This repository has been archived on 2023-08-20. You can view files and clone it, but cannot push or open issues or pull requests.
symfony/UPGRADE-5.2.md
Fabien Potencier 374d70568c feature #37620 [Security] Use NullToken while checking authorization (wouterj)
This PR was merged into the 5.2-dev branch.

Discussion
----------

[Security] Use NullToken while checking authorization

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | Fix #37523
| License       | MIT
| Doc PR        | tbd

This allows voters to grant access to unauthenticated users. E.g. some objects can be viewed by anyone, in this case the voter has to be able to grant access to unauthenticated users.

This *does break* the interface PHPdoc of `TokenInterface`: `getUser()` returns `null` instead of `string|UserInterface`. This is only true when using the new system, so not a real BC break. I think the only thing we can do to "guide" users is to add some custom handling for type errors related to `null` and `UserInterface` methods ("Did you forget to check for `null` in the Voter?"). Is this something I should add to this PR?

Commits
-------

e37091541c Use NullToken while checking authorization
2020-07-31 08:44:47 +02:00

UPGRADE FROM 5.1 to 5.2

DependencyInjection

  • Deprecated Definition::setPrivate() and Alias::setPrivate(), use setPublic() instead

Mime

  • Deprecated Address::fromString(), use Address::create() instead

TwigBundle

  • Deprecated the public twig service; it is scheduled to become private.

TwigBridge

  • Changed 2nd argument type of TranslationExtension::__construct() to TranslationNodeVisitor

Validator

  • Deprecated the allowEmptyString option of the Length constraint.

    Before:

    use Symfony\Component\Validator\Constraints as Assert;
    
    /**
     * @Assert\Length(min=5, allowEmptyString=true)
     */
    

    After:

    use Symfony\Component\Validator\Constraints as Assert;
    
    /**
     * @Assert\AtLeastOneOf({
     *     @Assert\Blank(),
     *     @Assert\Length(min=5)
     * })
     */
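
To see what the replacement preserves, here are the old lenient rule (written the 5.2 way, as AtLeastOneOf over Blank and Length) and the strict Length rule validated side by side. This is an added example, not code from the Symfony repository; it assumes symfony/validator 5.2 installed with Composer, and the sample inputs are constructed for the example.

```php
<?php
// Added example, not code from the Symfony repository. Assumes
// symfony/validator 5.2 installed with Composer (vendor/autoload.php).

require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Validator\Constraint;
use Symfony\Component\Validator\Constraints as Assert;
use Symfony\Component\Validator\Validation;
use Symfony\Component\Validator\Validator\ValidatorInterface;

// The 5.2 spelling of "empty is fine, otherwise at least 5 characters",
// i.e. what Length(min=5, allowEmptyString=true) expressed before.
$minFiveOrEmpty = new Assert\AtLeastOneOf([
    new Assert\Blank(),
    new Assert\Length(['min' => 5]),
]);

// The strict form: an empty string is too short as well.
$minFive = new Assert\Length(['min' => 5]);

// Validate one value against one constraint and summarise the result.
function outcome(ValidatorInterface $validator, $value, Constraint $constraint): string
{
    $violations = $validator->validate($value, $constraint);

    return 0 === \count($violations) ? 'valid' : 'invalid ('.$violations[0]->getMessage().')';
}

$validator = Validation::createValidator();

// Constructed sample inputs: empty, too short, long enough.
foreach (['', 'abc', 'abcdef'] as $input) {
    printf(
        "%-8s lenient: %-70s strict: %s\n",
        var_export($input, true),
        outcome($validator, $input, $minFiveOrEmpty),
        outcome($validator, $input, $minFive)
    );
}
```

Run it with `php length.php`. The empty string is the only input on which the two constraints disagree: Blank accepts it, so the AtLeastOneOf form passes it, while the plain Length form reports it as too short. When migrating, decide explicitly which of the two you want for each field; silently dropping allowEmptyString=true turns an optional field into a required one.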
    

Security

  • [BC break] In the experimental authenticator-based system, TokenInterface::getUser() returns null in case of an unauthenticated session.
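
The PR description above and this upgrade note turn on the same point: under the authenticator-based system an unauthenticated request reaches the voters with a NullToken whose getUser() returns null, so a voter that calls UserInterface methods unconditionally now fails, and a voter that wants to grant anonymous access to some objects can do so. The following voter is written for that contract. It is an added example, not code from the Symfony repository or from the PR; it assumes symfony/security-core 5.2 installed with Composer and PHP 7.4 or newer, and the Document class, DocumentVoter and the VIEW/EDIT attributes are hypothetical names chosen for the example.

```php
<?php
// Added example, not code from the Symfony repository or from the PR.
// Assumes symfony/security-core 5.2 installed with Composer
// (vendor/autoload.php) and PHP 7.4+. Document, DocumentVoter and the
// VIEW/EDIT attributes are hypothetical names chosen for this example.

require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Security\Core\Authentication\Token\NullToken;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\User\User;
use Symfony\Component\Security\Core\User\UserInterface;

/** A resource with an owner and a "visible to everyone" flag (constructed for the example). */
final class Document
{
    private string $ownerUsername;
    private bool $public;

    public function __construct(string $ownerUsername, bool $public)
    {
        $this->ownerUsername = $ownerUsername;
        $this->public = $public;
    }

    public function getOwnerUsername(): string { return $this->ownerUsername; }
    public function isPublic(): bool { return $this->public; }
}

final class DocumentVoter extends Voter
{
    public const VIEW = 'VIEW';
    public const EDIT = 'EDIT';

    protected function supports(string $attribute, $subject): bool
    {
        return \in_array($attribute, [self::VIEW, self::EDIT], true) && $subject instanceof Document;
    }

    protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
    {
        /** @var Document $subject */
        $user = $token->getUser();

        // Handle the anonymous case before calling any UserInterface method.
        // With the authenticator-based system the token is a NullToken and
        // $user is null; with the legacy system it is the string 'anon.'.
        // Calling $user->getUsername() here would be a fatal error, so test
        // for the interface rather than only for null.
        if (!$user instanceof UserInterface) {
            // Anyone may view a public document; anything else needs a login.
            return self::VIEW === $attribute && $subject->isPublic();
        }

        // Authenticated: the owner may do everything, other users may only
        // view public documents. Denial is the fall-through.
        if ($user->getUsername() === $subject->getOwnerUsername()) {
            return true;
        }

        return self::VIEW === $attribute && $subject->isPublic();
    }
}

// Exercise the voter outside the framework with the token the 5.2
// AuthorizationChecker passes for an unauthenticated request (NullToken)
// and with two authenticated tokens (constructed sample users).
$voter = new DocumentVoter();
$publicDoc = new Document('alice', true);
$privateDoc = new Document('alice', false);

$anonymous = new NullToken();
$alice = new UsernamePasswordToken(new User('alice', null, ['ROLE_USER']), null, 'main', ['ROLE_USER']);
$bob = new UsernamePasswordToken(new User('bob', null, ['ROLE_USER']), null, 'main', ['ROLE_USER']);

$label = static function (int $decision): string {
    return VoterInterface::ACCESS_GRANTED === $decision ? 'GRANTED' : 'DENIED';
};

foreach ([
    ['anonymous', $anonymous, DocumentVoter::VIEW, $publicDoc],
    ['anonymous', $anonymous, DocumentVoter::VIEW, $privateDoc],
    ['anonymous', $anonymous, DocumentVoter::EDIT, $publicDoc],
    ['alice', $alice, DocumentVoter::EDIT, $privateDoc],
    ['bob', $bob, DocumentVoter::VIEW, $privateDoc],
    ['bob', $bob, DocumentVoter::VIEW, $publicDoc],
] as [$who, $token, $attribute, $doc]) {
    $kind = $doc->isPublic() ? 'public ' : 'private';
    printf("%-9s %s %s document: %s\n", $who, $attribute, $kind, $label($voter->vote($token, $doc, [$attribute])));
}
```

Run it with `php voter.php`. The anonymous token is granted only VIEW on the public document, the owner is granted EDIT on her private document, and the other user is denied VIEW on it. The instanceof test is the line that matters for the upgrade: a voter that checked `null !== $user` and then called a UserInterface method would still break on the legacy 'anon.' string, and a voter that never considered the unauthenticated case at all will now hit a type error instead of silently denying, which is the "did you forget to check for null" situation the PR description raises.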