[Security] Ensure DocumentUserProvider::refreshUser() uses id
Fixes a security vulnerability in the DocumentUserProvider where a user might be refreshed by username, which could have been altered during form binding and failed validation.

Apart from this fix, it's wise to clone the managed user object before using it in a form if it is also being tracked in security context. Furthermore, you should be careful not to allow document identifiers to be modified by untrusted forms.

See:
* http://symfony.com/blog/security-release-symfony-2-0-6
* symfony/symfony@9d2ab9c
Update unique validator functionality and tests
Update author attribution for Bulat
Logic inside isValid() now more closely resembles the entity validator, with the added benefit of not returning a false positive due to reliance on findOneBy(). Added comments throughout refactored methods and cleaned up the createQueryArray() method. Replaced thrown exceptions with ConstraintDefinitionException to be consistent with other validators. Fixed reporting of invalid value when a constraint violation is added.
…ndOneBy()
To correctly verify uniqueness, we need to query for all criteria matches. The document cannot be considered unique unless the single result is the document itself, or if the result set is empty.
…ent with the entity validator equivalent in Doctrine bridge
Updated the fixture document class and assigned it a fairly specific collection name, since the functional test needs to drop this collection.
…ne bridge
Removed code for proxy initialization as its reference to the __identifier property no longer complied with the current version of ProxyFactory (that property is private). Also removed identifier value comparison, as we should trust that ODM will return the same object if one with a specific identifier is already being managed. This is consistent with the entity validator in Doctrine bridge. Lastly, the original property path binding was no longer working (based on upstream changes no doubt), so this was also updated to be in sync with the entity validator.
Added @Annotation to ODM unique validator
Adding a basic README
Update commands for Symfony changes. Breaks compatibility with beta5
Update DocumentUserProvider to implement the new UserProviderInterface
Breaks compatibility with Symfony2beta4
Replace Yaml::load with Yaml::parse
…3cf28ee4a [Extension] fixed parameter name for database name in the DoctrineMongoDBExtension