This PR was merged into the 2.7 branch.
Discussion
----------
[Security] fix switch user _exit without having current token
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #22729
| License | MIT
| Doc PR | -
Attempting to `_exit` from a switched user caused an error when there was no token in the storage (this happens, for example, when not logged in and anonymous users are disallowed on that firewall):
```
[1] Symfony\Component\Debug\Exception\FatalThrowableError: Type error: Argument 1 passed to Symfony\Component\Security\Http\Firewall\SwitchUserListener::getOriginalToken()
must be an instance of Symfony\Component\Security\Core\Authentication\Token\TokenInterface, null given, called in
symfony/symfony/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php on line 164
```
Commits
-------
16da6861be [Security] fix switch user _exit without having current token
This PR was merged into the 3.4 branch.
Discussion
----------
[Profiler][Validator] Add a validator panel in profiler
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | N/A
| License | MIT
| Doc PR | N/A
I'm exploring the possibility of having a validator panel in the profiler.
The integration in the form panel is great, but there are a lot of other use-cases where you're likely to call the validator. The idea of this panel is to reference every call made to the validator (`ValidatorInterface::validate()` at least) along with detailed information.
Dealing with APIs and a mobile app, it's not always easy to get the response body within the app to get what's wrong with the call. So now with this panel, I'm able to get the details without the API response.
In action with Symfony demo (on the admin new post form):
![symfony-demo](https://cloud.githubusercontent.com/assets/2211145/25490828/579a2c96-2b6e-11e7-9574-fb0975a5db83.gif)
![capture d ecran 2017-04-27 a 17 14 24](https://cloud.githubusercontent.com/assets/2211145/25490866/77d76988-2b6e-11e7-83c7-a10613442a5e.png)
On another app, by calling the validator elsewhere:
|No violations|With violations|
|--|--|
|![capture d ecran 2017-04-27 a 17 16 41](https://cloud.githubusercontent.com/assets/2211145/25490861/741886f6-2b6e-11e7-9e18-5948312d0096.png)|![capture d ecran 2017-04-27 a 17 17 32](https://cloud.githubusercontent.com/assets/2211145/25490860/74128daa-2b6e-11e7-979f-0d39741cc172.png)|
What do you think?
---
Note: the SVG icon used should be changed. If anyone is willing to contribute and provide one, I'll be glad to add it!
Commits
-------
ac5e884f36 [Profiler][Validator] Add a validator panel in profiler
This PR was merged into the 3.3 branch.
Discussion
----------
[Validator] replace hardcoded service id
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #23224
| License | MIT
| Doc PR |
Commits
-------
44ff4b1a49 [Validator] replace hardcoded service id
This PR was merged into the 2.7 branch.
Discussion
----------
[Routing] Fix XmlFileLoader exception message
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| License | MIT
When an `XmlFileLoader` encounters an unknown tag it throws an exception with a message like `Unknown tag "foo" used in file "bar". Expected "default", "requirement" or "option".`. A proper message should be `Unknown tag "foo" used in file "bar". Expected "default", "requirement", "option" or "condition".`
Commits
-------
f6a94cb56f [Routing] Fix XmlFileLoader exception message
This PR was merged into the 2.7 branch.
Discussion
----------
[FrameworkBundle] Sessions: configurable "use_strict_mode" option for NativeSessionStorage
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| License | MIT
It is currently not possible to configure the `use_strict_mode` option for `NativeSessionStorage` in a proper manner.
The reason for this PR: https://github.com/symfony/symfony/pull/22352#issuecomment-302113533
It could be considered a new feature, but I wish it wouldn't, as I don't want to do any ugly hacking to get it working.
What else could be done?
* implement more options from `NativeSessionStorage` in the config?
* get rid of duplication somehow (maybe a static method in `NativeSessionStorage` that would return the option list and could be used in `FrameworkExtension`?)
* update `FrameworkExtensionTest`?
* update `ConfigurationTest`?
* update [the docs](https://symfony.com/doc/current/reference/configuration/framework.html#session)?
I'm willing to do those if decided.
Commits
-------
90e192e824 Sessions: configurable "use_strict_mode" option for NativeSessionStorage
This PR was squashed before being merged into the 3.4 branch (closes #22124).
Discussion
----------
Shift responsibility for keeping Date header to ResponseHeaderBag
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
This is an improvement over #22036. It shifts responsibility for preserving a `Date` header to the `ResponseHeaderBag`.
We already have similar logic there for the `Cache-Control` header.
Commits
-------
5d838360f3 Shift responsibility for keeping Date header to ResponseHeaderBag
This PR was submitted for the 2.7 branch but it was merged into the 3.4 branch instead (closes #23122).
Discussion
----------
Xml encoder optional type cast
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #22478
| License | MIT
| Doc PR | n/a
This fixes the issue where certain XML attributes are typecast when you don't want them to be, by providing the ability to opt out of any typecasting of XML attributes via an option in the context. If this is approved, then I'll add docs in the serializer component describing the new context option.
Commits
-------
8f6e67d319 XML Encoder Optional Type Cast
This PR was squashed before being merged into the 2.7 branch (closes #23195).
Discussion
----------
[FrameworkBundle] [Command] Clean bundle directory, fixes #23177
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | no
| Fixed tickets | #23177
| License | MIT
This PR fixes #23177.
When running `assets:install`, it will remove directories that no longer have a valid Bundle.
Commits
-------
180f178f43 [FrameworkBundle] [Command] Clean bundle directory, fixes #23177
This PR was merged into the 3.3 branch.
Discussion
----------
Fixed composer resources between web/cli
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no (reverts one)
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #23212
| License | MIT
| Doc PR | ~
This is a possible fix for the flawed module check for the composer resource. As this is the easiest fix, I've created a PR ready to be merged.
Commits
-------
9e047122f1 Fixed composer resources between web/cli
This PR was squashed before being merged into the 3.3 branch (closes #23160).
Discussion
----------
[WebProfilerBundle] Fix the icon for the Cache panel
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #23159
| License | MIT
| Doc PR | -
Commits
-------
50c1d478ce [WebProfilerBundle] Fix the icon for the Cache panel
This PR was merged into the 2.7 branch.
Discussion
----------
[TwigBundle] Add Content-Type header for exception response
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
This PR comes after I was looking to customize the way exceptions are served for a JSON API (grabbed the info at http://symfony.com/doc/current/controller/error_pages.html#overriding-the-default-exceptioncontroller).
I noticed that even when changing the request format to 'json' so that the right json.twig template is served:
```php
// in my override of the ExceptionController
public function showAction(Request $request, FlattenException $exception, DebugLoggerInterface $logger = null)
{
    $request->setRequestFormat('json');

    return parent::showAction($request, $exception, $logger);
}
```
the response Content-Type header was still 'text/html'.
By now, the response Content-Type should correspond to the given request format.
I also feel there's some room for improvement with the general "displaying error for a JSON API" chapter as it feels strange that there's no configuration option to just say "serve me anything as json", but that's another issue.
Commits
-------
9e2b408f25 add content-type header on exception response
This PR was merged into the 3.3 branch.
Discussion
----------
[WebServerBundle] Fix router script option BC
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #23206
| License | MIT
| Doc PR | -
Server commands do not work with a router script given by a relative path, e.g.:
```
bin/console server:run -r router.php
```
but, this was working before and was removed (by accident I guess) in https://github.com/symfony/symfony/pull/21039/files#diff-b915f83f99a4166eb34eab581a92501bL187
Commits
-------
aeab2fe1f7 [WebServerBundle] Fix router script path and check existence
This PR was merged into the 2.7 branch.
Discussion
----------
Reset redirectCount when throwing exception
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #23197
| License | MIT
When catching the exception thrown when exceeding the redirect limit, all new requests which result in a redirect fail. By resetting the redirectCount we can still use the same client instance.
Commits
-------
83fd578f96 Reset redirectCount when throwing exception
This PR was merged into the 3.3 branch.
Discussion
----------
[FrameworkBundle] Expose the AbstractController's container to its subclasses
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
This is useful if an application provides their own base Controller that
references items in the container. It also makes it simpler for that
base controller to add additional optional dependencies by only overriding
getSubscribedServices instead of having to reimplement setContainer and
use ControllerTrait.
Commits
-------
ee17131fca Expose the AbstractController's container to its subclasses
This PR was merged into the 3.4 branch.
Discussion
----------
[Validator] Adds support to check specific DNS record type for URL
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
URL validation with the `checkDNS` option can time out for some international registrars or for reasons unknown. When the `URL` constraint is implemented, the context may logically allow for a single DNS record type to be checked, which is less prone to timing out. This updates the `checkDNS` option value to be one of any valid for the underlying `checkdnsrr()` method with backwards compatibility for the original boolean value.
Commits
-------
e66d8f1bef [Validator] Adds support to check specific DNS record type for URL
This PR was squashed before being merged into the 3.4 branch (closes #22629).
Discussion
----------
[Security] Trigger a deprecation when a voter is missing the VoterInterface
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | ~
| License | MIT
| Doc PR | ~
Right now it's possible to add voters to the access decision manager that do not have a `VoterInterface`.
- No Interface, no `vote()` method, and it will give a PHP error.
- No Interface, but `vote()` method, it will still work.
- If I don't implement the interface _and_ have no `vote()` method, I will get a weird exception that's not meaningful: `Attempted to call an undefined method named "vote" of class "App\Voter\MyVoter".`
This PR will deprecate the ability to use voters without the interface, it will also throw a proper exception when missing the interface _and_ the `vote()` method. Why when using and not when setting? Due to the fact that the voters can be set lazily via the `IteratorArgument`. The SecurityBundle will trigger a deprecation if the interface is not implemented and an exception if there's not even a `vote()` method present (to prevent exceptions at run-time).
This should have full backwards compatibility with 3.3, but give more meaningful errors. The only behavioral difference might be that the container will throw an exception instead of maybe succeeding in voting when 1 voter would be broken at the end of the list (based on strategy). This case, however, will be detected during development and deployment, rather than at run-time.
Commits
-------
9c253e1ff6 [Security] Trigger a deprecation when a voter is missing the VoterInterface
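The three voter cases described in this PR, as an added example that is not the code merged in the commit. `VoterInterface` below is a local stand-in for Symfony's interface, and `callVoter()`, the sample voter classes and the message wording are hypothetical.

```php
<?php
// Local stand-in so the example runs without Symfony installed.
interface VoterInterface
{
    public function vote($token, $subject, array $attributes);
}

// Hypothetical helper: checks the voter at call time, because voters may be
// injected lazily and cannot all be inspected when they are set.
function callVoter($voter, $token, $subject, array $attributes)
{
    if ($voter instanceof VoterInterface) {
        return $voter->vote($token, $subject, $attributes);
    }
    if (method_exists($voter, 'vote')) {
        // Still works, but is flagged so it gets fixed before support is removed.
        trigger_error(sprintf('Voter "%s" does not implement VoterInterface.', get_class($voter)), E_USER_DEPRECATED);

        return $voter->vote($token, $subject, $attributes);
    }
    // Fail with a meaningful error instead of "undefined method vote".
    throw new LogicException(sprintf('"%s" must implement VoterInterface.', get_class($voter)));
}

// Constructed sample voters, one per case.
final class ProperVoter implements VoterInterface
{
    public function vote($token, $subject, array $attributes) { return 1; }
}
final class DuckVoter
{
    public function vote($token, $subject, array $attributes) { return -1; }
}
final class BrokenVoter
{
}

$deprecations = [];
set_error_handler(function ($type, $message) use (&$deprecations) {
    $deprecations[] = $message;

    return true;
}, E_USER_DEPRECATED);

foreach ([new ProperVoter(), new DuckVoter(), new BrokenVoter()] as $voter) {
    try {
        printf("%s => %d\n", get_class($voter), callVoter($voter, null, null, ['ROLE_ADMIN']));
    } catch (LogicException $e) {
        printf("%s => rejected: %s\n", get_class($voter), $e->getMessage());
    }
}
printf("deprecations recorded: %d\n", count($deprecations));
```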
Useful if an application provides their own base Controller that
references items in the container. It also makes it simpler for that
base controller to add additional optional dependencies by only overriding
getSubscribedServices instead of having to reimplement setContainer and
use ControllerTrait.
This PR was merged into the 2.7 branch.
Discussion
----------
Keep s-maxage when expiry and validation are used in combination
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
(Symfony) docs say that [expiration wins over validation](https://symfony.com/doc/current/http_cache/validation.html). So,
a) when both the master and embedded response are public with an s-maxage, the result should be public as well and use the lower s-maxage of both, *also* in the case that the embedded response carries validation headers. (The cache may use those for revalidating the embedded response once it has become stale, but that does not impact expiration-based caching of the combined response.)
b) when both the master and embedded response are public with an s-maxage, the result should be public as well and use the lower s-maxage of both, *also* in the case that the master response carries validation headers. However, those *must not* be passed on to the client: They do not apply to the combined response, but may only be used by the cache itself to revalidate the (raw) master response.
Commits
-------
09bcbc70e7 Embedding a response that combines expiration and validation, that should not defeat expiration on the combined response
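Rules (a) and (b) from this PR as a standalone sketch, added here and not taken from Symfony's cache strategy code. Responses are modelled as plain arrays, `combineCacheHeaders()` is a hypothetical name, and the fallback for responses outside the case the PR describes is an assumption of the sketch.

```php
<?php
// Each response: ['public' => bool, 's_maxage' => int|null, 'headers' => [name => value]].
function combineCacheHeaders(array $master, array $embedded)
{
    // Header names are case-insensitive, so normalise before touching them.
    $headers = array_change_key_case($master['headers'], CASE_LOWER);

    // Rule (b): validators describe the raw master response only. The cache
    // may use them to revalidate that response; the client must not see them.
    unset($headers['etag'], $headers['last-modified']);

    $bothExpire = $master['public'] && $embedded['public']
        && null !== $master['s_maxage'] && null !== $embedded['s_maxage'];

    if ($bothExpire) {
        // Rules (a) and (b): validation headers on either part do not defeat
        // expiration; the combined response takes the lower s-maxage.
        $ttl = min($master['s_maxage'], $embedded['s_maxage']);
        $headers['cache-control'] = sprintf('public, s-maxage=%d', $ttl);
    } else {
        // Assumption: the PR text does not cover this case, so the sketch
        // falls back to a conservative policy.
        $headers['cache-control'] = 'private, no-cache';
    }

    return $headers;
}

// Constructed sample input: master carries an ETag, fragment a Last-Modified.
$master = [
    'public' => true,
    's_maxage' => 3600,
    'headers' => ['ETag' => '"master-v1"', 'Content-Type' => 'text/html'],
];
$fragment = [
    'public' => true,
    's_maxage' => 60,
    'headers' => ['Last-Modified' => 'Tue, 13 Jun 2017 10:00:00 GMT'],
];

// The result keeps content-type, drops the validators and caches for 60 seconds.
print_r(combineCacheHeaders($master, $fragment));
```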