374d70568c
This PR was merged into the 5.2-dev branch.
Discussion
----------
[Security] Use NullToken while checking authorization
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | Fix #37523
| License | MIT
| Doc PR | tbd
This allows voters to grant access to unauthenticated users. E.g. some objects can be viewed by anyone, in this case the voter has to be able to grant access to unauthenticated users.
This *does break* the interface PHPdoc of `TokenInterface`: `getUser()` returns `null` instead of `string|UserInterface`. This is only true when using the new system, so not a real BC break. I think the only thing we can do to "guide" users is to add some custom handling for type errors related to `null` and `UserInterface` methods ("Did you forgot to check for `null` in the Voter?"). Is this something I should add to this PR?
Commits
-------
e37091541c
Use NullToken while checking authorization
1.1 KiB
1.1 KiB
UPGRADE FROM 5.1 to 5.2
DependencyInjection
- Deprecated
Definition::setPrivate()
andAlias::setPrivate()
, usesetPublic()
instead
Mime
- Deprecated
Address::fromString()
, useAddress::create()
instead
TwigBundle
- Deprecated the public
twig
service to private.
TwigBridge
- Changed 2nd argument type of
TranslationExtension::__construct()
toTranslationNodeVisitor
Validator
-
Deprecated the
allowEmptyString
option of theLength
constraint.Before:
use Symfony\Component\Validator\Constraints as Assert; /** * @Assert\Length(min=5, allowEmptyString=true) */
After:
use Symfony\Component\Validator\Constraints as Assert; /** * @Assert\AtLeastOneOf({ * @Assert\Blank(), * @Assert\Length(min=5) * }) */
Security
- [BC break] In the experimental authenticator-based system, *
TokenInterface::getUser()
returnsnull
in case of unauthenticated session.