Deprecated the AdvancedUserInterface #23508
Conversation
UPGRADE-3.4.md
Outdated
| Security | ||
| -------- | ||
|
|
||
| * Using the AdvancedUserInterface is now deprecated. To use the existing |
There was a problem hiding this comment.
AdvancedUserInterface should be enclosed with backticks
UPGRADE-3.4.md
Outdated
| -------- | ||
|
|
||
| * Using the AdvancedUserInterface is now deprecated. To use the existing | ||
| functionality, create a custom user-checker based off the |
UPGRADE-3.4.md
Outdated
| removed in Symfony 4.0. | ||
|
|
||
| * The in-memory user no longer uses the `AdvancedUserInterface` and has the | ||
| functionality inlined. |
UPGRADE-4.0.md
Outdated
| @@ -475,6 +475,14 @@ Security | |||
| * The `AccessDecisionManager::setVoters()` method has been removed. Pass the | |||
| voters to the constructor instead. | |||
|
|
|||
| * Using the AdvancedUserInterface is now deprecated. To use the existing | |||
There was a problem hiding this comment.
in 4.0 the AdvancedUserInterface would be removed right?
| @@ -32,6 +32,7 @@ | |||
| * | |||
| * @see UserInterface | |||
| * @see AccountStatusException | |||
| * @deprecated This interface is deprecated as of 3.4 and will be removed in 4.0. | |||
There was a problem hiding this comment.
@deprecated since 3.4, to be removed in 4.0 something like that i believe. Also missing a runtime deprecation? i.e. trigger_error
There was a problem hiding this comment.
@deprecated since version 3.4, will be removed in 4.0.
(but no runtime notice because that'd trigger it for existing classes in core)
| @@ -47,7 +46,7 @@ | |||
| * and populated in any number of different ways when the user object | |||
| * is created. | |||
| * | |||
| * @return (Role|string)[] The user roles | |||
| * @return Role|string[] The user roles | |||
There was a problem hiding this comment.
Should be reverted, it's intended as PSR-5 doc
There was a problem hiding this comment.
Hmm PhpStorm did not recognize this notation and PSR-5 is still not finished
There was a problem hiding this comment.
should be Role[]|string[] then I guess?
There was a problem hiding this comment.
¯_(ツ)_/¯ technically that's an array of either strings or roles, whereas PSR-5 allows a mixed array.
There was a problem hiding this comment.
It should stay (Role|string)[] it's an array that can contains a mix of both Role objects and strings
| } | ||
|
|
||
| /** | ||
| * @group legacy |
There was a problem hiding this comment.
missing @expectedDeprecation?
|
Btw if we deprecate AdvancedUserInterace, i dont see the need to inline those methods into User (as a side effect); we could deprecate those in turn as well. Probably allows to cleanup further :) |
| @@ -18,7 +18,7 @@ | |||
| * | |||
| * @author Fabien Potencier <[email protected]> | |||
| */ | |||
| final class User implements AdvancedUserInterface | |||
| final class User implements UserInterface, EquatableInterface | |||
There was a problem hiding this comment.
Consider this instead;
final class User implements UserInterface, EquatableInterface, AdvancedUserInterface
It should work just fine : https://3v4l.org/eRO4P, and avoids a BC-break for code that does this: $user instanceof AdvancedUserInterface
There was a problem hiding this comment.
Yes, that's what I've been thinking off as well after a discussion with @ro0NL on slack. On one side it feels like this behavior shouldn't be used too often, but I also know that if something can happen, it will happen.
I just need to find a way to not trigger a deprecation for that.
There was a problem hiding this comment.
I just need to find a way to not trigger a deprecation for that.
In the user checker? I guess you could check the classname before triggering, and if it is the core user class, don't trigger.
There was a problem hiding this comment.
Looking at RoleInterface; i think soft deprecating is fine. Implementing EquatableInterface is a new feature really. Perhaps simply revert this line?
|
@ro0NL They are already in the |
|
Side note, I was thinking of opening an RFC to rename the |
Deprecate |
|
That could make the deprecations of User complete and simply use a smaller InMemory user anyway, Might solve more issues |
|
Please, don't deprecate |
|
@javiereguiluz the |
|
@iltar I'm sorry. I should have checked twice before commenting (I was on the phone). If this is the non-persisted user, then |
| @@ -16,6 +16,8 @@ | |||
| use Symfony\Component\Security\Core\Role\Role; | |||
| use Symfony\Component\Security\Core\Role\SwitchUserRole; | |||
| use Symfony\Component\Security\Core\User\User; | |||
| use Symfony\Component\Security\Core\User\UserInterface; | |||
| use Symfony\Component\Security\Core\User\AdvancedUserInterface; | |||
| @@ -16,6 +16,7 @@ | |||
| use Symfony\Bridge\Doctrine\Tests\Fixtures\User; | |||
| use Symfony\Bridge\Doctrine\Security\User\EntityUserProvider; | |||
| use Doctrine\ORM\Tools\SchemaTool; | |||
| use Symfony\Component\Security\Core\User\UserInterface; | |||
There was a problem hiding this comment.
local alpha order: should be moved one line up
| @@ -156,7 +157,7 @@ public function testLoadUserByUserNameShouldLoadUserWhenProperInterfaceProvided( | |||
| ->method('loadUserByUsername') | |||
| ->with('name') | |||
| ->willReturn( | |||
| $this->getMockBuilder('\Symfony\Component\Security\Core\User\UserInterface')->getMock() | |||
| $this->getMockBuilder(UserInterface::class)->getMock() | |||
There was a problem hiding this comment.
please revert all the non required ::class, we favor helping future merges than doing these CS updates
| @@ -47,7 +46,7 @@ | |||
| * and populated in any number of different ways when the user object | |||
| * is created. | |||
| * | |||
| * @return (Role|string)[] The user roles | |||
| * @return Role|string[] The user roles | |||
There was a problem hiding this comment.
should be Role[]|string[] then I guess?
| @@ -264,6 +264,7 @@ private function hasUserChanged(UserInterface $user) | |||
| } | |||
|
|
|||
| if ($this->user instanceof AdvancedUserInterface && $user instanceof AdvancedUserInterface) { | |||
| @trigger_error(sprintf('Checking for the AdvancedUserInterface in %s has been deprecated in 3.4 and will be removed in 4.0. Implement the %s to check if the user has been changed,', __METHOD__, EquatableInterface::class), E_USER_DEPRECATED); | |||
There was a problem hiding this comment.
Perhaps I should check for the in memory user class here as well?
There was a problem hiding this comment.
it's equatable now.. so it wont get here right?
There was a problem hiding this comment.
The User, yes. The custom implementations of the AdvancedUserInterface, no
| public function testIsEqualToWithDifferentUser() | ||
| { | ||
| $user = new User('username', 'password'); | ||
| $this->assertFalse($user->isEqualTo($this->createMock(UserInterface::class))); |
There was a problem hiding this comment.
should be getMockBuilder(UserInterface::class)->getMock() (see travis)
|
@chalasr tests should be green now |
| @@ -28,10 +28,14 @@ class UserChecker implements UserCheckerInterface | |||
| */ | |||
| public function checkPreAuth(UserInterface $user) | |||
| { | |||
| if (!$user instanceof AdvancedUserInterface) { | |||
| if (!$user instanceof AdvancedUserInterface && !$user instanceof User) { | |||
There was a problem hiding this comment.
why do this? this will break any custom advanced user implem
There was a problem hiding this comment.
Previously it would return early if it wasn't an AdvancedUserInterface. In the future, this will be only if it's not a User (InMemoryUser). That's what I meant with the confusion about the naming.
| return false; | ||
| } | ||
|
|
||
| if ($this->isAccountNonExpired() !== $user->isAccountNonExpired()) { |
There was a problem hiding this comment.
We can't assume that this method exists on $user class since it can be any UserInterface implementation which does not provide it
|
Squashed and rebased against 3.4 to solve merge conflicts |
|
@iltar sorry another rebase is needed |
|
@nicolas-grekas fixed |
| @@ -184,11 +185,9 @@ public function testSetUser($user) | |||
|
|
|||
| public function getUsers() | |||
| { | |||
| $user = $this->getMockBuilder('Symfony\Component\Security\Core\User\UserInterface')->getMock(); | |||
| $advancedUser = $this->getMockBuilder('Symfony\Component\Security\Core\User\AdvancedUserInterface')->getMock(); | |||
| $user = $this->getMockBuilder(UserInterface::class)->getMock(); | |||
There was a problem hiding this comment.
all the non required "string to ::class" CS changes should be reverted to fit our policy and help reduce future merge conflicts as much as possible
There was a problem hiding this comment.
I've changed all usages in my changes to use the strings (in upcoming push). Due to how the diffing works, some of them are not displaying it correctly, as methods have been added/removed. By using the string everywhere, it should be less confusing for git as well.
| * @group legacy | ||
| * | ||
| * @expectedDeprecation Calling Symfony\Component\Security\Core\User\UserChecker::checkPostAuth with an AdvancedUserInterface is deprecated as of 3.4 and will be removed in 4.0. Create a custom user checker if you wish to keep this functionality. | ||
| * |
There was a problem hiding this comment.
extra blank line (same in other places)
| @@ -32,6 +32,7 @@ | |||
| * | |||
| * @see UserInterface | |||
| * @see AccountStatusException | |||
| * @deprecated This interface is deprecated as of 3.4 and will be removed in 4.0. | |||
There was a problem hiding this comment.
@deprecated since version 3.4, will be removed in 4.0.
(but no runtime notice because that'd trigger it for existing classes in core)
UPGRADE-3.4.md
Outdated
| @@ -277,6 +277,11 @@ Security | |||
| `DigestAuthenticationListener` and `DigestAuthenticationEntryPoint` will be | |||
| removed in 4.0. Use another authentication system like `http_basic` instead. | |||
|
|
|||
| * Using the `AdvancedUserInterface` is now deprecated. To use the existing | |||
| functionality, create a custom user-checker based on the | |||
| `Symfony\Component\Security\Core\UserChecker`. This functionality will be | |||
There was a problem hiding this comment.
Symfony\Component\Security\Core\User\UserChecker
There was a problem hiding this comment.
UserChecker !== UserCheckerInterface
Shouldnt we deprecate UserChecker? as it's tied to AdvancedUserInterface 🤔
There was a problem hiding this comment.
No, but imo it should be renamed to the InMemoryUserChecker (see other comments), just like the InMemoryUser. I wish to do this, but I don't have the time to do so before the feature freeze after this gets merged.
If you have time to do so, I'd gladly help out. I'm already stretching my time with non-project related stuff at the moment, so I can't handle another full PR within a few days
There was a problem hiding this comment.
I see. But in changelogs shouldnt we promote "based on UserCheckerInterface" instead?
Ill have a look at the InMemory story soonish :) i like it.
There was a problem hiding this comment.
@xabbuh This particular reference (and the one for CHANGELOG.md) are correctly referring to the implementation, how the conditions work based on the advanced user interface.
| @@ -13,6 +13,10 @@ CHANGELOG | |||
| the user will always be logged out when the user has changed between | |||
| requests. | |||
| * deprecated HTTP digest authentication | |||
| * Using the AdvancedUserInterface is now deprecated. To use the existing | |||
| functionality, create a custom user-checker based on the | |||
| `Symfony\Component\Security\Core\UserChecker`. This functionality will be | |||
There was a problem hiding this comment.
Symfony\Component\Security\Core\User\UserChecker
|
ping @iltar |
|
Merge conflicts resolved and namespaces in the md files fixed as comment by xabbuh |
|
Moving to 4.1 as 3.4 is in beta, thus closed for new feats. |
|
@iltar Can you rebase and update the changelog/update entries to account for 4.1? |
|
@xabbuh should be fixed now |
|
@fabpot still sceptical about this change? It would be good to move forward |
|
(small rebase needed) |
|
I'm sorry to come late in the game with this question, but what's the purpose of this change? What's the expected benefit? Every new deprecation has a clear downside: it is asking users to, someday, change their code. That's a cost for sure. What's the other side of the balance that justifies this? To be honest, I really don't know this part of Symfony, so I don't expect to understand your answer :) Any hints? |
|
@nicolas-grekas long story short: this particular part in Symfony is domain logic, rather than infrastructure. // comes with
public function isAccountNonExpired();
public function isAccountNonLocked();
public function isCredentialsNonExpired();
public function isEnabled();Those 4 "states" can be reused by an application, but usually does not. In addition to that, the code that everyone uses by default, has all kind of exceptions programmed for the advanced user interface.
This kind of logic does (in my opinion), not belong in the core framework. If you don't use the AdvancedUserInterface, Security will still work, but will still contain the domain logic in all the core framework classes. Symfony by default comes with 1 user class: So to sum it up:
As far as I can tell, the AdvancedUserInterface is based on a subset of methods from the Spring user: https://docs.spring.io/spring-security/site/docs/2.0.7.RELEASE/apidocs/org/springframework/security/userdetails/UserDetails.html (much as other parts, like the SecurityContext were based on). I feel that Symfony does not need this by default. If this PR comes through:
If you have any questions, I'll be happy to answer 👍 |
|
Thank you @iltar. |
This PR was merged into the 4.1-dev branch. Discussion ---------- Deprecated the AdvancedUserInterface | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | no | New feature? | no | BC breaks? | no | Deprecations? | yes | Tests pass? | yes | Fixed tickets | #23292 | License | MIT | Doc PR | ~ This PR deprecates the usages of the `AdvancedUserInterface`. Commits ------- 8456f3b Deprecated the AdvancedUserInterface
| * | ||
| * @dataProvider getUserChangesAdvancedUser | ||
| */ | ||
| public function testSetUserSetsAuthenticatedToFalseWhenUserChangesdvancedUser($firstUser, $secondUser) |
There was a problem hiding this comment.
There's an 'A' missing here to complete the word 'Advanced' :)
There was a problem hiding this comment.
Heh, you're completely right! If you wish, you could make a PR to fix this (you can just click the edit file). Gives you a nice contributor tag
| @@ -212,53 +209,59 @@ public function testSetUserSetsAuthenticatedToFalseWhenUserChanges($firstUser, $ | |||
| } | |||
|
|
|||
| public function getUserChanges() | |||
| { | |||
| $user = $this->getMockBuilder('Symfony\Component\Security\Core\User\UserInterface')->getMock(); | |||
There was a problem hiding this comment.
I'm just wondering since I'm not too familiar with the Symfony testing guidelines: Wouldn't it be easier and more refactoring-friendly to use the ::class constants here instead of hand-writing the FQCN?
There was a problem hiding this comment.
Consistency in this case. I personally would update everything to use ::class, but that might cause merge conflicts for no reason when merging changes from lower branches upwards.
There was a problem hiding this comment.
Fair enough :) Thanks!
Opened #26349
This PR was merged into the 4.1-dev branch. Discussion ---------- Fix typo in test method name | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | License | MIT This fixes a small typo spotted in #23508 (see https://github.com/symfony/symfony/pull/23508/files/8456f3b32ce6ec394fb27b9fc9a2989ed54862b1#r171488418) Commits ------- e5734aa Fix typo in test method name
|
Hi, what should we use now instead of AdvancedUserInterface ? |
|
@h4ck3rm1k3 https://symfony.com/doc/current/security/user_checkers.html |
* Migrated SF AdvancedUserInterface to FOS UserInterface AdvancedUserInterface is deprecated since Symfony 4.1 - symfony/symfony#23508 Issue: - #2803 Deprecation with Symfony 4.1 - AdvancedUserInterface * Code style fixed and using `getMockBuilder` instead of `createMock` * Code style fixed and using attributes instead of `$this->expectException` * Change to restart travis * EquatableInterface added to `UserInterface` and implementation added to `User` * Tests after merge of master fixed * Tests after merge of master fixed * Update README.md * Added compatibility for apps that check against AdvancedUserInterface * Code style fixed to pass all travis tests * fos_user.user_checker Service marked as non-public
This PR deprecates the usages of the
AdvancedUserInterface.