* 3.4:
[SecurityBundle] Fix valid provider considered undefined
Revert "bug #24105 [Filesystem] check permissions if dump target dir is missing (xabbuh)"
[Filesystem] skip tests if not applicable
[Fabbot] Do not run php-cs-fixer if there are no change in src/
[ExpressionLanguage] make a proposal in SyntaxError message
[Security] Fix exception when use_referer option is true and referer is not set or empty
[HttpKernel] "controller.service_arguments" services should be public
Get KERNEL_DIR through $_ENV too for KernelTestCase
Get KERNEL_CLASS through $_ENV too
check permissions if dump target dir is missing
* 3.3:
Revert "bug #24105 [Filesystem] check permissions if dump target dir is missing (xabbuh)"
[Filesystem] skip tests if not applicable
[Fabbot] Do not run php-cs-fixer if there are no change in src/
[Security] Fix exception when use_referer option is true and referer is not set or empty
[HttpKernel] "controller.service_arguments" services should be public
Get KERNEL_DIR through $_ENV too for KernelTestCase
Get KERNEL_CLASS through $_ENV too
check permissions if dump target dir is missing
* 2.8:
Revert "bug #24105 [Filesystem] check permissions if dump target dir is missing (xabbuh)"
[Filesystem] skip tests if not applicable
[Fabbot] Do not run php-cs-fixer if there are no change in src/
[Security] Fix exception when use_referer option is true and referer is not set or empty
Get KERNEL_DIR through $_ENV too for KernelTestCase
check permissions if dump target dir is missing
* 2.7:
Revert "bug #24105 [Filesystem] check permissions if dump target dir is missing (xabbuh)"
[Filesystem] skip tests if not applicable
[Fabbot] Do not run php-cs-fixer if there are no change in src/
[Security] Fix exception when use_referer option is true and referer is not set or empty
Get KERNEL_DIR through $_ENV too for KernelTestCase
check permissions if dump target dir is missing
This PR was merged into the 4.0-dev branch.
Discussion
----------
Add scalar typehints/return types
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no (final, already breaks if doc not respected)
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/pull/23242#issuecomment-310327150
| License | MIT
| Doc PR | n/a
Commits
-------
7b1715b078 [Yaml] use scalar type hints where possible
6ce70e4bf9 Add scalar typehints/return types on final/internal/private code
* 3.4:
Improved the design of the redirection method in the web toolbar
Mark SemaphoreStore::isSupported() as internal
[DI] Add ContainerInterface::IGNORE_ON_UNINITIALIZED_REFERENCE
[FrameworkBundle] Fix form conflict rule
[Security] add impersonator_user to "User was reloaded" log message
[DI] Add upgrade note about case insenstive params
add (pdo|chain) cache (adapter|simple) prune method
Update NoSuchPropertyException message for writeProperty
[Routing] added the possibility to define a prefix for all routes of a controller
[DI] Don't track merged configs when the extension doesn't expose it
[Cache] Use namespace versioning for backends that dont support clearing by keys
[VarDumper] add force-collapse/expand + use it for traces
* 3.4:
[Bridge\ProxyManager] Dont call __destruct() on non-instantiated services
Consistently use 7 chars of sha256 for hash-based id generation
Docblock improvement
bumped Symfony version to 2.8.27
updated VERSION for 2.8.26
updated CHANGELOG for 2.8.26
bumped Symfony version to 2.7.34
updated VERSION for 2.7.33
update CONTRIBUTORS for 2.7.33
updated CHANGELOG for 2.7.33
* 3.3:
[Bridge\ProxyManager] Dont call __destruct() on non-instantiated services
Docblock improvement
bumped Symfony version to 2.8.27
updated VERSION for 2.8.26
updated CHANGELOG for 2.8.26
bumped Symfony version to 2.7.34
updated VERSION for 2.7.33
update CONTRIBUTORS for 2.7.33
updated CHANGELOG for 2.7.33
* 2.8:
[Bridge\ProxyManager] Dont call __destruct() on non-instantiated services
Docblock improvement
bumped Symfony version to 2.8.27
updated VERSION for 2.8.26
updated CHANGELOG for 2.8.26
bumped Symfony version to 2.7.34
updated VERSION for 2.7.33
update CONTRIBUTORS for 2.7.33
updated CHANGELOG for 2.7.33
* 3.3:
Removed useless argument $definition
Fix comment
[Config] Fix checking class existence freshness
bumped Symfony version to 3.3.7
updated VERSION for 3.3.6
updated CHANGELOG for 3.3.6
Bump minimal PHP version to ^5.5.9|>=7.0.8
* 3.4:
[DI] Remove unused props from the PhpDumper
[VarDumper] Keep and reuse array stubs in memory
[DI][ProxyManager] Pass the factory code to execute to DumperInterface::getProxyFactoryCode()
[Workflow] Adding workflow name to the announce event
[ProxyManager] Cleanup fixtures
[Console][WebServerBundle] Use "exec" when possible
[Debug] HTML-escape array key
Add some phpdocs for IDE autocompletion and better SCA
Fixed typo in docblock
* 3.3:
[DI] Remove unused props from the PhpDumper
[VarDumper] Keep and reuse array stubs in memory
[ProxyManager] Cleanup fixtures
[Console][WebServerBundle] Use "exec" when possible
[Debug] HTML-escape array key
Add some phpdocs for IDE autocompletion and better SCA
Fixed typo in docblock
* 3.2:
[DI] Remove unused props from the PhpDumper
[ProxyManager] Cleanup fixtures
[Debug] HTML-escape array key
Add some phpdocs for IDE autocompletion and better SCA
Fixed typo in docblock
* 2.8:
[DI] Remove unused props from the PhpDumper
[ProxyManager] Cleanup fixtures
[Debug] HTML-escape array key
Add some phpdocs for IDE autocompletion and better SCA
Fixed typo in docblock
This PR was merged into the 2.8 branch.
Discussion
----------
Fixed typo in docblock in AuthenticationExpiredException
| Q | A
| ------------- | ---
| Branch? | 2.8
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | ~
| License | MIT
| Doc PR | ~
Found a small typo, applied it in the lowest branch possible.
Commits
-------
432d2de Fixed typo in docblock
* 3.4: (22 commits)
use Precise on Travis to keep PHP LDAP support
Fix case sensitive sameSite cookie
[PropertyInfo] Use rawurlencode to escape PSR-6 keys
fix(security): ensure the 'route' index is set before attempting to use it
Fix registering lazy command services with autoconfigure enabled
Fix the design of the profiler exceptions when there is no message
[Config] Minor fix
document the TwigRenderer class deprecation
[Security] added more tests
[Security] fixed default target path when referer contains a query string
[Security] simplified tests
[Security] refactored tests
[WebProfilerBundle][TwigBundle] Fix infinite js loop on exception pages
[FrameworkBundle] fix ValidatorCacheWarmer: use serializing ArrayAdapter
Change "this" to "that" to avoid confusion
[VarDumper] Move locale sniffing to dump() time
[VarDumper] Use "C" locale when using "comma" flags
[Config] Make ClassExistenceResource throw on invalid parents
[DebugBundle] Added min_depth to Configuration
[Console] Add a factory command loader for standalone application with lazy-loading needs
...
* 3.3:
use Precise on Travis to keep PHP LDAP support
Fix case sensitive sameSite cookie
[PropertyInfo] Use rawurlencode to escape PSR-6 keys
fix(security): ensure the 'route' index is set before attempting to use it
Fix the design of the profiler exceptions when there is no message
[Config] Minor fix
[WebProfilerBundle] Fix full sized dump hovering in toolbar
* 3.2:
use Precise on Travis to keep PHP LDAP support
Fix case sensitive sameSite cookie
[PropertyInfo] Use rawurlencode to escape PSR-6 keys
fix(security): ensure the 'route' index is set before attempting to use it
[WebProfilerBundle] Fix full sized dump hovering in toolbar
* 2.8:
use Precise on Travis to keep PHP LDAP support
fix(security): ensure the 'route' index is set before attempting to use it
[WebProfilerBundle] Fix full sized dump hovering in toolbar
* 3.3:
[Security] added more tests
[Security] fixed default target path when referer contains a query string
[Security] simplified tests
[Security] refactored tests
[WebProfilerBundle][TwigBundle] Fix infinite js loop on exception pages
[FrameworkBundle] fix ValidatorCacheWarmer: use serializing ArrayAdapter
Change "this" to "that" to avoid confusion
[VarDumper] Move locale sniffing to dump() time
[VarDumper] Use "C" locale when using "comma" flags
[Config] Make ClassExistenceResource throw on invalid parents
* 3.4: (22 commits)
Fix lazy commands registration
[TwigBridge] deprecate TwigRenderer
[FrameworkBundle] Set default public directory on install assets
[Security] Fix wrong term in UserProviderInterface
[HttpFoundation] Set meta refresh time to 0 in RedirectResponse content
disable inlining deprecated services
[Stopwatch] Fix precision for root section
[Cache] add constructor docblocks for clarity
[WebServerBundle] allowed public/ root directory to be auto-discovered along side web/
[WebServerBundle] remove duplicate code
[SecurityBundle] Clarify deprecation in UserPasswordEncoderCommand::getContainer
[Profiler][Validator] ValidatorDataCollector: use new DataCollector::getCasters() method
[Profiler] Fix data collector getCasters() call
[VarDumper] Added setMinDepth to VarCloner
remove symfony/process suggestion
[DI] Remove unused dynamic property
[Cache] add constructor docblocks for clarity
[Security] validate empty passwords again
[Process] Fixed issue between process builder and exec
non-conflicting anonymous service ids across files
...
* 3.3:
[FrameworkBundle] Set default public directory on install assets
[Security] Fix wrong term in UserProviderInterface
[HttpFoundation] Set meta refresh time to 0 in RedirectResponse content
disable inlining deprecated services
[Cache] add constructor docblocks for clarity
[WebServerBundle] allowed public/ root directory to be auto-discovered along side web/
[WebServerBundle] remove duplicate code
[SecurityBundle] Clarify deprecation in UserPasswordEncoderCommand::getContainer
[Cache] add constructor docblocks for clarity
[Security] validate empty passwords again
[DI] Remove irrelevant comment from container
[TwigBridge] cleaner implementation of the TwigRenderer
* 3.2:
[Security] Fix wrong term in UserProviderInterface
[HttpFoundation] Set meta refresh time to 0 in RedirectResponse content
disable inlining deprecated services
[Cache] add constructor docblocks for clarity
[Security] validate empty passwords again
[DI] Remove irrelevant comment from container
[TwigBridge] cleaner implementation of the TwigRenderer
* 2.8:
[Security] Fix wrong term in UserProviderInterface
[HttpFoundation] Set meta refresh time to 0 in RedirectResponse content
disable inlining deprecated services
[Security] validate empty passwords again
[DI] Remove irrelevant comment from container
[TwigBridge] cleaner implementation of the TwigRenderer
* 2.7:
[Security] Fix wrong term in UserProviderInterface
[HttpFoundation] Set meta refresh time to 0 in RedirectResponse content
[Security] validate empty passwords again
[DI] Remove irrelevant comment from container
[TwigBridge] cleaner implementation of the TwigRenderer
This PR was merged into the 2.7 branch.
Discussion
----------
[Security] validate empty passwords again
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/pull/23341#issuecomment-315341226
| License | MIT
| Doc PR |
It looks like this part of #23341 causes serious security issues for some users who rely on the validator to also compare the empty string with their user's password (see for example https://github.com/symfony/symfony/pull/23341#issuecomment-315341226). Thus I suggest to revert this part of #23341.
Commits
-------
878198cefa [Security] validate empty passwords again
* 3.4:
Add TokenProcessor
[DI] Handle root namespace in service definitions
Add support for command lazy-loading
Use rawurlencode() to transform the Cookie into a string
[TwigBundle] Added a RuntimeExtensionInterface to take advantage of autoconfigure
[Process] Fix parsing args on Windows
Add exculde verbosity test
[HttpKernel][VarDumper] Truncate profiler data & optim perf
[DI] Allow imports in string format for YAML
[Validator] Allow to use a property path to get value to compare in comparison constraints
[Security] Fix authentication.failure event not dispatched on AccountStatusException
add option to define the access decision manager
Add support for doctrin/dbal 2.6 types
* 3.3:
[DI] Handle root namespace in service definitions
Use rawurlencode() to transform the Cookie into a string
[Process] Fix parsing args on Windows
[HttpKernel][VarDumper] Truncate profiler data & optim perf
[Security] Fix authentication.failure event not dispatched on AccountStatusException
* 3.2:
[DI] Handle root namespace in service definitions
Use rawurlencode() to transform the Cookie into a string
[Security] Fix authentication.failure event not dispatched on AccountStatusException
* 2.8:
[DI] Handle root namespace in service definitions
Use rawurlencode() to transform the Cookie into a string
[Security] Fix authentication.failure event not dispatched on AccountStatusException
* 2.7:
[DI] Handle root namespace in service definitions
Use rawurlencode() to transform the Cookie into a string
[Security] Fix authentication.failure event not dispatched on AccountStatusException
This PR was merged into the 2.7 branch.
Discussion
----------
[Security] Fix authentication.failure event not dispatched on AccountStatusException
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/issues/18807
| License | MIT
| Doc PR | n/a
Authentication fails if the user exists but its account is disabled/expired/locked, the failure event should be dispatched in this case, so that you can hook into as for any authentication exception.
Commits
-------
64c2efd [Security] Fix authentication.failure event not dispatched on AccountStatusException
* 3.3: (33 commits)
Preserve HttpOnly value when deserializing a header
[DX] [TwigBundle] Enhance the new exception page design
Fix deprecated message
[DI][Security] Prevent unwanted deprecation notices when using Expression Languages
bumped Symfony version to 3.3.5
updated VERSION for 3.3.4
updated CHANGELOG for 3.3.4
[VarDumper] Reduce size of serialized Data objects
bumped Symfony version to 3.2.12
updated VERSION for 3.2.11
updated CHANGELOG for 3.2.11
fixed bad merge
Fix indent of methods
[Cache] Handle APCu failures gracefully
[DoctrineBridge] Use normalizedIds for resetting entity manager services
[FrameworkBundle] Do not remove files from assets dir
[FrameworkBundle] 3.3: Don't get() private services from debug:router
bumped Symfony version to 3.3.4
updated VERSION for 3.3.3
updated CHANGELOG for 3.3.3
...
* 3.3:
[DI][Security] Prevent unwanted deprecation notices when using Expression Languages
bumped Symfony version to 3.3.5
updated VERSION for 3.3.4
updated CHANGELOG for 3.3.4
[VarDumper] Reduce size of serialized Data objects
bumped Symfony version to 3.2.12
updated VERSION for 3.2.11
updated CHANGELOG for 3.2.11
[DoctrineBridge] Use normalizedIds for resetting entity manager services
* 3.2:
[DI][Security] Prevent unwanted deprecation notices when using Expression Languages
bumped Symfony version to 3.2.12
updated VERSION for 3.2.11
updated CHANGELOG for 3.2.11
* 3.4:
[Console] Fix descriptor tests
Change wording from object to subject
add changelog entry for Stopwatch::reset()
Add DateCaster
[Dotenv] parse concatenated variable values
[Yaml] deprecate the !str tag
Add filter in VarDumperTestTrait
Support for parsing PHP constants in yaml loader
This PR was merged into the 3.4 branch.
Discussion
----------
Change wording from object to subject
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no <!-- don't forget updating src/**/CHANGELOG.md files -->
| BC breaks? | no
| Deprecations? | no <!-- don't forget updating UPGRADE-*.md files -->
| Tests pass? | yes
| License | MIT
The authorization checker has been changed to support any value
recently. The naming should reflect that to avoid confusion.
Refs https://github.com/sonata-project/SonataAdminBundle/issues/4518
Commits
-------
d261894c6e Change wording from object to subject
* 3.4:
Misspelled word
Display a better error design when the toolbar cannot be displayed
fixed CS
do not validate empty values
[Cache] fix cleanup of expired items for PdoAdapter
[Dotenv] clean up before running assertions
[Console] fix description of INF default values
parse escaped quotes in unquoted env var values
[PropertyAccess] Fix TypeError discard
[Validator] Throw exception on Comparison constraints null options
[FrameworkBundle] Display a proper warning on cache:clear without the --no-warmup option
[Security] Fix Firewall ExceptionListener priority
Allow * to bind all interfaces (as INADDR_ANY)
Identify tty tests in Component/Process
[Workflow] Added more events to the announce function
[Validator] Remove property path suggestion for using the Expression validator
[WebProfilerBundle] Fix css trick used for offsetting html anchor from fixed header
disable unusable fragment renderers
[Stopwatch] Add a reset method
[Security] Fix annotation
* 3.3:
Misspelled word
Display a better error design when the toolbar cannot be displayed
do not validate empty values
[Cache] fix cleanup of expired items for PdoAdapter
[Dotenv] clean up before running assertions
[Console] fix description of INF default values
parse escaped quotes in unquoted env var values
[PropertyAccess] Fix TypeError discard
[Validator] Throw exception on Comparison constraints null options
[FrameworkBundle] Display a proper warning on cache:clear without the --no-warmup option
[Security] Fix Firewall ExceptionListener priority
Identify tty tests in Component/Process
[Workflow] Added more events to the announce function
[Validator] Remove property path suggestion for using the Expression validator
[WebProfilerBundle] Fix css trick used for offsetting html anchor from fixed header
[Security] Fix annotation
* 3.2:
Misspelled word
Display a better error design when the toolbar cannot be displayed
do not validate empty values
[Cache] fix cleanup of expired items for PdoAdapter
[Console] fix description of INF default values
[PropertyAccess] Fix TypeError discard
[Validator] Throw exception on Comparison constraints null options
Identify tty tests in Component/Process
[Workflow] Added more events to the announce function
[Validator] Remove property path suggestion for using the Expression validator
[WebProfilerBundle] Fix css trick used for offsetting html anchor from fixed header
[Security] Fix annotation
* 2.8:
Misspelled word
Display a better error design when the toolbar cannot be displayed
do not validate empty values
[Console] fix description of INF default values
[PropertyAccess] Fix TypeError discard
[Validator] Throw exception on Comparison constraints null options
Identify tty tests in Component/Process
[Security] Fix annotation
* 2.7:
Misspelled word
Display a better error design when the toolbar cannot be displayed
do not validate empty values
[Console] fix description of INF default values
[PropertyAccess] Fix TypeError discard
[Validator] Throw exception on Comparison constraints null options
Identify tty tests in Component/Process
[Security] Fix annotation
This PR was merged into the 2.7 branch.
Discussion
----------
[DoctrineBridge][Security][Validator] do not validate empty values
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #23319
| License | MIT
| Doc PR |
Nearly all validators operating on scalar values (except for some special constraints) do ignore empty values. If you want to forbid them, you have to use the `NotBlank` constraint instead.
Commits
-------
fd7ad234bc do not validate empty values
* 3.4: (83 commits)
add missing version attribute
Show exception is checked twice in ExceptionController of twig
allow SSI fragments configuration in XML files
Display a better error message when the toolbar cannot be displayed
[SecurityBundle] Add user impersonation info and exit action to the profiler
render hidden _method field in form_rest()
Add Doctrine Cache to dev dependencies to fix failing unit tests.
return fallback locales whenever possible
Fix Predis client cluster with pipeline
[Dotenv] Test load() with multiple paths
[Console] Fix catching exception type in QuestionHelper
Improved the exception page when there is no message
[WebProfilerBundle] Eliminate line wrap on count columnt (routing)
[Profiler][Validator] Add a validator panel in profiler
[Validator] replace hardcoded service id
[Routing] Fix XmlFileLoader exception message
Remove duplicate changelog entries
[DI] Dedup tags when using instanceof/autoconfigure
[Translation] Fix FileLoader::loadResource() php doc
[Serializer] Fix workaround min php version
...
* 3.3: (64 commits)
Show exception is checked twice in ExceptionController of twig
allow SSI fragments configuration in XML files
Display a better error message when the toolbar cannot be displayed
render hidden _method field in form_rest()
Add Doctrine Cache to dev dependencies to fix failing unit tests.
return fallback locales whenever possible
Fix Predis client cluster with pipeline
[Dotenv] Test load() with multiple paths
[Console] Fix catching exception type in QuestionHelper
Improved the exception page when there is no message
[WebProfilerBundle] Eliminate line wrap on count columnt (routing)
[Validator] replace hardcoded service id
[Routing] Fix XmlFileLoader exception message
[DI] Dedup tags when using instanceof/autoconfigure
[Translation] Fix FileLoader::loadResource() php doc
Sessions: configurable "use_strict_mode" option for NativeSessionStorage
[FrameworkBundle] [Command] Clean bundle directory, fixes#23177
fixed CS
[WebProfilerBundle] Fix the icon for the Cache panel
[WebServerBundle] Fix router script path and check existence
...
* 3.2: (42 commits)
Show exception is checked twice in ExceptionController of twig
allow SSI fragments configuration in XML files
Display a better error message when the toolbar cannot be displayed
render hidden _method field in form_rest()
Add Doctrine Cache to dev dependencies to fix failing unit tests.
return fallback locales whenever possible
[Console] Fix catching exception type in QuestionHelper
[WebProfilerBundle] Eliminate line wrap on count columnt (routing)
[Routing] Fix XmlFileLoader exception message
[Translation] Fix FileLoader::loadResource() php doc
Sessions: configurable "use_strict_mode" option for NativeSessionStorage
[FrameworkBundle] [Command] Clean bundle directory, fixes#23177
Reset redirectCount when throwing exception
[TwigBundle] Remove template.xml services when templating is disabled
add content-type header on exception response
Embedding a response that combines expiration and validation, that should not defeat expiration on the combined response
fixed bad merge
Fix two edge cases in ResponseCacheStrategy
[Routing] Expose request in route conditions, if needed and possible
[Routing] Expose request in route conditions, if needed and possible
...
* 2.8: (40 commits)
Show exception is checked twice in ExceptionController of twig
allow SSI fragments configuration in XML files
Display a better error message when the toolbar cannot be displayed
render hidden _method field in form_rest()
return fallback locales whenever possible
[Console] Fix catching exception type in QuestionHelper
[WebProfilerBundle] Eliminate line wrap on count columnt (routing)
[Routing] Fix XmlFileLoader exception message
[Translation] Fix FileLoader::loadResource() php doc
Sessions: configurable "use_strict_mode" option for NativeSessionStorage
[FrameworkBundle] [Command] Clean bundle directory, fixes#23177
Reset redirectCount when throwing exception
[TwigBundle] Remove template.xml services when templating is disabled
add content-type header on exception response
Embedding a response that combines expiration and validation, that should not defeat expiration on the combined response
Fix two edge cases in ResponseCacheStrategy
[Routing] Expose request in route conditions, if needed and possible
[Routing] Expose request in route conditions, if needed and possible
[Translation][FrameworkBundle] Fix resource loading order inconsistency reported in #23034
[Filesystem] added workaround in Filesystem::rename for PHP bug
...
* 2.7:
[Routing] Fix XmlFileLoader exception message
Sessions: configurable "use_strict_mode" option for NativeSessionStorage
[FrameworkBundle] [Command] Clean bundle directory, fixes#23177
Reset redirectCount when throwing exception
[TwigBundle] Remove template.xml services when templating is disabled
add content-type header on exception response
Embedding a response that combines expiration and validation, that should not defeat expiration on the combined response
Fix two edge cases in ResponseCacheStrategy
[Routing] Expose request in route conditions, if needed and possible
[Routing] Expose request in route conditions, if needed and possible
[Translation][FrameworkBundle] Fix resource loading order inconsistency reported in #23034
[Filesystem] added workaround in Filesystem::rename for PHP bug
Add tests for ResponseCacheStrategy to document some more edge cases
[HttpFoundation] added missing docs
fixes#21606
[VarDumper] fixes
[Security] fix switch user _exit without having current token
This PR was merged into the 2.7 branch.
Discussion
----------
[Security] fix switch user _exit without having current token
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #22729
| License | MIT
| Doc PR | -
Attempting to `_exit` from a switched user caused an error when not having any token in the storage (for example happens when not logged in + disallowing anonymous users on that firewall):
`[1] Symfony\Component\Debug\Exception\FatalThrowableError: Type error: Argument 1 passed to Symfony\Component\Security\Http\Firewall\SwitchUserListener::getOriginalToken()
must be an instance of Symfony\Component\Security\Core\Authentication\Token\TokenInterface, null given, called in
symfony/symfony/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php on line 164`
Commits
-------
16da6861be [Security] fix switch user _exit without having current token
This PR was squashed before being merged into the 3.4 branch (closes#22629).
Discussion
----------
[Security] Trigger a deprecation when a voter is missing the VoterInterface
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | ~
| License | MIT
| Doc PR | ~
Right now it's possible to add voters to the access decision manager that do not have a `VoterInterface`.
- No Interface, no `vote()` method, and it will give a PHP error.
- No Interface, but `vote()` method, it will still work.
- If I don't implement the interface _and_ have no `vote()` method, I will get weird exception that's not meaningful: `Attempted to call an undefined method named "vote" of class "App\Voter\MyVoter".`
This PR will deprecate the ability to use voters without the interface, it will also throw a proper exception when missing the interface _and_ the `vote()` method. Why when using and not when setting? Due to the fact that the voters can be set lazily via the `IteratorArgument`. The SecurityBundle will trigger a deprecation if the interface is not implemented and an exception if there's not even a `vote()` method present (to prevent exceptions at run-time).
This should have full backwards compatibility with 3.3, but give more meaningful errors. The only behavioral difference, might be that the container will throw an exception instead of maybe succeeding in voting when 1 voter would be broken at the end of the list (based on strategy). This case however, will be detected during development and deployment, rather than run-time.
Commits
-------
9c253e1ff6 [Security] Trigger a deprecation when a voter is missing the VoterInterface
This PR was merged into the 3.4 branch.
Discussion
----------
Consistent error handling in remember me services
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | yes
| BC breaks? | yes
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
RememberMeServices lacked consistent error handling so far making it impossible for implementors to e.g. maintain sufficiently detailed audit logs for remember me errors. Since remember me is a very sensitive area in any application, detailed logging is crucial.
The change proposed allows `loginFail` to optionally take the exception object as a second parameter and uses said exception consistently internally by calling `loginFail` instead of `cancelCookie`.
Commits
-------
eda1888f71 Consistent error handling in remember me services
* 3.4:
[FrameworkBundle] Deprecate useless --no-prefix option
Add Doctrine Cache to dev dependencies to fix failing unit tests.
Give info about called security listeners in profiler
Fix the usage of FrameworkBundle in debug mode without Stopwatch
This PR was squashed before being merged into the 2.7 branch (closes#22931).
Discussion
----------
SCA with Php Inspections (EA Extended): 2.7
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Static Code Analysis with Php Inspections (EA Extended): dead code and control flow tweaks.
Commits
-------
598ae56cc9 SCA with Php Inspections (EA Extended): 2.7
* 3.3:
[TwigBridge] Fix namespaced classes
bumped Symfony version to 3.3.2
updated VERSION for 3.3.1
updated CHANGELOG for 3.3.1
[DependencyInjection] Fix named args support in ChildDefinition
[Cache] Fallback to positional when keyed results are broken
[HttpFoundation][FrameworkBundle] Revert "trusted proxies" BC break
[Cache] MemcachedAdapter not working with TagAwareAdapter
Remove closure-proxy leftovers
[DependencyInjection] Use more clear message when unused environment variables detected
[Form][Profiler] Fixes form collector triggering deprecations
mitigate BC break with empty trusted_proxies
[Profiler] Never wrap in code excerpts
[Form][FrameworkBundle] Remove non-existing arg for data_collector.form
explain that a role can be an instance of Role
[Cache] fix Redis scheme detection
mix attr options between type-guess options and user options
* 2.7:
Using FQ name for PHP_VERSION_ID
[Form] Fix \IntlDateFormatter timezone parameter usage to bypass PHP bug #66323
Harden the debugging of Twig filters and functions
bumped Symfony version to 2.7.29
updated VERSION for 2.7.28
update CONTRIBUTORS for 2.7.28
updated CHANGELOG for 2.7.28
* 3.4:
bug #22814 [FrameworkBundle] FC with EventDispatcher 4.0 (xabbuh)
[PhpUnitBridge] remove unused use statement
do not used deprecated validator test case class
do not mock a deprecated interface
[DI] Added missing deprecation in changelog
[Ldap] add a changelog file
[Security][Serializer][DI] Add new arguments typehints in preparation for 4.0
[MonologBridge] Fix the Monlog ServerLogHandler from Hanging on Windows
[DependencyInjection] Fix dumping of RewindableGenerator with empty IteratorArgument
[DI][Serializer] Fix missing de(normalizer|coder) autoconfig
Use 0.0.0.0 as the server log host default.
* 3.3:
[PhpUnitBridge] remove unused use statement
do not mock a deprecated interface
[DI] Added missing deprecation in changelog
[Ldap] add a changelog file
[Security][Serializer][DI] Add new arguments typehints in preparation for 4.0
[MonologBridge] Fix the Monlog ServerLogHandler from Hanging on Windows
[DependencyInjection] Fix dumping of RewindableGenerator with empty IteratorArgument
[DI][Serializer] Fix missing de(normalizer|coder) autoconfig
Use 0.0.0.0 as the server log host default.
* 3.2:
Fix errors not rethrown even if not handled by console.error listeners
[VarDumper] Fix dumping of non-nested stubs
[Security] Avoid unnecessary route lookup for empty logout path
respect inline level when dumping objects as maps
Test case for not in-lined map-objects
* 2.8:
Fix errors not rethrown even if not handled by console.error listeners
[VarDumper] Fix dumping of non-nested stubs
[Security] Avoid unnecessary route lookup for empty logout path
* 2.7:
Fix errors not rethrown even if not handled by console.error listeners
[VarDumper] Fix dumping of non-nested stubs
[Security] Avoid unnecessary route lookup for empty logout path
Security-core no longer directly depends upon polyfill-util since #16382.
This does not change the existing dependancy tree as polyfill-util is
transitivly depended on via polyfill-php56.
* 3.2:
fixed tests
fixed merge
Fix minor phpdoc mismatches with the code(detected by phan)
[Asset] Starting slash should indicate no basePath wanted
[Security] Fix phpdoc logout listener
[EventDispatcher] fix getting priorities of listeners during dispatch
Add iconv extension to suggested dependencies
Fix minor typo in the main README.md
Allow Upper Case property names in ObjectNormalizer
[EventDispatcher] fix: unwrap listeners for correct info
* 2.8:
Fix minor phpdoc mismatches with the code(detected by phan)
[Asset] Starting slash should indicate no basePath wanted
[Security] Fix phpdoc logout listener
Add iconv extension to suggested dependencies
Fix minor typo in the main README.md
Allow Upper Case property names in ObjectNormalizer
[EventDispatcher] fix: unwrap listeners for correct info
* 2.7:
Fix minor phpdoc mismatches with the code(detected by phan)
[Asset] Starting slash should indicate no basePath wanted
[Security] Fix phpdoc logout listener
Fix minor typo in the main README.md
This PR was merged into the 3.3-dev branch.
Discussion
----------
[Security] add Request type json check in json_login
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no, unreleased feature
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | -
follow up to https://github.com/symfony/symfony/pull/22425 to limit the `UsernamePasswordJsonAuthenticationListener` to only requests with appropriate JSON content type.
I am not entirely happy with this implementation but mostly because Symfony out of the box only provides very limited content type negotiation. I guess anyone that wants to tweak the content negotiation will simply need to ensure the Request::$format is set accordingly before the code is triggered.
Commits
-------
045a36b303 add Request type json check in json_login
* 3.2:
Make .travis.yml more readable
Fold Travis CI output by component
[VarDumper] Minor tweaks to html/css dumps
Add trhows PHPDoc in Application::run
[Debug] Set exit status to 255 on error
[HttpFoundation] Store IANA's RNG files in the repository
[PropertyInfo] Remove a useless call to count() in SerializerExtractor
[PropertyInfo] Prevent returning int values in some cases.
[HttpFoundation] Fix getClientIp @return docblock
Add @throws phpdoc
unify PHPUnit config files
* 2.8:
Make .travis.yml more readable
Fold Travis CI output by component
Add trhows PHPDoc in Application::run
[Debug] Set exit status to 255 on error
[HttpFoundation] Store IANA's RNG files in the repository
[PropertyInfo] Remove a useless call to count() in SerializerExtractor
[PropertyInfo] Prevent returning int values in some cases.
[HttpFoundation] Fix getClientIp @return docblock
Add @throws phpdoc
unify PHPUnit config files
* 2.7:
Make .travis.yml more readable
Fold Travis CI output by component
Add trhows PHPDoc in Application::run
[Debug] Set exit status to 255 on error
[HttpFoundation] Store IANA's RNG files in the repository
[HttpFoundation] Fix getClientIp @return docblock
Add @throws phpdoc
unify PHPUnit config files
This PR was merged into the 3.3-dev branch.
Discussion
----------
[Security] Use IteratorArgument for voters
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| License | MIT
Use an IteratorArgument for injecting voters into the AccessDecisionManager.
Commits
-------
4ec80b1ae8 Use IteratorArgument for voters
* 3.2:
[FrameworkBundle] Update console fixtures after #22217
Allow Upper Case property names
fix some risky tests
bumped Symfony version to 2.7.27
updated VERSION for 2.7.26
update CONTRIBUTORS for 2.7.26
updated CHANGELOG for 2.7.26
* 2.8:
Allow Upper Case property names
fix some risky tests
bumped Symfony version to 2.7.27
updated VERSION for 2.7.26
update CONTRIBUTORS for 2.7.26
updated CHANGELOG for 2.7.26
* 3.2:
[Bridge\Doctrine] Fix change breaking doctrine-bundle test suite
[WebProfilerBundle] Include badge status in translation tabs
[FrameworkBundle] Cache pool clear command requires at least 1 pool
[HttpFoundation][bugfix] should always be initialized
MockArraySessionStorage: updated phpdoc for $bags so that IDE autocompletion would work
normalize paths before making them relative
removed test that does not test anything
fixed tests
#21809 [SecurityBundle] bugfix: if security provider's name contains upper cases then container didn't compile
[WebProfilerBundle] Fix for CSS attribute at Profiler Translation Page
Set Date header in Response constructor already
[Validator] fix URL validator to detect non supported chars according to RFC 3986
[Security] Fixed roles serialization on token from user object
* 2.8:
removed test that does not test anything
fixed tests
#21809 [SecurityBundle] bugfix: if security provider's name contains upper cases then container didn't compile
[WebProfilerBundle] Fix for CSS attribute at Profiler Translation Page
Set Date header in Response constructor already
[Validator] fix URL validator to detect non supported chars according to RFC 3986
[Security] Fixed roles serialization on token from user object
* 2.7:
removed test that does not test anything
fixed tests
#21809 [SecurityBundle] bugfix: if security provider's name contains upper cases then container didn't compile
[Validator] fix URL validator to detect non supported chars according to RFC 3986
[Security] Fixed roles serialization on token from user object
This PR was merged into the 2.7 branch.
Discussion
----------
[Security] Fixed roles serialization on token from user object
| Q | A |
| --- | --- |
| Branch? | 2.7 |
| Bug fix? | yes |
| New feature? | no |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | #14274 |
| License | MIT |
| Doc PR | - |
This PR fixes the serialization of tokens when using `Role` objects provided from the user. Indeed, there were actually a reference issue that can causes fatal errors like the following one:
```
FatalErrorException in RoleHierarchy.php line 43:
Error: Call to a member function getRole() on string
```
Here is a small code example to reproduce and its output:
``` php
$user = new Symfony\Component\Security\Core\User\User('name', 'password', [
new Symfony\Component\Security\Core\Role\Role('name')
]);
$token = new Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken($user, 'password', 'providerKey', $user->getRoles());
$serialized = serialize($token);
$unserialized = unserialize($serialized);
var_dump($unserialized->getRoles());
```
Before:
```
array(1) { [0]=> bool(true) }
```
After:
```
array(1) { [0]=> object(Symfony\Component\Security\Core\Role\Role)#15 (1) {["role":"Symfony\Component\Security\Core\Role\Role":private]=> string(4) "name" } }
```
Thank you
Commits
-------
dfa7f5020e [Security] Fixed roles serialization on token from user object
* 3.2:
Fixed pathinfo calculation for requests starting with a question mark.
[HttpFoundation] Fix missing handling of for/host/proto info from "Forwarded" header
[Validator] Add object handling of invalid constraints in Composite
[WebProfilerBundle] Remove uneeded directive in the form collector styles
removed usage of $that
HttpCache: New test for revalidating responses with an expired TTL
[Serializer] [XML] Ignore Process Instruction
[Security] simplify the SwitchUserListenerTest
Revert "bug #21841 [Console] Do not squash input changes made from console.command event (chalasr)"
[HttpFoundation] Fix Request::getHost() when having several hosts in X_FORWARDED_HOST
This PR was merged into the 3.3-dev branch.
Discussion
----------
[Security][SecurityBundle] Enhance automatic logout url generation
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | N/A
| License | MIT
| Doc PR | N/A
This should help whenever:
- [the token does not implement the `getProviderKey` method](https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Http/Logout/LogoutUrlGenerator.php#L89-L99)
- you've got multiple firewalls sharing a same context but a logout listener only define on one of them.
##### Behavior:
> When not providing the firewall key:
>
>- Try to find the key from the token (unless it's an anonymous token)
>- If found, try to get the listener from the key. If the listener is found, stop there.
>- Try from the injected firewall key. If the listener is found, stop there.
>- Try from the injected firewall context. If the listener is found, stop there.
>
>The behavior remains unchanged when providing explicitly the firewall key. No fallback.
Commits
-------
5b7fe852aa [Security][SecurityBundle] Enhance automatic logout url generation
This PR was merged into the 3.3-dev branch.
Discussion
----------
[Security] json auth listener should not produce a 500 response on bad request format
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | N/A
| License | MIT
| Doc PR | N/A
To me, it looks wrong to simply throw a `BadCredentialsException` in the wild, which produces a 500 (unless an entrypoint handles it, which you probably don't have on a json login firewall). There isn't any server error, the client request originated the error due to a wrong format.
Instead, the listener should give a chance to the failure handler to resolve it, and return a proper 4XX response. (BTW, the `UsernamePasswordFormAuthenticationListener` also throws a similar `BadCredentialsException` on a too long submitted username, which is caught and forwarded to the failure handler)
Better diff: https://github.com/symfony/symfony/pull/22034/files?w=1
BTW, should we have another exception type like `BadCredentialsFormatException` or whatever in order to distinct a proper `BadCredentialsException` from a format issue in a failure listener?
Commits
-------
cb175a41c3 [Security] json auth listener should not produce a 500 response on bad request format
This PR was merged into the 2.7 branch.
Discussion
----------
[Security] simplify the SwitchUserListenerTest
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
While working on #22048 I noticed that the `SwitchUserListenerTest` was more complicated than necessary by mocking a lot of stuff that didn't need to be mocked.
Commits
-------
923bbdbf9f [Security] simplify the SwitchUserListenerTest
This PR was squashed before being merged into the 2.7 branch (closes#21968).
Discussion
----------
Fixed pathinfo calculation for requests starting with a question mark.
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #21967
| License | MIT
| Doc PR |
With improper `strpos` result check calculated pathinfo for requests starting with '?' equals to request itself.
Correct pathinfo for those requests should be '/'.
Commits
-------
43297b45de Fixed pathinfo calculation for requests starting with a question mark.
* 3.2:
Fixes a typo in the form collector styles
[WebProfilerBundle] Fix content-security-policy compatibility
[WebProfilerBundle] Drop dead code
[HttpKernel] Fixed bug with purging of HTTPS URLs
fix some risky tests
[DI] [YamlFileLoader] change error message of a non existing file
[WebProfilerBundle] Handle Content-Security-Policy-Report-Only header correctly
[Security] Added option to return true in the method isRememberMeRequested
* 2.8:
Fixes a typo in the form collector styles
[HttpKernel] Fixed bug with purging of HTTPS URLs
fix some risky tests
[DI] [YamlFileLoader] change error message of a non existing file
[Security] Added option to return true in the method isRememberMeRequested
* 2.7:
[HttpKernel] Fixed bug with purging of HTTPS URLs
fix some risky tests
[DI] [YamlFileLoader] change error message of a non existing file
[Security] Added option to return true in the method isRememberMeRequested
This PR was merged into the 2.7 branch.
Discussion
----------
fix some risky tests
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
PHPUnit 6 marks tests as risky when they have no assertions (and are not marked as skipped or incomplete). This PR will update our test suite accordingly.
Component that still need to be covered:
- [ ] Config
- [ ] Form
- [ ] HttpFoundation
- [ ] Security
- [ ] Workflow
Commits
-------
abf1787dcc fix some risky tests
* 3.2:
[Cache] Fix Redis pipelining/multi-ops
[Yaml] Fix the tests
[github] Add a reminder about CHANGELOG.md files
respect the umask argument in dumpFile()
dumpFile(), preserve existing file permissions
[Form] Fixed overridden choices option in extended choice types
Add validate method to mockec validator in form TypeTestCase
bumped Symfony version to 2.8.19
updated VERSION for 2.8.18
updated CHANGELOG for 2.8.18
bumped Symfony version to 2.7.26
updated VERSION for 2.7.25
update CONTRIBUTORS for 2.7.25
updated CHANGELOG for 2.7.25
[HttpKernel] fixed Kernel name when stored in a directory starting with a number
context listener: hardening user provider handling
[Console] Do not squash input changes made from console.command event
* 2.8:
respect the umask argument in dumpFile()
dumpFile(), preserve existing file permissions
Add validate method to mockec validator in form TypeTestCase
bumped Symfony version to 2.8.19
updated VERSION for 2.8.18
updated CHANGELOG for 2.8.18
bumped Symfony version to 2.7.26
updated VERSION for 2.7.25
update CONTRIBUTORS for 2.7.25
updated CHANGELOG for 2.7.25
[HttpKernel] fixed Kernel name when stored in a directory starting with a number
context listener: hardening user provider handling
[Console] Do not squash input changes made from console.command event
* 2.7:
respect the umask argument in dumpFile()
dumpFile(), preserve existing file permissions
Add validate method to mockec validator in form TypeTestCase
bumped Symfony version to 2.7.26
updated VERSION for 2.7.25
update CONTRIBUTORS for 2.7.25
updated CHANGELOG for 2.7.25
[HttpKernel] fixed Kernel name when stored in a directory starting with a number
context listener: hardening user provider handling
This PR was merged into the 2.7 branch.
Discussion
----------
[Security] context listener: hardening user provider handling
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #4498
| License | MIT
| Doc PR |
After the wrong fix in #21791 this is the second attempt to solve #4498. If more than one user provider support the user for the current context, all of them will be applied instead of returning prematurely when the first user provider does not find the logged in user.
Commits
-------
0fb09293fd context listener: hardening user provider handling
This PR was merged into the 3.3-dev branch.
Discussion
----------
[Security] fix test class location
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Keeping the test file in the old location means that it is not available in the `symfony/security-http` subtree split.
Commits
-------
b4e803a [Security] fix test class location
* 3.2:
[Security] fix Composer constraint
Provide less state in getRequestFormat
fix test class location
Static code analysis with Php Inspections (EA Extended): dead code dropped, couple bugs fixed
Adding use statement for InvalidArgumentException
* 2.8:
[Security] fix Composer constraint
Provide less state in getRequestFormat
fix test class location
Static code analysis with Php Inspections (EA Extended): dead code dropped, couple bugs fixed
* 2.7:
[Security] fix Composer constraint
Provide less state in getRequestFormat
fix test class location
Static code analysis with Php Inspections (EA Extended): dead code dropped, couple bugs fixed
This PR was merged into the 3.3-dev branch.
Discussion
----------
[HttpKernel] Deprecate X-Status-Code for better alternative
| Q | A |
| --- | --- |
| Branch? | master |
| Bug fix? | no |
| New feature? | yes |
| BC breaks? | no |
| Deprecations? | yes |
| Tests pass? | yes |
| Fixed tickets | #12343 |
| License | MIT |
| Doc PR | https://github.com/symfony/symfony-docs/pull/6948 |
This marks the X-Status-Code header method of setting a custom response status
code in exception listeners for a better alternative. There is now a new method
on the `GetResponseForExceptionEvent` that allows successful status codes in
the response sent to the client.
The old method of setting the X-Status-Code header will now throw a deprecation warning.
Instead, in your exception listener you simply call `GetResponseForExceptionEvent::allowCustomResponseCode()` which will tell the Kernel not to override the status code of the event's response object.
Currenty the `X-Status-Code` header will still be removed, so as not to change the existing behaviour, but this is something we can remove in 4.0.
TODO:
- [x] Replace usage of X-Status-Code in `FormAuthenticationEntryPoint`
- [x] Open Silex issue
- [x] Rename method on the response
- [x] Ensure correct response code is set in `AuthenticationEntryPointInterface` implementations
- [x] Ensure the exception listeners are marking `GetResponseForExceptionEvent` as allowing a custom response code
- [x] In the Security component we should only use the new method of setting a custom response code if it is available, and fall back to the `X-Status-Code` method
Commits
-------
cc0ef282cd [HttpKernel] Deprecate X-Status-Code for better alternative
Passing multiple user providers to the context listener does not make
much sense. The listener is only responsible to refresh users for a
particular firewall. Thus, it must only be aware of the user provider
for this particular firewall.
This marks the X-Status-Code header method of setting a custom response
status code in exception listeners as deprecated. Instead there is now
a new method on the GetResponseForExceptionEvent that allows successful
status codes in the response sent to the client.
* 3.2:
Refactored other PHPUnit method calls to work with namespaced PHPUnit 6
Refactored other PHPUnit method calls to work with namespaced PHPUnit 6
Further refactorings to PHPUnit namespaces
resolve parameters in definition classes
* 2.8:
Refactored other PHPUnit method calls to work with namespaced PHPUnit 6
Further refactorings to PHPUnit namespaces
resolve parameters in definition classes
This PR was squashed before being merged into the 2.8 branch (closes#21663).
Discussion
----------
Updated PHPUnit namespaces
| Q | A
| ------------- | ---
| Branch? | 2.8
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Follow Up of #21564
Commits
-------
205ced4 Updated PHPUnit namespaces
* 3.2:
Fix typo in process error message
Update to PHPUnit namespaces
Minor typo fix messsagesData -> messagesData
remove translation data collector when not usable
This PR was squashed before being merged into the 3.3-dev branch (closes#21450).
Discussion
----------
[Security] Lazy load guard authenticators and authentication providers
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Authentication stops on the first authenticator that fails or succeeds, let's instantiate them only if actually needed.
Commits
-------
cd6422ae73 [SecurityBundle] Lazy load authentication providers
b8a23ded63 [Security][Guard] Lazy load authenticators
* 3.2: (27 commits)
Improve tracking of environment variables in the case of private services
[DI] Align AutowirePass with 2.8
property constraints can be added in child classes
added test for staticClassLoader in LazyLoadingMetadatafactory
fixed PHPUnit setUp and tearDown method visibility
spelling fixes
Readd Symfony version status in the toolbar
[Security] LdapUserProvider should not throw an exception if the UID key does not exist in an LDAP entry
make sure that null can be the invalid value
[VarDumper] Improve dump of AMQP* Object
Fix annotations cache folder path
[FrameworkBundle] Wire ArrayCache for annotation reader at bootstrap
Ignore missing 'debug.file_link_formatter' service in Debug bundle
[VarDumper] Fixed dumping of terminated generator
bumped Symfony version to 3.2.4
updated VERSION for 3.2.3
updated CHANGELOG for 3.2.3
bumped Symfony version to 2.8.18
updated VERSION for 2.8.17
updated CHANGELOG for 2.8.17
...
* 3.2: (40 commits)
fixed CS
fixed CS
fixed CS fixer config
fixed typo
Revert "fixed typo"
fixed typo
fixed CS
Avoid setting request attributes from signature arguments in AnnotationClassLoader
[DependencyInjection] Add some missing typehints in YamlFileLoader
[DependencyInjection] minor: Fix a DocBlock
[HttpKernel] Give higher priority to adding request formats
[Cache] Fix tags expiration
[PhpUnit] Blacklist DeprecationErrorHandler in stack traces
[PropertyInfo] Don't try to access a property thru a static method
[PropertyInfo] Exclude static methods form properties guessing
[Workflow] Added new validator to make sure each place has unique translation names
[Cache] [PdoAdapter] Fix MySQL 1170 error (blob as primary key)
[FrameworkBundle] Fix third level headers for MarkdownDescriptor
[Ldap] Using Ldap stored username instead of form submitted one
[Ldap] load users with the good username case
...
* 3.1: (31 commits)
fixed CS
fixed CS
fixed CS fixer config
fixed typo
Revert "fixed typo"
fixed typo
fixed CS
Avoid setting request attributes from signature arguments in AnnotationClassLoader
[DependencyInjection] Add some missing typehints in YamlFileLoader
[DependencyInjection] minor: Fix a DocBlock
[HttpKernel] Give higher priority to adding request formats
[PropertyInfo] Don't try to access a property thru a static method
[PropertyInfo] Exclude static methods form properties guessing
[FrameworkBundle] Fix third level headers for MarkdownDescriptor
[Ldap] Using Ldap stored username instead of form submitted one
[Ldap] load users with the good username case
[DoctrineBridge] Fixed invalid unique value as composite key
[Doctrine Bridge] fix UniqueEntityValidator for composite object primary keys
[TwigBundle] do not lose already set method calls
#20411 fix Yaml parsing for very long quoted strings
...
This PR was merged into the 3.3-dev branch.
Discussion
----------
[Security] use authenticated token for json authentication
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #21123
| License | MIT
| Doc PR | N/A
When using `UsernamePasswordJsonAuthenticationListener` with [LexikJWTAuthenticationBundle](https://github.com/lexik/LexikJWTAuthenticationBundle), we get a type exception
> Type error: Argument 1 passed to Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Authentication\AuthenticationSuccessHandler::handleAuthenticationSuccess() must implement interface Symfony\Component\Security\Core\User\UserInterface, string given, called in .../vendor/lexik/jwt-authentication-bundle/Security/Http/Authentication/AuthenticationSuccessHandler.php on line 47
This error occurs because the `UsernamePasswordJsonAuthenticationListener` send to the authentication success handler the token which have the user as a string and not the authenticated one that have a UserInterface as user.
Commits
-------
208c617716 use authenticated token for json authentication
This PR was squashed before being merged into the 3.3-dev branch (closes#21088).
Discussion
----------
Rename DebugAccessDecisionManager to TraceableAccessDecisionManager
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #21085
| License | MIT
[EDIT] No longer WIP, test passing. Also, test added to preserve BC with the SecurityBundle.
Commits
-------
c5e0e59 Rename DebugAccessDecisionManager to TraceableAccessDecisionManager
* 3.1:
fixed obsolete getMock() usage
fixed obsolete getMock() usage
fixed obsolete getMock() usage
[WebProfilerBundle] Display multiple HTTP headers in WDT
do not remove the Twig ExceptionController service
removed obsolete condition
do not try to register incomplete definitions
* 2.8:
fixed obsolete getMock() usage
fixed obsolete getMock() usage
[WebProfilerBundle] Display multiple HTTP headers in WDT
do not remove the Twig ExceptionController service
removed obsolete condition
do not try to register incomplete definitions
* 2.7:
[Validator] add Indonesian translation
fixed CS
[config] Fix issue when key removed and left value only
[Security] AbstractVoter method supportsAttribute gives false positive if attribute is zero (0)
This PR was merged into the 2.7 branch.
Discussion
----------
[Security] AbstractVoter->supportsAttribute gives false positive if attribute is zero (0)
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Issue is easy to reproduce with test giving negative data set.
0 should not pass as supported attribute for any set of attributes but it does as in_array in the method does not use flag 'strict' set to true.
As this is abstract voter and is used by users with their code flag 'strict' should be set to true.
Since is there in 2.7 and 2.8 (LTS) IMHO it should be fixed.
Commits
-------
8306530 [Security] AbstractVoter method supportsAttribute gives false positive if attribute is zero (0)
* 3.2: (51 commits)
[FrameworkBundle] [Workflow] Fix service marking store configuration
Fix merge
[Validator] add class name to the cache key
[Serializer] Remove AbstractObjectNormalizer::isAttributeToNormalize
Throw less misleading exception when property access not found
[Twig] Fix deprecations with Twig 1.29
[FrameworkBundle] Fix validation cache warmer with failing or missing classes
Fixed typo
[FrameworkBundle] Removed the kernel.debug parameter from the cache pool namespace seed
Fix email address
fix the docblock in regard to the role argument
[Bridge\Twig] Trigger deprecation when using FormExtension::$renderer
Don't use the "app" global variable in the profiler
[VarDumper] fix tests when xdebug is enabled
Fix merge
FIXED NON EXISTING TYPE DECLARATION
[Form] Add failing test for data collector bug
[Cache] Fix dumping SplDoublyLinkedList iter mode
[Form] Fix FormDataCollector
Ignore missing 'debug.file_link_formatter' service in Debug and Twig bundles
...
* 3.1: (28 commits)
Fix merge
[Validator] add class name to the cache key
[Serializer] Remove AbstractObjectNormalizer::isAttributeToNormalize
Throw less misleading exception when property access not found
[Twig] Fix deprecations with Twig 1.29
Fixed typo
[FrameworkBundle] Removed the kernel.debug parameter from the cache pool namespace seed
Fix email address
fix the docblock in regard to the role argument
Don't use the "app" global variable in the profiler
[VarDumper] fix tests when xdebug is enabled
Fix merge
FIXED NON EXISTING TYPE DECLARATION
[Cache] Fix dumping SplDoublyLinkedList iter mode
[Console] fixed PHP7 Errors when not using Dispatcher
Regression test for missing controller arguments (3.1)
Regression test for missing controller arguments
fix a test checking for a value
[Form][DX] FileType "multiple" fixes
fixed CS
...
* 2.8:
[Twig] Fix deprecations with Twig 1.29
Fixed typo
Fix email address
fix the docblock in regard to the role argument
[VarDumper] fix tests when xdebug is enabled
Fix merge
[Cache] Fix dumping SplDoublyLinkedList iter mode
[Console] fixed PHP7 Errors when not using Dispatcher
Regression test for missing controller arguments
fix a test checking for a value
[Form][DX] FileType "multiple" fixes
fixed CS
[TwigBundle] Fix twig loader registered twice
[WebProfilerBundle] Fix dump block is unfairly restrained
[Console] Fix wrong handling of multiline arg/opt descriptions
[DependencyInjection] PhpDumper.php: hasReference() should not search references in lazy service arguments.
[Form] fixed "empty_value" option deprecation
Cast result to int before adding to it
* 3.2:
[Routing] Fail properly when a route parameter name cannot be used as a PCRE subpattern name
[FrameworkBundle] Improve performance of ControllerNameParser
Update documentation link to the component
[HttpFoundation] Add links to RFC-7231
[DI] Initialize properties before method calls
[Bridge/Doctrine] Use cache.prefix.seed parameter for generating cache namespace
Tag missing internals
Add missing example for 'path' argument in debug:config
[WebProfilerBundle] Dont use request attributes in RouterController
Fix complete config tests
* 3.1:
[Routing] Fail properly when a route parameter name cannot be used as a PCRE subpattern name
[FrameworkBundle] Improve performance of ControllerNameParser
Update documentation link to the component
[HttpFoundation] Add links to RFC-7231
[DI] Initialize properties before method calls
Tag missing internals
[WebProfilerBundle] Dont use request attributes in RouterController
Fix complete config tests
* 2.8:
[Routing] Fail properly when a route parameter name cannot be used as a PCRE subpattern name
[FrameworkBundle] Improve performance of ControllerNameParser
Update documentation link to the component
[HttpFoundation] Add links to RFC-7231
[DI] Initialize properties before method calls
Tag missing internals
[WebProfilerBundle] Dont use request attributes in RouterController
Fix complete config tests
* 2.7:
[Routing] Fail properly when a route parameter name cannot be used as a PCRE subpattern name
[FrameworkBundle] Improve performance of ControllerNameParser
Update documentation link to the component
[HttpFoundation] Add links to RFC-7231
[DI] Initialize properties before method calls
Tag missing internals
[WebProfilerBundle] Dont use request attributes in RouterController
Fix complete config tests
This PR was merged into the 2.7 branch.
Discussion
----------
Tag missing internals
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | N/A
| License | MIT
| Doc PR | N/A
Commits
-------
97e94b4 Tag missing internals
* 3.2: (24 commits)
[Filesystem] Remove extra argv in dumpFile() tests
[DI] minor FileLoaders tests update
[FrameworkBundle] Add framework.cache.prefix_seed for predictible cache key prefixes
[SecurityBundle] Remove FirewallContext mandatory FirewallConfig argument deprecation
[HttpKernel] Revert BC breaking change of Request::isMethodSafe()
[DI] Allow null as default env value
[WebProfilerBundle] Fix deprecated uses of profiler_dump
[SecurityBundle] Fix FirewallConfig nullable arguments
[FrameworkBundle] Avoid warming up the validator cache for non-existent classes
[DOMCrawler] Bug fixed
[FrameworkBundle] Mark cache.default_*_provider services private
[Process] Do feat test before enabling TTY mode
bumped Symfony version to 3.1.8
updated VERSION for 3.1.7
updated CHANGELOG for 3.1.7
bumped Symfony version to 2.8.15
updated VERSION for 2.8.14
updated CHANGELOG for 2.8.14
bumped Symfony version to 2.7.22
updated VERSION for 2.7.21
...
* 3.1:
[Filesystem] Remove extra argv in dumpFile() tests
[DI] minor FileLoaders tests update
[HttpKernel] Revert BC breaking change of Request::isMethodSafe()
[DOMCrawler] Bug fixed
[FrameworkBundle] Mark cache.default_*_provider services private
[Process] Do feat test before enabling TTY mode
bumped Symfony version to 3.1.8
updated VERSION for 3.1.7
updated CHANGELOG for 3.1.7
bumped Symfony version to 2.8.15
updated VERSION for 2.8.14
updated CHANGELOG for 2.8.14
bumped Symfony version to 2.7.22
updated VERSION for 2.7.21
update CONTRIBUTORS for 2.7.21
updated CHANGELOG for 2.7.21
Fix annotation type for $context
[Doctrine][Form] support large integers
* 2.8:
[DI] minor FileLoaders tests update
[HttpKernel] Revert BC breaking change of Request::isMethodSafe()
[DOMCrawler] Bug fixed
[Process] Do feat test before enabling TTY mode
bumped Symfony version to 2.8.15
updated VERSION for 2.8.14
updated CHANGELOG for 2.8.14
bumped Symfony version to 2.7.22
updated VERSION for 2.7.21
update CONTRIBUTORS for 2.7.21
updated CHANGELOG for 2.7.21
Fix annotation type for $context
[Doctrine][Form] support large integers
* 2.7:
[DI] minor FileLoaders tests update
[HttpKernel] Revert BC breaking change of Request::isMethodSafe()
[DOMCrawler] Bug fixed
[Process] Do feat test before enabling TTY mode
bumped Symfony version to 2.7.22
updated VERSION for 2.7.21
update CONTRIBUTORS for 2.7.21
updated CHANGELOG for 2.7.21
[Doctrine][Form] support large integers
* 3.1:
[Debug] Remove GLOBALS from exception context to avoid endless recursion
[Serializer] Improve test coverage of the MaxDepth annotation
DX: replace @link with @see annotation
bumped min version of Twig to 1.28
* 3.1:
Minor fixes & cleanups
[DependencyInjection] Add missing PHPDoc type
Correct a typo in the ReflectionExtractor's description
[HttpFoundation] JSONP callback validation
[Console] Improved the explanation of the hasOption() method
Uniformize exception vars according to our CS
add missing use statement
bug #18042 [Security] $attributes can be anything, but RoleVoter assumes strings
* 2.8:
[DependencyInjection] Add missing PHPDoc type
Correct a typo in the ReflectionExtractor's description
[HttpFoundation] JSONP callback validation
[Console] Improved the explanation of the hasOption() method
Uniformize exception vars according to our CS
add missing use statement
bug #18042 [Security] $attributes can be anything, but RoleVoter assumes strings
* 2.7:
[HttpFoundation] JSONP callback validation
[Console] Improved the explanation of the hasOption() method
add missing use statement
bug #18042 [Security] $attributes can be anything, but RoleVoter assumes strings
This PR was merged into the 2.7 branch.
Discussion
----------
[Security] $attributes can be anything, but RoleVoter assumes strings
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | yes
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #18042
| License | MIT
| Doc PR | reference to the documentation PR, if any
Commits
-------
ad3ac95 bug #18042 [Security] $attributes can be anything, but RoleVoter assumes strings
* 3.1:
expectedException expects FQCN
Fixed expectedException annotations
[Cache] Fix password used to make the redis connection.
Security and validators messages translation to Latvian
[Form] FormView->isRendered() remove dead code and simplify the flow
Fixed issue with legacy find() method not working as expected
* 2.8:
expectedException expects FQCN
Fixed expectedException annotations
Security and validators messages translation to Latvian
[Form] FormView->isRendered() remove dead code and simplify the flow
* 2.7:
Fixed expectedException annotations
Security and validators messages translation to Latvian
[Form] FormView->isRendered() remove dead code and simplify the flow
* 3.1:
[travis/appveyor] Wire simple-phpunit
[Console] fixed PHP7 Errors are now handled and converted to Exceptions
Fix#19721
Fix translation:update command count
bumped Symfony version to 2.8.12
updated VERSION for 2.8.11
updated CHANGELOG for 2.8.11
bumped Symfony version to 2.7.19
updated VERSION for 2.7.18
update CONTRIBUTORS for 2.7.18
updated CHANGELOG for 2.7.18
[Security] Optimize RoleHierarchy's buildRoleMap method
[FrameworkBundle] Fix Incorrect line break in exception message (500 debug page)
[Security] Added note inside phpdoc.
Minor cleanups and improvements
[form] lazy trans `post_max_size_message`.
[DI] Fix setting synthetic services on ContainerBuilder
[ClassLoader] Fix ClassCollectionLoader inlining with declare(strict_types=1)
* 2.8:
[travis/appveyor] Wire simple-phpunit
[Console] fixed PHP7 Errors are now handled and converted to Exceptions
Fix#19721
Fix translation:update command count
bumped Symfony version to 2.8.12
updated VERSION for 2.8.11
updated CHANGELOG for 2.8.11
bumped Symfony version to 2.7.19
updated VERSION for 2.7.18
update CONTRIBUTORS for 2.7.18
updated CHANGELOG for 2.7.18
[Security] Optimize RoleHierarchy's buildRoleMap method
* 2.7:
[travis/appveyor] Wire simple-phpunit
[Console] fixed PHP7 Errors are now handled and converted to Exceptions
Fix#19721
bumped Symfony version to 2.7.19
updated VERSION for 2.7.18
update CONTRIBUTORS for 2.7.18
updated CHANGELOG for 2.7.18
[Security] Optimize RoleHierarchy's buildRoleMap method
This PR was squashed before being merged into the 2.7 branch (closes#19868).
Discussion
----------
[Security] Optimize RoleHierarchy's buildRoleMap method
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | no
| License | MIT
| Doc PR | no
I have an issue with a large role hierarchy(~150 roles). Optimized it a little bit
![image](https://cloud.githubusercontent.com/assets/858989/18271257/df6c4ba0-7439-11e6-8406-e13bdcefe9ca.png)
Commits
-------
c3b68b0 [Security] Optimize RoleHierarchy's buildRoleMap method
* 3.1:
[FrameworkBundle] Check for class existence before is_subclass_of
Update GroupSequence.php
Code enhancement and cleanup
[Form] Fix transformer tests after the ICU update
[DI] Add anti-regression test
Revert "minor #19689 [DI] Cleanup array_key_exists (ro0NL)"
bumped Symfony version to 3.1.5
updated VERSION for 3.1.4
updated CHANGELOG for 3.1.4
bumped Symfony version to 2.8.11
updated VERSION for 2.8.10
updated CHANGELOG for 2.8.10
[BrowserKit] Fix cookie expiration on 32 bit systems
bumped Symfony version to 2.7.18
updated VERSION for 2.7.17
update CONTRIBUTORS for 2.7.17
updated CHANGELOG for 2.7.17
Update misleading comment about RFC4627
* 2.8:
[FrameworkBundle] Check for class existence before is_subclass_of
Update GroupSequence.php
Code enhancement and cleanup
[Form] Fix transformer tests after the ICU update
[DI] Add anti-regression test
Revert "minor #19689 [DI] Cleanup array_key_exists (ro0NL)"
bumped Symfony version to 2.8.11
updated VERSION for 2.8.10
updated CHANGELOG for 2.8.10
[BrowserKit] Fix cookie expiration on 32 bit systems
bumped Symfony version to 2.7.18
updated VERSION for 2.7.17
update CONTRIBUTORS for 2.7.17
updated CHANGELOG for 2.7.17
Update misleading comment about RFC4627
* 2.7:
[FrameworkBundle] Check for class existence before is_subclass_of
Update GroupSequence.php
Code enhancement and cleanup
[DI] Add anti-regression test
Revert "minor #19689 [DI] Cleanup array_key_exists (ro0NL)"
[BrowserKit] Fix cookie expiration on 32 bit systems
bumped Symfony version to 2.7.18
updated VERSION for 2.7.17
update CONTRIBUTORS for 2.7.17
updated CHANGELOG for 2.7.17
Update misleading comment about RFC4627
* 3.1:
fix typo
add "provides" for psr/cache-implementation
[Validator][GroupSequence] fixed GroupSequence validation ignores PropertyMetadata of parent classes
[FrameworkBundle][Security] Remove useless mocks
Add symfony/inflector to composer.json "replaces"
[DoctrineBridge] Enhance exception message in EntityUserProvider
added friendly exception when constraint validator does not exist or it is not enabled
remove duplicate instruction
[FrameworkBundle] Remove TranslatorBagInterface check
[FrameworkBundle] Remove duplicated code in RouterDebugCommand
[Validator] fixed duplicate constraints with parent class interfaces
SecurityBundle:BasicAuthenticationListener: removed a default argument on getting a header value
* 2.8:
[Validator][GroupSequence] fixed GroupSequence validation ignores PropertyMetadata of parent classes
[FrameworkBundle][Security] Remove useless mocks
[DoctrineBridge] Enhance exception message in EntityUserProvider
added friendly exception when constraint validator does not exist or it is not enabled
remove duplicate instruction
[FrameworkBundle] Remove TranslatorBagInterface check
[FrameworkBundle] Remove duplicated code in RouterDebugCommand
[Validator] fixed duplicate constraints with parent class interfaces
SecurityBundle:BasicAuthenticationListener: removed a default argument on getting a header value
* 2.7:
[Validator][GroupSequence] fixed GroupSequence validation ignores PropertyMetadata of parent classes
[FrameworkBundle][Security] Remove useless mocks
[DoctrineBridge] Enhance exception message in EntityUserProvider
added friendly exception when constraint validator does not exist or it is not enabled
remove duplicate instruction
[FrameworkBundle] Remove TranslatorBagInterface check
[FrameworkBundle] Remove duplicated code in RouterDebugCommand
[Validator] fixed duplicate constraints with parent class interfaces
SecurityBundle:BasicAuthenticationListener: removed a default argument on getting a header value
* 3.1:
[VarDumper] Fix dumping jsons casted as arrays
PassConfig::getMergePass is not an array
Revert "bug #19114 [HttpKernel] Dont close the reponse stream in debug (nicolas-grekas)"
[Serializer] Include the format in the cache key
Fix the retrieval of the last username when using forwarding
[Yaml] Fix PHPDoc of the Yaml class
[HttpFoundation] Add OPTIONS and TRACE to the list of safe methods
Update getAbsoluteUri() for query string uris
Conflicts:
src/Symfony/Component/DependencyInjection/Compiler/PassConfig.php
src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
* 3.0:
[VarDumper] Fix dumping jsons casted as arrays
PassConfig::getMergePass is not an array
Revert "bug #19114 [HttpKernel] Dont close the reponse stream in debug (nicolas-grekas)"
Fix the retrieval of the last username when using forwarding
[Yaml] Fix PHPDoc of the Yaml class
[HttpFoundation] Add OPTIONS and TRACE to the list of safe methods
Update getAbsoluteUri() for query string uris
Conflicts:
src/Symfony/Component/Yaml/Yaml.php
* 2.8:
[VarDumper] Fix dumping jsons casted as arrays
PassConfig::getMergePass is not an array
Revert "bug #19114 [HttpKernel] Dont close the reponse stream in debug (nicolas-grekas)"
Fix the retrieval of the last username when using forwarding
[Yaml] Fix PHPDoc of the Yaml class
[HttpFoundation] Add OPTIONS and TRACE to the list of safe methods
Update getAbsoluteUri() for query string uris
* 2.7:
[VarDumper] Fix dumping jsons casted as arrays
PassConfig::getMergePass is not an array
Revert "bug #19114 [HttpKernel] Dont close the reponse stream in debug (nicolas-grekas)"
Fix the retrieval of the last username when using forwarding
[Yaml] Fix PHPDoc of the Yaml class
[HttpFoundation] Add OPTIONS and TRACE to the list of safe methods
Update getAbsoluteUri() for query string uris
* 3.1:
[HttpKernel] fixed internal subrequests having an if-modified-since-header
[Security] Fix deprecated usage of DigestAuthenticationEntryPoint::getKey() in DigestAuthenticationListener
[Validator] Added additional MasterCard range to the CardSchemeValidator
Make the exception message more clear.
[Form] fixed bug - name in ButtonBuilder
[DoctrineBridge] added missing error code for constraint.
[ClassLoader] Fix declared classes being computed when not needed
[varDumper] Fix missing usage of ExceptionCaster::$traceArgs
* 3.0:
[HttpKernel] fixed internal subrequests having an if-modified-since-header
[Security] Fix deprecated usage of DigestAuthenticationEntryPoint::getKey() in DigestAuthenticationListener
[Validator] Added additional MasterCard range to the CardSchemeValidator
Make the exception message more clear.
[Form] fixed bug - name in ButtonBuilder
[DoctrineBridge] added missing error code for constraint.
[ClassLoader] Fix declared classes being computed when not needed
[varDumper] Fix missing usage of ExceptionCaster::$traceArgs
* 2.8:
[HttpKernel] fixed internal subrequests having an if-modified-since-header
[Security] Fix deprecated usage of DigestAuthenticationEntryPoint::getKey() in DigestAuthenticationListener
[Validator] Added additional MasterCard range to the CardSchemeValidator
Make the exception message more clear.
[Form] fixed bug - name in ButtonBuilder
[DoctrineBridge] added missing error code for constraint.
[ClassLoader] Fix declared classes being computed when not needed
[varDumper] Fix missing usage of ExceptionCaster::$traceArgs
Conflicts:
src/Symfony/Bridge/Doctrine/Validator/Constraints/UniqueEntityValidator.php
src/Symfony/Component/ClassLoader/ClassCollectionLoader.php
* 3.1:
[VarDumper] Fix indentation trimming in ExceptionCaster
[HttpKernel] Clarify deprecation of non-scalar values in surrogate renderer
removed @since
[Security] fixed DebugAccessDecisionManager::setVoters()
Remove and change unrelevant comments in Validator and Security components.
[Validator] add missing interface use statement for phpdoc block return type.
[Validator] UuidValidator must accept a Uuid constraint.
[Validator] make UuidValidator class formatting consistent.
Conflicts:
src/Symfony/Component/Validator/Tests/Constraints/AbstractConstraintValidatorTest.php
* 3.0:
[VarDumper] Fix indentation trimming in ExceptionCaster
removed @since
Remove and change unrelevant comments in Validator and Security components.
[Validator] add missing interface use statement for phpdoc block return type.
[Validator] UuidValidator must accept a Uuid constraint.
[Validator] make UuidValidator class formatting consistent.
* 2.7:
removed @since
Remove and change unrelevant comments in Validator and Security components.
[Validator] UuidValidator must accept a Uuid constraint.
[Validator] make UuidValidator class formatting consistent.
* 3.1: (22 commits)
[travis] Fix deps=low/high builds
[Form] Fix depreciation triggers
fixed CS
skip test with current phpunit bridge
Fix for #19183 to add support for new PHP MongoDB extension in sessions.
[Console] Fix for block() padding formatting after #19189
[Security][Guard] check if session exist before using it
bumped Symfony version to 3.1.3
updated VERSION for 3.1.2
updated CHANGELOG for 3.1.2
bumped Symfony version to 3.0.9
updated VERSION for 3.0.8
updated CHANGELOG for 3.0.8
bumped Symfony version to 2.8.9
updated VERSION for 2.8.8
updated CHANGELOG for 2.8.8
bumped Symfony version to 2.7.16
updated VERSION for 2.7.15
update CONTRIBUTORS for 2.7.15
updated CHANGELOG for 2.7.15
...
Conflicts:
src/Symfony/Component/HttpKernel/Kernel.php
* 3.0:
[travis] Fix deps=low/high builds
fixed CS
skip test with current phpunit bridge
Fix for #19183 to add support for new PHP MongoDB extension in sessions.
[Console] Fix for block() padding formatting after #19189
[Security][Guard] check if session exist before using it
bumped Symfony version to 3.0.9
updated VERSION for 3.0.8
updated CHANGELOG for 3.0.8
bumped Symfony version to 2.8.9
updated VERSION for 2.8.8
updated CHANGELOG for 2.8.8
bumped Symfony version to 2.7.16
updated VERSION for 2.7.15
update CONTRIBUTORS for 2.7.15
updated CHANGELOG for 2.7.15
Fix some lowest deps
Fixed typos in the expectedException annotations
Conflicts:
src/Symfony/Component/HttpKernel/Kernel.php
src/Symfony/Component/Security/Guard/Authenticator/AbstractFormLoginAuthenticator.php
* 2.8:
[travis] Fix deps=low/high builds
fixed CS
skip test with current phpunit bridge
Fix for #19183 to add support for new PHP MongoDB extension in sessions.
[Console] Fix for block() padding formatting after #19189
[Security][Guard] check if session exist before using it
bumped Symfony version to 2.8.9
updated VERSION for 2.8.8
updated CHANGELOG for 2.8.8
bumped Symfony version to 2.7.16
updated VERSION for 2.7.15
update CONTRIBUTORS for 2.7.15
updated CHANGELOG for 2.7.15
Fix some lowest deps
Fixed typos in the expectedException annotations
Conflicts:
CHANGELOG-2.7.md
CHANGELOG-3.0.md
src/Symfony/Bundle/FrameworkBundle/composer.json
src/Symfony/Component/HttpFoundation/Tests/Session/Storage/Handler/MongoDbSessionHandlerTest.php
src/Symfony/Component/HttpKernel/Kernel.php
src/Symfony/Component/HttpKernel/composer.json
src/Symfony/Component/Yaml/Tests/ParserTest.php
* 3.1:
Fixed BC Layer in DoctrineChoiceLoader
[HttpKernel] Add listener that checks when request has both Forwarded and X-Forwarded-For
[HttpKernel] Move conflicting origin IPs handling to catch block
[travis] Fix deps=low/high patching
Fixed some issues of the AccessDecisionManager profiler
[DoctrineBridge] fixed default parameter value in UniqueEntityValidator
This PR was squashed before being merged into the 3.1 branch (closes#18934).
Discussion
----------
Fixed some issues of the AccessDecisionManager profiler
| Q | A
| ------------- | ---
| Branch? | 3.1
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #19022https://github.com/symfony/symfony-standard/issues/968https://github.com/schmittjoh/JMSSecurityExtraBundle/issues/207
| License | MIT
| Doc PR | -
Commits
-------
082f1b5 Fixed some issues of the AccessDecisionManager profiler
* 3.1:
fixed CS
fixed CS
fixed CS
fixed form tests
[Console] Fix formatting of SymfonyStyle::comment()
[Form] fix post max size translation type extension for >= 2.8
[Security] Allow LDAP loadUser override
removed dots at the end of @param and @return
fixed typo
* 3.0:
fixed CS
fixed CS
fixed form tests
[Console] Fix formatting of SymfonyStyle::comment()
[Form] fix post max size translation type extension for >= 2.8
removed dots at the end of @param and @return
fixed typo
* 2.8:
fixed CS
fixed form tests
[Console] Fix formatting of SymfonyStyle::comment()
[Form] fix post max size translation type extension for >= 2.8
removed dots at the end of @param and @return
fixed typo
This PR was merged into the 3.1 branch.
Discussion
----------
[Security] Allow LDAP loadUser override
| Q | A
| ------------- | ---
| Branch? | 3.1
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Back to 3.0, one could extend `Symfony\Component\Security\Core\User\LdapUserProvider` and override how User objects are created.
Among several improvements, #17560 changed `loadUser` signature but also visibility to `private` which disallow any overriding.
Even if the signature BC break is legitimate, we should still be able to override this method IMHO, which is not possible with a private visibility.
This PRs introduces a `protected` visibility to allow again overriding.
Commits
-------
ae99aa8 [Security] Allow LDAP loadUser override
* 3.1:
[CS] Respect PSR2 4.2
[Form] fix `empty_data` option in expanded `ChoiceType`
[Console] removed unneeded private methods
updated Http-Kernel dependency
[Security] [Guard] Improve comment with working example
sync min email validator version
[TwigBridge] Fix inconsistency in LintCommand help
explicitly forbid e-mail validator 2.0 or higher
Fixed SymfonyQuestionHelper multi-choice with defaults
[DoctrineBridge] Don't use object IDs in DoctrineChoiceLoader when passing a value closure
Differentiate between the first time a progress bar is displayed and subsequent times
finished previous commit
No more exception for malformed input name
fix post_max_size_message translation
[Process] Fix pipes cleaning on Windows
Avoid phpunit 5.4 warnings on getMock
[Form] Add exception to FormRenderer about non-unique block names
[FrameworkBundle] templating can be fully disabled
[Form] Consider a violation even if the form is not submitted
* 3.0:
[CS] Respect PSR2 4.2
[Form] fix `empty_data` option in expanded `ChoiceType`
[Console] removed unneeded private methods
[Security] [Guard] Improve comment with working example
sync min email validator version
[TwigBridge] Fix inconsistency in LintCommand help
explicitly forbid e-mail validator 2.0 or higher
Fixed SymfonyQuestionHelper multi-choice with defaults
[DoctrineBridge] Don't use object IDs in DoctrineChoiceLoader when passing a value closure
Differentiate between the first time a progress bar is displayed and subsequent times
finished previous commit
No more exception for malformed input name
fix post_max_size_message translation
[Process] Fix pipes cleaning on Windows
Avoid phpunit 5.4 warnings on getMock
[Form] Add exception to FormRenderer about non-unique block names
[Form] Consider a violation even if the form is not submitted
* 2.8:
[CS] Respect PSR2 4.2
[Form] fix `empty_data` option in expanded `ChoiceType`
[Console] removed unneeded private methods
[Security] [Guard] Improve comment with working example
sync min email validator version
[TwigBridge] Fix inconsistency in LintCommand help
explicitly forbid e-mail validator 2.0 or higher
Fixed SymfonyQuestionHelper multi-choice with defaults
[DoctrineBridge] Don't use object IDs in DoctrineChoiceLoader when passing a value closure
Differentiate between the first time a progress bar is displayed and subsequent times
finished previous commit
No more exception for malformed input name
fix post_max_size_message translation
[Process] Fix pipes cleaning on Windows
Avoid phpunit 5.4 warnings on getMock
[Form] Add exception to FormRenderer about non-unique block names
[Form] Consider a violation even if the form is not submitted
* 3.1:
fixed CS
fixed CS
fixed CS
fixed CS
tweaked default CS fixer config
[HttpKernel] Dont close the output stream in debug
move HttpKernel component to require section
Fixed oci and sqlsrv merge queries when emulation is disabled - fixes#17284
[Session] fix PDO transaction aborted under PostgreSQL
[Console] Use InputInterface inherited doc as possible
Mention generating absolute urls in UPGRADE files and CHANGELOG
parse embedded mappings only if value is a string
add docblock type elements to support newly added IteratorAggregate::getIterator PhpStorm support
FormBuilderInterface: fix getForm() return type.
[YAML] Fixed parsing problem with nested DateTime lists
Fixed typo in PHPDoc
* 3.1:
[travis] Don't use parallel on HHVM
[HttpKernel] Fix RequestDataCollector starting the session
[appveyor] Ignore STATUS_HEAP_CORRUPTION errors on Windows
[FrameworkBundle] Skip redis cache pools test on failed connection
Fixed forwarded request data in templates
[Security] Fix DebugAccessDecisionManager when object is not a scalar
Skip some tests on HHVM due to a PHPunit bug
Use the Trusty Travis infrastructure for HHVM builds
LdapUserProvider: add missing argument type doc
Fixed issue with missing argument in the abstract service definition for the ldap user provider
Add 3.1 to PR template branch row, remove 2.3
Improve memory efficiency
[Console] Fix BC break introduced by #18101
document method name changes in Voter class
add missing hint for vote() argument type
[#18838] add a test to avoid regressions
bumped Symfony version to 3.1.1
updated VERSION for 3.1.0
updated CHANGELOG for 3.1.0
Conflicts:
src/Symfony/Component/HttpKernel/Kernel.php
* 3.1:
[Console] SymfonyStyle: Align multi-line/very-long-line blocks
[Console][DX] Fixed ambiguous error message when using a duplicate option shortcut
Fix js comment in profiler
[Ldap] Fixed issue with Entry password attribute containing array of values and made password attribute configurable
[Serializer][#18837] adding a test
[Cache] Drop counting hit/miss in ProxyAdapter
[Serializer] AbstractObjectNormalizer: be sure that isAllowedAttribute is called
[Serializer] ObjectNormalizer: add missing parameters
* 3.0: (31 commits)
Drop hirak/prestissimo
[MonologBridge] Uninstallable together with symfony/http-kernel in 3.0.6
bumped Symfony version to 3.0.7
updated VERSION for 3.0.6
updated CHANGELOG for 3.0.6
bumped Symfony version to 2.8.7
updated VERSION for 2.8.6
updated CHANGELOG for 2.8.6
bumped Symfony version to 2.7.14
updated VERSION for 2.7.13
updated CHANGELOG for 2.7.13
bumped Symfony version to 2.3.42
[Debug] Fix fatal error handlers on PHP 7
updated VERSION for 2.3.41
update CONTRIBUTORS for 2.3.41
updated CHANGELOG for 2.3.41
fixed bad merge
Fixed issue with blank password with Ldap
limited the maximum length of a submitted username
[2.3][Component/Security] Fixed phpdoc in AnonymousToken constructor for user param
...
Conflicts:
src/Symfony/Component/DependencyInjection/Compiler/AutowirePass.php
src/Symfony/Component/DependencyInjection/Tests/Compiler/AutowirePassTest.php
src/Symfony/Component/HttpKernel/Kernel.php
This PR was merged into the 2.8 branch.
Discussion
----------
Fixed issue with blank password with Ldap
| Q | A
| ------------- | ---
| Branch? | 1.8
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Commits
-------
c7d9c62 Fixed issue with blank password with Ldap
The bind operation of LDAP, as described in RFC 4513, provides a method
which allows for authentication of users. For the Simple Authentication
Method a user may use the anonymous authentication mechanism, the
unauthenticated authentication mechanism, or the name/password
authentication mechanism. The unauthenticated authentication mechanism
is used when a client who desires to establish an anonymous
authorization state passes a non-zero length distinguished name and a
zero length password. Most LDAP servers either can be configured to
allow this mechanism or allow it by default.
_Web-based applications which perform the simple bind operation with the
client's credentials are at risk when an anonymous authorization state is
established. This can occur when the web-based application passes a
distinguished name and a zero length password to the LDAP server._
Thus, misconfiguring a server with simple bind can trick Symfony into
thinking the username/password tuple as valid, potentially leading to
unauthorized access.
* 2.8:
[2.3][Component/Security] Fixed phpdoc in AnonymousToken constructor for user param
prevent calling get() for service_container service
call get() after the container was compiled
Fixed readme of OptionsResolver
top-level anonymous services must be public
[DependencyInjection] Suggest ExpressionLanguage in composer.json
added a conflict between Monolog bridge 2.8 and HTTP Kernel 3.0+
* 2.7:
[2.3][Component/Security] Fixed phpdoc in AnonymousToken constructor for user param
prevent calling get() for service_container service
call get() after the container was compiled
Fixed readme of OptionsResolver
[DependencyInjection] Suggest ExpressionLanguage in composer.json
* 2.3:
[2.3][Component/Security] Fixed phpdoc in AnonymousToken constructor for user param
call get() after the container was compiled
Fixed readme of OptionsResolver
This PR was squashed before being merged into the 2.3 branch (closes#18727).
Discussion
----------
[2.3][Component/Security] Fixed phpdoc in AnonymousToken constructor for user param
| Q | A
| ------------- | ---
| Branch? | 2.3
| Bug fix? | yes, phpdoc one
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Updated phpdoc of AnonymousToken $user param from string to string|object since an object is allowed to in the parent AbstractToken: https://github.com/symfony/symfony/blob/2.3/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php#L91
Commits
-------
b1c60b4 [2.3][Component/Security] Fixed phpdoc in AnonymousToken constructor for user param
* 2.8:
add @Event annotation for AuthenticationEvents
bumped Symfony version to 2.8.6
[PropertyInfo] PHPDoc correction
add @Event annotation for KernelEvents
updated VERSION for 2.8.5
updated CHANGELOG for 2.8.5
bumped Symfony version to 2.7.13
updated VERSION for 2.7.12
update CONTRIBUTORS for 2.7.12
updated CHANGELOG for 2.7.12
bumped Symfony version to 2.3.41
updated VERSION for 2.3.40
update CONTRIBUTORS for 2.3.40
updated CHANGELOG for 2.3.40
Revert "minor #18257 [Routing] Don't needlessly execute strtr's as they are fairly expensive (arjenm)"
Revert "fixed CS"
fixed deprecation notices in tests
[Security] Normalize "symfony/security-acl" dependency versions across all composer.json files
[FrameworkBundle] Remove misleading comment
bug #17460 [DI] fix ambiguous services schema
* 2.7:
add @Event annotation for AuthenticationEvents
add @Event annotation for KernelEvents
bumped Symfony version to 2.7.13
updated VERSION for 2.7.12
update CONTRIBUTORS for 2.7.12
updated CHANGELOG for 2.7.12
bumped Symfony version to 2.3.41
updated VERSION for 2.3.40
update CONTRIBUTORS for 2.3.40
updated CHANGELOG for 2.3.40
Revert "minor #18257 [Routing] Don't needlessly execute strtr's as they are fairly expensive (arjenm)"
Revert "fixed CS"
[FrameworkBundle] Remove misleading comment
bug #17460 [DI] fix ambiguous services schema
* 2.3:
add @Event annotation for AuthenticationEvents
bumped Symfony version to 2.3.41
updated VERSION for 2.3.40
update CONTRIBUTORS for 2.3.40
updated CHANGELOG for 2.3.40
bug #17460 [DI] fix ambiguous services schema
This PR was merged into the 3.1-dev branch.
Discussion
----------
add @Event annotation for AuthenticationEvents
| Q | A
| ------------- | ---
| Branch | 2.3
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #18684
| License | MIT
split of #18684 for targeting 2.3 branch
Commits
-------
e2c1270 add @Event annotation for AuthenticationEvents
This PR was merged into the 3.1-dev branch.
Discussion
----------
Updating the error message of an AuthenticationEntryPointInterface
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | not necessary
During a training, we forgot to fill in the `start()` method for an entry point and got a *horrible* error message. Now, if you mess up `start()`, you get:
![screen shot 2016-04-27 at 12 49 50 pm](https://cloud.githubusercontent.com/assets/121003/14860378/92578e68-0c76-11e6-9fe5-45141fe2ce43.png)
Thanks!
Commits
-------
7b6c56c Updating the error message of an AuthenticationEntryPointInterface returns a non-Response object
* 3.0: (24 commits)
[Filesystem] Better error handling in remove()
[DependencyInjection] Add coverage for invalid Expression in exportParameters
[DependencyInjection] Add coverage for all invalid arguments in exportParameters
anonymous services are always private
[Form] FormValidator removed code related to removed option
[Console] Correct time formatting.
[WebProfilerBundle] Fixed error from unset twig variable
Force profiler toolbar svg display
[DependencyInjection] Resolve aliases before removing abstract services + add tests
Fix Dom Crawler select option with empty value
Remove unnecessary option assignment
fix tests (use non-deprecated options)
remove unused variable
mock the proper method
[PropertyAccess] Fix regression
[HttpFoundation] Improve phpdoc
[Logging] Add support for firefox in ChromePhpHandler
Windows 10 version check in just one line
Detect CLI color support for Windows 10 build 10586
[Security] Fixed SwitchUserListener when exiting an impersonication with AnonymousToken
...
* 2.8: (23 commits)
[Filesystem] Better error handling in remove()
[DependencyInjection] Add coverage for invalid Expression in exportParameters
[DependencyInjection] Add coverage for all invalid arguments in exportParameters
anonymous services are always private
[Console] Correct time formatting.
[WebProfilerBundle] Fixed error from unset twig variable
Force profiler toolbar svg display
[DependencyInjection] Resolve aliases before removing abstract services + add tests
Fix Dom Crawler select option with empty value
Remove unnecessary option assignment
fix tests (use non-deprecated options)
remove unused variable
mock the proper method
[PropertyAccess] Fix regression
[HttpFoundation] Improve phpdoc
[Logging] Add support for firefox in ChromePhpHandler
Windows 10 version check in just one line
Detect CLI color support for Windows 10 build 10586
[Security] Fixed SwitchUserListener when exiting an impersonication with AnonymousToken
[EventDispatcher] Try first if the event is Stopped
...
* 2.7:
[HttpFoundation] Improve phpdoc
[Logging] Add support for firefox in ChromePhpHandler
Windows 10 version check in just one line
Detect CLI color support for Windows 10 build 10586
[Security] Fixed SwitchUserListener when exiting an impersonication with AnonymousToken
[EventDispatcher] Try first if the event is Stopped
[FrameworkBundle] fixes grammar in container:debug command manual.
[Form] fix "prototype" not required when parent form is not required
* 2.3:
[HttpFoundation] Improve phpdoc
[Logging] Add support for firefox in ChromePhpHandler
[Security] Fixed SwitchUserListener when exiting an impersonication with AnonymousToken
[Form] fix "prototype" not required when parent form is not required
If you configure a firewall with switch user with `role: IS_AUTHENTICATED_ANONYMOUSLY` it's impossible to exit the
impersonation because the next line `$this->provider->refreshUser($original->getUser())` will fail. It fails because `RefreshUser`
expects an instance of `UserInterface` and here it's a string.
Therefore, it does not make sense to refresh an Anonymous Token, right ?