This PR was squashed before being merged into the 3.4 branch (closes #22629).
Discussion
----------
[Security] Trigger a deprecation when a voter is missing the VoterInterface
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | ~
| License | MIT
| Doc PR | ~
Right now it's possible to add voters to the access decision manager that do not have a `VoterInterface`.
- No Interface, no `vote()` method, and it will give a PHP error.
- No Interface, but `vote()` method, it will still work.
- If I don't implement the interface _and_ have no `vote()` method, I will get weird exception that's not meaningful: `Attempted to call an undefined method named "vote" of class "App\Voter\MyVoter".`
This PR will deprecate the ability to use voters without the interface, it will also throw a proper exception when missing the interface _and_ the `vote()` method. Why when using and not when setting? Due to the fact that the voters can be set lazily via the `IteratorArgument`. The SecurityBundle will trigger a deprecation if the interface is not implemented and an exception if there's not even a `vote()` method present (to prevent exceptions at run-time).
This should have full backwards compatibility with 3.3, but give more meaningful errors. The only behavioral difference, might be that the container will throw an exception instead of maybe succeeding in voting when 1 voter would be broken at the end of the list (based on strategy). This case however, will be detected during development and deployment, rather than run-time.
Commits
-------
9c253e1ff6
[Security] Trigger a deprecation when a voter is missing the VoterInterface
2.3 KiB
UPGRADE FROM 3.3 to 3.4
DependencyInjection
- Top-level anonymous services in XML are deprecated and will throw an exception in Symfony 4.0.
Finder
- The
Symfony\Component\Finder\Iterator\FilterIterator
class has been deprecated and will be removed in 4.0 as it used to fix a bug which existed before version 5.5.23/5.6.7.
FrameworkBundle
-
The
doctrine/cache
dependency has been removed; require it viacomposer require doctrine/cache
if you are using Doctrine cache in your project. -
The
validator.mapping.cache.doctrine.apc
service has been deprecated. -
The
symfony/stopwatch
dependency has been removed, require it viacomposer require symfony/stopwatch
in yourdev
environment. -
Using the
KERNEL_DIR
environment variable or the automatic guessing based on thephpunit.xml
/phpunit.xml.dist
file location is deprecated since 3.4. Set theKERNEL_CLASS
environment variable to the fully-qualified class name of your Kernel instead. Not setting theKERNEL_CLASS
environment variable will throw an exception on 4.0 unless you override theKernelTestCase::createKernel()
orKernelTestCase::getKernelClass()
method. -
The
KernelTestCase::getPhpUnitXmlDir()
andKernelTestCase::getPhpUnitCliConfigArgument()
methods are deprecated since 3.4 and will be removed in 4.0. -
The
--no-prefix
option of thetranslation:update
command is deprecated and will be removed in 4.0. Use the--prefix
option with an empty string as value instead (e.g.--prefix=""
)
Process
- The
Symfony\Component\Process\ProcessBuilder
class has been deprecated, use theSymfony\Component\Process\Process
class directly instead.
SecurityBundle
-
Using voters that do not implement the
VoterInterface
is now deprecated in theAccessDecisionManager
and this functionality will be removed in 4.0. -
FirewallContext::getListeners()
now returns\Traversable|array
Validator
- Not setting the
strict
option of theChoice
constraint totrue
is deprecated and will throw an exception in Symfony 4.0.
Yaml
- Using the non-specific tag
!
is deprecated and will have a different behavior in 4.0. Use a plain integer or!!float
instead.