This PR was merged into the 2.8 branch.
Discussion
----------
[Security][Guard] Check whether $this->logger is not null on GuardAuthenticationListener
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #16415
| License | MIT
| Doc PR |
Commits
-------
ebc751d Write the log message on a single line againn
713b99f Check whether $this->logger is not null on GuardAuthenticationListener
* 2.8:
[Security] Clean deps
[Security][2.7] Clean deps
[HttpKernel] Fix time-sensitive test case
[travis] Fail early when an invalid composer.json is found
Conflicts:
src/Symfony/Component/Security/Core/composer.json
src/Symfony/Component/Security/composer.json
* 2.7:
[Security][2.7] Clean deps
[HttpKernel] Fix time-sensitive test case
[travis] Fail early when an invalid composer.json is found
Conflicts:
src/Symfony/Component/Security/Core/composer.json
src/Symfony/Component/Security/composer.json
* 2.8:
removed @covers annotations in tests
removed @covers annotations in tests
removed all @covers annotations
checkCredentials() force it to be an affirmative yes!
[PropertyAccess] Major performance improvement
This PR was merged into the 2.3 branch.
Discussion
----------
removed all @covers annotations
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Some unit tests have a `@covers` PHPUnit annotations. Most of them were added a very long time ago, but since then, we did not use them anymore and the existing ones are not maintained (see #16413). So, I propose to remove them all.
Commits
-------
1e0af36 removed all @covers annotations
This PR was squashed before being merged into the 2.8 branch (closes#16395).
Discussion
----------
checkCredentials() force it to be an affirmative yes!
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no (because 2.8 isn't released)
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
This changes `GuardAuthenticatorInterface::checkCredentials()`: you now *must* return true in order for authentication to pass.
Before: You could do nothing (i.e. return null) and authentication would pass. You threw an AuthenticationException to cause a failure.
New: You *must* return `true` for authentication to pass. If you do nothing, we will throw a `BadCredentialsException` on your behalf. You can still throw your own exception.
This was a suggestion at symfony_live to make things more secure. I think it makes sense.
Commits
-------
14acadd checkCredentials() force it to be an affirmative yes!
* 2.8:
added the new Composer exclude-from-classmap option
added the new Composer exclude-from-classmap option
fix docblock description for the build() method
fix expected argument type docblock
Set back libxml settings after testings.
fixed Twig deprecation notices
* 2.7:
added the new Composer exclude-from-classmap option
added the new Composer exclude-from-classmap option
fix expected argument type docblock
Set back libxml settings after testings.
fixed Twig deprecation notices
* 2.3:
added the new Composer exclude-from-classmap option
fix expected argument type docblock
Set back libxml settings after testings.
fixed Twig deprecation notices
This PR was merged into the 2.3 branch.
Discussion
----------
added the new Composer exclude-from-classmap option
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Commits
-------
65bef75 added the new Composer exclude-from-classmap option
This PR was merged into the 3.0-dev branch.
Discussion
----------
remove polyfills for unsupported php versions
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Remove obsolete polyfills in master as introduced in #16317
Commits
-------
78512cc remove polyfills for unsupported php versions
* 2.7:
added missing quotes in YAML files
[HttpKernel] Add `@group time-sensitive` on some transient tests
[DoctrineBridge] Fix issue which prevent the profiler to explain a query
Use mb_detect_encoding with $strict = true
don't allow to install the split Security packages
bumped Symfony version to 2.3.35
updated VERSION for 2.3.34
update CONTRIBUTORS for 2.3.34
updated CHANGELOG for 2.3.34
* 2.3:
added missing quotes in YAML files
[HttpKernel] Add `@group time-sensitive` on some transient tests
[DoctrineBridge] Fix issue which prevent the profiler to explain a query
Use mb_detect_encoding with $strict = true
don't allow to install the split Security packages
bumped Symfony version to 2.3.35
updated VERSION for 2.3.34
update CONTRIBUTORS for 2.3.34
updated CHANGELOG for 2.3.34
This PR was merged into the 2.3 branch.
Discussion
----------
[Security] don't allow to install the split Security packages
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #16134
| License | MIT
| Doc PR |
Currently, you would be able to install the Security component fromm
Symfony 2.3 together with one of the split packages from a higher
Symfony vesion like this:
```json
{
"require": {
"symfony/symfony": "2.3.*",
"symfony/security-core": "~2.7"
}
}
```
However, you will end up with classes being present twice.
This must be reverted after merging up in the `2.7` branch.
Commits
-------
0d14064 don't allow to install the split Security packages
Currently, you would be able to install the Security component fromm
Symfony 2.3 together with one of the split packages from a higher
Symfony vesion like this:
```json
{
"require": {
"symfony/symfony": "2.3.*",
"symfony/security-core": "~2.7"
}
}
```
However, you will end up with classes being present twice.
This must be reverted after merging up in the `2.7` branch.
* 2.8:
Fix the FrameworkBundle dependencies
[DoctrineBridge] Fix required guess of boolean fields
[DI] don't use array_map to resolve services
Remove dead code in the PropertyPath constructor
[EventDispatcher] fix docblock
[Process] Inherit env vars by default in PhpProcess
Changed one console output style to avoid visual issues
[VarDumper] Fix return type and anonymous classes dumping
[FrameworkBundle] PropertyInfo support
[HttpFoundation] Fixes /0 subnet handling in IpUtils
[Form] Simplify DateTimeToStringTransformer Avoid unneeded catch and re-throw of the same exception.
[Minor] [Serializer] Removed second license header
[TwigBundle] added a Twig templates warmer when templating is disabled
[HttpKernel] Remove a duplicate test for the EsiFragmentRenderer
[Templating] deprecate low-level RouterHelper::generate method as it's cumbersome to use constants in templates
[Templating] introduce path and url methods in php templates to be in line with twig templates
[Routing] deprecate the old url generator reference type values
[Routing] use constant in a test that is new in 2.7
[FrameworkBundle] Add a new ClassCache cache warmer
[Validator] Add expressionLanguage to ExpressionValidator constructor
Conflicts:
src/Symfony/Bundle/FrameworkBundle/Resources/config/services.xml
src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
src/Symfony/Bundle/FrameworkBundle/composer.json
src/Symfony/Component/BrowserKit/composer.json
src/Symfony/Component/ClassLoader/ClassCollectionLoader.php
src/Symfony/Component/EventDispatcher/EventDispatcher.php
* 2.8:
[Routing] use constants in tests
[Process] tweaked README
[TwigBundle] Fix Twig cache is not properly warmed
[Validator] Allow an empty path in a URL with only a fragment or a query
[Security] Use SessionAuthenticationStrategy on RememberMe login
[HttpFoundation] Fix some typo in the Request doc
fixed CS
Added separated handling of root paths
* 2.7:
[Routing] use constants in tests
[Process] tweaked README
[Validator] Allow an empty path in a URL with only a fragment or a query
[HttpFoundation] Fix some typo in the Request doc
fixed CS
Added separated handling of root paths
* 2.3:
[Routing] use constants in tests
[Validator] Allow an empty path in a URL with only a fragment or a query
[HttpFoundation] Fix some typo in the Request doc
fixed CS
Added separated handling of root paths
* 2.8:
Added UserLoaderInterface for loading users through Doctrine.
Fix the detection of the deprecated usage of the ValidationListener
Use entry_type instead of type
[Form] Fix missing notice for deprecated `type`
[DI] Autowiring: w/a https://bugs.php.net/62715
* 2.8:
[PhpUnit] Auto-register SymfonyTestsListener
[phpunit] Upgrade when a change is detected and when install subcommand is used
[Filesystem] Fix test on Windows
Fix merge
[HttpFoundation] Extend ClockMock to session storage tests
[Process] Don't use @requires on abstract class
[VarDumper] Fix wordwrap with Bootstrap
Fix the BC layer for the key->secret renaming for remember_me
Fix potential access to undefined index
Conflicts:
src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php
src/Symfony/Component/HttpFoundation/Tests/Session/Storage/Handler/LegacyPdoSessionHandlerTest.php
src/Symfony/Component/Locale/phpunit.xml.dist
This PR was merged into the 2.7 branch.
Discussion
----------
[2.7][tests] Use @requires annotation when possible
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Commits
-------
b028aea [tests] Use @requires annotation when possible
* 2.8: (21 commits)
[Security][bugfix] "Remember me" cookie cleared on logout with custom "secure"/"httponly" config options [1]
[ci] Use current PHP_BINARY when running ./phpunit
Fixed typos
[UPGRADE-3.0] fix bullet indentation
Throw exception if tempnam returns false in ProcessPipes
[DomCrawler] Deprecated using /_root/ in XPath expressions
Pass missing request template variables
Simplify AbstractVoter
[Form] add missing deprecation triggers
Throw exception if tempnam returns false
Fix PropertyAccessor modifying array in object when array key does not exist
[DependencyInjection] Add autowiring capabilities
Fixing typo in variable name
Add a few additional tests for the Crawler
[Form] remove obsolete deprecation comments
Updated the style of the event commands
[Debug] Deprecate providing $fileLinkFormat as second argument
[Form] minor CS fix
Updated PHPDoc of the AbstractVoter class
[Security] InMemoryUserProvider now concerns whether user's password is changed when refreshing
...
* 2.7:
[Security][bugfix] "Remember me" cookie cleared on logout with custom "secure"/"httponly" config options [1]
[ci] Use current PHP_BINARY when running ./phpunit
Fixed typos
[UPGRADE-3.0] fix bullet indentation
Fix PropertyAccessor modifying array in object when array key does not exist
[Security] InMemoryUserProvider now concerns whether user's password is changed when refreshing
* 2.3:
[Security][bugfix] "Remember me" cookie cleared on logout with custom "secure"/"httponly" config options [1]
[ci] Use current PHP_BINARY when running ./phpunit
Fixed typos
[UPGRADE-3.0] fix bullet indentation
[Security] InMemoryUserProvider now concerns whether user's password is changed when refreshing
This PR was squashed before being merged into the 2.3 branch (closes#14842).
Discussion
----------
[Security][bugfix] "Remember me" cookie cleared on logout with custom "secure"/"httponly" config options [1]
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #14822
| License | MIT
| Doc PR | ~
* test now always pass "secure" and "httponly" options, as they are required
* could be considered BC, but [`RememberMeFactory` passes them](https://github.com/symfony/symfony/blob/2.3/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php#L21), so they should've always been treated as required
* I can squash the commits before merging
* Alternative solution: #14843
Commits
-------
18b1c6a [Security][bugfix] "Remember me" cookie cleared on logout with custom "secure"/"httponly" config options [1]
This PR was merged into the 2.3 branch.
Discussion
----------
[Security] InMemoryUserProvider now concerns whether user's password is changed when refreshing
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
When a user has changed own password, I want to logout any sessions which is authenticated by its user except changer itself.
[DaoAuthenticationManager::checkAuthentication()](https://github.com/symfony/symfony/blob/2.3/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php#L59) method seems to concern about it.
But, this situation actually never happens because both users that will be passed to this method are always identical in re-authentication.
It's because the token refreshes own user via [ContextListener](https://github.com/symfony/symfony/blob/2.3/src/Symfony/Component/Security/Http/Firewall/ContextListener.php#L90) before re-authentication.
Commits
-------
729902a [Security] InMemoryUserProvider now concerns whether user's password is changed when refreshing
This PR was merged into the 2.8 branch.
Discussion
----------
Simplify AbstractVoter
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no, just simplification
| BC breaks? | no, because 2.8 is not yet released
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Commits
-------
93de659 Simplify AbstractVoter
* 2.8:
Updated the stlyes of the YAML commands
[Security] Configuring a user checker per firewall
[PropertyInfo] Test behavior when an extractor return null.
This PR was squashed before being merged into the 2.8 branch (closes#14721).
Discussion
----------
[Security] Configuring a user checker per firewall
_Changed my base branch to avoid issues, closed old PR_
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed ticket | #11090 and helps #14673
| License | MIT
| Doc PR | symfony/symfony-docs/pull/5530
This pull request adds support for a configurable user checker per firewall. An example could be:
```yml
services:
app.user_checker:
class: App\Security\UserChecker
arguments:
- "@request_stack"
security:
firewalls:
secured_area:
pattern: ^/
anonymous: ~
basic_auth: ~
user_checker: app.user_checker
```
The above example will use the `UserChecker` defined as `app.user_checker`. If the `user_checker` option is left empty, `security.user_checker` will be used. If the `user_checkers` option is not defined, it will fall back to the original behavior to not break backwards compatibility and will validate using the existing `UserChecker`: `security.user_checker`.
I left the default argument in the service definitions to be `security.user_checker` to include backwards compatibility for people who for some reason don't have the extension executed. You can obtain the checker for a specific firewall by appending the firewall name to it. For the firewall `secured_area`, this would be `security.user_checker.secured_area`.
Commits
-------
76bc662 [Security] Configuring a user checker per firewall
This PR was merged into the 3.0-dev branch.
Discussion
----------
[3.0][Security] Remove deprecated features (follow up of #15899)
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | yes
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #15899
| License | MIT
| Doc PR | -
- updated UPGRADE-3.0.md
- removed unused `supportsClass` methods
- changed visibility of `supportsAttribute` methods from public to private, removed `inheritdoc` annotation from them because there is no definition for this methods in parent interface
- removed tests for `supportsClass` and `supportsAttribute` method
- removed unused mock creation
Commits
-------
437398d [3.0][Security] Remove deprecated features (follow up of #15899)
This PR was merged into the 3.0-dev branch.
Discussion
----------
[HttpFoundation] removed the ParameterBag::get() deep argument
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Commits
-------
317f7b4 [HttpFoundation] removed the ParameterBag::get() deep argument
* 2.8:
add dependency required by a replaced package
Add a way to group toolbar info pieces
Added general sf-toolbar-block-right class
Bind input before executing the COMMAND event
Since #16007, the Security HTTP component requires the PropertyAccess
component to access nested parameter bag values. Since the Security
component replaces the Security HTTP component, all dependencies of the
replaced packages must be mirrored here.
* 2.8:
Remove profiler storages
deprecate finding deep items in request parameters
[CssSelector] updated README
[CssSelector] remove ConverterInterface
[DependencyInjection] improved a comment for reading fluency
[HttpKernel] change a class in tests to avoid depending on SQLite
[FrameworkBundle] Fix tests
[Bridge\Twig] Fix form lowest version
[ci] Display fastest results first when running tests in parallel
[Yaml] Improve newline handling in folded scalar blocks
* The `LegacyAbstractVoterTest` class is not needed anymore, tests have
been moved to the `AbstractVoterTest` class tagging them with the
legacy group.
* Tests are applied on `stdClass` object instances. Thus, the legacy
voter fixture class must not support `AbstractVoterTest_Object`
instances, but support `stdClass` objects instead.
* 2.8:
[Finder] simplified code
Fix tests in 2.8
[Validator] Sync polish translation file
Adding a class to make it easier to set custom authentication error messages
Readd the correct tests
"Fiş" is a correct translation for "token", however "bilet" is also used, I fixed that inconsistency. Moreover, "kimlik bilgileri" is a better translation for "credentials" than "girdiler". "Girdiler" is the translation of "inputs", so I fixed sentences with "credentials". "Hesap engellenmiş" is better than "Hesap devre dışı bırakılmış" for "Account is disabled.". "Digest nonce has expired" can be translated better as "Derleme zaman aşımına uğradı." because "Derleme zaman aşımı gerçekleşti" has a confirmation sense like user requested it to expire and it has expired.
References:
token: http://tureng.com/search/token (3rd entry)
credentials: http://www2.zargan.com/tr/q/credentials-ceviri-nedir (1st entry)
disable: http://tureng.com/search/disable (15th entry)
This PR was merged into the 2.8 branch.
Discussion
----------
Easier Custom Authentication errors
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | not yet
This makes failing authentication with a custom message much easier:
```php
throw CustomAuthenticationException::createWithSafeMessage(
'That was a ridiculous username'
);
// or
$e = new CustomAuthenticationException();
$e->setSafeMessage('That was a ridiculous username');
throw $e;
```
Currently, to do this, you'd need to create a new sub-class of `AuthenticationException`, which is way more work than it needs to be. The original design was so that all messages exposed are safe, which is why I've named the methods like I have.
Thanks!
Commits
-------
d7c1463 Adding a class to make it easier to set custom authentication error messages
This PR was merged into the 2.7 branch.
Discussion
----------
[Security] Improve AbstractVoter tests
Applying the improved tests from https://github.com/symfony/symfony/pull/15932 into the oldest possible branch.
Merge conflicts from 2.7 into 2.8 caused by this PR do not need to be done carefully, I'll create a new PR for 2.8 updating the tests as soon as these changes are merged up.
| Q | A
| ------------- | ---
| Fixed tickets | -
| License | MIT
Commits
-------
5ff741d Readd the correct tests
* 2.8: (28 commits)
Detect Mintty for color support on Windows
Detect Mintty for color support on Windows
[WebProfilerBundle] Fix search button click listener
[Form][Type Date/Time] added choice_translation_domain option.
Massively simplifying the BC and deprecated-throwing code thanks to suggestions by stof in #15870
Making all "debug" messages use the debug router
Making GuardTokenInterface extend TokenInterface
Updating behavior to not continue after an authenticator has set the response
Add a group for tests of the finder against the FTP server
Fix trigger_error calls
Fix legacy security tests
tweaking message related to configuration edge case that we want to be helpful with
Minor tweaks - lowering the required security-http requirement and nulling out a test field
Fix license headers
Fix license headers
Fix license headers
Ensure the ClockMock is loaded before using it in the testsuite
Allow serializer 3.0 in the PropertyInfo component
Add the replace rules for the security-guard component
Forbid serializing a Crawler
...
* 2.7:
Detect Mintty for color support on Windows
Detect Mintty for color support on Windows
Add a group for tests of the finder against the FTP server
Fix license headers
Forbid serializing a Crawler
Fix phpdoc block of NativeSessionStorage class
Added exception when setAutoInitialize is called when locked
[FrameworkBundle] Advanced search templates of bundles
[Security] Allow user providers to be defined in many files
Use random_bytes function if it is available for random number generation
* 2.3:
Detect Mintty for color support on Windows
Add a group for tests of the finder against the FTP server
Fix license headers
Forbid serializing a Crawler
Fix phpdoc block of NativeSessionStorage class
Added exception when setAutoInitialize is called when locked
[FrameworkBundle] Advanced search templates of bundles
[Security] Allow user providers to be defined in many files
Use random_bytes function if it is available for random number generation
This PR was merged into the 2.8 branch.
Discussion
----------
Updating behavior to not continue after an authenticator has set the response
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/pull/14673/files#r40492765
| License | MIT
| Doc PR | n/a
This mirrors the behavior in core: *if* a listener sets a response (on success or failure),
then the other listeners are not called. But if a response is *not* set
(which is sometimes the case for success, like in BasicAuthenticationListener),
then the other listeners are called, and can even fail.
It's all a bit of an edge-case, as only one authenticator (like authentication listener) would normally be doing any work on a request, but I think matching the other listeners (since I'm not aware of anyone having issues with its behavior) is best.
Commits
-------
5fa2684 Making all "debug" messages use the debug router
f403444 Updating behavior to not continue after an authenticator has set the response
This PR was merged into the 2.8 branch.
Discussion
----------
Abstract voter tweaks
| Q | A
| ------------- | ---
| Bug fix? | yes (a little)
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Based on suggestions from stof in #15870, this simplifies the BC and deprecation throwing code. This also adds a BadMethodCallException in case the user doesn't override `isGranted` *or* `voteOnAttribute`, because that's just plain wrong (as is calling `isGranted()` on the parent class directly, since that was formerly abstract).
Commits
-------
c03f5c2 Massively simplifying the BC and deprecated-throwing code thanks to suggestions by stof in #15870
This PR was merged into the 2.8 branch.
Discussion
----------
Making GuardTokenInterface extend TokenInterface
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #15884
| License | MIT
| Doc PR | n/a
See #15884
Commits
-------
7f04fbb Making GuardTokenInterface extend TokenInterface
This PR was merged into the 2.8 branch.
Discussion
----------
Guard minor tweaks
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Various completely minor things, most from suggestions on #14673
Commits
-------
869d5a7 tweaking message related to configuration edge case that we want to be helpful with
da4758a Minor tweaks - lowering the required security-http requirement and nulling out a test field
This PR was merged into the 2.8 branch.
Discussion
----------
Add the replace rules for the security-guard component
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
The update of composer replacements was forgotten in #14673
Commits
-------
5ef8abc Add the replace rules for the security-guard component
This PR was merged into the 2.8 branch.
Discussion
----------
Fix legacy security tests
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
when merging legacy test classes together in #15893, use statements where not copied, making the tests fail.
Commits
-------
8b615bb Fix legacy security tests
This mirrors the behavior in core: *if* a listener sets a response (on success or failure),
then the other listeners are not called. But if a response is *not* set
(which is sometimes the case for success, like in BasicAuthenticationListener),
then the other listeners are called, and can even fail.
This PR was merged into the 2.8 branch.
Discussion
----------
Merged LegacySecurityContext tests
I've no idea why this test was introduced in the wrong namespace in 2.8, but I merged it in the correct test case now.
Commits
-------
2c4da3c Merged LegacySecurityContext tests
* 2.8: (23 commits)
[Validator] added BIC (SWIFT-BIC) validation constraint
[TwigBridge] Foundation form layout integration
[Security] Deprecated supportsAttribute and supportsClass methods
bumped Symfony version to 2.7.6
updated VERSION for 2.7.5
updated CHANGELOG for 2.7.5
bumped Symfony version to 2.3.34
updated VERSION for 2.3.33
update CONTRIBUTORS for 2.3.33
updated CHANGELOG for 2.3.33
[Console] Fix transient HHVM test
[OptionsResolver] Fix catched exception along the dependency tree mistakenly detects cyclic dependencies
fixed tests
[DI] Support deprecated definitions in decorators
[DI] Allow to change the deprecation message in Definition
[DI] Trigger a deprecated error on the container builder
[DI] Dump the deprecated status
[DI] Supports the deprecated tag in loaders
[DI] Add a deprecated status to definitions
Fixing test locations
...
This PR was squashed before being merged into the 2.8 branch (closes#15151).
Discussion
----------
[Security] Deprecated supportsAttribute and supportsClass methods
These methods aren't used at all in a Symfony application and don't make sense to use in the application. They are only used internally in the voters. This means the voter interface can be made much easier.
I'm not sure how we do these deprecations, should we remove the methods from the interface now already? Also, I don't think it's possible to trigger deprecation notices for the voter methods?
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | one of #11742
| License | MIT
| Doc PR | -
Abstract Voter
---
There is one remaining question about the abstract voter. This currently has abstract `getSupportedAttributes()` and `getSupportedClass()` methods. One of the reasons to remove the methods for the interface was that these methods are not flexible. Does it make sense to deprecate these methods as well and replace them by an abstract `protected vote(array $attributes, $class)` method in the `AbstractVoter` (which is called from `AbstractVoter#vote()`) ?
Commits
-------
6588708 [Security] Deprecated supportsAttribute and supportsClass methods
* 2.7:
[Console] Fix transient HHVM test
[OptionsResolver] Fix catched exception along the dependency tree mistakenly detects cyclic dependencies
fixed tests
Fixing test locations
[VarDumper] Fix dump comparison on large arrays
[expression-language] Code Cleanup for GetAttrNode
* 2.8: (29 commits)
Updating AbstractVoter so that the method receives the TokenInterface
Adding the necessary files so that Guard can be its own installable component
Fix syntax in a test
Normalize the way we check versions
Avoid errors when generating the logout URL when there is no firewall key
Removing unnecessary override
fabbot
Adding a new exception and throwing it when the User changes
Fixing a bug where having an authentication failure would log you out.
Tweaks thanks to Wouter
Adding logging on this step and switching the order - not for any huge reason
Adding a base class to assist with form login authentication
Allowing for other authenticators to be checked
meaningless author and license changes
Adding missing factory registration
Thanks again fabbot!
A few more changes thanks to @iltar
Splitting the getting of the user and checking credentials into two steps
Tweaking docblock on interface thanks to @iltar
Adding periods at the end of exceptions, and changing one class name to LogicException thanks to @iltar
...
Conflicts:
UPGRADE-2.8.md
src/Symfony/Bridge/Twig/Tests/Node/DumpNodeTest.php
src/Symfony/Bundle/FrameworkBundle/Command/ServerCommand.php
src/Symfony/Component/Validator/Tests/Constraints/AbstractComparisonValidatorTestCase.php
src/Symfony/Component/Validator/Tests/Constraints/IdenticalToValidatorTest.php
src/Symfony/Component/Validator/Tests/Constraints/RangeValidatorTest.php
This PR was merged into the 2.8 branch.
Discussion
----------
New Guard Authentication System (e.g. putting the joy back into security)
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | at least partially: #14300, #11158, #11451, #10035, #10463, #8606, probably more
| License | MIT
| Doc PR | symfony/symfony-docs#5265
Hi guys!
Though it got much easier in 2.4 with `pre_auth`, authentication is a pain in Symfony. This introduces a new authentication provider called guard, with one goal in mind: put everything you need for *any* authentication system into one spot.
### How it works
With guard, you can perform custom authentication just by implementing the [GuardAuthenticatorInterface](https://github.com/weaverryan/symfony/blob/guard/src/Symfony/Component/Security/Guard/GuardAuthenticatorInterface.php) and registering it as a service. It has methods for every part of a custom authentication flow I can think of.
For a working example, see https://github.com/weaverryan/symfony-demo/tree/guard-auth. This uses 2 authenticators simultaneously, creating a system that handles [form login](https://github.com/weaverryan/symfony-demo/blob/guard-auth/src/AppBundle/Security/FormLoginAuthenticator.php) and [api token auth](https://github.com/weaverryan/symfony-demo/blob/guard-auth/src/AppBundle/Security/TokenAuthenticator.php) with a respectable amount of code. The [security.yml](https://github.com/weaverryan/symfony-demo/blob/guard-auth/app/config/security.yml) is also quite simple.
This also supports "manual login" without jumping through hoops: https://github.com/weaverryan/symfony-demo/blob/guard-auth/src/AppBundle/Controller/SecurityController.php#L45
I've also tested with "remember me" and "switch user" - no problems with either.
I hope you like it :).
### What's Needed
1) **Other Use-Cases?**: Please think about the code and try it. What use-cases are we *not* covering? I want Guard to be simple, but cover the 99.9% use-cases.
2) **Remember me** functionality cannot be triggered via manual login. That's true now, and it's not fixed, and it's tricky.
### Deprecations?
This is a new feature, so no deprecations. But, creating a login form with a guard authenticator is a whole heck of a lot easier to understand than `form_login` or even `simple_form`. In a perfect world, we'd either deprecate those or make them use "guard" internally so that we have just **one** way of performing authentication.
Thanks!
Commits
-------
a01ed35 Adding the necessary files so that Guard can be its own installable component
d763134 Removing unnecessary override
e353833 fabbot
dd485f4 Adding a new exception and throwing it when the User changes
302235e Fixing a bug where having an authentication failure would log you out.
396a162 Tweaks thanks to Wouter
c9d9430 Adding logging on this step and switching the order - not for any huge reason
31f9cae Adding a base class to assist with form login authentication
0501761 Allowing for other authenticators to be checked
293c8a1 meaningless author and license changes
81432f9 Adding missing factory registration
7a94994 Thanks again fabbot!
7de05be A few more changes thanks to @iltar
ffdbc66 Splitting the getting of the user and checking credentials into two steps
6edb9e1 Tweaking docblock on interface thanks to @iltar
d693721 Adding periods at the end of exceptions, and changing one class name to LogicException thanks to @iltar
eb158cb Updating interface method per suggestion - makes sense to me, Request is redundant
c73c32e Thanks fabbot!
6c180c7 Adding an edge case - this should not happen anyways
180e2c7 Properly handles "post auth" tokens that have become not authenticated
873ed28 Renaming the tokens to be clear they are "post" and "pre" auth - also adding an interface
a0bceb4 adding Guard tests
05af97c Initial commit (but after some polished work) of the new Guard authentication system
330aa7f Improving phpdoc on AuthenticationEntryPointInterface so people that implement this understand it
This is quite technical. As you can see in the provider, the method is called
sometimes when the User changes, and so the token becomes de-authenticated (e.g.
someone else changes the password between requests).
In practice, the user should be unauthenticated. Using the anonymous token did this,
but throwing an AccountStatusException seems like a better idea. It needs to be an
AccountStatusException because the ExceptionListener from the Firewall looks for exceptions
of this class and logs the user out when they are found (because this is their purpose).
This solution is a copy of what AbstractAuthenticationListener does. Scenario:
1) Login
2) Go back to the log in page
3) Put in a bad user/pass
You *should* still be logged in after a failed attempt. This commit gives that behavior.
This looks like a subjective change (one more method, but the method implementations are
simpler), but it wasn't. The problem was that the UserChecker checkPreAuth should happen
*after* we get the user, but *before* the credentials are checked, and that wasn't possible
before this change. Now it is.
Here is the flow:
A) You login using guard and are given a PostAuthGuardToken
B) Your user changes between requests - AbstractToken::setUser() and hasUserChanged() - which
results in the Token becoming "not authenticated"
C) Something calls out to the security system, which then passes the no-longer-authed
token back into the AuthenticationProviderManager
D) Because the PostauthGuardToken implements GuardTokenInterface, the provider responds
to it. But, seeing that this is a no-longer-authed PostAuthGuardToken, it returns
an AnonymousToken, which triggers logout
The reason is that the GuardAuthenticationProvider *must* respond to *all* tokens
created by the system - both "pre auth" and "post auth" tokens. The reason is that
if a "post auth" token becomes not authenticated (e.g. because the user changes between
requests), then it may be passed to the provider system. If no providers respond (which
was the case before this commit), then AuthenticationProviderManager throws an exception.
The next commit will properly handle these "post auth" + "no-longer-authenticated" tokens,
which should cause a log out.
* 2.8:
bumped minimal version in appveyor to 5.3.9
[VarDumper] Fix missing support for dumping PHP7 return type
Require security-acl 2.7 for BC
[travis] disable symfony_debug ext when deps!=no
Require actual version of ACL component until ACL/2.8 branch released
Do not normalize the kernel root directory path (see symfony/symfony#15474).
Don't trigger deprecation on interfaces
[Debug] Ignore silencing for deprecations
[ci] Run minimal versions on appveyor only
Deprecated Security ClassUtils in favor of Acl ClassUtils
Fix appveyor file
consistently use str_replace to unify directory separators (remaining)
* 2.7:
[VarDumper] Fix missing support for dumping PHP7 return type
[travis] disable symfony_debug ext when deps!=no
Do not normalize the kernel root directory path (see symfony/symfony#15474).
Don't trigger deprecation on interfaces
[Debug] Ignore silencing for deprecations
[ci] Run minimal versions on appveyor only
Fix appveyor file
consistently use str_replace to unify directory separators (remaining)
* 2.8: (21 commits)
Fix merge
Fix typo
Various fixes esp. on Windows
Fix the validation of form resources to register the default theme
Fix the retrieval of the value with property path when using a loader
[appveyor] minor enhancements
[Process] Disable failing tests on Windows
[Translation] Fix the string casting in the XliffFileLoader
Windows and Intl fixes
Add appveyor.yml for C.I. on Windows
[VarDumper] fixed HtmlDumper to target specific the head tag
[travis] merge php: nightly and deps=high test-matrix lines
consistently use str_replace to unify directory separators
Support omitting the <target> node in an .xlf file.
Fix the handling of values for multiple choice types
moved PHP nightly to PHP 7.0
fixed tests using deprecation features
[Form] made deprecation notice more precise
fixed CS
Fix BC break after split of ACL from core
...
Conflicts:
.travis.yml
composer.json
src/Symfony/Bundle/TwigBundle/DependencyInjection/Configuration.php
src/Symfony/Component/Intl/DateFormatter/IntlDateFormatter.php
src/Symfony/Component/Intl/Tests/DateFormatter/AbstractIntlDateFormatterTest.php
src/Symfony/Component/Locale/Tests/LocaleTest.php
* 2.7:
Various fixes esp. on Windows
Fix the validation of form resources to register the default theme
Fix the retrieval of the value with property path when using a loader
[appveyor] minor enhancements
[Process] Disable failing tests on Windows
[Translation] Fix the string casting in the XliffFileLoader
Windows and Intl fixes
Add appveyor.yml for C.I. on Windows
[VarDumper] fixed HtmlDumper to target specific the head tag
[travis] merge php: nightly and deps=high test-matrix lines
consistently use str_replace to unify directory separators
Support omitting the <target> node in an .xlf file.
Fix the handling of values for multiple choice types
moved PHP nightly to PHP 7.0
[Security] Add missing docblock in PreAuthenticatedToken
Conflicts:
.travis.yml
* 2.3:
Windows and Intl fixes
Add appveyor.yml for C.I. on Windows
[travis] merge php: nightly and deps=high test-matrix lines
[Security] Add missing docblock in PreAuthenticatedToken
Conflicts:
.travis.yml
src/Symfony/Component/Filesystem/Tests/FilesystemTest.php
src/Symfony/Component/HttpFoundation/JsonResponse.php
src/Symfony/Component/Intl/DateFormatter/IntlDateFormatter.php
* 2.8:
[Locale] Add missing @group legacy annotations
[Form] Add missing @group legacy annotations
[Form] Use FQCN form types
Fix security-acl deps
Fix typo
[Security] Removed security-acl from the core
fixed typos
Fix doctrine mapping validation type error
Remove skipping of tests based on ICU data version whenever possible
Fix the handling of null as locale in the stub intl classes
do not dump leading backslashes in class names
fix issue #15377
Skip ::class constant
[Config] type specific check for emptiness
[Form] Deprecated FormTypeInterface::getName() and passing of type instances
Conflicts:
UPGRADE-2.8.md
composer.json
src/Symfony/Bridge/Doctrine/composer.json
src/Symfony/Bridge/Twig/composer.json
src/Symfony/Bundle/SecurityBundle/composer.json
src/Symfony/Component/ClassLoader/ClassMapGenerator.php
src/Symfony/Component/DependencyInjection/Tests/ContainerTest.php
src/Symfony/Component/Form/Tests/AbstractExtensionTest.php
src/Symfony/Component/Form/Tests/AbstractLayoutTest.php
src/Symfony/Component/Form/Tests/SimpleFormTest.php
src/Symfony/Component/Locale/Tests/LocaleTest.php
src/Symfony/Component/Locale/Tests/Stub/StubLocaleTest.php
src/Symfony/Component/Security/Acl/README.md
src/Symfony/Component/Security/Acl/composer.json
This PR was squashed before being merged into the 2.8 branch (closes#15013).
Discussion
----------
[Security] Removed security-acl from the core
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | part of #14718
| License | MIT
| Doc PR | ~
The `Security\Acl` is removed from the core and is loaded from its own repository. All tests were passing and this is fully backwards compatible. I have removed all but the Test files in the first step and added the dependency to verify the Test were still working with the package dependency. The second step was to remove the remaining test files and tests are still running for both the Bundle and the Framework. Once the Read-Only repository is a full standalone repository, this PR can be merged.
- [x] Remove component from the core
- [ ] Remove read-only from https://github.com/symfony/security-acl
Once this PR is merged, I can start working on splitting the SecurityBundle and extracting the ACL part to the AclBundle.
/cc @fabpot
Commits
-------
b26a449 [Security] Removed security-acl from the core
* 2.8: (63 commits)
[Debug] Deprecate ExceptionHandler::createResponse
[Debug] cleanup ExceptionHandlerTest
Reordered the toolbar elements via service priorities
bumped Symfony version to 2.7.4
Increased the z-index of .sf-toolbar-info
Removed an unused media query
updated VERSION for 2.7.3
updated CHANGELOG for 2.7.3
Redesigned "abbr" elements
Restored the old behavior for toolbars with lots of elements
Tweaks and bug fixes
Added some upgrade notes about the new toolbar design
fixed typo in translation keys
Fix the return value on error for intl methods returning arrays
Removed an useless CSS class and added styles for <hr>
Added a new profiler_markup_version to improve BC of the new toolbar
Fix merge
Removed an unused import
Reverted the feature to display different toolbar versions
Minor JavaScript optimizations
...
Conflicts:
CHANGELOG-2.7.md
UPGRADE-2.8.md
src/Symfony/Bundle/FrameworkBundle/Resources/config/collectors.xml
src/Symfony/Component/Debug/composer.json
src/Symfony/Component/HttpKernel/HttpCache/HttpCache.php
* 2.7:
[php7] Fix for substr() always returning a string
[Security] Do not save the target path in the session for a stateless firewall
Fix calls to HttpCache#getSurrogate triggering E_USER_DEPRECATED errors.
[DependencyInjection] fixed FrozenParameterBag and improved Parameter…
* 2.3:
[php7] Fix for substr() always returning a string
[Security] Do not save the target path in the session for a stateless firewall
[DependencyInjection] fixed FrozenParameterBag and improved Parameter…
Conflicts:
src/Symfony/Component/Debug/Tests/ErrorHandlerTest.php
src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
* 2.8:
[Yaml] throw a ParseException on invalid data type
[TwigBridge] type-dependent path discovery
Resources as string have the same problem
Introduce failing test case when a SplFileInfo object is passed to the extract() method in the TwigExtractor.
#15331 add infos about deprecated classes to UPGRADE-3.0
[Asset] removed unused private property.
[Twig+FrameworkBundle] Fix forward compat with Form 2.8
[2.6] Static Code Analysis for Components
[Security/Http] Fix test relying on a private property
[Serializer] Fix bugs reported in b5990be491 (commitcomment-12301266)
[Form] Fix not-BC test assertion
[Security] Moved Simple{Form,Pre}AuthenticatorInterfaces to Security\Http
[Security] removed useless else condition in SwitchUserListener class.
[travis] Tests deps=low with PHP 5.6
Implement resettable containers
[Console] Fix console output with closed stdout
* 2.7:
[Yaml] throw a ParseException on invalid data type
[TwigBridge] type-dependent path discovery
Resources as string have the same problem
Introduce failing test case when a SplFileInfo object is passed to the extract() method in the TwigExtractor.
#15331 add infos about deprecated classes to UPGRADE-3.0
[Asset] removed unused private property.
[Security] removed useless else condition in SwitchUserListener class.
[travis] Tests deps=low with PHP 5.6
[Console] Fix console output with closed stdout
* 2.6:
[Yaml] throw a ParseException on invalid data type
#15331 add infos about deprecated classes to UPGRADE-3.0
[Security] removed useless else condition in SwitchUserListener class.
[travis] Tests deps=low with PHP 5.6
[Console] Fix console output with closed stdout
* 2.7:
[Twig+FrameworkBundle] Fix forward compat with Form 2.8
[2.6] Static Code Analysis for Components
[Security/Http] Fix test relying on a private property
[Serializer] Fix bugs reported in b5990be491 (commitcomment-12301266)
Conflicts:
src/Symfony/Bridge/Twig/Resources/views/Form/form_div_layout.html.twig
src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/widget_attributes.html.php
src/Symfony/Component/Security/Http/Tests/Firewall/AnonymousAuthenticationListenerTest.php
* 2.8: (27 commits)
[2.8] Fix 3.0 incompatible deps
[HttpKernel] Fix lowest dep
[Security] fix check for empty usernames
[Form] updated exception message of ButtonBuilder::setRequestHandler()
[travis] Fix deps=high jobs
Fix typo 'assets.package' => 'assets.packages' in UPGRADE-2.7
[Serializer] Simplify AbstractNormalizer::prepareForDenormalization()
[HttpFoundation] [PSR-7] Allow to use resources as content body and to return resources from string content
[DependencyInjection] Forbid container cloning
[HttpFoundation] Fix Response::closeOutputBuffers() for HHVM 3.3
[WebProfilerBundle] Add link to show profile of latest request
[DependencyInjection] Remove unused code in XmlFileLoader
[HttpFoundation] Behaviour change in PHP7 for substr
[Console] Set QuestionHelper max attempts in tests
[Form] Fix a BC break in the entity
fix broken ChoiceQuestion
bumped Symfony version to 2.7.3
updated VERSION for 2.7.2
updated CHANGELOG for 2.7.2
bumped Symfony version to 2.6.11
...
Conflicts:
.travis.yml
CHANGELOG-2.3.md
CHANGELOG-2.6.md
CHANGELOG-2.7.md
UPGRADE-2.7.md
src/Symfony/Bridge/Twig/composer.json
src/Symfony/Bundle/FrameworkBundle/Tests/Console/Descriptor/AbstractDescriptorTest.php
src/Symfony/Bundle/FrameworkBundle/composer.json
src/Symfony/Bundle/SecurityBundle/composer.json
src/Symfony/Component/Form/composer.json
src/Symfony/Component/HttpKernel/composer.json
This PR was squashed before being merged into the 2.8 branch (closes#15131).
Discussion
----------
[Security] Moved Simple{Form,Pre}AuthenticatorInterfaces to Security\Http
Description
---
The `SimpleFormAuthenticatorInterface` and `SimplePreAuthenticatorInterface` rely on `Request`, which means it's a Http land class. This means they don't belong in core.
Having a form login that doesn't depend on the request is an option as well (e.g. a console application might use the question helper to implement a "form" login). However, then there is a need for a new abstraction of the request. I don't think it's worth it.
Furthermore, the only classes typehinting/relying on this interfaces can be found in `Security\Http`.
Implementation
---
The new interfaces extend the old ones for better backwards compability. Symfony doesn't trigger deprecation errors for interfaces, see 6f57b7b552
PR Info Table
---
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Commits
-------
ebb2064 [Security] Moved Simple{Form,Pre}AuthenticatorInterfaces to Security\Http
* 2.7:
[HttpKernel] Fix lowest dep
[Security] fix check for empty usernames
[Form] updated exception message of ButtonBuilder::setRequestHandler()
[travis] Fix deps=high jobs
Fix typo 'assets.package' => 'assets.packages' in UPGRADE-2.7
[Serializer] Simplify AbstractNormalizer::prepareForDenormalization()
[HttpFoundation] [PSR-7] Allow to use resources as content body and to return resources from string content
[DependencyInjection] Remove unused code in XmlFileLoader
[HttpFoundation] Behaviour change in PHP7 for substr
bumped Symfony version to 2.3.32
updated VERSION for 2.3.31
update CONTRIBUTORS for 2.3.31
updated CHANGELOG for 2.3.31
Conflicts:
src/Symfony/Bridge/Twig/composer.json
src/Symfony/Bundle/FrameworkBundle/composer.json
src/Symfony/Component/HttpKernel/composer.json
* 2.6:
[Security] fix check for empty usernames
[Form] updated exception message of ButtonBuilder::setRequestHandler()
[travis] Fix deps=high jobs
[HttpFoundation] [PSR-7] Allow to use resources as content body and to return resources from string content
[DependencyInjection] Remove unused code in XmlFileLoader
[HttpFoundation] Behaviour change in PHP7 for substr
bumped Symfony version to 2.3.32
updated VERSION for 2.3.31
update CONTRIBUTORS for 2.3.31
updated CHANGELOG for 2.3.31
Conflicts:
src/Symfony/Bridge/Twig/composer.json
src/Symfony/Bundle/FrameworkBundle/composer.json
* 2.3:
[Security] fix check for empty usernames
[Form] updated exception message of ButtonBuilder::setRequestHandler()
[travis] Fix deps=high jobs
[HttpFoundation] [PSR-7] Allow to use resources as content body and to return resources from string content
[DependencyInjection] Remove unused code in XmlFileLoader
[HttpFoundation] Behaviour change in PHP7 for substr
bumped Symfony version to 2.3.32
updated VERSION for 2.3.31
update CONTRIBUTORS for 2.3.31
updated CHANGELOG for 2.3.31
Conflicts:
src/Symfony/Bridge/Twig/composer.json
src/Symfony/Bundle/FrameworkBundle/composer.json
src/Symfony/Component/DependencyInjection/Loader/XmlFileLoader.php
src/Symfony/Component/HttpKernel/Kernel.php
* 2.8:
Added 'default' color
[HttpFoundation] Reload the session after regenerating its id
[HttpFoundation] Add a test case to confirm a bug in session migration
[Serializer] Fix ClassMetadata::sleep()
[2.6] Static Code Analysis for Components and Bundles
[Finder] Command::addAtIndex() fails with Command instance argument
[DependencyInjection] Freeze also FrozenParameterBag::remove
[Twig][Bridge] replaced `extends` with `use` in bootstrap_3_horizontal_layout.html.twig
fix CS
fixed CS
Add a way to reset the singleton
[Security] allow to use `method` in XML configs
[Serializer] Fix Groups tests.
Remove duplicate example
Remove var not used due to returning early (introduced in 8982c32)
[Serializer] Fix Groups PHPDoc
Enhance hhvm test skip message
fix for legacy asset() with EmptyVersionStrategy
[Form] Added upgrade notes for #15061
* 2.7:
Added 'default' color
[HttpFoundation] Reload the session after regenerating its id
[HttpFoundation] Add a test case to confirm a bug in session migration
[Serializer] Fix ClassMetadata::sleep()
[2.6] Static Code Analysis for Components and Bundles
[Finder] Command::addAtIndex() fails with Command instance argument
[DependencyInjection] Freeze also FrozenParameterBag::remove
[Twig][Bridge] replaced `extends` with `use` in bootstrap_3_horizontal_layout.html.twig
fix CS
fixed CS
Add a way to reset the singleton
[Security] allow to use `method` in XML configs
[Serializer] Fix Groups tests.
Remove duplicate example
Remove var not used due to returning early (introduced in 8982c32)
[Serializer] Fix Groups PHPDoc
Enhance hhvm test skip message
fix for legacy asset() with EmptyVersionStrategy
[Form] Added upgrade notes for #15061
* 2.6:
Added 'default' color
[HttpFoundation] Reload the session after regenerating its id
[HttpFoundation] Add a test case to confirm a bug in session migration
[2.6] Static Code Analysis for Components and Bundles
[Finder] Command::addAtIndex() fails with Command instance argument
[DependencyInjection] Freeze also FrozenParameterBag::remove
[Twig][Bridge] replaced `extends` with `use` in bootstrap_3_horizontal_layout.html.twig
fix CS
fixed CS
Add a way to reset the singleton
[Security] allow to use `method` in XML configs
Remove duplicate example
Remove var not used due to returning early (introduced in 8982c32)
Enhance hhvm test skip message
This PR was squashed before being merged into the 2.8 branch (closes#15141).
Discussion
----------
[DX] [Security] Renamed Token#getKey() to getSecret()
There are 2 very vague parameter names in the authentication process: `$providerKey` and `$key`. Some tokens/providers have the first one, some tokens/providers the second one and some both. An overview:
| Token | `providerKey` | `key`
| --- | --- | ---
| `AnonymousToken` | - | yes
| `PreAuth...Token` | yes | -
| `RememberMeToken` | yes | yes
| `UsernamePasswordToken` | yes | -
Both names are extremely general and their PHPdocs contains pure no-shit-sherlock-descriptions :squirrel: (like "The key."). This made me and @iltar think it's just an inconsistency and they have the same meaning.
...until we dived deeper into the code and came to the conclusion that `$key` has a Security task (while `$providerKey` doesn't really). If it takes people connected to Symfony internals 30+ minutes to find this out, it should be considered for an improvement imo.
So here is our suggestion: **Rename `$key` to `$secret`**. This explains much better what the value of the string has to be (for instance, it's important that the string is not easily guessable and cannot be found out, according to the Spring docs). It also explains the usage better (it's used as a replacement for credentials and to hash the RememberMeToken).
**Tl;dr**: `$key` and `$providerKey` are too general names, let's improve DX by renaming them. This PR tackles `$key` by renaming it to `$secret`.
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
*My excuse for the completely unrelated branch name*
Commits
-------
24e0eb6 [DX] [Security] Renamed Token#getKey() to getSecret()
* 2.6:
[2.6] Towards 100% HHVM compat
[Security/Http] Fix test
[Stopwatch] Fix test
Minor fixes
Towards 100% HHVM compat
unify default AccessDeniedExeption message
trigger event with right user (add test)
[Security] Initialize SwitchUserEvent::targetUser on attemptExitUser
[Form] Fixed: Data mappers always receive forms indexed by their names
Conflicts:
src/Symfony/Bundle/FrameworkBundle/Controller/Controller.php
src/Symfony/Component/VarDumper/Tests/CliDumperTest.php
src/Symfony/Component/VarDumper/Tests/HtmlDumperTest.php
* 2.3:
Minor fixes
Towards 100% HHVM compat
trigger event with right user (add test)
[Security] Initialize SwitchUserEvent::targetUser on attemptExitUser
[Form] Fixed: Data mappers always receive forms indexed by their names
Conflicts:
src/Symfony/Component/Debug/Tests/ErrorHandlerTest.php
src/Symfony/Component/Filesystem/Filesystem.php
src/Symfony/Component/Process/Tests/AbstractProcessTest.php
The `SwitchUserEvent` is triggered in case an account is switched. This works okay while switching to the user, but on exit the `SwitchUserEvent` is triggered again with the original User. That User was not initialized by the provider yet.
load user by UserInterface instead of username
* 2.3:
Fix quoting style consistency.
[DependencyInjection] Fail when dumping a Definition with no class nor factory
Normalizing recursively - see #9096
No change - the normalizeParams is a copy-and-paste of the earlier logic
fixes issue with logging array of non-utf8 data
fix validation for Maestro UK card numbers
* 2.7:
[FrameworkBundle] Reuse PropertyAccessor service for ObjectNormalizer
[VarDumper] Fix dump output for better readability
[PhpUnitBridge] Enforce @-silencing of deprecation notices according to new policy
* 2.8: (42 commits)
[DoctrineBridge] Bypass the db when no valid identifier is provided in ORMQueryBuilderLoader
[Serializer] Fixed typo in comment
[Form] Fixed: Filter non-integers when selecting entities by int ID
[Form] [EventListener] fixed sending non array data on submit to ResizeListener
Fix merge
Fix merge
Add test for HHVM FatalErrors
[2.6][Debug] Fix fatal-errors handling on HHVM
[Debug] Fix log level of stacked errors
[Form] Deprecated "cascade_validation"
[Form] Add "prototype_data" option to collection type
[VarDumper] Fix uninitialized id in HtmlDumper
[Form] Added the 'range' FormType
Fixed fluent interface
[Console] Fix tests on Windows
[2.7] Fix unsilenced deprecation notices
[2.3][Debug] Fix fatal-errors handling on HHVM
[Debug] fix debug class loader case test on windows
Standardize the name of the exception variables
[Debug+VarDumper] Fix handling of PHP7 exception/error model
...
Conflicts:
CHANGELOG-2.7.md
UPGRADE-2.7.md
UPGRADE-2.8.md
src/Symfony/Bridge/Twig/AppVariable.php
src/Symfony/Component/Console/Helper/DialogHelper.php
src/Symfony/Component/Debug/ErrorHandler.php
src/Symfony/Component/Debug/Tests/ErrorHandlerTest.php
src/Symfony/Component/DependencyInjection/Compiler/ResolveParameterPlaceHoldersPass.php
src/Symfony/Component/Form/AbstractType.php
src/Symfony/Component/Form/AbstractTypeExtension.php
src/Symfony/Component/HttpKernel/Tests/DependencyInjection/ContainerAwareHttpKernelTest.php
src/Symfony/Component/HttpKernel/Tests/Logger.php
src/Symfony/Component/PropertyAccess/Exception/UnexpectedTypeException.php
src/Symfony/Component/Routing/Route.php
* 2.7: (36 commits)
[DoctrineBridge] Bypass the db when no valid identifier is provided in ORMQueryBuilderLoader
[Serializer] Fixed typo in comment
[Form] Fixed: Filter non-integers when selecting entities by int ID
Fix merge
Fix merge
Add test for HHVM FatalErrors
[2.6][Debug] Fix fatal-errors handling on HHVM
[Debug] Fix log level of stacked errors
[VarDumper] Fix uninitialized id in HtmlDumper
Fixed fluent interface
[Console] Fix tests on Windows
[2.7] Fix unsilenced deprecation notices
[2.3][Debug] Fix fatal-errors handling on HHVM
[Debug] fix debug class loader case test on windows
Standardize the name of the exception variables
[Debug+VarDumper] Fix handling of PHP7 exception/error model
Do not trigger deprecation error in ResolveParameterPlaceHoldersPass
[2.3] Static Code Analysis for Components
Added a small Upgrade note regarding security.context
added missing deprecation in CHANGELOG
...
Conflicts:
src/Symfony/Bundle/WebProfilerBundle/Resources/views/Collector/logger.html.twig
src/Symfony/Component/HttpKernel/Kernel.php
* 2.6:
Add test for HHVM FatalErrors
[2.6][Debug] Fix fatal-errors handling on HHVM
[2.3][Debug] Fix fatal-errors handling on HHVM
Standardize the name of the exception variables
[2.3] Static Code Analysis for Components
Remove duplicated paths
Conflicts:
src/Symfony/Component/Debug/ErrorHandler.php
src/Symfony/Component/Security/Http/Firewall/BasicAuthenticationListener.php
src/Symfony/Component/Security/Http/Firewall/ContextListener.php
src/Symfony/Component/Security/Http/Firewall/RememberMeListener.php
src/Symfony/Component/Security/Http/RememberMe/AbstractRememberMeServices.php
* 2.3:
[2.3][Debug] Fix fatal-errors handling on HHVM
Standardize the name of the exception variables
[2.3] Static Code Analysis for Components
Remove duplicated paths
Conflicts:
src/Symfony/Component/Debug/ErrorHandler.php
src/Symfony/Component/HttpFoundation/Session/Storage/MockArraySessionStorage.php
src/Symfony/Component/Security/Acl/Dbal/AclProvider.php
src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php
* 2.6:
[Debug] Fix log level of stacked errors
[VarDumper] Fix uninitialized id in HtmlDumper
Fixed fluent interface
[Debug] fix debug class loader case test on windows
[Debug+VarDumper] Fix handling of PHP7 exception/error model
[2.6][Security][Translation] #14920 update translations
[VarDumper] Cherry-pick code style fixes from 2.7
Bug #14836 [HttpFoundation] Moves default JSON encoding assignment from constructor to property
Conflicts:
src/Symfony/Component/Debug/Tests/DebugClassLoaderTest.php
src/Symfony/Component/VarDumper/Caster/DOMCaster.php
src/Symfony/Component/VarDumper/Caster/ExceptionCaster.php
src/Symfony/Component/VarDumper/Caster/PdoCaster.php
src/Symfony/Component/VarDumper/Caster/SplCaster.php
This PR was merged into the 2.7 branch.
Discussion
----------
added missing deprecation in CHANGELOG
Commits
-------
ddddeb5 added missing deprecation in CHANGELOG
* 2.7:
Fix test name
fixed CS
Allow new lines in Messages translated with transchoice() (replacement for #14867)
[Form] Swap new ChoiceView constructor arguments to ease migrating from the deprecated one
[2.3] Fix tests on Windows
[Yaml] remove partial deprecation annotation
Silence invasive deprecation warnings, opt-in for warnings
Documenting how to keep option value BC - see #14377
Conflicts:
src/Symfony/Bridge/Doctrine/composer.json
src/Symfony/Bridge/Twig/composer.json
