symfony
diff --git a/‎book/installation.rst
+13-25 b/‎book/installation.rst
+13-25
diff --git a/‎book/templating.rst
+1-1 b/‎book/templating.rst
+1-1
diff --git a/‎book/translation.rst
+3 b/‎book/translation.rst
+3
diff --git a/‎book/validation.rst
+128 b/‎book/validation.rst
+128
diff --git a/‎components/console/introduction.rst
+1-1 b/‎components/console/introduction.rst
+1-1
diff --git a/‎components/dom_crawler.rst
+1-1 b/‎components/dom_crawler.rst
+1-1
diff --git a/‎components/http_kernel/introduction.rst
+1-1 b/‎components/http_kernel/introduction.rst
+1-1
diff --git a/‎components/security/firewall.rst
+13-2 b/‎components/security/firewall.rst
+13-2
diff --git a/‎cookbook/bundles/override.rst
+1-1 b/‎cookbook/bundles/override.rst
+1-1
diff --git a/‎cookbook/cache/varnish.rst
+31 b/‎cookbook/cache/varnish.rst
+31
diff --git a/‎cookbook/form/dynamic_form_modification.rst
+2 b/‎cookbook/form/dynamic_form_modification.rst
+2
diff --git a/‎cookbook/form/form_collections.rst
+4-4 b/‎cookbook/form/form_collections.rst
+4-4
diff --git a/‎cookbook/security/custom_authentication_provider.rst
+5-1 b/‎cookbook/security/custom_authentication_provider.rst
+5-1
diff --git a/‎reference/configuration/framework.rst
+2 b/‎reference/configuration/framework.rst
+2
@@ -225,48 +225,36 @@ If there are any issues, correct them now before moving on.
     line user, you can run the following commands just once in your project
     to ensure that permissions will be setup properly.
 
-    **Note that not all web servers run as the user** ``www-data`` as in the examples
-    below. Instead, check which user *your* web server is being run as and
-    use it in place of ``www-data``.
-
-    On a UNIX system, this can be done with one of the following commands:
-
-    .. code-block:: bash
-
-        $ ps aux | grep httpd
-
-    or
-
-    .. code-block:: bash
-
-        $ ps aux | grep apache
-
     **1. Using ACL on a system that supports chmod +a**
 
     Many systems allow you to use the ``chmod +a`` command. Try this first,
-    and if you get an error - try the next method. Be sure to replace ``www-data``
-    with your web server user on the first ``chmod`` command:
+    and if you get an error - try the next method. This uses a command to
+    try to determine your web server user and set is as ``APACHEUSER``:
 
     .. code-block:: bash
 
         $ rm -rf app/cache/*
         $ rm -rf app/logs/*
 
-        $ sudo chmod +a "www-data allow delete,write,append,file_inherit,directory_inherit" app/cache app/logs
-        $ sudo chmod +a "`whoami` allow delete,write,append,file_inherit,directory_inherit" app/cache app/logs
+		$ APACHEUSER=`ps aux | grep -E '[a]pache|[h]ttpd' | grep -v root | head -1 | cut -d\  -f1`
+		$ sudo chmod +a "$APACHEUSER allow delete,write,append,file_inherit,directory_inherit" app/cache app/logs
+		$ sudo chmod +a "`whoami` allow delete,write,append,file_inherit,directory_inherit" app/cache app/logs
+
 
     **2. Using Acl on a system that does not support chmod +a**
 
     Some systems don't support ``chmod +a``, but do support another utility
     called ``setfacl``. You may need to `enable ACL support`_ on your partition
-    and install setfacl before using it (as is the case with Ubuntu), like
-    so:
+    and install setfacl before using it (as is the case with Ubuntu). This
+    uses a command to try to determine your web server user and set is as
+    ``APACHEUSER``:
 
     .. code-block:: bash
 
-        $ sudo setfacl -R -m u:www-data:rwX -m u:`whoami`:rwX app/cache app/logs
-        $ sudo setfacl -dR -m u:www-data:rwx -m u:`whoami`:rwx app/cache app/logs
-
+		$ APACHEUSER=`ps aux | grep -E '[a]pache|[h]ttpd' | grep -v root | head -1 | cut -d\  -f1`
+		$ sudo setfacl -R -m u:$APACHEUSER:rwX -m u:`whoami`:rwX app/cache app/logs
+		$ sudo setfacl -dR -m u:$APACHEUSER:rwX -m u:`whoami`:rwX app/cache app/logs
+		
     **3. Without using ACL**
 
     If you don't have access to changing the ACL of the directories, you will
 
@@ -1398,7 +1398,7 @@ Debugging
 
 When using PHP, you can use ``var_dump()`` if you need to quickly find the
 value of a variable passed. This is useful, for example, inside your controller.
-The same can be achieved when using Twig thanks to the the debug extension.
+The same can be achieved when using Twig thanks to the debug extension.
 
 Template parameters can then be dumped using the ``dump`` function:
 
 
@@ -470,6 +470,9 @@ Symfony2 will discover these files and use them when translating either
 .. index::
    single: Translations; Message domains
 
+
+.. _using-message-domains:
+
 Using Message Domains
 ---------------------
 
 
@@ -930,6 +930,134 @@ In this example, it will first validate all constraints in the group ``User``
 (which is the same as the ``Default`` group). Only if all constraints in
 that group are valid, the second group, ``Strict``, will be validated.
 
+Group Sequence Providers
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+Imagine a ``User`` entity which can be a normal user or a premium user. When
+it's a premium user, some extra constraints should be added to the user entity
+(e.g. the credit card details). To dynamically determine which groups should
+be activated, you can create a Group Sequence Provider. First, create the
+entity and a new constraint group called ``Premium``:
+
+.. configuration-block::
+
+    .. code-block:: php-annotations
+
+        // src/Acme/DemoBundle/Entity/User.php
+        namespace Acme\DemoBundle\Entity;
+
+        use Symfony\Component\Validator\Constraints as Assert;
+
+        class User
+        {
+            // ...
+
+            /**
+             * @Assert\NotBlank()
+             */
+            private $name;
+
+            /**
+             * @Assert\CardScheme(
+             *     schemes={"VISA"},
+             *     groups={"Premium"},
+             * )
+             */
+            private $creditCard;
+        }
+
+    .. code-block:: yaml
+
+        # src/Acme/DemoBundle/Resources/config/validation.yml
+        Acme\DemoBundle\Entity\User:
+            properties:
+                name:
+                    - NotBlank
+                creditCard:
+                    - CardScheme
+                        schemes: [VISA]
+                        groups: [Premium]
+
+    .. code-block:: xml
+
+        <!-- src/Acme/DemoBundle/Resources/config/validation.xml -->
+        <class name="Acme\DemoBundle\Entity\User">
+            <property name="name">
+                <constraint name="NotBlank" />
+            </property>
+
+            <property name="creditCard">
+                <constraint name="CardScheme">
+                    <option name="schemes">
+                        <value>VISA</value>
+                    </option>
+                    <option name="groups">
+                        <value>Premium</value>
+                    </option>
+                </constraint>
+            </property>
+        </class>
+
+    .. code-block:: php
+
+        // src/Acme/DemoBundle/Entity/User.php
+        namespace Acme\DemoBundle\Entity;
+
+        use Symfony\Component\Validator\Constraints as Assert;
+        use Symfony\Component\Validator\Mapping\ClassMetadata;
+
+        class User
+        {
+            private $name;
+            private $creditCard;
+
+            // ...
+
+            public static function loadValidatorMetadata(ClassMetadata $metadata)
+            {
+                $metadata->addPropertyConstraint('name', new Assert\NotBlank());
+                $metadata->addPropertyConstraint('creditCard', new Assert\CardScheme(
+                    'schemes' => array('VISA'),
+                    'groups'  => array('Premium'),
+                ));
+            }
+        }
+
+Now, change the ``User`` class to implement
+:class:`Symfony\\Component\\Validation\\GroupSequenceProviderInterface` and
+add the
+:method:`Symfony\\Component\\Validation\\GroupSequenceProviderInterface::getGroupSequence`,
+which should return an array of groups to use. Also, add the
+``@Assert\GroupSequenceProvider`` annotation to the class. If you imagine
+that a method called ``isPremium`` returns true if the user is a premium member,
+then your code might look like this::
+
+    // src/Acme/DemoBundle/Entity/User.php
+    namespace Acme\DemoBundle\Entity;
+
+    // ...
+    use Symfony\Component\Validation\GroupSequenceProviderInterface;
+
+    /**
+     * @Assert\GroupSequenceProvider
+     * ...
+     */
+    class User implements GroupSequenceProviderInterface
+    {
+        // ...
+
+        public function getGroupSequence()
+        {
+            $groups = array('User');
+
+            if ($this->isPremium()) {
+                $groups[] = 'Premium';
+            }
+
+            return $groups;
+        }
+    }
+
 .. _book-validation-raw-values:
 
 Validating Values and Arrays
 
@@ -492,4 +492,4 @@ Learn More!
 * :doc:`/components/console/single_command_tool`
 
 .. _Packagist: https://packagist.org/packages/symfony/console
-.. _ANSICON: http://adoxa.3eeweb.com/ansicon/
+.. _ANSICON: https://github.com/adoxa/ansicon/downloads
@@ -205,7 +205,7 @@ and :phpclass:`DOMNode` objects:
     $crawler->addNode($node);
     $crawler->add($document);
 
-.. component-dom-crawler-dumping:
+.. _component-dom-crawler-dumping:
 
 .. sidebar:: Manipulating and Dumping a ``Crawler``
 
 
@@ -128,7 +128,7 @@ For general information on adding listeners to the events below, see
 
 **Typical Purposes**: To add more information to the ``Request``, initialize
 parts of the system, or return a ``Response`` if possible (e.g. a security
-layer that denies access)
+layer that denies access).
 
 :ref:`Kernel Events Information Table<component-http-kernel-event-table>`
 
 
@@ -10,17 +10,28 @@ steps in the process of authenticating the user have been taken successfully,
 you can ask the security context if the authenticated user has access to a
 certain action or resource of the application::
 
-    use Symfony\Component\Security\SecurityContext;
+    use Symfony\Component\Security\Core\SecurityContext;
     use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+    
+    // instance of Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface
+    $authenticationManager = ...;
 
-    $securityContext = new SecurityContext();
+    // instance of Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface
+    $accessDecisionManager = ...;
+
+    $securityContext = new SecurityContext($authenticationManager, $accessDecisionManager);
 
     // ... authenticate the user
 
     if (!$securityContext->isGranted('ROLE_ADMIN')) {
         throw new AccessDeniedException();
     }
 
+.. note::
+
+    Read the dedicated sections to learn more about :doc:`/components/security/authentication`
+    and :doc:`/components/security/authorization`.
+
 .. _firewall:
 
 A Firewall for HTTP Requests
 
@@ -129,7 +129,7 @@ Translations
 
 Translations are not related to bundles, but to domains. That means that you
 can override the translations from any translation file, as long as it is in
-:ref:`the correct domain <translation-domains>`.
+:ref:`the correct domain <using-message-domains>`.
 
 .. caution::
 
 
@@ -176,5 +176,36 @@ that will invalidate the cache for a given resource:
             }
         }
 
+Routing and X-FORWARDED Headers
+-------------------------------
+
+To ensure that the Symfony Router generates urls correctly with Varnish,
+proper ```X-Forwarded``` headers must be added so that Symfony is aware of
+the original port number of the request. Exactly how this is done depends
+on your setup. As a simple example, Varnish and your web server are on the
+same machine and that Varnish is listening on one port (e.g. 80) and Apache
+on another (e.g. 8080). In this situation, Varnish should add the ``X-Forwarded-Port``
+header so that the Symfony application knows that the original port number
+is 80 and not 8080.
+
+If this header weren't set properly, Symfony may append ``8080`` when generating
+absolute URLs:
+
+.. code-block:: text
+
+    sub vcl_recv {
+        if (req.http.X-Forwarded-Proto == "https" ) {
+            set req.http.X-Forwarded-Port = "443";
+        } else {
+            set req.http.X-Forwarded-Port = "80"
+        }
+    }
+
+.. note::
+
+    Remember to configure :ref:`framework.trusted_proxies<reference-framework-trusted-proxies>`
+    in the Symfony configuration so that Varnish is seen as a trusted proxy
+    and the ``X-Forwarded-`` headers are used.
+
 .. _`Edge Architecture`: http://www.w3.org/TR/edge-arch
 .. _`GZIP and Varnish`: https://www.varnish-cache.org/docs/3.0/phk/gzip.html
@@ -473,6 +473,8 @@ The subscriber would now look like::
     use Symfony\Component\Form\FormFactoryInterface;
     use Doctrine\ORM\EntityManager;
     use Symfony\Component\Form\FormEvent;
+    use Symfony\Component\Form\FormEvents;
+    use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 
     class RegistrationSportListener implements EventSubscriberInterface
     {
 
@@ -423,12 +423,12 @@ for the tags in the ``Task`` class::
     {
         // ...
 
-        public function addTag($tag)
+        public function addTag(Tag $tag)
         {
             $this->tags->add($tag);
         }
 
-        public function removeTag($tag)
+        public function removeTag(Tag $tag)
         {
             // ...
         }
@@ -534,7 +534,7 @@ we talk about next!).
         // src/Acme/TaskBundle/Entity/Task.php
 
         // ...
-        public function addTag(ArrayCollection $tag)
+        public function addTag(Tag $tag)
         {
             $tag->addTask($this);
 
@@ -588,7 +588,7 @@ Now, you need to put some code into the ``removeTag`` method of ``Task``::
     {
         // ...
 
-        public function removeTag($tag)
+        public function removeTag(Tag $tag)
         {
             $this->tags->removeElement($tag);
         }
 
@@ -144,7 +144,11 @@ set an authenticated token in the security context if successful.
                 // ... you might log something here
 
                 // To deny the authentication clear the token. This will redirect to the login page.
-                // $this->securityContext->setToken(null);
+                // Make sure to only clear your token, not those of other authentication listeners.
+                // $token = $this->securityContext->getToken();
+                // if ($token instanceof WsseUserToken && $this->providerKey === $token->getProviderKey()) {
+                //     $this->securityContext->setToken(null);
+                // }
                 // return;
 
                 // Deny authentication with a '403 Forbidden' HTTP response
 
@@ -114,6 +114,8 @@ services related to testing your application (e.g. ``test.client``) are loaded.
 This setting should be present in your ``test`` environment (usually via
 ``app/config/config_test.yml``). For more information, see :doc:`/book/testing`.
 
+.. _reference-framework-trusted-proxies:
+
 trusted_proxies
 ~~~~~~~~~~~~~~~
Original file line number	Diff line number	Diff line change
`@@ -473,6 +473,8 @@ The subscriber would now look like::`
`473`	`473`	`use Symfony\Component\Form\FormFactoryInterface;`
`474`	`474`	`use Doctrine\ORM\EntityManager;`
`475`	`475`	`use Symfony\Component\Form\FormEvent;`
	`476`	`+ use Symfony\Component\Form\FormEvents;`
	`477`	`+ use Symfony\Component\EventDispatcher\EventSubscriberInterface;`
`476`	`478`
`477`	`479`	`class RegistrationSportListener implements EventSubscriberInterface`
`478`	`480`	`{`
Original file line number	Diff line number	Diff line change
@@ -423,12 +423,12 @@ for the tags in the ``Task`` class::
`423`	`423`	`{`
`424`	`424`	`// ...`
`425`	`425`
`426`		`- public function addTag($tag)`
	`426`	`+ public function addTag(Tag $tag)`
`427`	`427`	`{`
`428`	`428`	`$this->tags->add($tag);`
`429`	`429`	`}`
`430`	`430`
`431`		`- public function removeTag($tag)`
	`431`	`+ public function removeTag(Tag $tag)`
`432`	`432`	`{`
`433`	`433`	`// ...`
`434`	`434`	`}`
`@@ -534,7 +534,7 @@ we talk about next!).`
`534`	`534`	`// src/Acme/TaskBundle/Entity/Task.php`
`535`	`535`
`536`	`536`	`// ...`
`537`		`- public function addTag(ArrayCollection $tag)`
	`537`	`+ public function addTag(Tag $tag)`
`538`	`538`	`{`
`539`	`539`	`$tag->addTask($this);`
`540`	`540`
@@ -588,7 +588,7 @@ Now, you need to put some code into the ``removeTag`` method of ``Task``::
`588`	`588`	`{`
`589`	`589`	`// ...`
`590`	`590`
`591`		`- public function removeTag($tag)`
	`591`	`+ public function removeTag(Tag $tag)`
`592`	`592`	`{`
`593`	`593`	`$this->tags->removeElement($tag);`
`594`	`594`	`}`