Commits
-------
f7bf7b5 fixed condition
181332b added a Controller:getUser() shortcut to recover the current user
Discussion
----------
[2.1] added a Controller:getUser() shortcut to recover the current user
Commits
-------
c4a0f79 Updates according to suggestions.
6aec789 Added tests.
54454ba Added generic filtering to ParameterBag.
Discussion
----------
Added generic filtering to ParameterBag.
Adds filtering convenience using PHP's filter_var() e.g.
$request->get->filter($key, '', false, FITLER_SANITIZE_STRING);
See http://php.net/manual/en/filter.filters.php for capabilities.
---------------------------------------------------------------------------
by GromNaN at 2011/09/25 15:41:50 -0700
What is the use case ?
---------------------------------------------------------------------------
by drak at 2011/09/25 15:52:19 -0700
Input variable validation/sanitization. ParameterBag has a few built in like `getAlnum()` for example. This method offer's PHP's full filtering and sanitization suite.
---------------------------------------------------------------------------
by fabpot at 2011/09/27 00:56:41 -0700
Can you add some unit tests for this new feature?
---------------------------------------------------------------------------
by drak at 2011/09/27 00:58:56 -0700
Sure thing.
---------------------------------------------------------------------------
by drak at 2011/09/27 01:07:03 -0700
Before I make the commit, is the method name ok for you or would you prefer it is called `getFiltered()`?
---------------------------------------------------------------------------
by fabpot at 2011/09/27 01:13:46 -0700
`filter` sounds good to me.
---------------------------------------------------------------------------
by drak at 2011/09/27 02:37:01 -0700
I've added some tests.
---------------------------------------------------------------------------
by stloyd at 2011/09/27 02:42:42 -0700
@drak IMO you must check that user don't use unknown filter and/or flags for filter.
---------------------------------------------------------------------------
by drak at 2011/09/27 02:48:38 -0700
@stloyd - I'm not sure that's practical at all, this is a wrapper for a built-in PHP function and I don't understand why we would need validate arguments for a PHP function - it's the coder's job to use the API correctly - none of the inputs to this function are coming from a web request. It would also mean that the API would need to keep track of any upstream changes to constants in the PHP engine (which are just integers after all). It's really just not practical.
---------------------------------------------------------------------------
by stealth35 at 2011/09/27 05:16:50 -0700
@drak it's could be cool to use `filter_id` ✌️
if (is_string) {
$filter = filter_id($filter);
}
---------------------------------------------------------------------------
by drak at 2011/09/27 07:05:42 -0700
@stealth35 regarding this
if (is_string) {
$filter = filter_id($filter);
}
I believe strongly in the use of IDEs when coding and autocomplete nicely provides when you type `FILTER_`. Additionally, `filter_id()` only works on filters, but not for the flags, so I'm not entirely sure how useful it would be overall compared to using a good IDE (which you need when working with complex frameworks anyhow, imo :)
---------------------------------------------------------------------------
by drak at 2011/09/27 07:30:10 -0700
Ok check it now.
Commits
-------
d675c28 [FrameworkBundle] Use Router instead of RouterInterface
ae7ae8d [FrameworkBundle] Moved router_listener from web to router.xml since it depends on the router
35a9023 [FrameworkBundle] Added isEnabled to Router commands, fixes#1467536d979 [Console] Added Command::isEnabled method that defines whether to add the command or not
Discussion
----------
[2.1] [Console] Added Command::isEnabled method
This addresses #1467.
The idea is to allow commands to evaluate whether they can run or not, since they are automatically registered.
- It's useful for the two router:* commands since they're optional (router can be disabled), but part of the FrameworkBundle that is not really optional.
- It could be useful for third party code as well.
- It's BC.
- aa95bb0d395810b29a3e654673e130736d9d1080 should address the issue in #1467, while the other commits just make sure the command is not registered at all if the router isn't standard.
One issue remains though:
- A few other services like twig helpers get the `ròuter` injected, this means that if there is really **no** router service defined, there is still an error. I'm not sure how to fix those beyond adding `on-invalid="null"` but I'm not sure if that's desirable. I guess we could argue that the router is a big candidate for replacement/suppression, and as such it should be truly optional, but if we do it I don't know where it'll lead. I don't want to end up in a situation where half the dependencies are optional to support every possible combination. @fabpot wdyt?
---------------------------------------------------------------------------
by kriswallsmith at 2011/06/28 16:19:46 -0700
I'd rather see us not register a command instead of register and then disable it. Can we do the same thing you've done here in the bundle's registerCommands() method?
---------------------------------------------------------------------------
by Seldaek at 2011/06/28 16:51:36 -0700
Note that it's never really registered. During the registration it's checked and skipped if not enabled.
However, doing it as you suggest means overriding/copy-pasting all the code from the core Bundle class, which I don't like so much. It also means adding code specific to those two commands in a somewhat unrelated place, which I also don't like.
I'm not saying the current solution is perfect, but from the alternatives I considered, it's the best I have found.
---------------------------------------------------------------------------
by stof at 2011/09/04 04:58:04 -0700
@Seldaek your branch conflicts with master. could you rebase it ?
@fabpot what do you think about this PR ?
---------------------------------------------------------------------------
by Seldaek at 2011/09/04 08:39:05 -0700
Rebased
Commits
-------
6555e28 Remove unnecessary use statement
369f181 [FrameworkBundle] Add request scope to assets helper only if needed
d6b915a [FrameworkBundle] Assets templating helper does not need request scope
Discussion
----------
[FrameworkBundle] Assign request scope to assets helper only if needed
**Note**: This PR replaces #2218
I traced this request scope addition back to [an old commit](d9f5c99fab (commitcomment-597654)) from @kriswallsmith.
No other helpers have request scope and the assets helper's parameters don't appear to depend on the request in any way, so this appears to be unnecessary. As-is, request scope here prevents use of the assets helper from a console command that may need to internally render a template.
---------------------------------------------------------------------------
by fabpot at 2011/09/20 08:10:48 -0700
There is probably a reason why it was set to the request scope (just run the unit tests ;)).
---------------------------------------------------------------------------
by jmikola at 2011/09/20 08:22:46 -0700
Doh! Didn't even think to do that for such a small change.
I will investigate further. Do you have any idea how one can generate templates (which call the `asset()` function) during a console script?
---------------------------------------------------------------------------
by fabpot at 2011/09/20 08:33:22 -0700
Apparently, something depends on the Request somewhere. We need to find what needs the Request and determine if this is legitimate or not.
---------------------------------------------------------------------------
by henrikbjorn at 2011/09/20 09:25:05 -0700
https://github.com/symfony/symfony/blob/master/src/Symfony/Bundle/FrameworkBundle/Templating/Asset/PathPackage.php#L33
---------------------------------------------------------------------------
by jmikola at 2011/09/20 10:40:23 -0700
Thanks @henrikbjorn. So, it appears the default behavior of the asset helper is to use the request path as the base URL for assets. In my particular case, I didn't get this scope-widening exception at runtime because I use `assets_base_urls`, which results in the request-independent UrlPackage being injected instead of PathPackage.
This is tricky. I think there's definitely a use case for folks rendering templates outside of a request. Sending HTML emails via some console command is perhaps the most common example. Also, if those developers are not using a CDN, they likely won't think of using `assets_base_urls` at all. Unfortunately, that appears to be the only configuration option where the site's domain is specified (outside of, say, a session domain).
---------------------------------------------------------------------------
by lsmith77 at 2011/09/20 10:45:42 -0700
So do we need 2 services?
---------------------------------------------------------------------------
by jmikola at 2011/09/20 10:52:02 -0700
Well, we actually already have two services. I think that's why PathPackages and UrlPackages are distinct. The issue is that the asset helper has been assigned the request scope to accommodate to satisfy the most restrictive possibility.
I don't think two separate asset helpers would help the developer, even if it'd let us get passing tests.
Also, there is a very real use case here that I wasn't struggling with. You want to render templates with asset paths outside of a request (from a console command). In that case, you need a base URL, but where do you get that from?
Has anyone else encountered that requirement? I know we definitely did at OpenSky, and now at Exercise.com.
---------------------------------------------------------------------------
by jmikola at 2011/09/22 20:14:37 -0700
Had a chat with @kriswallsmith today. We brainstormed and came up with the idea of simply adding `strict="false"` to the request arguments of these templating services. That would disable the premature scope exception, but lead to different kind of error if the user attempted to call `asset()` when using a PathPackage (no `asset_base_urls` and no UrlPackage in play).
The PathPackage class in the templating component obviously has no request dependency -- just the FrameworkBundle version. I started modifying FrameworkBundle's PathPackage to make the Request usage optional (if it's not available, an empty base path is provided to the parent constructor, which actually works fine).
In the course of implementing that, I made the request argument `strict="false" on-invalid="null"` and encountered some strange behavior (possibly a bug) where the PathPackage service generated in FrameworkExtension via the DefinitionDecorator was not inheriting the strict/invalid properties. If I removed `on-invalid="null", strictness was inherited just fine. I'm going to continue looking into this, but at this point it seems like that may be a separate PR if it is, indeed, a bug.
Just going to paste my chat transcript with Kris here for some extra context:
```
<jmikola> if you have a moment later, could you chime in on https://github.com/symfony/symfony/pull/2223 ?
<jmikola> it's about using the asset() helper from a console command
<jmikola> i could have sworn we were sending emails like this in opensky, from console commands
<jmikola> doing the same thing for exercise, but the request scope on the asset helper is a cog in the gear
<kris> you don't have base urls configured?
<jmikola> we do
<jmikola> but the service is request-scoped because it doesn't know until runtime if it will be using UrlPackage or PathPackage
<jmikola> and PathPackage depends on the request object
<kris> yeah, it's tricky
<jmikola> so i think the scope was added to handle the most restrictive case
<jmikola> no way around that except to remove the scoping at runtime i suppose
<kris> we can tweak the scope in a compilation pass
<kris> but that could create some wtfs
<jmikola> why?
<jmikola> because some asset() calls might specify a package name?
<jmikola> without base_url's?
<kris> what about setting strict to false?
<jmikola> i haven't played with package names but i think that's how it works
<jmikola> ah, what's the problem with that again? i know it disables the exception
<jmikola> but if strict is false, what's the benefit of having request scope at all?
<kris> there are a lot of instances of strict="false" in the core
<jmikola> if strict is false, the scope becomes just documentation?
<jmikola> i'm drawing a blank on how that works - i just know strictness turns on the exceptions for widening violations
<kris> right
<kris> it means that helper would no longer be in the request scope, even though it uses a service from the request scope
<kris> i think that would be fine
<jmikola> ah, strict=false goes on the service argument
<jmikola> does that mean we'd apply that to the definition of templating.asset.path_package ?
<kris> yes
<jmikola> or just when PathPackage becomes an argument to the helper?
<jmikola> ok
<kris> whatever uses the request
<jmikola> and this would still cause havoc if I didn't define base_urls and tried to call asset() :)
<jmikola> i suppose in the form of null passed when Request instance expected?
<jmikola> or worse, undefined service request
<kris> right...
<jmikola> ok
<kris> so maybe we need a way to manually define the base path
<jmikola> for PathPackage
<kris> right, i think that's what's in the component
<jmikola> UrlPackage only comes into play if there's 1 or more assets_base_urls defined, right?
<kris> right
<jmikola> i'm looking at it, and am curious what happens if it was constructed with no base urls :)
<jmikola> since there's no checks that the array is full
<jmikola> *non-empty
<jmikola> ah, if it's empty it uses '' as the base Url
<jmikola> Perhaps PathPackage in FrameworkBundle could make the request optional
<jmikola> the core PathPackage does support an empty baseUrl
<jmikola> $basePath rather
<jmikola> it uses "/" by default
<kris> how about a configurator that calls setBasePath() if the container includes a request?
<jmikola> then the service would still need to be request scoped, no?
<jmikola> what it the same service was used on multiple requests
<jmikola> thinking of those trendy php app servers :)
<kris> the service wouldn't use the request
<kris> the configurator would
<kris> but via dic injection
<jmikola> do configurators exist?
<jmikola> i don't think i've seen one, a class with that name is in the DistributionBundle though - probably different
<kris> you can define a configurator on a service
<jmikola> example? is this done via tags?
<kris> it's a callable that will be passed the service before it leaves the container for the first time
<jmikola> so the PathPackage base class in the Templating component has a private basePath, it'd need a setBasePath method added of course
<kris> yeah, that's fine
<jmikola> ah <configurator
<jmikola> can't believe i've never seen this before
<kris> it's an old feature
<kris> and you can only set one for some reason
<jmikola> woah, it's only in test fixtures
<jmikola> nothing actually uses it
<jmikola> yet :)
<jmikola> configurators receive the container as their only argument?
<jmikola> oh, no arguments at all
<kris> they receive the service
<kris> but a configurator can be a service itself
<kris> i would add a base path node to the config
<kris> and disallow using both base path and base urls
<kris> and only use the configurator if the base path isn't explicitly set
<jmikola> now, in this case i'd have the configurator for the PathPackage service be another service that depends on request
<kris> no
<kris> the configurator should depend on the container
<kris> check if there is a request service and use it to set the base path if so
<jmikola> ok, and it's responsible for $pathPackage->setBaseUrl($request->getBasePath()) if the request exists
<jmikola> right
<kris> setBasePath
<jmikola> correct, sorry
<jmikola> i think a base_path and base_url can co-exist
<jmikola> base_url will entail use of the UrlPackage
<jmikola> and base_path is simply the default value for PathPackages
<jmikola> in the absence of the request
<kris> i don't follow
<jmikola> a base_url option in the config would simply be for the case where PathPackage is utilized outside of a request scope (i.e. console command)
<jmikola> sorry, base_path***
<jmikola> assets_base_url is for UrlPackages
<kris> right
<jmikola> ok, so you're saying at the top level, or in the packages prototypes, we'd allow only one or the other
<jmikola> at present, there's only asset_base_url's, so that implies configurations creating only UrlPackages
<kris> add a validation to the Configuration class so you have to choose one or the other
<kris> i don't understand why you would need base_path from the cli
<jmikola> so in this case, absence of either will result in a PathPackage configured based on the current request
<kris> don't you need absolute urls in your emails?
<kris> i'm rethinking
<jmikola> yes, we're using UrlPackages of course
<jmikola> but the request scope ruined this for me
<kris> don't bother with base_path in the config
<kris> just do the configurator
<jmikola> there's still a possibility that someone would generate HTML for on-site use from a console command
<jmikola> perhaps pre-building twig templates or something
<jmikola> your idea made sense i think
<jmikola> even if it's an edge case
<jmikola> granted, most people are perfectly fine with "/" as a default base_path in the absence of a request
<kris> that would be another pr
<jmikola> right
<jmikola> then for now, what about just making the request argument on-invalid null?
<jmikola> and changing PathPackage in the bundle
<jmikola> PathPackage in the component already handles an empty base path itself just fine
<kris> yeah, that's better
<jmikola> on-invalid="null" and strict="false"
<kris> nice
<jmikola> i'm satisifed with the simplicity of that
<jmikola> and will comment about your base_path option idea in my PR for a future task when i get around to it - as that sounded great as well
<jmikola> thanks for talking through this w/ me :)
<kris> np
<jmikola> PackageFactory is the new roadblock, heh
<jmikola> getPackage() { return $this->container->get($request->isSecure() ? $sslId : $httpId); }
<jmikola> :D
<kris> oh yeah
<jmikola> should i utilize the same logic? default to non-ssl?
<jmikola> i'm actually curious how gmail handles references to http:// assets embedded in its emails
<jmikola> i suppose it renders message bodies in iframes
<kris> then it would be impossible to render https asset urls without a request
<jmikola> wouldn't it default to the http url?
<kris> right
<kris> but what if you only have https base urls configured?
<jmikola> if you break them into http and https blocks, it'd be a problem
<kris> i think it always uses https if you only have https urls configured
<jmikola> otherwise, the shorthand notation sorts them for you
<jmikola> and all https urls are available to http
<jmikola> ah, you're correct
<jmikola> FrameworkExtension::createPackageDefinition
```
---------------------------------------------------------------------------
by jmikola at 2011/09/26 10:39:00 -0700
@fabpot: I believe I reached an agreeable solution, so please review when you get a chance.
I removed any `strict` and `on-invalid` trickery (ideas I was discussing with Kris) and decided to only apply request scoping to the assets helper if one or more of its injected packages (default or named) is request scoped.
This satisfies my requirements, as I had absolute base URL's defined for both HTTP and SSL protocols. It also leaves the current scope exceptions in place if, for instance, someone only defined an HTTP base URL and FrameworkBundle ended up creating a PathPackage for their SSL assets. I go into detail about this more in my second commit, and I think the added tests help explain this as well.
---------------------------------------------------------------------------
by jmikola at 2011/09/26 16:56:30 -0700
Something screwed up earlier and this PR's branch included all commits in `symfony/master`. I just cleaned things up.
Builds upon aead4a9836180cabae4d47fe27c634dcd79ac8f2, which prematurely removed request scoping from the assets templating helper in all cases. The helper need only be request-scoped if one or more request-scoped packages (e.g. PathPackages) are injected into it. This change makes it possible to utilize the assets helper outside of a request (e.g. during a console script).
To ensure that the assets helper is not assigned a request scope, all asset base URL's must be defined for all packages (default and any named) and both protocols: HTTP and SSL. The included test config fixtures concisely accomplish this by specifying a single HTTPS URL as the base URL for our default and named package, since FrameworkExtension's Configuration conveniently registers this URL for both protocols.
No other helpers have request scope and the assets helper's parameters don't appear to depend on the request in any way, so this appears to be unnecessary. As-is, request scope here prevents use of the assets helper from a console command that may need to internally render a template.
Commits
-------
85ed5c6 [ClassLoader] Fixed state when trait_exists doesn't exists
Discussion
----------
[ClassLoader] Fixed state when trait_exists doesn't exists
Just for consistency of throwing exceptions in the ClassCollectionLoader. (An exception would be thrown in the next step by the ReflectionClass.)
Adds filtering convenience using PHP's filter_var() e.g.
`$request->get->filter($key, '', false, FITLER_SANITIZE_STRING);`
See http://php.net/manual/en/filter.filters.php for capabilities.
* 2.0:
bumped Symfony version to 2.0.3-DEV
updated VERSION for 2.0.2
update CONTRIBUTORS for 2.0.2
updated CHANGELOG for 2.0.2
updated vendors for 2.0.2
merged branch helmer/target_path (PR #2228)
Commits
-------
022a9a7 [Security] Make saving target_path extendible
Discussion
----------
[Security] Make saving target_path extendible
The problem lies in how Security component handles ``target_path`` - the latest request URI is always stored. This can lead to problems in following scenarios:
a) The response type of the request is not HTML (think JSON, XML ..)
b) The URI matches a route that does not listen to HTTP GET
I opened a [PR](https://github.com/symfony/symfony/pull/604) months ago, to partly solve scenario A, which did not make it. Now I am proposing a different solution - user can extend ``ExceptionListener`` and override the logic behind setting the ``target_path`` to match his precise needs.
In my simplified scenario, I would be using:
```
protected function setTargetPath(Request $request)
{
if ($request->isXmlHttpRequest() || 'GET' !== $request->getMethod()) {
return;
}
$request->getSession()->set('_security.target_path', $request->getUri());
}
```
@Seldaek, @schmittjoh, @lsmith77, thoughts?
---------------------------------------------------------------------------
by Seldaek at 2011/09/21 02:37:02 -0700
Seems like a better solution for flexibility's sake. Would be quite awesome if you could add a cookbook entry to symfony/symfony-docs about this, otherwise I'm afraid we'll have to explain it over and over again :)
---------------------------------------------------------------------------
by helmer at 2011/09/21 03:38:57 -0700
[Cookbook](b22c5e666e) entry done. Perhaps though I rushed ahead ..
---------------------------------------------------------------------------
by Seldaek at 2011/09/21 03:52:01 -0700
Thanks. You can already do a pull request against symfony-docs, just reference this pull request in it so it's not merged before this is merged.
Commits
-------
67c33a8 Rebased with master, and fixed wrong behavior with proper tests coverage
f8a6a4b Be sure that both fields have same value for required option in RepeatedType
0679220 Additional test coverage for changes in RepeatedType
b23d47d moved options test form from class->method scope
5fe5556 fixed accidental permission change
a969434 [Form] fixed CS, merged options, added tests
8819db3 [Form] Allow setting different options to repeating fields
Discussion
----------
[2.1] [Form] Allow setting different options at RepeatedType fields
This an test covered version of #1348 (rebased with master).
---------------------------------------------------------------------------
by stloyd at 2011/06/27 04:18:19 -0700
@fabpot What do you think about this ? I'm just not sure that we should allow setting `required` per field, IMO better would be forcing this option from default `$options['options']` and ignore that field in `$options['first_options']` and/or `$options['second_options']`.
---------------------------------------------------------------------------
by stloyd at 2011/07/02 00:00:04 -0700
@fabpot ping.
---------------------------------------------------------------------------
by fabpot at 2011/07/06 05:45:56 -0700
Let's discuss this new feature for 2.1.
---------------------------------------------------------------------------
by stloyd at 2011/08/24 01:12:59 -0700
Rebased with master.
---------------------------------------------------------------------------
by stof at 2011/09/04 05:02:42 -0700
@fabpot What do you think about this feature ? It is now time to discuss it :)
---------------------------------------------------------------------------
by fabpot at 2011/09/22 00:18:29 -0700
Tests do not pass.
---------------------------------------------------------------------------
by stloyd at 2011/09/24 01:54:42 -0700
@fabpot Should be ok now.
