* 2.8:
fixed obsolete getMock() usage
fixed obsolete getMock() usage
[WebProfilerBundle] Display multiple HTTP headers in WDT
do not remove the Twig ExceptionController service
removed obsolete condition
do not try to register incomplete definitions
* 2.8:
[Twig] Fix deprecations with Twig 1.29
Fixed typo
Fix email address
fix the docblock in regard to the role argument
[VarDumper] fix tests when xdebug is enabled
Fix merge
[Cache] Fix dumping SplDoublyLinkedList iter mode
[Console] fixed PHP7 Errors when not using Dispatcher
Regression test for missing controller arguments
fix a test checking for a value
[Form][DX] FileType "multiple" fixes
fixed CS
[TwigBundle] Fix twig loader registered twice
[WebProfilerBundle] Fix dump block is unfairly restrained
[Console] Fix wrong handling of multiline arg/opt descriptions
[DependencyInjection] PhpDumper.php: hasReference() should not search references in lazy service arguments.
[Form] fixed "empty_value" option deprecation
Cast result to int before adding to it
* 2.7:
Regression test for missing controller arguments
fix a test checking for a value
[Form][DX] FileType "multiple" fixes
fixed CS
[TwigBundle] Fix twig loader registered twice
[Console] Fix wrong handling of multiline arg/opt descriptions
[DependencyInjection] PhpDumper.php: hasReference() should not search references in lazy service arguments.
[Form] fixed "empty_value" option deprecation
This PR was squashed before being merged into the 2.7 branch (closes#20418).
Discussion
----------
[Form][DX] FileType "multiple" fixes
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/issues/12547
| License | MIT
| Doc PR | -
# (1st) Derive "data_class" option from passed "multiple" option
Information
-------------
Following this tutorial ["How to Upload Files"][1] but storing many `brochures` instead of one, i.e.:
```php
// src/AppBundle/Entity/Product.php
class Product
{
/**
* @var string[]
*
* @ORM\Column(type="array")
*/
private $brochures;
//...
}
```
```php
//src/AppBundle/Form/ProductType.php
$builder->add('brochures', FileType::class, array(
'label' => 'Brochures (PDF files)',
'multiple' => true,
));
```
The Problem
--------------
I found a pain point here when the form is loaded again after save some brochures (Exception):
> The form's view data is expected to be an instance of class Symfony\Component\HttpFoundation\File\File, but is a(n) array. You can avoid this error by setting the "data_class" option to null or by adding a view transformer that transforms a(n) array to an instance of Symfony\Component\HttpFoundation\File\File.
The message is very clear, but counter-intuitive in this case, because the form field (`FileType`) was configured with `multiple = true`, so IMHO it shouldn't expect a `File` instance but an array of them at all events.
The PR's effect
---------------
**Before:**
```php
$form = $this->createFormBuilder($product)
->add('brochures', FileType::class, [
'multiple' => true,
'data_class' => null, // <---- mandatory
])
->getForm();
```
**After:**
```php
$form = $this->createFormBuilder($product)
->add('brochures', FileType::class, [
'multiple' => true,
])
->getForm();
```
# (2nd) Return empty `array()` at submit no file
Information
-------------
Based on the same information before, but adding some constraints:
```php
// src/AppBundle/Entity/Product.php
use Symfony\Component\Validator\Constraints as Assert;
class Product
{
/**
* @var string[]
*
* @ORM\Column(type="array")
*
* @Assert\Count(min="1") // or @Assert\NotBlank()
* @Assert\All({
* @Assert\File(mimeTypes = {"application/pdf", "application/x-pdf"})
* })
*
*/
private $brochures;
}
```
This should require at least one file to be stored.
The Problem
--------------
But, when no file is uploaded at submit the form, it's valid completely. The submitted data for this field was `array(null)` so the constraints pass without any problem:
* `@Assert\Count(min="1")` pass! because contains at least one element (No matter what)
* `@Assert\NotBlank()` it could pass! because no `false` and no `empty()`
* `@Assert\File()` pass! because the element is `null`
Apart from that really we expecting an empty array instead.
The PR's effect
----------------
**Before:**
```php
// src/AppBundle/Entity/Product.php
use Symfony\Component\Validator\Constraints as Assert;
class Product
{
/**
* @var string[]
*
* @ORM\Column(type="array")
*
* @Assert\All({
* @Assert\NotBlank,
* @Assert\File(mimeTypes = {"application/pdf", "application/x-pdf"})
* })
*
*/
private $brochures;
}
```
**After:**
```php
// src/AppBundle/Entity/Product.php
use Symfony\Component\Validator\Constraints as Assert;
class Product
{
/**
* @var string[]
*
* @ORM\Column(type="array")
*
* @Assert\Count(min="1") // or @Assert\NotBlank
* @Assert\All({
* @Assert\File(mimeTypes = {"application/pdf", "application/x-pdf"})
* })
*
*/
private $brochures;
}
```
[1]: http://symfony.com/doc/current/controller/upload_file.html
Commits
-------
36b7ba6 [Form][DX] FileType "multiple" fixes
* 2.8:
[ci] Testing with UTC hides bugs
[DI] Fix error when trying to resolve a DefinitionDecorator
[DoctrineBridge] Fix deprecation message/documentation of implementing UserProviderInterface using the entity provider
[Validator] improve and added more Indonesian translation.
* 2.7:
[ci] Testing with UTC hides bugs
[DI] Fix error when trying to resolve a DefinitionDecorator
[Validator] improve and added more Indonesian translation.
* 2.8:
[TwigBridge] fix tests
Tag the FormFieldRegistry as being internal
[Form] Fix Date\TimeType marked as invalid on request with single_text and zero seconds
[Validator] Added missing swedish translation
[TranslationDebug] workaround for getFallbackLocales.
[Translation] fixed nested fallback catalogue using multiple locales.
fixed phpdoc
[Command] Fixed method comments as phpDoc syntax
Added single quotes for upgrade guides.
* 2.7:
[TwigBridge] fix tests
Tag the FormFieldRegistry as being internal
[Form] Fix Date\TimeType marked as invalid on request with single_text and zero seconds
[Validator] Added missing swedish translation
[TranslationDebug] workaround for getFallbackLocales.
[Translation] fixed nested fallback catalogue using multiple locales.
fixed phpdoc
[Command] Fixed method comments as phpDoc syntax
This PR was squashed before being merged into the 2.7 branch (closes#20307).
Discussion
----------
[Form] Fix Date\TimeType marked as invalid on request with single_text and zero seconds
| Q | A |
| --- | --- |
| Branch? | 2.7 |
| Bug fix? | yes |
| New feature? | no |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | 20304 |
| License | MIT |
| Doc PR | |
Fix: When using a form with an Time type with option 'widget' => 'single_text', and 0 is selected in the seconds, we obtain an TransformationFailedException "Unable to reverse value for property path "[time]": Data missing". Check ticket #20304
Commits
-------
bcb03e0 [Form] Fix Date\TimeType marked as invalid on request with single_text and zero seconds
* 2.8:
[TwigBridge] removed deprecations added in Twig 1.27
PHP CS Fixer: use php_unit_dedicate_assert
3.0 Upgrade Guide: Added details describing how to pass data to a form through the options resolver
fixed Filesystem:makePathRelative and added 2 more testcases
no 304 response if method is not cacheable
move tags from decorated to decorating service
* 2.7:
[TwigBridge] removed deprecations added in Twig 1.27
PHP CS Fixer: use php_unit_dedicate_assert
fixed Filesystem:makePathRelative and added 2 more testcases
no 304 response if method is not cacheable
move tags from decorated to decorating service
* 2.8:
[travis/appveyor] Wire simple-phpunit
[Console] fixed PHP7 Errors are now handled and converted to Exceptions
Fix#19721
Fix translation:update command count
bumped Symfony version to 2.8.12
updated VERSION for 2.8.11
updated CHANGELOG for 2.8.11
bumped Symfony version to 2.7.19
updated VERSION for 2.7.18
update CONTRIBUTORS for 2.7.18
updated CHANGELOG for 2.7.18
[Security] Optimize RoleHierarchy's buildRoleMap method
* 2.7:
[travis/appveyor] Wire simple-phpunit
[Console] fixed PHP7 Errors are now handled and converted to Exceptions
Fix#19721
bumped Symfony version to 2.7.19
updated VERSION for 2.7.18
update CONTRIBUTORS for 2.7.18
updated CHANGELOG for 2.7.18
[Security] Optimize RoleHierarchy's buildRoleMap method
* 2.7:
[FrameworkBundle] Fix Incorrect line break in exception message (500 debug page)
Minor cleanups and improvements
[form] lazy trans `post_max_size_message`.
[DI] Fix setting synthetic services on ContainerBuilder
[ClassLoader] Fix ClassCollectionLoader inlining with declare(strict_types=1)
* 2.8:
[FrameworkBundle] Check for class existence before is_subclass_of
Update GroupSequence.php
Code enhancement and cleanup
[Form] Fix transformer tests after the ICU update
[DI] Add anti-regression test
Revert "minor #19689 [DI] Cleanup array_key_exists (ro0NL)"
bumped Symfony version to 2.8.11
updated VERSION for 2.8.10
updated CHANGELOG for 2.8.10
[BrowserKit] Fix cookie expiration on 32 bit systems
bumped Symfony version to 2.7.18
updated VERSION for 2.7.17
update CONTRIBUTORS for 2.7.17
updated CHANGELOG for 2.7.17
Update misleading comment about RFC4627
* 2.7:
[FrameworkBundle] Check for class existence before is_subclass_of
Update GroupSequence.php
Code enhancement and cleanup
[DI] Add anti-regression test
Revert "minor #19689 [DI] Cleanup array_key_exists (ro0NL)"
[BrowserKit] Fix cookie expiration on 32 bit systems
bumped Symfony version to 2.7.18
updated VERSION for 2.7.17
update CONTRIBUTORS for 2.7.17
updated CHANGELOG for 2.7.17
Update misleading comment about RFC4627
* 2.8:
[VarDumper] Various minor fixes & cleanups
Revert "bug #18935 [Form] Consider a violation even if the form is not submitted (egeloen)"
[HttpKernel] Add missing SsiFragmentRendererTest
[DoctrineBridge] Fix exception message and tests after misresolved merge
Fixes the calendar in constructor to handle null
* 2.7:
[VarDumper] Various minor fixes & cleanups
Revert "bug #18935 [Form] Consider a violation even if the form is not submitted (egeloen)"
[HttpKernel] Add missing SsiFragmentRendererTest
Fixes the calendar in constructor to handle null
* 2.8:
[Routing] Add missing options in docblock
[VarDumper] Fix dumping continuations
[HttpFoundation] fixed Request::getContent() reusage bug
[Form] Skip CSRF validation on form when POST max size is exceeded
Enhance the phpDoc return types so IDEs can handle the configuration tree.
fixes
Remove 3.0 from branch suggestions for fixes in PR template
[Process] Strengthen Windows pipe files opening (again...)
Fix#19531 [Form] DateType fails parsing when midnight is not a valid time
* 2.7:
[Routing] Add missing options in docblock
[VarDumper] Fix dumping continuations
[HttpFoundation] fixed Request::getContent() reusage bug
[Form] Skip CSRF validation on form when POST max size is exceeded
Enhance the phpDoc return types so IDEs can handle the configuration tree.
fixes
Remove 3.0 from branch suggestions for fixes in PR template
[Process] Strengthen Windows pipe files opening (again...)
Fix#19531 [Form] DateType fails parsing when midnight is not a valid time
This PR was squashed before being merged into the 2.7 branch (closes#19373).
Discussion
----------
[Form] Skip CSRF validation on form when POST max size is exceeded
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #19140
| License | MIT
| Doc PR | N/A
In #19140 the CSRF validation listener was not aware that the POST max size had exceeded, and was adding a form error message that wasn't relevant to the actual error.
This introduces the `ServerParams` utility class into the `CsrfValidationListener` and checks that the POST max size has not been exceeded. If it has then it won't bother trying to validate the CSRF token.
My main concern with this change is that it opens up an attack vector around tokens, but I've encapsulated the request size validation in a single method in `ServerParams` now so that the request handlers are using the same logic.
Commits
-------
289531f [Form] Skip CSRF validation on form when POST max size is exceeded
