Commits -------8a0e6d2
[HttpFoundation] Update changelog.4fc04fa
[HttpFoundation] Renamed MetaBag to MetadataBag2f03b31
[HttpFoundation] Added the ability to change the session cookie lifetime on migrate().39141e8
[HttpFoundation] Add ability to force the lifetime (allows update of session cookie expiry-time)ec3f88f
[HttpFoundation] Add methods to interface402254c
[HttpFoundation] Changed meta-data responsibility to SessionStorageInterfaced9fd14f
[HttpFoundation] Refactored for moved tests location.29bd787
[HttpFoundation] Added some basic meta-data to Session Discussion ---------- [2.1][HttpFoundation] Added some basic meta-data to Session Bug fix: no Feature addition: yes Backwards compatibility break: no Symfony2 tests pass: yes References the following tickets: #2171 Todo: - Session data is stored as an encoded string against a single id. If we want to store meta-data about the session, that data has to be stored as part of the session data to ensure the meta-data can persist using any session save handler. This patch makes it much easier to determine the logic of session expiration. In general a session expiry can be dealt with by the gc handlers, however, in some applications more specific expiry rules might be required. Session expiry may also be more complex than a simple, session was idle for x seconds. For example, in Zikula there are three security settings, Low, Medium and High. The rules for session expiry are more complex as under the Medium setting, a session will expire after x minutes idle time, unless the rememberme option was ticked on login. If so, the session will not idle. This gives the user some control over their experience. Under the high security setting, then there is no option, sessions will expire after the idle time is reached and login the UI has the rememberme checkbox removed. The other advantage is that under this methodology, there can be a UI experience on expiry, like "Sorry, your session expired due to being idle for 10 minutes". Keeping in the spirit of Symfony2 Components, I am seeking to make session handling flexible enough to accommodate these general requirements without specifically covering expiration rules. It would mean that it would be up to the implementing application to specifcally check and expire session after starting it. Expiration might look something like this: $session->start(); if (time() - $session->getMetadataBag()->getLastUpdate() > $maxIdleTime) { $session->invalidate(); throw new SessionExpired(); } This commit also brings the ability to change the `cookie_lifetime` when migrating a session. This means one could move from a default of browser only session cookie to long-lived cookie when changing from a anonymous to a logged in user for example. $session->migrate($destroy, $lifetime); --------------------------------------------------------------------------- by drak at 2012-03-30T18:18:43Z @fabpot I have removed [WIP] status. --------------------------------------------------------------------------- by drak at 2012-03-31T13:34:57Z NB: This PR has been rebased and the tests relocated as per recent master changes. --------------------------------------------------------------------------- by drak at 2012-04-03T02:16:43Z @fabpot - ping
18 KiB
CHANGELOG for 2.1.x
This changelog references the relevant changes (bug and security fixes) done in 2.1 minor versions.
To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v2.1.0...v2.1.1
2.1.0
DoctrineBridge
- added a default implementation of the ManagerRegistry
- added a session storage for Doctrine DBAL
TwigBridge
- added a csrf_token function
- added a way to specify a default domain for a Twig template (via the 'trans_default_domain' tag)
AbstractDoctrineBundle
- This bundle has been removed and the relevant code has been moved to the Doctrine bridge
DoctrineBundle
- This bundle has been moved to the Doctrine organization
- added optional
group_by
property toEntityType
that supports either aPropertyPath
or a\Closure
that is evaluated on the entity choices - The
em
option for theUniqueEntity
constraint is now optional (and should probably not be used anymore).
FrameworkBundle
- moved Symfony\Bundle\FrameworkBundle\ContainerAwareEventDispatcher to Symfony\Component\EventDispatcher\ContainerAwareEventDispatcher
- moved Symfony\Bundle\FrameworkBundle\Debug\TraceableEventDispatcher to Symfony\Component\EventDispatcher\ContainerAwareTraceableEventDispatcher
- added a router:match command
- added a config:dump-reference command
- added kernel.event_subscriber tag
- added a way to create relative symlinks when running assets:install command (--relative option)
- added Controller::getUser()
- [BC BREAK] assets_base_urls and base_urls merging strategy has changed
- changed the default profiler storage to use the filesystem instead of SQLite
- added support for placeholders in route defaults and requirements (replaced by the value set in the service container)
- added Filesystem component as a dependency
- added support for hinclude (use
standalone: 'js'
in render tag) - session options: lifetime, path, domain, secure, httponly were deprecated. Prefixed versions should now be used instead: cookie_lifetime, cookie_path, cookie_domain, cookie_secure, cookie_httponly
- [BC BREAK] following session options: 'lifetime', 'path', 'domain', 'secure', 'httponly' are now prefixed with cookie_ when dumped to the container
- Added
handler_id
configuration undersession
key to representsession.handler
service, defaults tosession.handler.native_file
. - Added
gc_maxlifetime
,gc_probability
, andgc_divisor
to session configuration.This means session garbage collection has agc_probability
/gc_divisor
chance of being run. Thegc_maxlifetime
means how long a session can idle for which is separate from cookie lifetime which defines how long a cookie can be store on the remote client.
MonologBundle
- This bundle has been moved to its own repository (https://github.com/symfony/MonologBundle)
SecurityBundle
-
[BC BREAK] The custom factories for the firewall configuration are now registered during the build method of bundles instead of being registered by the end-user (you need to remove the 'factories' keys in your security configuration).
-
[BC BREAK] The Firewall listener is now registered after the Router one. It means that specific Firewall URLs (like /login_check and /logout must now have proper route defined in your routing configuration)
-
[BC BREAK] refactored the user provider configuration. The configuration changed for the chain provider and the memory provider:
Before:
security: providers: my_chain_provider: providers: [my_memory_provider, my_doctrine_provider] my_memory_provider: users: toto: { password: foobar, roles: [ROLE_USER] } foo: { password: bar, roles: [ROLE_USER, ROLE_ADMIN] }
After:
security: providers: my_chain_provider: chain: providers: [my_memory_provider, my_doctrine_provider] my_memory_provider: memory: users: toto: { password: foobar, roles: [ROLE_USER] } foo: { password: bar, roles: [ROLE_USER, ROLE_ADMIN] }
-
[BC BREAK] Method
equals
was removed fromUserInterface
to its own newEquatableInterface
, now user class can implement this interface to override the default implementation of users equality test. -
added a validator for the user password
-
added 'erase_credentials' as a configuration key (true by default)
-
added new events:
security.authentication.success
andsecurity.authentication.failure
fired on authentication success/failure, regardless of authentication method, events are defined in new event class:Symfony\Component\Security\Core\AuthenticationEvents
. -
Added optional CSRF protection to LogoutListener:
security: firewalls: default: logout: path: /logout_path target: / csrf_parameter: _csrf_token # Optional (defaults to "_csrf_token") csrf_provider: form.csrf_provider # Required to enable protection intention: logout # Optional (defaults to "logout")
If the LogoutListener has CSRF protection enabled but cannot validate a token, then a LogoutException will be thrown.
-
Added
logout_url
templating helper and Twig extension, which may be used to generate logout URL's within templates. The security firewall's config key must be specified. If a firewall's logout listener has CSRF protection enabled, a token will be automatically added to the generated URL.
SwiftmailerBundle
- This bundle has been moved to its own repository (https://github.com/symfony/SwiftmailerBundle)
- moved the data collector to the bridge
- replaced MessageLogger class with the one from Swiftmailer 4.1.3
TwigBundle
- added the real template name when an error occurs in a Twig template
WebProfilerBundle
[BC BREAK] You must clear old profiles after upgrading to 2.1 (don't forget to remove the table if you are using a DB)
- added support for the request method
- added a routing panel
- added a timeline panel
- The toolbar position can now be configured via the
position
option (can betop
orbottom
)
BrowserKit
- [BC BREAK] The CookieJar internals have changed to allow cookies with the same name on different sub-domains/sub-paths
Config
- added a way to add documentation on configuration
- implemented
Serializable
on resources - LoaderResolverInterface is now used instead of LoaderResolver for type hinting
Console
- added a --raw option to the list command
- added support for STDERR in the console output class (errors are now sent to STDERR)
- made the defaults (helper set, commands, input definition) in Application more easily customizable
- added support for the shell even if readline is not available
- added support for process isolation in Symfony shell via
--process-isolation
switch - added support for
--
, which disables options parsing after that point (tokens will be parsed as arguments)
ClassLoader
- added a DebugClassLoader able to wrap any autoloader providing a findFile method
- added a new ApcClassLoader using composition to wrap other loaders
- added a new ClassLoader which does not distinguish between namespaced and pear-like classes (as the PEAR convention is a subset of PSR-0) and supports using Composer's namespace maps
- added a class map generator
- added support for loading globally-installed PEAR packages
DependencyInjection
- component exceptions that inherit base SPL classes are now used exclusively (this includes dumped containers)
DomCrawler
- refactor the Form class internals to support multi-dimensional fields (the public API is backward compatible)
- added a way to get parsing errors for Crawler::addHtmlContent() and Crawler::addXmlContent() via libxml functions
- added support for submitting a form without a submit button
EventDispatcher
- added a reference to the EventDispatcher on the Event
- added a reference to the Event name on the event
- added fluid interface to the dispatch() method which now returns the Event object
Filesystem
- created this new component
Finder
- Finder::exclude() now supports an array of directories as an argument
Form
-
[BC BREAK]
read_only
field attribute now renders asreadonly="readonly"
, usedisabled
instead -
[BC BREAK] child forms now aren't validated anymore by default
-
made validation of form children configurable (new option: cascade_validation)
-
added support for validation groups as callbacks
-
made the translation catalogue configurable via the "translation_domain" option
-
added Form::getErrorsAsString() to help debugging forms
-
allowed setting different options for RepeatedType fields (like the label)
-
added support for empty form name at root level, this enables rendering forms without form name prefix in field names
-
[BC BREAK] form and field names must start with a letter, digit or underscore and only contain letters, digits, underscores, hyphens and colons
-
[BC BREAK] changed default name of the prototype in the "collection" type from "$$name$$" to "_name_". No dollars are appended/prepended to custom names anymore.
-
[BC BREAK] improved ChoiceListInterface
-
[BC BREAK] added SimpleChoiceList and LazyChoiceList as replacement of ArrayChoiceList
-
added ChoiceList and ObjectChoiceList to use objects as choices
-
[BC BREAK] removed EntitiesToArrayTransformer and EntityToIdTransformer. The former has been replaced by CollectionToArrayTransformer in combination with EntityChoiceList, the latter is not required in the core anymore.
-
[BC BREAK] renamed
- ArrayToBooleanChoicesTransformer to ChoicesToBooleanArrayTransformer
- ScalarToBooleanChoicesTransformer to ChoiceToBooleanArrayTransformer
- ArrayToChoicesTransformer to ChoicesToValuesTransformer
- ScalarToChoiceTransformer to ChoiceToValueTransformer
to be consistent with the naming in ChoiceListInterface.
-
[BC BREAK] removed FormUtil::toArrayKey() and FormUtil::toArrayKeys(). They were merged into ChoiceList and have no public equivalent anymore.
-
choice fields now throw a FormException if neither the "choices" nor the "choice_list" option is set
-
the radio type is now a child of the checkbox type
-
the collection, choice (with multiple selection) and entity (with multiple selection) types now make use of addXxx() and removeXxx() methods in your model
-
added options "add_method" and "remove_method" to collection and choice type
-
forms now don't create an empty object anymore if they are completely empty and not required. The empty value for such forms is null.
-
added constant Guess::VERY_HIGH_CONFIDENCE
-
FormType::getDefaultOptions() now sees default options defined by parent types
-
[BC BREAK] FormType::getParent() does not see default options anymore
-
[BC BREAK] The methods
add
,remove
,setParent
,bind
andsetData
in class Form now throw an exception if the form is already bound
HttpFoundation
- added a getTargetUrl method to RedirectResponse
- added support for streamed responses
- made Response::prepare() method the place to enforce HTTP specification
- [BC BREAK] moved management of the locale from the Session class to the Request class
- added a generic access to the PHP built-in filter mechanism: ParameterBag::filter()
- made FileBinaryMimeTypeGuesser command configurable
- added Request::getUser() and Request::getPassword()
- added support for the PATCH method in Request
- removed the ContentTypeMimeTypeGuesser class as it is deprecated and never used on PHP 5.3
- added ResponseHeaderBag::makeDisposition() (implements RFC 6266)
- made mimetype to extension conversion configurable
- [BC BREAK] Moved all session related classes and interfaces into own namespace, as
Symfony\Component\HttpFoundation\Session
and renamed classes accordingly. Session handlers are located in the subnamespaceSymfony\Component\HttpFoundation\Session\Handler
. - SessionHandlers must implement
\SessionHandlerInterface
or extend from theSymfony\Component\HttpFoundation\Storage\Handler\NativeSessionHandler
base class. - Added internal storage driver proxy mechanism for forward compatibility with
PHP 5.4
\SessionHandler
class. - Added session handlers for PHP native Memcache, Memcached and SQLite session save handlers.
- Added session handlers for custom Memcache, Memcached and Null session save handlers.
- [BC BREAK] Removed
NativeSessionStorage
and replaced withNativeFileSessionHandler
. - [BC BREAK]
SessionStorageInterface
methods removed:write()
,read()
andremove()
. AddedgetBag()
,registerBag()
. TheNativeSessionStorage
class is a mediator for the session storage internals including the session handlers which do the real work of participating in the internal PHP session workflow. - [BC BREAK] Introduced mock implementations of
SessionStorage
to enable unit and functional testing without starting real PHP sessions. RemovedArraySessionStorage
, and replaced withMockArraySessionStorage
for unit tests; removedFilesystemSessionStorage
, and replaced withMockFileSessionStorage
for functional tests. These do not interact with global session ini configuration values, session functions or$_SESSION
supreglobal. This means they can be configured directly allowing multiple instances to work without conflicting in the same PHP process. - [BC BREAK] Removed the
close()
method from theSession
class, as this is now redundant. - Deprecated the following methods from the Session class:
setFlash()
,setFlashes()
getFlash()
,hasFlash()
, andremoveFlash()
. UsegetFlashBag()
instead which returns aFlashBagInterface
. Session->clear()
now only clears session attributes as before it cleared flash messages and attributes.Session->getFlashBag()->all()
clears flashes now.- Session data is now managed by
SessionBagInterface
which to better encapsulate session data. - Refactored session attribute and flash messages system to their own
SessionBagInterface
implementations. - Added
FlashBag
. Flashes expire when retrieved byget()
orall()
. This implementation is ESI compatible. - Added
AutoExpireFlashBag
(default) to replicate Symfony 2.0.x auto expire behaviour of messages auto expiring. after one page page load. Messages must be retrieved byget()
orall()
. - Added
Symfony\Component\HttpFoundation\Attribute\AttributeBag
to replicate attributes storage behaviour from 2.0.x (default). - Added
Symfony\Component\HttpFoundation\Attribute\NamespacedAttributeBag
for namespace session attributes. - Flash API can stores messages in an array so there may be multiple messages
per flash type. The old
Session
class API remains without BC break as it will single messages as before. - Added basic session meta-data to the session to record session create time, last updated time, and the lifetime of the session cookie that was provided to the client.
HttpKernel
- added CacheClearerInterface
- added a kernel.terminate event
- added a Stopwatch class
- added WarmableInterface
- improved extensibility between bundles
- added Memcache(d)-based profiler storages
- added a File-based profiler storage
- added a MongoDB-based profiler storage
- moved Filesystem class to its own component
Locale
- added Locale::getIcuVersion() and Locale::getIcuDataVersion()
Process
- added ProcessBuilder
Routing
- the UrlMatcher does not throw a \LogicException any more when the required scheme is not the current one
- added a TraceableUrlMatcher
- added the possibility to define default values and requirements for placeholders in prefix, including imported routes
- added RouterInterface::getRouteCollection
Security
- after login, the user is now redirected to
default_target_path
ifuse_referer
is true and the referrer is thelogin_path
. - added a way to remove a token from a session
- [BC BREAK] changed
MutableAclInterface::setParentAcl
to acceptnull
, review your implementation to reflect this change.
Serializer
-
[BC BREAK] changed
GetSetMethodNormalizer
's key names from all lowercased to camelCased (e.g.mypropertyvalue
tomyPropertyValue
) -
[BC BREAK] convert the
item
XML tag to an array<?xml version="1.0"?> <response> <item><title><![CDATA[title1]]></title></item><item><title><![CDATA[title2]]></title></item> </response>
Before:
Array()
After:
Array( [item] => Array( [0] => Array( [title] => title1 ) [1] => Array( [title] => title2 ) ) )
Translation
- changed the default extension for XLIFF files from .xliff to .xlf
- added support for gettext
- added support for more than one fallback locale
- added support for translations in ResourceBundles
- added support for extracting translation messages from templates (Twig and PHP)
- added dumpers for translation catalogs
- added support for QT translations
Validator
- added support for
ctype_*
assertions inTypeValidator
- added a Size validator
- added a SizeLength validator
- improved the ImageValidator with min width, max width, min height, and max height constraints
- added support for MIME with wildcard in FileValidator
- changed Collection validator to add "missing" and "extra" errors to individual fields
- changed default value for
extraFieldsMessage
andmissingFieldsMessage
in Collection constraint - made ExecutionContext immutable
- deprecated Constraint methods
setMessage
,getMessageTemplate
andgetMessageParameters
- added support for dynamic group sequences with the GroupSequenceProvider pattern
Yaml
- Yaml::parse() does not evaluate loaded files as PHP files by default anymore (call Yaml::enablePhpParsing() to get back the old behavior)