deprecate finding deep items in request parameters

xabbuh · xabbuh · commit be11681afc4f · 2015-09-30T00:27:05.000+02:00
diff --git a/src/Symfony/Component/HttpFoundation/CHANGELOG.md b/src/Symfony/Component/HttpFoundation/CHANGELOG.md
@@ -1,6 +1,12 @@
 CHANGELOG
 =========
 
+2.8.0
+-----
+
+ * Finding deep items in `ParameterBag::get()` is deprecated since version 2.8 and
+   will be removed in 3.0.
+
 2.6.0
 -----
 
diff --git a/src/Symfony/Component/HttpFoundation/ParameterBag.php b/src/Symfony/Component/HttpFoundation/ParameterBag.php
@@ -78,6 +78,8 @@ public function add(array $parameters = array())
     /**
      * Returns a parameter by name.
      *
+     * Note: Finding deep items is deprecated since version 2.8, to be removed in 3.0.
+     *
      * @param string $path    The key
      * @param mixed  $default The default value if the parameter key does not exist
      * @param bool   $deep    If true, a path like foo[bar] will find deeper items
@@ -88,6 +90,10 @@ public function add(array $parameters = array())
      */
     public function get($path, $default = null, $deep = false)
     {
+        if (true === $deep) {
+            @trigger_error('Using paths to find deeper items in '.__METHOD__.' is deprecated since version 2.8 and will be removed in 3.0. Filter the returned value in your own code instead.', E_USER_DEPRECATED);
+        }
+
         if (!$deep || false === $pos = strpos($path, '[')) {
             return array_key_exists($path, $this->parameters) ? $this->parameters[$path] : $default;
         }
diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php
@@ -714,6 +714,8 @@ public static function getHttpMethodParameterOverride()
      * It is better to explicitly get request parameters from the appropriate
      * public property instead (query, attributes, request).
      *
+     * Note: Finding deep items is deprecated since version 2.8, to be removed in 3.0.
+     *
      * @param string $key     the key
      * @param mixed  $default the default value
      * @param bool   $deep    is parameter deep in multidimensional array
@@ -722,6 +724,10 @@ public static function getHttpMethodParameterOverride()
      */
     public function get($key, $default = null, $deep = false)
     {
+        if (true === $deep) {
+            @trigger_error('Using paths to find deeper items in '.__METHOD__.' is deprecated since version 2.8 and will be removed in 3.0. Filter the returned value in your own code instead.', E_USER_DEPRECATED);
+        }
+
         if ($this !== $result = $this->query->get($key, $this, $deep)) {
             return $result;
         }
diff --git a/src/Symfony/Component/HttpFoundation/Tests/ParameterBagTest.php b/src/Symfony/Component/HttpFoundation/Tests/ParameterBagTest.php
@@ -86,6 +86,7 @@ public function testGetDoesNotUseDeepByDefault()
     }
 
     /**
+     * @group legacy
      * @dataProvider getInvalidPaths
      * @expectedException \InvalidArgumentException
      */
@@ -106,6 +107,9 @@ public function getInvalidPaths()
         );
     }
 
+    /**
+     * @group legacy
+     */
     public function testGetDeep()
     {
         $bag = new ParameterBag(array('foo' => array('bar' => array('moo' => 'boo'))));
diff --git a/src/Symfony/Component/Security/Http/Authentication/DefaultAuthenticationFailureHandler.php b/src/Symfony/Component/Security/Http/Authentication/DefaultAuthenticationFailureHandler.php
@@ -17,6 +17,7 @@
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Http\HttpUtils;
+use Symfony\Component\Security\Http\ParameterBagUtils;
 
 /**
  * Class with the default authentication failure handling logic.
@@ -82,7 +83,7 @@ public function setOptions(array $options)
      */
     public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
     {
-        if ($failureUrl = $request->get($this->options['failure_path_parameter'], null, true)) {
+        if ($failureUrl = ParameterBagUtils::getRequestParameterValue($request, $this->options['failure_path_parameter'])) {
             $this->options['failure_path'] = $failureUrl;
         }
 
diff --git a/src/Symfony/Component/Security/Http/Authentication/DefaultAuthenticationSuccessHandler.php b/src/Symfony/Component/Security/Http/Authentication/DefaultAuthenticationSuccessHandler.php
@@ -14,6 +14,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Security\Http\HttpUtils;
+use Symfony\Component\Security\Http\ParameterBagUtils;
 
 /**
  * Class with the default authentication success handling logic.
@@ -108,7 +109,7 @@ protected function determineTargetUrl(Request $request)
             return $this->options['default_target_path'];
         }
 
-        if ($targetUrl = $request->get($this->options['target_path_parameter'], null, true)) {
+        if ($targetUrl = ParameterBagUtils::getRequestParameterValue($request, $this->options['target_path_parameter'])) {
             return $targetUrl;
         }
 
diff --git a/src/Symfony/Component/Security/Http/Firewall/LogoutListener.php b/src/Symfony/Component/Security/Http/Firewall/LogoutListener.php
@@ -24,6 +24,7 @@
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface;
 use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;
+use Symfony\Component\Security\Http\ParameterBagUtils;
 
 /**
  * LogoutListener logout users.
@@ -98,7 +99,7 @@ public function handle(GetResponseEvent $event)
         }
 
         if (null !== $this->csrfTokenManager) {
-            $csrfToken = $request->get($this->options['csrf_parameter'], null, true);
+            $csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);
 
             if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['intention'], $csrfToken))) {
                 throw new LogoutException('Invalid CSRF token.');
diff --git a/src/Symfony/Component/Security/Http/Firewall/SimpleFormAuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/SimpleFormAuthenticationListener.php
@@ -26,6 +26,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Http\HttpUtils;
+use Symfony\Component\Security\Http\ParameterBagUtils;
 use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
 use Psr\Log\LoggerInterface;
 
@@ -101,19 +102,19 @@ protected function requiresAuthentication(Request $request)
     protected function attemptAuthentication(Request $request)
     {
         if (null !== $this->csrfTokenManager) {
-            $csrfToken = $request->get($this->options['csrf_parameter'], null, true);
+            $csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);
 
             if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['intention'], $csrfToken))) {
                 throw new InvalidCsrfTokenException('Invalid CSRF token.');
             }
         }
 
         if ($this->options['post_only']) {
-            $username = trim($request->request->get($this->options['username_parameter'], null, true));
-            $password = $request->request->get($this->options['password_parameter'], null, true);
+            $username = trim(ParameterBagUtils::getParameterBagValue($request->request, $this->options['username_parameter']));
+            $password = ParameterBagUtils::getParameterBagValue($request->request, $this->options['password_parameter']);
         } else {
-            $username = trim($request->get($this->options['username_parameter'], null, true));
-            $password = $request->get($this->options['password_parameter'], null, true);
+            $username = trim(ParameterBagUtils::getRequestParameterValue($request, $this->options['username_parameter']));
+            $password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
         }
 
         $request->getSession()->set(Security::LAST_USERNAME, $username);
diff --git a/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php
@@ -19,6 +19,7 @@
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
+use Symfony\Component\Security\Http\ParameterBagUtils;
 use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
@@ -76,19 +77,19 @@ protected function requiresAuthentication(Request $request)
     protected function attemptAuthentication(Request $request)
     {
         if (null !== $this->csrfTokenManager) {
-            $csrfToken = $request->get($this->options['csrf_parameter'], null, true);
+            $csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);
 
             if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['intention'], $csrfToken))) {
                 throw new InvalidCsrfTokenException('Invalid CSRF token.');
             }
         }
 
         if ($this->options['post_only']) {
-            $username = trim($request->request->get($this->options['username_parameter'], null, true));
-            $password = $request->request->get($this->options['password_parameter'], null, true);
+            $username = trim(ParameterBagUtils::getParameterBagValue($request->request, $this->options['username_parameter']));
+            $password = ParameterBagUtils::getParameterBagValue($request->request, $this->options['password_parameter']);
         } else {
-            $username = trim($request->get($this->options['username_parameter'], null, true));
-            $password = $request->get($this->options['password_parameter'], null, true);
+            $username = trim(ParameterBagUtils::getRequestParameterValue($request, $this->options['username_parameter']));
+            $password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
         }
 
         $request->getSession()->set(Security::LAST_USERNAME, $username);
diff --git a/src/Symfony/Component/Security/Http/ParameterBagUtils.php b/src/Symfony/Component/Security/Http/ParameterBagUtils.php
@@ -0,0 +1,83 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http;
+
+use Symfony\Component\HttpFoundation\ParameterBag;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\PropertyAccess\PropertyAccess;
+
+/**
+ * @internal
+ */
+final class ParameterBagUtils
+{
+    private static $propertyAccessor;
+
+    /**
+     * Returns a "parameter" value.
+     *
+     * Paths like foo[bar] will be evaluated to find deeper items in nested data structures.
+     *
+     * @param ParameterBag $parameters The parameter bag
+     * @param string       $path       The key
+     * @param mixed        $default    The default value if the parameter key does not exist
+     *
+     * @return mixed
+     */
+    public static function getParameterBagValue(ParameterBag $parameters, $path, $default = null)
+    {
+        if (false === $pos = strpos($path, '[')) {
+            return $parameters->get($path, $default);
+        }
+
+        $root = substr($path, 0, $pos);
+
+        if (null === $value = $parameters->get($root)) {
+            return $default;
+        }
+
+        if (null === self::$propertyAccessor) {
+            self::$propertyAccessor = PropertyAccess::createPropertyAccessor();
+        }
+
+        return self::$propertyAccessor->getValue($value, substr($path, $pos));
+    }
+
+    /**
+     * Returns a request "parameter" value.
+     *
+     * Paths like foo[bar] will be evaluated to find deeper items in nested data structures.
+     *
+     * @param Request $request The request
+     * @param string  $path    The key
+     *
+     * @return mixed
+     */
+    public static function getRequestParameterValue(Request $request, $path)
+    {
+        if (false === $pos = strpos($path, '[')) {
+            return $request->get($path);
+        }
+
+        $root = substr($path, 0, $pos);
+
+        if (null === $value = $request->get($root)) {
+            return;
+        }
+
+        if (null === self::$propertyAccessor) {
+            self::$propertyAccessor = PropertyAccess::createPropertyAccessor();
+        }
+
+        return self::$propertyAccessor->getValue($value, substr($path, $pos));
+    }
+}
diff --git a/src/Symfony/Component/Security/Http/RememberMe/AbstractRememberMeServices.php b/src/Symfony/Component/Security/Http/RememberMe/AbstractRememberMeServices.php
@@ -23,6 +23,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Cookie;
 use Psr\Log\LoggerInterface;
+use Symfony\Component\Security\Http\ParameterBagUtils;
 
 /**
  * Base class implementing the RememberMeServicesInterface.
@@ -319,7 +320,7 @@ protected function isRememberMeRequested(Request $request)
             return true;
         }
 
-        $parameter = $request->get($this->options['remember_me_parameter'], null, true);
+        $parameter = ParameterBagUtils::getRequestParameterValue($request, $this->options['remember_me_parameter']);
 
         if (null === $parameter && null !== $this->logger) {
             $this->logger->debug('Did not send remember-me cookie.', array('parameter' => $this->options['remember_me_parameter']));
diff --git a/src/Symfony/Component/Security/Http/Tests/Authentication/DefaultAuthenticationFailureHandlerTest.php b/src/Symfony/Component/Security/Http/Tests/Authentication/DefaultAuthenticationFailureHandlerTest.php
@@ -145,7 +145,7 @@ public function testFailurePathCanBeOverwritten()
     public function testFailurePathCanBeOverwrittenWithRequest()
     {
         $this->request->expects($this->once())
-            ->method('get')->with('_failure_path', null, true)
+            ->method('get')->with('_failure_path', null, false)
             ->will($this->returnValue('/auth/login'));
 
         $this->httpUtils->expects($this->once())
@@ -155,12 +155,25 @@ public function testFailurePathCanBeOverwrittenWithRequest()
         $handler->onAuthenticationFailure($this->request, $this->exception);
     }
 
+    public function testFailurePathCanBeOverwrittenWithNestedAttributeInRequest()
+    {
+        $this->request->expects($this->once())
+            ->method('get')->with('_failure_path', null, false)
+            ->will($this->returnValue(array('value' => '/auth/login')));
+
+        $this->httpUtils->expects($this->once())
+            ->method('createRedirectResponse')->with($this->request, '/auth/login');
+
+        $handler = new DefaultAuthenticationFailureHandler($this->httpKernel, $this->httpUtils, array('failure_path_parameter' => '_failure_path[value]'), $this->logger);
+        $handler->onAuthenticationFailure($this->request, $this->exception);
+    }
+
     public function testFailurePathParameterCanBeOverwritten()
     {
         $options = array('failure_path_parameter' => '_my_failure_path');
 
         $this->request->expects($this->once())
-            ->method('get')->with('_my_failure_path', null, true)
+            ->method('get')->with('_my_failure_path', null, false)
             ->will($this->returnValue('/auth/login'));
 
         $this->httpUtils->expects($this->once())
diff --git a/src/Symfony/Component/Security/Http/Tests/Authentication/DefaultAuthenticationSuccessHandlerTest.php b/src/Symfony/Component/Security/Http/Tests/Authentication/DefaultAuthenticationSuccessHandlerTest.php
@@ -68,6 +68,20 @@ public function testTargetPathIsPassedWithRequest()
         $this->assertSame($response, $result);
     }
 
+    public function testTargetPathIsPassedAsNestedParameterWithRequest()
+    {
+        $this->request->expects($this->once())
+            ->method('get')->with('_target_path')
+            ->will($this->returnValue(array('value' => '/dashboard')));
+
+        $response = $this->expectRedirectResponse('/dashboard');
+
+        $handler = new DefaultAuthenticationSuccessHandler($this->httpUtils, array('target_path_parameter' => '_target_path[value]'));
+        $result = $handler->onAuthenticationSuccess($this->request, $this->token);
+
+        $this->assertSame($response, $result);
+    }
+
     public function testTargetPathParameterIsCustomised()
     {
         $options = array('target_path_parameter' => '_my_target_path');
diff --git a/src/Symfony/Component/Security/Http/composer.json b/src/Symfony/Component/Security/Http/composer.json
@@ -20,7 +20,8 @@
         "symfony/security-core": "~2.8",
         "symfony/event-dispatcher": "~2.1|~3.0.0",
         "symfony/http-foundation": "~2.4|~3.0.0",
-        "symfony/http-kernel": "~2.4|~3.0.0"
+        "symfony/http-kernel": "~2.4|~3.0.0",
+        "symfony/property-access": "~2.3|~3.0.0"
     },
     "require-dev": {
         "symfony/phpunit-bridge": "~2.7|~3.0.0",

Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,8 @@ public function add(array $parameters = array())`
`78`	`78`	`/**`
`79`	`79`	`* Returns a parameter by name.`
`80`	`80`	`*`
	`81`	`+ * Note: Finding deep items is deprecated since version 2.8, to be removed in 3.0.`
	`82`	`+ *`
`81`	`83`	`* @param string $path The key`
`82`	`84`	`* @param mixed $default The default value if the parameter key does not exist`
`83`	`85`	`* @param bool $deep If true, a path like foo[bar] will find deeper items`
`@@ -88,6 +90,10 @@ public function add(array $parameters = array())`
`88`	`90`	`*/`
`89`	`91`	`public function get($path, $default = null, $deep = false)`
`90`	`92`	`{`
	`93`	`+ if (true === $deep) {`
	`94`	`+ @trigger_error('Using paths to find deeper items in '.__METHOD__.' is deprecated since version 2.8 and will be removed in 3.0. Filter the returned value in your own code instead.', E_USER_DEPRECATED);`
	`95`	`+ }`
	`96`	`+`
`91`	`97`	`if (!$deep \|\| false === $pos = strpos($path, '[')) {`
`92`	`98`	`return array_key_exists($path, $this->parameters) ? $this->parameters[$path] : $default;`
`93`	`99`	`}`
Original file line number	Diff line number	Diff line change
`@@ -714,6 +714,8 @@ public static function getHttpMethodParameterOverride()`
`714`	`714`	`* It is better to explicitly get request parameters from the appropriate`
`715`	`715`	`* public property instead (query, attributes, request).`
`716`	`716`	`*`
	`717`	`+ * Note: Finding deep items is deprecated since version 2.8, to be removed in 3.0.`
	`718`	`+ *`
`717`	`719`	`* @param string $key the key`
`718`	`720`	`* @param mixed $default the default value`
`719`	`721`	`* @param bool $deep is parameter deep in multidimensional array`
`@@ -722,6 +724,10 @@ public static function getHttpMethodParameterOverride()`
`722`	`724`	`*/`
`723`	`725`	`public function get($key, $default = null, $deep = false)`
`724`	`726`	`{`
	`727`	`+ if (true === $deep) {`
	`728`	`+ @trigger_error('Using paths to find deeper items in '.__METHOD__.' is deprecated since version 2.8 and will be removed in 3.0. Filter the returned value in your own code instead.', E_USER_DEPRECATED);`
	`729`	`+ }`
	`730`	`+`
`725`	`731`	`if ($this !== $result = $this->query->get($key, $this, $deep)) {`
`726`	`732`	`return $result;`
`727`	`733`	`}`
Original file line number	Diff line number	Diff line change
`@@ -86,6 +86,7 @@ public function testGetDoesNotUseDeepByDefault()`
`86`	`86`	`}`
`87`	`87`
`88`	`88`	`/**`
	`89`	`+ * @group legacy`
`89`	`90`	`* @dataProvider getInvalidPaths`
`90`	`91`	`* @expectedException \InvalidArgumentException`
`91`	`92`	`*/`
`@@ -106,6 +107,9 @@ public function getInvalidPaths()`
`106`	`107`	`);`
`107`	`108`	`}`
`108`	`109`
	`110`	`+ /**`
	`111`	`+ * @group legacy`
	`112`	`+ */`
`109`	`113`	`public function testGetDeep()`
`110`	`114`	`{`
`111`	`115`	`$bag = new ParameterBag(array('foo' => array('bar' => array('moo' => 'boo'))));`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@`
`17`	`17`	`use Symfony\Component\Security\Core\Exception\AuthenticationException;`
`18`	`18`	`use Symfony\Component\Security\Core\Security;`
`19`	`19`	`use Symfony\Component\Security\Http\HttpUtils;`
	`20`	`+use Symfony\Component\Security\Http\ParameterBagUtils;`
`20`	`21`
`21`	`22`	`/**`
`22`	`23`	`* Class with the default authentication failure handling logic.`
`@@ -82,7 +83,7 @@ public function setOptions(array $options)`
`82`	`83`	`*/`
`83`	`84`	`public function onAuthenticationFailure(Request $request, AuthenticationException $exception)`
`84`	`85`	`{`
`85`		`- if ($failureUrl = $request->get($this->options['failure_path_parameter'], null, true)) {`
	`86`	`+ if ($failureUrl = ParameterBagUtils::getRequestParameterValue($request, $this->options['failure_path_parameter'])) {`
`86`	`87`	`$this->options['failure_path'] = $failureUrl;`
`87`	`88`	`}`
`88`	`89`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@`
`14`	`14`	`use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;`
`15`	`15`	`use Symfony\Component\HttpFoundation\Request;`
`16`	`16`	`use Symfony\Component\Security\Http\HttpUtils;`
	`17`	`+use Symfony\Component\Security\Http\ParameterBagUtils;`
`17`	`18`
`18`	`19`	`/**`
`19`	`20`	`* Class with the default authentication success handling logic.`
`@@ -108,7 +109,7 @@ protected function determineTargetUrl(Request $request)`
`108`	`109`	`return $this->options['default_target_path'];`
`109`	`110`	`}`
`110`	`111`
`111`		`- if ($targetUrl = $request->get($this->options['target_path_parameter'], null, true)) {`
	`112`	`+ if ($targetUrl = ParameterBagUtils::getRequestParameterValue($request, $this->options['target_path_parameter'])) {`
`112`	`113`	`return $targetUrl;`
`113`	`114`	`}`
`114`	`115`