bc4dd8f16b
This PR was squashed before being merged into the 3.4 branch (closes #22629).
Discussion
----------
[Security] Trigger a deprecation when a voter is missing the VoterInterface
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | ~
| License | MIT
| Doc PR | ~
Right now it's possible to add voters to the access decision manager that do not have a `VoterInterface`.
- No Interface, no `vote()` method, and it will give a PHP error.
- No Interface, but `vote()` method, it will still work.
- If I don't implement the interface _and_ have no `vote()` method, I will get weird exception that's not meaningful: `Attempted to call an undefined method named "vote" of class "App\Voter\MyVoter".`
This PR will deprecate the ability to use voters without the interface, it will also throw a proper exception when missing the interface _and_ the `vote()` method. Why when using and not when setting? Due to the fact that the voters can be set lazily via the `IteratorArgument`. The SecurityBundle will trigger a deprecation if the interface is not implemented and an exception if there's not even a `vote()` method present (to prevent exceptions at run-time).
This should have full backwards compatibility with 3.3, but give more meaningful errors. The only behavioral difference, might be that the container will throw an exception instead of maybe succeeding in voting when 1 voter would be broken at the end of the list (based on strategy). This case however, will be detected during development and deployment, rather than run-time.
Commits
-------
9c253e1ff6 [Security] Trigger a deprecation when a voter is missing the VoterInterface
2.3 KiB
UPGRADE FROM 3.3 to 3.4
DependencyInjection
- Top-level anonymous services in XML are deprecated and will throw an exception in Symfony 4.0.
Finder
- The
Symfony\Component\Finder\Iterator\FilterIteratorclass has been deprecated and will be removed in 4.0 as it used to fix a bug which existed before version 5.5.23/5.6.7.
FrameworkBundle
-
The
doctrine/cachedependency has been removed; require it viacomposer require doctrine/cacheif you are using Doctrine cache in your project. -
The
validator.mapping.cache.doctrine.apcservice has been deprecated. -
The
symfony/stopwatchdependency has been removed, require it viacomposer require symfony/stopwatchin yourdevenvironment. -
Using the
KERNEL_DIRenvironment variable or the automatic guessing based on thephpunit.xml/phpunit.xml.distfile location is deprecated since 3.4. Set theKERNEL_CLASSenvironment variable to the fully-qualified class name of your Kernel instead. Not setting theKERNEL_CLASSenvironment variable will throw an exception on 4.0 unless you override theKernelTestCase::createKernel()orKernelTestCase::getKernelClass()method. -
The
KernelTestCase::getPhpUnitXmlDir()andKernelTestCase::getPhpUnitCliConfigArgument()methods are deprecated since 3.4 and will be removed in 4.0. -
The
--no-prefixoption of thetranslation:updatecommand is deprecated and will be removed in 4.0. Use the--prefixoption with an empty string as value instead (e.g.--prefix="")
Process
- The
Symfony\Component\Process\ProcessBuilderclass has been deprecated, use theSymfony\Component\Process\Processclass directly instead.
SecurityBundle
-
Using voters that do not implement the
VoterInterfaceis now deprecated in theAccessDecisionManagerand this functionality will be removed in 4.0. -
FirewallContext::getListeners()now returns\Traversable|array
Validator
- Not setting the
strictoption of theChoiceconstraint totrueis deprecated and will throw an exception in Symfony 4.0.
Yaml
- Using the non-specific tag
!is deprecated and will have a different behavior in 4.0. Use a plain integer or!!floatinstead.