[Security] Deprecated supportsAttribute and supportsClass methods #15151
Conversation
| @@ -77,6 +77,8 @@ public function decide(TokenInterface $token, array $attributes, $object = null) | |||
| */ | |||
| public function supportsAttribute($attribute) | |||
| { | |||
| trigger_error('The '.__METHOD__.' is deprecated since version 2.8 and will be removed in version 3.0.'); | |||
There was a problem hiding this comment.
You should append the trigger_error call with @
4da886e to
f98a05c
Compare
|
Thanks @dosten. Fixed everything you mentioned :) |
|
@wouterj I suggest you to mark methods as deprecated in the VoterInterface too, and to trigger the deprecation in the AbstractVoter when they are called. |
What do you mean? I use those methods on my Voters class, working with it. Sample: class DomainVoter extends AbstractVoter
{
const VIEW = 'view';
const EDIT = 'edit';
const DELETE = 'delete';
/**
* {@inheritdoc}
*/
protected function getSupportedClasses()
{
return [
'AppBundle\Entity\Domain',
];
}
/**
* {@inheritdoc}
*/
protected function getSupportedAttributes()
{
return [
self::VIEW,
self::EDIT,
self::DELETE,
];
}
/**
* @param string $attribute
* @param Domain $object
* @param UserInterface|string $user
*
* @return bool
*/
protected function isGranted($attribute, $object, $user = null)
{
return true; // Stuff
}
}What should be done instead of using those deprecated methods? |
|
@soullivaneuh if you look at the AbstractVoter, it uses these methods internally. But the methods of the interface are never used. |
|
And btw, the methods you are showing there are not the methods which are meant to be deprecated |
|
@wouterj Can you finish this one? |
|
@stof Indeed, my bad. Wrong reading. |
5bb4dd4 to
cb37f68
Compare
|
Updated this PR:
Fabbot's error is a bug in fabbot. |
|
👍 (should be rebased) |
|
ping @symfony/deciders |
| */ | ||
| protected function supports($attribute, $class) | ||
| { | ||
| @trigger_error('The getSupportedClasses and getSupportedAttributes methods are deprecated since version 2.8 and will be removed in version 3.0. Overwrite supports instead.'); |
There was a problem hiding this comment.
People have to override the supports method to see if the attribute and class are supported. If they didn't, this code will be executed and they will recieve a deprecation notice. If they did, this code is overriden and the deprecation notice isn't triggered.
The triggers in the getSupported* classes are there in case someone is executing this methods directly, to indicate that they have to use supports.
There was a problem hiding this comment.
Well, if this method is executed, then wouldn't the other deprecations also be triggered ? So basically here we will have at least 2 (and at most 3) deprecations warnings (one for the call on supports, which triggers this as BC, and one or two for the usage of getSupported* methods)
There was a problem hiding this comment.
Yes, but if we remove one of them, we'll loose information or we didn't cover all BC breaks. There are more cases in which you get 2 or more deprecation messages by using 1 deprecated feature (every deprecated setting configurable in yaml/xml/php for example)
There was a problem hiding this comment.
Getting the 2 deprecation messages for the deprecated calls to getSupported* are fine IMO, but I think the deprecation warning for this method is not necessary, that was my point.
cb37f68 to
64fd6bd
Compare
|
Rebased, so it can be merged directly if accepted by core |
| * | ||
| * @return bool True if the attribute and class is supported, false otherwise | ||
| */ | ||
| protected function supports($attribute, $class) |
There was a problem hiding this comment.
I guess this method will turn abstract on 3.0 ?
There was a problem hiding this comment.
yes it will. And this is why there is a deprecation warning in the provided implementation.
@wouterj please add a comment in the phpdoc saying it will become abstract in 3.0
|
Seems like some tests still test the deprecated features and should be added to the legacy group (:+1: when this is fixed). |
|
So it seems like we now had 2 tests for AbstractVoter (one in |
|
👍 (the failures don't seem to be related) Status: Reviewed |
|
Thank you @wouterj. |
|
@wouterj All the |
|
Whoa, thanks for catching this @weaverryan! Fixed in #15922 |
This PR was merged into the 2.8 branch. Discussion ---------- [Security] Fix trigger_error calls in voters Fixes typos found by @weaverryan in #15151 | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | - | License | MIT | Doc PR | - Commits ------- 69e80be Fix trigger_error calls
This PR was merged into the 2.8 branch. Discussion ---------- [2.8] Document some Security changes | Q | A | --- | --- | Doc fix? | no | New docs? | yes (symfony/symfony#15131, symfony/symfony#16493, symfony/symfony#15151 | Applies to | 2.8+ | Fixed tickets | - Commits ------- 0526ca0 Document deprecation of supports{Attribute,Class}() methods 22026ee Document Security key to secret renamings 4036d26 Use new Simple{Form,Pre}AuthenticatorInterface namespaces
These methods aren't used at all in a Symfony application and don't make sense to use in the application. They are only used internally in the voters. This means the voter interface can be made much easier.
I'm not sure how we do these deprecations, should we remove the methods from the interface now already? Also, I don't think it's possible to trigger deprecation notices for the voter methods?
Abstract Voter
There is one remaining question about the abstract voter. This currently has abstract
getSupportedAttributes()andgetSupportedClass()methods. One of the reasons to remove the methods for the interface was that these methods are not flexible. Does it make sense to deprecate these methods as well and replace them by an abstractprotected vote(array $attributes, $class)method in theAbstractVoter(which is called fromAbstractVoter#vote()) ?