From 75559422251e4ce53d305c178ecc3433a5d06d4e Mon Sep 17 00:00:00 2001 From: Jhonny Lidfors Date: Fri, 10 Apr 2015 08:15:12 +0000 Subject: [PATCH 1/8] Use correct Session namespace --- book/internals.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/book/internals.rst b/book/internals.rst index 0aebef69362..ff9e8c6f5cf 100644 --- a/book/internals.rst +++ b/book/internals.rst @@ -40,8 +40,8 @@ variables: * The :class:`Symfony\\Component\\HttpFoundation\\Response` class abstracts some PHP functions like ``header()``, ``setcookie()``, and ``echo``; -* The :class:`Symfony\\Component\\HttpFoundation\\Session` class and - :class:`Symfony\\Component\\HttpFoundation\\SessionStorage\\SessionStorageInterface` +* The :class:`Symfony\\Component\\HttpFoundation\\Session\\Session` class and + :class:`Symfony\\Component\\HttpFoundation\\Session\\Storage\\SessionStorageInterface` interface abstract session management ``session_*()`` functions. .. note:: From 6ecf3b0a0e5a84c0229186505d4857d08e4460fa Mon Sep 17 00:00:00 2001 From: Nicola Pietroluongo Date: Fri, 10 Apr 2015 09:36:43 +0100 Subject: [PATCH 2/8] Fix misplelled XliffFileLoader class in the Using Message Domains example --- components/translation/introduction.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/translation/introduction.rst b/components/translation/introduction.rst index c8130e6f7ec..69b9e5d15ae 100644 --- a/components/translation/introduction.rst +++ b/components/translation/introduction.rst @@ -186,7 +186,7 @@ organization, translations were split into three different domains: loaded like this:: // ... - $translator->addLoader('xliff', new XliffLoader()); + $translator->addLoader('xliff', new XliffFileLoader()); $translator->addResource('xliff', 'messages.fr.xliff', 'fr_FR'); $translator->addResource('xliff', 'admin.fr.xliff', 'fr_FR', 'admin'); From e34d663665bd755396da800c8bf46236c918de8d Mon Sep 17 00:00:00 2001 
From: Christian Flothmann Date: Mon, 13 Apr 2015 17:10:45 +0200 Subject: [PATCH 3/8] add missing security advisories --- contributing/code/security.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/contributing/code/security.rst b/contributing/code/security.rst index 8275729972b..794abbb4157 100644 --- a/contributing/code/security.rst +++ b/contributing/code/security.rst @@ -96,6 +96,12 @@ Security Advisories This section indexes security vulnerabilities that were fixed in Symfony releases, starting from Symfony 1.0.0: +* April 1, 2015: `CVE-2015-2309: Unsafe methods in the Request class `_ (Symfony 2.3.27, 2.5.11 and 2.6.6) +* April 1, 2015: `CVE-2015-2308: Esi Code Injection `_ (Symfony 2.3.27, 2.5.11 and 2.6.6) +* September 3, 2014: `CVE-2014-6072: CSRF vulnerability in the Web Profiler `_ (Symfony 2.3.19, 2.4.9 and 2.5.4) +* September 3, 2014: `CVE-2014-6061: Security issue when parsing the Authorization header `_ (Symfony 2.3.19, 2.4.9 and 2.5.4) +* September 3, 2014: `CVE-2014-5245: Direct access of ESI URLs behind a trusted proxy `_ (Symfony 2.3.19, 2.4.9 and 2.5.4) +* September 3, 2014: `CVE-2014-5244: Denial of service with a malicious HTTP Host header `_ (Symfony 2.3.19, 2.4.9 and 2.5.4) * July 15, 2014: `Security releases: Symfony 2.3.18, 2.4.8, and 2.5.2 released `_ (`CVE-2014-4931 `_) * October 10, 2013: `Security releases: Symfony 2.0.25, 2.1.13, 2.2.9, and 2.3.6 released `_ (`CVE-2013-5958 `_) * August 7, 2013: `Security releases: Symfony 2.0.24, 2.1.12, 2.2.5, and 2.3.3 released `_ (`CVE-2013-4751 `_ and `CVE-2013-4752 `_) From 6c9ce9c344897af7014efc6e55731a43b29c495e Mon Sep 17 00:00:00 2001 
From: Ryan Weaver Date: Wed, 15 Apr 2015 20:05:23 -0400 Subject: [PATCH 4/8] Removing a section about Roles that I think has no real use-case It was added 4 years ago at sha: 5a2824b6, and it's original purpose was to talk about Roles as domain objects. If this has a real-use case, then we should clarify what it is, and move it to its own cookbook. This is a details that beginners are trying to deal with, unnecessarily. --- cookbook/security/entity_provider.rst | 207 -------------------------- 1 file changed, 207 deletions(-) diff --git a/cookbook/security/entity_provider.rst b/cookbook/security/entity_provider.rst index afdb719fd4a..a46fab48d02 100644 --- a/cookbook/security/entity_provider.rst +++ b/cookbook/security/entity_provider.rst 
@@ -525,213 +525,6 @@ This tells Symfony to *not* query automatically for the User. Instead, when someone logs in, the ``loadUserByUsername()`` method on ``UserRepository`` will be called. -Managing Roles in the Database ------------------------------- - -The end of this tutorial focuses on how to store and retrieve a list of roles -from the database. As mentioned previously, when your user is loaded, its -``getRoles()`` method returns the array of security roles that should be -assigned to the user. You can load this data from anywhere - a hardcoded -list used for all users (e.g. ``array('ROLE_USER')``), a Doctrine array -property called ``roles``, or via a Doctrine relationship, as you'll learn -about in this section. - -.. caution:: - - In a typical setup, you should always return at least 1 role from the ``getRoles()`` - method. By convention, a role called ``ROLE_USER`` is usually returned. - If you fail to return any roles, it may appear as if your user isn't - authenticated at all. - -.. caution:: - - In order to work with the security configuration examples on this page - all roles must be prefixed with ``ROLE_`` (see - the :ref:`section about roles ` in the book). For - example, your roles will be ``ROLE_ADMIN`` or ``ROLE_USER`` instead of - ``ADMIN`` or ``USER``. - -In this example, the ``AppBundle:User`` entity class defines a -many-to-many relationship with a ``AppBundle:Role`` entity class. -A user can be related to several roles and a role can be composed of -one or more users. The previous ``getRoles()`` method now returns -the list of related roles. Notice that ``__construct()`` and ``getRoles()`` -methods have changed:: - - // src/AppBundle/Entity/User.php - namespace AppBundle\Entity; - - use Doctrine\Common\Collections\ArrayCollection; - // ... - - class User implements AdvancedUserInterface, \Serializable - { - // ... 
- - /** - * @ORM\ManyToMany(targetEntity="Role", inversedBy="users") - * - */ - private $roles; - - public function __construct() - { - $this->roles = new ArrayCollection(); - } - - public function getRoles() - { - return $this->roles->toArray(); - } - - // ... - - } - -The ``AppBundle:Role`` entity class defines three fields (``id``, -``name`` and ``role``). The unique ``role`` field contains the role name -(e.g. ``ROLE_ADMIN``) used by the Symfony security layer to secure parts -of the application:: - - // src/AppBundle/Entity/Role.php - namespace AppBundle\Entity; - - use Symfony\Component\Security\Core\Role\RoleInterface; - use Doctrine\Common\Collections\ArrayCollection; - use Doctrine\ORM\Mapping as ORM; - - /** - * @ORM\Table(name="app_role") - * @ORM\Entity() - */ - class Role implements RoleInterface - { - /** - * @ORM\Column(name="id", type="integer") - * @ORM\Id() - * @ORM\GeneratedValue(strategy="AUTO") - */ - private $id; - - /** - * @ORM\Column(name="name", type="string", length=30) - */ - private $name; - - /** - * @ORM\Column(name="role", type="string", length=20, unique=true) - */ - private $role; - - /** - * @ORM\ManyToMany(targetEntity="User", mappedBy="roles") - */ - private $users; - - public function __construct() - { - $this->users = new ArrayCollection(); - } - - /** - * @see RoleInterface - */ - public function getRole() - { - return $this->role; - } - - // ... getters and setters for each property - } - -For brevity, the getter and setter methods are hidden, but you can -:ref:`generate them `: - -.. code-block:: bash - - $ php app/console doctrine:generate:entities AppBundle/Entity/User - -Don't forget also to update your database schema: - -.. code-block:: bash - - $ php app/console doctrine:schema:update --force - -This will create the ``app_role`` table and a ``user_role`` that stores -the many-to-many relationship between ``app_user`` and ``app_role``. 
If -you had one user linked to one role, your database might look something like -this: - -.. code-block:: bash - - $ mysql> SELECT * FROM app_role; - +----+-------+------------+ - | id | name | role | - +----+-------+------------+ - | 1 | admin | ROLE_ADMIN | - +----+-------+------------+ - - $ mysql> SELECT * FROM user_role; - +---------+---------+ - | user_id | role_id | - +---------+---------+ - | 1 | 1 | - +---------+---------+ - -And that's it! When the user logs in, Symfony security system will call the -``User::getRoles`` method. This will return an array of ``Role`` objects -that Symfony will use to determine if the user should have access to certain -parts of the system. - -.. sidebar:: What's the purpose of the RoleInterface? - - Notice that the ``Role`` class implements - :class:`Symfony\\Component\\Security\\Core\\Role\\RoleInterface`. This is - because Symfony's security system requires that the ``User::getRoles`` method - returns an array of either role strings or objects that implement this interface. - If ``Role`` didn't implement this interface, then ``User::getRoles`` - would need to iterate over all the ``Role`` objects, call ``getRole`` - on each, and create an array of strings to return. Both approaches are - valid and equivalent. - -.. _cookbook-doctrine-entity-provider-role-db-schema: - -Improving Performance with a Join -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -To improve performance and avoid lazy loading of roles when retrieving a user -from the custom entity provider, you can use a Doctrine join to the roles -relationship in the ``UserRepository::loadUserByUsername()`` method. This will -fetch the user and their associated roles with a single query:: - - // src/AppBundle/Entity/UserRepository.php - namespace AppBundle\Entity; - - // ... 
- - class UserRepository extends EntityRepository implements UserProviderInterface - { - public function loadUserByUsername($username) - { - $q = $this - ->createQueryBuilder('u') - ->select('u, r') - ->leftJoin('u.roles', 'r') - ->where('u.username = :username OR u.email = :email') - ->setParameter('username', $username) - ->setParameter('email', $username) - ->getQuery(); - - // ... - } - - // ... - } - -The ``QueryBuilder::leftJoin()`` method joins and fetches related roles from -the ``AppBundle:User`` model class when a user is retrieved by their email -address or username. - .. _`cookbook-security-serialize-equatable`: Understanding serialize and how a User is Saved in the Session From ed219a72363e73bd20353605ac997baf6eb6fa62 Mon Sep 17 00:00:00 2001 From: Nicola Pietroluongo Date: Fri, 10 Apr 2015 09:36:43 +0100 Subject: [PATCH 5/8] Fix misplelled XliffFileLoader class in the Using Message Domains example --- components/translation/introduction.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/translation/introduction.rst b/components/translation/introduction.rst index c637dce0b5a..02cb543424b 100644 --- a/components/translation/introduction.rst +++ b/components/translation/introduction.rst @@ -188,7 +188,7 @@ organization, translations were split into three different domains: loaded like this:: // ... - $translator->addLoader('xliff', new XliffLoader()); + $translator->addLoader('xliff', new XliffFileLoader()); $translator->addResource('xliff', 'messages.fr.xliff', 'fr_FR'); $translator->addResource('xliff', 'admin.fr.xliff', 'fr_FR', 'admin'); From 6fb2eeae5abdf4f401c58755681f63232c104419 Mon Sep 17 00:00:00 2001 From: WouterJ Date: Thu, 16 Apr 2015 17:16:25 +0200 Subject: [PATCH 6/8] bug #5162 Fix misplelled XliffFileLoader class in the Using Domains (Nicola Pietroluongo) From ecaa55904764bf03a828c56d360e0b331a3ed785 Mon Sep 17 00:00:00 2001 
From: Maks3w Date: Sat, 11 Apr 2015 18:15:57 +0200 Subject: [PATCH 7/8] Add version 2.8 to the release roadmap Following the announced published at http://symfony.com/blog/transition-from-symfony-2-7-to-3-0-symfony-2-8-on-its-way > Symfony 2.8 will be released in November 2015 at the same time as Symfony 3.0. Symfony 2.8 is going to be a LTS release as well to allow people to still have a year to upgrade from 2.8 to 3.2 when it comes out (3.2 being the next LTS release and the first one of the 3.x branch). --- contributing/community/releases.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/contributing/community/releases.rst b/contributing/community/releases.rst index 988e39dc38f..9088472abb4 100644 --- a/contributing/community/releases.rst +++ b/contributing/community/releases.rst @@ -98,7 +98,8 @@ Version Feature Freeze Release End of Maintenance End of Life 2.4 09/2013 11/2013 09/2014 (10 months [1]_) 01/2015 2.5 03/2014 05/2014 01/2015 (8 months) 07/2015 2.6 09/2014 11/2014 07/2015 (8 months) 01/2016 -**2.7** 03/2015 05/2015 05/2018 (36 months [2]_) 05/2019 +**2.7** 03/2015 05/2015 05/2018 (36 months) 05/2019 +**2.8** 09/2015 11/2015 11/2018 (36 months [2]_) 11/2019 3.0 09/2015 11/2015 07/2016 (8 months) 01/2017 3.1 03/2016 05/2016 01/2017 (8 months) 07/2017 3.2 09/2016 11/2016 07/2017 (8 months) 01/2018 @@ -107,7 +108,7 @@ Version Feature Freeze Release End of Maintenance End of Life ======= ============== ======= ======================== =========== .. [1] Symfony 2.4 maintenance has been `extended to September 2014`_. -.. [2] Symfony 2.7 is the last version of the Symfony 2.x branch. +.. [2] Symfony 2.8 is the last version of the Symfony 2.x branch. .. tip:: From 12df567be15a8d920f4dc746e55f1af1b28ac0b4 Mon Sep 17 00:00:00 2001 From: Vladimir Gavrylov Date: Thu, 16 Apr 2015 18:40:13 +0300 Subject: [PATCH 8/8] Fix broken link in security chapter --- book/security.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/book/security.rst b/book/security.rst index bd4d91fba16..2bf071c0cbe 100644 --- a/book/security.rst +++ b/book/security.rst @@ -1000,7 +1000,7 @@ the User object, and use the ``isGranted`` method (or Retrieving the User in a Template ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -In a Twig Template this object can be accessed via the `app.user `_ +In a Twig Template this object can be accessed via the :ref:`app.user ` key: .. configuration-block::
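Review bot: (PATCH 2/8, components/translation/introduction.rst @@ -186) the `// ...` elision above the changed line hides the snippet's `use` import; if that import still reads `XliffLoader`, the rename is only half done. Check the full example for a matching `use Symfony\Component\Translation\Loader\XliffFileLoader;` before merging.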
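Review bot: (PATCH 3/8, contributing/code/security.rst @@ -96) the six added entries use a different shape from the existing ones: CVE title first with the fixed releases in parentheses, whereas the entries below lead with the "Security releases: ... released" announcement and put the CVE link in parentheses. Pick one shape for the whole list, for example `* April 1, 2015: \`Security releases: Symfony 2.3.27, 2.5.11 and 2.6.6 released\`_ (\`CVE-2015-2309\`_ and \`CVE-2015-2308\`_)`. The descending date order (April 2015, September 2014, July 2014) is right.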
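Review bot: (PATCH 4/8, cookbook/security/entity_provider.rst @@ -525) deleting the section also deletes the `.. _cookbook-doctrine-entity-provider-role-db-schema:` label, so any `:ref:` to it elsewhere in the docs becomes an undefined-label warning at build time; grep for the label before merging. The two `.. caution::` blocks (return at least `ROLE_USER` from `getRoles()`, prefix every role with `ROLE_`) are not specific to the many-to-many storage and are exactly what entity-provider readers trip over; consider keeping them next to the surviving `loadUserByUsername()` text rather than dropping them with the section.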
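Review bot: (PATCH 5/8 and 6/8) PATCH 5/8 repeats the PATCH 2/8 hunk byte for byte against a different blob index (c637dce0b5a vs c8130e6f7ec), and PATCH 6/8 is the merge commit with no diff at all. Applied in sequence the second copy finds `XliffLoader` already replaced and will not apply cleanly; the series looks like a branch merged back on top of itself. Drop 5 and 6, or rebase so the fix appears once.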
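Review bot: (PATCH 7/8, contributing/community/releases.rst @@ -98) the commit message quotes "3.2 being the next LTS release", but the unchanged 3.2 row still reads `07/2017 (8 months)`; either update that row or leave the LTS claim out of the message so the table and the rationale agree. Moving footnote `[2]` from 2.7 to 2.8 matches the new footnote text, and 2.7 correctly keeps its `(36 months)` entry.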
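Review bot: (PATCH 8/8, book/security.rst @@ -1000) replacing the external link with `:ref:` means the `app.user` target must be a label defined somewhere in the docs build, otherwise Sphinx emits an undefined-label warning and the link is dropped from the output; verify the target resolves in a local build.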