[SecurityBundle] Set request stateless only if the attribute is not defined #49997


Conversation

tucksaun
Contributor

@tucksaun tucksaun commented Apr 11, 2023

| Q             | A
| ------------- | ---
| Branch?       | 6.3
| Bug fix?      | yes-ish
| New feature?  | no
| Deprecations? | no
| Tickets       | #48044 (comment)
| License       | MIT
| Doc PR        | n/a

The current implementation makes sense for most cases but not for every case, as one can have a stateless authentication but still require sessions.
This PR allows setting the request as non-stateless while having a stateless firewall, but keeps the new behavior by default.
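
As an added illustration (not SecurityBundle's own code, and written from the defender's side), the rule described above, a stateless firewall marks the request `_stateless` only when a route has not already decided, can be expressed as a `kernel.request` subscriber. It assumes `FirewallMap` is autowirable and that the router has already copied route defaults onto the request.

```php
<?php
// Added example, not SecurityBundle's own code: a kernel.request subscriber
// that mirrors the rule this PR describes. The request is marked stateless
// when its firewall is stateless, unless the route already set `_stateless`.

namespace App\EventSubscriber;

use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class StatelessRequestSubscriber implements EventSubscriberInterface
{
    // Assumption: the firewall map is injected via autowiring.
    public function __construct(private readonly FirewallMap $firewallMap)
    {
    }

    public static function getSubscribedEvents(): array
    {
        // Priority 16: after the router (32) has copied route defaults such as
        // `_stateless` onto the request, before the firewall listener (8) runs.
        return [KernelEvents::REQUEST => ['onKernelRequest', 16]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return;
        }
        $request = $event->getRequest();

        // Explicit route configuration wins: `stateless: false` on a route under
        // a stateless firewall keeps its session; `stateless: true` is kept as is.
        if ($request->attributes->has('_stateless')) {
            return;
        }

        // No firewall matched, or the firewall is stateful: leave the request alone.
        $config = $this->firewallMap->getFirewallConfig($request);
        if (null === $config || !$config->isStateless()) {
            return;
        }

        // Stateless firewall and no explicit choice: default to a stateless
        // request, so the session listener will not start or save a session.
        $request->attributes->set('_stateless', true);
    }
}
```

A route declared with `stateless: false` (for example `#[Route('/login', name: 'login', stateless: false)]`) therefore keeps its session even when it sits under a stateless firewall, which is the opt-out this PR introduces.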

@nicolas-grekas
Member

Thank you @tucksaun.

@nicolas-grekas nicolas-grekas merged commit 2d77238 into symfony:6.3 Apr 12, 2023
@tucksaun tucksaun deleted the security/statefull-route-stateless-firewall branch April 12, 2023 11:15
@alamirault
Contributor

Thanks @tucksaun, I missed this case!

OskarStark added a commit to symfony/symfony-docs that referenced this pull request Apr 13, 2023
…ed (alamirault)

This PR was squashed before being merged into the 6.3 branch.

Discussion
----------

Set request stateless only if the attribute is not defined

symfony/symfony#48044 added in 6.3 was updated in symfony/symfony#49997.

This PR adjusts the behavior documentation.

Commits
-------

20ee4d7 Set request stateless only if the attribute is not defined
nicolas-grekas added a commit that referenced this pull request Aug 16, 2024
…he request when firewall is stateless and the attribute is not already set (MatTheCat)

This PR was submitted for the 7.2 branch but it was merged into the 6.4 branch instead.

Discussion
----------

[SecurityBundle] Revert adding `_stateless` attribute to the request when firewall is stateless and the attribute is not already set

| Q             | A
| ------------- | ---
| Branch?       | 6.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Issues        | Fix #50715
| License       | MIT

#40372 was about routes matching both stateful and stateless firewalls: you couldn’t easily configure them as stateless under a stateless firewall only.

#48044 fixed it by linking these two attributes: a stateless firewall then implied a stateless request. While it can sound logical, this impacted many projects using the session while authenticating users in a stateless fashion.

At last, #49997 allowed overriding this behavior by explicitly configuring routes as *not* stateless. This kind of proved that #48044 was a mistake: you cannot tell a request must be stateless only because it matches a stateless firewall.

As such, this PR reverts #48044 (and consequently #49997) so that configuring routes as stateless is the developers' responsibility alone. It also reopens #40372, but I think this issue should be fixed in an opt-in way (e.g. with a new `firewall.stateless.with_routes` boolean configuration in the SecurityBundle).

Commits
-------

47baed9 [SecurityBundle] Revert adding `_stateless` attribute to the request when firewall is stateless and the attribute is not already set