Core request fix #70
Core request fix #70
Conversation
|
I would rather see thus stashed on the listener. It doesn't make sense to store this on the request. |
|
kriswallsmith, where should we stash them, and how can we ensure to apply them to the correct response? |
|
again remember that we do not want to move all the security listeners to scope response, because then we would have to instantiate them again and again in every subrequest. |
|
I think the right solution is to set a listener to request scope and stash your response headers there. If performance becomes an issue, HttpCache or another reverse proxy should resolve that. |
|
so you are proposing to create yet more services to store something that needs to be written into something that needs to be created anyway within the subrequest? if you admit that this is a hack, i am willing to consider it based on wanting to not do any changes at this stage of development. but denying that this is a hack is driving me up the wall. :) |
|
I'm suggesting you create a request-scope listener that is connected to both |
|
I had the same concern when I initially suggested this. Turns out the framework's dispatcher respects scope now that it's been lazified: |
|
If your listener set to the request scope it will be created anew for each request. Each request's |
|
So where does that leave this PR? That design seems unfortunate, but I know yours is a particularly complex problem. Perhaps you can use |
|
Something that occurs to me while thinking about this problem:
To sum up, here is the most complex case that can occur in a single PHP process (with sub-requests and ESI handled by the Symfony2 gateway): So, with this in mind, if we stash the HTTP headers in the listener for the master request, we can get them in the response part of the listener when this is the master request without any ambiguity: |
|
LiipMultiplexBundle is one example, but just adding a render tag into your template. Then someone else decides the given action needs to be acl'ed. At this point the entire firewall concept falls apart for me. So imho its absolutely critical that we eventually also make it possible to secure subrequests, though this will bring with it its own can of worms, because in my app I already see two uses cases when a subrequest requires a role the current users doesnt have:
|
|
When I coded the first version of the security component, I decided to no apply security to sub-requests because it's really up to the developer to know what he is doing at this point. I think that changing that will lead to numerous problems. |
|
I've just tried another approach to fix the problem: The patch looks really similar to Johannes's one, but I have moved the code to the HttpKernel instead of adding the response headers to the request class. Two things to note:
|
|
Just discussed the issue of sub-request firewalling with Lukas. I think it could be fixed if we removed the _internal routes, and forced sub-requests/forwards/render calls to be done via real URLs. Then we need to be smart about handling authentication errors in the sub-requests, but anyway this is not the place so I think he's writing a mail to the ml to discuss this in further details. |
|
I've suggested the following alternatives:
If my first suggestion is not available to you because of a design decision, the second one should work. Furthermore, the fact that this is an issue because of a design decision in your component tells me any necessary workaround hacks should be confined to your component as well. I don't see any place for this in either HttpFoundation or HttpKernel. |
|
-1 If this is holding security, let's wait until RC1 to finish it, I'd rather we took longer to finish this, than merge a hack like this. |
|
What is the need to apply security firewalls to sub-requests? Is that something Spring implements (considering Spring is the model for Security component)? I could see perhaps for ACL restrictions on methods (I believe that uses annotations), but as for firewalls, those seem relevant only for master requests and routes. Internal sub-requests are essentially invoking other controller methods directly with a derivative Request object. |
…ter request in the ControllerListener. (voronkovich) This PR was merged into the master branch. Discussion ---------- Improve the checking if the current request is a master request in the ControllerListener. There is a more convenient way to check whether the current request is a master request. See http://api.symfony.com/2.7/Symfony/Component/HttpKernel/Event/KernelEvent.html#method_isMasterRequest Commits ------- a90021f Improve the checking if the current request is a master request in the ControllerListener
Add a consistency validation for the composer reference
Fixes symfony#69 fixing scrapping typos
This PR was merged into the 1.2-dev branch. Discussion ---------- Updated CHANGELOG * includes mention for a to-be-released 1.3.0 with the symfony 5 PR merged * also includes missing changelogs from older versions Commits ------- 9ad4bcc Updated CHANGELOG
…repo (fabpot, dunglas, KorvinSzanto, xabbuh, aimeos, ahundiak, Danielss89, rougin, csunolgomez, Jérôme Parmentier, mtibben, Nyholm, ajgarlag, uphlewis, samnela, grachevko, nicolas-grekas, tinyroy, danizord, Daniel Degasperi, rbaarsma, Ekman, 4rthem, derrabus, mleczakm, iluuu1994, Tobion, chalasr, lemon-juice, franmomu, cidosx, erikn69, AurelienPillevesse) This PR was merged into the 6.4 branch. Discussion ---------- [PsrHttpMessageBridge] Import the bridge into the monorepo | Q | A | ------------- | --- | Branch? | 6.4 | Bug fix? | no | New feature? | yes | Deprecations? | no | Tickets | N/A | License | MIT | Doc PR | TODO⚠️ Don't squash! I propose to import the `symfony/psr-http-message-bridge` package into the Symfony monorepo for further maintenance. Commits ------- e40dd66 [PsrHttpMessageBridge] Patch return types and fix CS 266c09f [PsrHttpMessageBridge] Import the bridge into the monorepo 0c0323a Add 'src/Symfony/Bridge/PsrHttpMessage/' from commit '581ca6067eb62640de5ff08ee1ba6850a0ee472e' 581ca60 Prepare release 2.3.1 45d0349 Fix CS 6410dda bug #122 Don't rely on Request::getPayload() to populate the parsed body (nicolas-grekas) ef03b6d Don't rely on Request::getPayload() to populate the parsed body 3c62b81 minor #120 Prepare release 2.3.0 (derrabus) 96acbfd Prepare release 2.3.0 7eedd34 feature #119 Implement ValueResolverInterface (derrabus) 0b54b85 Implement ValueResolverInterface 6b2f5df feature #117 Leverage `Request::getPayload()` to populate the parsed body of PSR-7 requests (AurelienPillevesse) 3a8caad Leverage `Request::getPayload()` to populate the parsed body of PSR-7 requests 18c9e82 minor #118 Add native types where possible (derrabus) 4fd4323 Add native types where possible 28a732c minor #115 Prepare the 2.2.0 release (derrabus) 7944831 cs fix 99ddcaa Prepare the 2.2.0 release 8a5748d feature #113 Bump psr/http-message version (erikn69) ec83c1c Bump psr/http-message version 694016e feature #114 Drop support for Symfony 4 (derrabus) b360b35 Drop support for Symfony 4 998d8d2 minor #111 Adjustments for PHP CS Fixer 3 (derrabus) 5fa5f62 Adjustments for PHP CS Fixer 3 a125b93 minor #110 Add PHP 8.2 to CI (derrabus) 4592df2 Add PHP 8.2 to CI 4617ac3 bug #109 perf: ensure timely flush stream buffers (cidosx) 8c8a75b perf: ensure timely flush stream buffers d444f85 Update changelog 155a7ae bug #107 Ignore invalid HTTP headers when creating PSR7 objects (nicolas-grekas) 9a78a16 Ignore invalid HTTP headers when creating PSR7 objects bdb2871 minor #104 Add missing .gitattributes (franmomu) 808561a Add missing .gitattributes 316f5cb bug #103 Fix for wrong type passed to moveTo() (lemon-juice) 7f3b5c1 Fix for wrong type passed to moveTo() 22b37c8 minor #101 Release v2.1.2 (chalasr) c382d76 Release v2.1.2 c81476c feature #100 Allow Symfony 6 (chalasr) c7a0be3 Allow Symfony 6 df83a38 minor #98 Add PHP 8.1 to CI (derrabus) b2bd334 Add PHP 8.1 to CI 824711c minor #99 Add return types to fixtures (derrabus) f8f70fa Add return types to fixtures d558dcd minor #97 Inline $tmpDir (derrabus) d152649 Inline $tmpDir f12a9e6 minor #96 Run PHPUnit on GitHub Actions (derrabus) ab64c69 Run PHPUnit on GitHub Actions c901299 bug #95 Allow `psr/log` 2 and 3 (derrabus) 8e13ae4 Allow psr/log 2 and 3 26068fa Minor cleanups 87fabb9 Fix copyright year 3d9241f minor #92 remove link to sensio extra bundle which removed psr7 support (Tobion) 7078739 remove link to sensio extra bundle which removed psr7 support 81db2d4 feature #89 PSR HTTP message converters for controllers (derrabus) aa26e61 PSR HTTP message converters for controllers e62b239 minor #91 Fix CS (derrabus) 2bead22 Fix CS 488df9b minor #90 Fix CI failures with Xdebug 3 and test on PHP 7.4/8.0 as well (derrabus) a6697fd Fix CI failures with Xdebug 3 and test on PHP 7.4/8.0 as well c62f7d0 Update branch-alias 51a21cb Update changelog a20fff9 bug #87 Fix populating server params from URI in HttpFoundationFactory (nicolas-grekas) 4933e04 bug #86 Create cookies as raw in HttpFoundationFactory (nicolas-grekas) 66095a5 Fix populating server params from URI in HttpFoundationFactory 42cca49 Create cookies as raw in HttpFoundationFactory cffb3a8 bug #85 Fix BinaryFileResponse with range to psr response conversion (iluuu1994) 5d5932d Fix BinaryFileResponse with range to psr response conversion e44f249 bug #81 Don't normalize query string in PsrHttpFactory (nicolas-grekas) bc25829 Don't normalize query string in PsrHttpFactory df735ec bug #78 Fix populating default port and headers in HttpFoundationFactory (mleczakm) 4f30401 Fix populating default port and headers in HttpFoundationFactory 1309b64 bug #77 fix conversion for https requests (4rthem) e86de3f minor #79 Allow installation on php 8 (derrabus) 9243f93 Allow installation on php 8. d336c73 fix conversion for https requests 126903c Fix format of CHANGELOG.md ce709cd feature #75 Remove deprecated code (fabpot) dfc5238 Remove deprecated code 9d3e80d bug #72 Use adapter for UploadedFile objects (nicolas-grekas) a4f9f6d Use adapter for UploadedFile objects ec7892b Fix CHANGELOG, bump branch-alias 7ab4fe4 minor #70 Updated CHANGELOG (rbaarsma) 9ad4bcc Updated CHANGELOG c4c904a minor #71 Cleanup after bump to Symfony v4.4 (nicolas-grekas) e9a9557 Cleanup after bump to Symfony v4.4 3d10a6c feature #66 Add support for streamed Symfony request (Ekman) df26630 Add support for streamed Symfony request 5aa8ca9 bug #69 Allow Symfony 5.0 (rbaarsma) 1158149 Allow Symfony 5.0 81ae86d Merge branch '1.1' a33352a bug #64 Fixed createResponse (ddegasperi) 7a4b449 minor #65 Fix tests (ajgarlag) 19905b0 Fix tests 580de38 Fixed createResponse 9ab9d71 minor #63 Added links to documentation (Nyholm) 59b9406 Added links to documentation c1cb51c feature #50 Add support for streamed response (danizord) 4133c7a bug #48 Convert Request/Response multiple times (Nyholm) 8564bf7 Convert Request/Response multiple times 7cc1605 Add support for streamed response aebc14b feature #62 bump to PHP 7.1 (nicolas-grekas) 8e10923 bump to PHP 7.1 5e5e0c3 Revert "Undeprecate DiactorosFactory for 1.1" 921f866 Undeprecate DiactorosFactory for 1.1 8592ca3 bug #61 removed 'Set-Cookie' from header when it is already converted to a Symfony header cookie (tinyroy) dd1111e removed 'Set-Cookie' from header when it is already converted to a Symfony header cookie ba672d8 bump branch-alias 5f9a032 typo f2c48c5 fix tests 3a52e44 bug #59 Fix SameSite attribute conversion from PSR7 to HttpFoundation (ajgarlag) 5ee1f8f Fix SameSite attribute conversion from PSR7 to HttpFoundation f6d7d3a bug #58 [Bugfix] Typo header set-sookie (grachevko) 16eb6e1 minor #57 Excluded tests from classmap (samnela) 36a8065 Deprecate DiactorosFactory, use nyholm/psr7 for tests 5076934 bug #54 Fix #51 (compatability issue with zendframework/zend-diactoros ^2.0) (uphlewis) 757ea81 [Bugfix] Typo header set-sookie 25f9c3a Excluded tests from classmap 8ff61e5 Fix compatability issue with "zendframework/zend-diactoros": "^2.0." (#51) 53c15a6 updated CHANGELOG c821241 bumped version to 1.1 f26d01f minor #47 Updated changelog (Nyholm) c2282e3 Updated changelog eddd6c8 feature #43 Create PSR-7 messages using PSR-17 factories (ajgarlag) dd81b4b Create PSR-7 messages using PSR-17 factories f11f173 feature #45 Fixed broken build (Nyholm) 8780dd3 Fixed broken build c2b7579 bug #30 Fix the request target in PSR7 Request (mtibben) 94fcfa5 Fix the request target in PSR7 Request 64640ee minor #38 Run PHP 5.3 tests on Precise (Lctrs) 64c0cb0 Run PHP 5.3 tests on Precise b209840 minor #32 Allow Symfony 4 (dunglas) 97635f1 Allow Symfony 4 147a238 minor #31 test suite compatibility with PHPUnit 6 (xabbuh) f5c46f0 test suite compatibility with PHPUnit 6 66085f2 preparing 1.0 release 533d3e4 added a CHANGELOG for 1.0 14269f9 bug #28 Fix REQUEST_METHOD on symfony request (csunol) 98ab85a Fix REQUEST_METHOD on symfony request 29be4f8 updated LICENCE year d2db47c removed obsolete CHANGELOG file 1c30b17 bug #22 Fixes #16 Symfony Request created without any URI (rougin) a59c572 Fixes #16 Symfony Request created without any URI 7a5aa92 bug #23 Fixes #9 Bridge error when no file is selected (ahundiak, Danielss89) a1a631a Update assert error message e5d62e6 Fixes based on code-review 101b608 Handles null file in createrequest bridge. d16c63c bug #18 Allow multiple calls to Request::getContent() (aimeos) 9624b8b Allow multiple calls to Request::getContent() 9c747c4 Merge pull request #19 from xabbuh/travis-config a388c43 update Travis CI configuration ac5cd86 minor #14 Remove use of deprecated 'deep' parameter in tests (KorvinSzanto) 305c0fe Remove use of deprecated 'deep' parameter 3664dc0 minor #7 Test Diactoros Factory with PHP 5.4 (dunglas) bab1530 Test Diactoros Factory with PHP 5.4 d7660b8 Suggest psr/http-message-implementation dc7e308 removed the branch alias for now as we are pre 1.0 3f8977e feature #1 Initial support (dunglas) ca41146 Initial support 01b110b added the initial set of files
This commit allows headers/cookies to be set from a core.request listener easily without having to worry about our multi-request architecture, they are always set on the correct response.