This PR was merged into the 3.3-dev branch.
Discussion
----------
[HttpKernel] Allow signing URIs with a custom query string parameter
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
`UriSigner` is currently restricting to using `_hash` as the query string parameter, this makes is customisable.
Commits
-------
32301c3a30 Allow a custom query string parameter
This PR was merged into the 3.3-dev branch.
Discussion
----------
[HttpKernel] Deprecate X-Status-Code for better alternative
| Q | A |
| --- | --- |
| Branch? | master |
| Bug fix? | no |
| New feature? | yes |
| BC breaks? | no |
| Deprecations? | yes |
| Tests pass? | yes |
| Fixed tickets | #12343 |
| License | MIT |
| Doc PR | https://github.com/symfony/symfony-docs/pull/6948 |
This marks the X-Status-Code header method of setting a custom response status
code in exception listeners for a better alternative. There is now a new method
on the `GetResponseForExceptionEvent` that allows successful status codes in
the response sent to the client.
The old method of setting the X-Status-Code header will now throw a deprecation warning.
Instead, in your exception listener you simply call `GetResponseForExceptionEvent::allowCustomResponseCode()` which will tell the Kernel not to override the status code of the event's response object.
Currenty the `X-Status-Code` header will still be removed, so as not to change the existing behaviour, but this is something we can remove in 4.0.
TODO:
- [x] Replace usage of X-Status-Code in `FormAuthenticationEntryPoint`
- [x] Open Silex issue
- [x] Rename method on the response
- [x] Ensure correct response code is set in `AuthenticationEntryPointInterface` implementations
- [x] Ensure the exception listeners are marking `GetResponseForExceptionEvent` as allowing a custom response code
- [x] In the Security component we should only use the new method of setting a custom response code if it is available, and fall back to the `X-Status-Code` method
Commits
-------
cc0ef282cd [HttpKernel] Deprecate X-Status-Code for better alternative
This PR was merged into the 3.3-dev branch.
Discussion
----------
Remove some container injections in favor of service locators
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/pull/21553#issuecomment-279214666
| License | MIT
| Doc PR | n/a
Commits
-------
8293b753cf Replace some container injections by service locators
0be9ea8ba1 [EventDispatcher] Fix abstract event subscribers registration
This PR was merged into the 3.3-dev branch.
Discussion
----------
[HttpKernel] Added the SessionValueResolver
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #21159
| License | MIT
| Doc PR | (soon)
This feature adds the `SessionValueResolver`. That means that you no longer have to rely on injecting a `SessionInterface` implementation via the constructor or getting this implementation from the `Request`. Regardless of method, it does not know about the `getFlashBag()`.
By adding the `Session` to the action arguments, you can now type-hint against the implementation rather than interface, which contains the `getFlashBag()`, making it accessible rather than using duck-typing.
_It should also feel less like injecting a service into the constructor which has a state or getting a service from the request._
**Old Situation**
```php
class Controller
{
public function __construct(SessionInterface $session) { /* ... */ }
public function fooAction(Request $request)
{
$this->get('session')->get(...);
$request->getSession()->get(...);
$this->session->get(...)
// duck-typing
$this->get('session')->getFlashBag();
$request->getSession()->getFlashBag();
$this->session->getFlashBag();
$this->addFlash(...);
}
}
```
**New Situation** _- The controller shortcut for flashbag could in theory be removed now_
```php
class Controller
{
public function fooAction(Session $session)
{
$session->get(...);
$session->getFlashBag();
}
}
```
Commits
-------
b4464dcea1 Added the SessionValueResolver
This marks the X-Status-Code header method of setting a custom response
status code in exception listeners as deprecated. Instead there is now
a new method on the GetResponseForExceptionEvent that allows successful
status codes in the response sent to the client.
* 3.2:
Refactored other PHPUnit method calls to work with namespaced PHPUnit 6
Refactored other PHPUnit method calls to work with namespaced PHPUnit 6
Further refactorings to PHPUnit namespaces
resolve parameters in definition classes
* 2.8:
Refactored other PHPUnit method calls to work with namespaced PHPUnit 6
Further refactorings to PHPUnit namespaces
resolve parameters in definition classes
* 3.2:
Fix typo in process error message
Update to PHPUnit namespaces
Minor typo fix messsagesData -> messagesData
remove translation data collector when not usable
This PR was merged into the 3.3-dev branch.
Discussion
----------
Secure unserialize by restricting allowed classes when using PHP 7
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | ---
| License | MIT
| Doc PR | ---
While playing around with Symfony in a PHP 7.1 application I noticed a warning in how EnvParameterResoure uses unserialize. Since PHP 7.0 introduced the options argument which allows to restrict which classes can be unserialized for better security, it might make sense to use it here. As far as I can tell this is no BC break, it only provides an additional safety mechanism.
Commits
-------
b4201810b9 Conditionally add options to unserialize in PHP 7.0+.