[Validation] Activate auto-mapped validation via an annotation #32070
Comments
|
/cc @dunglas |
|
I didn't anticipated this case, and it's indeed a problem. However, it's a very specific one, that should be the exception, not the standard. Having to manually enabling auto-validation kind of defects the point of the feature: catching missing validation constraints, and providing a basic security by default. I do like the proposed annotations, but as this feature already has to be enabled explicitly in the configuration, I would prefer to have auto-validation enabled by default, and annotations allowing to opt-out: // Automatic validation is enabled, as currently
class Foo {
private $password;
}
// Automatic validation is disabled for the given property only
class Foo {
/** @DisableAutomaticValidation */
private $password;
}
// Automatic validation is disabled for the whole class
/** @DisableAutomaticValidation */
class Foo {
private $password;
private $foo;
}It's a better security practice to let the user enabling the potentially insecure feature, than having to optin for the secure behavior. WDYT? Such annotations will also fix #32015. |
|
Hmm, yes, I think we can try this :). 2 more questions:
Cheers! |
|
FYI we’ve disabled auto-mapping in the recipe for now. |
|
I’ll work on patch tonight. I also agree it qualifies as a bug fix. |
We would need to create that pack too :). But, looking into it, I don't think that any of the Symfony components directly require In MakerBundle, we *could( also (in any commands that require the validator) make sure that PropertyInfo is installed.
Also... any ideas for a non-quick fix? :) Or is the pack the only thing we can think of? |
Another alternative is to make |
|
I recognized an additional case / issue with the Doctrine Extension "Timestampable". |
|
Any way to fix validation for Doctrine Extension "Timestampable"? |
…sable auto-validation (dunglas) This PR was squashed before being merged into the 4.4 branch (closes #32107). Discussion ---------- [Validator] Add AutoMapping constraint to enable or disable auto-validation | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files --> | Tests pass? | yes <!-- please add some, will be required by reviewers --> | Fixed tickets | #32070, #32015 <!-- #-prefixed issue number(s), if any --> | License | MIT | Doc PR | todo As discussed in #32070 and #32015, it's sometimes mandatory to prevent some classes or properties to be auto mapped (auto-validated). This PR introduces a new constraint, `@AutoMapping` allowing to do exactly that. Examples: Class: ```php use Doctrine\ORM\Mapping as ORM; use Symfony\Component\Validator\Constraints as Assert; /** * @Orm\Entity * @Assert\AutoMapping(false) */ class DoctrineLoaderNoAutoMappingEntity { /** * @Orm\Id * @Orm\Column */ public $id; /** * @Orm\Column(length=20, unique=true) */ public $maxLength; } ``` Property: ```php namespace Symfony\Bridge\Doctrine\Tests\Fixtures; use Doctrine\ORM\Mapping as ORM; use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity; use Symfony\Component\Validator\Constraints as Assert; /** * @Orm\Entity */ class DoctrineLoaderEntity extends DoctrineLoaderParentEntity { /** * @Orm\Id * @Orm\Column */ public $id; /** * @Orm\Column(length=10) * @Assert\AutoMapping(false) */ public $noAutoMapping; } ``` The rules are the following: * If the constraint is present on a property, and set to true, auto-mapping is always on, regardless of the config, and of any class level annotation * If the constraint is present on a property, and set to false, auto-mapping is always off, regardless of the config, and of any class level annotation * If the constraint is present on a class, and set to true, auto-mapping is always on except if a the annotation has been added to a specific property, and regardless of the config * If the constraint is present on a class, and set to false, auto-mapping is always off except if a the annotation has been added to a specific property, and regardless of the config Commits ------- f6519ce [Validator] Add AutoMapping constraint to enable or disable auto-validation
Description
The new auto-mapping validation feature is activated via configuration. I think this is too obtuse, and people are wondering "Why is this field required? Where did that validation come from"?
The problem is that ALL your validation currently lives as annotations (or XML, YAML)... except that now this automatic system is activated in an entirely different location. Additionally, the auto-mapping (as nice at it is) is imperfect - and always will be - automatic things will never always get it right. For example,
make:registrationis broken with auto-mapping as the feature addsNotNullto the$passwordfield, which will eventually hold the encoded password. This field should not have validation - symfony/maker-bundle#412Additionally, an annotation would allow you to specify the validation group.
Example
And ideally you could disable it automatic constraints on a property-by-property basis:
This makes the feature a bit less useful, I admit. But my initial instinct is that this is causing a bit more pain than convenience.
Btw, an added problem is that the presence/absence of
symfony/property-infomakes this feature behave differently - and that's very not obvious.The text was updated successfully, but these errors were encountered: