[Security] deprecate the Role and SwitchUserRole classes#22048
[Security] deprecate the Role and SwitchUserRole classes#22048fabpot merged 1 commit intosymfony:masterfrom
Conversation
729a3aa to
71b26ae
Compare
a8df9f2 to
1aec9b7
Compare
This PR was merged into the 2.7 branch. Discussion ---------- [Security] simplify the SwitchUserListenerTest | Q | A | ------------- | --- | Branch? | 2.7 | Bug fix? | no | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | | License | MIT | Doc PR | While working on #22048 I noticed that the `SwitchUserListenerTest` was more complicated than necessary by mocking a lot of stuff that didn't need to be mocked. Commits ------- 923bbdb [Security] simplify the SwitchUserListenerTest
src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php
Outdated
Show resolved
Hide resolved
|
@symfony/deciders I would like to hear your opinion on this topic? Do you think it's worth to finish this approach? Should we take another road? |
src/Symfony/Component/Security/Core/Authentication/Token/UsernamePasswordToken.php
Outdated
Show resolved
Hide resolved
|
IMO it's a good move. We still need to be able to get both impersonator/impersonated user from the token, I guess it's planed |
|
Agreed, that would remove the need for |
|
@xabbuh will you have tome to finish this PR for 3.4? |
|
Yes, I am working on it. |
|
should we move to 4.1? |
|
I think so. |
1aec9b7 to
daf09cb
Compare
daf09cb to
7194244
Compare
7194244 to
2054024
Compare
b871a65 to
b2cfbb3
Compare
b2cfbb3 to
d7aaa61
Compare
|
tests pass now Status: Needs Review |
src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php
Show resolved
Hide resolved
|
Thank you @xabbuh. |
…es (xabbuh) This PR was merged into the 4.3-dev branch. Discussion ---------- [Security] deprecate the Role and SwitchUserRole classes | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | no | BC breaks? | no | Deprecations? | yes | Tests pass? | yes | Fixed tickets | #20824 | License | MIT | Doc PR | symfony/symfony-docs#11047 In #20801, we deprecated the `RoleInterface`. The next logical step would be to also deprecate the `Role` class. However, we currently have the `SwitchUserRole` class (a sub-class of `Role`) that acts as an indicator to check whether or not the authenticated user switched to another user. This PR proposes an alternative solution to the usage of the special `SwitchUserRole` class by storing the original token inside the `UsernamePasswordToken`. This PR is not complete, but rather acts as a proof of concept of how we could get rid of the `Role` and the `SwitchUserRole` classes. Please share your opinions whether you think this is a valid approach and I will be happy to finalise the PR. Commits ------- d7aaa61 deprecate the Role and SwitchUserRole classes
This PR was merged into the master branch. Discussion ---------- document the deprecation of the role classes see symfony/symfony#22048 Commits ------- 0fbef77 document the deprecation of the role classes
| * | ||
| * @author Fabien Potencier <[email protected]> | ||
| * | ||
| * @deprecated since Symfony 4.3, to be removed in 5.0. |
There was a problem hiding this comment.
Why deprecating this interface instead of asking to implement the new method in it ? Removing the interface would remove a supported extension point.
There was a problem hiding this comment.
I don't remember why I did that initially. I guess it was due to an earlier implementation. #30388 will revert this part.
…buh) This PR was merged into the 4.3-dev branch. Discussion ---------- [Security] undeprecate the RoleHierarchyInterface | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | symfony/symfony#22048 (comment) | License | MIT | Doc PR | Instead of deprecating the interface it is sufficient to deprecate its getReachableRoles() method and add a new getReachableRoleNames() method in Symfony 5. Commits ------- 2d3f2b7a74 undeprecate the RoleHierarchyInterface
…buh) This PR was merged into the 4.3-dev branch. Discussion ---------- [Security] undeprecate the RoleHierarchyInterface | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #22048 (comment) | License | MIT | Doc PR | Instead of deprecating the interface it is sufficient to deprecate its getReachableRoles() method and add a new getReachableRoleNames() method in Symfony 5. Commits ------- 2d3f2b7 undeprecate the RoleHierarchyInterface
| * @param (Role|string)[] $roles An array of roles | ||
| * @param UserInterface $user The user! | ||
| * @param string $providerKey The provider (firewall) key | ||
| * @param string[] $roles An array of roles |
There was a problem hiding this comment.
Although the Role object is deprecated the $roles argument can still accept Roles object..
this change breaks my phpstan when I have something like this:
$newToken = new PostAuthenticationGuardToken($user, 'secured_area', $user->getRoles());
would it be acceptable to revert this docblock change?
There was a problem hiding this comment.
We normally do not document the deprecated arguments anymore. Same as if we deprecate an argument and use func_get_arg for BC. Otherwise people could think the deprecated way is still the right way and write code accordingly. So IMO we should not change that. Either fix the deprecation or ignore the phpstan error.
There was a problem hiding this comment.
We normally do not document the deprecated arguments anymore.
I guess the same does not apply here because it is a return argument?
There was a problem hiding this comment.
It should be changed there as well.
In #20801, we deprecated the
RoleInterface. The next logical step would be to also deprecate theRoleclass. However, we currently have theSwitchUserRoleclass (a sub-class ofRole) that acts as an indicator to check whether or not the authenticated user switched to another user.This PR proposes an alternative solution to the usage of the special
SwitchUserRoleclass by storing the original token inside theUsernamePasswordToken. This PR is not complete, but rather acts as a proof of concept of how we could get rid of theRoleand theSwitchUserRoleclasses.Please share your opinions whether you think this is a valid approach and I will be happy to finalise the PR.