[HttpKernel] Deprecate X-Status-Code for better alternative #19822
| $response = $this->httpKernel->handle($subRequest, HttpKernelInterface::SUB_REQUEST); | ||
| if (200 === $response->getStatusCode()) { | ||
| $response->headers->set('X-Status-Code', 401); | ||
| $response->setStatusCode(401); |
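Review bot: the bare `401` on the `$response->setStatusCode(401)` line would read better as `Response::HTTP_UNAUTHORIZED`, and since the status is now written straight onto the sub-request's response inside the `200 === $response->getStatusCode()` branch, a test on the entry point asserting that the returned response carries 401 would pin down the behaviour this thread is unsure about.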
@fabpot I'm not sure about this change. In the authentication listeners found in the `Symfony\Component\Security\Http\Firewall` namespace, the response returned from the `AuthenticationEntryPointInterface::start()` method is set on the response. From what I can see, the X-Status-Code is only ever used when handling the exception in the kernel, so I don't think this will have any adverse impact.
@fabpot interested in hearing your thoughts on the above? Would be good to get this into 3.2 before the development window closes.
This looks suspicious to me. You are saying that this can basically be removed, right? If that's the case, we probably need to understand what changed between the time the PR adding this was merged and now.
| parent::__construct($kernel, $request, $requestType); | ||
|
|
||
| $this->setException($e); | ||
| $this->allowSuccessfulResponse = false; |
This should be set on variable declaration not in construct.
|
The build failure in AppVeyor does not look related to these changes. |
|
@jameshalsall If you could rebase your PR so the Conflict can be resolved, I think we could switch this to Reviewed! |
|
Rebased. |
|
Status: Reviewed |
| /** | ||
| * @var bool | ||
| */ | ||
| private $allowSuccessfulResponse = false; |
Why did you choose this name? This feature is not limited to successful response codes, is it?
Good point - I used this as it was proposed in the original issue, but I'll re-name it to something more appropriate.
@xabbuh updated this now to allowCustomResponseCode
|
Some notes from my research about this (I wanted to understand why it was not used more in Symfony itself):
|
|
@jameshalsall Do you have time to finish this one? |
|
@fabpot I will get to this early next week - it's completely slipped my mind |
|
@fabpot this is ready for re-review now |
|
|
||
| // the developer asked for a specific status code | ||
| if ($response->headers->has('X-Status-Code')) { | ||
| @trigger_error(sprintf('Using the X-Status-Code header is deprecated, use %s::allowCustomResponseCode() instead.', GetResponseForExceptionEvent::class), E_USER_DEPRECATED); |
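Review bot: the `@trigger_error(...)` line introduces a deprecation path for responses that still carry `X-Status-Code`, but no test covering that path is visible here. A test in the `legacy` group that sets the header and checks both the resulting status code and the deprecation notice would keep the fallback covered until it is removed.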
should be `is deprecated since version 3.3 and will be removed in 4.0. Use ...`
|
|
||
| try { | ||
| $event->setResponse($this->startAuthentication($event->getRequest(), $exception)); | ||
| if (method_exists($event, 'allowCustomResponseCode')) { |
The condition should be removed and composer.json (both for symfony/security and symfony/security-http) should be updated to only allow symfony/http-kernel 3.3+. The reason is that you are using setStatusCode above anyway, so the code only works for patched versions of http-kernel.
| $subRequest->attributes->set(Security::ACCESS_DENIED_ERROR, $exception); | ||
|
|
||
| $event->setResponse($event->getKernel()->handle($subRequest, HttpKernelInterface::SUB_REQUEST, true)); | ||
| if (method_exists($event, 'allowCustomResponseCode')) { |
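Review bot: if the branch guarded by `method_exists($event, 'allowCustomResponseCode')` marks the event as allowing a custom code, the client receives whatever status the sub-request made by `$event->getKernel()->handle($subRequest, HttpKernelInterface::SUB_REQUEST, true)` produced, including 200 for a request that was denied (`Security::ACCESS_DENIED_ERROR` is set on it just above). Consider setting the intended status on the returned response explicitly before marking the event, and add a functional test that asserts the status code the client sees on the access-denied path.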
Condition should be removed
| $listener->onKernelException($event); | ||
|
|
||
| $this->assertEquals('error', $event->getResponse()->getContent()); | ||
| if (method_exists($event, 'isAllowingCustomResponseCode')) { |
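Review bot: wrapping the check in `if (method_exists($event, 'isAllowingCustomResponseCode'))` lets this test pass without asserting on the flag at all whenever the method is missing. Assert unconditionally, or mark the test as skipped when the method is absent, so a regression cannot hide behind the guard.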
Condition can be removed
| $listener->onKernelException($event); | ||
|
|
||
| $this->assertEquals('OK', $event->getResponse()->getContent()); | ||
| if (method_exists($event, 'isAllowingCustomResponseCode')) { |
can be removed
|
Also, we need to work on a PR on Silex to be sure that the code proposed here works there as well. |
This marks the X-Status-Code header method of setting a custom response status code in exception listeners as deprecated. Instead there is now a new method on the GetResponseForExceptionEvent that allows successful status codes in the response sent to the client.
|
Thank you @jameshalsall. |
|
@jameshalsall Can you finish the PR for Silex? Thanks. |
…ative (jameshalsall)

This PR was merged into the 3.3-dev branch.

Discussion
----------

[HttpKernel] Deprecate X-Status-Code for better alternative

| Q | A |
| --- | --- |
| Branch? | master |
| Bug fix? | no |
| New feature? | yes |
| BC breaks? | no |
| Deprecations? | yes |
| Tests pass? | yes |
| Fixed tickets | #12343 |
| License | MIT |
| Doc PR | symfony/symfony-docs#6948 |

This marks the X-Status-Code header method of setting a custom response status code in exception listeners for a better alternative. There is now a new method on the `GetResponseForExceptionEvent` that allows successful status codes in the response sent to the client.

The old method of setting the X-Status-Code header will now throw a deprecation warning.

Instead, in your exception listener you simply call `GetResponseForExceptionEvent::allowCustomResponseCode()` which will tell the Kernel not to override the status code of the event's response object.

Currently the `X-Status-Code` header will still be removed, so as not to change the existing behaviour, but this is something we can remove in 4.0.

TODO:

- [x] Replace usage of X-Status-Code in `FormAuthenticationEntryPoint`
- [x] Open Silex issue
- [x] Rename method on the response
- [x] Ensure correct response code is set in `AuthenticationEntryPointInterface` implementations
- [x] Ensure the exception listeners are marking `GetResponseForExceptionEvent` as allowing a custom response code
- [x] In the Security component we should only use the new method of setting a custom response code if it is available, and fall back to the `X-Status-Code` method

Commits
-------

cc0ef28 [HttpKernel] Deprecate X-Status-Code for better alternative
|
As a result of this change, PhpUnit functional tests no longer recognize redirects on ACL exceptions. When authenticated as a user without the required role, this fails: Functional tests have to resort to confirming that the response content matches the expected redirect page (e.g. the home page) instead of the tested forbidden page's content. This can also be seen in debug mode in the Symfony profiler - the HTTP status is 200, though a Sub Request exists with an Either of these changes to or: I can't tell what the original intent was for the change in this particular instance, so I'm not sure which would be preferred. |
… handler (jameshalsall)

This PR was submitted for the master branch but it was merged into the 3.3 branch instead (closes #6948).

Discussion
----------

Update docs for setting custom response code in exception handler

Docs update for the changes applied in symfony/symfony#19822

Commits
-------

5f0becf Update docs for setting custom response code in exception handler

…obrev)

This PR was merged into the 2.3.x-dev branch.

Discussion
----------

Allow setting custom status code on exception response

Closes #1450.

Prior and related PRs and issues:

- symfony/symfony#19822
- symfony/symfony-docs@5f0becf
- symfony/symfony-docs#9336

Commits
-------

7103511 Allow setting custom status code on exception response

…Code

Introduced in 5f0becf

The functionality was introduced in symfony/symfony#19822.

The method got renamed during code review, but was not updated in the docs. symfony/symfony#19822 (comment)

…onseCode (hkdobrev)

This PR was submitted for the master branch but it was merged into the 3.4 branch instead (closes #9336).

Discussion
----------

Rename allowSuccessfulResponse to correct allowCustomResponseCode

Introduced in 5f0becf

The functionality was introduced in symfony/symfony#19822.

The method got renamed during code review, but was not updated in the docs. symfony/symfony#19822 (comment)

Commits
-------

0cda0d5 Rename missing allowCustomResponseCode to correct allowCustomResponseCode
This marks the X-Status-Code header method of setting a custom response status code in exception listeners for a better alternative. There is now a new method on the `GetResponseForExceptionEvent` that allows successful status codes in the response sent to the client.

The old method of setting the X-Status-Code header will now throw a deprecation warning.

Instead, in your exception listener you simply call `GetResponseForExceptionEvent::allowCustomResponseCode()` which will tell the Kernel not to override the status code of the event's response object.

Currently the `X-Status-Code` header will still be removed, so as not to change the existing behaviour, but this is something we can remove in 4.0.

TODO:

- [x] Replace usage of X-Status-Code in `FormAuthenticationEntryPoint`
- [x] Open Silex issue
- [x] Rename method on the response
- [x] Ensure correct response code is set in `AuthenticationEntryPointInterface` implementations
- [x] Ensure the exception listeners are marking `GetResponseForExceptionEvent` as allowing a custom response code
- [x] In the Security component we should only use the new method of setting a custom response code if it is available, and fall back to the `X-Status-Code` method
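
A listener using the replacement API described above, as an added example (not code from this PR or from Symfony itself). The `App\EventListener` namespace, the `ApiExceptionListener` class and the `MaintenanceException` type are hypothetical, and the listener is assumed to be registered for the `kernel.exception` event on symfony/http-kernel 3.3.

```php
<?php

namespace App\EventListener;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
use Symfony\Component\HttpKernel\Exception\HttpExceptionInterface;

/** Hypothetical exception type, defined here only to keep the example complete. */
class MaintenanceException extends \RuntimeException
{
}

/** Hypothetical listener, assumed to be registered for the kernel.exception event. */
class ApiExceptionListener
{
    public function onKernelException(GetResponseForExceptionEvent $event)
    {
        $exception = $event->getException();

        if ($exception instanceof MaintenanceException) {
            // A 200 is intended here, so the status is set on the response itself.
            // Deprecated form: $response->headers->set('X-Status-Code', 200);
            $event->setResponse(new JsonResponse(['status' => 'maintenance'], Response::HTTP_OK));

            // Tell the kernel not to override the status code of the event's response.
            $event->allowCustomResponseCode();

            return;
        }

        // Every other exception gets an explicit error status and no internal details.
        // allowCustomResponseCode() is not called on this path, so the opt-in stays
        // limited to the one branch where a non-error status is deliberate.
        $status = $exception instanceof HttpExceptionInterface
            ? $exception->getStatusCode()
            : Response::HTTP_INTERNAL_SERVER_ERROR;

        $event->setResponse(new JsonResponse(['error' => 'request failed'], $status));
    }
}
```

Keeping the `allowCustomResponseCode()` call inside the single branch that needs it means a denied or failed request handled by this listener cannot leave with a success status by accident.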