diff --git a/book/internals.rst b/book/internals.rst index f0c1a86c2fd..51d27da51fd 100644 --- a/book/internals.rst +++ b/book/internals.rst @@ -40,8 +40,8 @@ variables: * The :class:`Symfony\\Component\\HttpFoundation\\Response` class abstracts some PHP functions like ``header()``, ``setcookie()``, and ``echo``; -* The :class:`Symfony\\Component\\HttpFoundation\\Session` class and - :class:`Symfony\\Component\\HttpFoundation\\SessionStorage\\SessionStorageInterface` +* The :class:`Symfony\\Component\\HttpFoundation\\Session\\Session` class and + :class:`Symfony\\Component\\HttpFoundation\\Session\\Storage\\SessionStorageInterface` interface abstract session management ``session_*()`` functions. .. note:: diff --git a/book/security.rst b/book/security.rst index a301fca0b4a..2f3ed0f30a6 100644 --- a/book/security.rst +++ b/book/security.rst @@ -1069,7 +1069,7 @@ the User object, and use the ``isGranted`` method (or Retrieving the User in a Template ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -In a Twig Template this object can be accessed via the `app.user `_ +In a Twig Template this object can be accessed via the :ref:`app.user ` key: .. configuration-block:: diff --git a/components/translation/introduction.rst b/components/translation/introduction.rst index c8130e6f7ec..69b9e5d15ae 100644 --- a/components/translation/introduction.rst +++ b/components/translation/introduction.rst @@ -186,7 +186,7 @@ organization, translations were split into three different domains: loaded like this:: // ... - $translator->addLoader('xliff', new XliffLoader()); + $translator->addLoader('xliff', new XliffFileLoader()); $translator->addResource('xliff', 'messages.fr.xliff', 'fr_FR'); $translator->addResource('xliff', 'admin.fr.xliff', 'fr_FR', 'admin'); diff --git a/contributing/code/security.rst b/contributing/code/security.rst index 0cf3bb3cfb3..df1d8b58574 100644 --- a/contributing/code/security.rst +++ b/contributing/code/security.rst 
@@ -103,6 +103,12 @@ Security Advisories This section indexes security vulnerabilities that were fixed in Symfony releases, starting from Symfony 1.0.0: +* April 1, 2015: `CVE-2015-2309: Unsafe methods in the Request class `_ (Symfony 2.3.27, 2.5.11 and 2.6.6) +* April 1, 2015: `CVE-2015-2308: Esi Code Injection `_ (Symfony 2.3.27, 2.5.11 and 2.6.6) +* September 3, 2014: `CVE-2014-6072: CSRF vulnerability in the Web Profiler `_ (Symfony 2.3.19, 2.4.9 and 2.5.4) +* September 3, 2014: `CVE-2014-6061: Security issue when parsing the Authorization header `_ (Symfony 2.3.19, 2.4.9 and 2.5.4) +* September 3, 2014: `CVE-2014-5245: Direct access of ESI URLs behind a trusted proxy `_ (Symfony 2.3.19, 2.4.9 and 2.5.4) +* September 3, 2014: `CVE-2014-5244: Denial of service with a malicious HTTP Host header `_ (Symfony 2.3.19, 2.4.9 and 2.5.4) * July 15, 2014: `Security releases: Symfony 2.3.18, 2.4.8, and 2.5.2 released `_ (`CVE-2014-4931 `_) * October 10, 2013: `Security releases: Symfony 2.0.25, 2.1.13, 2.2.9, and 2.3.6 released `_ (`CVE-2013-5958 `_) * August 7, 2013: `Security releases: Symfony 2.0.24, 2.1.12, 2.2.5, and 2.3.3 released `_ (`CVE-2013-4751 `_ and `CVE-2013-4752 `_) diff --git a/contributing/community/releases.rst b/contributing/community/releases.rst index 988e39dc38f..9088472abb4 100644 --- a/contributing/community/releases.rst +++ b/contributing/community/releases.rst @@ -98,7 +98,8 @@ Version Feature Freeze Release End of Maintenance End of Life 2.4 09/2013 11/2013 09/2014 (10 months [1]_) 01/2015 2.5 03/2014 05/2014 01/2015 (8 months) 07/2015 2.6 09/2014 11/2014 07/2015 (8 months) 01/2016 -**2.7** 03/2015 05/2015 05/2018 (36 months [2]_) 05/2019 +**2.7** 03/2015 05/2015 05/2018 (36 months) 05/2019 +**2.8** 09/2015 11/2015 11/2018 (36 months [2]_) 11/2019 3.0 09/2015 11/2015 07/2016 (8 months) 01/2017 3.1 03/2016 05/2016 01/2017 (8 months) 07/2017 3.2 09/2016 11/2016 07/2017 (8 months) 01/2018 
@@ -107,7 +108,7 @@ Version Feature Freeze Release End of Maintenance End of Life ======= ============== ======= ======================== =========== .. [1] Symfony 2.4 maintenance has been `extended to September 2014`_. -.. [2] Symfony 2.7 is the last version of the Symfony 2.x branch. +.. [2] Symfony 2.8 is the last version of the Symfony 2.x branch. .. tip:: diff --git a/cookbook/security/entity_provider.rst b/cookbook/security/entity_provider.rst index bca65414289..9acd055705f 100644 --- a/cookbook/security/entity_provider.rst +++ b/cookbook/security/entity_provider.rst 
@@ -525,213 +525,6 @@ This tells Symfony to *not* query automatically for the User. Instead, when someone logs in, the ``loadUserByUsername()`` method on ``UserRepository`` will be called. -Managing Roles in the Database ------------------------------- - -The end of this tutorial focuses on how to store and retrieve a list of roles -from the database. As mentioned previously, when your user is loaded, its -``getRoles()`` method returns the array of security roles that should be -assigned to the user. You can load this data from anywhere - a hardcoded -list used for all users (e.g. ``array('ROLE_USER')``), a Doctrine array -property called ``roles``, or via a Doctrine relationship, as you'll learn -about in this section. - -.. caution:: - - In a typical setup, you should always return at least 1 role from the ``getRoles()`` - method. By convention, a role called ``ROLE_USER`` is usually returned. - If you fail to return any roles, it may appear as if your user isn't - authenticated at all. - -.. caution:: - - In order to work with the security configuration examples on this page - all roles must be prefixed with ``ROLE_`` (see - the :ref:`section about roles ` in the book). For - example, your roles will be ``ROLE_ADMIN`` or ``ROLE_USER`` instead of - ``ADMIN`` or ``USER``. - -In this example, the ``AppBundle:User`` entity class defines a -many-to-many relationship with a ``AppBundle:Role`` entity class. -A user can be related to several roles and a role can be composed of -one or more users. The previous ``getRoles()`` method now returns -the list of related roles. Notice that ``__construct()`` and ``getRoles()`` -methods have changed:: - - // src/AppBundle/Entity/User.php - namespace AppBundle\Entity; - - use Doctrine\Common\Collections\ArrayCollection; - // ... - - class User implements AdvancedUserInterface, \Serializable - { - // ... 
- - /** - * @ORM\ManyToMany(targetEntity="Role", inversedBy="users") - * - */ - private $roles; - - public function __construct() - { - $this->roles = new ArrayCollection(); - } - - public function getRoles() - { - return $this->roles->toArray(); - } - - // ... - - } - -The ``AppBundle:Role`` entity class defines three fields (``id``, -``name`` and ``role``). The unique ``role`` field contains the role name -(e.g. ``ROLE_ADMIN``) used by the Symfony security layer to secure parts -of the application:: - - // src/AppBundle/Entity/Role.php - namespace AppBundle\Entity; - - use Symfony\Component\Security\Core\Role\RoleInterface; - use Doctrine\Common\Collections\ArrayCollection; - use Doctrine\ORM\Mapping as ORM; - - /** - * @ORM\Table(name="app_role") - * @ORM\Entity() - */ - class Role implements RoleInterface - { - /** - * @ORM\Column(name="id", type="integer") - * @ORM\Id() - * @ORM\GeneratedValue(strategy="AUTO") - */ - private $id; - - /** - * @ORM\Column(name="name", type="string", length=30) - */ - private $name; - - /** - * @ORM\Column(name="role", type="string", length=20, unique=true) - */ - private $role; - - /** - * @ORM\ManyToMany(targetEntity="User", mappedBy="roles") - */ - private $users; - - public function __construct() - { - $this->users = new ArrayCollection(); - } - - /** - * @see RoleInterface - */ - public function getRole() - { - return $this->role; - } - - // ... getters and setters for each property - } - -For brevity, the getter and setter methods are hidden, but you can -:ref:`generate them `: - -.. code-block:: bash - - $ php app/console doctrine:generate:entities AppBundle/Entity/User - -Don't forget also to update your database schema: - -.. code-block:: bash - - $ php app/console doctrine:schema:update --force - -This will create the ``app_role`` table and a ``user_role`` that stores -the many-to-many relationship between ``app_user`` and ``app_role``. 
If -you had one user linked to one role, your database might look something like -this: - -.. code-block:: bash - - $ mysql> SELECT * FROM app_role; - +----+-------+------------+ - | id | name | role | - +----+-------+------------+ - | 1 | admin | ROLE_ADMIN | - +----+-------+------------+ - - $ mysql> SELECT * FROM user_role; - +---------+---------+ - | user_id | role_id | - +---------+---------+ - | 1 | 1 | - +---------+---------+ - -And that's it! When the user logs in, Symfony security system will call the -``User::getRoles`` method. This will return an array of ``Role`` objects -that Symfony will use to determine if the user should have access to certain -parts of the system. - -.. sidebar:: What's the purpose of the RoleInterface? - - Notice that the ``Role`` class implements - :class:`Symfony\\Component\\Security\\Core\\Role\\RoleInterface`. This is - because Symfony's security system requires that the ``User::getRoles`` method - returns an array of either role strings or objects that implement this interface. - If ``Role`` didn't implement this interface, then ``User::getRoles`` - would need to iterate over all the ``Role`` objects, call ``getRole`` - on each, and create an array of strings to return. Both approaches are - valid and equivalent. - -.. _cookbook-doctrine-entity-provider-role-db-schema: - -Improving Performance with a Join -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -To improve performance and avoid lazy loading of roles when retrieving a user -from the custom entity provider, you can use a Doctrine join to the roles -relationship in the ``UserRepository::loadUserByUsername()`` method. This will -fetch the user and their associated roles with a single query:: - - // src/AppBundle/Entity/UserRepository.php - namespace AppBundle\Entity; - - // ... 
- - class UserRepository extends EntityRepository implements UserProviderInterface - { - public function loadUserByUsername($username) - { - $q = $this - ->createQueryBuilder('u') - ->select('u, r') - ->leftJoin('u.roles', 'r') - ->where('u.username = :username OR u.email = :email') - ->setParameter('username', $username) - ->setParameter('email', $username) - ->getQuery(); - - // ... - } - - // ... - } - -The ``QueryBuilder::leftJoin()`` method joins and fetches related roles from -the ``AppBundle:User`` model class when a user is retrieved by their email -address or username. - .. _`cookbook-security-serialize-equatable`: Understanding serialize and how a User is Saved in the Session
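Review bot: In the book/security.rst hunk, the ``:ref:`` target for ``app.user`` is not visible (the label slot after the link text is empty as rendered here); confirm the label is defined on the page documenting the ``app`` Twig global, since an undefined label only produces a Sphinx warning and the text silently renders without a link.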
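Review bot: In the components/translation/introduction.rst hunk, ``new XliffFileLoader()`` needs a matching ``use`` import, but the ``// ...`` elides the top of the example; check that the import and any prose in the surrounding section still naming the old ``XliffLoader`` class are updated to ``XliffFileLoader`` as well, otherwise the example will not run as written.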
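Review bot: In the contributing/code/security.rst hunk, the six new advisory entries keep the newest-first ordering and consistent release triples, but their link targets are not visible here (each backticked title is followed by an empty target); verify every advisory URL before merge, because a broken link on the security-advisories index is exactly the page operators consult when deciding whether to upgrade. The new rows also use a "CVE-…: title" wording where the older rows use "Security releases: …"; either is fine, but the choice should be deliberate.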
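Review bot: In the contributing/community/releases.rst table hunk, moving the ``[2]_`` footnote marker from the 2.7 row to the new 2.8 row only reads correctly together with the footnote text change in the following hunk ("Symfony 2.8 is the last version of the Symfony 2.x branch"); the two hunks must land together or 2.7 keeps a footnote that no longer describes it. The 2.8 row also shares its feature-freeze and release dates (09/2015, 11/2015) with the 3.0 row; if the parallel release is intentional, a short sentence near the table would stop readers from taking it for a copy-paste error.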
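Review bot: In the cookbook/security/entity_provider.rst hunk, deleting the "Managing Roles in the Database" section also removes the ``.. _cookbook-doctrine-entity-provider-role-db-schema:`` label, so any ``:ref:`` elsewhere in the docs that points to it will break; grep for that label before merging. The removed text also carried two cautions that still apply to the entity-provider guidance that remains (``getRoles()`` must return at least one role, conventionally ``ROLE_USER``, or the user may appear unauthenticated; roles must carry the ``ROLE_`` prefix for the book's security configuration examples to work); consider keeping those two ``.. caution::`` blocks in the preceding section rather than dropping them along with the Doctrine many-to-many walkthrough and the ``leftJoin`` performance tip.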