If an exception was thrown with line separators in its message the
WebProfiler would cause an exception by passing it through unsanitized
into the X-Debug-Error HTTP header. This commit fixes that by replacing
all whitespace sequences with a single space in the header.
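The whitespace collapsing described in this commit message, as an added example (not Symfony's own code): the function names and the sample exception are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; the helper names below are assumptions, not Symfony APIs.

/**
 * Collapse every run of whitespace (CR, LF, tabs, spaces) into one space so
 * the value can never span more than one header line.
 */
function sanitizeHeaderValue(string $value): string
{
    return trim(preg_replace('/\s+/', ' ', $value));
}

/** Render a header line the way it would be written to the wire. */
function renderHeader(string $name, string $value): string
{
    return $name . ': ' . $value . "\r\n";
}

/** Count the physical lines a rendered header occupies. */
function headerLineCount(string $rendered): int
{
    return count(preg_split('/\r\n|\r|\n/', rtrim($rendered, "\r\n")));
}

// Constructed sample: an exception whose message contains line separators.
$e = new RuntimeException("Query failed:\r\n  SELECT *\n  FROM users");

$raw  = renderHeader('X-Debug-Error', $e->getMessage());
$safe = renderHeader('X-Debug-Error', sanitizeHeaderValue($e->getMessage()));

// The unsanitized value breaks out of its header line; the sanitized one does not.
printf("unsanitized: %d lines\n", headerLineCount($raw));
printf("sanitized:   %d line  -> %s", headerLineCount($safe), $safe);

// Defensive check before emitting any header built from untrusted text.
if (headerLineCount($safe) !== 1) {
    throw new LogicException('Header value still contains a line separator.');
}
```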
This PR was merged into the 3.3-dev branch.
Discussion
----------
[DI] Enhance DX by throwing instead of triggering a deprecation notice
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | yes - at the config file level, for edge cases
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #22143
| License | MIT
| Doc PR | -
Looking at the linked issue, I'm reconsidering our decision to trigger a deprecation notice when one uses `_instanceof` or `_defaults` as a service name. While on the BC side, this is strict - on the DX side, it looks like this opens a trap where people will fall into.
The same occurs to me with named args: instead of silently accepting invalid args as was the case before, let's throw to help DX when people make mistakes.
Last change in this PR: the complex logic required to force strings to be given as `$id` args into `Reference` or `Alias` makes no sense to me, especially considering that a `string` type hint on PHP7 will *do* a string cast.
Commits
-------
b07da3d [DI] Enhance DX by throwing instead of triggering a deprecation notice
This PR was merged into the 2.7 branch.
Discussion
----------
[HttpKernel] Fix test
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Should make 2.7 green again on Travis.
Commits
-------
ba8f46ad23 [HttpKernel] Fix test
This PR was merged into the 2.7 branch.
Discussion
----------
[Console] Escape exception messages in renderException
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #22021
| License | MIT
| Doc PR | n/a
Adding style on exception messages should be prevented, it leads to weird results.
> Allowing formatting in them would be a nightmare, given that Symfony itself applies some formatting when rendering the exception.
Commits
-------
cb1348231a [Console] Escape exception messages
This PR was merged into the 3.3-dev branch.
Discussion
----------
[DX] [DI] Throw more helpful error when shortcutting global classes
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #22146
| License | MIT
As discussed in #22146 the error message received when trying to use a class in the global
namespace as a service without defined class is confusing. Helpful information was added
pointing out this current limitation.
Commits
-------
b9e7b4fd61 [DependencyInjection] Throw helpful error when shortcutting global classes
As discussed in #22146 the error message received when trying to use a class in the global
namespace as a service without defined class is confusing. Helpful information was added
pointing out this current limitation.
* 3.2:
[Bridge\Doctrine] Fix change breaking doctrine-bundle test suite
[WebProfilerBundle] Include badge status in translation tabs
[FrameworkBundle] Cache pool clear command requires at least 1 pool
[HttpFoundation][bugfix] should always be initialized
MockArraySessionStorage: updated phpdoc for $bags so that IDE autocompletion would work
normalize paths before making them relative
removed test that does not test anything
fixed tests
#21809 [SecurityBundle] bugfix: if security provider's name contains upper cases then container didn't compile
[WebProfilerBundle] Fix for CSS attribute at Profiler Translation Page
Set Date header in Response constructor already
[Validator] fix URL validator to detect non supported chars according to RFC 3986
[Security] Fixed roles serialization on token from user object
* 2.8:
[Bridge\Doctrine] Fix change breaking doctrine-bundle test suite
[HttpFoundation][bugfix] should always be initialized
MockArraySessionStorage: updated phpdoc for $bags so that IDE autocompletion would work
normalize paths before making them relative
* 2.7:
[Bridge\Doctrine] Fix change breaking doctrine-bundle test suite
[HttpFoundation][bugfix] should always be initialized
MockArraySessionStorage: updated phpdoc for $bags so that IDE autocompletion would work
normalize paths before making them relative
This PR was merged into the 3.3-dev branch.
Discussion
----------
[DI] Add "by-id" autowiring: a side-effect free variant of it based on the class<>id convention
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
This PR adds a new autowiring mode, based only on the class <> id convention.
This way of autowiring is free from any conflicting behavior, which is what I was looking for to begin with.
The expected DX is a bit more involving than the current way we do autowiring. But it's worth it to me, because it's plain predictable - a lot less "magic" imho.
So in this mode, for each `App\Foo` type hint, a reference to an "App\Foo" service will be created. If no such service exists, an exception will be thrown. To me, this opens a nice DX: when type hinting interfaces (which is the best practice), this will tell you when you need to create the explicit interface <> id mapping that is missing - thus encourage things to be made explicit, but only when required, and gradually, in a way that will favor discoverability by devs.
Of course, this is opt-in, and BC. You'd need to do eg in yaml: `autowire: by_id`.
For consistency, the current mode (`autowire: true`) can be configured using `autowire: by_type`.
Commits
-------
c298f2a90c [DI] Add "by-id" autowiring: a side-effect free variant of it based on the class<>id convention
This PR was merged into the 3.3-dev branch.
Discussion
----------
Revert "feature #20973 [DI] Add getter injection (nicolas-grekas)"
This reverts commit 2183f98f54, reversing
changes made to b465634a55.
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no (master only)
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Let's remove getter injection, we now have enough alternative mechanisms to achieve almost the same results (e.g. `ServiceSubscriberInterface`, see #21708), and I'm tired of being called names because of it.
The only use case in core is `ControllerTrait`, but this should be gone if #22157 is merged.
Commits
-------
23fa3a09bf Revert "feature #20973 [DI] Add getter injection (nicolas-grekas)"
This PR was squashed before being merged into the 3.3-dev branch (closes #22046).
Discussion
----------
[Asset] Adding a new version strategy that reads from a manifest JSON file
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | https://github.com/symfony/symfony-docs/issues/7659
Hi guys!
Often, when using a frontend task manager or bundler (e.g. webpack or gulp), the final assets are dumped with a version or content hash in the filename itself (e.g. main.123abc.css). To know what the correct, current hashed filename is, you'll dump a `manifest.json` file - e.g.
```json
{
    "main.js": "main.123abc.js",
    "css/styles.css": "css/styles.555def.css"
}
```
Examples: [gulp-rev](https://github.com/sindresorhus/gulp-rev) and [webpack-manifest-plugin](https://www.npmjs.com/package/webpack-manifest-plugin).
This PR adds a new version strategy that will look up the asset path (e.g. `main.css`) in that file and return the final, versioned path. Some people may dump manifest files in other formats, but I think this catches the most common use-case (and you can always still create your own version strategy). I've written this to be "forgiving" - if a path doesn't exist in the manifest, the path is simply returned, unaltered.
Another implementation *could* have been to add a new Twig filter (e.g. `{{ asset('main.css')|manifest_path }}`) - but I thought I'd try first using the existing versioning system.
## Usage
```yml
# app/config/config.yml
framework:
    # ...
    assets:
        # added validation prevents you from setting json_manifest_path AND version, for example
        json_manifest_path: '%kernel.root_dir%/../web/manifest.json'
```
```twig
{# someTemplate.html.twig #}
{# use asset() just like normal #}
<script src="{{ asset('js/main.js') }}"></script>
```
## TODO
* fabbot hates my invalid json syntax file... even though I tried to be clever and not give it a `.json` suffix :)
Commits
-------
07fec2bbad [Asset] Adding a new version strategy that reads from a manifest JSON file
This PR was merged into the 3.3-dev branch.
Discussion
----------
[Console] Fixed fatal error when the command is not defined
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/pull/18140/files#r107871406
| License | MIT
| Doc PR |
Commits
-------
d5b41b6b0a [Console] Fixed fatal error when the command is not defined
This PR was merged into the 2.7 branch.
Discussion
----------
[Filesystem] normalize paths before making them relative
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #22083
| License | MIT
| Doc PR |
Commits
-------
d50ffa1de7 normalize paths before making them relative
This PR was merged into the 2.7 branch.
Discussion
----------
[HttpFoundation][DX] MockArraySessionStorage: phpdocs update
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| License | MIT
Commits
-------
967f7a7add MockArraySessionStorage: updated phpdoc for $bags so that IDE autocompletion would work
* 2.8:
removed test that does not test anything
fixed tests
#21809 [SecurityBundle] bugfix: if security provider's name contains upper cases then container didn't compile
[WebProfilerBundle] Fix for CSS attribute at Profiler Translation Page
Set Date header in Response constructor already
[Validator] fix URL validator to detect non supported chars according to RFC 3986
[Security] Fixed roles serialization on token from user object
* 2.7:
removed test that does not test anything
fixed tests
#21809 [SecurityBundle] bugfix: if security provider's name contains upper cases then container didn't compile
[Validator] fix URL validator to detect non supported chars according to RFC 3986
[Security] Fixed roles serialization on token from user object
This PR was squashed before being merged into the 3.3-dev branch (closes #21819).
Discussion
----------
[Twig Bridge] A simpler way to retrieve flash messages
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Getting flash messages in templates is more complex than it could be. Main problems:
1. It's too low level: you need to get the "flash bag" (and first, learn what a "flash bag" is) and then you need to call the internal method: `all()`, `get()`, etc.
2. You need to be careful because the session will start automatically when you ask for flashes (even if there are no flashes). You can prevent this with the `{% if app.session is not null and app.session.started %}` code, but it's boring to always use that.
So, I propose to add a new `app.flashes` helper that works as follows.
---
## Get all the flash messages
### Before
```twig
{% if app.session is not null and app.session.started %}
    {% for label, messages in app.session.flashbag.all %}
        {% for message in messages %}
            <div class="alert alert-{{ label }}">
                {{ message }}
            </div>
        {% endfor %}
    {% endfor %}
{% endif %}
```
### After
```twig
{% for label, messages in app.flashes %}
    {% for message in messages %}
        <div class="alert alert-{{ label }}">
            {{ message }}
        </div>
    {% endfor %}
{% endfor %}
```
---
## Get only the flashes of type `notice`
### Before
```twig
{% if app.session is not null and app.session.started %}
    {% for message in app.session.flashbag.get('notice') %}
        <div class="alert alert-notice">
            {{ message }}
        </div>
    {% endfor %}
{% endif %}
```
### After
```twig
{% for message in app.flashes('notice') %}
    <div class="alert alert-notice">
        {{ message }}
    </div>
{% endfor %}
```
---
As an added bonus, you can get any number of flash messages because the method allows passing an array of flash types:
```twig
{% for label, messages in app.flashes(['warning', 'error']) %}
    {% for message in messages %}
        <div class="alert alert-{{ label }}">
            {{ message }}
        </div>
    {% endfor %}
{% endfor %}
```
Commits
-------
5a56b23327 [Twig Bridge] A simpler way to retrieve flash messages
This PR was merged into the 3.3-dev branch.
Discussion
----------
[DX][Form][Validator] Add ability check if concrete constraint fails.
| Q | A |
| --- | --- |
| Branch? | master |
| Bug fix? | no |
| New feature? | yes |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | wait for travis |
| Fixed tickets | #15154 |
| License | MIT |
| Doc PR | should open |
Sometimes for big forms with multiple constraints we should handle some errors separately.
``` php
// when using validator
$constraintViolations = $validator->validate(...);
if (count($constraintViolations->findByCodes(UniqueEntity::NOT_UNIQUE_ERROR))) {
    // display some message or send email or etc
}
// when using forms
if (count($form->getErrors()->findByCodes(UniqueEntity::NOT_UNIQUE_ERROR))) {
    // display some message or send email or etc
}
```
This PR adds some useful methods to handle this. Before, we had to iterate all failed constraints using foreach.
Feel free to suggest better names for new methods.
Commits
-------
29a3a7e0d6 Add ability retrieve errors by their code.
This PR was merged into the 3.3-dev branch.
Discussion
----------
[Lock] Adjust lock delay to avoid false error tests
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Adjust the clockDelay to fix tests
This test is here to:
T0.
* Fork A, B, C
T1.
* A acquires the lock then starts sleeping for 3*clockDelay
* B starts sleeping for 1*clockDelay
* C starts sleeping for 1*clockDelay
T2
* B wakes up AND tries to acquire the lock in wait mode
* C wakes up AND tries to acquire the lock in non-wait mode (the lock should still be acquired by A)
T4
* A releases the lock
* B acquires the lock and releases it
At the end, this test asserts that:
* A acquires and deletes the lock
* B acquires and deletes the lock
* C fails to acquire the lock
The point is, this test is time sensitive, and if the fork is too slow, A, B and C are not synchronized and C is able to acquire the lock.
This PR adjusts the clock delay to reduce false failures
Commits
-------
33f2a9a6f7 Adjust lock delay to avoid false error tests
This PR was merged into the 3.3-dev branch.
Discussion
----------
[Console] Add console.ERROR event and deprecate console.EXCEPTION
| Q | A |
| --- | --- |
| Branch | master |
| Bug fix? | yes |
| New feature? | yes |
| BC breaks? | no |
| Deprecations? | yes |
| Tests pass? | yes |
| Fixed tickets | - |
| License | MIT |
| Doc PR | todo |
## The Problem
The current `console.EXCEPTION` event is only dispatched for exceptions during the execution of `Command#execute()`. All other exceptions (e.g. the ones thrown by listeners to events) are caught by the `try ... catch` loop in `Application#doRunCommand()`. This means that there is _no way to override exception handling_.
## The Solution
This PR adds a `console.ERROR` event which has the same scope as the default `try ... catch` loop. This allows customizing all exception handling.
In order to keep BC, a new event was created and `console.EXCEPTION` was deprecated.
Commits
-------
c02a4c9857 Added a console.ERROR event
This PR was squashed before being merged into the 3.3-dev branch (closes #22120).
Discussion
----------
[FrameworkBundle] Multiple services on one Command class
rebased version of #19305
Commits
-------
2b82fcb437 [FrameworkBundle] Multiple services on one Command class
This PR was squashed before being merged into the 3.3-dev branch (closes #22043).
Discussion
----------
Refactor stale-while-revalidate code in HttpCache, add a (first?) test for it
| Q | A
| ------------- | ---
| Branch? | 2.8
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
I came up with this while trying to hunt a production bug related to handling of stale cache entries under the condition of a busy backend (also see #22033).
It's just a refactoring to make the code more readable plus a new test.
Commits
-------
b14057c88a Refactor stale-while-revalidate code in HttpCache, add a (first?) test for it
This PR was merged into the 3.3-dev branch.
Discussion
----------
[FrameworkBundle] Add new "controller.service_arguments" tag to inject services into actions
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | (no test yet)
| Fixed tickets | -
| License | MIT
| Doc PR | -
Talking with @simensen and @weaverryan, we wondered if we could leverage the `ArgumentResolver` mechanism to make it inject services on demand, using e.g. autowiring.
```php
class PostController
{
    public function indexAction(Request $request, PostRepository $postRepository)
    {
        // PostRepository comes from the container
        $postRepository->findAll(); // ...
    }
}
```
This PR achieves that, using a new "controller.service_arguments" tag. Typically:
```yaml
services:
    AppBundle\Controller\PostController:
        autowire: true
        tags:
            - name: controller.service_arguments
```
It also supports explicit wiring (thus doesn't necessarily require autowiring if you don't want to use it):
```yaml
services:
    AppBundle\Controller\PostController:
        tags:
            - name: controller.service_arguments
              action: fooAction
              argument: logger
              id: my_logger
```
~~The attached diff is bigger than strictly required for now, until #21770 is merged.~~
Todo:
- [x] rebase on top of #21770 when merged
- [x] add tests
- [x] add cleaning pass to remove empty service locators
Commits
-------
9c6e672780 [FrameworkBundle] Add new "controller.service_arguments" tag to inject services into actions
This PR was merged into the 3.3-dev branch.
Discussion
----------
[lock] Rename Quorum into Strategy
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes (not consistent naming)
| New feature? | no
| BC breaks? | yes (but version 3.4 not yet released)
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | none
| License | MIT
| Doc PR |
The term `Quorum` in Interface is confusing and not consistent with the Symfony project.
This PR switches to naming `Strategy\StrategyInterface` (like in adapter in `Cache` and `Ldap` component)
Commits
-------
1e9671b993 Rename Quorum into Strategy
This PR was merged into the 3.3-dev branch.
Discussion
----------
[Lock] Don't call blindly the redis client
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Actual code relies on controls on the constructor. This PR adds an assertion to avoid future bugs
Commits
-------
e4db018b6d Don't call blindly the redis client
This PR was merged into the 2.7 branch.
Discussion
----------
[Security] Fixed roles serialization on token from user object
| Q | A |
| --- | --- |
| Branch? | 2.7 |
| Bug fix? | yes |
| New feature? | no |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | #14274 |
| License | MIT |
| Doc PR | - |
This PR fixes the serialization of tokens when using `Role` objects provided from the user. Indeed, there was actually a reference issue that can cause fatal errors like the following one:
```
FatalErrorException in RoleHierarchy.php line 43:
Error: Call to a member function getRole() on string
```
Here is a small code example to reproduce and its output:
``` php
$user = new Symfony\Component\Security\Core\User\User('name', 'password', [
new Symfony\Component\Security\Core\Role\Role('name')
]);
$token = new Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken($user, 'password', 'providerKey', $user->getRoles());
$serialized = serialize($token);
$unserialized = unserialize($serialized);
var_dump($unserialized->getRoles());
```
Before:
```
array(1) { [0]=> bool(true) }
```
After:
```
array(1) { [0]=> object(Symfony\Component\Security\Core\Role\Role)#15 (1) {["role":"Symfony\Component\Security\Core\Role\Role":private]=> string(4) "name" } }
```
Thank you
Commits
-------
dfa7f5020e [Security] Fixed roles serialization on token from user object
* 3.2:
Fixed pathinfo calculation for requests starting with a question mark.
[HttpFoundation] Fix missing handling of for/host/proto info from "Forwarded" header
[Validator] Add object handling of invalid constraints in Composite
[WebProfilerBundle] Remove unneeded directive in the form collector styles
removed usage of $that
HttpCache: New test for revalidating responses with an expired TTL
[Serializer] [XML] Ignore Process Instruction
[Security] simplify the SwitchUserListenerTest
Revert "bug #21841 [Console] Do not squash input changes made from console.command event (chalasr)"
[HttpFoundation] Fix Request::getHost() when having several hosts in X_FORWARDED_HOST
This PR was merged into the 3.3-dev branch.
Discussion
----------
[Security][SecurityBundle] Enhance automatic logout url generation
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | N/A
| License | MIT
| Doc PR | N/A
This should help whenever:
- [the token does not implement the `getProviderKey` method](https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Http/Logout/LogoutUrlGenerator.php#L89-L99)
- you've got multiple firewalls sharing a same context but a logout listener only defined on one of them.
##### Behavior:
> When not providing the firewall key:
>
>- Try to find the key from the token (unless it's an anonymous token)
>- If found, try to get the listener from the key. If the listener is found, stop there.
>- Try from the injected firewall key. If the listener is found, stop there.
>- Try from the injected firewall context. If the listener is found, stop there.
>
>The behavior remains unchanged when providing explicitly the firewall key. No fallback.
Commits
-------
5b7fe852aa [Security][SecurityBundle] Enhance automatic logout url generation
This PR was squashed before being merged into the 3.3-dev branch (closes #22112).
Discussion
----------
Minor PR fixes
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes-ish
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #... <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | symfony/symfony-docs#... <!--highly recommended for new features-->
cc @fabpot my bad :)
Commits
-------
0728fb91b8 typo
036b0414d6 Minor PR fixes
This PR was merged into the 3.3-dev branch.
Discussion
----------
[WebProfilerBundle] Improved cookie traffic
| Q | A
| ------------- | ---
| Branch? | "master"
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | comma-separated list of tickets fixed by the PR, if any
| License | MIT
| Doc PR | reference to the documentation PR, if any
![image](https://cloud.githubusercontent.com/assets/1047696/20455635/a033a814-ae60-11e6-8500-e60146f4619e.png)
Relates to #20569 in terms of getting _all_ the cookies.
Commits
-------
171c6d100e [WebProfilerBundle] Improved cookie traffic
This PR was squashed before being merged into the 2.8 branch (closes #22036).
Discussion
----------
Set Date header in Response constructor already
| Q | A
| ------------- | ---
| Branch? | 2.8
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Setting the `Date` header in the `Response` constructor has been removed in #14912 and changed to a more lazy approach in `getDate()`.
That way, methods like `getAge()`, `getTtl()` or `isFresh()` cause side effects as they eventually call `getDate()` and the Request "starts to age" once you call them.
I don't know if this would be a nice test, but current behaviour is
```php
$response = new Response();
$response->setSharedMaxAge(10);
sleep(20);
$this->assertTrue($response->isFresh());
sleep(5);
$this->assertTrue($response->isFresh());
sleep(5);
$this->assertFalse($response->isFresh());
```
A particularly weird case is the `isCacheable()` method, because it calls `isFresh()` only under certain conditions, like particular status codes, no `ETag` present etc. This symptom is also described under "Cause of the problem" in #19390, however the problem is worked around there in other ways.
So, this PR suggests to effectively revert #14912.
Additionally, I'd like to suggest to move this special handling of the `Date` header into the `ResponseHeaderBag`. If the `ResponseHeaderBag` guards that we always have the `Date`, we would not need special logic in `sendHeaders()` and could also take care of https://github.com/symfony/symfony/pull/14912#issuecomment-110105215.
Commits
-------
3a7fa7ede2 Set Date header in Response constructor already
This PR was squashed before being merged into the 3.3-dev branch (closes #19887).
Discussion
----------
Sort alternatives alphabetically when a command is not found
| Q | A |
| --- | --- |
| Branch? | master |
| Bug fix? | no |
| New feature? | yes |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | #10893 |
| License | MIT |
| Doc PR | - |
Commits
-------
ba6c9464ea Sort commands like a human would do
f04b1bd72f Sort alternatives alphabetically when a command is not found
This PR was merged into the 3.3-dev branch.
Discussion
----------
[Security] json auth listener should not produce a 500 response on bad request format
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | N/A
| License | MIT
| Doc PR | N/A
To me, it looks wrong to simply throw a `BadCredentialsException` in the wild, which produces a 500 (unless an entrypoint handles it, which you probably don't have on a json login firewall). There isn't any server error, the client request originated the error due to a wrong format.
Instead, the listener should give a chance to the failure handler to resolve it, and return a proper 4XX response. (BTW, the `UsernamePasswordFormAuthenticationListener` also throws a similar `BadCredentialsException` on a too long submitted username, which is caught and forwarded to the failure handler)
Better diff: https://github.com/symfony/symfony/pull/22034/files?w=1
BTW, should we have another exception type like `BadCredentialsFormatException` or whatever in order to distinguish a proper `BadCredentialsException` from a format issue in a failure listener?
Commits
-------
cb175a41c3 [Security] json auth listener should not produce a 500 response on bad request format
This PR was merged into the 2.7 branch.
Discussion
----------
[Security] simplify the SwitchUserListenerTest
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
While working on #22048 I noticed that the `SwitchUserListenerTest` was more complicated than necessary by mocking a lot of stuff that didn't need to be mocked.
Commits
-------
923bbdbf9f [Security] simplify the SwitchUserListenerTest