Merge branch '2.6' into 2.7

weaverryan · weaverryan · commit 93ecd0a3b5a2 · 2015-04-17T06:05:36.000-04:00
* 2.6: Fix broken link in security chapter Add version 2.8 to the release roadmap bug #5162 Fix misplelled XliffFileLoader class in the Using Domains (Nicola Pietroluongo) Fix misplelled XliffFileLoader class in the Using Message Domains example Removing a section about Roles that I think has no real use-case add missing security advisories Fix misplelled XliffFileLoader class in the Using Message Domains example Use correct Session namespace
diff --git a/book/internals.rst b/book/internals.rst
@@ -40,8 +40,8 @@ variables:
 * The :class:`Symfony\\Component\\HttpFoundation\\Response` class abstracts
   some PHP functions like ``header()``, ``setcookie()``, and ``echo``;
 
-* The :class:`Symfony\\Component\\HttpFoundation\\Session` class and
-  :class:`Symfony\\Component\\HttpFoundation\\SessionStorage\\SessionStorageInterface`
+* The :class:`Symfony\\Component\\HttpFoundation\\Session\\Session` class and
+  :class:`Symfony\\Component\\HttpFoundation\\Session\\Storage\\SessionStorageInterface`
   interface abstract session management ``session_*()`` functions.
 
 .. note::
diff --git a/book/security.rst b/book/security.rst
@@ -1069,7 +1069,7 @@ the User object, and use the ``isGranted`` method (or
 Retrieving the User in a Template
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-In a Twig Template this object can be accessed via the `app.user <reference-twig-global-app>`_
+In a Twig Template this object can be accessed via the :ref:`app.user <reference-twig-global-app>`
 key:
 
 .. configuration-block::
diff --git a/components/translation/introduction.rst b/components/translation/introduction.rst
@@ -186,7 +186,7 @@ organization, translations were split into three different domains:
 loaded like this::
 
     // ...
-    $translator->addLoader('xliff', new XliffLoader());
+    $translator->addLoader('xliff', new XliffFileLoader());
 
     $translator->addResource('xliff', 'messages.fr.xliff', 'fr_FR');
     $translator->addResource('xliff', 'admin.fr.xliff', 'fr_FR', 'admin');
diff --git a/contributing/code/security.rst b/contributing/code/security.rst
@@ -103,6 +103,12 @@ Security Advisories
 This section indexes security vulnerabilities that were fixed in Symfony
 releases, starting from Symfony 1.0.0:
 
+* April 1, 2015: `CVE-2015-2309: Unsafe methods in the Request class <http://symfony.com/blog/cve-2015-2309-unsafe-methods-in-the-request-class>`_ (Symfony 2.3.27, 2.5.11 and 2.6.6)
+* April 1, 2015: `CVE-2015-2308: Esi Code Injection <http://symfony.com/blog/cve-2015-2308-esi-code-injection>`_ (Symfony 2.3.27, 2.5.11 and 2.6.6)
+* September 3, 2014: `CVE-2014-6072: CSRF vulnerability in the Web Profiler <http://symfony.com/blog/cve-2014-6072-csrf-vulnerability-in-the-web-profiler>`_ (Symfony 2.3.19, 2.4.9 and 2.5.4)
+* September 3, 2014: `CVE-2014-6061: Security issue when parsing the Authorization header <http://symfony.com/blog/cve-2014-6061-security-issue-when-parsing-the-authorization-header>`_ (Symfony 2.3.19, 2.4.9 and 2.5.4)
+* September 3, 2014: `CVE-2014-5245: Direct access of ESI URLs behind a trusted proxy <http://symfony.com/blog/cve-2014-5245-direct-access-of-esi-urls-behind-a-trusted-proxy>`_ (Symfony 2.3.19, 2.4.9 and 2.5.4)
+* September 3, 2014: `CVE-2014-5244: Denial of service with a malicious HTTP Host header <http://symfony.com/blog/cve-2014-5244-denial-of-service-with-a-malicious-http-host-header>`_ (Symfony 2.3.19, 2.4.9 and 2.5.4)
 * July 15, 2014: `Security releases: Symfony 2.3.18, 2.4.8, and 2.5.2 released <http://symfony.com/blog/security-releases-cve-2014-4931-symfony-2-3-18-2-4-8-and-2-5-2-released>`_ (`CVE-2014-4931 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4931>`_)
 * October 10, 2013: `Security releases: Symfony 2.0.25, 2.1.13, 2.2.9, and 2.3.6 released <http://symfony.com/blog/security-releases-cve-2013-5958-symfony-2-0-25-2-1-13-2-2-9-and-2-3-6-released>`_ (`CVE-2013-5958 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5958>`_)
 * August 7, 2013: `Security releases: Symfony 2.0.24, 2.1.12, 2.2.5, and 2.3.3 released <http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released>`_ (`CVE-2013-4751 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4751>`_ and `CVE-2013-4752 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4752>`_)
diff --git a/contributing/community/releases.rst b/contributing/community/releases.rst
@@ -98,7 +98,8 @@ Version  Feature Freeze  Release  End of Maintenance        End of Life
 2.4      09/2013         11/2013  09/2014 (10 months [1]_)  01/2015
 2.5      03/2014         05/2014  01/2015 (8 months)        07/2015
 2.6      09/2014         11/2014  07/2015 (8 months)        01/2016
-**2.7**  03/2015         05/2015  05/2018 (36 months [2]_)  05/2019
+**2.7**  03/2015         05/2015  05/2018 (36 months)       05/2019
+**2.8**  09/2015         11/2015  11/2018 (36 months [2]_)  11/2019
 3.0      09/2015         11/2015  07/2016 (8 months)        01/2017
 3.1      03/2016         05/2016  01/2017 (8 months)        07/2017
 3.2      09/2016         11/2016  07/2017 (8 months)        01/2018
@@ -107,7 +108,7 @@ Version  Feature Freeze  Release  End of Maintenance        End of Life
 =======  ==============  =======  ========================  ===========
 
 .. [1] Symfony 2.4 maintenance has been `extended to September 2014`_.
-.. [2] Symfony 2.7 is the last version of the Symfony 2.x branch.
+.. [2] Symfony 2.8 is the last version of the Symfony 2.x branch.
 
 .. tip::
 
diff --git a/cookbook/security/entity_provider.rst b/cookbook/security/entity_provider.rst
@@ -525,213 +525,6 @@ This tells Symfony to *not* query automatically for the User. Instead, when
 someone logs in, the ``loadUserByUsername()`` method on ``UserRepository``
 will be called.
 
-Managing Roles in the Database
-------------------------------
-
-The end of this tutorial focuses on how to store and retrieve a list of roles
-from the database. As mentioned previously, when your user is loaded, its
-``getRoles()`` method returns the array of security roles that should be
-assigned to the user. You can load this data from anywhere - a hardcoded
-list used for all users (e.g. ``array('ROLE_USER')``), a Doctrine array
-property called ``roles``, or via a Doctrine relationship, as you'll learn
-about in this section.
-
-.. caution::
-
-    In a typical setup, you should always return at least 1 role from the ``getRoles()``
-    method. By convention, a role called ``ROLE_USER`` is usually returned.
-    If you fail to return any roles, it may appear as if your user isn't
-    authenticated at all.
-
-.. caution::
-
-    In order to work with the security configuration examples on this page
-    all roles must be prefixed with ``ROLE_`` (see
-    the :ref:`section about roles <book-security-roles>` in the book). For
-    example, your roles will be ``ROLE_ADMIN`` or ``ROLE_USER`` instead of
-    ``ADMIN`` or ``USER``.
-
-In this example, the ``AppBundle:User`` entity class defines a
-many-to-many relationship with a ``AppBundle:Role`` entity class.
-A user can be related to several roles and a role can be composed of
-one or more users. The previous ``getRoles()`` method now returns
-the list of related roles. Notice that ``__construct()`` and ``getRoles()``
-methods have changed::
-
-    // src/AppBundle/Entity/User.php
-    namespace AppBundle\Entity;
-
-    use Doctrine\Common\Collections\ArrayCollection;
-    // ...
-
-    class User implements AdvancedUserInterface, \Serializable
-    {
-        // ...
-
-        /**
-         * @ORM\ManyToMany(targetEntity="Role", inversedBy="users")
-         *
-         */
-        private $roles;
-
-        public function __construct()
-        {
-            $this->roles = new ArrayCollection();
-        }
-
-        public function getRoles()
-        {
-            return $this->roles->toArray();
-        }
-
-        // ...
-
-    }
-
-The ``AppBundle:Role`` entity class defines three fields (``id``,
-``name`` and ``role``). The unique ``role`` field contains the role name
-(e.g. ``ROLE_ADMIN``) used by the Symfony security layer to secure parts
-of the application::
-
-    // src/AppBundle/Entity/Role.php
-    namespace AppBundle\Entity;
-
-    use Symfony\Component\Security\Core\Role\RoleInterface;
-    use Doctrine\Common\Collections\ArrayCollection;
-    use Doctrine\ORM\Mapping as ORM;
-
-    /**
-     * @ORM\Table(name="app_role")
-     * @ORM\Entity()
-     */
-    class Role implements RoleInterface
-    {
-        /**
-         * @ORM\Column(name="id", type="integer")
-         * @ORM\Id()
-         * @ORM\GeneratedValue(strategy="AUTO")
-         */
-        private $id;
-
-        /**
-         * @ORM\Column(name="name", type="string", length=30)
-         */
-        private $name;
-
-        /**
-         * @ORM\Column(name="role", type="string", length=20, unique=true)
-         */
-        private $role;
-
-        /**
-         * @ORM\ManyToMany(targetEntity="User", mappedBy="roles")
-         */
-        private $users;
-
-        public function __construct()
-        {
-            $this->users = new ArrayCollection();
-        }
-
-        /**
-         * @see RoleInterface
-         */
-        public function getRole()
-        {
-            return $this->role;
-        }
-
-        // ... getters and setters for each property
-    }
-
-For brevity, the getter and setter methods are hidden, but you can
-:ref:`generate them <book-doctrine-generating-getters-and-setters>`:
-
-.. code-block:: bash
-
-    $ php app/console doctrine:generate:entities AppBundle/Entity/User
-
-Don't forget also to update your database schema:
-
-.. code-block:: bash
-
-    $ php app/console doctrine:schema:update --force
-
-This will create the ``app_role`` table and a ``user_role`` that stores
-the many-to-many relationship between ``app_user`` and ``app_role``. If
-you had one user linked to one role, your database might look something like
-this:
-
-.. code-block:: bash
-
-    $ mysql> SELECT * FROM app_role;
-    +----+-------+------------+
-    | id | name  | role       |
-    +----+-------+------------+
-    |  1 | admin | ROLE_ADMIN |
-    +----+-------+------------+
-
-    $ mysql> SELECT * FROM user_role;
-    +---------+---------+
-    | user_id | role_id |
-    +---------+---------+
-    |       1 |       1 |
-    +---------+---------+
-
-And that's it! When the user logs in, Symfony security system will call the
-``User::getRoles`` method. This will return an array of ``Role`` objects
-that Symfony will use to determine if the user should have access to certain
-parts of the system.
-
-.. sidebar:: What's the purpose of the RoleInterface?
-
-    Notice that the ``Role`` class implements
-    :class:`Symfony\\Component\\Security\\Core\\Role\\RoleInterface`. This is
-    because Symfony's security system requires that the ``User::getRoles`` method
-    returns an array of either role strings or objects that implement this interface.
-    If ``Role`` didn't implement this interface, then ``User::getRoles``
-    would need to iterate over all the ``Role`` objects, call ``getRole``
-    on each, and create an array of strings to return. Both approaches are
-    valid and equivalent.
-
-.. _cookbook-doctrine-entity-provider-role-db-schema:
-
-Improving Performance with a Join
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-To improve performance and avoid lazy loading of roles when retrieving a user
-from the custom entity provider, you can use a Doctrine join to the roles
-relationship in the ``UserRepository::loadUserByUsername()`` method. This will
-fetch the user and their associated roles with a single query::
-
-    // src/AppBundle/Entity/UserRepository.php
-    namespace AppBundle\Entity;
-
-    // ...
-
-    class UserRepository extends EntityRepository implements UserProviderInterface
-    {
-        public function loadUserByUsername($username)
-        {
-            $q = $this
-                ->createQueryBuilder('u')
-                ->select('u, r')
-                ->leftJoin('u.roles', 'r')
-                ->where('u.username = :username OR u.email = :email')
-                ->setParameter('username', $username)
-                ->setParameter('email', $username)
-                ->getQuery();
-
-            // ...
-        }
-
-        // ...
-    }
-
-The ``QueryBuilder::leftJoin()`` method joins and fetches related roles from
-the ``AppBundle:User`` model class when a user is retrieved by their email
-address or username.
-
 .. _`cookbook-security-serialize-equatable`:
 
 Understanding serialize and how a User is Saved in the Session
