Commit Graph

2773 Commits

Author SHA1 Message Date
Nicolas Grekas
3c3db2f14a [Contracts][EventDispatcher] add EventDispatcherInterface to symfony/contracts and use it where possible 2019-03-25 18:18:00 +01:00
Christian Flothmann
2d3f2b7a74 undeprecate the RoleHierarchyInterface
Instead of deprecating the interface it is sufficient to deprecate its
getReachableRoles() method and add a new getReachableRoleNames() method
in Symfony 5.
2019-03-22 16:40:58 +01:00
Fabien Potencier
522594a69d Merge branch '4.2'
* 4.2:
  [Phpunit] fixed support for PHP 5.3
  Response prepare method update
  [Workflow] Added missing license header
  Fix case when multiple loaders are providing paths for the same namespace
  Check if Client exists when test.client does not exist, to provide clearer exception message
  throw TypeErrors to prepare for type hints in 5.0
  [Form] Preventing validation of children if parent with Valid constraint has no validation groups
  [Form] Added ResetInterface to CachingFactoryDecorator
  Remove deprecated usage
  [Tests] fixed compatibility of assertEquals(): void
  Fixed usage of TranslatorInterface in form extension (fixes #30591)
  [Intl][4.2] Fix test
  [Intl] Fix test
  [Validator] Add the missing translations for the Arabic (ar) locale
  [Intl] Add compile binary
  Fix DebugCommand when chain loader is involved
  [Form] Fixed some phpdocs
2019-03-22 09:16:47 +01:00
Fabien Potencier
7e30c971ab fixed CS 2019-03-22 07:07:54 +01:00
Fabien Potencier
1479a26a0b feature #28920 [EventDispatcher] swap arguments of dispatch() to allow registering events by FQCN (nicolas-grekas)
This PR was merged into the 4.3-dev branch.

Discussion
----------

[EventDispatcher] swap arguments of dispatch() to allow registering events by FQCN

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | yes
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

PR green and ready. From UPGRADE files:

EventDispatcher
---------------

 * The signature of the `EventDispatcherInterface::dispatch()` method should be updated to `dispatch($event, string $eventName = null)`, not doing so is deprecated

HttpKernel
----------

 * Renamed `FilterControllerArgumentsEvent` to `ControllerArgumentsEvent`
 * Renamed `FilterControllerEvent` to `ControllerEvent`
 * Renamed `FilterResponseEvent` to `ResponseEvent`
 * Renamed `GetResponseEvent` to `RequestEvent`
 * Renamed `GetResponseForControllerResultEvent` to `ViewEvent`
 * Renamed `GetResponseForExceptionEvent` to `ExceptionEvent`
 * Renamed `PostResponseEvent` to `TerminateEvent`

Security
---------

 * The `ListenerInterface` is deprecated, turn your listeners into callables instead.
 * The `Firewall::handleRequest()` method is deprecated, use `Firewall::callListeners()` instead.

Commits
-------

75369dabb8 [EventDispatcher] swap arguments of dispatch() to allow registering events by FQCN
2019-03-20 13:34:13 +01:00
Christian Flothmann
f18751bd98 throw TypeErrors to prepare for type hints in 5.0 2019-03-19 22:07:50 +01:00
Nicolas Grekas
b7e798ef74 Merge branch '4.2'
* 4.2:
  Fix Cache error while using anonymous class
  [Cache] fix LockRegistry
  Update validators.cs.xlf
  Make translations consistent with other translations.
  Correct language code for ukrainian language in security translations.
  Fix return type of Request::getRequestFormat
  [Cache] Fix perf when using RedisCluster by reducing roundtrips to the servers
2019-03-15 14:38:03 +01:00
Nicolas Grekas
75369dabb8 [EventDispatcher] swap arguments of dispatch() to allow registering events by FQCN 2019-03-14 08:32:46 +01:00
Nicolas Grekas
8907650424 Merge branch '3.4' into 4.2
* 3.4:
  Make translations consistent with other translations.
  Correct language code for ukrainian language in security translations.
  Fix return type of Request::getRequestFormat
  [Cache] Fix perf when using RedisCluster by reducing roundtrips to the servers
2019-03-13 17:19:01 +01:00
Stanislav Kocanda
b86fa9312b Correct language code for ukrainian language
in security translations.
2019-03-13 15:34:24 +01:00
Fabien Potencier
6c4ab8942e fixed CS 2019-03-04 10:20:13 +01:00
Nicolas Grekas
05d6475c5e Drop more usages of Serializable 2019-03-04 09:45:35 +01:00
Fabien Potencier
d2e9a7051f feature #22048 [Security] deprecate the Role and SwitchUserRole classes (xabbuh)
This PR was merged into the 4.3-dev branch.

Discussion
----------

[Security] deprecate the Role and SwitchUserRole classes

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | yes
| Tests pass?   | yes
| Fixed tickets | #20824
| License       | MIT
| Doc PR        | symfony/symfony-docs#11047

In #20801, we deprecated the `RoleInterface`. The next logical step would be to also deprecate the `Role` class. However, we currently have the `SwitchUserRole` class (a sub-class of `Role`) that acts as an indicator to check whether or not the authenticated user switched to another user.

This PR proposes an alternative solution to the usage of the special `SwitchUserRole` class by storing the original token inside the `UsernamePasswordToken`. This PR is not complete, but rather acts as a proof of concept of how we could get rid of the `Role` and the `SwitchUserRole` classes.

Please share your opinions whether you think this is a valid approach and I will be happy to finalise the PR.

Commits
-------

d7aaa615b9 deprecate the Role and SwitchUserRole classes
2019-02-25 17:04:33 +01:00
Nicolas Grekas
a0c566504c Merge branch '4.2'
* 4.2: (26 commits)
  Apply php-cs-fixer rule for array_key_exists()
  [Cache] fix warming up cache.system and apcu
  [Security] Change FormAuthenticator if condition
  handles multi-byte characters in autocomplete
  speed up tests running them without debug flag
  [Translations] added missing Croatian validators
  Fix getItems() performance issue with RedisCluster (php-redis)
  [VarDumper] Keep a ref to objects to ensure their handle cannot be reused while cloning
  IntegerType: reject submitted non-integer numbers
  be keen to newcomers
  [HttpKernel] Fix possible infinite loop of exceptions
  fixed CS
  [Validator] Added missing translations for Afrikaans
  do not validate non-submitted form fields in PATCH requests
  Update usage example in ArrayInput doc block.
  [Console] Prevent ArgvInput::getFirstArgument() from returning an option value
  [Validator] Fixed duplicate UUID
  fixed CS
  [EventDispatcher] Fix unknown priority
  Avoid mutating the Finder when building the iterator
  ...
2019-02-23 16:22:31 +01:00
Nicolas Grekas
87f3c36d60 Merge branch '3.4' into 4.2
* 3.4: (24 commits)
  Apply php-cs-fixer rule for array_key_exists()
  [Security] Change FormAuthenticator if condition
  handles multi-byte characters in autocomplete
  speed up tests running them without debug flag
  [Translations] added missing Croatian validators
  Fix getItems() performance issue with RedisCluster (php-redis)
  [VarDumper] Keep a ref to objects to ensure their handle cannot be reused while cloning
  IntegerType: reject submitted non-integer numbers
  be keen to newcomers
  [HttpKernel] Fix possible infinite loop of exceptions
  fixed CS
  [Validator] Added missing translations for Afrikaans
  do not validate non-submitted form fields in PATCH requests
  Update usage example in ArrayInput doc block.
  [Console] Prevent ArgvInput::getFirstArgument() from returning an option value
  [Validator] Fixed duplicate UUID
  fixed CS
  [EventDispatcher] Fix unknown priority
  Avoid mutating the Finder when building the iterator
  [Validator] Add the missing translations for the Greek (el) locale
  ...
2019-02-23 16:17:42 +01:00
Nicolas Grekas
b0a3208588 Apply php-cs-fixer rule for array_key_exists() 2019-02-23 16:06:07 +01:00
Patrick Reimers
67ae121b2e [Security] Change FormAuthenticator if condition 2019-02-23 15:32:34 +01:00
Christian Flothmann
d7aaa615b9 deprecate the Role and SwitchUserRole classes 2019-02-23 00:57:00 +01:00
Philipp Cordes
3a22cad29b Fix infinite recursion when passed an empty string 2019-02-19 23:14:55 +01:00
Nicolas Grekas
374c8b0063 Merge branch '4.2'
* 4.2:
  [Console] Fix command testing with missing inputs
  [Validator] Sync no/nb translation files
  [Translation] Added a script to display the status of translations
  [Validator] Added missing translations for Norwegian (\"no\") locale #30179
  [Security\Guard] bump lowest version of security-core
  [TwigBridge] Fix test
  Remove unnecessary ProgressBar stdout writes (fixes flickering)
  [Validator] improve translations for albanian ("sq") locale
  [VarDumper] fix serializing Stub instances
  [Validator] Added missing use statement for UnexpectedTypeException
  Don't resolve the Deprecation error handler mode until a deprecation is triggered
  bug #30245 fix lost namespace in eval (fizzka)
  fix lost namespace in eval
  [Twig] removed usage of non-namespaced classes
  added missing dot
  Update validators.lt.xlf
  #30172 Add the missing validation translations for the Luxembourgish …
  [Debug][ErrorHandler] Preserve next error handler
2019-02-19 19:29:52 +01:00
Nicolas Grekas
890c2ac9f5 Merge branch '3.4' into 4.2
* 3.4:
  [Console] Fix command testing with missing inputs
  [Validator] Sync no/nb translation files
  [Translation] Added a script to display the status of translations
  [Validator] Added missing translations for Norwegian (\"no\") locale #30179
  [Security\Guard] bump lowest version of security-core
2019-02-19 19:28:05 +01:00
Nicolas Grekas
93cfd5b2a0 [Security\Guard] bump lowest version of security-core 2019-02-17 23:00:14 +01:00
Fabien Potencier
3c2dc44af6 Merge branch '4.2'
* 4.2: (25 commits)
  Add missing ID_id validators translation
  fixed CS
  Added missing translations in validators.tr.xlf
  Update validators.es.xlf
  Update validators.hu.xlf
  [Validator] Add the missing translations for the Welsh (cy) locale
  [Validator] Add missing DE validator translations
  [Validator] Add the missing translations for the Dutch (nl) locale
  Add missing PL translation
  Add missing translations.
  Add missing translations for IT to Validator
  minor #30184 [Validator] Add the missing translations for the Russian (ru) locale (antonch1989)
  [Validator] Add the missing translations for the Arabic (ar) locale
  add_missing_translations_for_portuguese : [Validator] Add the missing translations for the Portuguese ("pt") locale
  [Validator] Add the missing translations for the French (fr) locale
  [Validator] Add some missing contents to the English translation
  use PropertyAccessorInterface instead of PropertyAccessor
  Fix KernelTestCase compatibility for PhpUnit 8 (bis)
  add xabbuh as code owner of the Form component
  [Validator] Added a missing translation
  ...
2019-02-12 21:07:40 +01:00
Fabien Potencier
1614a52b28 Merge branch '3.4' into 4.2
* 3.4: (25 commits)
  Add missing ID_id validators translation
  fixed CS
  Added missing translations in validators.tr.xlf
  Update validators.es.xlf
  Update validators.hu.xlf
  [Validator] Add the missing translations for the Welsh (cy) locale
  [Validator] Add missing DE validator translations
  [Validator] Add the missing translations for the Dutch (nl) locale
  Add missing PL translation
  Add missing translations.
  Add missing translations for IT to Validator
  minor #30184 [Validator] Add the missing translations for the Russian (ru) locale (antonch1989)
  [Validator] Add the missing translations for the Arabic (ar) locale
  add_missing_translations_for_portuguese : [Validator] Add the missing translations for the Portuguese ("pt") locale
  [Validator] Add the missing translations for the French (fr) locale
  [Validator] Add some missing contents to the English translation
  use PropertyAccessorInterface instead of PropertyAccessor
  Fix KernelTestCase compatibility for PhpUnit 8 (bis)
  add xabbuh as code owner of the Form component
  [Validator] Added a missing translation
  ...
2019-02-12 21:06:11 +01:00
Antoine Lamirault
15db914984 [Security] fix switch user without having current token 2019-02-09 10:27:13 +01:00
renanbr
006c6ddda3 makes serialize methods final 2019-02-07 09:54:38 +01:00
Nicolas Grekas
23fe9c89db Merge branch '4.2'
* 4.2:
  fix pruning pdo cache for vendors that throw on execute
  Fix typo in translation
  Declare exceptions that are already thrown by implementations
2019-02-01 12:07:50 +01:00
Nicolas Grekas
d44fba1260 Merge branch '3.4' into 4.2
* 3.4:
  Fix typo in translation
  Declare exceptions that are already thrown by implementations
2019-02-01 11:47:37 +01:00
Tarjei Huse
e8cdda3cf2 Fix typo in translation 2019-01-31 11:03:47 +01:00
Robin Chalas
52a986b15e minor #29779 [Security] Declare exceptions that are already thrown by implementations (umulmrum)
This PR was merged into the 3.4 branch.

Discussion
----------

[Security] Declare exceptions that are already thrown by implementations

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #29650
| License       | MIT
| Doc PR        |

Adding exception declarations for PasswordEncoderInterface. I think it's a matter of opinion whether this change is a BC break. The BC promise doesn't cover such a case; I'd see it as a BC break to add exceptions in general, but in this case it's more of a "documentation" issue, as most implementations of the interface have been throwing those exceptions for years.

Commits
-------

f4cc30b72b Declare exceptions that are already thrown by implementations
2019-01-31 10:50:26 +01:00
Nicolas Grekas
25fcc3ed77 Merge branch '4.2'
* 4.2:
  [DI] Fix dumping Doctrine-like service graphs
  fix serialization workaround in CustomUserMessageAuthenticationException
  PHPUnit Bridge: Rollback to traditional array syntax.
  [Form] fix some docblocks and type checks
2019-01-30 18:52:12 +01:00
Nicolas Grekas
4f6541e4f5 Merge branch '3.4' into 4.2
* 3.4:
  [DI] Fix dumping Doctrine-like service graphs
  fix serialization workaround in CustomUserMessageAuthenticationException
  PHPUnit Bridge: Rollback to traditional array syntax.
  [Form] fix some docblocks and type checks
2019-01-30 18:51:38 +01:00
renanbr
542e9e29b9 fix serialization workaround in CustomUserMessageAuthenticationException 2019-01-30 16:28:03 +01:00
Nicolas Grekas
32aa969dff Merge branch '4.2'
* 4.2:
  [Routing] dont redirect routes with greedy trailing vars with no explicit slash
  skip native serialize among child and parent serializable objects
  [Routing] backport tests from 4.1
  [MonologBridge] Remove unused local variable
  Remove unreachable code
  Add PackageNameTest to ConfigurationTest also add in the changelog the corresponding entry to this PR
  Support use of hyphen in asset package name
  Fix format strings for deprecation notices
  Remove a harmless duplicate array key from VarDumper
  [VarDumper] Fixed search bar
  Remove gendered pronouns
  Replace gender by eye color in tests
  [Security] dont do nested calls to serialize()
2019-01-29 10:50:57 +01:00
Nicolas Grekas
adbdec838a Merge branch '4.1' into 4.2
* 4.1:
  [Routing] dont redirect routes with greedy trailing vars with no explicit slash
  skip native serialize among child and parent serializable objects
  [Routing] backport tests from 4.1
  [MonologBridge] Remove unused local variable
  Remove unreachable code
  Add PackageNameTest to ConfigurationTest also add in the changelog the corresponding entry to this PR
  Support use of hyphen in asset package name
  Remove gendered pronouns
  Replace gender by eye color in tests
  [Security] dont do nested calls to serialize()
2019-01-29 10:49:29 +01:00
Nicolas Grekas
78c23c7838 Merge branch '3.4' into 4.1
* 3.4:
  skip native serialize among child and parent serializable objects
  [Routing] backport tests from 4.1
  Add PackageNameTest to ConfigurationTest also add in the changelog the corresponding entry to this PR
  Support use of hyphen in asset package name
  Remove gendered pronouns
  Replace gender by eye color in tests
  [Security] dont do nested calls to serialize()
2019-01-29 10:21:38 +01:00
Renan
10256fc4fd skip native serialize among child and parent serializable objects 2019-01-29 10:04:09 +01:00
Nicolas Grekas
41000f1de0 [Security] dont do nested calls to serialize() 2019-01-25 18:08:32 +01:00
Nicolas Grekas
d8af8b6edd Merge branch '4.2'
* 4.2:
  Bump phpunit bridge cache id
  [appveyor] fix create-project phpunit
  Fix HttpKernel Debug requirement
  Fix heredoc
  use final annotation to allow mocking the class
  synchronise the form builder docblock
  Grammar fix in exception message
  fix tests
  forward the parse error to the calling code
  Avoid dots in generated class names.
  [Debug][DebugClassLoader] Match more cases for final, deprecated and internal classes / methods extends
  ensure compatibility with older PHPUnit mocks
  [Security] Do not mix usage of password_*() functions and sodium_*() ones
2019-01-24 22:40:22 +01:00
Nicolas Grekas
61bf16c71d Merge branch '4.1' into 4.2
* 4.1:
  Bump phpunit bridge cache id
  [appveyor] fix create-project phpunit
  Fix HttpKernel Debug requirement
  Fix heredoc
  use final annotation to allow mocking the class
  synchronise the form builder docblock
  Grammar fix in exception message
  fix tests
  forward the parse error to the calling code
  [Debug][DebugClassLoader] Match more cases for final, deprecated and internal classes / methods extends
  ensure compatibility with older PHPUnit mocks
  [Security] Do not mix usage of password_*() functions and sodium_*() ones
2019-01-24 22:39:51 +01:00
Nicolas Grekas
aff17e2cc4 Merge branch '3.4' into 4.1
* 3.4:
  Bump phpunit bridge cache id
  [appveyor] fix create-project phpunit
  Fix HttpKernel Debug requirement
  Fix heredoc
  use final annotation to allow mocking the class
  synchronise the form builder docblock
  Grammar fix in exception message
  fix tests
  forward the parse error to the calling code
  [Debug][DebugClassLoader] Match more cases for final, deprecated and internal classes / methods extends
  ensure compatibility with older PHPUnit mocks
  [Security] Do not mix usage of password_*() functions and sodium_*() ones
2019-01-24 22:39:39 +01:00
Christian Flothmann
1da00db247 use final annotation to allow mocking the class 2019-01-22 15:51:10 +01:00
Robin Chalas
b972d15d52 bug #29863 [Security] Do not mix password_*() API with libsodium one (chalasr)
This PR was merged into the 3.4 branch.

Discussion
----------

[Security] Do not mix password_*() API with libsodium one

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | n/a
| Tests pass?   | yes
| Fixed tickets | n/a
| License       | MIT
| Doc PR        | n/a

Argon2IPasswordEncoder uses native `password_hash()` and `password_verify()` functions if the current PHP installation embeds Argon2 support (>=7.2, compiled `--with-password-argon2`).
Otherwise, it falls back to the libsodium extension.

This was fine at the time the encoder was introduced, but meanwhile libsodium changed the algorithm used by `sodium_crypto_pwhash_str()` which is now argon2id, that goes outside of the scope of the encoder which was designed to deal with `argon2i` only.
Nothing we can do as databases may already contain passwords hashed with argon2id, the encoder must keep validating those.

However, the PHP installation may change as time goes by, and could suddenly embed the Argon2 core integration. In this case, the encoder would use the `password_verify()` function which would fail in case the password was not hashed using argon2i.
This PR prevents it by detecting that argon2id was used, avoiding usage of `password_verify()`.

See https://github.com/jedisct1/libsodium-php/issues/194 and https://github.com/symfony/symfony/issues/28093 for references.
Patch cannot be tested as it is platform dependent.

Side note: I'm currently working on a new implementation for 4.3 that will properly support argon2id (which has been added to the PHP core sodium integration in 7.3) and argon2i, distinctively.

Commits
-------

d6cfde94b4 [Security] Do not mix usage of password_*() functions and sodium_*() ones
2019-01-18 19:41:49 +01:00
Fabien Potencier
51a359c079 Merge branch '4.2' into short-array-master
* 4.2:
  fixed CS
  fixed CS
  fixed tests
  fixed CS
  fixed CS
  fixed CS
  fixed short array CS in comments
  fixed CS in ExpressionLanguage fixtures
  fixed CS in generated files
  fixed CS on generated container files
  fixed CS on Form PHP templates
  fixed CS on YAML fixtures
  fixed fixtures
  switched array() to []
2019-01-16 22:53:39 +01:00
Fabien Potencier
e03db43894 fixed CS 2019-01-16 22:31:25 +01:00
Fabien Potencier
d2098d7e5d fixed CS 2019-01-16 21:35:37 +01:00
Fabien Potencier
c0323bd24b Merge branch '4.1' into 4.2
* 4.1:
  fixed tests
  fixed CS
  fixed CS
  fixed CS
  fixed short array CS in comments
  fixed CS in ExpressionLanguage fixtures
  fixed CS in generated files
  fixed CS on generated container files
  fixed CS on Form PHP templates
  fixed CS on YAML fixtures
  fixed fixtures
  switched array() to []
2019-01-16 21:31:39 +01:00
Fabien Potencier
d58b5c3b76 fixed CS 2019-01-16 19:35:49 +01:00
Fabien Potencier
572864b223 Merge branch '3.4' into 4.1
* 3.4:
  fixed CS
  fixed short array CS in comments
  fixed CS in ExpressionLanguage fixtures
  fixed CS in generated files
  fixed CS on generated container files
  fixed CS on Form PHP templates
  fixed CS on YAML fixtures
  fixed fixtures
  switched array() to []
2019-01-16 19:21:11 +01:00
Fabien Potencier
1429267f9c fixed short array CS in comments 2019-01-16 14:27:11 +01:00