* 3.4:
[FrameworkBundle] fix "samesite" in XSD
Update UserPasswordEncoderCommand.php
[HttpFoundation][FrameworkBundle] fix support for samesite in session cookies
[DoctrineBridge] Fixed submitting ids with query limit or offset
This PR was submitted for the master branch but it was merged into the 4.4 branch instead.
Discussion
----------
[Console] Consider STDIN interactive
| Q | A
| ------------- | ---
| Branch? |4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#30726, supersedes #30796
| License | MIT
| Doc PR | -
As demonstrated with `yes | bin/console foo` in #30726, original assumption made in #1699 was wrong. Then, #8452 was merged which solved bug #8079 -> this was a use case when application hangs with `--no-interaction` flag - nobody probably realized that application can be in "non-interactive" mode, without using this flag and not hang. Then, there was #14102 which was poor man's fix for problem caused by this. So already plenty issues this behaviour causes. Looks like a mess to me. Application should be considered non-interactive only when explicitly specified so (--no-interactive flag), otherwise it doesn't hang.
### What this change means?
It only changes one case: When doing `echo foo | bin/console bar`, `yes | bin/console bar`, `bin/console bar < foo`, etc. Redirecting stdout is not affected, as application in that case was considered interactive before too. With stdin, this opens possibility to control symfony/console based application by default via stdin, including via `proc_open`.
Additionally, not only it allows to control the input for questions, it also makes the question and answers to display on screen. So before, user had no idea what questions are happening and what answers (defaults) are being used.
### About a BC break
I'm not really aware of a valid use case this can break. Can you help find any?
1. Since symfony/console components were NOT interactive with stdin before, stdin couldn't be used to control them - so there this change breaks nothing, because it didn't make sense to pass stdin there instead of specifying -n flag.
1. If application uses internal logic where it relies on STDIN disregarding `Output::isInteractive` flag, this doesn't change anything for these either - they will keep using STDIN disregarding result of this flag.
1. What if application uses internal logic for stdin AND console components like QuestionHelper? To me, that doesn't make much sense, because with previous behaviour, such questions would result always into defaults. It might make sense in case application supports both modes - either stdin, or user supplied input and just use default answers with stdin. But I cannot figure out example of such use - what would be the case where application allows user to control something via stdin, but at the same time forbids them to set certain aspects (answers to questions given)?
1. What about `SHELL_INTERACTIVE` env variable? Only way to utilize it was to force enable interactive mode, but since it will be interactive now by default, it will do nothing and no behaviour changes.
1. Preventing stdin control was much bigger potential BC break. Despite that, it was disallowed in minor Symfony version. And as far as I can see, I saw no backlash.
Finally, this targets Symfony 5.0 to be extra sure anyways, so I think it's ok, but feel free to suggest documenting this in upgrade guide or changelog. I would even target 4.4, but chose 5.0 as it's easier to push through there.
Commits
-------
ef157d5b3f [Console] Consider STDIN interactive
This PR was merged into the 3.4 branch.
Discussion
----------
[HttpFoundation][FrameworkBundle] fix support for samesite in session cookies
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#35520
| License | MIT
| Doc PR | -
This PR cherry-picks #28168 on 3.4, with a rationale given by @ConneXNL in https://github.com/symfony/symfony/issues/35520#issuecomment-582296847:
> I hope I am wrong but I see the impact of not making any changes to Symfony 3.4 will have a tons of sites break if we cannot set the cookie's samesite setting (in the framework session and remember me) before Chrome pushes this update.
>
> Very soon all existing cookies are no longer going to work with cross-domains if you do not specify 'None' for the cookie_samesite. All external APIs that use cookies and are running SF 3.4 will break and devs will have no quick solution to fix their auth process.
>
> If you are using PHP 7.4, yes you can most likely use ini_set to workaround this issue.
>
> However, ini_set('cookie_samesite') does not work in PHP Version <= 7.2.
I am not even sure PHP 7.3 supports the value 'None' as php.watch/articles/PHP-Samesite-cookies says it has support for 'Lax' and 'Scrict'.
>
> This effectively means SF 3.4 on PHP 7.2 (or PHP 7.3) is no longer supported for cross domain APIs with cookies. People would have to either update PHP to 7.4 (if they even can?) or go to Symfony 4 (with a dead live site is going to be a complete disaster).
>
> Since the impact of the change that chrome is about to roll out is so fundamentally changing our way to set cookies, I consider configuring samesite configuration in the framework an absolute requirement, not a feature, especially since SF 3.4 is still supported.
>
> What am i missing?
>
> Note: SF3 HTTPFoundation already supports the new cookie settings, it's just the framework that doesn't support it.
Our BC policy embeds the promise that one should be able to keep the same app on a newest infrastructure (eg that's why supporting a PHP version is a bug fix). I think we can consider this for browsers here also. WDYT?
Commits
-------
f46e6cb8a0 [HttpFoundation][FrameworkBundle] fix support for samesite in session cookies
This PR was merged into the 3.4 branch.
Discussion
----------
[DoctrineBridge] Fixed submitting ids with query limit or offset
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix https://github.com/symfony/symfony/pull/34900#discussion_r375246113 <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | ~ <!-- required for new features -->
<!--
Replace this notice by a short README for your feature/bugfix. This will help people
understand your PR and can be used as a start for the documentation.
Additionally (see https://symfony.com/roadmap):
- Always add tests and ensure they pass.
- Never break backward compatibility (see https://symfony.com/bc).
- Bug fixes must be submitted against the lowest maintained branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too.)
- Features and deprecations must be submitted against branch master.
-->
Commits
-------
9bb194098f [DoctrineBridge] Fixed submitting ids with query limit or offset
This PR was submitted for the master branch but it was merged into the 3.4 branch instead (closes#35628).
Discussion
----------
[Security] Improve info UserPasswordEncoderCommand
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| License | MIT
| Doc PR | n/a
`php bin/console security:encode-password [password] App\Entity\User`
will result in
`No encoder has been configured for account "AppEntityUser". `
If a full class path is used, it either has to be passed in as a string or has to be escaped by double slashes.
Commits
-------
3604bb7018 Update UserPasswordEncoderCommand.php
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Replace 403 with 401 in `onAuthenticationFailure` method
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | N/A
| License | MIT
| Doc PR | N/A
This comment in `onAuthenticationFailure` was misleading since a 401 status code should probably be returned instead of a 403.
Commits
-------
73bc793be2 Replace 403 with 401 in onAuthenticationFailure method
This PR was submitted for the master branch but it was merged into the 4.4 branch instead.
Discussion
----------
[PhpUnitBridge] fix getting the vendor/ dir for tests
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Commits
-------
341dd5dd1d [PhpUnitBridge] fix getting the vendor/ dir for tests
This PR was merged into the 4.4 branch.
Discussion
----------
[PHPunit bridge] Provide current file as file path
I failed to apply perfectly this comment:
https://github.com/symfony/symfony/pull/33820#discussion_r338746158
It should fix one failing test in the bridge.
| Q | A
| ------------- | ---
| Branch? |4.4
| Bug fix? | not for the end user
| New feature? | no
| Deprecations? | no
| Tickets | n/a
| License | MIT
| Doc PR | n/a
<!--
Replace this notice by a short README for your feature/bugfix. This will help people
understand your PR and can be used as a start for the documentation.
Additionally (see https://symfony.com/roadmap):
- Always add tests and ensure they pass.
- Never break backward compatibility (see https://symfony.com/bc).
- Bug fixes must be submitted against the lowest maintained branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too.)
- Features and deprecations must be submitted against branch master.
-->
Commits
-------
d5302cb5d2 Provide current file as file path
This PR was submitted for the 4.3 branch but it was merged into the 4.4 branch instead.
Discussion
----------
[DI] Unknown env prefix not recognized as such
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #... <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
This is a failing test to illustrate the difference between real and fake env vars when using an unknown prefix, followed by the `default` prefix.
```
%env(unknown:default::REAL)%
// Unsupported env var prefix "unknown".
%env(unknown:default::FAKE)%
// null
```
For `default::FAKE` we get `null` at
38b9a27976/src/Symfony/Component/DependencyInjection/EnvVarProcessor.php (L103)
which is then preserved at
38b9a27976/src/Symfony/Component/DependencyInjection/EnvVarProcessor.php (L123)
need inspiration for a patch still :)
Commits
-------
550819a655 [DI] Unknown env prefix not regornized as such
This PR was merged into the 4.4 branch.
Discussion
----------
[DI] Fix support for multiple tags for locators and iterators
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | Fix#34462, Fix#35326
| License | MIT
| Doc PR | none
Fix PriorityTaggedServiceTrait::findAndSortTaggedServices to work with multiple explicitely tagged services as would be expected by !tagged_locator. Also reorganize PriorityTaggedServiceTrait::findAndSortTaggedServices to be simpler and easier to understand.
Commits
-------
6fc91eb192 [DI] Fix support for multiple tags for locators and iterators
This PR was submitted for the 4.3 branch but it was squashed and merged into the 4.4 branch instead.
Discussion
----------
[PhpUnitBridge] Fix some errors when using serialized deprecations
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | n/a
| License | MIT
| Doc PR | n/a
This PR attempts to fix conflicts that arose in #31478
Creating as a draft for now as I think having separate test methods no longer make sense (`isSelf()` and `isIndirect()` have been replaced with `getType()`). @l-vo please review and confirm I did not loose anything valuable from your original contribution.
Commits
-------
056d59824f [PhpUnitBridge] Fix some errors when using serialized deprecations
This PR was merged into the 4.4 branch.
Discussion
----------
Fix HTTP client config handling
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Defining a `key` parameter in the `query` option of a scoped HTTP client triggers an error:
```
Undefined index: value
```
This PR fixes this issue but an edge case still remains with YAML and PHP config. If one wants to define parameters `key=foo`, `value=bar` and nothing else, the query will actually be `foo=bar` instead of `key=foo&value=bar`. Not sure how to fix this case without breaking the tests I added here.
Commits
-------
963d0cce86 Fix HTTP client config handling
This PR was merged into the 4.4 branch.
Discussion
----------
Fix CS
| Q | A
| ------------- | ---
| Branch? | 4.4 <!-- see below -->
| Bug fix? | no
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | n/a
Commits
-------
de8348a033 Fix CS
This PR was merged into the 3.4 branch.
Discussion
----------
Fix CS
| Q | A
| ------------- | ---
| Branch? | 3.4 <!-- see below -->
| Bug fix? | no
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | n/a <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | n/a
Commits
-------
a3e49f30c7 Fix CS
* 3.4:
[Translation] Add missing use statement
[Translation][Debug] Add installation and minimal example to README
[Validator] try to call __get method if property is uninitialized
Fix handling of empty_data's \Closure value in Date/Time form types
This PR was merged into the 4.4 branch.
Discussion
----------
Add missing use statements
| Q | A
| ------------- | ---
| Branch? | 4.4 <!-- see below -->
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | n/a
Commits
-------
cd27b9d06f Add missing use statements
This PR was merged into the 4.4 branch.
Discussion
----------
Missing use statement 4.4
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | n/a
Commits
-------
00baa290e8 [Translation] Add missing use statement
This PR was merged into the 3.4 branch.
Discussion
----------
[Form] Fix handling of empty_data's \Closure value in Date/Time form types
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#33188
| License | MIT
| Doc PR | -
Basically this would solve the posibility to pass a `\Closure` to the `empty_data` option for Date/Time form types.
> https://symfony.com/doc/current/reference/forms/types/form.html#empty-data
> If a form is compound, you can set empty_data as an array, object or **closure**. See the [How to Configure empty Data](https://symfony.com/doc/current/form/use_empty_data.html) for a Form Class article for more details about these options.
Also related to https://github.com/symfony/symfony/pull/29182
Commits
-------
4939f0e323 Fix handling of empty_data's \Closure value in Date/Time form types
