[SecurityBundle] Add a FirewallConfigRegistry service as main entry point #20591
Conversation
| */ | ||
| private function getRequestMatcher(FirewallConfig $config) | ||
| { | ||
| if (empty($config->getRequestMatcher())) { |
There was a problem hiding this comment.
Note: this would be replaced by if (null === $config->getRequestMatcher()) { if #20589 is merged
There was a problem hiding this comment.
In case of this one is considered before #20589, I think it should be if (!$config->getRequestMatcher())
There was a problem hiding this comment.
I prefer empty which is semantically better IMHO.
|
Imho, adding this registry makes sense as soon as (and only if) we need some more accessors for the The Given I can't find valid use cases for Of course that's just my opinion and I may be wrong but I would favor #20592 instead of this one, even if your implementation looks very good. edit: considering the use cases, maybe it's worth it. |
|
Despite I prefer having this clear entrypoint separated from the security execution context, I do think identifying proper use cases to legitimate this approach is required. Maybe @julienfalque could give us some hints? |
| } | ||
| } | ||
|
|
||
| return $configs; |
There was a problem hiding this comment.
Maybe
- $configs = array();
- foreach ($this->firewallConfigs as $config) {
- if ($config->getContext() === $context) {
- $configs[] = $config;
- }
- }
-
- return $configs;
+ return array_filter($this->firewallConfigs, function (FirewallConfig $config) {
+ return $context === config->getContext();
+ });?
| */ | ||
| private function getRequestMatcher(FirewallConfig $config) | ||
| { | ||
| if (empty($config->getRequestMatcher())) { |
There was a problem hiding this comment.
In case of this one is considered before #20589, I think it should be if (!$config->getRequestMatcher())
…oint for firewall configs
|
I need to be able to retrieve a Making the |
|
This one is way too late in the 3.2 release cycle IMHO. Is it superseded by #20592? |
|
Of course I suspected this. The time left before releasing 3.2 is probably too short for such a change, but If we want to do it later, we fall in the deprecation cycle. So I had to at least try. #20592 would be enough for use-cases I can imagine right now. But as you said, this is actually solvable by defining aliases on userland. |
|
So maybe close this one until someone comes with a use case? |
|
@nicolas-grekas Apparently there is one use case at least (#20591 (comment)) for retrieving firewall config by name at runtime without having the whole container injected, so maybe this one is good to keep on 3.3. Another alternative could be to add the logic needed by #20591 (comment) in the |
|
As a side note: WDYT about removing the deprecation in FirewallContext ? Having the configuration object on the |
|
👍 for removing the deprecation on 3.2. |
|
@ogizanagi can you update #20589 to remove the deprecation? |
|
Done. Closing this one for now. |
|
So... Is this totally abandoned or do we still want it on 3.3? I don't think using public aliases will help for the use case I mentioned. |
|
@julienfalque : We must have enough arguments for this to happen in 3.3, because it'll require extra work to deprecate paths introduced in 3.2 and ensuring BC until 4.0. That's why I thought we may rework it before it's too late and 3.2 is released...but it's already too late 😅 Note that #20585 may still happen in 3.3 as is if we don't mind mixing responsibilities between the security flow and getting the config objects. |
…izanagi) This PR was squashed before being merged into the 3.2 branch (closes #20589). Discussion ---------- [SecurityBundle] Fix FirewallConfig nullable arguments | Q | A | ------------- | --- | Branch? | 3.2 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no, but removes one | Tests pass? | yes | Fixed tickets | N/A | License | MIT | Doc PR | N/A Nullable arguments were replaced by empty strings by the DIC config if values weren't replaced in the extension. Another solution (looking safer to me) is to apply the following changes in the DIC configuration: ```diff diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml b/src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml index 54e5734..499dd5e 100644 --- a/src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml +++ b/src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml @@ -116,15 +116,15 @@ <service id="security.firewall.config" class="Symfony\Bundle\SecurityBundle\Security\FirewallConfig" abstract="true" public="false"> <argument /> <!-- name --> - <argument /> <!-- user_checker --> - <argument /> <!-- request_matcher --> - <argument /> <!-- security enabled --> - <argument /> <!-- stateless --> - <argument /> <!-- provider --> - <argument /> <!-- context --> - <argument /> <!-- entry_point --> - <argument /> <!-- access_denied_handler --> - <argument /> <!-- access_denied_url --> + <argument>null</argument> <!-- user_checker --> + <argument>null</argument> <!-- request_matcher --> + <argument>true</argument> <!-- security enabled --> + <argument>false</argument> <!-- stateless --> + <argument>null</argument> <!-- provider --> + <argument>null</argument> <!-- context --> + <argument>null</argument> <!-- entry_point --> + <argument>null</argument> <!-- access_denied_handler --> + <argument>null</argument> <!-- access_denied_url --> <argument type="collection" /> <!-- listeners --> </service> ``` But it doesn't seem to be the way we deal with arguments meant to be replaced by extensions in the Symfony core. cc @chalasr This PR also removes the FirewallContext mandatory `FirewallConfig` argument deprecation for reasons expressed in #20591 (comment) Commits ------- 79ef474 [SecurityBundle] Remove FirewallContext mandatory FirewallConfig argument deprecation f09ccf4 [SecurityBundle] Fix FirewallConfig nullable arguments
This PR reworks some parts of #19398 for solving issues like #20585 about accessing the firewall configs in different ways.
The main entry point for getting firewall configs becomes the
security.firewall.config_registryservice.FirewallMap&FirewallContextstay unchanged, as they are more about the security execution context than getting the configuration.It also removes the deprecation introduced in
FirewallContext(and even in case this one is not merged, I'd like to challenge this deprecation which seems superfluous instead of simply allowingnull)However, if the only real uses-cases are only to access the config at runtime from the firewall name, we may not need that "complexity" and refactoring (see #20592 instead).
WDYT?
cc @chalasr