1fc7b86f07
This PR was squashed before being merged into the 5.1-dev branch.
Discussion
----------
[Security] Refactor logout listener to dispatch an event instead
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes (sort of...)
| New feature? | yes
| Deprecations? | yes
| Tickets | Fix #25212, Fix #22473
| License | MIT
| Doc PR | tbd
The current `LogoutListener` has some extension points, but they are not really DX-friendly (ref #25212). It requires hacking a `addMethodCall('addHandler')` in the container builder to register a custom logout handler.
Also, it is impossible to overwrite the default logout functionality from a bundle (ref #22473).
This PR introduces a `LogoutEvent` that replaces both the `LogoutSuccessHandlerInterface` and `LogoutHandlerInterface`. This provides a DX-friendly extension point and also cleans up the authentication factories (no more `addMethodCall()`'s).
In order to allow different logout handlers for different firewalls, I created a specific event dispatcher for each firewall (as also shortly discussed in #33558). The `dispatcher` tag attribute allows you to specify which dispatcher it should be registered to (defaulting to the global dispatcher). The `EventBubblingLogoutListener` also dispatches logout events on the global dispatcher, to be used for listeners that should run on all firewalls.
_@weaverryan and I discussed this feature while working on #33558, but figured it was unrelated and could be done while preservering BC. So that's why a separate PR is created._
Commits
-------
a9f096eb1f [Security] Refactor logout listener to dispatch an event instead
4.7 KiB
4.7 KiB
UPGRADE FROM 5.0 to 5.1
Config
- The signature of method
NodeDefinition::setDeprecated()has been updated toNodeDefinition::setDeprecation(string $package, string $version, string $message). - The signature of method
BaseNode::setDeprecated()has been updated toBaseNode::setDeprecation(string $package, string $version, string $message). - Passing a null message to
BaseNode::setDeprecated()to un-deprecate a node is deprecated
Console
Command::setHidden()is final since Symfony 5.1
DependencyInjection
- The signature of method
Definition::setDeprecated()has been updated toDefinition::setDeprecation(string $package, string $version, string $message). - The signature of method
Alias::setDeprecated()has been updated toAlias::setDeprecation(string $package, string $version, string $message). - The signature of method
DeprecateTrait::deprecate()has been updated toDeprecateTrait::deprecation(string $package, string $version, string $message). - Deprecated the
Psr\Container\ContainerInterfaceandSymfony\Component\DependencyInjection\ContainerInterfacealiases of theservice_containerservice, configure them explicitly instead.
Dotenv
- Deprecated passing
$usePutenvargument to Dotenv's constructor, useDotenv::usePutenv()instead.
EventDispatcher
- Deprecated
LegacyEventDispatcherProxy. Use the event dispatcher without the proxy.
Form
- Implementing the
FormConfigInterfacewithout implementing thegetIsEmptyCallback()method is deprecated. The method will be added to the interface in 6.0. - Implementing the
FormConfigBuilderInterfacewithout implementing thesetIsEmptyCallback()method is deprecated. The method will be added to the interface in 6.0. - Added argument
callable|null $filtertoChoiceListFactoryInterface::createListFromChoices()andcreateListFromLoader()- not defining them is deprecated.
FrameworkBundle
- Deprecated passing a
RouteCollectionBuildertoMicroKernelTrait::configureRoutes(), type-hintRoutingConfiguratorinstead - Deprecated not setting the "framework.router.utf8" configuration option as it will default to
truein Symfony 6.0 - Deprecated
session.attribute_bagservice andsession.flash_bagservice.
HttpFoundation
- Deprecate
Response::create(),JsonResponse::create(),RedirectResponse::create(), andStreamedResponse::create()methods (use__construct()instead) - Made the Mime component an optional dependency
HttpKernel
- Deprecated support for
service:actionsyntax to reference controllers. UseserviceOrFqcn::methodinstead.
Mailer
- Deprecated passing Mailgun headers without their "h:" prefix.
Messenger
- Deprecated AmqpExt transport. It has moved to a separate package. Run
composer require symfony/amqp-messengerto use the new classes. - Deprecated Doctrine transport. It has moved to a separate package. Run
composer require symfony/doctrine-messengerto use the new classes. - Deprecated RedisExt transport. It has moved to a separate package. Run
composer require symfony/redis-messengerto use the new classes. - Deprecated use of invalid options in Redis and AMQP connections.
- Deprecated not declaring a
\Throwableargument inRetryStrategyInterface::isRetryable() - Deprecated not declaring a
\Throwableargument inRetryStrategyInterface::getWaitingTime()
Notifier
- [BC BREAK] The
ChatMessage::fromNotification()method's$recipientand$transportarguments were removed. - [BC BREAK] The
EmailMessage::fromNotification()andSmsMessage::fromNotification()methods'$transportargument was removed.
PhpUnitBridge
- Deprecated the
@expectedDeprecationannotation, use theExpectDeprecationTrait::expectDeprecation()method instead.
Routing
- Deprecated
RouteCollectionBuilderin favor ofRoutingConfigurator. - Added argument
$prioritytoRouteCollection::add() - Deprecated the
RouteCompiler::REGEX_DELIMITERconstant
Security
-
Deprecated
ROLE_PREVIOUS_ADMINrole in favor ofIS_IMPERSONATORattribute.before
{% if is_granted('ROLE_PREVIOUS_ADMIN') %} <a href="">Exit impersonation</a> {% endif %}after
{% if is_granted('IS_IMPERSONATOR') %} <a href="">Exit impersonation</a> {% endif %} -
Deprecated
LogoutSuccessHandlerInterfaceandLogoutHandlerInterface, register a listener on theLogoutEventevent instead. -
Deprecated
DefaultLogoutSuccessHandlerin favor ofDefaultLogoutListener.
Yaml
- Deprecated using the
!php/objectand!php/consttags without a value.