This PR was squashed before being merged into the 5.2-dev branch.
Discussion
----------
[RateLimiter] Moved classes implementing LimiterInterface to a new namespace
| Q | A
| ------------- | ---
| Branch? | 5.x
| Bug fix? | no
| New feature? | no
| Deprecations? | no?
| Tickets |
| License | MIT
| Doc PR |
Before we release the RateLimit component.
I think it would be a good idea to put the 7 classes that belongs to a specific strategy in their own "Policy" namespace. It is very likely that it will be more strategies in the future and the `Symfony\Component\RateLimiter` namespace is crowed as it is.
I decided not to put the `CompoundLimiter` in this namespace as it is not a strategy.
Commits
-------
1e6cea56e4 [RateLimiter] Moved classes implementing LimiterInterface to a new namespace
* 5.1:
fix merge
fix merge
Remove branch-version (keep them for contracts only)
[HttpClient] relax auth bearer format requirements
[PHPUnitBridge] Silence errors from mkdir()
[DependencyInjection] Preload classes with union types correctly.
[Serializer] fix decoding float XML attributes starting with 0
add missing dutch translations
[TwigBridge] Remove "transchoice" from the code base
Support PHPUnit 8 and PHPUnit 9 in constraint compatibility trait
Add expectDeprecation, expectNotice, expectWarning, and expectError to TestCase polyfill
[String] fix before/after[Last]() returning the empty string instead of the original one on non-match
Add missing exporter function for PHPUnit 7
[Validator] Add missing romanian translations
[String] fix slicing in UnicodeString
[Cache] Use correct expiry in ChainAdapter
do not translate null placeholders or titles
* 4.4:
fix merge
Remove branch-version (keep them for contracts only)
[HttpClient] relax auth bearer format requirements
[PHPUnitBridge] Silence errors from mkdir()
[DependencyInjection] Preload classes with union types correctly.
[Serializer] fix decoding float XML attributes starting with 0
add missing dutch translations
Support PHPUnit 8 and PHPUnit 9 in constraint compatibility trait
Add expectDeprecation, expectNotice, expectWarning, and expectError to TestCase polyfill
Add missing exporter function for PHPUnit 7
[Validator] Add missing romanian translations
[Cache] Use correct expiry in ChainAdapter
do not translate null placeholders or titles
* 3.4:
Remove branch-version (keep them for contracts only)
[Serializer] fix decoding float XML attributes starting with 0
add missing dutch translations
[Validator] Add missing romanian translations
do not translate null placeholders or titles
This PR was squashed before being merged into the 5.x branch.
Discussion
----------
[Validator] Upgraded constraints to enable named arguments and attributes
| Q | A
| ------------- | ---
| Branch? | 5.2
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | #38096
| License | MIT
| Doc PR | TODO with symfony/symfony-docs#14305
This PR enables all remaining atomic (!= composite) constraints to be used as attributes.
The only exception is `UniqueEntity` from Doctrine bridge because we don't have a Doctrine ORM release yet that supports PHP 8. So I could migrate that one as well, but I cannot really test it.
Commits
-------
fb99eb2052 [Validator] Upgraded constraints to enable named arguments and attributes
Returning DateTime objects seems like a common use-case to automatically expire
all login links when one is used or to only allow the login link to be used
once.
This PR was squashed before being merged into the 5.2-dev branch.
Discussion
----------
[Security] Magic login link authentication
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | none
| License | MIT
| Doc PR | TODO
Hi!
This adds a Slack-style "magic link" login authenticator to the new login system: (A) enter your email into a form, (B) receive an email with a link in it (C) click that link and you are authenticated!
For most users, implementing this would require:
A) Create a [controller](https://github.com/weaverryan/symfony-magic-login-link-example/blob/master/src/Controller/MagicLinkLoginController.php) with the "enter your email" form and a route for the "check" functionality (similar to `form_login`)
B) Activate in `security.yaml`:
```yml
security:
enable_authenticator_manager: true
# ...
firewalls:
# ...
main:
# ...
login_link:
check_route: 'magic_link_verify'
# this is an important and powerful option
# An array of properties on your User that are used to sign the link.
# If any of these change, all existing links will become invalid
# tl;dr If you want the modification of ANY field to invalidate ALL existing magic links immediately,
# then you can add it to this list. You could even add a "lastLoginLinkSentAt" to invalid
# all existing login links when a new one is sent.
signature_properties: [id, password, email]
# optional - by default, links can be reused but have a 10 minute lifetime
#max_uses: 3
#used_link_cache: cache.app
```
Done! This will generate a URL that looks something like this:
> https://127.0.0.1:9033/login/verify?user=weaverryan@gmail.com&expires=1601342578&hash=YzE1ZDJlYjM3YTMyMjgwZDdkYzg2ZjFlMjZhN2E5ZWRmMzk3NjAxNjRjYThiMjMzNmIxYzAzYzQ4NmQ2Zjk4NA%3D%3D
We would implement a Maker command this config + login/controller. The implementation is done via a "signed URL" and an optional cache pool to "expire" links. The hash of the signed URL can contain any user fields you want, which give you a powerful mechanism to invalidate magic tokens on user data changes. See `signature_properties` above.
#### Security notes:
There is a LOT of variability about how secure these need to be:
* A) Many/most implementation only allow links to be used ONE time. That is *possible* with this implementation, but is not the *default*. You CAN add a `max_uses` config which stores the expired links in a cache so they cannot be re-used. However, to make this work, you need to do more work by adding some "page" between the link the users clicks and *actually* using the login link. Why? Because unless you do this, email clients may follow the link to "preview" it and will "consume" the link.
* B) Many implementations will invalidate all other login links for a user when a new one is created. We do *not* do that, but that IS possible (and we could even generate the code for it) by adding a `lastLoginLinkSentAt` field to `User` and including this in `signature_properties`.
* C) We *do* invalidate all links if the user's email address is changed (assuming the `email` is included in `signature_properties`, which it should be). You can also invalidate on password change or whatever you want.
* D) Some implementations add a "state" so that you can only use the link on the same device that created it. That is, in many cases, quite annoying. We do not currently support that, but we could in the future (and the user could add it themselves).
Thanks!
#### TODOS:
* [x] A) more tests: functional (?) traits
* [ ] B) documentation
* [ ] C) MakerBundle PR
* [ ] D) Make sure we have what we need to allow that "in between" page
* [ ] E) Create a new cache pool instead of relying on cache.app?
Commits
-------
a8afe109d8 [Security] Magic login link authentication
This allows limiting on different elements of a request. This is usefull to
e.g. prevent breadth-first attacks, by allowing to enforce a limit on both IP
and IP+username.
* 5.1: (25 commits)
stop using the deprecated at() PHPUnit matcher
fix lowest allowed version of the HTTP client contracts
fix lowest allowed version for the PHPUnit bridge
fix merge
fix merge
drop logger mock in favor of using the BufferingLogger
catch ValueError thrown on PHP 8
[Yaml Parser] Fix edge cases when parsing multiple documents
fix parsing comments not prefixed by a space
[Translator] Make sure a null locale is handled properly
deal with errors being thrown on PHP 8
loadRoutes shoud receive RoutingPhpFileLoader
[Cache] Allow cache tags to be objects implementing __toString()
[HttpKernel] Do not override max_redirects option in HttpClientKernel
Log notice when no entry point is configured
remove superfluous cast
[HttpClient] Support for CURLOPT_LOCALPORT.
Upgrade PHPUnit to 8.5 (php 7.2) and 9.3 (php >= 7.3).
Fixed exception message formatting
[FrameworkBundle] Fix error in xsd which prevent to register more than one metadata
...
* 5.1:
[Debug] fix test
consistently use same types for strict comparisons
[PhpUnitBridge] Skip internal classes in CoverageListenerTrait
[VarExporter] unserialize() might throw an Exception on php 8.
[SecurityHttp] Don't call createMock() with multiple interfaces.
[ErrorHandler] Parse "x not found" errors correctly on php 8.
Prevent parsing invalid octal digits as octal numbers
remove unnecessary check for existing request
[DI] fix ContainerBuilder on PHP8
[Console] Make sure $maxAttempts is an int or null.
[VarDumper] Fix caster for invalid SplFileInfo objects on php 8.
[Intl] Skip test cases that produce a TypeError on php 8.
[PhpUnitBridge] Adjust output parsing for PHPUnit 9.3.
[PhpUnitBridge] CoverageListenerTrait update for PHPUnit 8.5/9.x
add bosnian (bs) translation
[Debug] Parse "x not found" errors correctly on php 8.
* 5.1:
Enable "native_constant_invocation" CS rule
Make AbstractPhpFileCacheWarmer public
Fix CS
Add a warning comment on ldap empty password
Bump Symfony version to 4.4.14
Update VERSION for 4.4.13
Update CHANGELOG for 4.4.13
[PhpunitBridge] Fix deprecation type detection
This PR was merged into the 5.2-dev branch.
Discussion
----------
[Security] Configurable execution order for firewall listeners
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| License | MIT
| Doc PR | n/a
Hello there, I'm the author of `scheb/two-factor-bundle`, which extends Symfony's security layer with two-factor authentication. I've been closely following the recent changes by @wouterj to rework the security layer with "authenticators" (great work!). While I managed to make my bundle work with authenticators, I see some limitations in the security layer that I'd like to address to make such extensions easier to implement.
In #37336 I've submitted a draft to let security factories add their own authentication listeners to the firewall. This PR is intended to address the issue of execution order. If you look at the `Firewall` class
f64f59a9c0/src/Symfony/Component/Security/Http/Firewall.php (L62-L82)
authentication listeners are executed in the order of their creation. Additionally, there's hardcoded logic to execute `Symfony\Component\Security\Http\Firewall\AccessListener` always last and the logout listener second to last. I'd like to have a more flexible approach, to remove the hardcoded order and give authentication listeners the ability to determine their execution order.
I've added an optional interface to provide a priority to sort all registered authenitication listeners. Sorting is done in a compiler pass, so no time is wasted at runtime.
This is a draft, so I'd like to hear your opinion on this :)
Commits
-------
91388e871b Add ability to prioritize firewall listeners
This PR was merged into the 5.2-dev branch.
Discussion
----------
[Security] Renamed provider key to firewall name
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| Deprecations? | yes
| Tickets | Fix#15207
| License | MIT
| Doc PR | tbd
This fixes the `$providerKey` argument names on the classes that will remain in use, even when the new Security system will take over. @fabpot do you think these changes are worth it?
Officially, all token classes are not marked as `@final`. Do I need to take into account when someone is overriding the `getProviderKey()` method? Also, I couldn't find a way to trigger a deprecation notice for deprecated properties, is this a problem?
Commits
-------
91b276326d Renamed $providerKey to $firewallName
* 5.1:
Backport: Improve link script with rollback when using symlink
fix more numeric cases changing in PHP 8
Fixed autoLogin() returning null
[Notifier] add doc for free mobile dsn
* 5.1:
fix: clarify parameter name to comply with deprecations from #34074
[Sendgrid-Mailer] Fixed envelope recipients on sendgridApiTransport
mark the AssertingContextualValidator class as internal
Fix the parameter names in the SecurityFactoryInterface::create() method
[Serializer][ClassDiscriminatorMapping] Fix getMappedObjectType() when a discriminator child extends another one
make return type correct
* 5.1:
Postpone BC layer removal to 6.0.
add validator translation 99 for Italian language
stop using the deprecated at() PHPUnit matcher
Fix typehint phpdoc
This PR was squashed before being merged into the 5.2-dev branch.
Discussion
----------
[Security] Add event to inspect authenticated token before it becomes effective
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| License | MIT
| Doc PR | n/a
Hello there, I'm the author of `scheb/two-factor-bundle`, which extends Symfony's security layer with two-factor authentication. I've been closely following the recent changes by @wouterj to rework the security layer with "authenticators" (great work!). While I managed to make my bundle work with authenticators, I see some limitations in the security layer that I'd like to address to make such extensions easier to implement.
This PR adds a new event, which is disapatched right after the authenticated token has been created by the authenticator, to "announce" it to the application *before* it becomes effective to the security system. The event works similar to `ResponseEvent`, but for security token. It allows listeners to inspect the new token before it becomes effective and - most importantly - apply modifications to it. So components other than the authenticator will be able to influence how the security token looks like, that will be set to the security layer on successful authentication.
Why would you want to do this? Of course I'm looking at this from the 2fa perspective. To make 2fa work, it's necessary to prevent a newly created authenticated token from becoming visible to the security system and therefore exposing its privileges/roles. This is done by replacing the authenticated token with a temporary "TwoFactorToken". Currently I'm doing this through dependency injection, getting all the registered authenticators and decorating them with my own token-exchange logic. This is not very clean and overly complicated, but it works. Adding this event as a hook-in point would allow for a much cleaner integration for any component that wants to have a saying in how the security token should look like.
Commits
-------
20309646b7 [Security] Add event to inspect authenticated token before it becomes effective
* 5.1:
Fix typo
Fix deprecated libxml_disable_entity_loader
Add Tagalog translations for validator messages 94, 95, 96 and 99
PHPUnit's assertContains() performs strict comparisons now.
[ClassLoader][Routing] Fix namespace parsing on php 8.
Fix deprecated libxml_disable_entity_loader
Made reference to PHPUnit\Util\XML::loadfile php5-compatible.
[Validator] Add missing translations for german and vietnamese
Modernized deprecated PHPUnit assertion calls
[Console] The message of "class not found" errors has changed in php 8.
The PHPUnit\Util\XML class has been removed in PHPUnit 9.3.
[Console] Make sure we pass a numeric array of arguments to call_user_func_array().
Remove outdated references from base_js.html.twig file
[String] We cannot have a "provides" function in test cases.
Typo: somes styles fixed
[Serializer] Fix that it will never reach DOMNode
[Validator] sync translations
[VarDumper] Improve previous fix on light array coloration
[Cache] Fix#37667
* 4.4:
Fix typo
Fix deprecated libxml_disable_entity_loader
Add Tagalog translations for validator messages 94, 95, 96 and 99
PHPUnit's assertContains() performs strict comparisons now.
[ClassLoader][Routing] Fix namespace parsing on php 8.
Fix deprecated libxml_disable_entity_loader
Made reference to PHPUnit\Util\XML::loadfile php5-compatible.
[Validator] Add missing translations for german and vietnamese
Modernized deprecated PHPUnit assertion calls
[Console] The message of "class not found" errors has changed in php 8.
The PHPUnit\Util\XML class has been removed in PHPUnit 9.3.
[Console] Make sure we pass a numeric array of arguments to call_user_func_array().
[Serializer] Fix that it will never reach DOMNode
[Validator] sync translations
[VarDumper] Improve previous fix on light array coloration
[Cache] Fix#37667
* 3.4:
Add Tagalog translations for validator messages 94, 95, 96 and 99
PHPUnit's assertContains() performs strict comparisons now.
[ClassLoader][Routing] Fix namespace parsing on php 8.
Fix deprecated libxml_disable_entity_loader
Made reference to PHPUnit\Util\XML::loadfile php5-compatible.
[Validator] Add missing translations for german and vietnamese
Modernized deprecated PHPUnit assertion calls
[Console] The message of "class not found" errors has changed in php 8.
The PHPUnit\Util\XML class has been removed in PHPUnit 9.3.
[Console] Make sure we pass a numeric array of arguments to call_user_func_array().
[Serializer] Fix that it will never reach DOMNode
[Validator] sync translations
[VarDumper] Improve previous fix on light array coloration
[Cache] Fix#37667
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
Modernized deprecated PHPUnit assertion calls
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Part of #37564
| License | MIT
| Doc PR | N/A
Some assertions have been renamed in PHPUnit 9. PhpUnitBridge should already have polyfills in place for those methods, so it should be save to use them.
Commits
-------
ab417f7040 Modernized deprecated PHPUnit assertion calls
* 5.1:
minor #37121 [Contracts] Add missing "extra.thanks" entries in composer.json (nicolas-grekas)
[Process] Fix Permission Denied error when writing sf_proc_00 lock files on Windows
fix handling null as empty data
[Security\Http] Skip remember-me logout on empty token
Missing return in loadValuesForChoices method
No need to create an issue when creating a PR
Use ">=" for the "php" requirement
[HttpClient] Fix promise behavior in HttplugClient
[Console] Fixes question input encoding on Windows
This PR was merged into the 5.1 branch.
Discussion
----------
[Security] Added missing license headers
| Q | A
| ------------- | ---
| Branch? | 5.1
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
See 3be6ce121b
Seems like the fabbot reviews (and I) missed quite a lot of these in my big security PR.
Commits
-------
ea81b61e5f Added missing license headers
* 5.1:
Fix test that fails on old distros
Fix: compatibility with phpunit 9.3
[DoctrineBridge] work around Connection::ping() deprecation
[MimeType] Duplicated MimeType due to PHP Bug
[HttpClient] fix casting TraceableResponse to php streams
[DI] fix parsing of argument type=binary in xml
fix guessing form types for DateTime types
fix handling typed properties as constraint options
Fix the 'supports' method argument type of the security voter
Use the driverConnection executeUpdate method
* 5.0:
Fix test that fails on old distros
Fix: compatibility with phpunit 9.3
[DoctrineBridge] work around Connection::ping() deprecation
[MimeType] Duplicated MimeType due to PHP Bug
[DI] fix parsing of argument type=binary in xml
fix guessing form types for DateTime types
fix handling typed properties as constraint options
Fix the 'supports' method argument type of the security voter
Use the driverConnection executeUpdate method
This PR was merged into the 5.2-dev branch.
Discussion
----------
[Security] Add attributes on Passport
| Q | A
| ------------- | ---
| Branch? | master <!-- see below -->
| Bug fix? | no
| New feature? | yes <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | n/a <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | not yet
see https://github.com/symfonycorp/connect/pull/95
/cc @wouterj
Commits
-------
440ada3c5f [Security] Add attributes on Passport
* 5.1: (28 commits)
[DI] fix
Use "composer/package-versions-deprecated" when possible
Fix
Small update in our internal terminology
Fix support for PHP8 union types
[VarDumper] fix typo
[Lock][Messenger] Fix precedence of DSN options for 5.1
Fix support for PHP8 union types
[FrameworkBundle] preserve dots in query-string when redirecting
[3.4] Fix support for PHP8 union types
[PhpUnitBridge] Streamline ansi/no-ansi of composer according to phpunit --colors option
[3.4] Small update in our internal terminology
[Cache] fix compat with DBAL v3
Remove unnecessary null check
[HttpFoundation] Allow `null` in InputBag@set
[HttpClient] Convert CurlHttpClient::handlePush() to instance method
Fix package rename when releasing
bumped Symfony version to 5.1.3
updated VERSION for 5.1.2
updated CHANGELOG for 5.1.2
...
* 5.1:
[Security] Run functional tests also for the authenticator system
Fix register csrf protection listener
bumped Symfony version to 5.1.2
updated VERSION for 5.1.1
updated CHANGELOG for 5.1.1
* 5.1: (36 commits)
Fixed left-over debug statement
set column length for mysql 5.6 compatibility
[Mime] Remove unused var
[HttpClient] fix monitoring timeouts when other streams are active
[PhpUnitBridge] fix syntax on PHP 5.3
[PhpUnitBridge] Fix undefined index when output of "composer show" cannot be parsed
properly cascade validation to child forms
[PropertyAccess] Fix getter call order BC
[PhpUnitBridge] fix undefined var on version 3.4
Fix invalid char in SQS Headers
Move ajax clear event listener initialization on loadToolbar
[HttpClient] Throw JsonException instead of TransportException on empty response in Response::toArray()
Fix CS
FrameworkBundle Serializer issue
register event listeners depending on the installed packages
take into account the context when preserving empty array objects
Only register CSRF protection listener if CSRF is available
[VarExporter] tfix: s/markAsSkipped/markTestSkipped/
Also check PUBLIC_ACCESS for authenticated tokens
Fix enabled_locales behavior
...
* 5.1:
Fix abstract method name in PHP doc block
Various cleanups
[HttpClient] fix issues in tests
Fixes sprintf(): Too few arguments in form transformer
[Console] Fix QuestionHelper::disableStty()
[Validator] Use Mime component to determine mime type for file validator
validate subforms in all validation groups
Update Hungarian translations
Add meaningful message when Process is not installed (ProcessHelper)
[Messenger] Change the default notify timeout value for PostgreSQL
[PropertyAccess] Fix TypeError parsing again.
[TwigBridge] fix fallback html-to-txt body converter
[Security/Http] fix merge
[ErrorHandler] fix setting $trace to null in FatalError
[Form] add missing Czech validators translation
[Validator] add missing Czech translations
never directly validate Existence (Required/Optional) constraints
* 5.0:
Fix abstract method name in PHP doc block
Various cleanups
[HttpClient] fix issues in tests
Fixes sprintf(): Too few arguments in form transformer
[Console] Fix QuestionHelper::disableStty()
[Validator] Use Mime component to determine mime type for file validator
validate subforms in all validation groups
Update Hungarian translations
Add meaningful message when Process is not installed (ProcessHelper)
[PropertyAccess] Fix TypeError parsing again.
[TwigBridge] fix fallback html-to-txt body converter
[Security/Http] fix merge
[ErrorHandler] fix setting $trace to null in FatalError
[Form] add missing Czech validators translation
[Validator] add missing Czech translations
never directly validate Existence (Required/Optional) constraints
* 5.1:
Handle fetch mode deprecation of DBAL 2.11.
Fixed security-* package dependencies
Fixed handling of CSRF logout error
[WebProfilerBundle] changed label of memory usage in time panel (Mb into MiB)
[DotEnv][WebLink][Templating][ErrorHandler] Updated README with minimal example
* 5.0:
Handle fetch mode deprecation of DBAL 2.11.
Fixed handling of CSRF logout error
[WebProfilerBundle] changed label of memory usage in time panel (Mb into MiB)
[DotEnv][WebLink][Templating][ErrorHandler] Updated README with minimal example
* 4.4:
Handle fetch mode deprecation of DBAL 2.11.
Fixed handling of CSRF logout error
[WebProfilerBundle] changed label of memory usage in time panel (Mb into MiB)
[DotEnv][WebLink][Templating][ErrorHandler] Updated README with minimal example
* 5.1:
Allow email message to have "To", "Cc", or "Bcc" header to be valid
[FrameworkBundle] Removed detection of Serializer < 3.2
Update pull request template for 5.1.
[Security/Core] fix PHP8 deprecation
* 5.0:
Allow email message to have "To", "Cc", or "Bcc" header to be valid
[FrameworkBundle] Removed detection of Serializer < 3.2
Update pull request template for 5.1.
[Security/Core] fix PHP8 deprecation
* 4.4:
Allow email message to have "To", "Cc", or "Bcc" header to be valid
[FrameworkBundle] Removed detection of Serializer < 3.2
Update pull request template for 5.1.
[Security/Core] fix PHP8 deprecation
* 5.1: (33 commits)
[Cache] $lifetime cannot be null
[Serializer] minor cleanup
fix merge
Run PHP 8 as 7.4.99
Remove calls to deprecated ReflectionParameter::getClass().
[VarDumper] fix PHP 8 support
Removed "services" prototype node from "custom_authenticator"
Add php 8 to travis.
[Cache] Accessing undefined constants raises an Error in php8
[Cache] allow DBAL v3
Skip Doctrine DBAL on php 8 until we have a compatible version.
[DomCrawler] Catch expected ValueError.
Made method signatures compatible with their corresponding traits.
[ErrorHandler] Apply php8 fixes from Debug component.
[DomCrawler] Catch expected ValueError.
[Validator] Catch expected ValueError.
[VarDumper] ReflectionFunction::isDisabled() is deprecated.
[BrowserKit] Raw body with custom Content-Type header
Revert https://github.com/symfony/symfony/pull/34986
Make ExpressionLanguageSyntax validator usable with annotation
...
* 5.0: (28 commits)
[Cache] $lifetime cannot be null
[Serializer] minor cleanup
fix merge
Run PHP 8 as 7.4.99
Remove calls to deprecated ReflectionParameter::getClass().
[VarDumper] fix PHP 8 support
Add php 8 to travis.
[Cache] Accessing undefined constants raises an Error in php8
[Cache] allow DBAL v3
Skip Doctrine DBAL on php 8 until we have a compatible version.
[DomCrawler] Catch expected ValueError.
Made method signatures compatible with their corresponding traits.
[ErrorHandler] Apply php8 fixes from Debug component.
[DomCrawler] Catch expected ValueError.
[Validator] Catch expected ValueError.
[VarDumper] ReflectionFunction::isDisabled() is deprecated.
[BrowserKit] Raw body with custom Content-Type header
[PropertyAccess] Parse php 8 TypeErrors correctly.
[Intl] Fix call to ReflectionProperty::getValue() for static properties.
[HttpKernel] Prevent calling method_exists() with non-string values.
...
* 4.4: (27 commits)
[Serializer] minor cleanup
fix merge
Run PHP 8 as 7.4.99
Remove calls to deprecated ReflectionParameter::getClass().
[VarDumper] fix PHP 8 support
Add php 8 to travis.
[Cache] Accessing undefined constants raises an Error in php8
[Cache] allow DBAL v3
Skip Doctrine DBAL on php 8 until we have a compatible version.
[DomCrawler] Catch expected ValueError.
Made method signatures compatible with their corresponding traits.
[ErrorHandler] Apply php8 fixes from Debug component.
[DomCrawler] Catch expected ValueError.
[Validator] Catch expected ValueError.
[VarDumper] ReflectionFunction::isDisabled() is deprecated.
[BrowserKit] Raw body with custom Content-Type header
[PropertyAccess] Parse php 8 TypeErrors correctly.
[Intl] Fix call to ReflectionProperty::getValue() for static properties.
[HttpKernel] Prevent calling method_exists() with non-string values.
Fix wrong roles comparison
...
* 5.1:
[PhpUnitBridge] fix leftover
[PhpUnitBridge] fix installing under PHP >= 8
Use ">=" for the "php" requirement
bump icu 67.1
[DI] Remove preload primitive types
[Validator] Add missing translations of nn locale
[HttpKernel] Fix that the `Store` would not save responses with the X-Content-Digest header present
[Intl] bump icu 67.1
[Validator] allow passing a validator to Validation::createCallable()
* 5.1:
[PhpUnitBridge] fix bad detection of unsilenced deprecations
[Security] Unserialize $parentData, if needed, to avoid errors
[HttpKernel] Fix error logger when stderr is redirected to /dev/null (FPM)
* 5.0:
[PhpUnitBridge] fix bad detection of unsilenced deprecations
[Security] Unserialize $parentData, if needed, to avoid errors
[HttpKernel] Fix error logger when stderr is redirected to /dev/null (FPM)
* 4.4:
[PhpUnitBridge] fix bad detection of unsilenced deprecations
[Security] Unserialize $parentData, if needed, to avoid errors
[HttpKernel] Fix error logger when stderr is redirected to /dev/null (FPM)
This PR was merged into the 5.1-dev branch.
Discussion
----------
RememberMeLogoutListener should depend on LogoutHandlerInterface
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| License | MIT
`RememberMeLogoutListener`, which was introduced together with the new authenticator security in Symfony 5.1, depends on `AbstractRememberMeServices`. This forces people to always extend from `AbstractRememberMeServices`, even when they're implementing the correct interface.
I'd suggest to depend on the minimum interface, which is `LogoutHandlerInterface`, instead.
Example of the type errors you'd get otherwise:
`
Argument 1 passed to Symfony\Component\Security\Http\EventListener\RememberMeLogoutListener::__construct() must be an instance of Symfony\Component\Security\Http\RememberMe\AbstractRememberMeServices, instance of Scheb\TwoFactorBundle\Security\Authentication\RememberMe\RememberMeServicesDecorator given, called in var/cache/dev/Container3IpOCEd/getSecurity_Logout_Listener_RememberMe_MainService.php on line 22
`
with
```php
class RememberMeServicesDecorator implements RememberMeServicesInterface, LogoutHandlerInterface
[...]
```
Commits
-------
994700fbae Depend on LogoutHandlerInterface
* 5.0:
[VarDumper] fix for change in PHP 7.4.6
Added regression test for AccountStatusException behavior (ref #36822)
[HttpClient] fix PHP warning + accept status code >= 600
[Security/Core] fix compat of `NativePasswordEncoder` with pre-PHP74 values of `PASSWORD_*` consts
embed resource name in error message
[FrameworkBundle] fix stringable annotation
Change priority of KernelEvents::RESPONSE subscriber
Fix register event listeners compiler pass
Missing description in `messenger:setup-transports` command
[Serializer] fix issue with PHP 8
[WebProfiler] Remove 'none' when appending CSP tokens
[TwigBundle] FormExtension does not have a constructor anymore since sf 4.0
[Yaml] Fix escaped quotes in quoted multi-line string
* 4.4:
[VarDumper] fix for change in PHP 7.4.6
Added regression test for AccountStatusException behavior (ref #36822)
[HttpClient] fix PHP warning + accept status code >= 600
[Security/Core] fix compat of `NativePasswordEncoder` with pre-PHP74 values of `PASSWORD_*` consts
embed resource name in error message
[FrameworkBundle] fix stringable annotation
Change priority of KernelEvents::RESPONSE subscriber
Fix register event listeners compiler pass
Missing description in `messenger:setup-transports` command
[Serializer] fix issue with PHP 8
[WebProfiler] Remove 'none' when appending CSP tokens
[TwigBundle] FormExtension does not have a constructor anymore since sf 4.0
[Yaml] Fix escaped quotes in quoted multi-line string
This PR was merged into the 4.4 branch.
Discussion
----------
[Security/Core] fix compat of `NativePasswordEncoder` with pre-PHP74 values of `PASSWORD_*` consts
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36451
| License | MIT
| Doc PR | -
Commits
-------
df32171cb2 [Security/Core] fix compat of `NativePasswordEncoder` with pre-PHP74 values of `PASSWORD_*` consts
* 3.4:
[VarDumper] fix for change in PHP 7.4.6
Added regression test for AccountStatusException behavior (ref #36822)
embed resource name in error message
[Serializer] fix issue with PHP 8
[Yaml] Fix escaped quotes in quoted multi-line string
* 5.0:
[PhpUnitBridge] fix bad test
[4.4] CS fixes
[3.4] CS fixes
Disable phpunit verbosity
Queue name is a required parameter
[FrameworkBundle] display actual target for error in AssetsInstallCommand
Remove patches for Doctrine bugs and deprecations
[Mime] fix bad method call on "EmailAddressContains"
[DI][EventDispatcher] added contract for implementation
* 4.4:
[PhpUnitBridge] fix bad test
[4.4] CS fixes
[3.4] CS fixes
Disable phpunit verbosity
Queue name is a required parameter
[FrameworkBundle] display actual target for error in AssetsInstallCommand
Remove patches for Doctrine bugs and deprecations
[Mime] fix bad method call on "EmailAddressContains"
[DI][EventDispatcher] added contract for implementation
This PR was merged into the 5.1-dev branch.
Discussion
----------
[Security/Core] Add CustomUserMessageAccountStatusException
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| License | MIT
| Doc PR | Not really needed
When implementing the `UserCheckerInterface`, we can throw `AccountStatusException`. Similar to `CustomUserMessageAuthenticationException`, this exception allow to throw an `AccountStatusException` with a custom message.
Commits
-------
9233efbe06 Add CustomUserMessageAccountStatusException
* Anonymous users are actual to unauthenticated users, both are now represented by no token
* Added a PUBLIC_ACCESS Security attribute to be used in access_control
* Deprecated "anonymous: lazy" in favor of "lazy: true"
* 5.0:
[FrameworkBundle] Fix session.attribute_bag service definition
[Routing] Remove unused properties from the Route annotation
[Routing] Add missing _locale requirements
Update LdapBindAuthenticationProvider.php
Add reproducer to for hit after update expire cacheItem
[Cache] fix FilesystemTagAwareAdapter failing when a tag link preexists
* 4.4:
[FrameworkBundle] Fix session.attribute_bag service definition
[Routing] Remove unused properties from the Route annotation
[Routing] Add missing _locale requirements
Update LdapBindAuthenticationProvider.php
Add reproducer to for hit after update expire cacheItem
[Cache] fix FilesystemTagAwareAdapter failing when a tag link preexists
The AuthenticatorManager now performs the whole authentication process. This
allows for manual authentication without duplicating or publicly exposing parts
of the process.
This to remove confusion between the new system and Guard. When using the new
system, guard should not be installed. Guard did however influence the idea
behind the new system. Thus keeping the mentions of "guard" makes it confusing
to use the new system.
This allows more flexibility for the authentication manager (to e.g. implement
login throttling, easier remember me, etc). It is also a known design pattern
in Symfony HttpKernel.
This removes the introduced dependency on Guard from core. It also allows an
easier migration path, as the complete Guard subcomponent can now be deprecated
later in the 5.x life.
This is an iteration on the AuthenticatorInterface of the Guard, to allow more
flexibility so it can be used as a real replaced of the authentication
providers and listeners.
