This PR was squashed before being merged into the 2.7 branch (closes#20307).
Discussion
----------
[Form] Fix Date\TimeType marked as invalid on request with single_text and zero seconds
| Q | A |
| --- | --- |
| Branch? | 2.7 |
| Bug fix? | yes |
| New feature? | no |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | 20304 |
| License | MIT |
| Doc PR | |
Fix: When using a form with an Time type with option 'widget' => 'single_text', and 0 is selected in the seconds, we obtain an TransformationFailedException "Unable to reverse value for property path "[time]": Data missing". Check ticket #20304
Commits
-------
bcb03e0 [Form] Fix Date\TimeType marked as invalid on request with single_text and zero seconds
This PR was squashed before being merged into the 2.7 branch (closes#19373).
Discussion
----------
[Form] Skip CSRF validation on form when POST max size is exceeded
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #19140
| License | MIT
| Doc PR | N/A
In #19140 the CSRF validation listener was not aware that the POST max size had exceeded, and was adding a form error message that wasn't relevant to the actual error.
This introduces the `ServerParams` utility class into the `CsrfValidationListener` and checks that the POST max size has not been exceeded. If it has then it won't bother trying to validate the CSRF token.
My main concern with this change is that it opens up an attack vector around tokens, but I've encapsulated the request size validation in a single method in `ServerParams` now so that the request handlers are using the same logic.
Commits
-------
289531f [Form] Skip CSRF validation on form when POST max size is exceeded
This PR was merged into the 2.7 branch.
Discussion
----------
removed dots at the end of @param and @return
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
For phpdocs, we only add dots for sentences like description, but not for @param and @return for instance. This PR fixes this issue.
This should probably be added to PHP-CS-Fixer as well (/cc @phansys @keradus).
Commits
-------
554303e removed dots at the end of @param and @return
This PR was merged into the 2.7 branch.
Discussion
----------
[Form] Consider a violation even if the form is not submitted
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | yes (only for the behavior)
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11493
| License | MIT
| Doc PR |
Hey!
I'm currently implementing an API using the form component in order to validate the payload sent (in conjonction with the FOSRestBundle). Unfortunatelly, we dig into an issue about the PATCH request which don't map some of our validation rules to the form. Basically, the violations are lost in the middle of the process.
### Use case
We have an entity with the following fields "type", "image" & "video". The field "type"can be either "default", "image" or "video" and then accordingly we use the appropriate field (none for the "default" type, video for the "video" type and image for the "image" type. Then, in our form, we change the validation groups according to our entity type in order to make the "image" field mandatory if the type is "image" and the same for the video field if the type is "video".
### Current behavior
The current behavior (since 2.5) seems to not propages a violation to a form if this form is not submitted but in our use case, changing the field "type" via a PATCH request triggers some new validation which should be reported to end user (inform that a field (video or image) is missing in the PATCH request).
### Expected behavior
The current behavior was introduced in #10567 but IMO, this update is a bug as suggested by @webmozart in https://github.com/symfony/symfony/issues/11493#issuecomment-59549054 Instead, the form component should still map validation errors to the form even if the field was not submitted. If the initial data is not valid, then your initial data was buggy from the beginning but the form should not accept it and instead of silently ignoring the errors, end users should be informed and fix it.
WDYT?
Commits
-------
c483a0f [Form] Consider a violation even if the form is not submitted
* 2.3:
updated VERSION for 2.3.42
update CONTRIBUTORS for 2.3.42
updated CHANGELOG for 2.3.42
Revert "bug #18908 [DependencyInjection] force enabling the external XML entity loaders (xabbuh)"
Partial revert of previous PR
[DependencyInjection] Skip deep reference check for 'service_container'
Catch \Throwable
[Serializer] Add missing @throws annotations
Fix for #18843
force enabling the external XML entity loaders
Removed UTC specification with timestamp
* 2.3:
Update HTTP statuses list
[Console][#18619] Prevent fatal error when calling Command#getHelper() without helperSet
Add SplFileInfo array doc on Finder iterator methods so that IDE will know what it returns
[2.3] [Form] Modified iterator_to_array's 2nd parameter to false in ViolationMapper
Updated the link to the list of currency codes
fixes#14712 and #17789.
`ChoiceType` now always use `ChoiceToValueTransformer` or
`ChoicesToValuesTransformer` depending on `multiple` option.
Hence `CheckboxListMapper` and `RadioListMapper` don’t handle
the transformation anymore.
Fixes pre selection of choice with model values such as `null`,
`false` or empty string.
* 2.3:
[HttpFoundation] Improve phpdoc
[Logging] Add support for firefox in ChromePhpHandler
[Security] Fixed SwitchUserListener when exiting an impersonication with AnonymousToken
[Form] fix "prototype" not required when parent form is not required
* 2.3:
[Form] NumberToLocalizedStringTransformer should return floats when possible
[DependencyInjection] Enabled alias for service_container
Conflicts:
src/Symfony/Component/DependencyInjection/Tests/Compiler/ReplaceAliasByActualDefinitionPassTest.php
* 2.3:
[ci] Get ICU/intl from github instead of nebm.ist.utl.pt/~glopes
[Debug] Fix handling of php7 throwables
[Process] remove dead code
[ClassLoader] Fix storing not-found classes in APC cache
[Form] cs fixes in date types
`ChoiceListFactoryInterface` expected `$group_by` to be a callable or
null not an array.
The factory defaults `group_by` to
`ChoiceListInterface::getStructuredValues`.
* 2.3:
Improved the PHPdoc of FileSystem::copy()
[Validator] Test DNS Email constraints using checkdnsrr() mock
[travis] Run real php subprocesses on hhvm for Process component tests
bug #18161 [Translation] Add support for fuzzy tags in PoFileLoader
[Form] Fix NumberToLocalizedStringTransformer::reverseTransform with big integers
[Form] Fix INT64 cast to float in IntegerType.
[SecurityBundle][PHPDoc] Added method doumentation for SecurityFactoryInterface
FrameworkBundle: Client: getContainer(): fixed phpdoc
[Validator] Updating inaccurate docblock comment
Conflicts:
.travis.yml
src/Symfony/Component/Validator/Tests/Constraints/EmailValidatorTest.php
This PR was squashed before being merged into the 2.7 branch (closes#16886).
Discussion
----------
[Form] [ChoiceType] Prefer placeholder to empty_value
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #16885
| License | MIT
| Doc PR | -
Prefer an explicitly set `placeholder` option (i.e. `false` or a non-empty
string) to an `empty_value` option when both are set.
The fix is to change the behaviour in the placeholder normalizer in
ChoiceType::configureOptions so that the value of the `empty_value` option is
used for placeholder only when the value of `placeholder` is null or an empty
string.
Commits
-------
a4d4c8a [Form] [ChoiceType] Prefer placeholder to empty_value
This PR was merged into the 2.7 branch.
Discussion
----------
[2.7] [Form] fix choice value "false" in ChoiceType
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #17292, #14712, #17789
| License | MIT
| Doc PR | -
- [x] Add tests for choices with `boolean` and `null` values, and with a placeholder
- [x] Fix FQCN in 2.8 tests, see #17759
- [x] Remove `choices_as_values` in 3.0 tests, see #17886
Commits
-------
8f918e5 [Form] refactor `RadioListMapper::mapDataToForm()`
3eac469 [Form] fix choice value "false" in ChoiceType
This PR was merged into the 2.7 branch.
Discussion
----------
[Form] Fix choice placeholder edge cases
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Fixing several problems with choice placeholder that enhances #9030 for more edge cases:
- A choice with an empty value manually added in the choices array should only be considered a placeholder when it is the first element in the final choice select.
This is part of the HTML spec and how browsers also behave. If you select a choice with an empty value that is not the first option, it will still pass the "required" check
and thus submit the empty value. So it's not a placeholder.
If in the example below you move the empty option to the first place, the browsers will error on submit that you
must select a value. So only then it is a placeholder to show as initial value.
```html
<select id="form_timezone" name="form[timezone]" required="required">
<option value="Africa/Abidjan">Abidjan</option>
<option value="">Empty</option>
</select>
```
Also the validator https://validator.w3.org/nu/ will mark the above code as error:
> The first child option element of a select element with a required attribute, and without a multiple attribute, and without a size attribute whose value is greater than 1, must have either an empty value attribute, or must have no text content. Consider either adding a placeholder option label, or adding a size attribute with a value equal to the number of option elements.
This is fixed by replacing`0 !== count($choiceList->getChoicesForValues(array('')))` with `$view->vars['placeholder_in_choices'] = $choiceListView->hasPlaceholder()`.
Which means, the required attribute is removed automatically because the select form element is required implicitly anyway due to the nature of the choice UI.
- As the above quote mentions, the `size` attribute also has impact. Namely for a select with size > 1 it can be possible to have a required attribute even without placeholder.
This is because when the size > 1, there is no default choice selected (similar to select with "multiple").
- A placeholder for required radio buttons or a select with size > 1 does not make sense as it would just be fake data that can be submitted (similar to the ignored placeholder for multi-select and checkboxes).
Commits
-------
0efbc30 [Form] fix edge cases with choice placeholder
* 2.3:
[DependencyInjection] fix dumped YAML snytax
Remove InputOption::VALUE_REQUIRED mode from $default parameter description as InputOption::setDefault() throws an exception only when called in InputOption::VALUE_NONE mode. In practice the $default value could still be accessed in InputOption::VALUE_REQUIRED mode in case InputOption was never set but accessed from InputDefinition::getOption() method
[Form] Fixed violation mapping if multiple forms are using the same (or part of the same) property path
[TwigBridge] Symfony 3.1 forward compatibility
This PR was squashed before being merged into the 2.3 branch (closes#17099).
Discussion
----------
[Form] Fixed violation mapping if multiple forms are using the same (or part of the same) property path
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #5656
| License | MIT
| Doc PR |
Commits
-------
f005c80 [Form] Fixed violation mapping if multiple forms are using the same (or part of the same) property path
