This PR was merged into the 2.3 branch.
Discussion
----------
[Form] Removed constructor argument from FormTypeHttpFoundationExtension for forward compatibility with 2.5
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
This argument was introduced in #11924. No release was made of the 2.3 branch after merging that PR.
Since a different constructor argument (`$requestHandler`) was added to FormTypeHttpFoundationExtension in the 2.5 branch, we cannot merge this forward in a BC fashion. For this reason, I removed the argument again.
Commits
-------
6cbc862 [Form] Removed constructor argument from FormTypeHttpFoundationExtension for forward compatibility with 2.5
* 2.3:
remove obsolete test file
[FrameworkBundle] output failed matched path for clarification
bug #10242 Missing checkPreAuth from RememberMeAuthenticationProvider
[Validator] Fixed StaticMethodLoaderTest to actually test something
[Form] Fixed ValidatorTypeGuesser to guess properties without constraints not to be required
Use request format from request in twig ExceptionController
[Form] Moved POST_MAX_SIZE validation from FormValidator to request handler
[Form] Add a form error if post_max_size has been reached.
Response::isNotModified returns true when If-Modified-Since is later than Last-Modified
[WebProfilerBundle] turbolinks compatibility
Conflicts:
src/Symfony/Component/Form/CHANGELOG.md
src/Symfony/Component/HttpFoundation/Tests/ResponseTest.php
src/Symfony/Component/Security/Core/Tests/Authentication/Provider/RememberMeAuthenticationProviderTest.php
This PR was squashed before being merged into the 2.6-dev branch (closes#11949).
Discussion
----------
[Console] More consistent application description
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | none
| License | MIT
| Doc PR | none
Commits
-------
28edd30 [Console] More consistent application description
This PR was merged into the 2.6-dev branch.
Discussion
----------
New php library structure made easier
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
[This article](https://medium.com/@christophewillemsen/stop-making-bundles-think-bundles-deadd27b88c0) from @ikwattro gives some good ideas on how to ease the creation of a PHP package:
- which is not a bundle usable only on a symfony full stack framework
- without requiring to maintain 2 repos (one for the lib and the other for the bundle)
The only drawback is that Symfony requires the DI extension to be on a given location. So I created a new method Bundle#getContainerExtensionClass than can be easily overwritten if you want to move the Extension class in another directory.
Commits
-------
8eda6b5 New php library structure made easier
This PR was merged into the 2.3 branch.
Discussion
----------
[Validator] Fixed StaticMethodLoaderTest to actually test something
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
This test is not testing anything, except for whether PHP throws a strict standards error when invalid code is loaded.
I disabled error reporting for this test, so that the actual functionality (ignoring static+abstract functions) is tested.
Commits
-------
1b1303a [Validator] Fixed StaticMethodLoaderTest to actually test something
This PR was merged into the 2.6-dev branch.
Discussion
----------
[FrameworkBundle] Added unit-tests for GlobalVariables::getUser()
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Tests added should explain that `getUser()` should return `null` when a string is found as user. If this is not correct, a PR should be made. However, this would result in a huge BC break due to people using `{% if app.user %}` which would return `null` if an anonymous token was found. If this suddenly returns a string, this check will fail.
While at it, I have also added `getUser()` tests to verify the unhappy flow is working. These tests uncovered that if `$container->get('security.token_storage')` fails, it will throw an exception rather than return `null`. This issue is now fixed.
List of changes
--------------------
- The old `testGetUser` has been refactored to be tested with multiple variations of return types to verify the return type to work as the code tells.
- `get('security.token_storage')` is now only executed if `has('security.token_storage')` returns true
@fabpot I think this PR should be merged before 2.6, because it fixes an uncaught exception bug in my previous PR which splits the security context
Commits
-------
3f055f7 Fixed a bug and added unit-tests for GlobalVariables
This PR was merged into the 2.3 branch.
Discussion
----------
[FrameworkBundle] output failed matched path for clarification
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11780
| License | MIT
| Doc PR | -
Because cygwin resolves the path behind the scenes, it is otherwise very unclear what path is actually used for matching.
Commits
-------
8d13af7 [FrameworkBundle] output failed matched path for clarification
This PR was merged into the 2.6-dev branch.
Discussion
----------
[HttpKernel] Extract method to instantiate controller in ControllerResolver
Replaces #10814 to merge into `master` instead of `2.3`.
---
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Currently it's required to duplicate the entirety of the `getController()` and `createController()` methods just to replace the call to `new` (e.g. with container resolution, instead).
Now it's possible to just override the `instantiateController()` method.
Commits
-------
88274df [HttpKernel] Extract method to make callable controller in ControllerResolver
This PR was merged into the 2.6-dev branch.
Discussion
----------
[FrameworkBundle]Ignore LoggingTranslatorPass if there is no Translator ...
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| License | MIT
Commits
-------
6e1b47c [FrameworkBundle]Ignore LoggingTranslatorPass if there is no Translator definition.
This PR was merged into the 2.3 branch.
Discussion
----------
remove obsolete test file
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
I don't think this file is used anymore.
Commits
-------
83f556f remove obsolete test file
This PR was submitted for the 2.4 branch but it was merged into the 2.3 branch instead (closes#11058).
Discussion
----------
[Security] bug #10242 Missing checkPreAuth from RememberMeAuthenticationProvider
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #10242
| License | MIT
[Security] fixed missing call to UserChecker::checkPreAuth
edit : after the discution with @hellomedia , i replaced postcheck with precheck
e0730e07ed (commitcomment-6580764)
Commits
-------
a38d1cd bug #10242 Missing checkPreAuth from RememberMeAuthenticationProvider
This PR was merged into the 2.6-dev branch.
Discussion
----------
[Serializer] PropertyNormalizer: a new normalizer that maps an object's properties to an array
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | if PR is deemed mergeable, I'll write the docs
This PR adds a new Normalizer for the Serializer component: **`PropertyNormalizer`**.
Currently the only normalizer is `GetSetMethodNormalizer`, which calls getters and setters. This new serializer uses the properties values directly.
This is especially useful if you write a webservice and take/return very simple DTO (Data Transfer Objects) which role is only to act like a "named" `stdClass`. Every property is public (the class doesn't contain any logic), and mapping that to an array is pretty easy.
This normalizer takes into account public, but also *private* and *protected* properties.
FYI I've based most of the code of `GetSetMethodNormalizer`.
Commits
-------
78ceed1 [Serializer] Added PropertyNormalizer, a new normalizer that maps an object's properties to an array
This PR was merged into the 2.3 branch.
Discussion
----------
[Form] Fixed ValidatorTypeGuesser to guess properties without constraints not to be required
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #6645
| License | MIT
| Doc PR | -
Consider the following entity:
```php
class Author
{
/**
* @Assert\NotBlank
*/
private $name;
private $age;
}
```
Right now, the "required" HTML attribute is set for both fields (since the default value of the "required" option is true). IMO this is wrong.
With this fix, the ValidatorTypeGuesser guesses `false` for the "required" option unless a NotNull/NotBlank constraint is present.
Commits
-------
fd77b09 [Form] Fixed ValidatorTypeGuesser to guess properties without constraints not to be required
This PR was merged into the 2.6-dev branch.
Discussion
----------
[WebProfilerBundle] Show AJAX requests in the symfony profiler toolbar
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Adds AJAX requests in the web debug toolbar.
See #8896 for the original discussion.
Commits
-------
16d1b35 optimized JS for the AJAX section of the toolbar
2e708d7 made minor tweaks to JS code
8e4c603 replaced the AJAX icon with a smaller one
b66f39a removed hack
9c74fcc removed uneeded web_profiler.debug_toolbar.excluded_ajax_paths parameter in the container
d43edaf [WebProfilerBundle] improved the ajax section of the WDT
37f7dd7 [WebProfilerBundle] Show AJAX requests in the symfony profiler toolbar
This PR was merged into the 2.6-dev branch.
Discussion
----------
[Validator] Added "payload" option to all constraints for attaching domain-specific data
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #7273
| License | MIT
| Doc PR | TODO
The "payload" option can be used to pass whatever data should be attached to a constraint for an application:
```php
/**
* Domain-specific error codes
* @NotNull(payload="100")
*/
/**
* Structured domain-specific data
* @NotNull(payload={"display": "inline", "highlight": false})
*/
```
The term "payload" is borrowed from JSR-303.
Commits
-------
e8b7c6d [Validator] Added "payload" option to all constraints for attaching domain-specific data
This PR was merged into the 2.6-dev branch.
Discussion
----------
[DependencyInjection] Add a new Syntax to define factories as callables
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
From the original PR #9839:
"This pull requests adds a new syntax to define factories based on the syntax for configurators. This is more flexible than the old syntax (factoryMethod and either of factoryClass or factoryService), as it also allows for functions as factories.
Since the service is now a Reference to a Definition it also allows us to inline factories for a small performance improvement and better encapsulation.
Lastly this prevents a bug where a private factory is simple removed because it's not referenced in the graph.
I did not change any of the existing definitions (there's one use of a factory in FrameworkBundle) or automatically use the new internal representation when parsing YAML or XML definitions because this could introduce subtle B/C issues.
"
Commits
-------
187aeee fixed CS
bd8531d added a new Syntax to define factories as callables.
This PR was merged into the 2.6-dev branch.
Discussion
----------
[Translation][changelog] fix typo.
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| License | MIT
Translator::getMessages() was added in 2.6.
Commits
-------
e371bd7 [Translation][changelog] fix typo.
This PR was merged into the 2.6-dev branch.
Discussion
----------
[Security] Split of the SecurityContext
~~_As a reminder, this PR is not ready to be merged. It's merely a proof of concept in which I'm trying to fix a circular dependency with the SecurityContext and the entity manager for Symfony 2.6 and/or 3.0_~~
PR Info
======
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | https://github.com/symfony/symfony-docs/pull/4188
TODO List
=========
- [x] Split tests for SecurityContext/AuthorizationChecker/TokenStorage
- [x] Fix tests for security usages (only the component has been successfully tested at this point)
- [x] Submit changes to the documentation
- [x] Document the BC breaks
Main Problem for my use case
========================
I've build a bunch of event listeners on `doctrine.event_manager`. They include a Blamable, Revision and Mutation annotation on entities. It works by creating a custom event listener on preFlush which then throws an entityChanged event (also a doctrine hooked up event).
To make it configurable and flexible, we have written a provider for Blamable to provide the username/user-id and a date time (updated-by, updated-at). In order to get that information, we need to look into the SecurityContext to get the current user and ask the user id (custom user implementation).
However, injecting the SecurityContext - or services depending on the SecurityContext - creates a circular reference and causes the container to blurt out an Exception. This is because the SecurityContext uses a UserProvider (indirectly) which has a dependency on doctrine (em, connection). Because it needs doctrine, it's impossible for my listener to inject the SecurityContext as it becomes this:
- SecurityContext requires AuthenticationProvider
- (Simple)AuthenticationProvider requires UserProvider
- UserProvider requires EntityManager
- EntityManager requires _insert connection name here_
- My custom Listener calls addEvent (or something similar) in doctrine which causes a dependency from the EM/Connection to my Listener
- My Listener requires SecurityContext... which finishes the circle.
I've googled for this problem and it wasn't hard to find similar issues, it seems to be a quite common issue regarding the SecurityContext and the EntityManager
- http://stackoverflow.com/questions/7561013/injecting-securitycontext-into-a-listener-prepersist-or-preupdate-in-symfony2-to
- http://stackoverflow.com/questions/8708822/circular-reference-when-injecting-security-context-into-entity-listener-class
- http://stackoverflow.com/questions/17020733/how-to-get-userid-from-eventlistener-which-are-called-from-ajax
- You can find more simply by googling.
The main solution seems to be to lazy load using an additional bundle or as recommended in the above topics, inject the container. Neither of them is really a solution I'm happy with. I don't want my code to know about the Container(Interface), nor do I want to use a another bundle just to get around an issue that a lot of people seem to have with the SecurityContext and EntityManager.
Possible Solutions
==============
I've been thinking about several solutions:
- I could write a service that listens to `kernel.request` and when possible injects the username/user-id into my provider which then can provide it to my listener
- I could use the Container directly
- I can use a lazy service with `symfony/proxy-manager-bridge`
- I can store the user-id in my request
However, those solutions are just not it for me. Depending on an event like `kernel.request` is a bad practice in my opinion, I shouldn't depend on what listeners might be registered. Using the container directly inverses the dependency which is also wrong in my opinion. Using a lazy service will only work around the problem and storing the user-id in my request means I might not always have it (say commands).
Long story short, not what I'm looking for.
Splitting the SecurityContext
======================
So, I ended up at the SecurityContext. Digging back to the real problem, I started asking myself the following questions: why do I have that dependency? Why do I need to have the EntityManager when the only thing I want, is the currently logged in User object? (which is not related to a database). I came to the conclusion that the SecurityContext gives me too many dependencies in order to retrieve a simple Token/User object, which is not really what I want. Most of the times I need the SecurityContext to get the token/user and not for isGranted. Personally I use `@Security` and `access_control` for that.
I came to the conclusion that storing the Token within the SecurityContext wasn't what I found useful due to the dependencies of the SecurityContext. I figured I'd want a storage class with a dependency on the SessionInterface which could autonomously retrieve and store the TokenInterface (`@session` in this case). It would also be handling the storage within the session using get/setToken.
I have proposed this change and had a small discussion with @WouterJ on IRC about my proposal to take out the Token (can be read here http://pastebin.com/8kSvVZtj). Based on his feedback, I have split the isGranted to the AuthorizationChecker(Interface), which now has those dependencies. I have also moved the set/getToken to a TokenStorage.
tldr;
- The getToken en setToken are moved to the TokenStorage(Interface).
- ~~If this idea is feasible, I will also try to get the SecurityContext to actually store and retrieve it from the session instead of `ContextListener::onKernelResponse`. This will just do `$context->setToken($token);` which will handle this storage itself.~~ I still chase this idea but I will create a new PR for this in the future if I find time.
- isGranted is moved to AuthorizationChecker(Interface) so that you don't have a bunch of dependencies you don't need when retrieving the Token/User.
Draft
====
~~This PR is just a draft. I'm looking for feedback if this proposal is A) desired and B) in-line with the developer's ideas regarding the SecurityContext.~~
Changed Components/bundles
=========================
[FrameworkBundle] Updated GlobalVariables, added test for GlobalVariables
[SecurityBundle] Updated service definitions
[Security Component] Deprecated SecurityContext(Interface), added AuthorizationChecker(Interface) and TokenStorage(Interface)
Commits
-------
b967787 Split of the SecurityContext to AuthorizationChecker and TokenStorage
This PR was submitted for the master branch but it was merged into the 2.3 branch instead (closes#11904).
Discussion
----------
Make twig ExceptionController conformed with ExceptionListener
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #9083
| License | MIT
| Doc PR |
Parameter passed to exception controller from exception listener called ``format``, so variable ``_format`` in exception controller always takes default value.
https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpKernel/EventListener/ExceptionListener.php#L120
Commits
-------
24c5ba4 Use request format from request in twig ExceptionController
This PR was merged into the 2.3 branch.
Discussion
----------
[Form] Moved POST_MAX_SIZE validation from FormValidator to request handler
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11729, #11877
| License | MIT
| Doc PR | -
Commits
-------
759ae1a [Form] Moved POST_MAX_SIZE validation from FormValidator to request handler
4780210 [Form] Add a form error if post_max_size has been reached.
This PR was merged into the 2.4 branch.
Discussion
----------
[Security] [Firewall] Bug fixed in SimplePreAuthenticationListener when createToken() not return TokenInterface object
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | no
| Fixed tickets | #11490, #11414
| License | MIT
| Doc PR |
This is a follow-up for #11414 on the right branch.
Commits
-------
faa8e98 fixed bug
e85cb7f added the possibility to return null from SimplePreAuthenticationListener
This PR was merged into the 2.6-dev branch.
Discussion
----------
[Form] Renamed the option "empty_value" to "placeholder"
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | #5791
| License | MIT
| Doc PR | TODO
This PR is changing the "empty_value" option to the more understandable name "placeholder".
In a subsequent PR, the "placeholder" option should also be added to all types that support the "placeholder" HTML5 attribute.
Commits
-------
2b440f3 [Form] Renamed the option "empty_value" to "placeholder"
