString ignoring cookies
[Security] Fix fatal error on non string username
* 2.7:
[appveyor] set memory_limit=-1
[Router] Skip anonymous classes when loading annotated routes
Fixed Request::__toString ignoring cookies
[Security] Fix fatal error on non string username
This PR was merged into the 2.7 branch.
Discussion
----------
[appveyor] set memory_limit=-1
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Commits
-------
10e33ac [appveyor] set memory_limit=-1
This PR was merged into the 2.7 branch.
Discussion
----------
[Security] Fix fatal error on non string username
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/issues/25612
| License | MIT
| Doc PR | n/a
That's consistent with what #22569 did for the `json_login` listener.
Commits
-------
8f095683d0 [Security] Fix fatal error on non string username
* 3.3:
[Serializer] Fixed throwing exception with option JSON_PARTIAL_OUTPUT_ON_ERROR
Tweaked some styles in the profiler tables
Add type string to docblock for Process::setInput()
[Security] Fail gracefully if the security token cannot be unserialized from the session
[Form] AbstractLayoutTest - fix DOMDocument casing
Run simple-phpunit with --no-suggest option
[FrameworkBundle] Fix using "annotations.cached_reader" in after-removing passes
bumped Symfony version to 3.3.16
updated VERSION for 3.3.15
updated CHANGELOG for 3.3.15
bumped Symfony version to 2.8.34
updated VERSION for 2.8.33
updated CHANGELOG for 2.8.33
bumped Symfony version to 2.7.41
updated VERSION for 2.7.40
update CONTRIBUTORS for 2.7.40
updated CHANGELOG for 2.7.40
* 2.8:
[Serializer] Fixed throwing exception with option JSON_PARTIAL_OUTPUT_ON_ERROR
Tweaked some styles in the profiler tables
[Security] Fail gracefully if the security token cannot be unserialized from the session
[Form] AbstractLayoutTest - fix DOMDocument casing
bumped Symfony version to 2.8.34
updated VERSION for 2.8.33
updated CHANGELOG for 2.8.33
bumped Symfony version to 2.7.41
updated VERSION for 2.7.40
update CONTRIBUTORS for 2.7.40
updated CHANGELOG for 2.7.40
* 2.7:
[Serializer] Fixed throwing exception with option JSON_PARTIAL_OUTPUT_ON_ERROR
[Security] Fail gracefully if the security token cannot be unserialized from the session
[Form] AbstractLayoutTest - fix DOMDocument casing
bumped Symfony version to 2.7.41
updated VERSION for 2.7.40
update CONTRIBUTORS for 2.7.40
updated CHANGELOG for 2.7.40
* 3.3:
Clean up
Update return type in docblock.
PHP CS Fixer: no need to exclude xml and yml files
PHP CS Fixer: no need to exclude json file
Update LICENSE year... forever
* 3.3:
fixed some deprecation messages
fixed some deprecation messages
fixed some deprecation messages
fixed some deprecation messages
[2.7][DX] Use constant message contextualisation for deprecations
* 3.3:
fixed CS
fixed CS
[Security] Namespace generated CSRF tokens depending of the current scheme
ensure that submitted data are uploaded files
[Console] remove dead code
bumped Symfony version to 3.3.13
updated VERSION for 3.3.12
updated CHANGELOG for 3.3.12
bumped Symfony version to 2.8.31
updated VERSION for 2.8.30
updated CHANGELOG for 2.8.30
bumped Symfony version to 2.7.38
updated VERSION for 2.7.37
updated CHANGELOG for 2.7.37
[Security] Validate redirect targets using the session cookie domain
prevent bundle readers from breaking out of paths
* 2.8:
fixed CS
fixed CS
[Security] Namespace generated CSRF tokens depending of the current scheme
ensure that submitted data are uploaded files
[Console] remove dead code
bumped Symfony version to 2.8.31
updated VERSION for 2.8.30
updated CHANGELOG for 2.8.30
bumped Symfony version to 2.7.38
updated VERSION for 2.7.37
updated CHANGELOG for 2.7.37
[Security] Validate redirect targets using the session cookie domain
prevent bundle readers from breaking out of paths
* 2.7:
fixed CS
fixed CS
[Security] Namespace generated CSRF tokens depending of the current scheme
ensure that submitted data are uploaded files
[Console] remove dead code
bumped Symfony version to 2.7.38
updated VERSION for 2.7.37
updated CHANGELOG for 2.7.37
[Security] Validate redirect targets using the session cookie domain
prevent bundle readers from breaking out of paths
This PR was merged into the 2.7 branch.
Discussion
----------
Validate redirect targets using the session cookie domain
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
<!--
- Bug fixes must be submitted against the lowest branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too).
- Features and deprecations must be submitted against the master branch.
- Please fill in this template according to the PR you're about to submit.
- Replace this comment by a description of what your PR is solving.
-->
Commits
-------
52b06f1c21 [Security] Validate redirect targets using the session cookie domain
* 3.3:
[Serializer] Fix extra attributes when no group specified
[Intl] Make intl-data tests pass and save language aliases again
[Console] Fix CommandTester::setInputs() docblock
[Serializer] readd default argument value
[VarDumper] fix trailling comma when dumping an exception
Remove useless docblocks
[FrameworkBundle] Fix docblocks
[PropertyInfo] Remove useless docblocks
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Look at headers for switch_user username
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #24260
| License | MIT
| Doc PR | n/a
Allowing `switch_user.parameter` config node to be a header name.
It's supported by SwitchUserStatelessBundle and I think it makes sense.
Forgotten in #24260 so targets 3.4 but not a blocker.
Commits
-------
3c801951c8 [Security] Look at headers for switch user username parameter
* 3.3: (23 commits)
Tests and fix for issue in array model data in EntityType field with multiple=true
[Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible
removed useless PHPDoc
[Form] Fix FormInterface::submit() annotation
[PHPUnitBridge] don't remove when set to empty string
PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
HttpCache does not consider ESI resources in HEAD requests
Fix translation for "This field was not expected"
[Routing] Enhance Route(Collection) docblocks
Added improvement for accuracy in MoneyToLocalizedStringTransformer.
Removed unused private property
Use correct verb form in the pull request template
Use PHP_MAXPATHLEN in Filesystem.
Added null as explicit return type (?TokenInterface)
[FrameworkBundle] Fix Routing\DelegatingLoader
Render all line breaks according to the exception message
[Form] Fix phpdoc
[DI] remove confusing code
[Form] Fixed GroupSequence with "constraints" option
[Validator] Clarify UUID validator behavior
...
* 2.8: (22 commits)
Tests and fix for issue in array model data in EntityType field with multiple=true
[Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible
removed useless PHPDoc
[Form] Fix FormInterface::submit() annotation
PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
HttpCache does not consider ESI resources in HEAD requests
Fix translation for "This field was not expected"
[Routing] Enhance Route(Collection) docblocks
Added improvement for accuracy in MoneyToLocalizedStringTransformer.
Removed unused private property
Use correct verb form in the pull request template
Use PHP_MAXPATHLEN in Filesystem.
Added null as explicit return type (?TokenInterface)
[FrameworkBundle] Fix Routing\DelegatingLoader
Render all line breaks according to the exception message
[Form] Fix phpdoc
[DI] remove confusing code
[Form] Fixed GroupSequence with "constraints" option
[Validator] Clarify UUID validator behavior
[Filesystem] Fixed makePathRelative
...
* 2.7: (22 commits)
Tests and fix for issue in array model data in EntityType field with multiple=true
[Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible
removed useless PHPDoc
[Form] Fix FormInterface::submit() annotation
PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
HttpCache does not consider ESI resources in HEAD requests
Fix translation for "This field was not expected"
[Routing] Enhance Route(Collection) docblocks
Added improvement for accuracy in MoneyToLocalizedStringTransformer.
Removed unused private property
Use correct verb form in the pull request template
Use PHP_MAXPATHLEN in Filesystem.
Added null as explicit return type (?TokenInterface)
[FrameworkBundle] Fix Routing\DelegatingLoader
Render all line breaks according to the exception message
[Form] Fix phpdoc
[DI] remove confusing code
[Form] Fixed GroupSequence with "constraints" option
[Validator] Clarify UUID validator behavior
[Filesystem] Fixed makePathRelative
...
* 3.3:
Set a NullLogger in ApcuAdapter when Apcu is disabled in CLI
Minor reword
[HttpKernel] Make array vs "::" controller definitions consistent
Fix tests
[TwigBundle] Remove profiler related scripting
[TwigBundle][WebProfilerBundle] Switch to DOMContentLoaded event
[WebProfilerBundle] Hide inactive tabs from CSS
[TwigBundle] Make deprecations scream in logs
[TwigBundle] Hide logs if unavailable, i.e. webprofiler
[TwigBundle] Break long lines in exceptions
[WebProfilerBundle] Added missing link to profile token
[DI] Fix decorated service merge in ResolveInstanceofConditionalsPass
Preserve URI fragment in HttpUtils::generateUri()
[PhpUnitBridge] do not require an error context
This PR was merged into the 3.4 branch.
Discussion
----------
[Security][Firewall] Passing the newly generated security token to the event during user switching
Event allows listeners to easily switch out the token if custom token updates are required
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Updated SwitchUserEvent to include the generated security Token. Allows the listeners to replace the token with their own (in case an application has some custom logic for token generation). The SwitchUserListener will now use the token returned by the event, so if token was not changed the self generated token will be used. If token was changed in the event then the new token would get used.
Reasons for this feature
--------------------------
In our current project users can have different Role sets depending on which organization they switch to. Our `User->getRoles()` always returns ["ROLE_USER"] and after login user is presented with choice of organizations they want to work in. Based on selected organization roles get updated with then stored token.
Without the change proposed in this PR. The only way we can setup the proper roles during user switch is by replacing `security.authentication.switchuser_listener` service with our own implementation of the listener.
With the proposed change, we can replace the security token with the one having all the roles we require directly inside our listener for `security.switch_user` event that gets thrown by Symfony's `SwitchUserListener`
Commits
-------
4205f1b Passing the newly generated security token to the event during user switching.
This PR was merged into the 3.3 branch.
Discussion
----------
[Security] Preserve URI fragment in HttpUtils::generateUri()
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/issues/23675
| License | MIT
| Doc PR | n/a
Commits
-------
4dd2e3e Preserve URI fragment in HttpUtils::generateUri()
* 2.8:
[CS][2.7] yoda_style, no_unneeded_curly_braces, no_unneeded_final_method, semicolon_after_instruction
[Filesystem] mirror - fix copying content with same name as source/target.
.php_cs.dist - simplify config
[WebProfilerBundle] fixed TemplateManager when using Twig 2 without compat interfaces
* 3.3:
Revert "bug #24105 [Filesystem] check permissions if dump target dir is missing (xabbuh)"
[Filesystem] skip tests if not applicable
[Fabbot] Do not run php-cs-fixer if there are no change in src/
[Security] Fix exception when use_referer option is true and referer is not set or empty
[HttpKernel] "controller.service_arguments" services should be public
Get KERNEL_DIR through $_ENV too for KernelTestCase
Get KERNEL_CLASS through $_ENV too
check permissions if dump target dir is missing
* 2.8:
Revert "bug #24105 [Filesystem] check permissions if dump target dir is missing (xabbuh)"
[Filesystem] skip tests if not applicable
[Fabbot] Do not run php-cs-fixer if there are no change in src/
[Security] Fix exception when use_referer option is true and referer is not set or empty
Get KERNEL_DIR through $_ENV too for KernelTestCase
check permissions if dump target dir is missing
* 2.7:
Revert "bug #24105 [Filesystem] check permissions if dump target dir is missing (xabbuh)"
[Filesystem] skip tests if not applicable
[Fabbot] Do not run php-cs-fixer if there are no change in src/
[Security] Fix exception when use_referer option is true and referer is not set or empty
Get KERNEL_DIR through $_ENV too for KernelTestCase
check permissions if dump target dir is missing
* 3.3:
Removed useless argument $definition
Fix comment
[Config] Fix checking class existence freshness
bumped Symfony version to 3.3.7
updated VERSION for 3.3.6
updated CHANGELOG for 3.3.6
Bump minimal PHP version to ^5.5.9|>=7.0.8
* 3.3:
use Precise on Travis to keep PHP LDAP support
Fix case sensitive sameSite cookie
[PropertyInfo] Use rawurlencode to escape PSR-6 keys
fix(security): ensure the 'route' index is set before attempting to use it
Fix the design of the profiler exceptions when there is no message
[Config] Minor fix
[WebProfilerBundle] Fix full sized dump hovering in toolbar
* 3.2:
use Precise on Travis to keep PHP LDAP support
Fix case sensitive sameSite cookie
[PropertyInfo] Use rawurlencode to escape PSR-6 keys
fix(security): ensure the 'route' index is set before attempting to use it
[WebProfilerBundle] Fix full sized dump hovering in toolbar
* 2.8:
use Precise on Travis to keep PHP LDAP support
fix(security): ensure the 'route' index is set before attempting to use it
[WebProfilerBundle] Fix full sized dump hovering in toolbar
* 3.3:
[Security] added more tests
[Security] fixed default target path when referer contains a query string
[Security] simplified tests
[Security] refactored tests
[WebProfilerBundle][TwigBundle] Fix infinite js loop on exception pages
[FrameworkBundle] fix ValidatorCacheWarmer: use serializing ArrayAdapter
Change "this" to "that" to avoid confusion
[VarDumper] Move locale sniffing to dump() time
[VarDumper] Use "C" locale when using "comma" flags
[Config] Make ClassExistenceResource throw on invalid parents