This PR was merged into the 5.1 branch.
Discussion
----------
[Security] Added missing license headers
| Q | A
| ------------- | ---
| Branch? | 5.1
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
See 3be6ce121b
Seems like the fabbot reviews (and I) missed quite a lot of these in my big security PR.
Commits
-------
ea81b61e5f Added missing license headers
* 5.1:
Fix test that fails on old distros
Fix: compatibility with phpunit 9.3
[DoctrineBridge] work around Connection::ping() deprecation
[MimeType] Duplicated MimeType due to PHP Bug
[HttpClient] fix casting TraceableResponse to php streams
[DI] fix parsing of argument type=binary in xml
fix guessing form types for DateTime types
fix handling typed properties as constraint options
Fix the 'supports' method argument type of the security voter
Use the driverConnection executeUpdate method
* 5.0:
Fix test that fails on old distros
Fix: compatibility with phpunit 9.3
[DoctrineBridge] work around Connection::ping() deprecation
[MimeType] Duplicated MimeType due to PHP Bug
[DI] fix parsing of argument type=binary in xml
fix guessing form types for DateTime types
fix handling typed properties as constraint options
Fix the 'supports' method argument type of the security voter
Use the driverConnection executeUpdate method
This PR was merged into the 5.2-dev branch.
Discussion
----------
[Security] Add attributes on Passport
| Q | A
| ------------- | ---
| Branch? | master <!-- see below -->
| Bug fix? | no
| New feature? | yes <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | n/a <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | not yet
see https://github.com/symfonycorp/connect/pull/95
/cc @wouterj
Commits
-------
440ada3c5f [Security] Add attributes on Passport
* 5.1: (28 commits)
[DI] fix
Use "composer/package-versions-deprecated" when possible
Fix
Small update in our internal terminology
Fix support for PHP8 union types
[VarDumper] fix typo
[Lock][Messenger] Fix precedence of DSN options for 5.1
Fix support for PHP8 union types
[FrameworkBundle] preserve dots in query-string when redirecting
[3.4] Fix support for PHP8 union types
[PhpUnitBridge] Streamline ansi/no-ansi of composer according to phpunit --colors option
[3.4] Small update in our internal terminology
[Cache] fix compat with DBAL v3
Remove unnecessary null check
[HttpFoundation] Allow `null` in InputBag@set
[HttpClient] Convert CurlHttpClient::handlePush() to instance method
Fix package rename when releasing
bumped Symfony version to 5.1.3
updated VERSION for 5.1.2
updated CHANGELOG for 5.1.2
...
* 5.1:
[Security] Run functional tests also for the authenticator system
Fix register csrf protection listener
bumped Symfony version to 5.1.2
updated VERSION for 5.1.1
updated CHANGELOG for 5.1.1
* 5.1: (36 commits)
Fixed left-over debug statement
set column length for mysql 5.6 compatibility
[Mime] Remove unused var
[HttpClient] fix monitoring timeouts when other streams are active
[PhpUnitBridge] fix syntax on PHP 5.3
[PhpUnitBridge] Fix undefined index when output of "composer show" cannot be parsed
properly cascade validation to child forms
[PropertyAccess] Fix getter call order BC
[PhpUnitBridge] fix undefined var on version 3.4
Fix invalid char in SQS Headers
Move ajax clear event listener initialization on loadToolbar
[HttpClient] Throw JsonException instead of TransportException on empty response in Response::toArray()
Fix CS
FrameworkBundle Serializer issue
register event listeners depending on the installed packages
take into account the context when preserving empty array objects
Only register CSRF protection listener if CSRF is available
[VarExporter] tfix: s/markAsSkipped/markTestSkipped/
Also check PUBLIC_ACCESS for authenticated tokens
Fix enabled_locales behavior
...
* 5.1:
Fix abstract method name in PHP doc block
Various cleanups
[HttpClient] fix issues in tests
Fixes sprintf(): Too few arguments in form transformer
[Console] Fix QuestionHelper::disableStty()
[Validator] Use Mime component to determine mime type for file validator
validate subforms in all validation groups
Update Hungarian translations
Add meaningful message when Process is not installed (ProcessHelper)
[Messenger] Change the default notify timeout value for PostgreSQL
[PropertyAccess] Fix TypeError parsing again.
[TwigBridge] fix fallback html-to-txt body converter
[Security/Http] fix merge
[ErrorHandler] fix setting $trace to null in FatalError
[Form] add missing Czech validators translation
[Validator] add missing Czech translations
never directly validate Existence (Required/Optional) constraints
* 5.0:
Fix abstract method name in PHP doc block
Various cleanups
[HttpClient] fix issues in tests
Fixes sprintf(): Too few arguments in form transformer
[Console] Fix QuestionHelper::disableStty()
[Validator] Use Mime component to determine mime type for file validator
validate subforms in all validation groups
Update Hungarian translations
Add meaningful message when Process is not installed (ProcessHelper)
[PropertyAccess] Fix TypeError parsing again.
[TwigBridge] fix fallback html-to-txt body converter
[Security/Http] fix merge
[ErrorHandler] fix setting $trace to null in FatalError
[Form] add missing Czech validators translation
[Validator] add missing Czech translations
never directly validate Existence (Required/Optional) constraints
* 5.1:
Handle fetch mode deprecation of DBAL 2.11.
Fixed security-* package dependencies
Fixed handling of CSRF logout error
[WebProfilerBundle] changed label of memory usage in time panel (Mb into MiB)
[DotEnv][WebLink][Templating][ErrorHandler] Updated README with minimal example
* 5.0:
Handle fetch mode deprecation of DBAL 2.11.
Fixed handling of CSRF logout error
[WebProfilerBundle] changed label of memory usage in time panel (Mb into MiB)
[DotEnv][WebLink][Templating][ErrorHandler] Updated README with minimal example
* 4.4:
Handle fetch mode deprecation of DBAL 2.11.
Fixed handling of CSRF logout error
[WebProfilerBundle] changed label of memory usage in time panel (Mb into MiB)
[DotEnv][WebLink][Templating][ErrorHandler] Updated README with minimal example
* 5.1:
Allow email message to have "To", "Cc", or "Bcc" header to be valid
[FrameworkBundle] Removed detection of Serializer < 3.2
Update pull request template for 5.1.
[Security/Core] fix PHP8 deprecation
* 5.0:
Allow email message to have "To", "Cc", or "Bcc" header to be valid
[FrameworkBundle] Removed detection of Serializer < 3.2
Update pull request template for 5.1.
[Security/Core] fix PHP8 deprecation
* 4.4:
Allow email message to have "To", "Cc", or "Bcc" header to be valid
[FrameworkBundle] Removed detection of Serializer < 3.2
Update pull request template for 5.1.
[Security/Core] fix PHP8 deprecation
* 5.1: (33 commits)
[Cache] $lifetime cannot be null
[Serializer] minor cleanup
fix merge
Run PHP 8 as 7.4.99
Remove calls to deprecated ReflectionParameter::getClass().
[VarDumper] fix PHP 8 support
Removed "services" prototype node from "custom_authenticator"
Add php 8 to travis.
[Cache] Accessing undefined constants raises an Error in php8
[Cache] allow DBAL v3
Skip Doctrine DBAL on php 8 until we have a compatible version.
[DomCrawler] Catch expected ValueError.
Made method signatures compatible with their corresponding traits.
[ErrorHandler] Apply php8 fixes from Debug component.
[DomCrawler] Catch expected ValueError.
[Validator] Catch expected ValueError.
[VarDumper] ReflectionFunction::isDisabled() is deprecated.
[BrowserKit] Raw body with custom Content-Type header
Revert https://github.com/symfony/symfony/pull/34986
Make ExpressionLanguageSyntax validator usable with annotation
...
* 5.0: (28 commits)
[Cache] $lifetime cannot be null
[Serializer] minor cleanup
fix merge
Run PHP 8 as 7.4.99
Remove calls to deprecated ReflectionParameter::getClass().
[VarDumper] fix PHP 8 support
Add php 8 to travis.
[Cache] Accessing undefined constants raises an Error in php8
[Cache] allow DBAL v3
Skip Doctrine DBAL on php 8 until we have a compatible version.
[DomCrawler] Catch expected ValueError.
Made method signatures compatible with their corresponding traits.
[ErrorHandler] Apply php8 fixes from Debug component.
[DomCrawler] Catch expected ValueError.
[Validator] Catch expected ValueError.
[VarDumper] ReflectionFunction::isDisabled() is deprecated.
[BrowserKit] Raw body with custom Content-Type header
[PropertyAccess] Parse php 8 TypeErrors correctly.
[Intl] Fix call to ReflectionProperty::getValue() for static properties.
[HttpKernel] Prevent calling method_exists() with non-string values.
...
* 4.4: (27 commits)
[Serializer] minor cleanup
fix merge
Run PHP 8 as 7.4.99
Remove calls to deprecated ReflectionParameter::getClass().
[VarDumper] fix PHP 8 support
Add php 8 to travis.
[Cache] Accessing undefined constants raises an Error in php8
[Cache] allow DBAL v3
Skip Doctrine DBAL on php 8 until we have a compatible version.
[DomCrawler] Catch expected ValueError.
Made method signatures compatible with their corresponding traits.
[ErrorHandler] Apply php8 fixes from Debug component.
[DomCrawler] Catch expected ValueError.
[Validator] Catch expected ValueError.
[VarDumper] ReflectionFunction::isDisabled() is deprecated.
[BrowserKit] Raw body with custom Content-Type header
[PropertyAccess] Parse php 8 TypeErrors correctly.
[Intl] Fix call to ReflectionProperty::getValue() for static properties.
[HttpKernel] Prevent calling method_exists() with non-string values.
Fix wrong roles comparison
...
* 5.1:
[PhpUnitBridge] fix leftover
[PhpUnitBridge] fix installing under PHP >= 8
Use ">=" for the "php" requirement
bump icu 67.1
[DI] Remove preload primitive types
[Validator] Add missing translations of nn locale
[HttpKernel] Fix that the `Store` would not save responses with the X-Content-Digest header present
[Intl] bump icu 67.1
[Validator] allow passing a validator to Validation::createCallable()
* 5.1:
[PhpUnitBridge] fix bad detection of unsilenced deprecations
[Security] Unserialize $parentData, if needed, to avoid errors
[HttpKernel] Fix error logger when stderr is redirected to /dev/null (FPM)
* 5.0:
[PhpUnitBridge] fix bad detection of unsilenced deprecations
[Security] Unserialize $parentData, if needed, to avoid errors
[HttpKernel] Fix error logger when stderr is redirected to /dev/null (FPM)
* 4.4:
[PhpUnitBridge] fix bad detection of unsilenced deprecations
[Security] Unserialize $parentData, if needed, to avoid errors
[HttpKernel] Fix error logger when stderr is redirected to /dev/null (FPM)
This PR was merged into the 5.1-dev branch.
Discussion
----------
RememberMeLogoutListener should depend on LogoutHandlerInterface
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| License | MIT
`RememberMeLogoutListener`, which was introduced together with the new authenticator security in Symfony 5.1, depends on `AbstractRememberMeServices`. This forces people to always extend from `AbstractRememberMeServices`, even when they're implementing the correct interface.
I'd suggest to depend on the minimum interface, which is `LogoutHandlerInterface`, instead.
Example of the type errors you'd get otherwise:
`
Argument 1 passed to Symfony\Component\Security\Http\EventListener\RememberMeLogoutListener::__construct() must be an instance of Symfony\Component\Security\Http\RememberMe\AbstractRememberMeServices, instance of Scheb\TwoFactorBundle\Security\Authentication\RememberMe\RememberMeServicesDecorator given, called in var/cache/dev/Container3IpOCEd/getSecurity_Logout_Listener_RememberMe_MainService.php on line 22
`
with
```php
class RememberMeServicesDecorator implements RememberMeServicesInterface, LogoutHandlerInterface
[...]
```
Commits
-------
994700fbae Depend on LogoutHandlerInterface
* 5.0:
[VarDumper] fix for change in PHP 7.4.6
Added regression test for AccountStatusException behavior (ref #36822)
[HttpClient] fix PHP warning + accept status code >= 600
[Security/Core] fix compat of `NativePasswordEncoder` with pre-PHP74 values of `PASSWORD_*` consts
embed resource name in error message
[FrameworkBundle] fix stringable annotation
Change priority of KernelEvents::RESPONSE subscriber
Fix register event listeners compiler pass
Missing description in `messenger:setup-transports` command
[Serializer] fix issue with PHP 8
[WebProfiler] Remove 'none' when appending CSP tokens
[TwigBundle] FormExtension does not have a constructor anymore since sf 4.0
[Yaml] Fix escaped quotes in quoted multi-line string
* 4.4:
[VarDumper] fix for change in PHP 7.4.6
Added regression test for AccountStatusException behavior (ref #36822)
[HttpClient] fix PHP warning + accept status code >= 600
[Security/Core] fix compat of `NativePasswordEncoder` with pre-PHP74 values of `PASSWORD_*` consts
embed resource name in error message
[FrameworkBundle] fix stringable annotation
Change priority of KernelEvents::RESPONSE subscriber
Fix register event listeners compiler pass
Missing description in `messenger:setup-transports` command
[Serializer] fix issue with PHP 8
[WebProfiler] Remove 'none' when appending CSP tokens
[TwigBundle] FormExtension does not have a constructor anymore since sf 4.0
[Yaml] Fix escaped quotes in quoted multi-line string
This PR was merged into the 4.4 branch.
Discussion
----------
[Security/Core] fix compat of `NativePasswordEncoder` with pre-PHP74 values of `PASSWORD_*` consts
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36451
| License | MIT
| Doc PR | -
Commits
-------
df32171cb2 [Security/Core] fix compat of `NativePasswordEncoder` with pre-PHP74 values of `PASSWORD_*` consts
* 3.4:
[VarDumper] fix for change in PHP 7.4.6
Added regression test for AccountStatusException behavior (ref #36822)
embed resource name in error message
[Serializer] fix issue with PHP 8
[Yaml] Fix escaped quotes in quoted multi-line string
* 5.0:
[PhpUnitBridge] fix bad test
[4.4] CS fixes
[3.4] CS fixes
Disable phpunit verbosity
Queue name is a required parameter
[FrameworkBundle] display actual target for error in AssetsInstallCommand
Remove patches for Doctrine bugs and deprecations
[Mime] fix bad method call on "EmailAddressContains"
[DI][EventDispatcher] added contract for implementation
* 4.4:
[PhpUnitBridge] fix bad test
[4.4] CS fixes
[3.4] CS fixes
Disable phpunit verbosity
Queue name is a required parameter
[FrameworkBundle] display actual target for error in AssetsInstallCommand
Remove patches for Doctrine bugs and deprecations
[Mime] fix bad method call on "EmailAddressContains"
[DI][EventDispatcher] added contract for implementation
This PR was merged into the 5.1-dev branch.
Discussion
----------
[Security/Core] Add CustomUserMessageAccountStatusException
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| License | MIT
| Doc PR | Not really needed
When implementing the `UserCheckerInterface`, we can throw `AccountStatusException`. Similar to `CustomUserMessageAuthenticationException`, this exception allow to throw an `AccountStatusException` with a custom message.
Commits
-------
9233efbe06 Add CustomUserMessageAccountStatusException
* Anonymous users are actual to unauthenticated users, both are now represented by no token
* Added a PUBLIC_ACCESS Security attribute to be used in access_control
* Deprecated "anonymous: lazy" in favor of "lazy: true"
* 5.0:
[FrameworkBundle] Fix session.attribute_bag service definition
[Routing] Remove unused properties from the Route annotation
[Routing] Add missing _locale requirements
Update LdapBindAuthenticationProvider.php
Add reproducer to for hit after update expire cacheItem
[Cache] fix FilesystemTagAwareAdapter failing when a tag link preexists
* 4.4:
[FrameworkBundle] Fix session.attribute_bag service definition
[Routing] Remove unused properties from the Route annotation
[Routing] Add missing _locale requirements
Update LdapBindAuthenticationProvider.php
Add reproducer to for hit after update expire cacheItem
[Cache] fix FilesystemTagAwareAdapter failing when a tag link preexists
The AuthenticatorManager now performs the whole authentication process. This
allows for manual authentication without duplicating or publicly exposing parts
of the process.
This to remove confusion between the new system and Guard. When using the new
system, guard should not be installed. Guard did however influence the idea
behind the new system. Thus keeping the mentions of "guard" makes it confusing
to use the new system.
This allows more flexibility for the authentication manager (to e.g. implement
login throttling, easier remember me, etc). It is also a known design pattern
in Symfony HttpKernel.
This removes the introduced dependency on Guard from core. It also allows an
easier migration path, as the complete Guard subcomponent can now be deprecated
later in the 5.x life.
This is an iteration on the AuthenticatorInterface of the Guard, to allow more
flexibility so it can be used as a real replaced of the authentication
providers and listeners.
* 5.0:
[PhpUnitBridge] add PolyfillTestCaseTrait::expectExceptionMessageMatches to provide FC with recent phpunit versions
[Messenger] Make sure redis transports are initialized correctly
Remove return type for Twig function workflow_metadata()
[DI] fix typo
* 4.4:
[PhpUnitBridge] add PolyfillTestCaseTrait::expectExceptionMessageMatches to provide FC with recent phpunit versions
[Messenger] Make sure redis transports are initialized correctly
Remove return type for Twig function workflow_metadata()
[DI] fix typo
This PR was squashed before being merged into the 4.4 branch.
Discussion
----------
[PhpUnitBridge] add PolyfillTestCaseTrait::expectExceptionMessageMatches to provide FC with recent phpunit versions
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | na
| License | MIT
| Doc PR | na
expectExceptionMessageRegExp is deprecated coming phpunit 8.5.3 see https://github.com/sebastianbergmann/phpunit/issues/4133
Not sure if I need to add something else lmk.
Commits
-------
cfd5a29eaf [PhpUnitBridge] add PolyfillTestCaseTrait::expectExceptionMessageMatches to provide FC with recent phpunit versions
This PR was merged into the 5.1-dev branch.
Discussion
----------
[HttpFoundation] Add InputBag
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | yes
| License | MIT
When ppl read a request attribute, they never check if an array is returned
This means many apps just fail with a 500 when adding `[]` in the query string.
This PR turns them to 400 basically (with a deprecation for now)
Commits
-------
0a2ef70c04 [HttpFoundation] add InputBag
* 5.0:
[PropertyAccess] fix tests
[WebProfilerBundle] fix test
remove assertions that can never be reached
[PropertyAccess] Improve message of unitialized property in php 7.4
[HttpFoundation] Fixed session migration with custom cookie lifetime
[HttpKernel][FrameworkBundle] fix compat with Debug component
[Serializer] Remove unused variable
Allow URL-encoded special characters in basic auth part of URLs
[Serializer] Fix unitialized properties (from PHP 7.4.2) when serializing context for the cache key
[Validator] Add missing Ukrainian and Russian translations
Track session usage when setting the token
[4.4][MonologBridge] Fix $level type
[5.0][MonologBridge] Fix $level type
No need to reconnect the bags to the session
Support for Content Security Policy style-src-elem and script-src-elem in WebProfiler
[PropertyInfo][ReflectionExtractor] Check the array mutator prefixes last when the property is singular
[Security][Http][SwitchUserListener] Ignore all non existent username protection errors
Add installation and minimal example to README
* 4.4:
[PropertyAccess] fix tests
[WebProfilerBundle] fix test
remove assertions that can never be reached
[PropertyAccess] Improve message of unitialized property in php 7.4
[HttpFoundation] Fixed session migration with custom cookie lifetime
[HttpKernel][FrameworkBundle] fix compat with Debug component
[Serializer] Remove unused variable
Allow URL-encoded special characters in basic auth part of URLs
[Serializer] Fix unitialized properties (from PHP 7.4.2) when serializing context for the cache key
[Validator] Add missing Ukrainian and Russian translations
Track session usage when setting the token
[4.4][MonologBridge] Fix $level type
No need to reconnect the bags to the session
Support for Content Security Policy style-src-elem and script-src-elem in WebProfiler
[PropertyInfo][ReflectionExtractor] Check the array mutator prefixes last when the property is singular
[Security][Http][SwitchUserListener] Ignore all non existent username protection errors
Add installation and minimal example to README
This PR was squashed before being merged into the 5.1-dev branch.
Discussion
----------
[Security] Refactor logout listener to dispatch an event instead
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes (sort of...)
| New feature? | yes
| Deprecations? | yes
| Tickets | Fix#25212, Fix#22473
| License | MIT
| Doc PR | tbd
The current `LogoutListener` has some extension points, but they are not really DX-friendly (ref #25212). It requires hacking a `addMethodCall('addHandler')` in the container builder to register a custom logout handler.
Also, it is impossible to overwrite the default logout functionality from a bundle (ref #22473).
This PR introduces a `LogoutEvent` that replaces both the `LogoutSuccessHandlerInterface` and `LogoutHandlerInterface`. This provides a DX-friendly extension point and also cleans up the authentication factories (no more `addMethodCall()`'s).
In order to allow different logout handlers for different firewalls, I created a specific event dispatcher for each firewall (as also shortly discussed in #33558). The `dispatcher` tag attribute allows you to specify which dispatcher it should be registered to (defaulting to the global dispatcher). The `EventBubblingLogoutListener` also dispatches logout events on the global dispatcher, to be used for listeners that should run on all firewalls.
_@weaverryan and I discussed this feature while working on #33558, but figured it was unrelated and could be done while preservering BC. So that's why a separate PR is created._
Commits
-------
a9f096eb1f [Security] Refactor logout listener to dispatch an event instead
* 5.0:
Fix wrong namespaces
Fix wrong namespaces
Fix the reporting of deprecations in twig:lint
forward multiple attributes voting flag
bumped Symfony version to 5.0.8
updated VERSION for 5.0.7
updated CHANGELOG for 5.0.7
bumped Symfony version to 4.4.8
updated VERSION for 4.4.7
updated CHANGELOG for 4.4.7
[Validator] Fixed calling getters before resolving groups
[HttpKernel][LoggerDataCollector] Prevent keys collisions in the sanitized logs processing
* 4.4:
Fix wrong namespaces
Fix wrong namespaces
Fix the reporting of deprecations in twig:lint
forward multiple attributes voting flag
bumped Symfony version to 4.4.8
updated VERSION for 4.4.7
updated CHANGELOG for 4.4.7
[Validator] Fixed calling getters before resolving groups
[HttpKernel][LoggerDataCollector] Prevent keys collisions in the sanitized logs processing
This PR was merged into the 5.1-dev branch.
Discussion
----------
[HttpFoundation][HttpKernel][Security] Improve UnexpectedSessionUsageException backtrace
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets |
| License | MIT
| Doc PR |
Improve `UnexceptedSessionUsageException` backtrace so that it leads to the place in the userland where it was told to use session.
Commits
-------
1e1d332c7c Improve UnexcpectedSessionUsageException backtrace
* 5.0:
[HttpFoundation] Do not set the default Content-Type based on the Accept header
[Security] Fix access_control behavior with unanimous decision strategy
* 4.4:
[HttpFoundation] Do not set the default Content-Type based on the Accept header
[Security] Fix access_control behavior with unanimous decision strategy
* 5.0: (27 commits)
Fix versions
[Security/Http] Allow setting cookie security settings for delete_cookies
[DI] fix generating TypedReference from PriorityTaggedServiceTrait
[FrameworkBundle] revert to legacy wiring of the session when circular refs are detected
bumped Symfony version to 3.4.40
updated VERSION for 3.4.39
update CONTRIBUTORS for 3.4.39
updated CHANGELOG for 3.4.39
[DomCrawler] Fix BC break in assertions breaking Panther
[BrowserKit] fixed missing post request parameters in file uploads
update Italian translation
[Validator] Add missing Hungarian translations
[Validator] Add the missing translations for the Arabic (ar) locale
[Validator] Add missing vietnamese translations
[Console] Fix OutputStream for PHP 7.4
add missing gitattributes for phpunit-bridge
add German translations
Bump Symfony version to 5.0.7
Update VERSION for 5.0.6
Update CHANGELOG for 5.0.6
...
* 4.4:
Fix versions
[Security/Http] Allow setting cookie security settings for delete_cookies
[DI] fix generating TypedReference from PriorityTaggedServiceTrait
[FrameworkBundle] revert to legacy wiring of the session when circular refs are detected
bumped Symfony version to 3.4.40
updated VERSION for 3.4.39
update CONTRIBUTORS for 3.4.39
updated CHANGELOG for 3.4.39
[DomCrawler] Fix BC break in assertions breaking Panther
[BrowserKit] fixed missing post request parameters in file uploads
update Italian translation
[Validator] Add missing Hungarian translations
[Validator] Add the missing translations for the Arabic (ar) locale
[Validator] Add missing vietnamese translations
[Console] Fix OutputStream for PHP 7.4
add German translations
bug #36157 [Validator] Assert Valid with many groups
[Validator] Add missing Lithuanian translations
Fixed some typos
Add french "at least" constraint translations
* 3.4:
Fix versions
[Security/Http] Allow setting cookie security settings for delete_cookies
[FrameworkBundle] revert to legacy wiring of the session when circular refs are detected
bumped Symfony version to 3.4.40
updated VERSION for 3.4.39
update CONTRIBUTORS for 3.4.39
updated CHANGELOG for 3.4.39
update Italian translation
[Validator] Add missing Hungarian translations
[Validator] Add the missing translations for the Arabic (ar) locale
[Validator] Add missing vietnamese translations
[Console] Fix OutputStream for PHP 7.4
add German translations
bug #36157 [Validator] Assert Valid with many groups
[Validator] Add missing Lithuanian translations
Fixed some typos
Add french "at least" constraint translations
* 5.0:
[Http Foundation] Fix clear cookie samesite
[Security] Check if firewall is stateless before checking for session/previous session
[Form] Support customized intl php.ini settings
[Security] Remember me: allow to set the samesite cookie flag
[Debug] fix for PHP 7.3.16+/7.4.4+
[Validator] Backport translations
[Mailer] Use %d instead of %s for error code in error messages
[HttpKernel] fix locking for PHP 7.4+
[Security] Fixed hardcoded value of SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
Prevent warning in proc_open()
[FrameworkBundle] Fix Router Cache
Fix deprecation messages
* 4.4:
[Http Foundation] Fix clear cookie samesite
[Security] Check if firewall is stateless before checking for session/previous session
[Form] Support customized intl php.ini settings
[Security] Remember me: allow to set the samesite cookie flag
[Debug] fix for PHP 7.3.16+/7.4.4+
[Validator] Backport translations
[Mailer] Use %d instead of %s for error code in error messages
[HttpKernel] fix locking for PHP 7.4+
[Security] Fixed hardcoded value of SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
Prevent warning in proc_open()
[FrameworkBundle] Fix Router Cache
Fix deprecation messages
* 3.4:
[Http Foundation] Fix clear cookie samesite
[Security] Check if firewall is stateless before checking for session/previous session
[Form] Support customized intl php.ini settings
[Security] Remember me: allow to set the samesite cookie flag
[Debug] fix for PHP 7.3.16+/7.4.4+
[Validator] Backport translations
Prevent warning in proc_open()
This PR was merged into the 3.4 branch.
Discussion
----------
[Security/Http] Remember me: allow to set the samesite cookie flag
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Similar to #35605, since Chrome 80 is going to require the `samesite` attribute.
This is a cherry-pick of #27976
Commits
-------
f0ceb73397 [Security] Remember me: allow to set the samesite cookie flag
This PR was merged into the 4.4 branch.
Discussion
----------
[FrameworkBundle] Fix deprecation message for booting a kernel twice
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | - <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | - <!-- required for new features -->
<!--
Replace this notice by a short README for your feature/bugfix. This will help people
understand your PR and can be used as a start for the documentation.
Additionally (see https://symfony.com/releases):
- Always add tests and ensure they pass.
- Never break backward compatibility (see https://symfony.com/bc).
- Bug fixes must be submitted against the lowest maintained branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too.)
- Features and deprecations must be submitted against branch master.
-->
Commits
-------
a0a6243a21 Fix deprecation messages
* 5.0:
[DI] Fix CheckTypeDeclarationPass
[Security/Http] don't require the session to be started when tracking its id
[DI] fix preloading script generation
* 4.4:
[DI] Fix CheckTypeDeclarationPass
[Security/Http] don't require the session to be started when tracking its id
[DI] fix preloading script generation
This PR was merged into the 4.4 branch.
Discussion
----------
[DI] fix preloading script generation
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
(fabbot failure is a false positive)
On master, we should work on being able to preload more classes (esp. all cache-warmup artifacts).
But for 4.4, this is good enough. Submitted as a bug fix because 1. the current code that deals with preloading kinda-works, but only on "dev" mode... and 2. fixing it provides a nice boost!
Small bench on a hello world:
- before: 380 req/s
- after: 580 req/s
That's +50%!
Pro-tip: adding a few `class_exists()` as done in this PR for the classes that are always used in the implementations (e.g. `new Foo()` in the constructor) will help the preload-script generator to work optimally. Without them, it will discover the symbols to preload only if they're found on methods.
Some of those `class_exists()` are mandatory, in relation to anonymous classes and https://bugs.php.net/79349
Commits
-------
a10fc4da5d [DI] fix preloading script generation
* 5.0:
fix merge
Fix more quotes in exception messages
Fix more quotes in exception messages
Fix more quotes in exception messages
[3.4] Minor fixes
[PropertyAccess] Improved errors when reading uninitialized properties
* 4.4:
Fix more quotes in exception messages
Fix more quotes in exception messages
[3.4] Minor fixes
[PropertyAccess] Improved errors when reading uninitialized properties
This PR was squashed before being merged into the 5.1-dev branch.
Discussion
----------
[PhpUnitBridge] Deprecate @expectedDeprecation annotation
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | yes<!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | N/A
| License | MIT
| Doc PR | N/A
Addresses https://github.com/orgs/symfony/projects/1#card-32934769 as a follow-up to #35192.
Deprecating `@expectedDeprecation` annotation on tests in favour of the `expectDeprecation()` method similar to other PHPUnit deprecations of annotations in favour of methods.
Commits
-------
36a57cc7c2 [PhpUnitBridge] Deprecate @expectedDeprecation annotation
* 5.0:
Add missing dots at the end of exception messages
Add missing dots at the end of exception messages
[DI][Form] Fixed test suite (TimeType changes & unresolved merge conflict)
Fix bad merge
Add missing dots at the end of exception messages
* 4.4:
Add missing dots at the end of exception messages
[DI][Form] Fixed test suite (TimeType changes & unresolved merge conflict)
Fix bad merge
Add missing dots at the end of exception messages
* 5.0: (36 commits)
Add test for tagged iterator with numeric index
Fix container lint command when a synthetic service is used in combination with the expression language
Fix Travis script
[Validator][Range] Fix typos
[SecurityBundle] Minor fix in LDAP config tree builder
[HttpClient] fix requests to hosts that idn_to_ascii() cannot handle
Revert "minor #35559 [FrameworkBundle] remove mention of the old Controller class (nicolas-grekas)"
[FrameworkBundle] remove redundant PHPDoc in console Descriptor and subclass
[Mime] remove phpdoc mentioning Utf8AddressEncoder
Add missing phpdoc
Remove int return type from FlattenException::getCode
[Yaml] fix dumping strings containing CRs
[DI] Fix XmlFileLoader bad error message
[Form] Handle false as empty value on expanded choices
[Messenger] Add ext-redis min version req to tests
Tweak message
improve PlaintextPasswordEncoder docBlock summary
[Validator] Add two missing translations for the Arabic (ar) locale
Use some PHP 5.4 constants unconditionally
Add new packages on the link script
...
* 4.4: (34 commits)
Add test for tagged iterator with numeric index
Fix container lint command when a synthetic service is used in combination with the expression language
[Validator][Range] Fix typos
[SecurityBundle] Minor fix in LDAP config tree builder
[HttpClient] fix requests to hosts that idn_to_ascii() cannot handle
[FrameworkBundle] remove redundant PHPDoc in console Descriptor and subclass
[Mime] remove phpdoc mentioning Utf8AddressEncoder
Add missing phpdoc
Remove int return type from FlattenException::getCode
[Yaml] fix dumping strings containing CRs
[DI] Fix XmlFileLoader bad error message
[Form] Handle false as empty value on expanded choices
[Messenger] Add ext-redis min version req to tests
Tweak message
improve PlaintextPasswordEncoder docBlock summary
[Validator] Add two missing translations for the Arabic (ar) locale
Use some PHP 5.4 constants unconditionally
Add new packages on the link script
[DI] fix dumping errored definitions
[DI] ignore extra tags added by autoconfiguration in PriorityTaggedServiceTrait
...
* 3.4:
[Yaml] fix dumping strings containing CRs
[DI] Fix XmlFileLoader bad error message
Tweak message
improve PlaintextPasswordEncoder docBlock summary
[Validator] Add two missing translations for the Arabic (ar) locale
Use some PHP 5.4 constants unconditionally
Revert "bug symfony#28179 [DomCrawler] Skip disabled fields processing in Form"
Add Spanish translation
Fix typo
[Validator] add Japanese translation
Fix typo
Add Polish translation
[SecurityBundle] Minor fixes in configuration tree builder
bumped Symfony version to 3.4.39
updated VERSION for 3.4.38
update CONTRIBUTORS for 3.4.38
updated CHANGELOG for 3.4.38
This PR was merged into the 5.1-dev branch.
Discussion
----------
[Security] Deprecated ROLE_PREVIOUS_ADMIN
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| Deprecations? | yes
| Tickets | n/a
| License | MIT
| Doc PR | https://github.com/symfony/symfony-docs/pull/11487
`ROLE_PREVIOUS_ADMIN` is added to the token roles if the session is an impersonation. Since https://github.com/symfony/symfony/pull/31189 we have the `IS_IMPERSONATOR` attribute which can be used for the same reason. I propose to deprecate the `ROLE_PREVIOUS_ADMIN`:
* This is not what roles are for ([resulting in hacking this exception in `AbstractToken`](https://github.com/symfony/symfony/blob/5.0/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php#L275-L277))
* The role isn't very descriptive
* I don't like having 2 ways of doing exactly the same thing
* While every application with impersonation enabled probably needs to be updated, the update is as simple as replacing `ROLE_PREVIOUS_ADMIN` with `IS_IMPERSONATOR`: `find ./ -type f -exec sed -i 's/ROLE_PREVIOUS_ADMIN/IS_IMPERSONATOR/g' {} +`
---
I'm a bit unsure on how to deprecate this role, but I think having it in `RoleVoter` is probably the safest (`isGranted()` and variants + `AccessDecisionManager#decide()` all use this voter to check if the token has this role).
Commits
-------
dce55f352a Deprecated ROLE_PREVIOUS_ADMIN
This PR was merged into the 5.1-dev branch.
Discussion
----------
[Security] Add IS_IMPERSONATOR, IS_ANONYMOUS and IS_REMEMBERED
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/issues/29848
| License | MIT
| Doc PR | symfony/symfony-docs#11487
This continues work of @HeahDude and finally finishes one of the code PRs I've been working on during the ⭐️ EUFOSSA Hackathon.
Changes
---
The PRs modifies some of the attributes used by the `AuthenticatedVoter`:
* New `IS_IMPERSONATOR`, `IS_ANONYMOUS` and `IS_REMEMBERED` attributes are introduced to indicate the user either impersonated, anonymous or rembered.
* <s>`IS_AUTHENTICATED_ANONYMOUSLY` actually meant "is authenticated, either anonymous or fully". As this is confusing, it is replaced by `IS_AUTHENTICATED`.</s>
* <s>All `is_*()` functions in expressions are deprecated in favor of `is_granted('IS_*')`. It's not worth duplicating the `AuthenticatedVoter` logic in two places now we have shorter `IS_*` attributes</s>
**Before**
```php
if ($authorizationChecker->isGranted('ROLE_PREVIOUS_ADMIN')) {
// ...
}
```
<s>
```yaml
security:
# ...
access_control:
- { path: ^/protected, roles: 'IS_AUTHENTICATED_ANONYMOUSLY' }
```
</s>
**After**
```php
if ($authorizationChecker->isGranted('IS_IMPERSONATOR')) {
// ...
}
```
<s>
```yaml
security:
# ...
access_control:
- { path: ^/protected, roles: 'IS_AUTHENTICATED' }
```
</s>
<s>Discussion
---
The only thing I'm wondering is how we combine this with the `is_authenticated()` expression function:
98929dc292/src/Symfony/Component/Security/Core/Authorization/ExpressionLanguageProvider.php (L33-L37)
As you can see, the `IS_AUTHENTICATED` attribute and `is_authenticated()` expression function do not have the same meaning. Should we somehow deprecate the current behavior of `is_authenticated()` or should we find another name for `IS_AUTHENTICATED` (that would be a shame imo).</s>
Commits
-------
6c522a7d98 Added IS_ANONYMOUS, IS_REMEMBERED, IS_IMPERSONATOR
* 5.0: (28 commits)
[DoctrineBridge] Use new Types::* constants and support new json type
Fix bad merge in README of Nexmo Notifier bridge
[Debug][ErrorHandler] improved deprecation notices for methods new args and return type
[BrowserKit] Nested file array prevents uploading file
[ExpressionLanguage] Fixed collisions of character operators with object properties
remove usage of already deleted Symfony\Component\EventDispatcher\Event
[Notifier] Add correct tags for NullTransportFactory
[Validator] Remove specific check for Valid targets
[PhpUnitBridge] Use trait instead of extending deprecated class
Fix versioned namespace clears
fix remember me
Use strict assertion in asset tests
[DoctrineBridge][DoctrineExtractor] Fix indexBy with custom and some core types
Do not rely on the current locale when dumping a Graphviz object
fix typo
[Ldap] force default network timeout
[Config] don't throw on missing excluded paths
Docs: Typo, grammar
[Validator] Add the missing translations for the Polish ("pl") locale
[PhpUnitBridge] Add compatibility to PHPUnit 9 #35662
...
* 4.4: (25 commits)
[DoctrineBridge] Use new Types::* constants and support new json type
[Debug][ErrorHandler] improved deprecation notices for methods new args and return type
[BrowserKit] Nested file array prevents uploading file
[ExpressionLanguage] Fixed collisions of character operators with object properties
[Validator] Remove specific check for Valid targets
[PhpUnitBridge] Use trait instead of extending deprecated class
Fix versioned namespace clears
fix remember me
Use strict assertion in asset tests
[DoctrineBridge][DoctrineExtractor] Fix indexBy with custom and some core types
Do not rely on the current locale when dumping a Graphviz object
fix typo
[Ldap] force default network timeout
[Config] don't throw on missing excluded paths
Docs: Typo, grammar
[Validator] Add the missing translations for the Polish ("pl") locale
[PhpUnitBridge] Add compatibility to PHPUnit 9 #35662
[Routing] Add locale requirement for localized routes
[Console] Inline exact-match handling with 4.4
Set previous exception when rethrown from controller resolver
...
* 3.4:
[ExpressionLanguage] Fixed collisions of character operators with object properties
[Validator] Remove specific check for Valid targets
[PhpUnitBridge] Use trait instead of extending deprecated class
fix remember me
Use strict assertion in asset tests
[DoctrineBridge][DoctrineExtractor] Fix indexBy with custom and some core types
Do not rely on the current locale when dumping a Graphviz object
fix typo
[Ldap] force default network timeout
[Config] don't throw on missing excluded paths
Docs: Typo, grammar
[Validator] Add the missing translations for the Polish ("pl") locale
[Console] Inline exact-match handling with 4.4
Set previous exception when rethrown from controller resolver
[VarDumper] fixed DateCaster not displaying additional fields
[HttpKernel] fix registering DebugHandlersListener regardless of the PHP_SAPI
* 5.0:
[HttpClient] fix "undefined variable"
[HttpClient] remove useless code in test
[HttpClient] fix getting response content after its destructor throwed an HttpExceptionInterface
[HttpClient] fix HttpClientDataCollector when handling canceled responses
[Security] Fix exception name in doc comments
* 4.4:
[HttpClient] fix "undefined variable"
[HttpClient] remove useless code in test
[HttpClient] fix getting response content after its destructor throwed an HttpExceptionInterface
[HttpClient] fix HttpClientDataCollector when handling canceled responses
[Security] Fix exception name in doc comments
This PR was squashed before being merged into the 3.4 branch (closes#35657).
Discussion
----------
[Security] Fix exception name in doc comments
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Commits
-------
f10098e9f1 [Security] Fix exception name in doc comments
* 5.0:
Add missing use statements
[Translation] Add missing use statement
[Translation] Add missing use statement
[Config][XmlReferenceDumper] Prevent potential \TypeError
[Mailer] Fix broken mandrill http send for recipients with names
[Translation] prefer intl domain when adding messages to catalogue
Fix CS
Fix CS
Fail on empty password verification (without warning on any implementation)
[Translation][Debug] Add installation and minimal example to README
[Validator] try to call __get method if property is uninitialized
Show both missing packages in the same error message
Fix handling of empty_data's \Closure value in Date/Time form types
* 4.4:
Add missing use statements
[Translation] Add missing use statement
[Translation] Add missing use statement
[Config][XmlReferenceDumper] Prevent potential \TypeError
[Mailer] Fix broken mandrill http send for recipients with names
[Translation] prefer intl domain when adding messages to catalogue
Fix CS
Fix CS
Fail on empty password verification (without warning on any implementation)
[Translation][Debug] Add installation and minimal example to README
[Validator] try to call __get method if property is uninitialized
Show both missing packages in the same error message
Fix handling of empty_data's \Closure value in Date/Time form types
* 5.0:
[Validator] fix access to uninitialized property when getting value
[HttpClient] Fix regex bearer
[Translator] Default value for 'sort' option in translation:update should be 'asc'
[HttpKernel] Fix stale-if-error behavior, add tests
[Intl] Provide more locale translations
[Mailer] Fix STARTTLS support for Postmark and Mandrill
[Messenger] Check for all serialization exceptions during message dec…
[Messenger] Fix bug when using single route with XML config
Fix exception message in Doctrine Messenger
[DI] CheckTypeDeclarationsPass now checks if value is type of parameter type
[SecurityBundle] fix security.authentication.provider.ldap_bind arguments
Improved error message when no supported user provider is found
Mysqli doesn't support the named parameters used by PdoAdapter
Added debug argument to decide if debug page should be shown or not
Mysqli doesn't support the named parameters used by PdoStore
Properly handle phpunit arguments for configuration file
[Mailer] add tests for http transports
* 4.4:
[Validator] fix access to uninitialized property when getting value
[HttpClient] Fix regex bearer
[Translator] Default value for 'sort' option in translation:update should be 'asc'
[HttpKernel] Fix stale-if-error behavior, add tests
[Intl] Provide more locale translations
[Mailer] Fix STARTTLS support for Postmark and Mandrill
[Messenger] Check for all serialization exceptions during message dec…
[Messenger] Fix bug when using single route with XML config
Fix exception message in Doctrine Messenger
[DI] CheckTypeDeclarationsPass now checks if value is type of parameter type
[SecurityBundle] fix security.authentication.provider.ldap_bind arguments
Improved error message when no supported user provider is found
Mysqli doesn't support the named parameters used by PdoAdapter
Added debug argument to decide if debug page should be shown or not
Mysqli doesn't support the named parameters used by PdoStore
Properly handle phpunit arguments for configuration file
[Mailer] add tests for http transports
* 4.3:
[Validator] fix access to uninitialized property when getting value
[HttpClient] Fix regex bearer
[HttpKernel] Fix stale-if-error behavior, add tests
Improved error message when no supported user provider is found
Properly handle phpunit arguments for configuration file
* 3.4:
[Validator] fix access to uninitialized property when getting value
[HttpKernel] Fix stale-if-error behavior, add tests
Improved error message when no supported user provider is found
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] suggest a non-deprecated function replacement
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#35437
| License | MIT
| Doc PR |
Commits
-------
731730fe2f suggest a non-deprecated function replacement
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Use supportsClass in addition to UnsupportedUserException
| Q | A
| ------------- | ---
| Branch? | 3.4+
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#35045
| License | MIT
| Doc PR | ~
This PR fixes the issue where user providers rely on just the UnsupportedUserException from `refreshUser()`, causing a flow where users are wrongfully re-authenticated.
There's one issue where `refreshUser()` can do far more sophisticated checks on the user class, which it will never reach if the class is not supported. As far as I know it was never intended to support instances that are rejected by `supportsClass()`, though people could've implemented this (by accident). So the question is more if we should add a BC layer for this; for example:
```php
try {
$refreshedUser = $provider->refreshUser($user);
$newToken = clone $token;
$newToken->setUser($refreshedUser);
if (!$provider->supportsClass($userClass)) {
if ($this->shouldCheckSupportsClass) {
continue;
}
// have to think of a proper deprecation here for 6.0
@trigger_error('Provider %s does not support user class %s via supportsClass() while it does support it via refreshUser .. please set option X and fix %s::supportsUser() ', E_USER_DEPRECATED);
}
```
This would prevent behavior from breaking but also means we can't fix this on anything less than 5.1.
Commits
-------
d3942cbe17 Use supportsClass where possible
* 4.3:
chown and chgrp should also accept int as owner and group
Fix RememberMe with null password
[Validator] Fix plurals for sr_Latn (Serbian language written in latin script) validation messages
[PhpUnitBridge][SymfonyTestsListenerTrait] Remove some unneeded code
fix PHP const mapping keys using the inline notation
Fix that no-cache requires positive validation with the origin, even for fresh responses
* 3.4:
chown and chgrp should also accept int as owner and group
Fix RememberMe with null password
[Validator] Fix plurals for sr_Latn (Serbian language written in latin script) validation messages
[PhpUnitBridge][SymfonyTestsListenerTrait] Remove some unneeded code
fix PHP const mapping keys using the inline notation
Fix that no-cache requires positive validation with the origin, even for fresh responses
* 5.0:
[Debug] fix ClassNotFoundFatalErrorHandler
[FrameworkBundle] Document the router.cache_class_prefix parameter removal
[Routing] Fix using a custom matcher & generator dumper class
[Notifier] Add more specific types at documentation level when php engine can't
[Serializer] Fix cache in MetadataAwareNameConverter
[Dotenv] Fixed infinite loop with missing quote followed by quoted value
[HttpClient] Added missing sprintf
[TwigBridge] button_widget now has its title attr translated even if its label = null or false
[PhpUnitBridge] When using phpenv + phpenv-composer plugin, composer executable is wrapped into a bash script
[Messenger] Added check if json_encode succeeded
[Messenger] Added check if json_encode succeeded
[FrameworkBundle][ContainerLintCommand] Only skip .errored. services
[HttpClient] fix exception in case of PSR17 discovery failure
[DependencyInjection] Handle ServiceClosureArgument for callable in container linting
fix processing chain adapter based cache pool
[HttpKernel] release lock explicitly
[Security] Prevent canceled remember-me cookie from being accepted
[FrameworkBundle][TranslationUpdateCommand] Do not output positive feedback on stderr
[Security\Guard] Fix missing typehints
do not render preferred choices as selected
* 4.4:
[Debug] fix ClassNotFoundFatalErrorHandler
[Routing] Fix using a custom matcher & generator dumper class
[Serializer] Fix cache in MetadataAwareNameConverter
[Dotenv] Fixed infinite loop with missing quote followed by quoted value
[HttpClient] Added missing sprintf
[TwigBridge] button_widget now has its title attr translated even if its label = null or false
[PhpUnitBridge] When using phpenv + phpenv-composer plugin, composer executable is wrapped into a bash script
[Messenger] Added check if json_encode succeeded
[Messenger] Added check if json_encode succeeded
[FrameworkBundle][ContainerLintCommand] Only skip .errored. services
[HttpClient] fix exception in case of PSR17 discovery failure
[DependencyInjection] Handle ServiceClosureArgument for callable in container linting
fix processing chain adapter based cache pool
[HttpKernel] release lock explicitly
[Security] Prevent canceled remember-me cookie from being accepted
[FrameworkBundle][TranslationUpdateCommand] Do not output positive feedback on stderr
[Security\Guard] Fix missing typehints
do not render preferred choices as selected
* 4.3:
[Debug] fix ClassNotFoundFatalErrorHandler
[Routing] Fix using a custom matcher & generator dumper class
[Dotenv] Fixed infinite loop with missing quote followed by quoted value
[HttpClient] Added missing sprintf
[TwigBridge] button_widget now has its title attr translated even if its label = null or false
[PhpUnitBridge] When using phpenv + phpenv-composer plugin, composer executable is wrapped into a bash script
[Messenger] Added check if json_encode succeeded
[Security] Prevent canceled remember-me cookie from being accepted
[FrameworkBundle][TranslationUpdateCommand] Do not output positive feedback on stderr
[Security\Guard] Fix missing typehints
* 3.4:
[Debug] fix ClassNotFoundFatalErrorHandler
[Dotenv] Fixed infinite loop with missing quote followed by quoted value
[TwigBridge] button_widget now has its title attr translated even if its label = null or false
[PhpUnitBridge] When using phpenv + phpenv-composer plugin, composer executable is wrapped into a bash script
[Security] Prevent canceled remember-me cookie from being accepted
[FrameworkBundle][TranslationUpdateCommand] Do not output positive feedback on stderr
* 5.0: (31 commits)
[HttpClient] NativeHttpClient should not send >1.1 protocol version
[HttpClient] fix support for non-blocking resource streams
[Mailer] Make sure you can pass custom headers to Mailgun
[Mailer] Remove line breaks in email attachment content
Update links to documentation
[Validator] Add the missing translations for the Arabic (ar) locale
ensure to expect no validation for the right reasons
[Security-Guard] fixed 35203 missing name tag in param docblock
[HttpClient] fix casting responses to PHP streams
[PhpUnitBridge] Add test case for @expectedDeprecation annotation
[PhpUnitBridge][SymfonyTestsListenerTrait] Remove $testsWithWarnings stack
[FrameworkBundle] Fix getUser() phpdoc in AbstractController
[Mailer] Fix addresses management in Sendgrid API payload
[Mailer][MailchimpBridge] Fix missing attachments when sending via Mandrill API
[Mailer][MailchimpBridge] Fix incorrect sender address when sender has name
[HttpClient] fix capturing SSL certificates with NativeHttpClient
Update year in license files
Update year in license files
[TwigBridge][Form] Added missing help messages in form themes
Update year in license files
...
* 4.4: (26 commits)
[HttpClient] NativeHttpClient should not send >1.1 protocol version
[HttpClient] fix support for non-blocking resource streams
[Mailer] Make sure you can pass custom headers to Mailgun
[Mailer] Remove line breaks in email attachment content
Update links to documentation
[Validator] Add the missing translations for the Arabic (ar) locale
ensure to expect no validation for the right reasons
[Security-Guard] fixed 35203 missing name tag in param docblock
[HttpClient] fix casting responses to PHP streams
[PhpUnitBridge] Add test case for @expectedDeprecation annotation
[PhpUnitBridge][SymfonyTestsListenerTrait] Remove $testsWithWarnings stack
[Mailer] Fix addresses management in Sendgrid API payload
[Mailer][MailchimpBridge] Fix missing attachments when sending via Mandrill API
[Mailer][MailchimpBridge] Fix incorrect sender address when sender has name
[HttpClient] fix capturing SSL certificates with NativeHttpClient
Update year in license files
[TwigBridge][Form] Added missing help messages in form themes
Update year in license files
Update year in license files
fix version when "anonymous: lazy" was introduced
...
* 4.3:
[Mailer] Remove line breaks in email attachment content
Update links to documentation
[Validator] Add the missing translations for the Arabic (ar) locale
ensure to expect no validation for the right reasons
[PhpUnitBridge] Add test case for @expectedDeprecation annotation
[PhpUnitBridge][SymfonyTestsListenerTrait] Remove $testsWithWarnings stack
[Mailer][MailchimpBridge] Fix missing attachments when sending via Mandrill API
[Mailer][MailchimpBridge] Fix incorrect sender address when sender has name
[HttpClient] fix capturing SSL certificates with NativeHttpClient
[TwigBridge][Form] Added missing help messages in form themes
Update year in license files
Update year in license files
[HttpClient] fix typo
[Console][FormatterHelper] Use helper strlen statically and remove duplicated code
[Routing] Fix i18n routing when the url contains the locale
Fix BC issue in phpDoc Reflection library
[Translator] Performance improvement in MessageCatalogue and catalogue operations.
* 3.4:
Update links to documentation
[Validator] Add the missing translations for the Arabic (ar) locale
ensure to expect no validation for the right reasons
[PhpUnitBridge] Add test case for @expectedDeprecation annotation
Update year in license files
[Console][FormatterHelper] Use helper strlen statically and remove duplicated code
Fix BC issue in phpDoc Reflection library
[Translator] Performance improvement in MessageCatalogue and catalogue operations.
* 5.0: (24 commits)
Removing unused variable
Fixed#35084
Add missing use statement
[HttpClient] fix scheduling pending NativeResponse
do not overwrite variable value
[Profiler] wording
Use spaces correctly to display options in DebugCommand
Add supported schemes doc blocks type
X-Accel Nginx URL updated
ticket-30197 [Validator] Add the missing translations for the Chinese (Taiwan) ("zh_TW") locale
Fixed test added in #35022
Use locale_parse for computing fallback locales
[Console] Fix filtering out identical alternatives when there is a command loader
[String][UnicodeString] Remove unneeded flag in chunk regex pattern
add note about HTTP status code change
Migrate server:log command away from WebServerBundle
[DependencyInjection][CheckTypeDeclarationsPass] Handle \Closure for callable
[Security] Fix missing defaults for auto-migrating encoders
bumped Symfony version to 5.0.3
updated VERSION for 5.0.2
...
* 4.4:
Fixed#35084
Add missing use statement
[HttpClient] fix scheduling pending NativeResponse
do not overwrite variable value
[Profiler] wording
Use spaces correctly to display options in DebugCommand
X-Accel Nginx URL updated
ticket-30197 [Validator] Add the missing translations for the Chinese (Taiwan) ("zh_TW") locale
Fixed test added in #35022
Use locale_parse for computing fallback locales
[Console] Fix filtering out identical alternatives when there is a command loader
add note about HTTP status code change
Migrate server:log command away from WebServerBundle
[DependencyInjection][CheckTypeDeclarationsPass] Handle \Closure for callable
[Security] Fix missing defaults for auto-migrating encoders
bumped Symfony version to 4.4.3
updated VERSION for 4.4.2
updated CHANGELOG for 4.4.2
This PR was squashed before being merged into the 5.1-dev branch (closes#34548).
Discussion
----------
Added access decision strategy to respect voter priority
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | _will happily do if this is of interest/to be merged 🙃_
The priority-based access decision strategy will decide based on the first voter that does not abstain from the decision. Security voters can be registered with priority (`PriorityTaggedServiceTrait`), so a voter with higher priority can overrule other voters.
In [Contao CMS](https://github.com/contao/contao), the core system should provide security voters that provide the "default permissions", but extensions/bundles can override almost anything and therefore need to be able to override the core decision. None of the existing strategies allow for something like that.
/ping @chalasr @Toflar @leofeyer @ausi
#SymfonyHackday
Commits
-------
0b8028a0ec Added access decision strategy to respect voter priority
This PR was merged into the 5.1-dev branch.
Discussion
----------
[EventDispatcher] Deprecate LegacyEventDispatcherProxy
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| Deprecations? | yes
| Tickets | Cleanup of #28920
| License | MIT
| Doc PR | N/A
> This class should be deprecated in Symfony 5.1
Well, here you go. 😃
Commits
-------
c7e612d4ad [EventDispatcher] Deprecate LegacyEventDispatcherProxy.
This PR was merged into the 3.4 branch.
Discussion
----------
Use `::class` constants instead of `__NAMESPACE__` when possible
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | Related to #34987
| License | MIT
| Doc PR | no
Form component has a lot of built-in form types. Some of them were implemented from the very beginning. In most of them there is a such method
```php
/**
* {@inheritdoc}
*/
public function getParent()
{
return __NAMESPACE__.'\TextType';
}
```
This `getParent()` method was refactored in Symfony 2.8. The upgrade instructions are given here https://github.com/symfony/symfony/blob/2.8/UPGRADE-2.8.md#form
I think the `__NAMESPACE__.'\TextType';` expression was used because Symfony 2.8 was using `"php": ">=5.3.9"`, and the constant `::class` was added only in PHP 5.5
Now this line can be refactored into
```php
/**
* {@inheritdoc}
*/
public function getParent()
{
return TextType::class;
}
```
For example new form types, that were added later, already using the `::class` constant.
https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Form/Extension/Core/Type/ColorType.php#L23https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Form/Extension/Core/Type/TelType.php#L23
So, in this pull request I propose to refactor all old form types to use `::class` constant. It will give a benefit during the future refactoring, because IDE or static analysers will find all usages of parent class. Unlike the `__NAMESPACE__.'\TextType';` line, which doesn't show the real link to the class for IDE or static analysers, and it could complicate finding all usages of parent class.
Commits
-------
32bf50abca Use `::class` constants instead of `__NAMESPACE__` when possible
* 5.0: (21 commits)
fix merge
CS
[FrameworkBundle][ContainerLintCommand] Improve messages when the kernel or the container is not supported
[Serializer] Skip uninitialized (PHP 7.4) properties in PropertyNormalizer and ObjectNormalizer
stop using deprecated Doctrine persistence classes
[Cache] Fix wrong classname in deprecation message
Fix regex lookahead syntax in ApplicationTest
Fixed syntax in comment
[SecurityBundle][FirewallMap] Remove unused property
[Messenger][AMQP] Use delivery_mode=2 by default
[FrameworkBundle][DependencyInjection] Skip removed ids in the lint container command and its associated pass
[SECURITY] Revert "AbstractAuthenticationListener.php error instead info. Rebase of #28462"
[FrameworkBundle][Secrets] Hook configured local dotenv file
[DI] Improve performance of processDefinition
fix redis multi host dsn not recognized
fix constructor argument type declaration
Fix invalid Windows path normalization
[Validator][ConstraintValidator] Safe fail on invalid timezones
[DoctrineBridge] Fixed submitting invalid ids when using queries with limit
[FrameworkBundle] Add info & example to auto_mapping config
...
* 4.4: (21 commits)
fix merge
CS
[FrameworkBundle][ContainerLintCommand] Improve messages when the kernel or the container is not supported
[Serializer] Skip uninitialized (PHP 7.4) properties in PropertyNormalizer and ObjectNormalizer
stop using deprecated Doctrine persistence classes
[Cache] Fix wrong classname in deprecation message
Fix regex lookahead syntax in ApplicationTest
Fixed syntax in comment
[SecurityBundle][FirewallMap] Remove unused property
[Messenger][AMQP] Use delivery_mode=2 by default
[FrameworkBundle][DependencyInjection] Skip removed ids in the lint container command and its associated pass
[SECURITY] Revert "AbstractAuthenticationListener.php error instead info. Rebase of #28462"
[FrameworkBundle][Secrets] Hook configured local dotenv file
[DI] Improve performance of processDefinition
fix redis multi host dsn not recognized
fix constructor argument type declaration
Fix invalid Windows path normalization
[Validator][ConstraintValidator] Safe fail on invalid timezones
[DoctrineBridge] Fixed submitting invalid ids when using queries with limit
[FrameworkBundle] Add info & example to auto_mapping config
...
* 4.3:
fix merge
CS
[Serializer] Skip uninitialized (PHP 7.4) properties in PropertyNormalizer and ObjectNormalizer
stop using deprecated Doctrine persistence classes
[Cache] Fix wrong classname in deprecation message
Fix regex lookahead syntax in ApplicationTest
Fixed syntax in comment
[SecurityBundle][FirewallMap] Remove unused property
[Messenger][AMQP] Use delivery_mode=2 by default
[DI] Improve performance of processDefinition
Fix invalid Windows path normalization
[Validator][ConstraintValidator] Safe fail on invalid timezones
[DoctrineBridge] Fixed submitting invalid ids when using queries with limit
[FrameworkBundle] Add info & example to auto_mapping config
fix comparisons with null values at property paths
This PR was merged into the 3.4 branch.
Discussion
----------
CS for AccessDecisionManager
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | #34548
| License | MIT
| Doc PR | -
As discussed in #34548 with @nicolas-grekas here's a CS change for the `AccessDecisionManager`
Commits
-------
b3742ec493 CS
* 5.0: (38 commits)
[Security] Check UserInterface::getPassword is not null before calling needsRehash
gracefully handle missing event dispatchers
Fix TokenStorage::reset not called in stateless firewall
[DotEnv] Remove `usePutEnv` property default value
[HttpFoundation] get currently session.gc_maxlifetime if ttl doesnt exists
Set up typo fix
[DependencyInjection] Handle env var placeholders in CheckTypeDeclarationsPass
[Cache] fix memory leak when using PhpArrayAdapter
[Validator] Allow underscore character "_" in URL username and password
[TwigBridge] Update bootstrap_4_layout.html.twig
[DoctrineBridge] Removed QueryBuilder type hint in getLoader()
[FrameworkBundle][SodiumVault] Create secrets directory only when needed
fix parsing negative octal numbers
[String] implement __sleep()/__wakeup() on strings
Fixed translations file dumper behavior
[Routing][ObjectLoader] Remove forgotten deprecation after merge
[SecurityBundle] Passwords are not encoded when algorithm set to \"true\"
[DependencyInjection] Resolve expressions in CheckTypeDeclarationsPass
[SecurityBundle] Properly escape regex in AddSessionDomainConstraintPass
do not validate passwords when the hash is null
...
* 4.4: (30 commits)
[Security] Check UserInterface::getPassword is not null before calling needsRehash
gracefully handle missing event dispatchers
Fix TokenStorage::reset not called in stateless firewall
[DotEnv] Remove `usePutEnv` property default value
[HttpFoundation] get currently session.gc_maxlifetime if ttl doesnt exists
Set up typo fix
[DependencyInjection] Handle env var placeholders in CheckTypeDeclarationsPass
[Cache] fix memory leak when using PhpArrayAdapter
[Validator] Allow underscore character "_" in URL username and password
[TwigBridge] Update bootstrap_4_layout.html.twig
[FrameworkBundle][SodiumVault] Create secrets directory only when needed
fix parsing negative octal numbers
[SecurityBundle] Passwords are not encoded when algorithm set to \"true\"
[DependencyInjection] Resolve expressions in CheckTypeDeclarationsPass
[SecurityBundle] Properly escape regex in AddSessionDomainConstraintPass
do not validate passwords when the hash is null
[DI] fix resolving bindings for named TypedReference
[Config] never try loading failed classes twice with ClassExistenceResource
[Mailer] Fix SMTP Authentication when using STARTTLS
[DI] Fix making the container path-independent when the app is in /app
...
* 4.3:
[DotEnv] Remove `usePutEnv` property default value
Set up typo fix
[Validator] Allow underscore character "_" in URL username and password
[SecurityBundle] Passwords are not encoded when algorithm set to \"true\"
do not validate passwords when the hash is null
[DI] fix resolving bindings for named TypedReference
[DI] Fix making the container path-independent when the app is in /app
Allow copy instead of symlink for ./link script
[FrameworkBundle] resolve service locators in `debug:*` commands
bumped Symfony version to 4.3.10
updated VERSION for 4.3.9
updated CHANGELOG for 4.3.9
bumped Symfony version to 3.4.37
updated VERSION for 3.4.36
update CONTRIBUTORS for 3.4.36
updated CHANGELOG for 3.4.36
Add test on ServerLogHandler
* 3.4:
[Validator] Allow underscore character "_" in URL username and password
[SecurityBundle] Passwords are not encoded when algorithm set to \"true\"
do not validate passwords when the hash is null
[DI] Fix making the container path-independent when the app is in /app
Allow copy instead of symlink for ./link script
[FrameworkBundle] resolve service locators in `debug:*` commands
bumped Symfony version to 3.4.37
updated VERSION for 3.4.36
update CONTRIBUTORS for 3.4.36
updated CHANGELOG for 3.4.36
* 5.0:
[Security/Core] Fix checking for SHA256/SHA512 passwords
[Cache][Lock] fix tests
bumped Symfony version to 5.0.2
updated VERSION for 5.0.1
updated CHANGELOG for 5.0.1
bumped Symfony version to 4.4.2
updated VERSION for 4.4.1
updated CHANGELOG for 4.4.1
* 4.4:
[Security/Core] Fix checking for SHA256/SHA512 passwords
[Cache][Lock] fix tests
bumped Symfony version to 4.4.2
updated VERSION for 4.4.1
updated CHANGELOG for 4.4.1
* 5.0:
[DI] auto-register singly implemented interfaces by default
[DI] fix overriding existing services with aliases for singly-implemented interfaces
remove service when base class is missing
do not depend on the QueryBuilder from the ORM
[Security/Http] call auth listeners/guards eagerly when they "support" the request
[Messenger] add tests to FailedMessagesShowCommand
Fix the translation commands when a template contains a syntax error
[Security] Fix clearing remember-me cookie after deauthentication
[Validator] Update Slovenian translations
[HttpClient] remove conflict rule with HttpKernel that prevents using the component in Symfony 3.4
[Config][ReflectionClassResource] Handle parameters with undefined constant as their default values
Fix compatibility with Monolog 2
fix dumping number-like string parameters
Fix CI
[Console] Fix autocomplete multibyte input support
[Config] don't break on virtual stack frames in ClassExistenceResource
more robust initialization from request
Changing the multipart form-data behavior to use the form name as an array, which makes it recognizable as an array by PHP on the $_POST globals once it is coming from the HttpClient component
* 4.4:
[DI] auto-register singly implemented interfaces by default
[DI] fix overriding existing services with aliases for singly-implemented interfaces
remove service when base class is missing
do not depend on the QueryBuilder from the ORM
[Security/Http] call auth listeners/guards eagerly when they "support" the request
[Messenger] add tests to FailedMessagesShowCommand
Fix the translation commands when a template contains a syntax error
[Security] Fix clearing remember-me cookie after deauthentication
[Validator] Update Slovenian translations
[HttpClient] remove conflict rule with HttpKernel that prevents using the component in Symfony 3.4
[Config][ReflectionClassResource] Handle parameters with undefined constant as their default values
fix dumping number-like string parameters
Fix CI
[Console] Fix autocomplete multibyte input support
[Config] don't break on virtual stack frames in ClassExistenceResource
more robust initialization from request
Changing the multipart form-data behavior to use the form name as an array, which makes it recognizable as an array by PHP on the $_POST globals once it is coming from the HttpClient component
* 4.3:
[Messenger] add tests to FailedMessagesShowCommand
Fix the translation commands when a template contains a syntax error
[Security] Fix clearing remember-me cookie after deauthentication
[Validator] Update Slovenian translations
[Config][ReflectionClassResource] Handle parameters with undefined constant as their default values
fix dumping number-like string parameters
Fix CI
[Console] Fix autocomplete multibyte input support
[Config] don't break on virtual stack frames in ClassExistenceResource
more robust initialization from request
This PR was merged into the 4.4 branch.
Discussion
----------
[Security/Http] call auth listeners/guards eagerly when they "support" the request
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#34614, Fix#34679
| License | MIT
| Doc PR | -
This fixes the form authenticator linked to #34614.
Since laziness is here to provide compatibility with HTTP caching, it should be disabled when the request cannot be cached.
Tests don't pass yet, but I'm on the path to something here.
The PR now introduces a new `AbstractListener` that splits the handling logic in two:
- `supports(Request): ?bool` is always called eagerly and tells whether the listener matches the request for an earger call or a lazy call
- `authenticate(RequestEvent)` does the rest of the job when `supports()` allows so - lazily or not depending on the return value of `supports()`.
Of course, this remains compatible with non-lazy logics, see `AbstractListener::__invoke()`.
Commits
-------
b20ebe6b90 [Security/Http] call auth listeners/guards eagerly when they "support" the request
* 5.0: (47 commits)
reset the kernel cache after each test
[HttpKernel] Ability to define multiple kernel.reset tags
[Routing] Continue supporting single colon in object route loaders
[FWBundle] Remove unused parameter
[Intl] [Workflow] fixes English grammar typos
[Filesystem] [Serializer] fixes English grammar typo
mailer: mailchimp bridge is throwing undefined index _id when setting message id in mandrill http transport
has_roles should be is_granted in security upgrade file
has_roles should be is_granted in upgrade files
[HttpClient] Fix early cleanup of pushed HTTP/2 responses
skip test on incompatible PHP versions
[HttpKernel] Don't cache "not-fresh" state
Drop WebServerBundle directory
[FrameworkBundle][Cache] Don't deep-merge cache pools configuration
[Messenger] Adding exception to amqp transport in case amqp ext is not installed
[SecurityBundle] Don't require a user provider for the anonymous listener
[DoctrineBridge] Fixed cs in DoctrineType
[Monolog Bridge] Fixed accessing static property as non static.
Improve Symfony description
[Mailer] Add UPGRADE entries about Envelope and MessageEvent
...
