Closed
Symfony version(s) affected
7.1
Description
This PR introduced a BC break in 7.1, which can be very problematic.
I used class names as regular groups before 7.1, and now properties get serialized which weren't serialized before.
How to reproduce
Example:
```php
<?php

use Symfony\Component\Serializer\Attribute\Groups;

class User {
    #[Groups(['CurrentUser'])]
    public string $name;
    #[Groups(['CurrentUser'])]
    public Membership $membership;
}

class Membership {
    // Only in the 'Membership' group, so it should not appear for 'CurrentUser'
    #[Groups(['Membership'])]
    public string $privateKey;
    #[Groups(['CurrentUser', 'Membership'])]
    public string $name;
}

// $userRepository and $serializer are assumed to be injected by the application
$user = $userRepository->findOneBy(['id' => '...']);
$serializer->normalize($user, 'json', ['groups' => ['CurrentUser']]);
```
In PHP 7.1 the privateKey property will get normalized, although I have changed nothing. This can be a security issue, because unprivileged users may see data which was not intended for them.
I just became aware of this, because of my automatic tests.
Possible Solution
I'd prefer to see this PR reverted, but I guess this won't happen. Maybe an option could be introduced to disable the addition of those magic groups.
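The reporter mentions catching this through automatic tests. The following is an added, self-contained example of such a regression check, not code from the issue or from Symfony itself: it builds a serializer that reads the `#[Groups]` attributes the same way a Symfony application does, normalizes a constructed `User` with the `CurrentUser` group, and fails if a `privateKey` key appears anywhere in the output. It assumes the Symfony 7.x Serializer component is installed via Composer (the `AttributeLoader` and `Attribute\Groups` class names are those of Symfony 6.4+); the property values are constructed sample data. According to the report, this check passes before 7.1 and fails on 7.1.

```php
<?php
// Added regression check (not from the issue): the 'CurrentUser' group must never
// expose Membership::$privateKey, however deeply the object graph is nested.
// Assumes symfony/serializer 7.x installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Serializer\Attribute\Groups;
use Symfony\Component\Serializer\Encoder\JsonEncoder;
use Symfony\Component\Serializer\Mapping\Factory\ClassMetadataFactory;
use Symfony\Component\Serializer\Mapping\Loader\AttributeLoader;
use Symfony\Component\Serializer\Normalizer\ObjectNormalizer;
use Symfony\Component\Serializer\Serializer;

class Membership
{
    #[Groups(['Membership'])]
    public string $privateKey = 'constructed-secret-value'; // constructed sample value

    #[Groups(['CurrentUser', 'Membership'])]
    public string $name = 'gold';                           // constructed sample value
}

class User
{
    #[Groups(['CurrentUser'])]
    public string $name = 'alice';                          // constructed sample value

    #[Groups(['CurrentUser'])]
    public Membership $membership;

    public function __construct()
    {
        $this->membership = new Membership();
    }
}

// Recursively report whether $key occurs at any nesting level of a normalized array.
function containsKey(array $data, string $key): bool
{
    foreach ($data as $k => $v) {
        if ($k === $key || (is_array($v) && containsKey($v, $key))) {
            return true;
        }
    }
    return false;
}

// Serializer wired to read #[Groups] attributes, as the framework does by default.
$serializer = new Serializer(
    [new ObjectNormalizer(new ClassMetadataFactory(new AttributeLoader()))],
    [new JsonEncoder()]
);

$data = $serializer->normalize(new User(), 'json', ['groups' => ['CurrentUser']]);

// Fail loudly (non-zero exit for CI) if the 'Membership'-only property leaked.
if (containsKey($data, 'privateKey')) {
    fwrite(STDERR, "FAIL: privateKey exposed in group CurrentUser: " . json_encode($data) . "\n");
    exit(1);
}

echo "OK: " . json_encode($data) . "\n";
```

Run it with `php check_groups.php` from the project root; a non-zero exit makes it usable as a CI gate so that a serializer upgrade cannot silently widen what a group exposes. The recursive key walk is deliberate: the leak in the report happens on a nested object, so checking only the top-level keys would miss it.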