This PR was squashed before being merged into the 4.3-dev branch (closes#30901).
Discussion
----------
Renamed NotPwned to NotCompromisedPassword
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | -
| License | MIT
| Doc PR | -
<!--
Write a short README entry for your feature/bugfix here (replace this comment block.)
This will help people understand your PR and can be used as a start of the Doc PR.
Additionally:
- Bug fixes must be submitted against the lowest branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too).
- Features and deprecations must be submitted against the master branch.
-->
Commits
-------
2f648b04ae Renamed NotPwned to NotCompromisedPassword
* 4.2: (45 commits)
[Form] various minor fixes
Ensure the parent process is always killed
bugfix: the terminal state was wrong and not reseted
[Console] Fix inconsistent result for choice questions in non-interactive mode
Define null return type for Constraint::getDefaultOption()
[Routing] Fix: annotation loader ignores method's default values
[HttpKernel] Fix DebugHandlersListener constructor docblock
Skip Glob brace test when GLOB_BRACE is unavailable
bumped Symfony version to 4.2.6
updated VERSION for 4.2.5
updated CHANGELOG for 4.2.5
bumped Symfony version to 3.4.25
updated VERSION for 3.4.24
update CONTRIBUTORS for 3.4.24
updated CHANGELOG for 3.4.24
[EventDispatcher] cleanup
fix testIgnoredAttributesInContext
Re-generate icu 64.1 data
Improve PHPdoc / IDE autocomplete for config tree builder
[Bridge][Twig] DebugCommand - fix escaping and filter
...
* 3.4:
[Form] various minor fixes
bugfix: the terminal state was wrong and not reseted
[Console] Fix inconsistent result for choice questions in non-interactive mode
Define null return type for Constraint::getDefaultOption()
[HttpKernel] Fix DebugHandlersListener constructor docblock
Skip Glob brace test when GLOB_BRACE is unavailable
bumped Symfony version to 3.4.25
updated VERSION for 3.4.24
update CONTRIBUTORS for 3.4.24
updated CHANGELOG for 3.4.24
[EventDispatcher] cleanup
This PR was squashed before being merged into the 4.3-dev branch (closes#27738).
Discussion
----------
[Validator] Add a HaveIBeenPwned password validator
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | n/a <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | todo
This PR adds a new `Pwned` validation constraint to prevent users to choose passwords that have been leaked in public data breaches.
The validator uses the https://haveibeenpwned.com/ API. The implementation is similar to the one used by [Firefox Monitor](https://blog.mozilla.org/futurereleases/2018/06/25/testing-firefox-monitor-a-new-security-tool/). It allows to not expose the password hash using a k-anonymity model. The specific implementation for HaveIBeenPwned has been [described in depth by Cloudflare](https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/).
Usage:
```php
// Rejects the password if is present in any number of times in any data breach
class User
{
/** @Pwned */
public $plainPassword;
}
// Rejects the password if is present more than 5 times in data breaches
class User
{
/** @Pwned(maxCount=5) */
public $plainPassword;
}
// Customize the error message
class User
{
/** @Pwned(message='Please select another password, this one has already been hacked.') */
public $plainPassword;
}
```
Commits
-------
ec1ded898a [Validator] Add a HaveIBeenPwned password validator
This PR was merged into the 4.3-dev branch.
Discussion
----------
[Validator][DoctrineBridge][FWBundle] Automatic data validation
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes<!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | n/a <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | https://github.com/symfony/symfony-docs/pull/11132
This feature automatically adds some validation constraints by inferring existing metadata. To do so, it uses the PropertyInfo component and Doctrine metadata, but it has been designed to be easily extendable.
Example:
```php
use Doctrine\ORM\Mapping as ORM;
/**
* @ORM\Entity
*/
class Dummy
{
/**
* @ORM\Id
* @ORM\GeneratedValue(strategy="AUTO")
* @ORM\Column(type="integer")
*/
public $id;
/**
* @ORM\Column(nullable=true)
*/
public $columnNullable;
/**
* @ORM\Column(length=20)
*/
public $columnLength;
/**
* @ORM\Column(unique=true)
*/
public $columnUnique;
}
$manager = $this->managerRegistry->getManager();
$manager->getRepository(Dummy::class);
$firstOne = new Dummy();
$firstOne->columnUnique = 'unique';
$firstOne->columnLength = '0';
$manager->persist($firstOne);
$manager->flush();
$dummy = new Dummy();
$dummy->columnNullable = 1; // type mistmatch
$dummy->columnLength = '012345678901234567890'; // too long
$dummy->columnUnique = 'unique'; // not unique
$res = $this->validator->validate($dummy);
dump((string) $res);
/*
Object(App\Entity\Dummy).columnUnique:\n
This value is already used. (code 23bd9dbf-6b9b-41cd-a99e-4844bcf3077f)\n
Object(App\Entity\Dummy).columnLength:\n
This value is too long. It should have 20 characters or less. (code d94b19cc-114f-4f44-9cc4-4138e80a87b9)\n
Object(App\Entity\Dummy).id:\n
This value should not be null. (code ad32d13f-c3d4-423b-909a-857b961eb720)\n
Object(App\Entity\Dummy).columnNullable:\n
This value should be of type string. (code ba785a8c-82cb-4283-967c-3cf342181b40)\n
*/
```
It also works for DTOs:
```php
class MyDto
{
/** @var string */
public $name;
}
$dto = new MyDto();
$dto->name = 1; // type error
dump($validator->validate($dto));
/*
Object(MyDto).name:\n
This value should be of type string. (code ba785a8c-82cb-4283-967c-3cf342181b40)\n
*/
```
Supported constraints currently are:
* `@NotNull` (using PropertyInfo type extractor, so supports Doctrine metadata, getters/setters and PHPDoc)
* `@Type` (using PropertyInfo type extractor, so supports Doctrine metadata, getters/setters and PHPDoc)
* `@UniqueEntity` (using Doctrine's `unique` metadata)
* `@Length` (using Doctrine's `length` metadata)
Many users don't understand that the Doctrine mapping doesn't validate anything (it's just a hint for the schema generator). It leads to usability and security issues (that are not entirely fixed by this PR!!).
Even the ones who add constraints often omit important ones like `@Length`, or `@Type` (important when building web APIs).
This PR aims to improve things a bit, and ease the development process in RAD and when prototyping. It provides an upgrade path to use proper validation constraints.
I plan to make it opt-in, disabled by default, but enabled in the default Flex recipe. (= off by default when using components, on by default when using the full stack framework)
TODO:
* [x] Add configuration flags
* [x] Move the Doctrine-related DI logic from the extension to DoctrineBundle: doctrine/DoctrineBundle#831
* [x] Commit the tests
Commits
-------
2d64e703c2 [Validator][DoctrineBridge][FWBundle] Automatic data validation
This PR was squashed before being merged into the 3.4 branch (closes#30737).
Discussion
----------
[Validator] Improve constraint default option check
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Any constraint without default option used as annotation with unnamed first argument (for example, `@Assert\Collection(1)`) throws an exception with an ugly message `The options "" do not exist in constraint Collection`.
This PR makes constraint check the default option in the annotation case in the same way it checks it in the "real" code case. So the exception will be `No default option is configured for constraint Collection.`
Commits
-------
915912e18e [Validator] Improve constraint default option check
This PR was merged into the 4.3-dev branch.
Discussion
----------
[Validator] Add constraint on unique elements collection(Assert\Unique)
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | no <!-- please add some, will be required by reviewers -->
| Fixed tickets | #26535
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
<!--
Write a short README entry for your feature/bugfix here (replace this comment block.)
This will help people understand your PR and can be used as a start of the Doc PR.
Additionally:
- Bug fixes must be submitted against the lowest branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too).
- Features and deprecations must be submitted against the master branch.
-->
Commits
-------
d0eb13e55a Rebase and update to latest CS
fc66683cf2 Add UniqueCollection constraint and validator
* 4.2:
[Phpunit] fixed support for PHP 5.3
Response prepare method update
[Workflow] Added missing license header
Fix case when multiple loaders are providing paths for the same namespace
Check if Client exists when test.client does not exist, to provide clearer exception message
throw TypeErrors to prepare for type hints in 5.0
[Form] Preventing validation of children if parent with Valid constraint has no validation groups
[Form] Added ResetInterface to CachingFactoryDecorator
Remove deprecated usage
[Tests] fixed compatbility of assertEquals(): void
Fixed usage of TranslatorInterface in form extension (fixes#30591)
[Intl][4.2] Fix test
[Intl] Fix test
[Validator] Add the missing translations for the Arabic (ar) locale
[Intl] Add compile binary
Fix DebugCommand when chain loader is involved
[Form] Fixed some phpdocs
* 3.4:
[Phpunit] fixed support for PHP 5.3
Response prepare method update
[Workflow] Added missing license header
Check if Client exists when test.client does not exist, to provide clearer exception message
[Form] Preventing validation of children if parent with Valid constraint has no validation groups
[Tests] fixed compatbility of assertEquals(): void
[Intl] Fix test
[Validator] Add the missing translations for the Arabic (ar) locale
[Intl] Add compile binary
[Form] Fixed some phpdocs
* 4.2:
Fix Cache error while using anonymous class
[Cache] fix LockRegistry
Update validators.cs.xlf
Make translations consistent with other translations.
Correct language code for ukrainian language in security translations.
Fix return type of Request::getRequestFormat
[Cache] Fix perf when using RedisCluster by reducing roundtrips to the servers
* 3.4:
Make translations consistent with other translations.
Correct language code for ukrainian language in security translations.
Fix return type of Request::getRequestFormat
[Cache] Fix perf when using RedisCluster by reducing roundtrips to the servers
* 4.2:
[Cache] Only delete one key at a time when on Predis + Cluster
[Validator] Add missing translations for Swedish locale
[Process] fix using argument $php of new PhpProcess()
[Routing] removed a useless var
[Routing] Fixed XML options resolution
* 3.4:
[Cache] Only delete one key at a time when on Predis + Cluster
[Validator] Add missing translations for Swedish locale
[Routing] removed a useless var
[Routing] Fixed XML options resolution
This PR was merged into the 3.4 branch.
Discussion
----------
[Validator] Add the missing translations for the Swedish ("sv") locale
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #30190
| License | MIT
| Doc PR | -
Added the missing translations to the `src/Symfony/Component/Validator/Resources/translations/validators.sv.xlf` file.
Commits
-------
7e9f63da43 [Validator] Add missing translations for Swedish locale
* 4.2: (27 commits)
cs fix
cs fix
[PHPUnit-Bridge] override some environment variables
[TwigBridge] Remove use spaceless tag
Upgrade zookeeper ext
[translation] Update defaut format from yml to yaml
Change default log level for output streams
update docblock to match the actual behavior
Don't resolve the Deprecation error handler mode until a deprecation is triggered
compatibility with phpunit8
Make 'headers' key optional for encoded messages
[Debug][DebugClassLoader] Detect annotations before blank docblock lines on final and internal methods
Fix undefined variable fromConstructor when passing context to getTypes
Added translations for chineese language.
Allow 3rd argument to be null
Remove whitespace (tab on blank line)
[Monolog] Really reset logger when calling logger::reset()
[Form] Fixes debug:form appears many times as type extensions configured with new getExtendedTypes method
Update src/Symfony/Component/PropertyInfo/Tests/Extractor/ReflectionExtractorTest.php
Update src/Symfony/Component/PropertyInfo/Tests/Extractor/ReflectionExtractorTest.php
...
* 3.4:
cs fix
cs fix
[PHPUnit-Bridge] override some environment variables
[TwigBridge] Remove use spaceless tag
[translation] Update defaut format from yml to yaml
Change default log level for output streams
update docblock to match the actual behavior
compatibility with phpunit8
[Debug][DebugClassLoader] Detect annotations before blank docblock lines on final and internal methods
Added translations for chineese language.
