1fc7b86f07
This PR was squashed before being merged into the 5.1-dev branch.
Discussion
----------
[Security] Refactor logout listener to dispatch an event instead
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes (sort of...)
| New feature? | yes
| Deprecations? | yes
| Tickets | Fix #25212, Fix #22473
| License | MIT
| Doc PR | tbd
The current `LogoutListener` has some extension points, but they are not really DX-friendly (ref #25212). It requires hacking an `addMethodCall('addHandler')` in the container builder to register a custom logout handler.
Also, it is impossible to overwrite the default logout functionality from a bundle (ref #22473).
This PR introduces a `LogoutEvent` that replaces both the `LogoutSuccessHandlerInterface` and `LogoutHandlerInterface`. This provides a DX-friendly extension point and also cleans up the authentication factories (no more `addMethodCall()`'s).
In order to allow different logout handlers for different firewalls, I created a specific event dispatcher for each firewall (as also shortly discussed in #33558). The `dispatcher` tag attribute allows you to specify which dispatcher it should be registered to (defaulting to the global dispatcher). The `EventBubblingLogoutListener` also dispatches logout events on the global dispatcher, to be used for listeners that should run on all firewalls.
_@weaverryan and I discussed this feature while working on #33558, but figured it was unrelated and could be done while preserving BC. So that's why a separate PR is created._
Commits
-------
a9f096eb1f
[Security] Refactor logout listener to dispatch an event instead
UPGRADE FROM 5.0 to 5.1
Config
- The signature of method `NodeDefinition::setDeprecated()` has been updated to `NodeDefinition::setDeprecation(string $package, string $version, string $message)`.
- The signature of method `BaseNode::setDeprecated()` has been updated to `BaseNode::setDeprecation(string $package, string $version, string $message)`.
- Passing a null message to `BaseNode::setDeprecated()` to un-deprecate a node is deprecated
Console
- `Command::setHidden()` is final since Symfony 5.1
DependencyInjection
- The signature of method `Definition::setDeprecated()` has been updated to `Definition::setDeprecation(string $package, string $version, string $message)`.
- The signature of method `Alias::setDeprecated()` has been updated to `Alias::setDeprecation(string $package, string $version, string $message)`.
- The signature of method `DeprecateTrait::deprecate()` has been updated to `DeprecateTrait::deprecation(string $package, string $version, string $message)`.
- Deprecated the `Psr\Container\ContainerInterface` and `Symfony\Component\DependencyInjection\ContainerInterface` aliases of the `service_container` service, configure them explicitly instead.
Dotenv
- Deprecated passing `$usePutenv` argument to Dotenv's constructor, use `Dotenv::usePutenv()` instead.
EventDispatcher
- Deprecated `LegacyEventDispatcherProxy`. Use the event dispatcher without the proxy.
Form
- Implementing the `FormConfigInterface` without implementing the `getIsEmptyCallback()` method is deprecated. The method will be added to the interface in 6.0.
- Implementing the `FormConfigBuilderInterface` without implementing the `setIsEmptyCallback()` method is deprecated. The method will be added to the interface in 6.0.
- Added argument `callable|null $filter` to `ChoiceListFactoryInterface::createListFromChoices()` and `createListFromLoader()` - not defining them is deprecated.
FrameworkBundle
- Deprecated passing a `RouteCollectionBuilder` to `MicroKernelTrait::configureRoutes()`, type-hint `RoutingConfigurator` instead
- Deprecated not setting the "framework.router.utf8" configuration option as it will default to `true` in Symfony 6.0
- Deprecated `session.attribute_bag` service and `session.flash_bag` service.
HttpFoundation
- Deprecate `Response::create()`, `JsonResponse::create()`, `RedirectResponse::create()`, and `StreamedResponse::create()` methods (use `__construct()` instead)
- Made the Mime component an optional dependency
HttpKernel
- Deprecated support for `service:action` syntax to reference controllers. Use `serviceOrFqcn::method` instead.
Mailer
- Deprecated passing Mailgun headers without their "h:" prefix.
Messenger
- Deprecated AmqpExt transport. It has moved to a separate package. Run `composer require symfony/amqp-messenger` to use the new classes.
- Deprecated Doctrine transport. It has moved to a separate package. Run `composer require symfony/doctrine-messenger` to use the new classes.
- Deprecated RedisExt transport. It has moved to a separate package. Run `composer require symfony/redis-messenger` to use the new classes.
- Deprecated use of invalid options in Redis and AMQP connections.
- Deprecated not declaring a `\Throwable` argument in `RetryStrategyInterface::isRetryable()`
- Deprecated not declaring a `\Throwable` argument in `RetryStrategyInterface::getWaitingTime()`
Notifier
- [BC BREAK] The `ChatMessage::fromNotification()` method's `$recipient` and `$transport` arguments were removed.
- [BC BREAK] The `EmailMessage::fromNotification()` and `SmsMessage::fromNotification()` methods' `$transport` argument was removed.
PhpUnitBridge
- Deprecated the `@expectedDeprecation` annotation, use the `ExpectDeprecationTrait::expectDeprecation()` method instead.
Routing
- Deprecated `RouteCollectionBuilder` in favor of `RoutingConfigurator`.
- Added argument `$priority` to `RouteCollection::add()`
- Deprecated the `RouteCompiler::REGEX_DELIMITER` constant
Security
- Deprecated `ROLE_PREVIOUS_ADMIN` role in favor of `IS_IMPERSONATOR` attribute.

  *before*

  ```twig
  {% if is_granted('ROLE_PREVIOUS_ADMIN') %}
      <a href="">Exit impersonation</a>
  {% endif %}
  ```

  *after*

  ```twig
  {% if is_granted('IS_IMPERSONATOR') %}
      <a href="">Exit impersonation</a>
  {% endif %}
  ```

- Deprecated `LogoutSuccessHandlerInterface` and `LogoutHandlerInterface`, register a listener on the `LogoutEvent` event instead.
- Deprecated `DefaultLogoutSuccessHandler` in favor of `DefaultLogoutListener`.
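
One way to move a custom logout handler to a `LogoutEvent` subscriber, shown as an added example that is not code from this PR or from Symfony. The class name, namespace, log fields, `/` fallback target and the firewall name `main` are assumptions.

```php
<?php
// Added example (not from the PR). Class name, log fields and the '/' fallback
// are assumptions. To bind it to one firewall (assumed here to be "main"), tag it:
//   { name: kernel.event_subscriber, dispatcher: security.event_dispatcher.main }
namespace App\Security;

use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\Security\Http\Event\LogoutEvent;

final class AuditLogoutSubscriber implements EventSubscriberInterface
{
    private $logger;

    public function __construct(LoggerInterface $logger)
    {
        $this->logger = $logger;
    }

    public static function getSubscribedEvents(): array
    {
        // Replaces the old addMethodCall('addHandler') container wiring.
        return [LogoutEvent::class => 'onLogout'];
    }

    public function onLogout(LogoutEvent $event): void
    {
        // The token is null when an unauthenticated client requests the logout path.
        $token = $event->getToken();
        $this->logger->info('User logged out', [
            // getUsername() is the accessor available on tokens in Symfony 5.1.
            'user' => $token ? $token->getUsername() : null,
            'ip' => $event->getRequest()->getClientIp(),
        ]);

        // Reuse a response set by an earlier listener, else fall back to a redirect.
        $response = $event->getResponse() ?? new RedirectResponse('/');
        // Ask the browser to drop cached pages, cookies and storage for this origin.
        $response->headers->set('Clear-Site-Data', '"cache", "cookies", "storage"');
        $event->setResponse($response);
    }
}
```

Without the `dispatcher` attribute the subscriber is registered on the global dispatcher, where it runs for logouts on every firewall.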
Yaml
- Deprecated using the `!php/object` and `!php/const` tags without a value.