* 3.4:
[Validator] fix access to uninitialized property when getting value
[HttpKernel] Fix stale-if-error behavior, add tests
Improved error message when no supported user provider is found
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] suggest a non-deprecated function replacement
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #35437
| License | MIT
| Doc PR |
Commits
-------
731730fe2f suggest a non-deprecated function replacement
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Use supportsClass in addition to UnsupportedUserException
| Q | A
| ------------- | ---
| Branch? | 3.4+
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #35045
| License | MIT
| Doc PR | ~
This PR fixes the issue where user providers rely on just the UnsupportedUserException from `refreshUser()`, causing a flow where users are wrongfully re-authenticated.
There's one issue where `refreshUser()` can do far more sophisticated checks on the user class, which it will never reach if the class is not supported. As far as I know it was never intended to support instances that are rejected by `supportsClass()`, though people could've implemented this (by accident). So the question is more if we should add a BC layer for this; for example:
```php
try {
    $refreshedUser = $provider->refreshUser($user);
    $newToken = clone $token;
    $newToken->setUser($refreshedUser);

    if (!$provider->supportsClass($userClass)) {
        if ($this->shouldCheckSupportsClass) {
            continue;
        }
        // have to think of a proper deprecation here for 6.0
        @trigger_error('Provider %s does not support user class %s via supportsClass() while it does support it via refreshUser .. please set option X and fix %s::supportsUser() ', E_USER_DEPRECATED);
    }
```
This would prevent behavior from breaking but also means we can't fix this on anything less than 5.1.
Commits
-------
d3942cbe17 Use supportsClass where possible
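One way the gap described in this PR can show up, as an added example (not the code merged in d3942cbe17 and not Symfony's `ContextListener`). The provider and user classes, the `refreshFromSession()` helper and the sample data are constructed for illustration; only `supportsClass()`, `refreshUser()` and `UnsupportedUserException` are names from the PR.

```php
<?php
declare(strict_types=1);

// Constructed stand-ins; none of these classes are Symfony's own.
final class UnsupportedUserException extends \RuntimeException {}

final class AdminUser
{
    public string $username;
    public function __construct(string $username) { $this->username = $username; }
}

final class CustomerUser
{
    public string $username;
    public function __construct(string $username) { $this->username = $username; }
}

interface SampleUserProvider
{
    public function supportsClass(string $class): bool;
    public function refreshUser(object $user): object;
}

/** Declares its class correctly, but refreshUser() never rejects foreign users. */
final class LenientCustomerProvider implements SampleUserProvider
{
    public function supportsClass(string $class): bool
    {
        return CustomerUser::class === $class;
    }

    public function refreshUser(object $user): object
    {
        // Missing class check: reloads by username whatever the user class is.
        return new CustomerUser($user->username);
    }
}

/** Rejects foreign users the way the refresh loop expects. */
final class StrictAdminProvider implements SampleUserProvider
{
    public function supportsClass(string $class): bool
    {
        return AdminUser::class === $class;
    }

    public function refreshUser(object $user): object
    {
        if (!$user instanceof AdminUser) {
            throw new UnsupportedUserException(get_class($user));
        }

        return new AdminUser($user->username);
    }
}

/**
 * Simplified refresh loop. With $checkSupportsClass = false it relies on
 * UnsupportedUserException alone; with true it also asks supportsClass() first.
 */
function refreshFromSession(object $sessionUser, array $providers, bool $checkSupportsClass): ?object
{
    foreach ($providers as $provider) {
        if ($checkSupportsClass && !$provider->supportsClass(get_class($sessionUser))) {
            continue; // this provider does not own the user class
        }

        try {
            return $provider->refreshUser($sessionUser);
        } catch (UnsupportedUserException $e) {
            // Not this provider's user: try the next one.
        }
    }

    return null; // no provider could refresh the user
}

// Constructed scenario: the session holds an AdminUser, and the lenient
// provider happens to come first in the provider list.
$providers = [new LenientCustomerProvider(), new StrictAdminProvider()];
$sessionUser = new AdminUser('alice');

$exceptionOnly = refreshFromSession($sessionUser, $providers, false);
$withSupportsClass = refreshFromSession($sessionUser, $providers, true);

printf("exception only:     %s\n", get_class($exceptionOnly));
printf("with supportsClass: %s\n", get_class($withSupportsClass));
```

In the first call the session's `AdminUser` is replaced by whatever the lenient provider loads under the same username; in the second the lenient provider is skipped and the user keeps its class.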
* 4.3:
chown and chgrp should also accept int as owner and group
Fix RememberMe with null password
[Validator] Fix plurals for sr_Latn (Serbian language written in latin script) validation messages
[PhpUnitBridge][SymfonyTestsListenerTrait] Remove some unneeded code
fix PHP const mapping keys using the inline notation
Fix that no-cache requires positive validation with the origin, even for fresh responses
* 3.4:
chown and chgrp should also accept int as owner and group
Fix RememberMe with null password
[Validator] Fix plurals for sr_Latn (Serbian language written in latin script) validation messages
[PhpUnitBridge][SymfonyTestsListenerTrait] Remove some unneeded code
fix PHP const mapping keys using the inline notation
Fix that no-cache requires positive validation with the origin, even for fresh responses
* 5.0:
[Debug] fix ClassNotFoundFatalErrorHandler
[FrameworkBundle] Document the router.cache_class_prefix parameter removal
[Routing] Fix using a custom matcher & generator dumper class
[Notifier] Add more specific types at documentation level when php engine can't
[Serializer] Fix cache in MetadataAwareNameConverter
[Dotenv] Fixed infinite loop with missing quote followed by quoted value
[HttpClient] Added missing sprintf
[TwigBridge] button_widget now has its title attr translated even if its label = null or false
[PhpUnitBridge] When using phpenv + phpenv-composer plugin, composer executable is wrapped into a bash script
[Messenger] Added check if json_encode succeeded
[Messenger] Added check if json_encode succeeded
[FrameworkBundle][ContainerLintCommand] Only skip .errored. services
[HttpClient] fix exception in case of PSR17 discovery failure
[DependencyInjection] Handle ServiceClosureArgument for callable in container linting
fix processing chain adapter based cache pool
[HttpKernel] release lock explicitly
[Security] Prevent canceled remember-me cookie from being accepted
[FrameworkBundle][TranslationUpdateCommand] Do not output positive feedback on stderr
[Security\Guard] Fix missing typehints
do not render preferred choices as selected
* 4.4:
[Debug] fix ClassNotFoundFatalErrorHandler
[Routing] Fix using a custom matcher & generator dumper class
[Serializer] Fix cache in MetadataAwareNameConverter
[Dotenv] Fixed infinite loop with missing quote followed by quoted value
[HttpClient] Added missing sprintf
[TwigBridge] button_widget now has its title attr translated even if its label = null or false
[PhpUnitBridge] When using phpenv + phpenv-composer plugin, composer executable is wrapped into a bash script
[Messenger] Added check if json_encode succeeded
[Messenger] Added check if json_encode succeeded
[FrameworkBundle][ContainerLintCommand] Only skip .errored. services
[HttpClient] fix exception in case of PSR17 discovery failure
[DependencyInjection] Handle ServiceClosureArgument for callable in container linting
fix processing chain adapter based cache pool
[HttpKernel] release lock explicitly
[Security] Prevent canceled remember-me cookie from being accepted
[FrameworkBundle][TranslationUpdateCommand] Do not output positive feedback on stderr
[Security\Guard] Fix missing typehints
do not render preferred choices as selected
* 4.3:
[Debug] fix ClassNotFoundFatalErrorHandler
[Routing] Fix using a custom matcher & generator dumper class
[Dotenv] Fixed infinite loop with missing quote followed by quoted value
[HttpClient] Added missing sprintf
[TwigBridge] button_widget now has its title attr translated even if its label = null or false
[PhpUnitBridge] When using phpenv + phpenv-composer plugin, composer executable is wrapped into a bash script
[Messenger] Added check if json_encode succeeded
[Security] Prevent canceled remember-me cookie from being accepted
[FrameworkBundle][TranslationUpdateCommand] Do not output positive feedback on stderr
[Security\Guard] Fix missing typehints
* 3.4:
[Debug] fix ClassNotFoundFatalErrorHandler
[Dotenv] Fixed infinite loop with missing quote followed by quoted value
[TwigBridge] button_widget now has its title attr translated even if its label = null or false
[PhpUnitBridge] When using phpenv + phpenv-composer plugin, composer executable is wrapped into a bash script
[Security] Prevent canceled remember-me cookie from being accepted
[FrameworkBundle][TranslationUpdateCommand] Do not output positive feedback on stderr
* 5.0: (31 commits)
[HttpClient] NativeHttpClient should not send >1.1 protocol version
[HttpClient] fix support for non-blocking resource streams
[Mailer] Make sure you can pass custom headers to Mailgun
[Mailer] Remove line breaks in email attachment content
Update links to documentation
[Validator] Add the missing translations for the Arabic (ar) locale
ensure to expect no validation for the right reasons
[Security-Guard] fixed 35203 missing name tag in param docblock
[HttpClient] fix casting responses to PHP streams
[PhpUnitBridge] Add test case for @expectedDeprecation annotation
[PhpUnitBridge][SymfonyTestsListenerTrait] Remove $testsWithWarnings stack
[FrameworkBundle] Fix getUser() phpdoc in AbstractController
[Mailer] Fix addresses management in Sendgrid API payload
[Mailer][MailchimpBridge] Fix missing attachments when sending via Mandrill API
[Mailer][MailchimpBridge] Fix incorrect sender address when sender has name
[HttpClient] fix capturing SSL certificates with NativeHttpClient
Update year in license files
Update year in license files
[TwigBridge][Form] Added missing help messages in form themes
Update year in license files
...
* 4.4: (26 commits)
[HttpClient] NativeHttpClient should not send >1.1 protocol version
[HttpClient] fix support for non-blocking resource streams
[Mailer] Make sure you can pass custom headers to Mailgun
[Mailer] Remove line breaks in email attachment content
Update links to documentation
[Validator] Add the missing translations for the Arabic (ar) locale
ensure to expect no validation for the right reasons
[Security-Guard] fixed 35203 missing name tag in param docblock
[HttpClient] fix casting responses to PHP streams
[PhpUnitBridge] Add test case for @expectedDeprecation annotation
[PhpUnitBridge][SymfonyTestsListenerTrait] Remove $testsWithWarnings stack
[Mailer] Fix addresses management in Sendgrid API payload
[Mailer][MailchimpBridge] Fix missing attachments when sending via Mandrill API
[Mailer][MailchimpBridge] Fix incorrect sender address when sender has name
[HttpClient] fix capturing SSL certificates with NativeHttpClient
Update year in license files
[TwigBridge][Form] Added missing help messages in form themes
Update year in license files
Update year in license files
fix version when "anonymous: lazy" was introduced
...
* 4.3:
[Mailer] Remove line breaks in email attachment content
Update links to documentation
[Validator] Add the missing translations for the Arabic (ar) locale
ensure to expect no validation for the right reasons
[PhpUnitBridge] Add test case for @expectedDeprecation annotation
[PhpUnitBridge][SymfonyTestsListenerTrait] Remove $testsWithWarnings stack
[Mailer][MailchimpBridge] Fix missing attachments when sending via Mandrill API
[Mailer][MailchimpBridge] Fix incorrect sender address when sender has name
[HttpClient] fix capturing SSL certificates with NativeHttpClient
[TwigBridge][Form] Added missing help messages in form themes
Update year in license files
Update year in license files
[HttpClient] fix typo
[Console][FormatterHelper] Use helper strlen statically and remove duplicated code
[Routing] Fix i18n routing when the url contains the locale
Fix BC issue in phpDoc Reflection library
[Translator] Performance improvement in MessageCatalogue and catalogue operations.
* 3.4:
Update links to documentation
[Validator] Add the missing translations for the Arabic (ar) locale
ensure to expect no validation for the right reasons
[PhpUnitBridge] Add test case for @expectedDeprecation annotation
Update year in license files
[Console][FormatterHelper] Use helper strlen statically and remove duplicated code
Fix BC issue in phpDoc Reflection library
[Translator] Performance improvement in MessageCatalogue and catalogue operations.
* 5.0: (24 commits)
Removing unused variable
Fixed #35084
Add missing use statement
[HttpClient] fix scheduling pending NativeResponse
do not overwrite variable value
[Profiler] wording
Use spaces correctly to display options in DebugCommand
Add supported schemes doc blocks type
X-Accel Nginx URL updated
ticket-30197 [Validator] Add the missing translations for the Chinese (Taiwan) ("zh_TW") locale
Fixed test added in #35022
Use locale_parse for computing fallback locales
[Console] Fix filtering out identical alternatives when there is a command loader
[String][UnicodeString] Remove unneeded flag in chunk regex pattern
add note about HTTP status code change
Migrate server:log command away from WebServerBundle
[DependencyInjection][CheckTypeDeclarationsPass] Handle \Closure for callable
[Security] Fix missing defaults for auto-migrating encoders
bumped Symfony version to 5.0.3
updated VERSION for 5.0.2
...
* 4.4:
Fixed #35084
Add missing use statement
[HttpClient] fix scheduling pending NativeResponse
do not overwrite variable value
[Profiler] wording
Use spaces correctly to display options in DebugCommand
X-Accel Nginx URL updated
ticket-30197 [Validator] Add the missing translations for the Chinese (Taiwan) ("zh_TW") locale
Fixed test added in #35022
Use locale_parse for computing fallback locales
[Console] Fix filtering out identical alternatives when there is a command loader
add note about HTTP status code change
Migrate server:log command away from WebServerBundle
[DependencyInjection][CheckTypeDeclarationsPass] Handle \Closure for callable
[Security] Fix missing defaults for auto-migrating encoders
bumped Symfony version to 4.4.3
updated VERSION for 4.4.2
updated CHANGELOG for 4.4.2
This PR was squashed before being merged into the 5.1-dev branch (closes #34548).
Discussion
----------
Added access decision strategy to respect voter priority
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | _will happily do if this is of interest/to be merged 🙃_
The priority-based access decision strategy will decide based on the first voter that does not abstain from the decision. Security voters can be registered with priority (`PriorityTaggedServiceTrait`), so a voter with higher priority can overrule other voters.
In [Contao CMS](https://github.com/contao/contao), the core system should provide security voters that provide the "default permissions", but extensions/bundles can override almost anything and therefore need to be able to override the core decision. None of the existing strategies allow for something like that.
/ping @chalasr @Toflar @leofeyer @ausi
#SymfonyHackday
Commits
-------
0b8028a0ec Added access decision strategy to respect voter priority
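The decision rule described in this PR, set beside the affirmative and unanimous rules, as an added example (not the code merged in 0b8028a0ec and not Symfony's `AccessDecisionManager`). The two voters, the user fields and the `article.edit` attribute are constructed for illustration; only the vote values follow `VoterInterface`.

```php
<?php
declare(strict_types=1);

// Same values as Symfony's VoterInterface::ACCESS_* constants.
const ACCESS_GRANTED = 1;
const ACCESS_ABSTAIN = 0;
const ACCESS_DENIED = -1;

/** Collect every vote, highest priority first (stand-in for priority-tagged services). */
function collectVotes(array $voters, string $attribute, array $user): array
{
    usort($voters, static fn (array $a, array $b): int => $b['priority'] <=> $a['priority']);

    return array_map(static fn (array $v): int => $v['vote']($attribute, $user), $voters);
}

/** Priority: the first voter that does not abstain decides. */
function decidePriority(array $votes, bool $allowIfAllAbstain = false): bool
{
    foreach ($votes as $vote) {
        if (ACCESS_ABSTAIN !== $vote) {
            return ACCESS_GRANTED === $vote;
        }
    }

    return $allowIfAllAbstain;
}

/** Affirmative: a single grant is enough. */
function decideAffirmative(array $votes, bool $allowIfAllAbstain = false): bool
{
    if (in_array(ACCESS_GRANTED, $votes, true)) {
        return true;
    }

    return in_array(ACCESS_DENIED, $votes, true) ? false : $allowIfAllAbstain;
}

/** Unanimous: a single denial is enough. */
function decideUnanimous(array $votes, bool $allowIfAllAbstain = false): bool
{
    if (in_array(ACCESS_DENIED, $votes, true)) {
        return false;
    }

    return in_array(ACCESS_GRANTED, $votes, true) ? true : $allowIfAllAbstain;
}

// Constructed voters: a core default and an extension registered above it.
$voters = [
    ['name' => 'core', 'priority' => 0, 'vote' => static function (string $attr, array $user): int {
        if ('article.edit' !== $attr) {
            return ACCESS_ABSTAIN;
        }

        // Default permission: editors may edit, everyone else may not.
        return in_array('editor', $user['roles'], true) ? ACCESS_GRANTED : ACCESS_DENIED;
    }],
    ['name' => 'extension', 'priority' => 100, 'vote' => static function (string $attr, array $user): int {
        if ('article.edit' !== $attr) {
            return ACCESS_ABSTAIN;
        }
        if ($user['suspended']) {
            return ACCESS_DENIED;   // overrides a core grant
        }
        if ($user['guest_author']) {
            return ACCESS_GRANTED;  // overrides a core denial
        }

        return ACCESS_ABSTAIN;      // no opinion: the core default applies
    }],
];

// Constructed users covering both override directions and the fall-through.
$users = [
    'suspended editor' => ['roles' => ['editor'], 'suspended' => true, 'guest_author' => false],
    'guest author' => ['roles' => [], 'suspended' => false, 'guest_author' => true],
    'plain editor' => ['roles' => ['editor'], 'suspended' => false, 'guest_author' => false],
];

foreach ($users as $label => $user) {
    $votes = collectVotes($voters, 'article.edit', $user);
    printf(
        "%-17s priority=%-5s affirmative=%-5s unanimous=%s\n",
        $label,
        var_export(decidePriority($votes), true),
        var_export(decideAffirmative($votes), true),
        var_export(decideUnanimous($votes), true)
    );
}
```

Affirmative lets the suspended editor through and unanimous blocks the guest author, so only the priority rule follows the extension in both directions. Because the first non-abstaining vote is final, a voter registered with a high priority should abstain on every attribute it does not own, or it masks the voters below it.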
This PR was merged into the 5.1-dev branch.
Discussion
----------
[EventDispatcher] Deprecate LegacyEventDispatcherProxy
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| Deprecations? | yes
| Tickets | Cleanup of #28920
| License | MIT
| Doc PR | N/A
> This class should be deprecated in Symfony 5.1
Well, here you go. 😃
Commits
-------
c7e612d4ad [EventDispatcher] Deprecate LegacyEventDispatcherProxy.
This PR was merged into the 3.4 branch.
Discussion
----------
Use `::class` constants instead of `__NAMESPACE__` when possible
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | Related to #34987
| License | MIT
| Doc PR | no
The Form component has a lot of built-in form types. Some of them were implemented from the very beginning. In most of them there is such a method:
```php
/**
 * {@inheritdoc}
 */
public function getParent()
{
    return __NAMESPACE__.'\TextType';
}
```
This `getParent()` method was refactored in Symfony 2.8. The upgrade instructions are given here https://github.com/symfony/symfony/blob/2.8/UPGRADE-2.8.md#form
I think the `__NAMESPACE__.'\TextType';` expression was used because Symfony 2.8 was using `"php": ">=5.3.9"`, and the `::class` constant was added only in PHP 5.5.
Now this line can be refactored into
```php
/**
 * {@inheritdoc}
 */
public function getParent()
{
    return TextType::class;
}
```
For example, new form types that were added later already use the `::class` constant:
https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Form/Extension/Core/Type/ColorType.php#L23
https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Form/Extension/Core/Type/TelType.php#L23
So, in this pull request I propose to refactor all old form types to use the `::class` constant. It will give a benefit during future refactoring, because IDEs or static analysers will find all usages of the parent class, unlike the `__NAMESPACE__.'\TextType';` line, which doesn't show the real link to the class for IDEs or static analysers and could complicate finding all usages of the parent class.
Commits
-------
32bf50abca Use `::class` constants instead of `__NAMESPACE__` when possible
* 5.0: (21 commits)
fix merge
CS
[FrameworkBundle][ContainerLintCommand] Improve messages when the kernel or the container is not supported
[Serializer] Skip uninitialized (PHP 7.4) properties in PropertyNormalizer and ObjectNormalizer
stop using deprecated Doctrine persistence classes
[Cache] Fix wrong classname in deprecation message
Fix regex lookahead syntax in ApplicationTest
Fixed syntax in comment
[SecurityBundle][FirewallMap] Remove unused property
[Messenger][AMQP] Use delivery_mode=2 by default
[FrameworkBundle][DependencyInjection] Skip removed ids in the lint container command and its associated pass
[SECURITY] Revert "AbstractAuthenticationListener.php error instead info. Rebase of #28462"
[FrameworkBundle][Secrets] Hook configured local dotenv file
[DI] Improve performance of processDefinition
fix redis multi host dsn not recognized
fix constructor argument type declaration
Fix invalid Windows path normalization
[Validator][ConstraintValidator] Safe fail on invalid timezones
[DoctrineBridge] Fixed submitting invalid ids when using queries with limit
[FrameworkBundle] Add info & example to auto_mapping config
...
* 4.4: (21 commits)
fix merge
CS
[FrameworkBundle][ContainerLintCommand] Improve messages when the kernel or the container is not supported
[Serializer] Skip uninitialized (PHP 7.4) properties in PropertyNormalizer and ObjectNormalizer
stop using deprecated Doctrine persistence classes
[Cache] Fix wrong classname in deprecation message
Fix regex lookahead syntax in ApplicationTest
Fixed syntax in comment
[SecurityBundle][FirewallMap] Remove unused property
[Messenger][AMQP] Use delivery_mode=2 by default
[FrameworkBundle][DependencyInjection] Skip removed ids in the lint container command and its associated pass
[SECURITY] Revert "AbstractAuthenticationListener.php error instead info. Rebase of #28462"
[FrameworkBundle][Secrets] Hook configured local dotenv file
[DI] Improve performance of processDefinition
fix redis multi host dsn not recognized
fix constructor argument type declaration
Fix invalid Windows path normalization
[Validator][ConstraintValidator] Safe fail on invalid timezones
[DoctrineBridge] Fixed submitting invalid ids when using queries with limit
[FrameworkBundle] Add info & example to auto_mapping config
...
* 4.3:
fix merge
CS
[Serializer] Skip uninitialized (PHP 7.4) properties in PropertyNormalizer and ObjectNormalizer
stop using deprecated Doctrine persistence classes
[Cache] Fix wrong classname in deprecation message
Fix regex lookahead syntax in ApplicationTest
Fixed syntax in comment
[SecurityBundle][FirewallMap] Remove unused property
[Messenger][AMQP] Use delivery_mode=2 by default
[DI] Improve performance of processDefinition
Fix invalid Windows path normalization
[Validator][ConstraintValidator] Safe fail on invalid timezones
[DoctrineBridge] Fixed submitting invalid ids when using queries with limit
[FrameworkBundle] Add info & example to auto_mapping config
fix comparisons with null values at property paths
This PR was merged into the 3.4 branch.
Discussion
----------
CS for AccessDecisionManager
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | #34548
| License | MIT
| Doc PR | -
As discussed in #34548 with @nicolas-grekas here's a CS change for the `AccessDecisionManager`
Commits
-------
b3742ec493 CS
* 5.0: (38 commits)
[Security] Check UserInterface::getPassword is not null before calling needsRehash
gracefully handle missing event dispatchers
Fix TokenStorage::reset not called in stateless firewall
[DotEnv] Remove `usePutEnv` property default value
[HttpFoundation] get currently session.gc_maxlifetime if ttl doesnt exists
Set up typo fix
[DependencyInjection] Handle env var placeholders in CheckTypeDeclarationsPass
[Cache] fix memory leak when using PhpArrayAdapter
[Validator] Allow underscore character "_" in URL username and password
[TwigBridge] Update bootstrap_4_layout.html.twig
[DoctrineBridge] Removed QueryBuilder type hint in getLoader()
[FrameworkBundle][SodiumVault] Create secrets directory only when needed
fix parsing negative octal numbers
[String] implement __sleep()/__wakeup() on strings
Fixed translations file dumper behavior
[Routing][ObjectLoader] Remove forgotten deprecation after merge
[SecurityBundle] Passwords are not encoded when algorithm set to \"true\"
[DependencyInjection] Resolve expressions in CheckTypeDeclarationsPass
[SecurityBundle] Properly escape regex in AddSessionDomainConstraintPass
do not validate passwords when the hash is null
...
* 4.4: (30 commits)
[Security] Check UserInterface::getPassword is not null before calling needsRehash
gracefully handle missing event dispatchers
Fix TokenStorage::reset not called in stateless firewall
[DotEnv] Remove `usePutEnv` property default value
[HttpFoundation] get currently session.gc_maxlifetime if ttl doesnt exists
Set up typo fix
[DependencyInjection] Handle env var placeholders in CheckTypeDeclarationsPass
[Cache] fix memory leak when using PhpArrayAdapter
[Validator] Allow underscore character "_" in URL username and password
[TwigBridge] Update bootstrap_4_layout.html.twig
[FrameworkBundle][SodiumVault] Create secrets directory only when needed
fix parsing negative octal numbers
[SecurityBundle] Passwords are not encoded when algorithm set to \"true\"
[DependencyInjection] Resolve expressions in CheckTypeDeclarationsPass
[SecurityBundle] Properly escape regex in AddSessionDomainConstraintPass
do not validate passwords when the hash is null
[DI] fix resolving bindings for named TypedReference
[Config] never try loading failed classes twice with ClassExistenceResource
[Mailer] Fix SMTP Authentication when using STARTTLS
[DI] Fix making the container path-independent when the app is in /app
...
* 4.3:
[DotEnv] Remove `usePutEnv` property default value
Set up typo fix
[Validator] Allow underscore character "_" in URL username and password
[SecurityBundle] Passwords are not encoded when algorithm set to \"true\"
do not validate passwords when the hash is null
[DI] fix resolving bindings for named TypedReference
[DI] Fix making the container path-independent when the app is in /app
Allow copy instead of symlink for ./link script
[FrameworkBundle] resolve service locators in `debug:*` commands
bumped Symfony version to 4.3.10
updated VERSION for 4.3.9
updated CHANGELOG for 4.3.9
bumped Symfony version to 3.4.37
updated VERSION for 3.4.36
update CONTRIBUTORS for 3.4.36
updated CHANGELOG for 3.4.36
Add test on ServerLogHandler
* 3.4:
[Validator] Allow underscore character "_" in URL username and password
[SecurityBundle] Passwords are not encoded when algorithm set to \"true\"
do not validate passwords when the hash is null
[DI] Fix making the container path-independent when the app is in /app
Allow copy instead of symlink for ./link script
[FrameworkBundle] resolve service locators in `debug:*` commands
bumped Symfony version to 3.4.37
updated VERSION for 3.4.36
update CONTRIBUTORS for 3.4.36
updated CHANGELOG for 3.4.36
* 5.0:
[Security/Core] Fix checking for SHA256/SHA512 passwords
[Cache][Lock] fix tests
bumped Symfony version to 5.0.2
updated VERSION for 5.0.1
updated CHANGELOG for 5.0.1
bumped Symfony version to 4.4.2
updated VERSION for 4.4.1
updated CHANGELOG for 4.4.1
* 4.4:
[Security/Core] Fix checking for SHA256/SHA512 passwords
[Cache][Lock] fix tests
bumped Symfony version to 4.4.2
updated VERSION for 4.4.1
updated CHANGELOG for 4.4.1
* 5.0:
[DI] auto-register singly implemented interfaces by default
[DI] fix overriding existing services with aliases for singly-implemented interfaces
remove service when base class is missing
do not depend on the QueryBuilder from the ORM
[Security/Http] call auth listeners/guards eagerly when they "support" the request
[Messenger] add tests to FailedMessagesShowCommand
Fix the translation commands when a template contains a syntax error
[Security] Fix clearing remember-me cookie after deauthentication
[Validator] Update Slovenian translations
[HttpClient] remove conflict rule with HttpKernel that prevents using the component in Symfony 3.4
[Config][ReflectionClassResource] Handle parameters with undefined constant as their default values
Fix compatibility with Monolog 2
fix dumping number-like string parameters
Fix CI
[Console] Fix autocomplete multibyte input support
[Config] don't break on virtual stack frames in ClassExistenceResource
more robust initialization from request
Changing the multipart form-data behavior to use the form name as an array, which makes it recognizable as an array by PHP on the $_POST globals once it is coming from the HttpClient component
* 4.4:
[DI] auto-register singly implemented interfaces by default
[DI] fix overriding existing services with aliases for singly-implemented interfaces
remove service when base class is missing
do not depend on the QueryBuilder from the ORM
[Security/Http] call auth listeners/guards eagerly when they "support" the request
[Messenger] add tests to FailedMessagesShowCommand
Fix the translation commands when a template contains a syntax error
[Security] Fix clearing remember-me cookie after deauthentication
[Validator] Update Slovenian translations
[HttpClient] remove conflict rule with HttpKernel that prevents using the component in Symfony 3.4
[Config][ReflectionClassResource] Handle parameters with undefined constant as their default values
fix dumping number-like string parameters
Fix CI
[Console] Fix autocomplete multibyte input support
[Config] don't break on virtual stack frames in ClassExistenceResource
more robust initialization from request
Changing the multipart form-data behavior to use the form name as an array, which makes it recognizable as an array by PHP on the $_POST globals once it is coming from the HttpClient component
* 4.3:
[Messenger] add tests to FailedMessagesShowCommand
Fix the translation commands when a template contains a syntax error
[Security] Fix clearing remember-me cookie after deauthentication
[Validator] Update Slovenian translations
[Config][ReflectionClassResource] Handle parameters with undefined constant as their default values
fix dumping number-like string parameters
Fix CI
[Console] Fix autocomplete multibyte input support
[Config] don't break on virtual stack frames in ClassExistenceResource
more robust initialization from request
This PR was merged into the 4.4 branch.
Discussion
----------
[Security/Http] call auth listeners/guards eagerly when they "support" the request
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #34614, Fix #34679
| License | MIT
| Doc PR | -
This fixes the form authenticator linked to #34614.
Since laziness is here to provide compatibility with HTTP caching, it should be disabled when the request cannot be cached.
Tests don't pass yet, but I'm on the path to something here.
The PR now introduces a new `AbstractListener` that splits the handling logic in two:
- `supports(Request): ?bool` is always called eagerly and tells whether the listener matches the request for an eager call or a lazy call
- `authenticate(RequestEvent)` does the rest of the job when `supports()` allows so - lazily or not depending on the return value of `supports()`.
Of course, this remains compatible with non-lazy logics, see `AbstractListener::__invoke()`.
Commits
-------
b20ebe6b90 [Security/Http] call auth listeners/guards eagerly when they "support" the request
* 5.0: (47 commits)
reset the kernel cache after each test
[HttpKernel] Ability to define multiple kernel.reset tags
[Routing] Continue supporting single colon in object route loaders
[FWBundle] Remove unused parameter
[Intl] [Workflow] fixes English grammar typos
[Filesystem] [Serializer] fixes English grammar typo
mailer: mailchimp bridge is throwing undefined index _id when setting message id in mandrill http transport
has_roles should be is_granted in security upgrade file
has_roles should be is_granted in upgrade files
[HttpClient] Fix early cleanup of pushed HTTP/2 responses
skip test on incompatible PHP versions
[HttpKernel] Don't cache "not-fresh" state
Drop WebServerBundle directory
[FrameworkBundle][Cache] Don't deep-merge cache pools configuration
[Messenger] Adding exception to amqp transport in case amqp ext is not installed
[SecurityBundle] Don't require a user provider for the anonymous listener
[DoctrineBridge] Fixed cs in DoctrineType
[Monolog Bridge] Fixed accessing static property as non static.
Improve Symfony description
[Mailer] Add UPGRADE entries about Envelope and MessageEvent
...
* 4.4: (38 commits)
reset the kernel cache after each test
[HttpKernel] Ability to define multiple kernel.reset tags
[Routing] Continue supporting single colon in object route loaders
[FWBundle] Remove unused parameter
[Intl] [Workflow] fixes English grammar typos
[Filesystem] [Serializer] fixes English grammar typo
mailer: mailchimp bridge is throwing undefined index _id when setting message id in mandrill http transport
has_roles should be is_granted in upgrade files
[HttpClient] Fix early cleanup of pushed HTTP/2 responses
skip test on incompatible PHP versions
[HttpKernel] Don't cache "not-fresh" state
[FrameworkBundle][Cache] Don't deep-merge cache pools configuration
[Messenger] Adding exception to amqp transport in case amqp ext is not installed
[SecurityBundle] Don't require a user provider for the anonymous listener
[Monolog Bridge] Fixed accessing static property as non static.
Improve Symfony description
[Mailer] Add UPGRADE entries about Envelope and MessageEvent
[FrameworkBundle] fix leftover mentioning "secret:" processor
Add DateTimeZoneNormalizer into Dependency Injection
[Messenger] Error when specified default bus is not among the configured
...
* 4.3:
[FWBundle] Remove unused parameter
[Intl] [Workflow] fixes English grammar typos
[Filesystem] [Serializer] fixes English grammar typo
[Messenger] Adding exception to amqp transport in case amqp ext is not installed
[Monolog Bridge] Fixed accessing static property as non static.
Improve Symfony description
Add DateTimeZoneNormalizer into Dependency Injection
[Messenger] Error when specified default bus is not among the configured
[Validator] Add Japanese translation
[Workflow] Apply the same logic of precedence between the apply() and the buildTransitionBlockerList() method
Remove some unused methods parameters
Avoid empty \"If-Modified-Since\" header in validation request
[Security] Fix SwitchUser is broken when the User Provider always returns a valid user
Fix error message according to the new regex
compatibility with DoctrineBundle 2
[Validator] ConstraintValidatorTestCase: add missing return value to mocked validate method calls
* 5.0:
[Routing] fix tests
[DI] minor cleanup
[Form] group constraints when calling the validator
Remove wrong @group legacy annotations
[DependencyInjection] Fix dumping multiple deprecated aliases
allow button names to start with uppercase letter
Allow PHP ^7.2.5
States that the HttpClient provides a Http Async implementation
[Routing] Fix ContainerLoader and ObjectLoaderTest
[HttpKernel] Make ErrorListener::onKernelException()'s dispatcher argument explicit
[HttpKernel] Drop deprecated ExceptionListener
Removed extra whitespace
[Security] Fix best encoder not wired using migrate_from
* 4.4:
[Routing] fix tests
[Form] group constraints when calling the validator
Remove wrong @group legacy annotations
[DependencyInjection] Fix dumping multiple deprecated aliases
allow button names to start with uppercase letter
States that the HttpClient provides a Http Async implementation
* 4.4:
[HttpKernel] Make ErrorListener::onKernelException()'s dispatcher argument explicit
Removed extra whitespace
[Security] Fix best encoder not wired using migrate_from
* 4.4: (23 commits)
[HttpFoundation] fix docblock
[HttpKernel] Flatten "exception" controller argument if not typed
Fix MySQL column type definition.
Link the right file depending on the new version
[Cache] Redis Tag Aware warn on wrong eviction policy
[HttpClient] fix HttpClientDataCollector
[HttpKernel] collect bundle classes, not paths
[Config] fix id-generation for GlobResource
[HttpKernel] dont check cache freshness more than once per process
[Finder] Allow ssh2 stream wrapper for sftp
[FrameworkBundle] fix wiring of httplug client
add FrameworkBundle requirement
[SecurityBundle] add tests with empty authenticator
[Security] always check the token on non-lazy firewalls
[DI] Use reproducible entropy to generate env placeholders
[WebProfilerBundle] Require symfony/twig-bundle
[Mailer] Add UPGRADE entry about the null transport DSN
bumped Symfony version to 4.3.9
updated VERSION for 4.3.8
updated CHANGELOG for 4.3.8
...
* 4.4:
[Console] Constant STDOUT might be undefined.
Add missing conflict with symfony/serializer <4.4
Allow returning null from NormalizerInterface::normalize
bumped Symfony version to 4.4.0
updated VERSION for 4.4.0-BETA1
updated CHANGELOG for 4.4.0-BETA1
[Security\Core] throw AccessDeniedException when switch user fails
[Mime] fix guessing mime-types of files with leading dash
[HttpFoundation] fix guessing mime-types of files with leading dash
[VarExporter] fix exporting some strings
[Cache] forbid serializing AbstractAdapter and TagAwareAdapter instances
Use constant time comparison in UriSigner
* 4.3:
[Console] Constant STDOUT might be undefined.
Allow returning null from NormalizerInterface::normalize
[Security\Core] throw AccessDeniedException when switch user fails
[Mime] fix guessing mime-types of files with leading dash
[HttpFoundation] fix guessing mime-types of files with leading dash
[VarExporter] fix exporting some strings
[Cache] forbid serializing AbstractAdapter and TagAwareAdapter instances
Use constant time comparison in UriSigner
This PR was merged into the 4.4 branch.
Discussion
----------
[HttpKernel] make ExceptionEvent able to propagate any throwable
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | yes
| Tickets | -
| License | MIT
| Doc PR | -
An alternative to #34306.
As a reminder, the goal of this series of PRs is to remove the `FatalThrowableError` wrapper that we introduced to seamlessly handle throwables when they were introduced in PHP 7.
From the changelog of `HttpKernel`:
* Deprecated methods `ExceptionEvent::get/setException()`, use `get/setThrowable()` instead
* Deprecated class `ExceptionListener`, use `ErrorListener` instead
And the final target: removed `Symfony\Component\ErrorHandler\Exception\ErrorException` (`FatalThrowableError` is already deprecated.)
Commits
-------
6f67f0e0c0 [HttpKernel] make ExceptionEvent able to propagate any throwable
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] Fix defining multiple roles per access_control rule
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | https://github.com/symfony/symfony-docs/pull/12371 needs to be reverted
#33584 deprecated passing multiple attributes to `AccessDecisionManager::decide()`, but this change must not impact `access_control` as you cannot define multiple rules with the same criteria for request matching (the first match wins).
Commits
-------
338b3dfd9f [Security] Fix defining multiple roles per access_control rule
* 4.4: (39 commits)
[Console] Fix #33915, Detect dimensions using mode CON if vt100 is supported
[PhpUnitBridge] Also search for composer.phar in git root folder
[HttpKernel][DataCollectorInterface] Ease compatibility
Add tests to ensure defaultLocale is properly passed to the URL generator
[DependencyInjection] Fix broken references in tests
[VarDumper] display the method we're in when dumping stack traces
[HttpClient] Retry safe requests when then fail before the body arrives
[Console] Rename some methods related to redraw frequency
Avoid using of kernel after shutdown
Simplify PHP CS Fixer configuration
[PropertyInfo] Fixed type extraction for nullable collections of non-nullable elements
[FrameworkBundle] [HttpKernel] fixed correct EOL and EOM month
Fix CS
[Serializer] Fix property name usage for denormalization
Name test accordingly to the tested class
Fix MockFileSessionStorageTest::sessionDir being used after it's unset
[Security] Fix SwitchUserToken wrongly deauthenticated
Supporting Bootstrap 4 custom switches
Add new Form WeekType
bumped Symfony version to 4.3.7
...
* 4.4:
[OptionsResolve] Revert change in tests for a not-merged change in code
[HttpClient] fix handling of 3xx with no Location header - ignore Content-Length when no body is expected
[Workflow] Made the configuration more robust for the 'property' key
[Security/Core] make NativePasswordEncoder use sodium to validate passwords when possible
[FrameworkBundle] make SodiumVault report bad decryption key accurately
cs fix
[Security] Allow to set a fixed algorithm
[Security/Core] make encodedLength computation more generic
[Security/Core] add fast path when encoded password cannot match anything
#30432 fix an error message
fix paths to detect code owners
[HttpClient] ignore the body of responses to HEAD requests
[Validator] Ensure numeric subpaths do not cause errors on PHP 7.4
[SecurityBundle] Fix wrong assertion
Remove unused local variables in tests
[Yaml][Parser] Remove the getLastLineNumberBeforeDeprecation() internal unused method
Make sure to collect child forms created on *_SET_DATA events
[WebProfilerBundle] Improve display in Email panel for dark theme
do not render errors for checkboxes twice
* 4.3:
[OptionsResolve] Revert change in tests for a not-merged change in code
[HttpClient] fix handling of 3xx with no Location header - ignore Content-Length when no body is expected
[Workflow] Made the configuration more robust for the 'property' key
[Security/Core] make NativePasswordEncoder use sodium to validate passwords when possible
#30432 fix an error message
fix paths to detect code owners
[HttpClient] ignore the body of responses to HEAD requests
[Validator] Ensure numeric subpaths do not cause errors on PHP 7.4
[SecurityBundle] Fix wrong assertion
Remove unused local variables in tests
[Yaml][Parser] Remove the getLastLineNumberBeforeDeprecation() internal unused method
Make sure to collect child forms created on *_SET_DATA events
[WebProfilerBundle] Improve display in Email panel for dark theme
do not render errors for checkboxes twice
* 3.4:
#30432 fix an error message
fix paths to detect code owners
[Validator] Ensure numeric subpaths do not cause errors on PHP 7.4
Remove unused local variables in tests
Make sure to collect child forms created on *_SET_DATA events
do not render errors for checkboxes twice
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] Allow to stick to a specific password hashing algorithm
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | Fix #33054
| License | MIT
| Doc PR | todo
Allows using `argon2i`, `argon2id` and `bcrypt`.
Commits
-------
6712d1e504 [Security] Allow to set a fixed algorithm
* 4.4:
[Debug] remove return types that break FC badly
[Mailer][MailchimpBridge] Don't send address names if empty string
[ExpressionLanguage][Lexer] Exponential format for number
[Mailer] Fix SES Message Id retrieval
Add .gitignore to .gitattributes
* 4.4: (27 commits)
[Validator] add notice in UPGRADE file for new Range constraint option
[CssSelector] Support *:only-of-type pseudo class selector
[Intl] Update the ICU data to 65.1 (4.4 branch)
[Intl] Update the ICU data to 65.1 (4.3 branch)
Replace deprecated calls in tests
[Intl] Update the ICU data to 65.1
Delete 5_Security_issue.md
[DI] Whitelist error_renderer.renderer tag in UnusedTagsPass
[DI] Whitelist validator.auto_mapper in UnusedTagsPass
Update CHANGELOG.md
[HttpClient] Fixed #33832 NO_PROXY option ignored in NativeHttpClient::request() method
[EventDispatcher] A compiler pass for aliased userland events.
[Cache] give 100ms before starting the expiration countdown
[Cache] fix logger usage in CacheTrait::doGet()
[VarDumper] fix dumping uninitialized SplFileInfo
Added missing translations.
[Form] Added CountryType option for using alpha3 country codes
Fixed invalid changelog 4.0.0 for VarDumper
[Workflow] Fixed BC break on WorkflowInterface
Fix wrong expression language value
...
* 4.3:
[Intl] Update the ICU data to 65.1 (4.3 branch)
Replace deprecated calls in tests
[Intl] Update the ICU data to 65.1
Delete 5_Security_issue.md
[DI] Whitelist validator.auto_mapper in UnusedTagsPass
[HttpClient] Fixed #33832 NO_PROXY option ignored in NativeHttpClient::request() method
[Cache] give 100ms before starting the expiration countdown
[Cache] fix logger usage in CacheTrait::doGet()
[VarDumper] fix dumping uninitialized SplFileInfo
Added missing translations.
Fixed invalid changelog 4.0.0 for VarDumper
Fixed invalid VarDumper upgrade doc.
[HttpFoundation] Check if data passed to SessionBagProxy::initialize is an array
Don't let falsey usernames slip through
* 3.4:
[Intl] Update the ICU data to 65.1
[VarDumper] fix dumping uninitialized SplFileInfo
Added missing translations.
Fixed invalid VarDumper upgrade doc.
[HttpFoundation] Check if data passed to SessionBagProxy::initialize is an array
Don't let falsey usernames slip through
* 4.4: (24 commits)
[Console] Command::execute() should always return int - deprecate returning null
[FrameworkBundle] Fix wrong returned status code in ConfigDebugCommand
[AnnotationCacheWarmer] add RedirectController to annotation cache
[WebProfilerBundle] Try to display the most useful panel by default
Add note about deprecating the XmlEncoder::TYPE_CASE_ATTRIBUTES constant in the upgrade guide
fix merge
[DI] add tests loading calls with returns-clone
[DI] dont mandate a class on inline services with a factory
Fixed Redis Sentinel usage when only one Sentinel specified
[EventDispatcher] Added tests for aliased events.
Sync Twig templateExists behaviors
Fix the :only-of-type pseudo class selector
Deprecate the XmlEncoder::TYPE_CASE_ATTRIBUTES constant
[Mailer] Tweak some code
[Serializer] Add CsvEncoder tests for PHP 7.4
Copy phpunit.xsd to a predictable path
[WebserverBundle] Remove duplicated deprecation message
remove duplicated test
[Security/Http] fix parsing X509 emailAddress
[FrameworkBundle] conflict with VarDumper < 4.4
...
* 4.3:
Sync Twig templateExists behaviors
Fix the :only-of-type pseudo class selector
[Serializer] Add CsvEncoder tests for PHP 7.4
Copy phpunit.xsd to a predictable path
[Security/Http] fix parsing X509 emailAddress
[Serializer] fix denormalization of string-arrays with only one element #33731
[Cache] fix known tag versions ttl check
* 3.4:
Sync Twig templateExists behaviors
Fix the :only-of-type pseudo class selector
[Serializer] Add CsvEncoder tests for PHP 7.4
Copy phpunit.xsd to a predictable path
[Security/Http] fix parsing X509 emailAddress
[Serializer] fix denormalization of string-arrays with only one element #33731
[Cache] fix known tag versions ttl check
* 4.4:
sync phpunit script with master
[HttpFoundation] allow additinal characters in not raw cookies
[Console] Deprecate abbreviating hidden command names using Application->find()
Do not include hidden commands in suggested alternatives
[Messenger] Improve error message when routing to an invalid transport (closes #31613)
[DependencyInjection] Fix wrong exception when service is synthetic
[Security] add "anonymous: lazy" mode to firewalls
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] add "anonymous: lazy" mode to firewalls
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | Fixes #26769 et al.
| License | MIT
| Doc PR | -
Contains #33663 until it is merged.
This PR allows defining a firewall as such:
```yaml
security:
    firewalls:
        main:
            anonymous: lazy
```
This means that the corresponding area should not start the session / load the user unless the application actively gets access to it. On pages that don't fetch the user at all, this means the session is not started, which means the corresponding token isn't either. Lazily, when the user is accessed, e.g. via a call to `is_granted()`, the user is loaded, starting the session if needed.
See #27817 for previous explanations on the topic also.
Note that thanks to the logic in #33633, this PR doesn't have the drawback spotted in #27817: here, the profiler works as expected.
Recipe update pending at https://github.com/symfony/recipes/pull/649
Commits
-------
5cd1d7b4cc [Security] add "anonymous: lazy" mode to firewalls
* 4.4: (28 commits)
[FrameworkBundle] Fix framework bundle lock configuration not working as expected
[Validator] Add the missing translations for the Azerbaijani locale
[HttpClient] workaround bad Content-Length sent by old libcurl
[Cache] dont override native Memcached options
Fix CS
Fix exceptions (PDOException) error code type
[ErrorHandler] fix return-type patching logic
[Messenger] Added support for `from_transport` attribute on `messenger.message_handler` tag
[ErrorHandler] don't throw deprecations for return-types by default
ensure legacy event dispatcher compatibility
ensure legacy event dispatcher compatibility
Fix return type of Process::restart().
[Cache] fail gracefully when locking is not supported
[HttpKernel] compress files generated by the profiler
tweak deprecation messages and changelog
fix version in @deprecated annotation
Use VarCloner data instead of legacy array for query params
[Security] use LegacyEventDispatcherProxy
[HttpClient] fix undefined index access
[HttpClient] fix race condition when reading response with informational status
...
* 4.4:
[Security/Http] fix typo in deprecation message
[Security] Deprecate isGranted()/decide() on more than one attribute
Fixed a minor typo in the UPGRADE to 5.0 guide
Various tweaks 3.4
Various tweaks 4.3
[Security] Make stateful firewalls turn responses private only when needed
[PhpUnit] Fix usleep mock return value
Revert "feature #33507 [WebProfiler] Deprecated intercept_redirects in 4.4 (dorumd)"
[TwigBundle] typo
[TwigBundle] fix test case
[Lock] use Predis\ClientInterface instead of Predis\Client
Allow Twig 3
Minor tweaks
Fix version typo in deprecation notice
[Form][SubmitType] Add "validate" option
hint to the --parse-tags when parsing tags fails
Make legacy "wrong" RFC2047 encoding apply only to one header
* 4.3:
[Security/Http] fix typo in deprecation message
Various tweaks 3.4
Various tweaks 4.3
[PhpUnit] Fix usleep mock return value
[Lock] use Predis\ClientInterface instead of Predis\Client
Fix version typo in deprecation notice
Make legacy "wrong" RFC2047 encoding apply only to one header
This PR was merged into the 4.3 branch.
Discussion
----------
[Security/Http] fix typo in deprecation message
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
spotted by @stof in #33676
Commits
-------
e70057aed4 [Security/Http] fix typo in deprecation message
This PR was squashed before being merged into the 4.4 branch (closes #33584).
Discussion
----------
[Security] Deprecate isGranted()/decide() on more than one attribute
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | yes
| Tickets | -
| License | MIT
| Doc PR | tbd
While I expect it not to be used much, it is currently possible to call `isGranted()` on more than one attribute:
```php
if ($this->authorizationChecker->isGranted(['ROLE_USER', 'ROLE_ADMIN'])) {
    // ...
}
```
Supporting this includes a couple of problems/questions:
- It is not clear whether this is `OR` or `AND`;
- In fact, this is left over to the voter to decide upon. So it can vary for each voter and writers of new voters need to consider this (otherwise, you get issues like https://github.com/LeaseWeb/LswSecureControllerBundle/issues/4 );
- It promotes voting on roles instead of actions.
I think we can do better. In the past, we've created all tooling for this to be self-explaining and easier:
```php
// ExpressionLanguage component (also includes other functions, like `is_granted('EDIT')`)
if ($this->authorizationChecker->isGranted("has_role('ROLE_USER') or has_role('ROLE_ADMIN')")) {
    // ...
}

// calling it multiple times in PHP (may reduce performance)
if ($this->authorizationChecker->isGranted('ROLE_USER')
    || $this->authorizationChecker->isGranted('ROLE_ADMIN')
) {
    // ...
}

// or by using Role Hierarchy, if a user really wants to vote on roles
```
This PR deprecates passing more than one attribute to `isGranted()` and `decide()` to remove this confusing bit in Security usage.
Backwards compatibility help
---
I need some help in how to approach changing the `VoterInterface::vote(TokenInterface $token, $subject, array $attributes)` method in a backwards compatible way. Removing `array` breaks all Voters, and so does changing it to `string` or removing the parameter altogether.
Commits
-------
c64b0beffb [Security] Deprecate isGranted()/decide() on more than one attribute
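The ambiguity described in this PR, as an added example that is not Symfony's code: `DemoVoter`, `AnyRoleVoter`, `AllRolesVoter` and `demoIsGranted()` are hypothetical, simplified stand-ins for the voter mechanism, and the user's roles are constructed sample data.

```php
<?php
declare(strict_types=1);

// Simplified stand-ins for illustration only; these are NOT Symfony's classes.
// The three outcomes mirror the granted / abstain / denied model voters use.
const DEMO_GRANTED = 1;
const DEMO_ABSTAIN = 0;
const DEMO_DENIED = -1;

interface DemoVoter
{
    /**
     * @param string[] $userRoles  roles held by the current user
     * @param string[] $attributes attributes passed to the access check
     */
    public function vote(array $userRoles, array $attributes): int;
}

/** Reads an attribute list as OR: one matching role is enough. */
final class AnyRoleVoter implements DemoVoter
{
    public function vote(array $userRoles, array $attributes): int
    {
        if ([] === $attributes) {
            return DEMO_ABSTAIN; // nothing to vote on
        }
        foreach ($attributes as $attribute) {
            if (in_array($attribute, $userRoles, true)) {
                return DEMO_GRANTED;
            }
        }

        return DEMO_DENIED;
    }
}

/** Reads the same list as AND: every role must be held. */
final class AllRolesVoter implements DemoVoter
{
    public function vote(array $userRoles, array $attributes): int
    {
        // Without this guard an empty list would be granted vacuously.
        if ([] === $attributes) {
            return DEMO_ABSTAIN;
        }
        foreach ($attributes as $attribute) {
            if (!in_array($attribute, $userRoles, true)) {
                return DEMO_DENIED;
            }
        }

        return DEMO_GRANTED;
    }
}

/** Hypothetical checker: access is granted only on an explicit grant. */
function demoIsGranted(DemoVoter $voter, array $userRoles, array $attributes): bool
{
    return DEMO_GRANTED === $voter->vote($userRoles, $attributes);
}

// Constructed sample: an ordinary user who does not hold ROLE_ADMIN.
$userRoles = ['ROLE_USER'];
$voters = ['any (OR)' => new AnyRoleVoter(), 'all (AND)' => new AllRolesVoter()];

// Ambiguous call: the answer depends on which voter is installed.
foreach ($voters as $label => $voter) {
    printf("%-10s [ROLE_USER, ROLE_ADMIN] => %s\n", $label,
        demoIsGranted($voter, $userRoles, ['ROLE_USER', 'ROLE_ADMIN']) ? 'granted' : 'denied');
}

// One attribute per call: both voters agree, and the caller spells out OR.
foreach ($voters as $label => $voter) {
    $either = demoIsGranted($voter, $userRoles, ['ROLE_USER'])
        || demoIsGranted($voter, $userRoles, ['ROLE_ADMIN']);
    printf("%-10s ROLE_USER || ROLE_ADMIN  => %s\n", $label, $either ? 'granted' : 'denied');
}
```

With the constructed user, the array call is granted by the OR voter and denied by the AND voter, while the single-attribute calls give the same answer under both.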
* 4.4:
[Twig] Remove dead code
Minor updates in the new Welcome page
Add gitignore file for Symfony 4.3
Add gitignore file for Symfony 3.4
[Inflector] Add .gitignore file
[Messenger] Fix exception message of failed message is dropped on retry
Add default value for Accept header
[HttpClient] Add .gitignore file
[Finder] Adjust regex to correctly match comments in gitignore contents
[Security] Removed unused argument in Test
[Console] Get dimensions from stty on windows if possible
[Inflector] add support 'see' to 'ee' for singularize 'fees' to 'fee'
* 4.3:
[Twig] Remove dead code
Add gitignore file for Symfony 4.3
Add gitignore file for Symfony 3.4
[Inflector] Add .gitignore file
[Messenger] Fix exception message of failed message is dropped on retry
Add default value for Accept header
[HttpClient] Add .gitignore file
[Finder] Adjust regex to correctly match comments in gitignore contents
[Security] Removed unused argument in Test
[Console] Get dimensions from stty on windows if possible
[Inflector] add support 'see' to 'ee' for singularize 'fees' to 'fee'
* 3.4:
[Twig] Remove dead code
Add gitignore file for Symfony 3.4
[Inflector] Add .gitignore file
[Security] Removed unused argument in Test
[Console] Get dimensions from stty on windows if possible
[Inflector] add support 'see' to 'ee' for singularize 'fees' to 'fee'
After #32998 there was a minor left over, the `testHandleAuthenticationClearsToken`
`$tokenClass` argument is no longer used and can be safely removed.
* 4.4:
Update GitHub PR template
[DI] fix related to preloading
[HttpKernel] fix compat with legacy DebugClassLoader
[WebProfilerBundle] Assign automatic colors to custom Stopwatch categories
[DI] use dirname() when possible
Simplify usage of dirname()
Remove Google references when not needed
Simplify usage of dirname()
don't dump a scalar tag value on its own line
Remove Google references when not needed
[DI] fix Preloader
[HttpClient] fix calling the buffer-enabling callback
[HttpClient] fix php notice on push
do not perform string operations on null
Require exact match when reading from stdin with a dash
* 4.4: (21 commits)
[appveyor] exclude tty group
[HttpFoundation] Add types to private/final/internal methods and constructors.
Add types to private/final/internal methods and constructors.
SCA: minor code tweaks
Tweak output
[FrameworkBundle] Added --sort option for TranslationUpdateCommand
[HttpClient] fallbackto CURLMOPT_MAXCONNECTS when CURLMOPT_MAX_HOST_CONNECTIONS is not available
[DI] generate preload.php file for PHP 7.4 in cache folder
Allow version 2 of the contracts package.
[Serializer] Allow multi-dimenstion object array in AbstractObjectNormalizer
fixed typo
[HttpKernel] Fix Apache mod_expires Session Cache-Control issue
deprecated not passing dash symbol (-) to STDIN commands
[VarDumper] display ellipsed FQCN for nested classes
[VarDumper] Display fully qualified title
[Mailer] Change the syntax for DSNs using failover or roundrobin
Removed workaround introduced in 4.3
[Console] Added support for definition list
[OptionsResolver] Display full nested options hierarchy in exceptions
New welcome page
...
* 4.4:
[MonologBridge] Bump min version for monolog ^1.25 and drop dead code
[Bridge/Twig] use tty group on testLintDefaultPaths
fix tests mocking final events
This PR was merged into the 4.4 branch.
Discussion
----------
fix tests mocking final events
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #...
| License | MIT
| Doc PR |
Fix tests in 4.4 extracted from #33297
Commits
-------
637461fd51 fix tests mocking final events
* 4.4:
[Debug] disable new DebugClassLoader when testing the legacy one
- updated AbstractToken to compare Roles - Updated isEqualTo method to match roles as default User implements EquatableInterface - added test case - bumped symfony/security-core to 4.4
typos bis
typos
Fix more bad tests
Fix test fixtures with deprecated method signatures.
Fix 4.3 tests forward compat
[Messenger] fix empty amqp body returned as false
[Mailer] Added messenger to dev dependencies.
[Validator] Update "suggest" section in composer.json.
Fix routing cache broken when using generator_class
* 4.3:
Fix more bad tests
Fix test fixtures with deprecated method signatures.
Fix 4.3 tests forward compat
[Messenger] fix empty amqp body returned as false
Fix routing cache broken when using generator_class
This PR was merged into the 5.0-dev branch.
Discussion
----------
Parameter type leftovers
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #32179
| License | MIT
| Doc PR | N/A
Commits
-------
34eda04866 Added more parameter type declarations.
This PR was merged into the 4.4 branch.
Discussion
----------
Mark all dispatched event classes as final
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
I think we should mark all our Event classes as final. There is no point in people extending them as the libraries that use the event will only dispatch this event. So extending events in user-land achieves nothing as the subclasses won't be dispatched.
I'm not talking about the base events that are meant to be extended like KernelEvent, but the leaf events like ExceptionEvent, ResponseEvent etc.
Then we can also make them real final in 5.0 as the events are value objects that should not be mocked.
Commits
-------
4bb38eec89 Mark all dispatched event classes as final
* 4.4:
Do not extend the new SF 4.3 ControllerEvent so we can make it final
Backported return type violation bugfixes.
fix deprecated call to setLocale with null
[FrameworkBundle] Fix BrowserKit assertions to make them compatible with Panther
[HttpKernel] deprecate global dir to load resources from
* 4.3:
Do not extend the new SF 4.3 ControllerEvent so we can make it final
Backported return type violation bugfixes.
[FrameworkBundle] Fix BrowserKit assertions to make them compatible with Panther
This PR was merged into the 3.4 branch.
Discussion
----------
[Security/Core] UserInterface::getPassword() can return null
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Our very own `User` class can return null already.
Commits
-------
00d7f8cde7 [Security/Core] UserInterface::getPassword() can return null
* 4.4:
[Routing] Add a param annotation for $annot.
[DI] fix docblock
[Console] fix docblock
Add missing translations for Armenian locale
[Process] Added missing return type.
[Process] Doc block backport.
Added doc block for Registry::supports().
[Cache] Fix predis test
Don't duplicate addresses in Sendgrid Transport
Remove unnecessary statement
Fix some docblocks.
[Messenger] make delay exchange and queues durable like the normal ones by default
Cancel delayed message if handler fails
Added tests for #32370
* 4.3:
[Routing] Add a param annotation for $annot.
[DI] fix docblock
[Console] fix docblock
Add missing translations for Armenian locale
[Process] Added missing return type.
[Process] Doc block backport.
Added doc block for Registry::supports().
[Cache] Fix predis test
Don't duplicate addresses in Sendgrid Transport
Remove unnecessary statement
Fix some docblocks.
[Messenger] make delay exchange and queues durable like the normal ones by default
Cancel delayed message if handler fails
Added tests for #32370
* 3.4:
[Routing] Add a param annotation for $annot.
[DI] fix docblock
Add missing translations for Armenian locale
[Process] Doc block backport.
Fix some docblocks.
* 4.4:
[Mailer] simplified the way TLS/SSL/StartTls work
[VarDumper] Add test dump image
Allow exchange type headers binding
Add types to private and final methods.
[Messenger] InMemoryTransport handle acknowledged and rejected messages
[Intl] Validate region preferred alpha code mapping
Added ErrorHandler::call() method utility to turns any PHP warnings into `\ErrorException`
[Intl] Full alpha3 language support
[Monolog] Added ElasticsearchLogstashHandler
* 4.4:
cs fix
Fix return statements
[TwigBridge] add missing dep
Add type declarations to private DefaultChoiceListFactory methods
Add false type to ChoiceListFactoryInterface::createView $label argument
Update UPGRADE guide of 4.3 for EventDispatcher
[SecurityBundle] display the correct class name on the deprecated notice
* 4.3:
cs fix
Fix return statements
[TwigBridge] add missing dep
Add false type to ChoiceListFactoryInterface::createView $label argument
Update UPGRADE guide of 4.3 for EventDispatcher
[SecurityBundle] display the correct class name on the deprecated notice
* 4.4:
cleanups
Disable PHPUnit result cache on the CI
[Security] Cleanup "Digest nonce has expired." translation
[Translation] Highlight invalid translation status
Added translations in validator for Serbian Cyrillic
Added translations in validator for Serbian Latin
[EventDispatcher] wrong Request class
[DependencyInjection] improved exception message
* 4.3:
cleanups
Disable PHPUnit result cache on the CI
[Security] Cleanup "Digest nonce has expired." translation
[Translation] Highlight invalid translation status
Added translations in validator for Serbian Cyrillic
Added translations in validator for Serbian Latin
[EventDispatcher] wrong Request class
[DependencyInjection] improved exception message
* 4.4:
[Debug] Improve UPGRADE files
remove wrongly added legacy group from test
consistently throw NotSupportException
[HttpKernel] Clarify error handler restoring process again
[HttpClient] Remove CURLOPT_CONNECTTIMEOUT_MS curl opt
add missing conflict rule
[Intl] fix nullable phpdocs and useless method visibility of internal class
remove some more useless phpdocs
Resilience against file_get_contents() race conditions.
Turned return type annotations of private methods into php return types.
This PR was merged into the 4.4 branch.
Discussion
----------
remove some more useless phpdocs
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #...
| License | MIT
| Doc PR | symfony/symfony-docs#...
Fix some leftovers from #32974 and #32786
Commits
-------
9be4d171e0 remove some more useless phpdocs
* 4.4:
fix merge
Fix inconsistent return points.
pass translation parameters to the trans filter
[Mime] fixed wrong mimetype
[ProxyManagerBridge] Polyfill for unmaintained version
[HttpClient] Declare `$active` first to prevent weird issue
Remove deprecated assertContains
[HttpClient] fix tests
SCA: dropped unused mocks, duplicate import and a function alias usage
Added correct plural for box -> boxes
[Config] fix test
Fix remaining tests
fix getName() when transport is null
[Console] Check for ErrorHandler classes
Improve fa (persian) translation
* 4.3:
Fix inconsistent return points.
pass translation parameters to the trans filter
[Mime] fixed wrong mimetype
[ProxyManagerBridge] Polyfill for unmaintained version
[HttpClient] Declare `$active` first to prevent weird issue
Remove deprecated assertContains
[HttpClient] fix tests
SCA: dropped unused mocks, duplicate import and a function alias usage
Added correct plural for box -> boxes
[Config] fix test
Fix remaining tests
Improve fa (persian) translation
* 3.4:
[ProxyManagerBridge] Polyfill for unmaintained version
SCA: dropped unused mocks, duplicate import and a function alias usage
[Config] fix test
Improve fa (persian) translation
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Improve fa (persian) translation
| Q | A
| ------------- | ---
| Branch? | >= 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | N/A
| License | MIT
| Doc PR | N/A
Commits
-------
4afdfd765d Improve fa (persian) translation
* 4.4:
bump phpunit-bridge cache-id
removed unneeded phpdocs
Use assertStringContainsString when needed
Use assert assertContainsEquals when needed
Use assertEqualsWithDelta when required
* 4.3:
bump phpunit-bridge cache-id
Use assertStringContainsString when needed
Use assert assertContainsEquals when needed
Use assertEqualsWithDelta when required
* 3.4:
bump phpunit-bridge cache-id
Use assertStringContainsString when needed
Use assert assertContainsEquals when needed
Use assertEqualsWithDelta when required
* 4.4:
Minor fixes
[Mailer] fixed dispatcher not available in Mailer
[HttpClient] Minor fixes
Use namespaced Phpunit classes
Add polyfill for PhpUnit namespace
[Messenger] Fixed ConsumeMessagesCommand configuration
[Form] remove leftover int child phpdoc
Support DateTimeInterface in IntlDateFormatter::format
[PhpUnitBridge] fixed PHPUnit 8.3 compatibility: method handleError was renamed to __invoke
[Yaml] Removed unused $nullAsTilde property
[Security] add support for opportunistic password migrations
[Lock] Legacy test should implement legacy interface
fixed phpdocs
Use PHPunit assertion
[Intl] Order alpha2 to alpha3 mapping + phpdoc fixes
* 4.4:
fix case
[Messenger] Removed named parameters and replaced with `?` placeholders for sqlsrv compatibility
[FrameworkBundle] Detect indirect env vars in routing
[Form] type cannot be a FormTypeInterface anymore
[HttpClient] use "idle" instead of "inactivity" when telling about the timeout option
Create mailBody with only attachments part present
Remove calls to deprecated function assertAttributeX
[PhpUnitBridge] make the bridge act as a polyfill for newest PHPUnit features
[Intl] Order alpha2 to alpha3 mapping
[Routing] added a warning about the getRouteCollection() method
Allow sutFqcnResolver to return array
[Messenger] Fix incompatibility with FrameworkBundle <4.3.1
Created alias to FlattenException to avoid BC break
[Ldap] Add security LdapUser and provider
[HttpFoundation] Revert getClientIp @return docblock
This PR was merged into the 4.4 branch.
Discussion
----------
[Ldap] Add security LdapUser and provider
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Moves `LdapUserProvider` from `Security\Core` to the Ldap component, the provider now deals with a new `LdapUser` aware of its ldap `Entry` (should help in #31843).
Commits
-------
6736cdfec3 [Ldap] Add security LdapUser and provider
This PR was merged into the 4.3 branch.
Discussion
----------
Sync "not implementing the method" deprecations messages
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Suggested in https://github.com/symfony/symfony/pull/32747#discussion_r309307289
Useful for consistency and for future reference for similar messages.
Commits
-------
f6fae1c361 Sync "not implementing the method" deprecations messages
* 4.4:
Fix assertInternalType deprecation in phpunit 9
Fix assertInternalType deprecation in phpunit 9
Ensure signatures for setUp|tearDown|setUpAfterClass|tearDownAfterClass methods in tests are compatible with phpunit 8.2
* 4.3:
Fix assertInternalType deprecation in phpunit 9
Ensure signatures for setUp|tearDown|setUpAfterClass|tearDownAfterClass methods in tests are compatible with phpunit 8.2
This PR was merged into the 4.4 branch.
Discussion
----------
add parameter type declarations to private methods
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Commits
-------
1b2aaa4a06 add parameter type declarations to private methods
* 4.4:
[Cache] fix cs
Make tests support phpunit 8
Allow Travis CI to build on PHP 7.4
[DI] Allow dumping the container in one file instead of many files
* 4.4:
[Security] Revise UserPasswordEncoderInterface::needsRehash()
[Form] update type of form $name arguments
[HttpClient] Preserve the case of headers when sending them
[Ldap][Security] use right arguments count in sercurity factories
This PR was squashed before being merged into the 4.4 branch (closes #32831).
Discussion
----------
[Security] Revise UserPasswordEncoderInterface::needsRehash()
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #...
| License | MIT
| Doc PR | symfony/symfony-docs#...
This reuses the encoded password from the user for the `UserPasswordEncoderInterface`, similar to how we don't pass the encoded string to `isPasswordValid()`.
This differs from the non-user aware `PasswordEncoderInterface`.
cc @nicolas-grekas did I miss something?
Commits
-------
c5a283d417 [Security] Revise UserPasswordEncoderInterface::needsRehash()
* 4.4:
Fix travis script
[Contracts] Fix branch alias
minor fix for wrong case
[HttpFoundation] Fix `getMaxFilesize`
[Cache] fix warning on PHP 7.4
[Console] fix warning on PHP 7.4
let BlockingStoreInterface extend PersistingStoreInterface
Don't add value of (default/static) objects to the signature
fix(yml): fix comment in milti line value
Make sure trace_level is always defined
Ensure $request->hasSession() is always checked before calling getSession()
Fix bindings and tagged_locator
Recompile container when translations directory changes
* 4.3:
Fix travis script
minor fix for wrong case
[HttpFoundation] Fix `getMaxFilesize`
[Cache] fix warning on PHP 7.4
[Console] fix warning on PHP 7.4
Don't add value of (default/static) objects to the signature
fix(yml): fix comment in milti line value
Make sure trace_level is always defined
Fix bindings and tagged_locator
Recompile container when translations directory changes
* 3.4:
Fix travis script
minor fix for wrong case
[HttpFoundation] Fix `getMaxFilesize`
[Cache] fix warning on PHP 7.4
[Console] fix warning on PHP 7.4
Don't add value of (default/static) objects to the signature
fix(yml): fix comment in milti line value
* 4.4:
[Form][Validator] Generate accept attribute with file constraint and mime types option
[Security/Core] align defaults for sodium with PHP 7.4
fix inline handling when dumping tagged values
[HttpClient] fix canceling responses in a streaming loop
[Messenger] Flatten collection of stamps collected by the traceable middleware
[Messenger][Profiler] Remove cutting caster to dump full objects
[WebProfilerBundle] mark all classes as internal
Decoupling TwigBundle and using the new ErrorRenderer mechanism
[HttpClient] rewind streams created from strings
[PropertyAccess] Fix PropertyAccessorCollectionTest
[HttpClient] rewind stream when using Psr18Client
Typo in web profiler
[4.3] Remove dead test fixtures
[Routing] Fix CHANGELOG
relax some date parser patterns
adapt tests
[Form] Repeat preferred choices in the main list
Avoid getting right to left style
* 4.3:
[Security/Core] align defaults for sodium with PHP 7.4
fix inline handling when dumping tagged values
[HttpClient] fix canceling responses in a streaming loop
[Messenger] Flatten collection of stamps collected by the traceable middleware
[PropertyAccess] Fix PropertyAccessorCollectionTest
[HttpClient] rewind stream when using Psr18Client
Typo in web profiler
[4.3] Remove dead test fixtures
[Routing] Fix CHANGELOG
relax some date parser patterns
Avoid getting right to left style
* 4.4: (22 commits)
[FrameworkBundle] [SecurityBundle] Rename internal WebTestCase to avoid confusion
ignore not existing translator service
[FrameworkBundle] [SecurityBundle] Rename internal WebTestCase to avoid confusion
revert private properties handling
[Lock] Add missing changelog entry for Factory deprecation
[ErrorRenderer] Improving the exception page provided by HtmlErrorRenderer
[HttpFoundation] Fix URLs
[VarDumper] finish PHP 7.4 support and add tests
[VarDumper] Use \ReflectionReference for determining if a key is a reference (php >= 7.4)
Fixed the priority order of the error renderers registration
[Routing] Deprecate ServiceRouterLoader and ObjectRouteLoader in favor of ContainerLoader and ObjectLoader
Ignore missing translation dependency in FrameworkBundle
[Security/Http] Don't mark AbstractAuthenticationListener as internal
Making debug = false by default and cleanup
Remove hack to access class scope inside closures
Remove dead tests fixtures
Remove more dead tests fixtures
[Mailer][DX] Improve exception message for unsupported scheme
[Mime] Add missing changelog entry for BC-break
[Messenger] fix transport_name option not passing validation
...
* 4.3:
[FrameworkBundle] [SecurityBundle] Rename internal WebTestCase to avoid confusion
ignore not existing translator service
[FrameworkBundle] [SecurityBundle] Rename internal WebTestCase to avoid confusion
revert private properties handling
[HttpFoundation] Fix URLs
[VarDumper] finish PHP 7.4 support and add tests
[VarDumper] Use \ReflectionReference for determining if a key is a reference (php >= 7.4)
Ignore missing translation dependency in FrameworkBundle
[Security/Http] Don't mark AbstractAuthenticationListener as internal
Remove dead tests fixtures
Remove more dead tests fixtures
[Mime] Add missing changelog entry for BC-break
[Messenger] fix transport_name option not passing validation
Remove dead tests fixtures
[Debug][ExceptionHandler] Add tests for custom handlers
* 4.2:
[FrameworkBundle] [SecurityBundle] Rename internal WebTestCase to avoid confusion
ignore not existing translator service
[FrameworkBundle] [SecurityBundle] Rename internal WebTestCase to avoid confusion
revert private properties handling
[HttpFoundation] Fix URLs
[VarDumper] finish PHP 7.4 support and add tests
[VarDumper] Use \ReflectionReference for determining if a key is a reference (php >= 7.4)
Ignore missing translation dependency in FrameworkBundle
Remove dead tests fixtures
Remove more dead tests fixtures
Remove dead tests fixtures
[Debug][ExceptionHandler] Add tests for custom handlers
* 4.4:
fixed CS
[Validator] Add a new constraint message when there is both min and max
fixed CS
[Bundles] Rename getPublicPath() as getPublicDir()
Remove experimental notice from components
[LDAP] add new option implemented in php 7.1
Replace missing message parameter
* 4.4: (53 commits)
Fix Twig 1.x compatibility
Deprecating templateExists method
[Translator] Improve farsi(persian) translations for Form
[Validator] Fix Changelog for #31511
[Lock][Console] bump lock requirement in console
[Lock] minor: add missing alias for PersistenStoreInterface
Improve fa translations
Dynamic bundle assets
[Lock] rename and deprecate Factory into LockFactory
[Debug] Restoring back the state of the Debug component (1st step)
Spell "triggering" properly
[Lock] Fix tests
Added tests to cover the possibility of having scalars as services.
fixed CS
[Lock] Split "StoreInterface" into multiple interfaces with less responsability
[VarDumper] Let browsers trigger their own search on double CMD/CTRL + F hit
[Validator] Allow to use property paths to get limits in range constraint
Fix missing deprecations
fixed tests on old PHP versions
[FrameworkBundle] Inform the user when save_path will be ignored
...
* 4.3: (26 commits)
Fix Twig 1.x compatibility
[Translator] Improve farsi(persian) translations for Form
Improve fa translations
Spell "triggering" properly
Added tests to cover the possibility of having scalars as services.
fixed tests on old PHP versions
[FrameworkBundle] Inform the user when save_path will be ignored
fixed CS
[SecurityBundle] Fix profiler dump for non-invokable security listeners
fixed CS
[Messenger] Doctrine Transport: Support setting auto_setup from DSN
[Translator] Load plurals from po files properly
[Serializer]: AbstractObjectNormalizer ignores the property types of discriminated classes
[EventDispatcher] Add tag kernel.rest on 'debug.event_dispatcher' service
[Console] Update to inherit and add licence
Add missing test for workflow dump description
[Intl] Remove --dev from intl compile autoloader
[Messenger] fix publishing headers set on AmqpStamp
Remove call to deprecated method
[Intl] Init compile tmp volume
...
This PR was merged into the 4.4 branch.
Discussion
----------
[SECURITY] AbstractAuthenticationListener.php error instead info. Rebase of #28462
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no I think
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | ...
| License | MIT
Rebase of #28462. Origin description:
> ```
> [2018-09-13 20:43:38] security.INFO: Authentication request failed. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AuthenticationServiceException(code: 0): An exception occurred while executing
> ...
> Doctrine\\DBAL\\Driver\\PDOException(code: 42S22): SQLSTATE[42S22]: Column not found: 1054 Unknown column 't0.phone' in 'field list' at
> ```
>
> Definitely I think this is NOT info, but error.
> And since it's info, it's not logged in production because of `fingers_crossed` with `action_level: error` - so to actually see the real error behind `Authentication request could not be processed due to a system problem.` I had to debug on production. Very bad practice IMHO.
Commits
-------
867eb78cfe [SECURITY] AbstractAuthenticationListener.php error instead info. Rebase of #28462
This PR was merged into the 5.0-dev branch.
Discussion
----------
[Security] Added type-hints to auth providers, tokens and voters
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #32179
| License | MIT
| Doc PR | N/A
This PR adds type declarations to authentication providers, tokens and voters.
Commits
-------
8c46b95ec2 [Security] Added type-hints to auth providers, tokens and voters.
This PR was merged into the 5.0-dev branch.
Discussion
----------
[Security] Added type-hints to password encoders
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #32179
| License | MIT
| Doc PR | N/A
This PR adds type declarations to all implementations of `PasswordEncoderInterface` and `UserPasswordEncoderInterface`.
Commits
-------
d763e63210 [Security] Added type-hints to password encoders.
This PR was merged into the 5.0-dev branch.
Discussion
----------
[CSRF] add more parameter types
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | /no
| Tests pass? | yes
| Fixed tickets | #32179
| License | MIT
| Doc PR | symfony/symfony-docs#...
Those have been missing in #32208
Commits
-------
d442028063 [CSRF] add more parameter types
* 4.4:
[Mailer] fixed tests on Windows
[PhpUnitBridge] fix tests
[Mailer] fixed error message when connecting to a stream raises an error before connect()
[Mailer] fixed timeout type hint
improve error messages in the event dispatcher
[Security/Core] work around sodium_compat issue
bumped Symfony version to 4.3.3
updated VERSION for 4.3.2
updated CHANGELOG for 4.3.2
bumped Symfony version to 4.2.11
updated VERSION for 4.2.10
updated CHANGELOG for 4.2.10
bumped Symfony version to 3.4.30
updated VERSION for 3.4.29
update CONTRIBUTORS for 3.4.29
updated CHANGELOG for 3.4.29
Fixed type annotation.
* 4.3:
[Mailer] fixed tests on Windows
[PhpUnitBridge] fix tests
[Mailer] fixed error message when connecting to a stream raises an error before connect()
[Mailer] fixed timeout type hint
improve error messages in the event dispatcher
[Security/Core] work around sodium_compat issue
bumped Symfony version to 4.3.3
updated VERSION for 4.3.2
updated CHANGELOG for 4.3.2
bumped Symfony version to 4.2.11
updated VERSION for 4.2.10
updated CHANGELOG for 4.2.10
bumped Symfony version to 3.4.30
updated VERSION for 3.4.29
update CONTRIBUTORS for 3.4.29
updated CHANGELOG for 3.4.29
Fixed type annotation.
* 4.2:
[Security/Core] work around sodium_compat issue
bumped Symfony version to 4.2.11
updated VERSION for 4.2.10
updated CHANGELOG for 4.2.10
bumped Symfony version to 3.4.30
updated VERSION for 3.4.29
update CONTRIBUTORS for 3.4.29
updated CHANGELOG for 3.4.29
* 3.4:
[Security/Core] work around sodium_compat issue
bumped Symfony version to 3.4.30
updated VERSION for 3.4.29
update CONTRIBUTORS for 3.4.29
updated CHANGELOG for 3.4.29
* 4.4: (43 commits)
[PhpunitBridge] Read environment variable from superglobals
[Bridge/PhpUnit] Fix PHP5.5 compat
[PhpUnitBridge] More accurate grouping
fixed CS
[Form] remove comment about to-be-removed method as it is used in master by ButtonBuilder
Extract unrecoverable exception to interface
[FrameworkBundle] Fix calling Client::getProfile() before sending a request
Fix type error
[Security/Core] require libsodium >= 1.0.14
[Workflow] re-add workflow.definition tag to workflow services
[Security/Core] Don't use ParagonIE_Sodium_Compat
revert #30525 due to performance penalty
collect called listeners information only once
[Lock] fix missing inherit docs in RedisStore
[Messenger] fix retrying handlers using DoctrineTransactionMiddleware
[Mailgun Mailer] fixed issue when using html body
[Messenger] make all stamps final and mark stamp not meant to be sent
[HttpClient] fix timing measurements with NativeHttpClient
add return type declaration
use proper return types in ErrorHandler and ArgumentResolver
...
* 4.3: (34 commits)
[PhpunitBridge] Read environment variable from superglobals
[Bridge/PhpUnit] Fix PHP5.5 compat
[PhpUnitBridge] More accurate grouping
fixed CS
Extract unrecoverable exception to interface
[FrameworkBundle] Fix calling Client::getProfile() before sending a request
Fix type error
[Security/Core] require libsodium >= 1.0.14
[Workflow] re-add workflow.definition tag to workflow services
[Security/Core] Don't use ParagonIE_Sodium_Compat
revert #30525 due to performance penalty
collect called listeners information only once
[Lock] fix missing inherit docs in RedisStore
[Messenger] fix retrying handlers using DoctrineTransactionMiddleware
[Mailgun Mailer] fixed issue when using html body
[HttpClient] fix timing measurements with NativeHttpClient
[HttpClient] fix dealing with 1xx informational responses
add test to avoid regressions
fix mirroring directory into parent directory
fix typos
...
* 4.2:
[FrameworkBundle] Fix calling Client::getProfile() before sending a request
Fix type error
[Security/Core] Don't use ParagonIE_Sodium_Compat
collect called listeners information only once
add test to avoid regressions
fix typos
Turkish translation added to Form Component
* 3.4:
[FrameworkBundle] Fix calling Client::getProfile() before sending a request
Fix type error
[Security/Core] Don't use ParagonIE_Sodium_Compat
collect called listeners information only once
add test to avoid regressions
fix typos
Turkish translation added to Form Component
This PR was merged into the 5.0-dev branch.
Discussion
----------
[5.0] Add return types in final classes
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes/no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | no
| Fixed tickets | #31981
| License | MIT
| Doc PR | symfony/symfony-docs#...
This is the first step for the issue #31981
I have some questions:
- ~I have not added type for methods with `@inheritdoc` annotation, should I?~
- ~Don't we want to type also functions without `@return` annotation? (still in `final` classes)~
- ~If yes is the answer of the previous one, do we also want the `void` return type?~
- ~I have also added the return type in the `DependencyInjection` PhpDumper, but is it also wanted? (if yes, I will clean a bit the code changed)~
- ~Should we update the documentation's code samples when they display `final` classes?~
Todo:
- [x] Adjust the PR, following the answers of the questions
- [x] Add return type also when there is no `@return`, or with `@inheritdoc`
- [x] [src/Symfony/Component/Debug/ErrorHandler.php#L383](https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Debug/ErrorHandler.php#L383) `@return` annotation is not correct according to the return, investigate and adjust if needed
- [x] [src/Symfony/Component/HttpKernel/ControllerMetadata/ArgumentMetadataFactory.php#L50](https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpKernel/ControllerMetadata/ArgumentMetadataFactory.php#L50) `@return` annotation is not correct according to the return, investigate and adjust if needed
- [x] Do a PR on documentation to add return type on code snippets with final classes => unneeded as they were already typed
Commits
-------
ca5ae1989e Replace @return annotation by return type in final classes
This PR was merged into the 4.4 branch.
Discussion
----------
[Ldap] Add users extraFields in ldap component
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | #28873, #19329
| License | MIT
| Doc PR | todo when validated, before merge
As I'm using LDAP too in some personal project, it seems that this feature is a really good nice-to-have IMHO.
Adding the wanted field in the `user_metadata` array transforms it into field -> value in the `metadata` field of the user.
Commits
-------
bcfff04797 [Ldap] Add users extra_fields in ldap component
* 4.4:
fix order of items in upgrade file
fix translation domain
tag the FileType service as a form type
don't validate IP addresses from env var placeholders
[Validator] Fix GroupSequenceProvider annotation
[Messenger] fix delay exchange recreation after disconnect
Update ajax security cheat sheet link
Fix AuthenticationException::getToken typehint
* 4.3:
fix translation domain
tag the FileType service as a form type
don't validate IP addresses from env var placeholders
[Validator] Fix GroupSequenceProvider annotation
[Messenger] fix delay exchange recreation after disconnect
Update ajax security cheat sheet link
Fix AuthenticationException::getToken typehint
* 4.2:
fix translation domain
tag the FileType service as a form type
[Validator] Fix GroupSequenceProvider annotation
Update ajax security cheat sheet link
Fix AuthenticationException::getToken typehint
* 3.4:
fix translation domain
tag the FileType service as a form type
[Validator] Fix GroupSequenceProvider annotation
Update ajax security cheat sheet link
Fix AuthenticationException::getToken typehint
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Fix AuthenticationException::getToken typehint
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #...
| License | MIT
| Doc PR | symfony/symfony-docs#...
The token may be not set when throwing AuthenticationException.
Commits
-------
a9705a0143 Fix AuthenticationException::getToken typehint
* 4.4:
fixed CS
fixed CS
fixed CS
fixed CS
Do not log or call the proxy function when the locale is the same
Added missing required dependencies on psr/cache and psr/container in symfony/cache-contracts and symfony/service-contracts respectively.
[HttpClient] fix closing debug stream prematurely
[Mailer] made code more robust
Restore compatibility with php 5.5
fixed sender/recipients in SMTP Envelope
collect called listeners information only once
[HttpClient] add HttplugClient for compat with libs that need httplug v1 or v2
[HttpKernel] Remove TestEventDispatcher.
* 4.3:
fixed CS
fixed CS
fixed CS
Do not log or call the proxy function when the locale is the same
Added missing required dependencies on psr/cache and psr/container in symfony/cache-contracts and symfony/service-contracts respectively.
[HttpClient] fix closing debug stream prematurely
[Mailer] made code more robust
Restore compatibility with php 5.5
fixed sender/recipients in SMTP Envelope
collect called listeners information only once
[HttpKernel] Remove TestEventDispatcher.
* 4.4:
[Cache] Fixed undefined variable in ArrayTrait
[HttpClient] revert bad logic around JSON_THROW_ON_ERROR
[HttpKernel] Fix handling non-catchable fatal errors
Fix json-encoding when JSON_THROW_ON_ERROR is used
[HttpFoundation] work around PHP 7.3 bug related to json_encode()
[HttpClient] add $response->cancel()
[Security] added support for updated "distinguished name" format in x509 authentication
* 4.3:
[Cache] Fixed undefined variable in ArrayTrait
[HttpClient] revert bad logic around JSON_THROW_ON_ERROR
[HttpKernel] Fix handling non-catchable fatal errors
Fix json-encoding when JSON_THROW_ON_ERROR is used
[HttpFoundation] work around PHP 7.3 bug related to json_encode()
[HttpClient] add $response->cancel()
[Security] added support for updated "distinguished name" format in x509 authentication
* 4.2:
[HttpKernel] Fix handling non-catchable fatal errors
Fix json-encoding when JSON_THROW_ON_ERROR is used
[HttpFoundation] work around PHP 7.3 bug related to json_encode()
[Security] added support for updated "distinguished name" format in x509 authentication
* 3.4:
Fix json-encoding when JSON_THROW_ON_ERROR is used
[HttpFoundation] work around PHP 7.3 bug related to json_encode()
[Security] added support for updated "distinguished name" format in x509 authentication
* 4.4:
[Console] Add check for Konsole/Yakuake to disable hyperlinks
[HTTP Foundation] Deprecate passing argument to method Request::isMethodSafe()
[HttpClient] work around PHP 7.3 bug related to json_encode()
[VarDumper] fix dumping the cloner itself
Rename the Symfony Mailer service config to avoid conflict with SwitMailer
Set default crypto method - Fix#31105
[Form] add missing symfony/service-contracts dependency
[HttpClient] Don't throw InvalidArgumentException on bad Location header
* 4.4:
Extract Abstract Doctrine Middleware
[Translation] refactor ArrayLoader::flatten
[TwigBundle] mark TemplateIterator as internal
Improved error message on create a form builder with invalid options
[Security] add PasswordEncoderInterface::needsRehash()
[HttpClient] add $response->cancel()
Add clear Entity Manager middleware (closes#29662)
[FrameworkBundle] Add missing BC layer for deprecated ControllerNameParser injections
[Validator] Improve TypeValidator to handle array of types
Add exception as HTML comment to beginning and end of `exception_full.html.twig`
[Validator] Add compared value path to violation parameters
* 4.4:
[Translation] Fixed case sensitivity of lint:xliff command
fix type hint for salt in PasswordEncoderInterface
Add missing deprecations for PHP templating layer
Simplify code - catch \Throwable capture all exceptions
Collect locale details earlier in the process in TranslationDataCollector
fix typo in PR #31802
update italian validator translation
Add missing translations
[Messenger] Deprecate passing a bus locator to ConsumeMessagesCommand constructor
[SecurityBundled] Forbid security-http >= 5.0
[Security][Guard] Forbid security-http >= 5.0
[TwigBridge] suggest Translation Component when TranslationExtension is used
[Monolog] Setup the LoggerProcessor after all other processor
* 4.3:
[Translation] Fixed case sensitivity of lint:xliff command
fix type hint for salt in PasswordEncoderInterface
Simplify code - catch \Throwable capture all exceptions
Collect locale details earlier in the process in TranslationDataCollector
fix typo in PR #31802
update italian validator translation
Add missing translations
[TwigBridge] suggest Translation Component when TranslationExtension is used
* 4.2:
[Translation] Fixed case sensitivity of lint:xliff command
fix type hint for salt in PasswordEncoderInterface
Simplify code - catch \Throwable capture all exceptions
fix typo in PR #31802
update italian validator translation
Add missing translations
* 4.4:
[SecurityBundle][Workflow] Forbid security-core 5.x
[Security\Core] Make SodiumPasswordEncoder validate BCrypt-ed passwords
[MonologBridge] RouteProcessor class is now final to ease the the removal of deprecated event
[Validator] Fix TimezoneValidator default option
[Messenger] Inject RoutableMessageBus instead of bus locator
[DomCrawler] Fix type error with null Form::$currentUri
[Contracts] Fixed typos
[Security][Http] Forbid security-core 5.x
do not enable validator auto mapping by default
[HttpClient] remove unused argument
* 4.3:
[Security\Core] Make SodiumPasswordEncoder validate BCrypt-ed passwords
[Validator] Fix TimezoneValidator default option
[Messenger] Inject RoutableMessageBus instead of bus locator
[DomCrawler] Fix type error with null Form::$currentUri
[Contracts] Fixed typos
do not enable validator auto mapping by default
[HttpClient] remove unused argument
* 4.3:
[github] Implement the new security policy.
[Finder] fix wrong method call casing
Make tempfile path unique
minor: fix phpdocs in the ldap component
[Process] Fix infinite waiting for stopped process
Use absolute URL for when the profiler's domain differs from the controller's domain which initialises the profiler.
fix phpdoc
[DI] fix using bindings with locators of service subscribers
* 4.2:
[github] Implement the new security policy.
[Finder] fix wrong method call casing
Make tempfile path unique
minor: fix phpdocs in the ldap component
[Process] Fix infinite waiting for stopped process
Use absolute URL for when the profiler's domain differs from the controller's domain which initialises the profiler.
fix phpdoc
[DI] fix using bindings with locators of service subscribers
* 3.4:
[github] Implement the new security policy.
[Finder] fix wrong method call casing
Make tempfile path unique
minor: fix phpdocs in the ldap component
[Process] Fix infinite waiting for stopped process
Use absolute URL for when the profiler's domain differs from the controller's domain which initialises the profiler.
fix phpdoc
[DI] fix using bindings with locators of service subscribers
* 4.3: (22 commits)
[Messenger] Fix incorrect error when symfony/serializer is missing
Allow WrappedListener to describe uncallable listeners.
[HttpClient] fix handling exceptions thrown before first mock chunk
[Filesystem] fix wrong method call casing
[HttpClient] fix test
[Translation] Fixed issue with new vs old TranslatorInterface in TranslationDataCollector
Don't reference symfony/security
[HttpClient] display proper error message on TransportException when curl is used
[FrameworkBundle] fix named autowiring aliases for TagAwareCacheInterface
[Cache] improve logged messages
[FrameworkBundle] improve cs
[Mime][HttpFoundation] Added mime type audio/x-hx-aac-adts
bumped Symfony version to 4.3.0
updated VERSION for 4.3.0-BETA2
updated CHANGELOG for 4.3.0-BETA2
[HttpClient] Only use CURLMOPT_MAX_HOST_CONNECTIONS & CURL_VERSION_HTTP2 if defined
[Security] fixed a fatal error when upgrading from 4.2
[HttpClient] Allow arrays as query parameters
Throws UnrecoverableMessageHandlingException when passed invalid entity manager name for Doctrine middlewares
[Messenger] Make redis Connection::get() non blocking by default
...
* 4.2:
[Console] Fix auto-complete for ChoiceQuestion (multi-select answers)
Translated form, security, validators resources into Belarusian (be)
[WebProfilerBundle] Don't filter submitted IP values
[Intl] Cleanup
bumped Symfony version to 4.2.9
updated VERSION for 4.2.8
updated CHANGELOG for 4.2.8
bumped Symfony version to 3.4.28
updated VERSION for 3.4.27
update CONTRIBUTORS for 3.4.27
updated CHANGELOG for 3.4.27
* 3.4:
[Console] Fix auto-complete for ChoiceQuestion (multi-select answers)
Translated form, security, validators resources into Belarusian (be)
[WebProfilerBundle] Don't filter submitted IP values
bumped Symfony version to 3.4.28
updated VERSION for 3.4.27
update CONTRIBUTORS for 3.4.27
updated CHANGELOG for 3.4.27
This PR was merged into the 4.3-dev branch.
Discussion
----------
[Security] Dispatch an event when "logout user on change" steps in
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #26902
| License | MIT
| Doc PR | https://github.com/symfony/symfony-docs/pull/11450
This adds a new event when the user has been changed and has been logged out from the apps; it allows someone to register to this event and do something with either the token or the refreshedUser.
Commits
-------
40e42183b8 [Security] Dispatch an event when "logout user on change" steps in
* 4.2:
[TwigBridge] Require twig ^1.40|^2.9
[Serializer] Fix tests
Use the apply tag instead of the filter tag
Updated some translation files
[Translator] Preserve default domain when extracting strings from php files
* 3.4:
[TwigBridge] Require twig ^1.40|^2.9
[Serializer] Fix tests
Use the apply tag instead of the filter tag
Updated some translation files
[Translator] Preserve default domain when extracting strings from php files
* 4.2:
Fix url matcher edge cases with trailing slash
[Form] Fix author tag + exception messages
[TwigBridge] Fix deprecation on twig 2.9
Fix left-associative ternary deprecation warnings for PHP 7.4
[Validator] Fixed imprecise translations
[Validator] Add Dutch translations
[Security] Cleanup "Digest nonce has expired." translation
Intercept redirections only for HTML format
[PhpUnitBridge] fix reading phpunit.xml on bootstrap
resolve class name parameters
Fix name and phpdoc of ContainerBuilder::removeBindings
[Intl] Update the ICU data to 64.2
This PR was merged into the 4.3-dev branch.
Discussion
----------
[Security] Add NativePasswordEncoder
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
This PR adds a new `NativePasswordEncoder` that defaults to the best available hashing algo to `password_hash()`. Best is determined by "us" or "php", the goal being that this will change in the future as new algos are published.
This provides a native encoder that we should recommend using by default.
Commits
-------
28f7961c55 [Security] Add NativePasswordEncoder
* 4.2:
Revert "bug #30423 [Security] Rework firewall's access denied rule (dimabory)"
[FrameworkBundle] minor: remove a typo from changelog
[VarDumper] fix tests with ICU 64.1
[VarDumper][Ldap] relax some locally failing tests
[Validator] #30192 Added the missing translations for the Tagalog ("tl") locale.
Make MimeTypeExtensionGuesser case insensitive
Fix get session when the request stack is empty
[Routing] fix trailing slash redirection with non-greedy trailing vars
[FrameworkBundle] decorate the ValidatorBuilder's translator with LegacyTranslatorProxy
* 3.4:
Revert "bug #30423 [Security] Rework firewall's access denied rule (dimabory)"
[FrameworkBundle] minor: remove a typo from changelog
[VarDumper][Ldap] relax some locally failing tests
[Validator] #30192 Added the missing translations for the Tagalog ("tl") locale.
Make MimeTypeExtensionGuesser case insensitive
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Add a separator in the remember me cookie hash
Based on #89
Commits
-------
a29ce2817c [Security] Add a separator in the remember me cookie hash
* 4.2:
fixed bad merge
Show more accurate message in profiler when missing stopwatch
CS Fixes: Not double split with one array argument
[Serializer] Add default object class resolver
Remove redundant animation prefixes
Remove redundant `box-sizing` prefixes
[VarExporter] support PHP7.4 __serialize & __unserialize
Rework firewall access denied rule
MetadataAwareNameConverter: Do not assume that property names are strings
[VarExporter] fix exporting classes with private constructors
fixed CS
Fix missing $extraDirs when open_basedir returns
* 3.4:
Show more accurate message in profiler when missing stopwatch
CS Fixes: Not double split with one array argument
Remove redundant animation prefixes
Remove redundant `box-sizing` prefixes
Rework firewall access denied rule
fixed CS
Fix missing $extraDirs when open_basedir returns
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Rework firewall's access denied rule
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | ~~#30099~~, #28229
| License | MIT
| Doc PR |
Follow tickets provided above to reproduce bugs. (there are also some project examples)
~~In addition, I'm looking for someone who knows an answer to [this](https://github.com/symfony/symfony/issues/30099#issuecomment-468693492) regarding rework in this PR.~~
Commits
-------
5790859275 Rework firewall access denied rule
This PR was merged into the 4.3-dev branch.
Discussion
----------
[Security] Add Argon2idPasswordEncoder
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | #28093
| License | MIT
| Doc PR | TODO
Currently we have a `Argon2iPasswordEncoder` that may hash passwords using `argon2id` instead of `argon2i` (platform-dependent) which is not good.
This deprecates producing/validating `argon2id` hashed passwords using the `Argon2iPasswordEncoder`, and adds a `Argon2idPasswordEncoder` able to produce/validate `argon2id` hashed passwords only.
#EUFOSSA
Commits
-------
0c82173b24 [Security] Add Argon2idPasswordEncoder
* 4.2: (45 commits)
[Form] various minor fixes
Ensure the parent process is always killed
bugfix: the terminal state was wrong and not reseted
[Console] Fix inconsistent result for choice questions in non-interactive mode
Define null return type for Constraint::getDefaultOption()
[Routing] Fix: annotation loader ignores method's default values
[HttpKernel] Fix DebugHandlersListener constructor docblock
Skip Glob brace test when GLOB_BRACE is unavailable
bumped Symfony version to 4.2.6
updated VERSION for 4.2.5
updated CHANGELOG for 4.2.5
bumped Symfony version to 3.4.25
updated VERSION for 3.4.24
update CONTRIBUTORS for 3.4.24
updated CHANGELOG for 3.4.24
[EventDispatcher] cleanup
fix testIgnoredAttributesInContext
Re-generate icu 64.1 data
Improve PHPdoc / IDE autocomplete for config tree builder
[Bridge][Twig] DebugCommand - fix escaping and filter
...
Instead of deprecating the interface it is sufficient to deprecate its
getReachableRoles() method and add a new getReachableRoleNames() method
in Symfony 5.
* 4.2:
[Phpunit] fixed support for PHP 5.3
Response prepare method update
[Workflow] Added missing license header
Fix case when multiple loaders are providing paths for the same namespace
Check if Client exists when test.client does not exist, to provide clearer exception message
throw TypeErrors to prepare for type hints in 5.0
[Form] Preventing validation of children if parent with Valid constraint has no validation groups
[Form] Added ResetInterface to CachingFactoryDecorator
Remove deprecated usage
[Tests] fixed compatbility of assertEquals(): void
Fixed usage of TranslatorInterface in form extension (fixes #30591)
[Intl][4.2] Fix test
[Intl] Fix test
[Validator] Add the missing translations for the Arabic (ar) locale
[Intl] Add compile binary
Fix DebugCommand when chain loader is involved
[Form] Fixed some phpdocs
This PR was merged into the 4.3-dev branch.
Discussion
----------
[EventDispatcher] swap arguments of dispatch() to allow registering events by FQCN
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
PR green and ready. From UPGRADE files:
EventDispatcher
---------------
* The signature of the `EventDispatcherInterface::dispatch()` method should be updated to `dispatch($event, string $eventName = null)`, not doing so is deprecated
HttpKernel
----------
* Renamed `FilterControllerArgumentsEvent` to `ControllerArgumentsEvent`
* Renamed `FilterControllerEvent` to `ControllerEvent`
* Renamed `FilterResponseEvent` to `ResponseEvent`
* Renamed `GetResponseEvent` to `RequestEvent`
* Renamed `GetResponseForControllerResultEvent` to `ViewEvent`
* Renamed `GetResponseForExceptionEvent` to `ExceptionEvent`
* Renamed `PostResponseEvent` to `TerminateEvent`
Security
---------
* The `ListenerInterface` is deprecated, turn your listeners into callables instead.
* The `Firewall::handleRequest()` method is deprecated, use `Firewall::callListeners()` instead.
Commits
-------
75369dabb8 [EventDispatcher] swap arguments of dispatch() to allow registering events by FQCN
* 4.2:
Fix Cache error while using anonymous class
[Cache] fix LockRegistry
Update validators.cs.xlf
Make translations consistent with other translations.
Correct language code for ukrainian language in security translations.
Fix return type of Request::getRequestFormat
[Cache] Fix perf when using RedisCluster by reducing roundtrips to the servers
* 3.4:
Make translations consistent with other translations.
Correct language code for ukrainian language in security translations.
Fix return type of Request::getRequestFormat
[Cache] Fix perf when using RedisCluster by reducing roundtrips to the servers
This PR was merged into the 4.3-dev branch.
Discussion
----------
[Security] deprecate the Role and SwitchUserRole classes
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | #20824
| License | MIT
| Doc PR | symfony/symfony-docs#11047
In #20801, we deprecated the `RoleInterface`. The next logical step would be to also deprecate the `Role` class. However, we currently have the `SwitchUserRole` class (a sub-class of `Role`) that acts as an indicator to check whether or not the authenticated user switched to another user.
This PR proposes an alternative solution to the usage of the special `SwitchUserRole` class by storing the original token inside the `UsernamePasswordToken`. This PR is not complete, but rather acts as a proof of concept of how we could get rid of the `Role` and the `SwitchUserRole` classes.
Please share your opinions whether you think this is a valid approach and I will be happy to finalise the PR.
Commits
-------
d7aaa615b9 deprecate the Role and SwitchUserRole classes
* 4.2: (26 commits)
Apply php-cs-fixer rule for array_key_exists()
[Cache] fix warming up cache.system and apcu
[Security] Change FormAuthenticator if condition
handles multi-byte characters in autocomplete
speed up tests running them without debug flag
[Translations] added missing Croatian validators
Fix getItems() performance issue with RedisCluster (php-redis)
[VarDumper] Keep a ref to objects to ensure their handle cannot be reused while cloning
IntegerType: reject submitted non-integer numbers
be keen to newcomers
[HttpKernel] Fix possible infinite loop of exceptions
fixed CS
[Validator] Added missing translations for Afrikaans
do not validate non-submitted form fields in PATCH requests
Update usage example in ArrayInput doc block.
[Console] Prevent ArgvInput::getFirstArgument() from returning an option value
[Validator] Fixed duplicate UUID
fixed CS
[EventDispatcher] Fix unknown priority
Avoid mutating the Finder when building the iterator
...
* 3.4: (24 commits)
Apply php-cs-fixer rule for array_key_exists()
[Security] Change FormAuthenticator if condition
handles multi-byte characters in autocomplete
speed up tests running them without debug flag
[Translations] added missing Croatian validators
Fix getItems() performance issue with RedisCluster (php-redis)
[VarDumper] Keep a ref to objects to ensure their handle cannot be reused while cloning
IntegerType: reject submitted non-integer numbers
be keen to newcomers
[HttpKernel] Fix possible infinite loop of exceptions
fixed CS
[Validator] Added missing translations for Afrikaans
do not validate non-submitted form fields in PATCH requests
Update usage example in ArrayInput doc block.
[Console] Prevent ArgvInput::getFirstArgument() from returning an option value
[Validator] Fixed duplicate UUID
fixed CS
[EventDispatcher] Fix unknown priority
Avoid mutating the Finder when building the iterator
[Validator] Add the missing translations for the Greek (el) locale
...
* 4.2:
[Console] Fix command testing with missing inputs
[Validator] Sync no/nb translation files
[Translation] Added a script to display the status of translations
[Validator] Added missing translations for Norwegian (\"no\") locale #30179
[Security\Guard] bump lowest version of security-core
[TwigBridge] Fix test
Remove unnecessary ProgressBar stdout writes (fixes flickering)
[Validator] improve translations for albanian ("sq") locale
[VarDumper] fix serializing Stub instances
[Validator] Added missing use statement for UnexpectedTypeException
Don't resolve the Deprecation error handler mode until a deprecation is triggered
bug #30245 fix lost namespace in eval (fizzka)
fix lost namespace in eval
[Twig] removed usage of non-namespaced classes
added missing dot
Update validators.lt.xlf
#30172 Add the missing validation translations for the Luxembourgish …
[Debug][ErrorHandler] Preserve next error handler
* 3.4:
[Console] Fix command testing with missing inputs
[Validator] Sync no/nb translation files
[Translation] Added a script to display the status of translations
[Validator] Added missing translations for Norwegian (\"no\") locale #30179
[Security\Guard] bump lowest version of security-core
* 4.2: (25 commits)
Add missing ID_id validators translation
fixed CS
Added missing translations in validators.tr.xlf
Update validators.es.xlf
Update validators.hu.xlf
[Validator] Add the missing translations for the Welsh (cy) locale
[Validator] Add missing DE validator translations
[Validator] Add the missing translations for the Dutch (nl) locale
Add missing PL translation
Add missing translations.
Add missing translations for IT to Validator
minor #30184 [Validator] Add the missing translations for the Russian (ru) locale (antonch1989)
[Validator] Add the missing translations for the Arabic (ar) locale
add_missing_translations_for_portuguese : [Validator] Add the missing translations for the Portuguese ("pt") locale
[Validator] Add the missing translations for the French (fr) locale
[Validator] Add some missing contents to the English translation
use PropertyAccessorInterface instead of PropertyAccessor
Fix KernelTestCase compatibility for PhpUnit 8 (bis)
add xabbuh as code owner of the Form component
[Validator] Added a missing translation
...
* 3.4: (25 commits)
Add missing ID_id validators translation
fixed CS
Added missing translations in validators.tr.xlf
Update validators.es.xlf
Update validators.hu.xlf
[Validator] Add the missing translations for the Welsh (cy) locale
[Validator] Add missing DE validator translations
[Validator] Add the missing translations for the Dutch (nl) locale
Add missing PL translation
Add missing translations.
Add missing translations for IT to Validator
minor #30184 [Validator] Add the missing translations for the Russian (ru) locale (antonch1989)
[Validator] Add the missing translations for the Arabic (ar) locale
add_missing_translations_for_portuguese : [Validator] Add the missing translations for the Portuguese ("pt") locale
[Validator] Add the missing translations for the French (fr) locale
[Validator] Add some missing contents to the English translation
use PropertyAccessorInterface instead of PropertyAccessor
Fix KernelTestCase compatibility for PhpUnit 8 (bis)
add xabbuh as code owner of the Form component
[Validator] Added a missing translation
...
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Declare exceptions that are already thrown by implementations
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #29650
| License | MIT
| Doc PR |
Adding exception declarations for PasswordEncoderInterface. I think it's a matter of opinion whether this change is a BC break. The BC promise doesn't cover such a case; I'd see it as a BC break to add exceptions in general, but in this case it's more of a "documentation" issue, as most implementations of the interface have been throwing those exceptions for years.
Commits
-------
f4cc30b72b Declare exceptions that are already thrown by implementations
* 4.2:
[DI] Fix dumping Doctrine-like service graphs
fix serialization workaround in CustomUserMessageAuthenticationException
PHPUnit Bridge: Rollback to traditional array syntax.
[Form] fix some docblocks and type checks
* 3.4:
[DI] Fix dumping Doctrine-like service graphs
fix serialization workaround in CustomUserMessageAuthenticationException
PHPUnit Bridge: Rollback to traditional array syntax.
[Form] fix some docblocks and type checks
* 4.2:
[Routing] dont redirect routes with greedy trailing vars with no explicit slash
skip native serialize among child and parent serializable objects
[Routing] backport tests from 4.1
[MonologBridge] Remove unused local variable
Remove unreachable code
Add PackageNameTest to ConfigurationTest also add in the changelog the corresponding entry to this PR
Support use of hyphen in asset package name
Fix format strings for deprecation notices
Remove a harmless duplicate array key from VarDumper
[VarDumper] Fixed search bar
Remove gendered pronouns
Replace gender by eye color in tests
[Security] dont do nested calls to serialize()
* 4.1:
[Routing] dont redirect routes with greedy trailing vars with no explicit slash
skip native serialize among child and parent serializable objects
[Routing] backport tests from 4.1
[MonologBridge] Remove unused local variable
Remove unreachable code
Add PackageNameTest to ConfigurationTest also add in the changelog the corresponding entry to this PR
Support use of hyphen in asset package name
Remove gendered pronouns
Replace gender by eye color in tests
[Security] dont do nested calls to serialize()
* 3.4:
skip native serialize among child and parent serializable objects
[Routing] backport tests from 4.1
Add PackageNameTest to ConfigurationTest also add in the changelog the corresponding entry to this PR
Support use of hyphen in asset package name
Remove gendered pronouns
Replace gender by eye color in tests
[Security] dont do nested calls to serialize()
* 4.2:
Bump phpunit bridge cache id
[appveyor] fix create-project phpunit
Fix HttpKernel Debug requirement
Fix heredoc
use final annotation to allow mocking the class
synchronise the form builder docblock
Grammar fix in exception message
fix tests
forward the parse error to the calling code
Avoid dots in generated class names.
[Debug][DebugClassLoader] Match more cases for final, deprecated and internal classes / methods extends
ensure compatibility with older PHPUnit mocks
[Security] Do not mix usage of password_*() functions and sodium_*() ones
* 4.1:
Bump phpunit bridge cache id
[appveyor] fix create-project phpunit
Fix HttpKernel Debug requirement
Fix heredoc
use final annotation to allow mocking the class
synchronise the form builder docblock
Grammar fix in exception message
fix tests
forward the parse error to the calling code
[Debug][DebugClassLoader] Match more cases for final, deprecated and internal classes / methods extends
ensure compatibility with older PHPUnit mocks
[Security] Do not mix usage of password_*() functions and sodium_*() ones
* 3.4:
Bump phpunit bridge cache id
[appveyor] fix create-project phpunit
Fix HttpKernel Debug requirement
Fix heredoc
use final annotation to allow mocking the class
synchronise the form builder docblock
Grammar fix in exception message
fix tests
forward the parse error to the calling code
[Debug][DebugClassLoader] Match more cases for final, deprecated and internal classes / methods extends
ensure compatibility with older PHPUnit mocks
[Security] Do not mix usage of password_*() functions and sodium_*() ones
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Do not mix password_*() API with libsodium one
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | n/a
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Argon2IPasswordEncoder uses native `password_hash()` and `password_verify()` functions if the current PHP installation embeds Argon2 support (>=7.2, compiled `--with-password-argon2`).
Otherwise, it falls back to the libsodium extension.
This was fine at the time the encoder was introduced, but meanwhile libsodium changed the algorithm used by `sodium_crypto_pwhash_str()`, which is now argon2id; that goes outside of the scope of the encoder, which was designed to deal with `argon2i` only.
Nothing we can do as databases may already contain passwords hashed with argon2id, the encoder must keep validating those.
However, the PHP installation may change as time goes by, and could suddenly embed the Argon2 core integration. In this case, the encoder would use the `password_verify()` function which would fail in case the password was not hashed using argon2i.
This PR prevents it by detecting that argon2id was used, avoiding usage of `password_verify()`.
See https://github.com/jedisct1/libsodium-php/issues/194 and https://github.com/symfony/symfony/issues/28093 for references.
Patch cannot be tested as it is platform dependent.
Side note: I'm currently working on a new implementation for 4.3 that will properly support argon2id (which has been added to the PHP core sodium integration in 7.3) and argon2i, distinctively.
Commits
-------
d6cfde94b4 [Security] Do not mix usage of password_*() functions and sodium_*() ones
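The routing decision this PR describes, as an added example that is not Symfony's own code: the hash prefix selects the verification API, an `argon2id` hash is never handed to `password_verify()`, and anything that cannot be verified safely is rejected. The function names `argon2Variant()`, `chooseVerifier()` and `verifyArgon2()` are hypothetical, and the sample strings are constructed prefixes, not real hashes.

```php
<?php
declare(strict_types=1);

// Added illustration; function names are hypothetical, not Symfony API.

/** Reads the Argon2 variant from the hash prefix, or null if it is not Argon2. */
function argon2Variant(string $encoded): ?string
{
    foreach (['argon2id', 'argon2i'] as $variant) {
        if (0 === strpos($encoded, '$'.$variant.'$')) {
            return $variant;
        }
    }

    return null;
}

/**
 * Decides which API may verify $encoded.
 *
 * $nativeArgon2i: password_*() was compiled with Argon2 support.
 * $sodium:        sodium_crypto_pwhash_str_verify() is available.
 */
function chooseVerifier(string $encoded, bool $nativeArgon2i, bool $sodium): string
{
    $variant = argon2Variant($encoded);
    if (null === $variant) {
        return 'reject';
    }

    // Only argon2i hashes go to password_verify(). An argon2id hash was
    // produced by libsodium and stays with libsodium, even after the PHP
    // installation gains native Argon2 support.
    if ('argon2i' === $variant && $nativeArgon2i) {
        return 'password_verify';
    }

    // Fail closed when no suitable backend is installed.
    return $sodium ? 'sodium' : 'reject';
}

/** Verifies $raw against $encoded using the backend chosen above. */
function verifyArgon2(string $encoded, string $raw): bool
{
    $choice = chooseVerifier(
        $encoded,
        \defined('PASSWORD_ARGON2I'),
        \function_exists('sodium_crypto_pwhash_str_verify')
    );

    switch ($choice) {
        case 'password_verify':
            return password_verify($raw, $encoded);
        case 'sodium':
            return sodium_crypto_pwhash_str_verify($encoded, $raw);
        default:
            return false;
    }
}

// Constructed prefixes (not valid hashes), enough to exercise the routing.
$samples = [
    '$argon2i$v=19$m=1024,t=2,p=2$<salt>$<hash>',
    '$argon2id$v=19$m=65536,t=2,p=1$<salt>$<hash>',
    '$2y$13$<not-argon2>',
];

// Each pair is [native Argon2 in password_*(), libsodium available].
foreach ($samples as $sample) {
    foreach ([[true, true], [true, false], [false, true]] as [$native, $sodium]) {
        printf(
            "%-10s native=%d sodium=%d -> %s\n",
            argon2Variant($sample) ?? 'other',
            (int) $native,
            (int) $sodium,
            chooseVerifier($sample, $native, $sodium)
        );
    }
}

// Round trip on this machine, when libsodium is present: shows which
// variant the local sodium_crypto_pwhash_str() actually emits.
if (\function_exists('sodium_crypto_pwhash_str')) {
    $hash = sodium_crypto_pwhash_str(
        'correct horse',
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
    printf("local libsodium emits: %s\n", argon2Variant($hash) ?? 'other');
    var_dump(verifyArgon2($hash, 'correct horse')); // bool(true)
    var_dump(verifyArgon2($hash, 'wrong'));         // bool(false)
}
```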
* 3.4:
fixed CS
fixed short array CS in comments
fixed CS in ExpressionLanguage fixtures
fixed CS in generated files
fixed CS on generated container files
fixed CS on Form PHP templates
fixed CS on YAML fixtures
fixed fixtures
switched array() to []
* 4.2:
update years in license files
Fix: Adjust DocBlock
\"ParserTest->getParserTestData()\" -> only some more tests
access the container getting it from the kernel
Replace slave and master by replica and primary
Fix erasing cookies issue
[Lock] Pedantic improvements for lock
[EventDispatcher] Fixed phpdoc on interface
update year in license files
[VarExporter] fix exporting array indexes
[SecurityBundle] Fix traceable voters
[Console] Fix help text for single command applications
Fix random test failure on lock
improve error message when using test client without the BrowserKit component
Fixed minor typos in an error message
[Event Dispatcher] fixed 29703: TraceableEventDispatcher reset now sets callStack to null with test to dispatch after reset.
Fixed minor typos
Fix: Method can also return null
[Stopwatch] Fixed phpdoc for category name
* 4.1:
Fix: Adjust DocBlock
\"ParserTest->getParserTestData()\" -> only some more tests
access the container getting it from the kernel
[Lock] Pedantic improvements for lock
[EventDispatcher] Fixed phpdoc on interface
update year in license files
[Console] Fix help text for single command applications
Fix random test failure on lock
improve error message when using test client without the BrowserKit component
[Event Dispatcher] fixed 29703: TraceableEventDispatcher reset now sets callStack to null with test to dispatch after reset.
Fixed minor typos
Fix: Method can also return null
[Stopwatch] Fixed phpdoc for category name
* 3.4:
Fix: Adjust DocBlock
\"ParserTest->getParserTestData()\" -> only some more tests
[Lock] Pedantic improvements for lock
[EventDispatcher] Fixed phpdoc on interface
update year in license files
[Console] Fix help text for single command applications
Fix random test failure on lock
improve error message when using test client without the BrowserKit component
[Event Dispatcher] fixed 29703: TraceableEventDispatcher reset now sets callStack to null with test to dispatch after reset.
Fixed minor typos
Fix: Method can also return null
[Stopwatch] Fixed phpdoc for category name
* 4.2:
[Twig] Remove spaces to fix whitespace in tags
[Twig] Replace for-loops with blocks for attributes
fixed CS
[Tests] Change to willThrowException
[Console] fix PHPDoc in Command
Update FileLoaderLoadException.php
Fix wrong calls to clearstatcache
Add Vietnamese translation for validators
Allow running PHPUnit with "xdebug.scream" ON
[VarDumper] Add descriptors tests
[Cache] fix bad optim
[Yaml] detect circular references
[DI] fix reporting bindings on overriden services as unused
[Routing] minor fix or previous PR
* 4.2:
[Routing] fix trailing slash redirections involving a trailing var
[EventDispatcher] Revers event tracing order
[Security] Prefer clone over unserialize(serialize()) for user refreshment
[Console] OutputFormatter: move strtolower to createStyleFromString
Adjust tests to work in the armhf architecture. Fixes #29281.
Vietnamese translations improvement
[Form] Fixed FormErrorIterator class phpdoc
Renamed test controller from Controller to TestController so it doesn't show up in the IDE autocomplete.
Don't use he in docs when its not needed
EventSubscriberInterface isn't a man
Fix undefined variable in cache ArrayTrait
fixed public directory of web server and assets install when configured in composer.json
* 4.1:
[Routing] fix trailing slash redirections involving a trailing var
[EventDispatcher] Revers event tracing order
[Security] Prefer clone over unserialize(serialize()) for user refreshment
[Console] OutputFormatter: move strtolower to createStyleFromString
Adjust tests to work in the armhf architecture. Fixes #29281.
Vietnamese translations improvement
[Form] Fixed FormErrorIterator class phpdoc
Renamed test controller from Controller to TestController so it doesn't show up in the IDE autocomplete.
Don't use he in docs when its not needed
EventSubscriberInterface isn't a man
fixed public directory of web server and assets install when configured in composer.json
* 3.4:
[EventDispatcher] Revers event tracing order
[Security] Prefer clone over unserialize(serialize()) for user refreshment
[Console] OutputFormatter: move strtolower to createStyleFromString
Adjust tests to work in the armhf architecture. Fixes #29281.
Vietnamese translations improvement
[Form] Fixed FormErrorIterator class phpdoc
Renamed test controller from Controller to TestController so it doesn't show up in the IDE autocomplete.
Don't use he in docs when its not needed
EventSubscriberInterface isn't a man
fixed public directory of web server and assets install when configured in composer.json
* 4.2: (27 commits)
[VarExporter] dont call userland code with uninitialized objects
Fix typos in doc blocks
[Debug] ignore underscore vs backslash namespaces in DebugClassLoader
[TwigBridge][Form] Prevent multiple rendering of form collection prototypes
[FrameworkBundle] fix describing routes with no controllers
[DI] move RegisterServiceSubscribersPass before DecoratorServicePass
Update ValidationListener.php
[Yaml] ensures that the mb_internal_encoding is reset to its initial value
[Messenger] Restore message handlers laziness
[WebLink] Fixed documentation link
[Security] getTargetPath of TargetPathTrait must return string or null
[Hackday][Serializer] Deserialization ignores argument type hint from phpdoc for array in constructor argument
Optimize perf by replacing call_user_func with dynamic vars
[Cache] Fix dsn parsing
[Routing] fix dumping same-path routes with placeholders
[WebProfilerBundle][TwigBundle] CSS fixes
Add a docblock for FormFactoryInterface
[Security] defer log message in guard authenticator
[Validator] Added IBAN format for Vatican City State
merge conflicts
...
* 4.1:
Fix typos in doc blocks
[Debug] ignore underscore vs backslash namespaces in DebugClassLoader
[TwigBridge][Form] Prevent multiple rendering of form collection prototypes
[FrameworkBundle] fix describing routes with no controllers
[DI] move RegisterServiceSubscribersPass before DecoratorServicePass
Update ValidationListener.php
[Yaml] ensures that the mb_internal_encoding is reset to its initial value
[WebLink] Fixed documentation link
[Security] getTargetPath of TargetPathTrait must return string or null
[Hackday][Serializer] Deserialization ignores argument type hint from phpdoc for array in constructor argument
Optimize perf by replacing call_user_func with dynamic vars
[Routing] fix dumping same-path routes with placeholders
[Security] defer log message in guard authenticator
[Validator] Added IBAN format for Vatican City State
merge conflicts
filter out invalid Intl values
filter out invalid language values
[Validator] Fixed grouped composite constraints
[Form] Filter arrays out of scalar form types
Fix HeaderBag::get phpdoc
* 3.4:
[Debug] ignore underscore vs backslash namespaces in DebugClassLoader
[TwigBridge][Form] Prevent multiple rendering of form collection prototypes
[FrameworkBundle] fix describing routes with no controllers
[DI] move RegisterServiceSubscribersPass before DecoratorServicePass
Update ValidationListener.php
[Yaml] ensures that the mb_internal_encoding is reset to its initial value
[WebLink] Fixed documentation link
[Security] getTargetPath of TargetPathTrait must return string or null
[Hackday][Serializer] Deserialization ignores argument type hint from phpdoc for array in constructor argument
[Security] defer log message in guard authenticator
merge conflicts
Fix HeaderBag::get phpdoc
This PR was squashed before being merged into the 3.4 branch (closes #29408).
Discussion
----------
[Security] getTargetPath of TargetPathTrait must return string or null
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes (possible bug)
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| License | MIT
Since the return type is string the default return value must be also string.
Commits
-------
8d4b787dd9 [Security] getTargetPath of TargetPathTrait must return string or null
* 4.2:
[Security\Http] detect bad redirect targets using backslashes
[Form] Filter file uploads out of regular form types
Fix CI
minor #28258 [travis] fix composer.lock invalidation for deps=low (nicolas-grekas)
[travis] fix composer.lock invalidation for PRs patching several components
[travis] fix composer.lock invalidation for deps=low
minor #28199 [travis][appveyor] use symfony/flex to accelerate builds (nicolas-grekas)
[travis] ignore ordering when validating composer.lock files for deps=low
minor #28146 [travis] cache composer.lock files for deps=low (nicolas-grekas)
fix ci
[travis] fix requiring mongodb/mongodb before composer up
minor #28114 [travis] merge "same Symfony version" jobs in one (nicolas-grekas)
[2.7] Make CI green
updated VERSION for 2.7.49
updated CHANGELOG for 2.7.49
[HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer
[HttpFoundation] Remove support for legacy and risky HTTP headers
updated VERSION for 2.7.48
update CONTRIBUTORS for 2.7.48
updated CHANGELOG for 2.7.48
* 4.1:
[Security\Http] detect bad redirect targets using backslashes
[Form] Filter file uploads out of regular form types
Fix CI
minor #28258 [travis] fix composer.lock invalidation for deps=low (nicolas-grekas)
[travis] fix composer.lock invalidation for PRs patching several components
[travis] fix composer.lock invalidation for deps=low
minor #28199 [travis][appveyor] use symfony/flex to accelerate builds (nicolas-grekas)
[travis] ignore ordering when validating composer.lock files for deps=low
minor #28146 [travis] cache composer.lock files for deps=low (nicolas-grekas)
fix ci
[travis] fix requiring mongodb/mongodb before composer up
minor #28114 [travis] merge "same Symfony version" jobs in one (nicolas-grekas)
[2.7] Make CI green
updated VERSION for 2.7.49
updated CHANGELOG for 2.7.49
[HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer
[HttpFoundation] Remove support for legacy and risky HTTP headers
updated VERSION for 2.7.48
update CONTRIBUTORS for 2.7.48
updated CHANGELOG for 2.7.48
* 3.4:
[Security\Http] detect bad redirect targets using backslashes
[Form] Filter file uploads out of regular form types
Fix CI
minor #28258 [travis] fix composer.lock invalidation for deps=low (nicolas-grekas)
[travis] fix composer.lock invalidation for PRs patching several components
[travis] fix composer.lock invalidation for deps=low
minor #28199 [travis][appveyor] use symfony/flex to accelerate builds (nicolas-grekas)
[travis] ignore ordering when validating composer.lock files for deps=low
minor #28146 [travis] cache composer.lock files for deps=low (nicolas-grekas)
fix ci
[travis] fix requiring mongodb/mongodb before composer up
minor #28114 [travis] merge "same Symfony version" jobs in one (nicolas-grekas)
[2.7] Make CI green
updated VERSION for 2.7.49
updated CHANGELOG for 2.7.49
[HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer
[HttpFoundation] Remove support for legacy and risky HTTP headers
updated VERSION for 2.7.48
update CONTRIBUTORS for 2.7.48
updated CHANGELOG for 2.7.48
* 2.8:
[Security\Http] detect bad redirect targets using backslashes
[Form] Filter file uploads out of regular form types
Fix CI
minor #28258 [travis] fix composer.lock invalidation for deps=low (nicolas-grekas)
[travis] fix composer.lock invalidation for PRs patching several components
[travis] fix composer.lock invalidation for deps=low
minor #28199 [travis][appveyor] use symfony/flex to accelerate builds (nicolas-grekas)
[travis] ignore ordering when validating composer.lock files for deps=low
minor #28146 [travis] cache composer.lock files for deps=low (nicolas-grekas)
fix ci
[travis] fix requiring mongodb/mongodb before composer up
minor #28114 [travis] merge "same Symfony version" jobs in one (nicolas-grekas)
[2.7] Make CI green
updated VERSION for 2.7.49
updated CHANGELOG for 2.7.49
[HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer
[HttpFoundation] Remove support for legacy and risky HTTP headers
updated VERSION for 2.7.48
update CONTRIBUTORS for 2.7.48
updated CHANGELOG for 2.7.48
* 2.7:
[Security\Http] detect bad redirect targets using backslashes
[Form] Filter file uploads out of regular form types
Fix CI
minor #28258 [travis] fix composer.lock invalidation for deps=low (nicolas-grekas)
[travis] fix composer.lock invalidation for PRs patching several components
[travis] fix composer.lock invalidation for deps=low
minor #28199 [travis][appveyor] use symfony/flex to accelerate builds (nicolas-grekas)
[travis] ignore ordering when validating composer.lock files for deps=low
minor #28146 [travis] cache composer.lock files for deps=low (nicolas-grekas)
fix ci
[travis] fix requiring mongodb/mongodb before composer up
minor #28114 [travis] merge "same Symfony version" jobs in one (nicolas-grekas)
[2.7] Make CI green
updated VERSION for 2.7.49
updated CHANGELOG for 2.7.49
[HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer
[HttpFoundation] Remove support for legacy and risky HTTP headers
updated VERSION for 2.7.48
update CONTRIBUTORS for 2.7.48
updated CHANGELOG for 2.7.48
* 4.1:
[Form] Hardened test suite for empty data
Bump phpunit XSD version to 5.2
[Fwb][EventDispatcher][HttpKernel] Fix getClosureScopeClass usage to describe callables
Add required key attribute
* 3.4:
[Form] Hardened test suite for empty data
Bump phpunit XSD version to 5.2
[Fwb][EventDispatcher][HttpKernel] Fix getClosureScopeClass usage to describe callables
Add required key attribute
Some attributes being used in the phpunit configuration files, namely
failOnRisky and failOnWarning were introduced in phpunit 5.2.0. The
Composer configuration shows that tests should run with old versions of
phpunit, but phpunit only validates the configuration against the XSD
since phpunit 7.2.0.
These changes can be tested as follows:
wget http://schema.phpunit.de/5.2/phpunit.xsd
xargs xmllint --schema phpunit.xsd 1>/dev/null
find src -name phpunit.xml.dist| xargs xmllint --schema phpunit.xsd 1>/dev/null
See 7e06a82806
See 46e3745a03/composer.json (L98)
* 4.1:
SCA: removed unused variables
Remove duplicate condition
fix useless space in docblock
remove unneeded tearDown method
[Intl] Update the ICU data to 63.1
[FrameworkBundle] Fix broken exception message
[Messenger] send using the routing_key for AMQP transport
also clean away the NO_AUTO_CACHE_CONTROL_HEADER if we have no session
[TwigBundle] Fix usage of TwigBundle without FrameworkBundle
Revert "fixed CS"
[Serializer] Reduce class discriminator overhead
Skip empty proxy code
[Security] Fix "exclude-from-classmap"
[Security] Removed unused trait import
[Config] Fix @method annotation
add missing double-quotes to extra_fields output message
[DI] Default undefined env to empty string during compile
Convert InsufficientAuthenticationException to HttpException
The "/Tests/" directory doesn't exist in the Security Component, tests are located within the Security components folders and none of the tests were being excluded in an --classmap-authoritative dump of the autoload.
* 4.1: (27 commits)
Added the Code of Conduct file
do not override custom access decision configs
[Security] Do not deauthenticate user when the first refreshed user has changed
fix a return type hint
invalidate stale commits for PRs too
add missing cache prefix seed attribute to XSD
fix command description
Fix class documentation
[Validator] Add a missing translation
[FrameworkBundle] Fix 3.4 tests
[DI] fix dumping inline services again
Rename consumer to receiver
Register messenger before the profiler
Fix phpdocs
[EventDispatcher] Remove template method in test case
Added LB translation for #27993 (UUID validator message translation)
Replace deprecated validateValue with validate
[FWBundle] Automatically enable PropertyInfo when using Flex
[Process] fix locking of pipe files on Windows
Correct PHPDoc type for float ttl
...
* 3.4: (21 commits)
Added the Code of Conduct file
do not override custom access decision configs
[Security] Do not deauthenticate user when the first refreshed user has changed
invalidate stale commits for PRs too
add missing cache prefix seed attribute to XSD
fix command description
Fix class documentation
[Validator] Add a missing translation
[FrameworkBundle] Fix 3.4 tests
[DI] fix dumping inline services again
Fix phpdocs
[EventDispatcher] Remove template method in test case
Added LB translation for #27993 (UUID validator message translation)
Replace deprecated validateValue with validate
[FWBundle] Automatically enable PropertyInfo when using Flex
[Process] fix locking of pipe files on Windows
Correct PHPDoc type for float ttl
bumped Symfony version to 3.4.18
updated VERSION for 3.4.17
updated CHANGELOG for 3.4.17
...
This PR was squashed before being merged into the 3.4 branch (closes #28072).
Discussion
----------
[Security] Do not deauthenticate user when the first refreshed user has changed
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Currently the token is deauthenticated when the first refreshed user has changed. In theory, a second user provider could find a user that is the same as the user stored in the token.
Also, the deauthentication is currently affected by the order of the user providers in the security.yaml and IMHO it does not make sense.
Commits
-------
95dce67 [Security] Do not deauthenticate user when the first refreshed user has changed
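The provider-order problem described in this PR, as an added model that is not Symfony's code or the patch itself: with two providers that both know the same username, the "before" function's result depends on which provider is listed first, while the "after" function's result does not. The `User` class, the callable providers, the function names and the hash-based `hasChanged()` comparison are all assumptions made for illustration.

```php
<?php
// Model of refreshing a session user across several user providers (PHP 8+).
// Every name below is hypothetical; none of it is Symfony's API.
final class User
{
    public function __construct(public string $name, public string $passwordHash) {}
}

// Assumption: "changed" means the stored password hash no longer matches.
function hasChanged(User $stored, User $fresh): bool
{
    return !hash_equals($stored->passwordHash, $fresh->passwordHash);
}

/** Before: the first provider that knows the user decides alone. */
function refreshFirstDecides(User $stored, array $providers): ?User
{
    foreach ($providers as $provider) {
        $fresh = $provider($stored);
        if (null !== $fresh) {
            return hasChanged($stored, $fresh) ? null : $fresh;
        }
    }
    return null;
}

/** After: deauthenticate (null) only when no provider returns an unchanged user. */
function refreshAnyUnchanged(User $stored, array $providers): ?User
{
    foreach ($providers as $provider) {
        $fresh = $provider($stored);
        if (null !== $fresh && !hasChanged($stored, $fresh)) {
            return $fresh;
        }
    }
    return null;
}

// Constructed data: a provider is a callable returning its copy of the user, or null.
$stored = new User('alice', 'hash-B');
$a = fn (User $u): ?User => new User($u->name, 'hash-A'); // stale or different account
$b = fn (User $u): ?User => new User($u->name, 'hash-B'); // matches the session
foreach ([[$a, $b], [$b, $a]] as $order) {
    var_dump(null !== refreshFirstDecides($stored, $order), null !== refreshAnyUnchanged($stored, $order));
}
```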
* 4.1: (21 commits)
[php_cs] disable fopen_flags
[DI] fix error in dumped container
[CS] Remove unused variables passed to closures
[DI] fix dumping setters before their inlined instances
[CS] Remove empty comment
[CS] Enforces null type hint on last position in phpDocs
[CS] Use combined assignment operators when possible
Fix a typo in error messages
Don't return early as this bypasses the auto exit feature
[Console] Add missing null to input values allowed types
[PHPUnitBridge] Fix microtime() format
bumped Symfony version to 4.1.6
updated VERSION for 4.1.5
updated CHANGELOG for 4.1.5
bumped Symfony version to 3.4.17
updated VERSION for 3.4.16
updated CHANGELOG for 3.4.16
bumped Symfony version to 2.8.47
update CONTRIBUTORS for 2.8.46
updated VERSION for 2.8.46
...
* 3.4:
[php_cs] disable fopen_flags
[DI] fix error in dumped container
[CS] Remove unused variables passed to closures
[DI] fix dumping setters before their inlined instances
[CS] Remove empty comment
[CS] Enforces null type hint on last position in phpDocs
[CS] Use combined assignment operators when possible
Fix a typo in error messages
Don't return early as this bypasses the auto exit feature
[Console] Add missing null to input values allowed types
[PHPUnitBridge] Fix microtime() format
bumped Symfony version to 3.4.17
updated VERSION for 3.4.16
updated CHANGELOG for 3.4.16
bumped Symfony version to 2.8.47
update CONTRIBUTORS for 2.8.46
updated VERSION for 2.8.46
updated CHANGELOG for 2.8.46
* 2.8:
[php_cs] disable fopen_flags
[CS] Remove unused variables passed to closures
[CS] Remove empty comment
[CS] Enforces null type hint on last position in phpDocs
[CS] Use combined assignment operators when possible
Fix a typo in error messages
[Console] Add missing null to input values allowed types
[PHPUnitBridge] Fix microtime() format
bumped Symfony version to 2.8.47
update CONTRIBUTORS for 2.8.46
updated VERSION for 2.8.46
updated CHANGELOG for 2.8.46
* 4.1:
[Console] simplified code
removed useless phpdoc
improve docblocks around group sequences
[Cache] prevent getting older entries when the version key is evicted
[WebProfilerBundle] added a note in the README
[Yaml] Skip parser test with root user
[Filesystem] Skip tests on readable file when run with root user
[FWBundle] Fix an error in WebTestCase::createClient's PHPDoc
[HttpFoundation][Security] forward locale and format to subrequests
[Console] Send the right exit code to console.terminate listeners
[HttpFoundation] fix hiding warnings from session handlers
Caching missed templates on cache warmup
* 3.4:
[Console] simplified code
removed useless phpdoc
improve docblocks around group sequences
[Cache] prevent getting older entries when the version key is evicted
[WebProfilerBundle] added a note in the README
[Yaml] Skip parser test with root user
[Filesystem] Skip tests on readable file when run with root user
[FWBundle] Fix an error in WebTestCase::createClient's PHPDoc
[HttpFoundation][Security] forward locale and format to subrequests
[Console] Send the right exit code to console.terminate listeners
[HttpFoundation] fix hiding warnings from session handlers
Caching missed templates on cache warmup
* 2.8:
improve docblocks around group sequences
[WebProfilerBundle] added a note in the README
[Filesystem] Skip tests on readable file when run with root user
[FWBundle] Fix an error in WebTestCase::createClient's PHPDoc
[HttpFoundation][Security] forward locale and format to subrequests
[Console] Send the right exit code to console.terminate listeners
Caching missed templates on cache warmup
This PR was merged into the 4.2-dev branch.
Discussion
----------
[HttpFoundation] make cookies auto-secure when passing them $secure=null + plan to make it and samesite=lax the defaults in 5.0
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | #26731
| License | MIT
| Doc PR | -
By creating Cookie instances using `null` for the `$secure` argument, this PR allows making cookies inherit their "secure" attribute from the request.
This PR also adds a forward to make $secure=null and samesite=lax the defaults in Symfony 5.0:
- either define all constructor's arguments explicitly
- or use the new `Cookie::create()` factory
Commits
-------
9493cfd5f2 [HttpFoundation] make cookies auto-secure when passing them $secure=null + plan to make it and samesite=lax the defaults in 5.0
* 4.1:
[DI] configure inlined services before injecting them when dumping the container
Consistently throw exceptions on a single line
fix fopen calls
Update .editorconfig
* 3.4:
[DI] configure inlined services before injecting them when dumping the container
Consistently throw exceptions on a single line
fix fopen calls
Update .editorconfig
This PR was merged into the 4.2-dev branch.
Discussion
----------
Mark ExceptionInterfaces throwable #2
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
This has been reverted in beta of 4.1 because of lack of support in prophecy, which has been fixed since then (incl. release). Can be merged again.
References:
https://github.com/symfony/symfony/pull/26702
https://github.com/symfony/symfony/pull/27420
https://github.com/symfony/symfony/issues/27419
https://github.com/phpspec/prophecy/pull/412
ping @dunglas @ciaranmcnulty @dkarlovi @Wirone @teohhanhui @stof @nicolas-grekas @ondrejmirtes
Commits
-------
17c3675226 Mark ExceptionInterfaces throwable
* 4.1:
Use the real image URL for the filesystem tests
[Finder] Update PHPdoc append()
[DI] Fix phpdoc
Fix code examples in PHPDoc
[HttpKernel] Fix inheritdocs
bumped Symfony version to 3.4.16
updated VERSION for 3.4.15
updated CHANGELOG for 3.4.15
* 3.4:
Use the real image URL for the filesystem tests
[Finder] Update PHPdoc append()
[DI] Fix phpdoc
Fix code examples in PHPDoc
[HttpKernel] Fix inheritdocs
bumped Symfony version to 3.4.16
updated VERSION for 3.4.15
updated CHANGELOG for 3.4.15
* 2.8:
Use the real image URL for the filesystem tests
[Finder] Update PHPdoc append()
[DI] Fix phpdoc
Fix code examples in PHPDoc
[HttpKernel] Fix inheritdocs
* 4.1:
fix merge
[travis][appveyor] use symfony/flex to accelerate builds
Add missing stderr redirection
clean up unused code
Remove the HTML5 validation from the profiler URL search form
[Filesystem] Add test to prevent regression when using array|resource with dumpFile
Add help texts for checkboxes in horizontal bootstrap 4 forms
[Security] Call AccessListener after LogoutListener