This PR was squashed before being merged into the 2.7 branch (closes#24605).
Discussion
----------
[FrameworkBundle] Do not load property_access.xml if the component isn't installed
| Q | A
| ------------- | ---
| Branch? | 2.7 <!-- see comment below -->
| Bug fix? | yes
| New feature? | no <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md files -->
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/pull/24563#issuecomment-337549147 <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | N/A
This PR actually aims to fix https://github.com/symfony/symfony/pull/24563#issuecomment-337549147 as the exception introduced in the PR can't be reached anyway when using the FrameworkBundle without the property access component as you'll get:
> Uncaught Symfony\Component\Debug\Exception\ClassNotFoundException: Attempted to load class "PropertyAccessor" from namespace "Symfony\Component\PropertyAccess".
With this fix, you properly get:
> The ObjectNormalizer class requires the "PropertyAccess" component. Install "symfony/property-access" to use it.
Not sure this change really belongs to a patch release, but the original PR was accepted in the 2.7 branch.
Also, I'd rather remove the ObjectNormalizer definition if the component isn't available, as suggested by @xabbuh (https://github.com/symfony/symfony/pull/24563#issuecomment-336795644). But in 2.7, this is the only normalizer registered by default and the [`SerializerPass` throws an exception if no normalizer is registered.](https://github.com/symfony/symfony/blob/2.7/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/SerializerPass.php#L46)
To sum up, either:
1. we completly prevent using the FrameworkBundle and the serializer without the property access component, even if you don't really care about the ObjectNormalizer because you only use your owns specific ones. (and you'll get the exception hinting to install the property access component)
2. we allow using the FrameworkBundle and the serializer without the property access component, so we remove the ObjectNormalizer definition, but the user'll get a `You must tag at least one service as "serializer.normalizer" to use the Serializer service` exception until he configures a normalizer (and we don't get the hint about installing the property access component to enable the ObjectNormalizer. We already have a suggest entry in the composer.json file, though).
To me option 2 looks better. WDYT?
Commits
-------
d297e27600 [FrameworkBundle] Do not load property_access.xml if the component isn't installed
* 3.4:
Ensure DeprecationErrorHandler::collectDeprecations() is triggered
Config: mark builder property deprecated
fix CachePoolPrunerPass to use correct command service id
[TwigBridge] Re-add Bootstrap 3 Checkbox Layout
[FrameworkBundle] Allow to disable assets via framework:assets xml configuration
fixed $_ENV/$_SERVER precedence in test framework
[HttpFoundation] Fix FileBag issue with associative arrays
[DI] Throw when a service name or an alias contains dynamic values (prevent an infinite loop)
[HttpFoundation] Fix caching of session-enabled pages
[Guard] remove invalid deprecation notice
fix the phpdoc that is not really inherited from response
Minor docblock cleanup
Remove redundant sprintf arguments.
* 3.3:
Ensure DeprecationErrorHandler::collectDeprecations() is triggered
[FrameworkBundle] Allow to disable assets via framework:assets xml configuration
fixed $_ENV/$_SERVER precedence in test framework
[HttpFoundation] Fix FileBag issue with associative arrays
[DI] Throw when a service name or an alias contains dynamic values (prevent an infinite loop)
fix the phpdoc that is not really inherited from response
Minor docblock cleanup
Remove redundant sprintf arguments.
* 2.8:
[HttpFoundation] Fix FileBag issue with associative arrays
fix the phpdoc that is not really inherited from response
Minor docblock cleanup
Remove redundant sprintf arguments.
* 2.7:
[HttpFoundation] Fix FileBag issue with associative arrays
fix the phpdoc that is not really inherited from response
Minor docblock cleanup
Remove redundant sprintf arguments.
This PR was squashed before being merged into the 3.4 branch (closes#24620).
Discussion
----------
[FrameworkBundle][Workflow] Fix deprectation when checking workflow.registry service in dump command
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md files -->
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
This PR will declare `workflow.registry` as a public service to avoid deprecation when `WorkflowDumpCommand` checks its existence. It only concerns 3.4 since this `isEnabled` method will be removed in 4.0.
Commits
-------
9e75847090 [FrameworkBundle][Workflow] Fix deprectation when checking workflow.registry service in dump command
* 3.4: (26 commits)
[Routing] Fix resource miss
[Security] Fixed auth provider authenticate() cannot return void
[FrameworkBundle][Serializer] Move DateIntervalNormalizer definition to xml
declare argument type
Improving annotation loader message
[FrameworkBundle][Serializer] Move normalizer/encoders definitions to xml file & remove unnecessary checks
Update UPGRADE-4.0.md
streamed response should return $this
$isClientIpsVali is not used
[WebServerBundle] Prevent commands from being registered by convention
content can be a resource
Adding the Form default theme files to be warmed up in Twig's cache
Remove BC Break label from `NullDumper` class
Username and password in basic auth are allowed to contain '.'
Remove obsolete PHPDoc from UriSigner
[Serializer] YamlEncoder: throw if the Yaml component isn't installed
[Serializer] ObjectNormalizer: throw if PropertyAccess isn't installed
[PropertyInfo] Add support for the iterable type
pdo session fix
Fixed pathinfo calculation for requests starting with a question mark. - fix bad conflict resolving issue - port symfony/symfony#21968 to 3.3+
...
* 3.3: (22 commits)
[Routing] Fix resource miss
[Security] Fixed auth provider authenticate() cannot return void
declare argument type
[FrameworkBundle][Serializer] Move normalizer/encoders definitions to xml file & remove unnecessary checks
streamed response should return $this
$isClientIpsVali is not used
content can be a resource
Adding the Form default theme files to be warmed up in Twig's cache
Remove BC Break label from `NullDumper` class
Username and password in basic auth are allowed to contain '.'
Remove obsolete PHPDoc from UriSigner
[Serializer] YamlEncoder: throw if the Yaml component isn't installed
[Serializer] ObjectNormalizer: throw if PropertyAccess isn't installed
[PropertyInfo] Add support for the iterable type
pdo session fix
Fixed pathinfo calculation for requests starting with a question mark. - fix bad conflict resolving issue - port symfony/symfony#21968 to 3.3+
Fixed unsetting from loosely equal keys OrderedHashMap
add DOMElement as return type in Crawler::getIterator to support foreach support in ide
Fixed mistake in exception expectation
[Debug] Fix same vendor detection in class loader
...
* 2.8:
[Routing] Fix resource miss
[Security] Fixed auth provider authenticate() cannot return void
declare argument type
streamed response should return $this
content can be a resource
Adding the Form default theme files to be warmed up in Twig's cache
* 3.4:
bumped Symfony version to 3.4.0
updated VERSION for 3.4.0-BETA1
updated CHANGELOG for 3.4.0-BETA1
Do not process bindings in AbstractRecursivePass
don't bind scalar values to controller method arguments
Add extra autowiring aliases
adding AdapterInterface alias for cache.app
Adding a new debug:autowiring command
[HttpFoundation] Make sessions secure and lazy
[Routing] Ensure uniqueness without repeated check
[Console] Sync ConsoleLogger::interpolate with the one in HttpKernel
This PR was merged into the 3.4 branch.
Discussion
----------
adding AdapterInterface alias for cache.app
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no-ish
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | TODO
I'd like to add this alias for autowiring. If only `CacheItemPoolInterface` is available, then it's a bit weird to use the extra Symfony cache features (e.g. tagging), as I'm calling methods on the `CacheItemPoolInterface` that don't exist. I'd rather type-hint `AdapterInterface` and confidently call those (+ get auto-complete).
Commits
-------
454f65a77d adding AdapterInterface alias for cache.app
This PR was merged into the 3.4 branch.
Discussion
----------
[HttpFoundation] Make sessions secure and lazy
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | not yet
| Fixed tickets | #6388, #6036, #12375, #12325
| License | MIT
| Doc PR | -
The `SessionUpdateTimestampHandlerInterface` (new to PHP 7.0) is mostly undocumented, and just not implemented anywhere. Yet, it's required to implement session fixation preventions and lazy write in userland session handlers (there is https://wiki.php.net/rfc/session-read_only-lazy_write which describes the behavior.)
By implementing it, we would make Symfony session handling much better and stronger. Meanwhile, doing some cookie headers management, this also gives the opportunity to fix the "don't start if session is only read issue".
So, here we are for the general idea. Now needs more (and green) tests, and review of course.
Commits
-------
347939c9b3 [HttpFoundation] Make sessions secure and lazy
* 3.4:
fix merge
fix merge
[FORM] Prevent forms from extending itself as a parent
fix merge
Fix 7.2 compat layer
[DI] Prefixed env vars and load time inlining are incompatible
bug #24499 [Bridge\PhpUnit] Fix infinite loop when running isolated method (bis) (nicolas-grekas)
Fix PHP 7.2 support
[HttpFoundation] Add missing session.lazy_write config option
[DI] Exclude inline services declared in XML from autowiring candidates
[HttpFoundation] Combine Cache-Control headers
[Form] fix parsing invalid floating point numbers
Escape command usage when displaying it in the text descriptor
[DI] Throw accurate failures when accessing removed services
[DI] Turn private defs to non-public ones before removing passes
Use for=ID on radio/checkbox label.
* the `phpdocumentor/type-resolver` package was not PHP 7.2 compatible
before release 0.2.1 (see see phpDocumentor/TypeResolver@e224fb2)
* the validator must not call `get_class()` if no object but a class
name was passed to the `validatePropertyValue()` method
* 2.8:
fix merge
Fix 7.2 compat layer
Fix PHP 7.2 support
[HttpFoundation] Add missing session.lazy_write config option
[HttpFoundation] Combine Cache-Control headers
[Form] fix parsing invalid floating point numbers
Escape command usage when displaying it in the text descriptor
Use for=ID on radio/checkbox label.
* 2.7:
Fix 7.2 compat layer
Fix PHP 7.2 support
[HttpFoundation] Add missing session.lazy_write config option
[HttpFoundation] Combine Cache-Control headers
[Form] fix parsing invalid floating point numbers
Escape command usage when displaying it in the text descriptor
Use for=ID on radio/checkbox label.
* 3.4:
Clarify the exceptions are going to be rendered just after
[DI] Remove colon from env placeholders
fixed CS
[Yaml] initialize inline line numbers
[Workflow] Added tests for the is_valid() guard expression
[Workflow] Added guard 'is_valid()' method support
Add & use OptionResolverIntrospector
Add debug:form type option
This PR was merged into the 3.4 branch.
Discussion
----------
[Workflow] add guard is_valid() method support
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | Yes
| License | MIT
Workflow guard configuration support expression language like **is_fully_authenticated()**, **has_role()** or **is_granted()**, etc...
I would like to add the support for a new **is_valid()** expression.
Configuration allow to validate subject against specific validation groups to check if a transition can be applied.
In the next configuration exemple, my issue must validate "affectable" validation group to apply "affect" transistion:
```yaml
framework:
workflows:
issue:
marking_store:
type: single_state
arguments:
- state
supports: AppBundle\Entity\Issue
initial_place: created
places:
- created
- affected
- closed
transitions:
affect:
guard: "is_valid(subject, ['affectable'])"
from: created
to: affected
close:
from: completed
to: closed
```
Commits
-------
06d8198714 [Workflow] Added tests for the is_valid() guard expression
9499bc291c [Workflow] Added guard 'is_valid()' method support
* 3.4: (26 commits)
bumped Symfony version to 3.3.11
updated VERSION for 3.3.10
updated CHANGELOG for 3.3.10
bumped Symfony version to 2.8.29
updated VERSION for 2.8.28
updated CHANGELOG for 2.8.28
bumped Symfony version to 2.7.36
updated VERSION for 2.7.35
update CONTRIBUTORS for 2.7.35
updated CHANGELOG for 2.7.35
Added deprecation to cwd not existing Fixes#18249
[Session] fix MongoDb session handler to gc all expired sessions
Add changelog for deprecated DbalSessionHandler
[Security] Look at headers for switch user username parameter
Updated Test name and exception name to be more accurate
newline at end of file
changed exception message
Ahh, I see. It actually wants a newline!
Removed newline
Created new Exception to throw and modified tests.
...
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Look at headers for switch_user username
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #24260
| License | MIT
| Doc PR | n/a
Allowing `switch_user.parameter` config node to be a header name.
It's supported by SwitchUserStatelessBundle and I think it makes sense.
Forgotten in #24260 so targets 3.4 but not a blocker.
Commits
-------
3c801951c8 [Security] Look at headers for switch user username parameter
* 3.4:
[Bridge\Doctrine][FrameworkBundle] Deprecate some remaining uses of ContainerAwareTrait
[FrameworkBundle] Fix bad interface hint in AbstractController
[VarDumper] deprecate MongoCaster
[HttpFoundation] deprecate using with the legacy mongo extension; use it with the mongodb/mongodb package and ext-mongodb instead
Fix BC layer
Reset profiler.
[DI] Improve some deprecation messages
[DI] remove inheritdoc from dumped container
[Config] Fix dumped files invalidation by OPCache
[Security] Add Guard authenticator <supports> method
[Cache] Fix race condition in TagAwareAdapter
[DI] Allow setting any public non-initialized services
[Yaml] parse references on merge keys
treat trailing backslashes in multi-line strings
[FrameworkBundle] Expose dotenv in bin/console about
fix refreshing line numbers for the inline parser
fix version in changelog
[FrameworkBundle] Make Controller helpers final
[DoctrineBridge] Deprecate DbalSessionHandler
* 3.3:
[FrameworkBundle] Fix bad interface hint in AbstractController
[DI] Improve some deprecation messages
[Cache] Fix race condition in TagAwareAdapter
[Yaml] parse references on merge keys
treat trailing backslashes in multi-line strings
This PR was merged into the 3.4 branch.
Discussion
----------
[Bridge\Doctrine][FrameworkBundle] Deprecate some remaining uses of ContainerAwareTrait
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
With this PR, the last two remaining uses of ContainerAwareTrait will be `Symfony\Component\HttpKernel\Bundle\Bundle` and `Symfony\Bundle\FrameworkBundle\Controller\Controller`.
For Bundle, I think it's legitimate, for Controller, I think it's not, but that we should wait for 4.1 before considering its deprecation, alongside with `ContainerAwareCommand` (maybe).
Commits
-------
df9c8748e3 [Bridge\Doctrine][FrameworkBundle] Deprecate some remaining uses of ContainerAwareTrait
This PR was merged into the 3.4 branch.
Discussion
----------
[FrameworkBundle] Make Controller helpers final
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
I propose to make all ControllerTrait methods final so we can add type hints.
I also propose to add ControllerTrait::has/get so that AbstractController also has the methods.
This will help move from Controller to AbstractController.
Commits
-------
bbc52a1d14 [FrameworkBundle] Make Controller helpers final
* 3.4: (33 commits)
Remove remaining `@experimental` annotations
Tests and fix for issue in array model data in EntityType field with multiple=true
[Validator] Add unique entity violation cause
[Lock] Automaticaly release lock when user forget it
[Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible
fixed CS
[FrameworkBundle] Don't clear app pools on cache:clear
Hide label button when its setted to false
removed useless PHPDoc
[HttpFoundation] Return instance in StreamedResponse
[Form] Fix FormInterface::submit() annotation
[PHPUnitBridge] don't remove when set to empty string
PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
HttpCache does not consider ESI resources in HEAD requests
Fix translation for "This field was not expected"
[Routing] Enhance Route(Collection) docblocks
Added improvement for accuracy in MoneyToLocalizedStringTransformer.
Removed unused private property
Use correct verb form in the pull request template
Use PHP_MAXPATHLEN in Filesystem.
...
* 3.3: (23 commits)
Tests and fix for issue in array model data in EntityType field with multiple=true
[Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible
removed useless PHPDoc
[Form] Fix FormInterface::submit() annotation
[PHPUnitBridge] don't remove when set to empty string
PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
HttpCache does not consider ESI resources in HEAD requests
Fix translation for "This field was not expected"
[Routing] Enhance Route(Collection) docblocks
Added improvement for accuracy in MoneyToLocalizedStringTransformer.
Removed unused private property
Use correct verb form in the pull request template
Use PHP_MAXPATHLEN in Filesystem.
Added null as explicit return type (?TokenInterface)
[FrameworkBundle] Fix Routing\DelegatingLoader
Render all line breaks according to the exception message
[Form] Fix phpdoc
[DI] remove confusing code
[Form] Fixed GroupSequence with "constraints" option
[Validator] Clarify UUID validator behavior
...
* 2.8: (22 commits)
Tests and fix for issue in array model data in EntityType field with multiple=true
[Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible
removed useless PHPDoc
[Form] Fix FormInterface::submit() annotation
PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
HttpCache does not consider ESI resources in HEAD requests
Fix translation for "This field was not expected"
[Routing] Enhance Route(Collection) docblocks
Added improvement for accuracy in MoneyToLocalizedStringTransformer.
Removed unused private property
Use correct verb form in the pull request template
Use PHP_MAXPATHLEN in Filesystem.
Added null as explicit return type (?TokenInterface)
[FrameworkBundle] Fix Routing\DelegatingLoader
Render all line breaks according to the exception message
[Form] Fix phpdoc
[DI] remove confusing code
[Form] Fixed GroupSequence with "constraints" option
[Validator] Clarify UUID validator behavior
[Filesystem] Fixed makePathRelative
...
* 2.7: (22 commits)
Tests and fix for issue in array model data in EntityType field with multiple=true
[Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible
removed useless PHPDoc
[Form] Fix FormInterface::submit() annotation
PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
HttpCache does not consider ESI resources in HEAD requests
Fix translation for "This field was not expected"
[Routing] Enhance Route(Collection) docblocks
Added improvement for accuracy in MoneyToLocalizedStringTransformer.
Removed unused private property
Use correct verb form in the pull request template
Use PHP_MAXPATHLEN in Filesystem.
Added null as explicit return type (?TokenInterface)
[FrameworkBundle] Fix Routing\DelegatingLoader
Render all line breaks according to the exception message
[Form] Fix phpdoc
[DI] remove confusing code
[Form] Fixed GroupSequence with "constraints" option
[Validator] Clarify UUID validator behavior
[Filesystem] Fixed makePathRelative
...
This PR was merged into the 3.4 branch.
Discussion
----------
[FrameworkBundle] Don't clear app pools on cache:clear
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no, but behavior change
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #23685
| License | MIT
| Doc PR | -
The cache:clear command currently clears all cache pools by default.
This is not expected and is a bad default behavior (as explained in linked issue).
If we don't want to have that behavior forever, I see no other option than just doing the change, as done here, targeting 3.4.
Commits
-------
b0c04f8354 [FrameworkBundle] Don't clear app pools on cache:clear
* 3.4:
[FrameworkBundle] Register a NullLogger from test kernels
[SecurityBundle] Deprecate auto picking the first provider
[Security] Add user impersonation support for stateless authentication
This PR was merged into the 3.4 branch.
Discussion
----------
[FrameworkBundle] Register a NullLogger from test kernels
| Q | A
| ------------- | ---
| Branch? | 3.4 <!-- see comment below -->
| Bug fix? | no
| New feature? | no <!-- don't forget updating src/**/CHANGELOG.md files -->
| BC breaks? | no
| Deprecations? | no <!-- don't forget updating UPGRADE-*.md files -->
| Tests pass? | yes
| Fixed tickets | N/A <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | N/A
Relates to #24300
This will avoid unnecessary output on Travis or when running FrameworkBundle tests locally:
- before: https://travis-ci.org/symfony/symfony/jobs/281624658#L3594-L3635
- after: https://travis-ci.org/symfony/symfony/jobs/281643868#L3599-L3617
but also needed for anyone running functional tests on their project and using the default logger, in order to not get garbage output.
Do we need to find a more generic solution (like exposing a `framework.default_logger` option so users can set it to false for test)? Or just documenting this?
Commits
-------
c109dcd5ae [FrameworkBundle] Register a NullLogger from test kernels
This PR was merged into the 3.4 branch.
Discussion
----------
[SecurityBundle] Deprecate auto picking the first provider
when no provider is explicitly configured on a firewall
| Q | A
| ------------- | ---
| Branch? | 3.4 <!-- see comment below -->
| Bug fix? | no
| New feature? | no <!-- don't forget updating src/**/CHANGELOG.md files -->
| BC breaks? | no
| Deprecations? | yes <!-- don't forget updating UPGRADE-*.md files -->
| Tests pass? | yes
| Fixed tickets | https://symfony-devs.slack.com/archives/C3A2XAQ20/p1506626210000345 <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | N/A
From @Pierstoval on Slack:
> Hey, guys, I learnt a few days ago that if you don't specify a user provider in a firewall configuration, the security will use the first one in the list. Don't anyone think specifying the user provider should be mandatory ? Or at least mandatory if we have more than one provider registered?
- [x] UPGRADE files
- [x] CHANGELOG
- [x] Fix other tests
- [x] Removal PR #24380
Commits
-------
2d1e3347a6 [SecurityBundle] Deprecate auto picking the first provider
This PR was squashed before being merged into the 3.4 branch (closes#24300).
Discussion
----------
[HttpKernel][FrameworkBundle] Add a minimalist default PSR-3 logger
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes <!-- don't forget updating src/**/CHANGELOG.md files -->
| BC breaks? | no
| Deprecations? | no <!-- don't forget updating UPGRADE-*.md files -->
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
This PR provides a minimalist PSR-3 logger that is always available when FrameworkBundle is installed.
By default, it writes errors on `stderr`, regular logs on `stdout` and discards debug data (this is configurable).
This approach has several benefits:
- It's what expect from an app logging systems of major containerization and orchestration tools including [Docker](https://docs.docker.com/engine/admin/logging/view_container_logs/) and [Kubernetes](https://kubernetes.io/docs/concepts/cluster-administration/logging/), as well as most cloud providers such as [Heroku](https://devcenter.heroku.com/articles/logging#writing-to-your-log) and [Google Container Engine](https://kubernetes.io/docs/tasks/debug-application-cluster/logging-stackdriver/). If the app follows this standard (and it's not currently the case with Symfony by default) logs will be automatically collected, aggregated and stored.
- It's in sync with the "back to Unix roots" philosophy of Flex
- Logs are directly displayed in the console when running the integrated PHP web server (`bin/console server:start` or Flex's `make serve`), Create React App also do that for instance.
- It fixes a common problem when installing Flex recipes: many bundles expect a logger service but currently there is none available by default, and you usually get a `"logger" service not found error` (because packages depend of the PSR, but the PSR doesn't provide a logger service).
Commits
-------
9a06513ec7 [HttpKernel][FrameworkBundle] Add a minimalist default PSR-3 logger
* 3.4:
Argon2i Password Encoder
[DI] EnvVarProcessorInterface: fix missing use
[FrameworkBundle] Use PhpExtractor from Translation
[DowCrawler] Default to UTF-8 when possible
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Argon2i Password Encoder
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | WIP
Since the [libsodium RFC](https://wiki.php.net/rfc/libsodium) passed with flying colours, I'd like to kick start a discussion about adding Argon2i as a password encoder to the security component. The initial code proposal in this PR supports both the upcoming public API confirmed for PHP 7.2, and the [libsodium PECL extension](https://pecl.php.net/package/libsodium) for those below 7.2 (available for PHP 5.4+).
#### Concerns
- Should the test cover hash length? At the moment the result of Argon2i is 96 characters, but because the hashing parameters are included in the result (`$argon2i$v=19$m=32768,t=4,p=1$...`) this is not guaranteed.
- I've used one password encoder class because the result *should* be the same whether running natively in 7.2 or from the PECL extension, but should the logic be split out into separate private methods (like `Argon2iPasswordEncoder::encodePassword()`) or not (like in `Argon2iPasswordEncoder::isPasswordValid()`)? Since I can't really find anything concrete on Symfony choosing one way over another I'm assuming it's down to personal preference?
#### The Future
Whilst the libsodium RFC has been approved and the public API confirmed, there has been no confirmation of Argon2i becoming an official algorithm for `passhword_hash()`. If that is confirmed, then the implementation should *absolutely* use the native `password_*` functions since the `sodium_*` functions do not have an equivalent to the `password_needs_rehash()` function.
Any feedback would be greatly appreciated 😃
Commits
-------
be093dd79a Argon2i Password Encoder
Add the Argon2i hashing algorithm provided by libsodium as a core encoder in the Security component, and enable it in the SecurityBundle.
Credit to @chalasr for help with unit tests.
* 3.4:
Moved PhpExtractor and PhpStringTokenParser to Translation component
[Asset] Provide default context
[HttpKernel] Deprecate some compiler passes in favor of tagged iterator args
Add exclusive Twig namespace for bundles path
Share connection factories between cache and lock
This PR was merged into the 3.4 branch.
Discussion
----------
[TwigBundle] Improve the overriding of bundle templates
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #17557
| License | MIT
| Doc PR | -
### [Overriding a Template that also extends itself](https://twig.symfony.com/doc/2.x/recipes.html#overriding-a-template-that-also-extends-itself)
Now that bundles inheritance is deprecated and removed (#24160, #24161), I'm wondering if we can solve this old issue defining an exclusive namespace only for root bundles in `3.4` just bundles in `4.0`:
```yaml
twig:
paths:
# adding paths behind the scene into TwigExtension
app/Resources/FooBundle/views: Foo
vendor/acme/foo-bundle/Resources/views: Foo
vendor/acme/foo-bundle/Resources/views: !Foo # exclusive
```
Thus, one can decide when use the exclusive namespace to avoid the issue and then [we could to say also](http://symfony.com/doc/current/templating/overriding.html):
> To override the bundle template partially (which contains `block`) creates a new `index.html.twig` template in `app/Resources/AcmeBlogBundle/views/Blog/index.html.twig` and extends from `@!AcmeBlogBundle/Blog/index.html.twig` to customize the bundle template:
```twig
{# app/Resources/FooBundle/views/layout.html.twig #}
{# this does not work: circular reference to itself #}
{% extends '@Foo/layout.html.twig' %}
{# this will work: load bundle layout template #}
{% extends '@!Foo/layout.html.twig' %}
{% block title 'New title' %}
```
I hear other suggestions about the excluse namespace.
We will need to update http://symfony.com/doc/current/templating.html#referencing-templates-in-a-bundle too to add this convention.
WDYT?
Commits
-------
0a658c6eef Add exclusive Twig namespace for bundles path
This PR was merged into the 3.4 branch.
Discussion
----------
[HttpKernel] Deprecate some compiler passes in favor of tagged iterator args
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
More code that we can drop :)
Commits
-------
fa62e5068e [HttpKernel] Deprecate some compiler passes in favor of tagged iterator args
This PR was merged into the 3.4 branch.
Discussion
----------
[Lock] Use cache connection factories in lock
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no (feature removal)
| BC breaks? | no (if merged in 3.4)
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
An alternative to https://github.com/symfony/symfony/pull/24267 to share code between cache and lock.
Commits
-------
95358ac98f Share connection factories between cache and lock
This PR was squashed before being merged into the 3.4 branch (closes#21027).
Discussion
----------
[Asset] Provide default context
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #19396
| License | MIT
| Doc PR | should be noted somewhere, ill create an issue
Allows configuring the default asset context to make things works on CLI for example. Same approach as the routing component.
Introduces
```yaml
# parameters.yml
asset.request_context.base_path: '/base/path'
asset.request_context.secure: false
```
Commits
-------
9137d57ecd [Asset] Provide default context
This PR was squashed before being merged into the 3.4 branch (closes#24337).
Discussion
----------
Adding a shortcuts for the main security functionality
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | none
| License | MIT
| Doc PR | Big ol' TODO
I'd like one class that I can inject (especially with autowiring) to get access to the User and `isGranted()` methods. This is *really* important... because to get the User currently, you need to type-hint `TokenStorageInterface`... and there are *two*! That's really bad DX!
Questions:
A) I hi-jacked the existing `Security` class... I wanted a simple class called Security
B) I called the service `security.helper`... for lack of a better id.
C) I did not make `Security` implement the 2 other interfaces (`TokenStorageInterface`, `AuthorizationCheckerInterface`... but I suppose we could?)
Cheers!
Commits
-------
0851189 Adding a shortcuts for the main security functionality
This PR was merged into the 3.4 branch.
Discussion
----------
[TwigBundle] register an identity translator as fallback
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/pull/24303#issuecomment-331864529
| License | MIT
| Doc PR |
The Form component can be used without the Translation component.
However, to be able to use the default form themes provided by the
TwigBridge you need to have the `trans` filter to be available.
This change ensure that there will always be a `trans` filter which as
a fallback will just return the message key if no translator is present.
Commits
-------
f0876e5927 register an identity translator as fallback
* 3.4:
[DI] Fix missing use + minor tweaks
[Routing] Enhance PHP DSL traits docblocks
Fix AclSchemaListener deprecation
Set a NullLogger in ApcuAdapter when Apcu is disabled in CLI
Minor reword
[HttpKernel] Make array vs "::" controller definitions consistent
Fix tests
[TwigBundle] Remove profiler related scripting
[TwigBundle][WebProfilerBundle] Switch to DOMContentLoaded event
[WebProfilerBundle] Hide inactive tabs from CSS
[TwigBundle] Make deprecations scream in logs
[TwigBundle] Hide logs if unavailable, i.e. webprofiler
[TwigBundle] Break long lines in exceptions
[WebProfilerBundle] Added missing link to profile token
[DI] Fix decorated service merge in ResolveInstanceofConditionalsPass
Preserve URI fragment in HttpUtils::generateUri()
[PhpUnitBridge] do not require an error context
This PR was merged into the 3.4 branch.
Discussion
----------
[FrameworkBundle] register class metadata factory alias
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #24296
| License | MIT
| Doc PR |
Commits
-------
d0235a00cc register class metadata factory alias
* 3.3:
Set a NullLogger in ApcuAdapter when Apcu is disabled in CLI
Minor reword
[HttpKernel] Make array vs "::" controller definitions consistent
Fix tests
[TwigBundle] Remove profiler related scripting
[TwigBundle][WebProfilerBundle] Switch to DOMContentLoaded event
[WebProfilerBundle] Hide inactive tabs from CSS
[TwigBundle] Make deprecations scream in logs
[TwigBundle] Hide logs if unavailable, i.e. webprofiler
[TwigBundle] Break long lines in exceptions
[WebProfilerBundle] Added missing link to profile token
[DI] Fix decorated service merge in ResolveInstanceofConditionalsPass
Preserve URI fragment in HttpUtils::generateUri()
[PhpUnitBridge] do not require an error context
The Form component can be used without the Translation component.
However, to be able to use the default form themes provided by the
TwigBridge you need to have the `trans` filter to be available.
This change ensure that there will always be a `trans` filter which as
a fallback will just return the message key if no translator is present.
* 3.4:
fixed CS
[Serializer] Add Support for in CustomNormalizer
Remove Validator\TypeTestCase and add validator logic to base TypeTestCase
[Lock] Include lock component in framework bundle
[WebProfilerBundle] Render file links for twig templates
CsvEncoder handling variable structures and custom header order
Saltless Encoder Interface
[Serializer] throw more specific exceptions
# Conflicts:
# src/Symfony/Bundle/FrameworkBundle/composer.json
# src/Symfony/Bundle/SecurityBundle/Command/UserPasswordEncoderCommand.php
# src/Symfony/Component/Serializer/Encoder/XmlEncoder.php
# src/Symfony/Component/Serializer/Normalizer/AbstractNormalizer.php
# src/Symfony/Component/Serializer/Serializer.php
This PR was merged into the 4.0-dev branch.
Discussion
----------
[HttpFoundation] Removed compatibility layer for PHP <5.4 sessions
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | yes
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
This is a follow-up of https://github.com/symfony/symfony/pull/24239. This PR removes the compatibility layer added for sessions for PHP <5.4.
Commits
-------
37d1a212f9 Removed compatibility layer for PHP <5.4 sessions
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Saltless Encoder Interface
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
A new interface for encoders that do not require a user-generated salt (generate their own built-in) as suggested by @stof ([comment](https://github.com/symfony/symfony/pull/21604/files#r101225470)), this will become useful as more password encoders are added in the future (such as symfony/symfony#21604).
Commits
-------
7c4aa0bccb Saltless Encoder Interface
* 3.4:
[PhpUnitBridge] Added a CoverageListener to enhance the code coverage report
Add a method to check if any results were found
[SecurityBundle] Deprecate ACL related code
[FrameworkBundle] Enable assets with templates only if the Asset component is installed
This PR was squashed before being merged into the 3.3 branch (closes#24244).
Discussion
----------
TwigBundle exception/deprecation tweaks
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes/no
| Fixed tickets | #... <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | symfony/symfony-docs#... <!--highly recommended for new features-->
- 1st commit) if you view a exception in the profiler, there is no logger available. Making the tab useless, disabled state is now triggered at zero log messages. There's a specialized panel here.
- 2nd commit) when an exception occurs this highlights deprecations in the log table outside the profiler with a warning status. This follows the same signal colors in the profiler.
- 3rd commit) hide the default inactive tabs from CSS to avoid scrollbar flickering.
- 4th commit) favors document.DOMContentLoaded over window.load, we dont want to wait for images to be loaded
Further out-of-scope improvements could be;
- From https://github.com/symfony/symfony/pull/24191; i think the logs table should show a direct `View file` link for every error/deprecation/red or yellow line in here. Traversing with `Show context` is tedious.
- links to file.php for your trigger_error() calls
- links to config.yml for trigger_error() calls by SF
- From #24151; having the same tooling on both sides is nice
- Events/Translations logs is noise, we have specialized panels for those. To further reduce the overall page size container logs can be moved away too, linked from Configuration and/or Logs. Also see #23247
Commits
-------
1c595fcf48 [TwigBundle][WebProfilerBundle] Switch to DOMContentLoaded event
ea4b0966ab [WebProfilerBundle] Hide inactive tabs from CSS
0c10f97f98 [TwigBundle] Make deprecations scream in logs
03cd9e553b [TwigBundle] Hide logs if unavailable, i.e. webprofiler
This PR was merged into the 3.4 branch.
Discussion
----------
[FrameworkBundle] Enable assets with templates only if the Asset component is installed
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | -
Commits
-------
5bc0b0527e [FrameworkBundle] Enable assets with templates only if the Asset component is installed
This PR was merged into the 3.3 branch.
Discussion
----------
[TwigBundle] Remove profiler related scripting
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #... <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | symfony/symfony-docs#... <!--highly recommended for new features-->
For sanity.
Also in case of an exception page we conflict with the profiler scripting/css.
```
Uncaught TypeError: Cannot set property 'className' of null
```
Happens because `Sfjs.createTabs` from the profiler tries to process tabs again, which twig has already done. The code doesnt handle this gracefully.
In case of ajax request (edgy yes) we see the CSS conflicting;
![image](https://user-images.githubusercontent.com/1047696/30712781-7680c8d2-9f0d-11e7-8a6c-27f460c1e780.png)
Note the table borders. Not sure how and if we want to solve this nor what it might affect otherwise; open for now.
Commits
-------
eb520e1e5b Minor reword
02dcdca014 [TwigBundle] Remove profiler related scripting
This PR was merged into the 3.4 branch.
Discussion
----------
Forward compatibility for the removal of bundle inheritance in 4.0
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Compat layer so that 3.4 and master combinations of framework/twig bundles and http-kernel work together.
Commits
-------
fba7e543d1 added foward compatibility for the removal of bundle inheritance in 4.0
* 3.4:
Passing the newly generated security token to the event during user switching.
Fix changelog and minor tweak for #23485
[Config] extracted the xml parsing from XmlUtils::loadFile into XmlUtils::parse
[Security][SecurityBundle] Deprecate the HTTP digest auth
add ability to configure catching exceptions
Extract method refactoring for ResourceCheckerConfigCache
This PR was squashed before being merged into the 3.4 branch (closes#24239).
Discussion
----------
[HttpFoundation] Deprecate compatibility with PHP <5.4 sessions
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
This PR removes functionality added in Symfony 2.1 as a compatibility layer with sessions from PHP <5.4.
- [x] Fix tests
Commits
-------
3deb3940ab [HttpFoundation] Deprecate compatibility with PHP <5.4 sessions
This PR was squashed before being merged into the 3.4 branch (closes#23882).
Discussion
----------
[Security] Deprecated not being logged out after user change
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | #17023
| License | MIT
| Doc PR | ~
This PR is an alternative approach to #19033. Due to a behavioral change that could break a lot of applications and websites, I've decided to trigger a deprecation instead of actually changing the behavior as that can be done for 4.0.
Whenever a user object is considered changed (`AbstractToken::hasUserChanged`) when setting a new user object after refreshing, it will now throw a deprecation, paving the way for a behavioral change in 4.0. The idea is that in 4.0 Symfony will simply trigger a logout when this case is encountered.
Commits
-------
22f525b [Security] Deprecated not being logged out after user change
* 3.4:
use the parseFile() method of the YAML parser
[Yaml] support parsing files
Adding Definition::addError() and a compiler pass to throw errors as exceptions
[DI] Add AutowireRequiredMethodsPass to fix bindings for `@required` methods
[Cache] Add ResettableInterface to allow resetting any pool's local state
[DI][DX] Throw exception on some ContainerBuilder methods used from extensions
added missing @author tag for new class
allow forms without translations and validator
[VarDumper] Make `dump()` a little bit more easier to use
[Form] Add ambiguous & exception debug:form tests
Reset the authentication token between requests.
[Serializer] Getter for extra attributes in ExtraAttributesException
[DI] Dont use JSON_BIGINT_AS_STRING
# Conflicts:
# src/Symfony/Component/Routing/composer.json
# src/Symfony/Component/Translation/composer.json
# src/Symfony/Component/Yaml/Inline.php
# src/Symfony/Component/Yaml/Tests/ParserTest.php
# src/Symfony/Component/Yaml/Yaml.php
This PR was merged into the 3.4 branch.
Discussion
----------
[Cache] Add ResettableInterface to allow resetting any pool's local state
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
To allow pools to leverage #24155 so that they can be used in multi-request loops.
Commits
-------
14c91f2 [Cache] Add ResettableInterface to allow resetting any pool's local state
* 3.4:
[DI] Turn services and aliases private by default, with BC layer
[WebProfiler] Fix z-index for pinned AJAX block
Require v3.4+ of the var-dumper component
This PR was merged into the 3.4 branch.
Discussion
----------
[DI] Turn services and aliases private by default, with BC layer
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | #20048
| License | MIT
| Doc PR | -
With this PR, all services and aliases are made private by default.
This is done in a BC way, thanks to the layer introduced in #24104.
We will require bundles to explicitly opt-in for "public", either using "defaults", or stating `public="true"` explicitly. Same in DI extension, where calling `->setPublic(true)` will be required in 4.0.
Commits
-------
9948b09 [DI] Turn services and aliases private by default, with BC layer
This PR was merged into the 3.4 branch.
Discussion
----------
[DebugBundle] Fix the var-dumper requirement in composer.json
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
The v3.4 of the debug bundle calls `VarCloner::setMinDepth()` and thus requires v3.4+ of the var-dumper component. However, the composer file has not been updated in 30cd70d.
I upped the var-dumper requirement to `~3.4|~4.0`.
Commits
-------
d761a76 Require v3.4+ of the var-dumper component
This PR was squashed before being merged into the 3.4 branch (closes#23747).
Discussion
----------
[Serializer][FrameworkBundle] Add a DateInterval normalizer
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | https://github.com/symfony/symfony-docs/pull/8267
Could be useful for API needing to submit a duration.
Most code have been adapted from @MisatoTremor's DateInterval form type. Credits to him.
Commits
-------
6185cb1991 [Serializer][FrameworkBundle] Add a DateInterval normalizer