[HttpKernel] Deprecate X-Status-Code for better alternative

James Halsall · jameshalsall · commit f9ce4981d16a · 2017-02-20T22:12:44.000Z
This marks the X-Status-Code header method of setting a custom response
status code in exception listeners as deprecated. Instead there is now
a new method on the GetResponseForExceptionEvent that allows successful
status codes in the response sent to the client.
diff --git a/UPGRADE-3.3.md b/UPGRADE-3.3.md
@@ -76,6 +76,11 @@ HttpKernel
 
  * The `Psr6CacheClearer::addPool()` method has been deprecated. Pass an array of pools indexed
    by name to the constructor instead.
+   
+ * The `X-Status-Code` header method of setting a custom status code in the response
+   when handling exceptions has been removed. There is now a new
+   `GetResponseForExceptionEvent::allowCustomResponseCode()` method instead, which
+   will tell the Kernel to use the response code set on the event's response object.
 
 Process
 -------
diff --git a/UPGRADE-4.0.md b/UPGRADE-4.0.md
@@ -236,6 +236,11 @@ HttpKernel
 
  * The `Psr6CacheClearer::addPool()` method has been removed. Pass an array of pools indexed
    by name to the constructor instead.
+   
+ * The `X-Status-Code` header method of setting a custom status code in the response
+   when handling exceptions has been removed. There is now a new
+   `GetResponseForExceptionEvent::allowCustomResponseCode()` method instead, which
+   will tell the Kernel to use the response code set on the event's response object.
 
 Process
 -------
diff --git a/src/Symfony/Component/HttpKernel/Event/GetResponseForExceptionEvent.php b/src/Symfony/Component/HttpKernel/Event/GetResponseForExceptionEvent.php
@@ -36,6 +36,11 @@ class GetResponseForExceptionEvent extends GetResponseEvent
      */
     private $exception;
 
+    /**
+     * @var bool
+     */
+    private $allowCustomResponseCode = false;
+
     public function __construct(HttpKernelInterface $kernel, Request $request, $requestType, \Exception $e)
     {
         parent::__construct($kernel, $request, $requestType);
@@ -64,4 +69,22 @@ public function setException(\Exception $exception)
     {
         $this->exception = $exception;
     }
+
+    /**
+     * Mark the event as allowing a custom response code.
+     */
+    public function allowCustomResponseCode()
+    {
+        $this->allowCustomResponseCode = true;
+    }
+
+    /**
+     * Returns true if the event allows a custom response code.
+     *
+     * @return bool
+     */
+    public function isAllowingCustomResponseCode()
+    {
+        return $this->allowCustomResponseCode;
+    }
 }
diff --git a/src/Symfony/Component/HttpKernel/HttpKernel.php b/src/Symfony/Component/HttpKernel/HttpKernel.php
@@ -242,10 +242,12 @@ private function handleException(\Exception $e, $request, $type)
 
         // the developer asked for a specific status code
         if ($response->headers->has('X-Status-Code')) {
+            @trigger_error(sprintf('Using the X-Status-Code header is deprecated, use %s::allowCustomResponseCode() instead.', GetResponseForExceptionEvent::class), E_USER_DEPRECATED);
+
             $response->setStatusCode($response->headers->get('X-Status-Code'));
 
             $response->headers->remove('X-Status-Code');
-        } elseif (!$response->isClientError() && !$response->isServerError() && !$response->isRedirect()) {
+        } elseif (!$event->isAllowingCustomResponseCode() && !$response->isClientError() && !$response->isServerError() && !$response->isRedirect()) {
             // ensure that we actually have an error response
             if ($e instanceof HttpExceptionInterface) {
                 // keep the HTTP status code and headers
diff --git a/src/Symfony/Component/HttpKernel/Tests/Event/GetResponseForExceptionEventTest.php b/src/Symfony/Component/HttpKernel/Tests/Event/GetResponseForExceptionEventTest.php
@@ -0,0 +1,26 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\HttpKernel\Tests\Event;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
+use Symfony\Component\HttpKernel\Tests\TestHttpKernel;
+
+class GetResponseForExceptionEventTest extends \PHPUnit_Framework_TestCase
+{
+    public function testAllowSuccessfulResponseIsFalseByDefault()
+    {
+        $event = new GetResponseForExceptionEvent(new TestHttpKernel(), new Request(), 1, new \Exception());
+
+        $this->assertFalse($event->isAllowingCustomResponseCode());
+    }
+}
diff --git a/src/Symfony/Component/HttpKernel/Tests/HttpKernelTest.php b/src/Symfony/Component/HttpKernel/Tests/HttpKernelTest.php
@@ -17,6 +17,7 @@
 use Symfony\Component\HttpKernel\Controller\ArgumentResolverInterface;
 use Symfony\Component\HttpKernel\Controller\ControllerResolverInterface;
 use Symfony\Component\HttpKernel\Event\FilterControllerArgumentsEvent;
+use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
 use Symfony\Component\HttpKernel\HttpKernel;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
 use Symfony\Component\HttpKernel\KernelEvents;
@@ -111,9 +112,10 @@ public function testHandleHttpException()
     }
 
     /**
+     * @group legacy
      * @dataProvider getStatusCodes
      */
-    public function testHandleWhenAnExceptionIsHandledWithASpecificStatusCode($responseStatusCode, $expectedStatusCode)
+    public function testLegacyHandleWhenAnExceptionIsHandledWithASpecificStatusCode($responseStatusCode, $expectedStatusCode)
     {
         $dispatcher = new EventDispatcher();
         $dispatcher->addListener(KernelEvents::EXCEPTION, function ($event) use ($responseStatusCode, $expectedStatusCode) {
@@ -137,6 +139,32 @@ public function getStatusCodes()
         );
     }
 
+    /**
+     * @dataProvider getSpecificStatusCodes
+     */
+    public function testHandleWhenAnExceptionIsHandledWithASpecificStatusCode($expectedStatusCode)
+    {
+        $dispatcher = new EventDispatcher();
+        $dispatcher->addListener(KernelEvents::EXCEPTION, function (GetResponseForExceptionEvent $event) use ($expectedStatusCode) {
+            $event->allowCustomResponseCode();
+            $event->setResponse(new Response('', $expectedStatusCode));
+        });
+
+        $kernel = $this->getHttpKernel($dispatcher, function () { throw new \RuntimeException(); });
+        $response = $kernel->handle(new Request());
+
+        $this->assertEquals($expectedStatusCode, $response->getStatusCode());
+    }
+
+    public function getSpecificStatusCodes()
+    {
+        return array(
+            array(200),
+            array(302),
+            array(403),
+        );
+    }
+
     public function testHandleWhenAListenerReturnsAResponse()
     {
         $dispatcher = new EventDispatcher();
diff --git a/src/Symfony/Component/Security/Http/EntryPoint/FormAuthenticationEntryPoint.php b/src/Symfony/Component/Security/Http/EntryPoint/FormAuthenticationEntryPoint.php
@@ -54,7 +54,7 @@ public function start(Request $request, AuthenticationException $authException =
 
             $response = $this->httpKernel->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
             if (200 === $response->getStatusCode()) {
-                $response->headers->set('X-Status-Code', 401);
+                $response->setStatusCode(401);
             }
 
             return $response;
diff --git a/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php b/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
@@ -112,6 +112,9 @@ private function handleAuthenticationException(GetResponseForExceptionEvent $eve
 
         try {
             $event->setResponse($this->startAuthentication($event->getRequest(), $exception));
+            if (method_exists($event, 'allowCustomResponseCode')) {
+                $event->allowCustomResponseCode();
+            }
         } catch (\Exception $e) {
             $event->setException($e);
         }
@@ -155,6 +158,9 @@ private function handleAccessDeniedException(GetResponseForExceptionEvent $event
                 $subRequest->attributes->set(Security::ACCESS_DENIED_ERROR, $exception);
 
                 $event->setResponse($event->getKernel()->handle($subRequest, HttpKernelInterface::SUB_REQUEST, true));
+                if (method_exists($event, 'allowCustomResponseCode')) {
+                    $event->allowCustomResponseCode();
+                }
             }
         } catch (\Exception $e) {
             if (null !== $this->logger) {
diff --git a/src/Symfony/Component/Security/Http/Tests/EntryPoint/FormAuthenticationEntryPointTest.php b/src/Symfony/Component/Security/Http/Tests/EntryPoint/FormAuthenticationEntryPointTest.php
@@ -64,6 +64,6 @@ public function testStartWithUseForward()
         $entryPointResponse = $entryPoint->start($request);
 
         $this->assertEquals($response, $entryPointResponse);
-        $this->assertEquals(401, $entryPointResponse->headers->get('X-Status-Code'));
+        $this->assertEquals(401, $entryPointResponse->getStatusCode());
     }
 }
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/ExceptionListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/ExceptionListenerTest.php
@@ -44,14 +44,18 @@ public function testAuthenticationExceptionWithoutEntryPoint(\Exception $excepti
     /**
      * @dataProvider getAuthenticationExceptionProvider
      */
-    public function testAuthenticationExceptionWithEntryPoint(\Exception $exception, \Exception $eventException = null)
+    public function testAuthenticationExceptionWithEntryPoint(\Exception $exception)
     {
-        $event = $this->createEvent($exception = new AuthenticationException());
+        $event = $this->createEvent($exception);
+
+        $response = new Response('Forbidden', 403);
 
-        $listener = $this->createExceptionListener(null, null, null, $this->createEntryPoint());
+        $listener = $this->createExceptionListener(null, null, null, $this->createEntryPoint($response));
         $listener->onKernelException($event);
 
-        $this->assertEquals('OK', $event->getResponse()->getContent());
+        $this->assertTrue($event->isAllowingCustomResponseCode());
+        $this->assertEquals('Forbidden', $event->getResponse()->getContent());
+        $this->assertEquals(403, $event->getResponse()->getStatusCode());
         $this->assertSame($exception, $event->getException());
     }
 
@@ -100,7 +104,7 @@ public function testAccessDeniedExceptionFullFledgedAndWithoutAccessDeniedHandle
     public function testAccessDeniedExceptionFullFledgedAndWithoutAccessDeniedHandlerAndWithErrorPage(\Exception $exception, \Exception $eventException = null)
     {
         $kernel = $this->getMockBuilder('Symfony\Component\HttpKernel\HttpKernelInterface')->getMock();
-        $kernel->expects($this->once())->method('handle')->will($this->returnValue(new Response('error')));
+        $kernel->expects($this->once())->method('handle')->will($this->returnValue(new Response('Unauthorized', 401)));
 
         $event = $this->createEvent($exception, $kernel);
 
@@ -110,7 +114,9 @@ public function testAccessDeniedExceptionFullFledgedAndWithoutAccessDeniedHandle
         $listener = $this->createExceptionListener(null, $this->createTrustResolver(true), $httpUtils, null, '/error');
         $listener->onKernelException($event);
 
-        $this->assertEquals('error', $event->getResponse()->getContent());
+        $this->assertTrue($event->isAllowingCustomResponseCode());
+        $this->assertEquals('Unauthorized', $event->getResponse()->getContent());
+        $this->assertEquals(401, $event->getResponse()->getStatusCode());
         $this->assertSame(null === $eventException ? $exception : $eventException, $event->getException()->getPrevious());
     }
 
@@ -159,10 +165,10 @@ public function getAccessDeniedExceptionProvider()
         );
     }
 
-    private function createEntryPoint()
+    private function createEntryPoint(Response $response = null)
     {
         $entryPoint = $this->getMockBuilder('Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface')->getMock();
-        $entryPoint->expects($this->once())->method('start')->will($this->returnValue(new Response('OK')));
+        $entryPoint->expects($this->once())->method('start')->will($this->returnValue($response ?: new Response('OK')));
 
         return $entryPoint;
     }

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ public function start(Request $request, AuthenticationException $authException =`
`54`	`54`
`55`	`55`	`$response = $this->httpKernel->handle($subRequest, HttpKernelInterface::SUB_REQUEST);`
`56`	`56`	`if (200 === $response->getStatusCode()) {`
`57`		`- $response->headers->set('X-Status-Code', 401);`
	`57`	`+ $response->setStatusCode(401);`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`return $response;`
Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,6 @@ public function testStartWithUseForward()`
`64`	`64`	`$entryPointResponse = $entryPoint->start($request);`
`65`	`65`
`66`	`66`	`$this->assertEquals($response, $entryPointResponse);`
`67`		`- $this->assertEquals(401, $entryPointResponse->headers->get('X-Status-Code'));`
	`67`	`+ $this->assertEquals(401, $entryPointResponse->getStatusCode());`
`68`	`68`	`}`
`69`	`69`	`}`