Commit

Merge branch '2.8'
* 2.8:
  Fix broken link in security chapter
  Add version 2.8 to the release roadmap
  bug #5162 Fix misspelled XliffFileLoader class in the Using Domains (Nicola Pietroluongo)
  Fix misspelled XliffFileLoader class in the Using Message Domains example
  Removing a section about Roles that I think has no real use-case
  add missing security advisories
  Fix misspelled XliffFileLoader class in the Using Message Domains example
  Use correct Session namespace
weaverryan committed Apr 17, 2015
2 parents 2e86186 + 93ecd0a commit b74593c
Showing 6 changed files with 13 additions and 213 deletions.
4 changes: 2 additions & 2 deletions book/internals.rst
Expand Up @@ -40,8 +40,8 @@ variables:
* The :class:`Symfony\\Component\\HttpFoundation\\Response` class abstracts
some PHP functions like ``header()``, ``setcookie()``, and ``echo``;

* The :class:`Symfony\\Component\\HttpFoundation\\Session` class and
:class:`Symfony\\Component\\HttpFoundation\\SessionStorage\\SessionStorageInterface`
* The :class:`Symfony\\Component\\HttpFoundation\\Session\\Session` class and
:class:`Symfony\\Component\\HttpFoundation\\Session\\Storage\\SessionStorageInterface`
interface abstract session management ``session_*()`` functions.

.. note::
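Review bot: The corrected ``:class:`` targets now point at ``Session\\Session`` and ``Session\\Storage\\SessionStorageInterface``, which is the namespace layout the rest of the HttpFoundation documentation uses; one style point on the unchanged wording that follows: "class and ... interface abstract session management ``session_*()`` functions" reads better as "abstract the session management ``session_*()`` functions".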
2 changes: 1 addition & 1 deletion book/security.rst
Expand Up @@ -1069,7 +1069,7 @@ the User object, and use the ``isGranted`` method (or
Retrieving the User in a Template
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In a Twig Template this object can be accessed via the `app.user <reference-twig-global-app>`_
In a Twig Template this object can be accessed via the :ref:`app.user <reference-twig-global-app>`
key:

.. configuration-block::
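Review bot: The fix is the right one: backtick-quoted text ending in ``_`` is a named hyperlink reference in reST and needs a matching ``.. _name:`` target, so the old form rendered as a dangling link, whereas ``:ref:`` with an explicit title resolves the Sphinx label ``reference-twig-global-app``. Worth a grep for other ``<some-label>`_`` patterns in the book, since the same mistake is easy to repeat.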
2 changes: 1 addition & 1 deletion components/translation/introduction.rst
Expand Up @@ -186,7 +186,7 @@ organization, translations were split into three different domains:
loaded like this::

// ...
$translator->addLoader('xliff', new XliffLoader());
$translator->addLoader('xliff', new XliffFileLoader());

$translator->addResource('xliff', 'messages.fr.xliff', 'fr_FR');
$translator->addResource('xliff', 'admin.fr.xliff', 'fr_FR', 'admin');
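Review bot: ``XliffFileLoader`` is the correct class name, but the snippet still hides its import behind ``// ...``, so a reader copying it has to guess the namespace; suggest an explicit ``use Symfony\Component\Translation\Loader\XliffFileLoader;`` line above the ``addLoader()`` call, and the same check on the other loader examples in this chapter.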
6 changes: 6 additions & 0 deletions contributing/code/security.rst
Expand Up @@ -103,6 +103,12 @@ Security Advisories
This section indexes security vulnerabilities that were fixed in Symfony
releases, starting from Symfony 1.0.0:

* April 1, 2015: `CVE-2015-2309: Unsafe methods in the Request class <http://symfony.com/blog/cve-2015-2309-unsafe-methods-in-the-request-class>`_ (Symfony 2.3.27, 2.5.11 and 2.6.6)
* April 1, 2015: `CVE-2015-2308: Esi Code Injection <http://symfony.com/blog/cve-2015-2308-esi-code-injection>`_ (Symfony 2.3.27, 2.5.11 and 2.6.6)
* September 3, 2014: `CVE-2014-6072: CSRF vulnerability in the Web Profiler <http://symfony.com/blog/cve-2014-6072-csrf-vulnerability-in-the-web-profiler>`_ (Symfony 2.3.19, 2.4.9 and 2.5.4)
* September 3, 2014: `CVE-2014-6061: Security issue when parsing the Authorization header <http://symfony.com/blog/cve-2014-6061-security-issue-when-parsing-the-authorization-header>`_ (Symfony 2.3.19, 2.4.9 and 2.5.4)
* September 3, 2014: `CVE-2014-5245: Direct access of ESI URLs behind a trusted proxy <http://symfony.com/blog/cve-2014-5245-direct-access-of-esi-urls-behind-a-trusted-proxy>`_ (Symfony 2.3.19, 2.4.9 and 2.5.4)
* September 3, 2014: `CVE-2014-5244: Denial of service with a malicious HTTP Host header <http://symfony.com/blog/cve-2014-5244-denial-of-service-with-a-malicious-http-host-header>`_ (Symfony 2.3.19, 2.4.9 and 2.5.4)
* July 15, 2014: `Security releases: Symfony 2.3.18, 2.4.8, and 2.5.2 released <http://symfony.com/blog/security-releases-cve-2014-4931-symfony-2-3-18-2-4-8-and-2-5-2-released>`_ (`CVE-2014-4931 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4931>`_)
* October 10, 2013: `Security releases: Symfony 2.0.25, 2.1.13, 2.2.9, and 2.3.6 released <http://symfony.com/blog/security-releases-cve-2013-5958-symfony-2-0-25-2-1-13-2-2-9-and-2-3-6-released>`_ (`CVE-2013-5958 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5958>`_)
* August 7, 2013: `Security releases: Symfony 2.0.24, 2.1.12, 2.2.5, and 2.3.3 released <http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released>`_ (`CVE-2013-4751 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4751>`_ and `CVE-2013-4752 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4752>`_)
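Review bot: The six added entries keep the newest-first order and name the fixed releases, but unlike the older entries they link only to the symfony.com blog post and not to the CVE record; for consistency, and so readers can verify the advisory independently of the project site, add the same ``CVE-... <http://cve.mitre.org/cgi-bin/cvename.cgi?name=...>`_`` link the July 2014 and earlier entries carry. Minor: the CVE-2015-2308 title writes "Esi" where the CVE-2014-5245 title writes "ESI".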
5 changes: 3 additions & 2 deletions contributing/community/releases.rst
Expand Up @@ -98,7 +98,8 @@ Version Feature Freeze Release End of Maintenance End of Life
2.4 09/2013 11/2013 09/2014 (10 months [1]_) 01/2015
2.5 03/2014 05/2014 01/2015 (8 months) 07/2015
2.6 09/2014 11/2014 07/2015 (8 months) 01/2016
**2.7** 03/2015 05/2015 05/2018 (36 months [2]_) 05/2019
**2.7** 03/2015 05/2015 05/2018 (36 months) 05/2019
**2.8** 09/2015 11/2015 11/2018 (36 months [2]_) 11/2019
3.0 09/2015 11/2015 07/2016 (8 months) 01/2017
3.1 03/2016 05/2016 01/2017 (8 months) 07/2017
3.2 09/2016 11/2016 07/2017 (8 months) 01/2018
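Review bot: Moving the ``[2]_`` marker from the 2.7 row to the new 2.8 row is consistent with the footnote change further down, but the 2.8 row repeats 3.0's feature-freeze and release dates (09/2015 and 11/2015); if that pairing is deliberate, say so in the footnote, otherwise readers will take it for a copy error. Also check column alignment after the insert, since a reST simple table breaks as soon as a cell overruns its column border.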
Expand All @@ -107,7 +108,7 @@ Version Feature Freeze Release End of Maintenance End of Life
======= ============== ======= ======================== ===========

.. [1] Symfony 2.4 maintenance has been `extended to September 2014`_.
.. [2] Symfony 2.7 is the last version of the Symfony 2.x branch.
.. [2] Symfony 2.8 is the last version of the Symfony 2.x branch.
.. tip::

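Review bot: The footnote text now agrees with the row that carries ``[2]_``; since the 2.7 row no longer references any footnote, confirm no other page still describes 2.7 as the last release of the 2.x branch.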
207 changes: 0 additions & 207 deletions cookbook/security/entity_provider.rst
Expand Up @@ -525,213 +525,6 @@ This tells Symfony to *not* query automatically for the User. Instead, when
someone logs in, the ``loadUserByUsername()`` method on ``UserRepository``
will be called.

Managing Roles in the Database
------------------------------

The end of this tutorial focuses on how to store and retrieve a list of roles
from the database. As mentioned previously, when your user is loaded, its
``getRoles()`` method returns the array of security roles that should be
assigned to the user. You can load this data from anywhere - a hardcoded
list used for all users (e.g. ``array('ROLE_USER')``), a Doctrine array
property called ``roles``, or via a Doctrine relationship, as you'll learn
about in this section.

.. caution::

In a typical setup, you should always return at least 1 role from the ``getRoles()``
method. By convention, a role called ``ROLE_USER`` is usually returned.
If you fail to return any roles, it may appear as if your user isn't
authenticated at all.

.. caution::

In order to work with the security configuration examples on this page
all roles must be prefixed with ``ROLE_`` (see
the :ref:`section about roles <book-security-roles>` in the book). For
example, your roles will be ``ROLE_ADMIN`` or ``ROLE_USER`` instead of
``ADMIN`` or ``USER``.

In this example, the ``AppBundle:User`` entity class defines a
many-to-many relationship with a ``AppBundle:Role`` entity class.
A user can be related to several roles and a role can be composed of
one or more users. The previous ``getRoles()`` method now returns
the list of related roles. Notice that ``__construct()`` and ``getRoles()``
methods have changed::

// src/AppBundle/Entity/User.php
namespace AppBundle\Entity;

use Doctrine\Common\Collections\ArrayCollection;
// ...

class User implements AdvancedUserInterface, \Serializable
{
// ...

/**
* @ORM\ManyToMany(targetEntity="Role", inversedBy="users")
*
*/
private $roles;

public function __construct()
{
$this->roles = new ArrayCollection();
}

public function getRoles()
{
return $this->roles->toArray();
}

// ...

}

The ``AppBundle:Role`` entity class defines three fields (``id``,
``name`` and ``role``). The unique ``role`` field contains the role name
(e.g. ``ROLE_ADMIN``) used by the Symfony security layer to secure parts
of the application::

// src/AppBundle/Entity/Role.php
namespace AppBundle\Entity;

use Symfony\Component\Security\Core\Role\RoleInterface;
use Doctrine\Common\Collections\ArrayCollection;
use Doctrine\ORM\Mapping as ORM;

/**
* @ORM\Table(name="app_role")
* @ORM\Entity()
*/
class Role implements RoleInterface
{
/**
* @ORM\Column(name="id", type="integer")
* @ORM\Id()
* @ORM\GeneratedValue(strategy="AUTO")
*/
private $id;

/**
* @ORM\Column(name="name", type="string", length=30)
*/
private $name;

/**
* @ORM\Column(name="role", type="string", length=20, unique=true)
*/
private $role;

/**
* @ORM\ManyToMany(targetEntity="User", mappedBy="roles")
*/
private $users;

public function __construct()
{
$this->users = new ArrayCollection();
}

/**
* @see RoleInterface
*/
public function getRole()
{
return $this->role;
}

// ... getters and setters for each property
}

For brevity, the getter and setter methods are hidden, but you can
:ref:`generate them <book-doctrine-generating-getters-and-setters>`:

.. code-block:: bash
$ php app/console doctrine:generate:entities AppBundle/Entity/User
Don't forget also to update your database schema:

.. code-block:: bash
$ php app/console doctrine:schema:update --force
This will create the ``app_role`` table and a ``user_role`` that stores
the many-to-many relationship between ``app_user`` and ``app_role``. If
you had one user linked to one role, your database might look something like
this:

.. code-block:: bash
$ mysql> SELECT * FROM app_role;
+----+-------+------------+
| id | name | role |
+----+-------+------------+
| 1 | admin | ROLE_ADMIN |
+----+-------+------------+
$ mysql> SELECT * FROM user_role;
+---------+---------+
| user_id | role_id |
+---------+---------+
| 1 | 1 |
+---------+---------+
And that's it! When the user logs in, Symfony security system will call the
``User::getRoles`` method. This will return an array of ``Role`` objects
that Symfony will use to determine if the user should have access to certain
parts of the system.

.. sidebar:: What's the purpose of the RoleInterface?

Notice that the ``Role`` class implements
:class:`Symfony\\Component\\Security\\Core\\Role\\RoleInterface`. This is
because Symfony's security system requires that the ``User::getRoles`` method
returns an array of either role strings or objects that implement this interface.
If ``Role`` didn't implement this interface, then ``User::getRoles``
would need to iterate over all the ``Role`` objects, call ``getRole``
on each, and create an array of strings to return. Both approaches are
valid and equivalent.

.. _cookbook-doctrine-entity-provider-role-db-schema:

Improving Performance with a Join
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To improve performance and avoid lazy loading of roles when retrieving a user
from the custom entity provider, you can use a Doctrine join to the roles
relationship in the ``UserRepository::loadUserByUsername()`` method. This will
fetch the user and their associated roles with a single query::

// src/AppBundle/Entity/UserRepository.php
namespace AppBundle\Entity;

// ...

class UserRepository extends EntityRepository implements UserProviderInterface
{
public function loadUserByUsername($username)
{
$q = $this
->createQueryBuilder('u')
->select('u, r')
->leftJoin('u.roles', 'r')
->where('u.username = :username OR u.email = :email')
->setParameter('username', $username)
->setParameter('email', $username)
->getQuery();

// ...
}

// ...
}

The ``QueryBuilder::leftJoin()`` method joins and fetches related roles from
the ``AppBundle:User`` model class when a user is retrieved by their email
address or username.

.. _`cookbook-security-serialize-equatable`:

Understanding serialize and how a User is Saved in the Session
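Review bot: Deleting the whole section also removes the ``.. _cookbook-doctrine-entity-provider-role-db-schema:`` label, so any ``:ref:`` pointing at it elsewhere in the docs will now fail the build; grep for that label before merging. Two pieces of guidance in the removed text are security-relevant regardless of how roles are stored: the caution that ``getRoles()`` must return at least one role (by convention ``ROLE_USER``) or the user may appear unauthenticated, and the requirement that roles be prefixed with ``ROLE_`` for the security configuration to match them. Consider keeping those two paragraphs in the remaining entity-provider text, since the ``loadUserByUsername()`` discussion just above still relies on them.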