[Security] Deprecate returning stringish objects from Security::getUser #27943
Conversation
|
Im also wondering if it's better to throw, rather then silently ignoring "non users" by returning null. To clarify the intend here. |
|
well, throwing for anonymous token would be a big BC break, and would make this API much less developer-friendly |
|
You're right. On 2nd thought i think the null default is fine indeed. There's no UserInterface available which is what we asked for, but it doesn't mean you're "logged out" per se in case of null. |
|
I’m following the logic. But, was this to solve some specific issue? It’s looks like a BC break to me, unfortunately. |
|
We had some discussion on slack about the inconsistency between the documented But no real issue :) it will just crash if this class is (ever) updated to have type declarations (#27944). To me that smells a violation. And yes, we can do an upgrade path with deprecations but i also think it qualifies a bugfix (otherwise the bugfix would be to update to |
|
Bug fix: that’s a good argument for the behavior change. I’d still prefer a deprecation and a merge into 4.2... after all, the bug isn’t currently hurting any functionality. So, waiting until 4.2 does not cause any issues. |
|
+1 for a BC layer |
|
Done. |
| @@ -46,6 +46,11 @@ public function getUser() | |||
| return null; | |||
| } | |||
|
|
|||
| if (!$user instanceof UserInterface) { | |||
| @trigger_error(sprintf('Accessing the user object "%s" that is not an instance of "%s" from "%s()" is deprecated since Symfony 4.2. Use "getToken()->getUser()" instead.', get_class($user), UserInterface::class, __METHOD__), E_USER_DEPRECATED); | |||
There was a problem hiding this comment.
...is deprecated since Symfony 4.2, use...
| @@ -46,6 +46,11 @@ public function getUser() | |||
| return null; | |||
| } | |||
|
|
|||
| if (!$user instanceof UserInterface) { | |||
| @trigger_error(sprintf('Accessing the user object "%s" that is not an instance of "%s" from "%s()" is deprecated since Symfony 4.2, use "getToken()->getUser()" instead.', get_class($user), UserInterface::class, __METHOD__), E_USER_DEPRECATED); | |||
There was a problem hiding this comment.
$user may not be an object here: is_object($user) ? get_class($user) : $user
Ah no, we check that just before.
|
I like the idea 👍 |
|
Thank you @ro0NL. |
…Security::getUser (ro0NL) This PR was squashed before being merged into the 4.2-dev branch (closes #27943). Discussion ---------- [Security] Deprecate returning stringish objects from Security::getUser | Q | A | ------------- | --- | Branch? | master | Bug fix? | yes-ish | New feature? | no | BC breaks? | no | Deprecations? | yes | Tests pass? | yes <!-- please add some, will be required by reviewers --> | Fixed tickets | #... <!-- #-prefixed issue number(s), if any --> | License | MIT | Doc PR | symfony/symfony-docs#... <!-- required for new features --> `$user` can also be an object implementing `__ toString`. Here we want only true user objects... Commits ------- 8c410da [Security] Deprecate returning stringish objects from Security::getUser
$usercan also be an object implementing__ toString. Here we want only true user objects...