This PR was merged into the 3.4 branch.
Discussion
----------
[SecurityBundle] Throw a meaningful exception when an undefined user provider is used inside a firewall
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Before
> The service "security.authentication.manager" has a dependency on a non-existent service "security.user.provider.concrete.undefined_provider".
After
> Invalid firewall "main": user provider "undefined_provider" not found.
Commits
-------
b884c6612d Throw a meaningful exception when an undefined user provider is used inside a firewall
* 2.7:
[travis] update to trusty
Fix ArrayInput::toString() for VALUE_IS_ARRAY options/args
[ExpressionLanguage] throws an exception on calling uncallable method
This PR was merged into the 3.4 branch.
Discussion
----------
[Console] Allow commands to provide a default name for compile time registration
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #23796
| License | MIT
| Doc PR | https://github.com/symfony/symfony-docs/issues/8147
Commits
-------
eda7d42955 [Console] Add protected static $defaultName to set the default name of a Command
5d9ae6b56f [Console] Allow commands to provide a default name for compile time registration
This PR was squashed before being merged into the 3.4 branch (closes#23862).
Discussion
----------
[SecurityBundle] resolve class name parameter inside AddSecurityVotersPass
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #23733
| License | MIT
Commits
-------
a86bf52 [SecurityBundle] resolve class name parameter inside AddSecurityVotersPass
This PR was squashed before being merged into the 3.4 branch (closes#23624).
Discussion
----------
[FrameworkBundle] Commands as a service
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes/no
| Fixed tickets | #... <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | symfony/symfony-docs#... <!--highly recommended for new features-->
Next step towards #23488
It's a work in progress if we want to do all commands at once (im fine :)). But i think we should review `assets:install` first.
Also im assuming framework commands can rely on `getApplication()->getKernel()` from the framework application (we already do that in some commands). That saves a dep on `@kernel`.
And filesystem as a service; perhaps drop that as well :)
Commits
-------
de1dc0b [FrameworkBundle] Commands as a service
This PR was merged into the 3.4 branch.
Discussion
----------
Consistently use 7 chars of sha256 for hash-based id generation
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
This prevents generating over long service ids, and for filesystem-related changes, makes the Windows 258 chars limit farther.
Commits
-------
bc22cdd034 Consistently use 7 chars of sha256 for hash-based id generation
* 3.3:
Removed useless argument $definition
Fix comment
[Config] Fix checking class existence freshness
bumped Symfony version to 3.3.7
updated VERSION for 3.3.6
updated CHANGELOG for 3.3.6
Bump minimal PHP version to ^5.5.9|>=7.0.8
* 3.3:
[DI] use assertStringEqualsFile when possible
[VarDumper] Adapt to php 7.2 changes
[DI] Fix using private services in expressions
[Form][TwigBridge] Don't render _method in form_rest() for a child form
[Form] Static call TimezoneType::getTimezones
Removed references for non existent validator constraints
Suggest using quotes instead of Yaml::PARSE_KEYS_AS_STRINGS
[DI] Fix test
[Cache] Handle unserialization failures for Memcached
Remove unused prop + added @deprecated
Remove unused mocks/vars
[DoctrineBridge][PropertyInfo] Added support for Doctrine Embeddables
[Validator] Fix IbanValidator for ukrainian IBANs
Router: allow HEAD method to be defined first
[WebProfilerBundle] Display trace and context in the logger profiler
Fixing a bug where if a core class was autowired, autowiring tried to autowire optional args as if they were required
* 3.3:
[FrameworkBundle] Set default public directory on install assets
[Security] Fix wrong term in UserProviderInterface
[HttpFoundation] Set meta refresh time to 0 in RedirectResponse content
disable inlining deprecated services
[Cache] add constructor docblocks for clarity
[WebServerBundle] allowed public/ root directory to be auto-discovered along side web/
[WebServerBundle] remove duplicate code
[SecurityBundle] Clarify deprecation in UserPasswordEncoderCommand::getContainer
[Cache] add constructor docblocks for clarity
[Security] validate empty passwords again
[DI] Remove irrelevant comment from container
[TwigBridge] cleaner implementation of the TwigRenderer
This PR was merged into the 3.4 branch.
Discussion
----------
[Console] Add support for command lazy-loading
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/issues/12063https://github.com/symfony/symfony/pull/16438https://github.com/symfony/symfony/pull/13946#21781
| License | MIT
| Doc PR | todo
This PR adds command lazy-loading support to the console, based on PSR-11 and DI tags.
(https://github.com/symfony/symfony/issues/12063#issuecomment-57173784)
Commands registered as services which set the `command` attribute on their `console.command` tag are now instantiated when calling `Application::get()` instead of all instantiated at `run()`.
__Usage__
```yaml
app.command.heavy:
tags:
- { name: console.command, command: app:heavy }
```
This way private command services can be inlined (no public aliases, remain really private).
With console+PSR11 implem only:
```php
$application = new Application();
$container = new ServiceLocator(['heavy' => function () { return new Heavy(); }]);
$application->setCommandLoader(new ContainerCommandLoader($container, ['app:heavy' => 'heavy']);
```
Implementation is widely inspired from Twig runtime loaders (without the definition/runtime separation which is not needed here).
Commits
-------
7f97519 Add support for command lazy-loading
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] make it possible to configure a custom access decision manager service
| Q | A |
| --- | --- |
| Branch? | 3.4 |
| Bug fix? | no |
| New feature? | yes |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | #942, #14049, #15295, #16828, #16843, |
| License | MIT |
| Doc PR | TODO |
These changes will make it possible to let users define their own voting strategies without the need for custom compiler passes that replace the built-in `AccessDecisionManager` (see linked issues in the PR table for some use cases).
Commits
-------
e0913a2 add option to define the access decision manager
* 3.3:
Don't display the Symfony debug toolbar when printing the page
do not wire namespaces for the ArrayAdapter
check _controller attribute is a string before parsing it
[Cache] Added test for ApcuAdapter when using in CLI
allow to configure custom formats in XML configs
[HttpKernel] fix DumpDataCollector tests
[FrameworkBundle] fix changelog
[WebProfilerBundle] Cleanup profiler leftover
[DotEnv] Fix variable substitution
require the XML PHP extension
Fix phpdoc for serializer normalizers exceptions
Fixed absolute url generation for query strings and hash urls
bumped Symfony version to 2.8.25
updated VERSION for 2.8.24
updated CHANGELOG for 2.8.24
bumped Symfony version to 2.7.32
[Filesystem] Dont copy perms when origin is remote
updated VERSION for 2.7.31
update CONTRIBUTORS for 2.7.31
updated CHANGELOG for 2.7.31
* 3.2:
Don't display the Symfony debug toolbar when printing the page
do not wire namespaces for the ArrayAdapter
[Cache] Added test for ApcuAdapter when using in CLI
allow to configure custom formats in XML configs
[HttpKernel] fix DumpDataCollector tests
[FrameworkBundle] fix changelog
[WebProfilerBundle] Cleanup profiler leftover
require the XML PHP extension
Fix phpdoc for serializer normalizers exceptions
Fixed absolute url generation for query strings and hash urls
bumped Symfony version to 2.8.25
updated VERSION for 2.8.24
updated CHANGELOG for 2.8.24
bumped Symfony version to 2.7.32
[Filesystem] Dont copy perms when origin is remote
updated VERSION for 2.7.31
update CONTRIBUTORS for 2.7.31
updated CHANGELOG for 2.7.31
* 2.8:
Don't display the Symfony debug toolbar when printing the page
allow to configure custom formats in XML configs
require the XML PHP extension
Fixed absolute url generation for query strings and hash urls
bumped Symfony version to 2.8.25
updated VERSION for 2.8.24
updated CHANGELOG for 2.8.24
bumped Symfony version to 2.7.32
[Filesystem] Dont copy perms when origin is remote
updated VERSION for 2.7.31
update CONTRIBUTORS for 2.7.31
updated CHANGELOG for 2.7.31
* 2.7:
allow to configure custom formats in XML configs
require the XML PHP extension
Fixed absolute url generation for query strings and hash urls
bumped Symfony version to 2.7.32
[Filesystem] Dont copy perms when origin is remote
updated VERSION for 2.7.31
update CONTRIBUTORS for 2.7.31
updated CHANGELOG for 2.7.31
* 3.3: (33 commits)
Preserve HttpOnly value when deserializing a header
[DX] [TwigBundle] Enhance the new exception page design
Fix deprecated message
[DI][Security] Prevent unwanted deprecation notices when using Expression Languages
bumped Symfony version to 3.3.5
updated VERSION for 3.3.4
updated CHANGELOG for 3.3.4
[VarDumper] Reduce size of serialized Data objects
bumped Symfony version to 3.2.12
updated VERSION for 3.2.11
updated CHANGELOG for 3.2.11
fixed bad merge
Fix indent of methods
[Cache] Handle APCu failures gracefully
[DoctrineBridge] Use normalizedIds for resetting entity manager services
[FrameworkBundle] Do not remove files from assets dir
[FrameworkBundle] 3.3: Don't get() private services from debug:router
bumped Symfony version to 3.3.4
updated VERSION for 3.3.3
updated CHANGELOG for 3.3.3
...
* 3.3:
fixed tests
swiftmailer bridge is gone
respect the API in FirewallContext map
[TwigBundle] add back exception check
Dont call count on non countable object
Fix undefined variable $filesystem
* 3.3: (64 commits)
Show exception is checked twice in ExceptionController of twig
allow SSI fragments configuration in XML files
Display a better error message when the toolbar cannot be displayed
render hidden _method field in form_rest()
Add Doctrine Cache to dev dependencies to fix failing unit tests.
return fallback locales whenever possible
Fix Predis client cluster with pipeline
[Dotenv] Test load() with multiple paths
[Console] Fix catching exception type in QuestionHelper
Improved the exception page when there is no message
[WebProfilerBundle] Eliminate line wrap on count columnt (routing)
[Validator] replace hardcoded service id
[Routing] Fix XmlFileLoader exception message
[DI] Dedup tags when using instanceof/autoconfigure
[Translation] Fix FileLoader::loadResource() php doc
Sessions: configurable "use_strict_mode" option for NativeSessionStorage
[FrameworkBundle] [Command] Clean bundle directory, fixes#23177
fixed CS
[WebProfilerBundle] Fix the icon for the Cache panel
[WebServerBundle] Fix router script path and check existence
...
* 3.2: (42 commits)
Show exception is checked twice in ExceptionController of twig
allow SSI fragments configuration in XML files
Display a better error message when the toolbar cannot be displayed
render hidden _method field in form_rest()
Add Doctrine Cache to dev dependencies to fix failing unit tests.
return fallback locales whenever possible
[Console] Fix catching exception type in QuestionHelper
[WebProfilerBundle] Eliminate line wrap on count columnt (routing)
[Routing] Fix XmlFileLoader exception message
[Translation] Fix FileLoader::loadResource() php doc
Sessions: configurable "use_strict_mode" option for NativeSessionStorage
[FrameworkBundle] [Command] Clean bundle directory, fixes#23177
Reset redirectCount when throwing exception
[TwigBundle] Remove template.xml services when templating is disabled
add content-type header on exception response
Embedding a response that combines expiration and validation, that should not defeat expiration on the combined response
fixed bad merge
Fix two edge cases in ResponseCacheStrategy
[Routing] Expose request in route conditions, if needed and possible
[Routing] Expose request in route conditions, if needed and possible
...
* 2.8: (40 commits)
Show exception is checked twice in ExceptionController of twig
allow SSI fragments configuration in XML files
Display a better error message when the toolbar cannot be displayed
render hidden _method field in form_rest()
return fallback locales whenever possible
[Console] Fix catching exception type in QuestionHelper
[WebProfilerBundle] Eliminate line wrap on count columnt (routing)
[Routing] Fix XmlFileLoader exception message
[Translation] Fix FileLoader::loadResource() php doc
Sessions: configurable "use_strict_mode" option for NativeSessionStorage
[FrameworkBundle] [Command] Clean bundle directory, fixes#23177
Reset redirectCount when throwing exception
[TwigBundle] Remove template.xml services when templating is disabled
add content-type header on exception response
Embedding a response that combines expiration and validation, that should not defeat expiration on the combined response
Fix two edge cases in ResponseCacheStrategy
[Routing] Expose request in route conditions, if needed and possible
[Routing] Expose request in route conditions, if needed and possible
[Translation][FrameworkBundle] Fix resource loading order inconsistency reported in #23034
[Filesystem] added workaround in Filesystem::rename for PHP bug
...
This PR was squashed before being merged into the 3.4 branch (closes#22629).
Discussion
----------
[Security] Trigger a deprecation when a voter is missing the VoterInterface
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | ~
| License | MIT
| Doc PR | ~
Right now it's possible to add voters to the access decision manager that do not have a `VoterInterface`.
- No Interface, no `vote()` method, and it will give a PHP error.
- No Interface, but `vote()` method, it will still work.
- If I don't implement the interface _and_ have no `vote()` method, I will get weird exception that's not meaningful: `Attempted to call an undefined method named "vote" of class "App\Voter\MyVoter".`
This PR will deprecate the ability to use voters without the interface, it will also throw a proper exception when missing the interface _and_ the `vote()` method. Why when using and not when setting? Due to the fact that the voters can be set lazily via the `IteratorArgument`. The SecurityBundle will trigger a deprecation if the interface is not implemented and an exception if there's not even a `vote()` method present (to prevent exceptions at run-time).
This should have full backwards compatibility with 3.3, but give more meaningful errors. The only behavioral difference, might be that the container will throw an exception instead of maybe succeeding in voting when 1 voter would be broken at the end of the list (based on strategy). This case however, will be detected during development and deployment, rather than run-time.
Commits
-------
9c253e1ff6 [Security] Trigger a deprecation when a voter is missing the VoterInterface
* 3.2:
[SecurityBundle] Move cache of the firewall context into the request parameters
Fix Usage with anonymous classes
[Workflow] Added more keywords in the composer.json
[Cache] APCu isSupported() should return true when apc.enable_cli=Off
[PropertyAccess] Do not silence TypeErrors from client code.
* 3.3:
Fix the conditional definition of the SymfonyTestsListener
[DI] Fix keys resolution in ResolveParameterPlaceHoldersPass
[EventDispatcher] Remove dead code in WrappedListener
Fix non-dumped voters in security panel
[Yaml] Remove line number in deprecation notices
[SecurityBundle] Made 2 service aliases private
* 2.7:
bumped Symfony version to 2.7.30
Cache ipCheck
updated VERSION for 2.7.29
update CONTRIBUTORS for 2.7.29
updated CHANGELOG for 2.7.29
show unique inherited roles
This PR was merged into the 2.7 branch.
Discussion
----------
[SecurityBundle] Show unique Inherited roles in profile panel
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
When more than one assigned role reaches the same inherited role then it's duplicated in the "Inherited roles" list.
The changes in the test case show the unexpected result before fix it:
```console
There was 1 failure:
1) Symfony\Bundle\SecurityBundle\Tests\DataCollector\SecurityDataCollectorTest::testCollectAuthenticationTokenAndRoles with data set #4 (array('ROLE_ADMIN', 'ROLE_OPERATOR'), array('ROLE_ADMIN', 'ROLE_OPERATOR'), array('ROLE_USER', 'ROLE_ALLOWED_TO_SWITCH'))
Failed asserting that Array &0 (
0 => 'ROLE_USER'
1 => 'ROLE_ALLOWED_TO_SWITCH'
2 => 'ROLE_USER'
) is identical to Array &0 (
0 => 'ROLE_USER'
1 => 'ROLE_ALLOWED_TO_SWITCH'
)
```
Commits
-------
7061bfbf3a show unique inherited roles
* 3.3:
Fix optional cache warmers are always instantiated whereas they should be lazy-loaded
add some \ on PHP_VERSION_ID for 2.8
[Di] Remove closure-proxy arguments
[PropertyInfo][DoctrineBridge] The bigint Doctrine's type must be converted to string
* 3.2:
Fix optional cache warmers are always instantiated whereas they should be lazy-loaded
add some \ on PHP_VERSION_ID for 2.8
[PropertyInfo][DoctrineBridge] The bigint Doctrine's type must be converted to string
This PR was merged into the 3.4 branch.
Discussion
----------
[3.4] Allow 4.* deps
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #22756
| License | MIT
| Doc PR | -
This is implementing option 3 as described in #22756.
See #22769 for corresponding PR on 2.8: everything goes well and this allows catching a few more potential mistakes.
Commits
-------
c3e1646af8 [3.4] Allow 4.* deps
* 3.3:
[DI] prepare for signature change in 4.0
[DI] Add missing deprecation on Extension::getClassesToCompile
[Routing] remove an unused routing fixture
[Yaml] fix multiline block handling
[WebProfilerBundle] Fix sub-requests display in time profiler panel
[FrameworkBundle] Handle project dir in cache:clear command
[WebServerBundle] Mark ServerCommand as internal
[DI] Fix autowire error for inlined services
Close PHP code in phpt file
[Profiler][VarDumper] Fix searchbar css when in toolbar
Prevent auto-registration of UserPasswordEncoderCommand
[Process] Fixed incorrectly escaping arguments on Windows when inheritEnvironmentVariables is set to false
avoid double blanks while rendering form attributes
use getProjectDir() when possible
[PhpUnitBridge] add a changelog file
[FrameworkBundle][Validator] Deprecate passing validator instances/aliases over using the service locator
This PR was merged into the 3.3-dev branch.
Discussion
----------
[Security] add Request type json check in json_login
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no, unreleased feature
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | -
follow up to https://github.com/symfony/symfony/pull/22425 to limit the `UsernamePasswordJsonAuthenticationListener` to only requests with appropriate JSON content type.
I am not entirely happy with this implementation but mostly because Symfony out of the box only provides very limited content type negotiation. I guess anyone that wants to tweak the content negotiation will simply need to ensure the Request::$format is set accordingly before the code is triggered.
Commits
-------
045a36b303 add Request type json check in json_login
This PR was merged into the 3.3-dev branch.
Discussion
----------
[SecurityBundle] Enhance FirewallContext::getListeners()
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/pull/20417#discussion_r91704023, https://github.com/symfony/symfony/pull/20417#discussion_r91704145
| License | MIT
| Doc PR | symfony/symfony-docs#... <!--highly recommended for new features-->
I think @stof is right.. and the fact we can do this on master currently without the hassle.
cc @chalasr
Commits
-------
ba650783f5 [SecurityBundle] Enhance FirewallContext::getListeners()
This PR was merged into the 3.3-dev branch.
Discussion
----------
[Security] Fix json_login default success/failure handling
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no (master only)
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #22483
| License | MIT
| Doc PR | n/a
This makes the `json_login` listener default configuration stateless oriented by:
- Not using the default (redirect based) failure handler, it returns a 401 (json) response containing the failure reason instead
- Not using the default (redirect based) success handler, just let the original request continue instead (reaching the targeted resource without being redirected).
- Setting `require_previous_session` to `false` by default (I have to set it on `form-login` each time I want it to be stateless)
- Removing the options related to redirections (`default_target_path`, `login_path`, ...) from the listener factory, if one wants redirections then one has to write its own handlers, not the inverse
Commits
-------
9749618ff5 Fix json_login default success/failure handling
This PR was squashed before being merged into the 3.3-dev branch (closes#22234).
Discussion
----------
[DI] Introducing autoconfigure: automatic _instanceof configuration
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes (mostly, a continuation of a new feature)
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | https://github.com/symfony/symfony-docs/issues/7538
This is a proposal to allow the user to opt into some automatic `_instanceof` config. Suppose I want to auto-tag all of my voters and event subscribers
```yml
# current
services:
_defaults:
autowire: true
_instanceof:
Symfony\Component\Security\Core\Authorization\Voter\VoterInterface:
tags: [security.voter]
Symfony\Component\EventDispatcher\EventSubscriberInterface:
tags: [kernel.event_subscriber]
# services using the above tags
AppBundle\Security\PostVoter: ~
AppBundle\EventListener\CheckRequirementsSubscriber: ~
```
If I'm registering a service with a class that implements `VoterInterface`, when would I ever *not* want that to be tagged with `security.voter`? Here's the proposed code:
```yml
# proposed
services:
_defaults:
autowire: true
autoconfigure: true
# services using the auto_configure_instanceof functionality
AppBundle\Security\PostVoter: ~
AppBundle\EventListener\CheckRequirementsSubscriber: ~
```
The user must opt into this and it only applies locally to this configuration file. It works because each enabled bundle would have the opportunity to add one or more "automatic instanceof" definitions - e.g. SecurityBundle would add the `security.voter` instanceof config, FrameworkBundle would add the `kernel.event_subscriber` instanceof config, etc.
For another example, you can check out the proposed changes to `symfony-demo` - symfony/symfony-demo#483 - the `_instanceof` section is pretty heavy: 81694ac21e/app/config/services.yml (L20)
Thanks!
Commits
-------
18627bf9f6 [DI] Introducing autoconfigure: automatic _instanceof configuration
* 3.2:
[Bridge\Doctrine] Fix change breaking doctrine-bundle test suite
[WebProfilerBundle] Include badge status in translation tabs
[FrameworkBundle] Cache pool clear command requires at least 1 pool
[HttpFoundation][bugfix] should always be initialized
MockArraySessionStorage: updated phpdoc for $bags so that IDE autocompletion would work
normalize paths before making them relative
removed test that does not test anything
fixed tests
#21809 [SecurityBundle] bugfix: if security provider's name contains upper cases then container didn't compile
[WebProfilerBundle] Fix for CSS attribute at Profiler Translation Page
Set Date header in Response constructor already
[Validator] fix URL validator to detect non supported chars according to RFC 3986
[Security] Fixed roles serialization on token from user object
