New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
A critical interface method was just removed in 5.3.0 #41470
Comments
/cc @wouterj I think the method has been removed from the interface with the intent of allowing new code to implement only the new method. But that's indeed wrong as that would make such implementations incompatible with code expecting the 5.x UserProviderInterface. |
Is this causing an actual problem or is this just about your static code analyzer complaining? |
Well, if you implement new code without the |
and the symfony core is not the only caller of that interface. Bundles providing custom auth methods are likely to rely on a UserProvider as well (they are even encouraged to do so) |
getUsername was renamed, I think this "break" was intentional It's a simple fix and |
As a software vendor we support and build upon e.g. Symfony 4+5 of all minors and we can only control so much of what customers are using (what combination of previously working packages get installed through composer). |
@JKapitein the renaming is indeed intentional. But the way is has been done does not respect our BC policy. The old method should not have been removed from the interface: https://symfony.com/doc/current/contributing/code/bc.html#changing-interfaces |
Code supporting both <5.3 and >=5.3 will have to use a For reference, I didn't do this at first, but was explained that this is how we have done such method renames in the past. See https://github.com/symfony/symfony/pull/30388/files#diff-4412ea6a8e82d6b291607b14e89869f152887f0cf57efdf97b5908f82ebc8e21 for instance.
|
@wouterj the issue is code written for 5.2 that gets incompatible with 5.3+. That's a BC break in a minor version (for code consuming the UserProviderInterface). |
@wouterj in the release blog it's described as such
As far as I can tell (and I could very well be wrong about this) this is not the case. The old getUsername still works if it was implemented, but the "new" interface requires getUserIdentifier. Further, static code analysis will fail on interface hints and the old getUsername method calls. With the prevalence of UserProviders and other Security related classes in vendor bundles, it seems like something that would fit better in Symfony 6. I like the change, and I realize that it's not easy to add deprecations to widely used interfaces in PHP, but I feel like this should not have been in a minor. |
For reference: I'm fine either way. As long as we can remove the old method in 6.0 and users are warned via the usual Symfony methodology about this before 6.0. |
That's the best case we could go for. Currently code written against (non experimental) ^5.2 could be incompatible with 5.3 which should not be possible |
Neither 3 suggestions I can come up with (2 of them implemented in the PR at some point) fulfill these requirements:
Of all these, it was decided in the PR (and previous interface method renaming procedures) that (1) is the solution with the least practical issues. (note that static analysis is never part of our BC policy, as that forbids us to make any change to anything) |
There is no BC break here, since code that used to work continues to behave the same. |
The static analysis isn't an issue imo since it would be a normal task to fix those during the upgrading of the framework. The renaming of the interface method from Take https://github.com/lexik/LexikJWTAuthenticationBundle for example, a popular bundle that claims to work against |
The BC promise is about ensuring that code that is already written will keep working despite the changes. |
@nicolas-grekas no. that's not the case. If I have written a bundle consuming a UserProviderInterface against 5.2, that bundle will suddenly break (with a fatal error) when a project using the bundle implements the UserProviderInterface of 5.3. Currently, we are backward compatible for cases implementing a UserProviderInterface in the old or new way and passing it to the core Symfony callers. But we are not backward compatible for other callers. |
Making the UserProviderInterface backward compatible for caller does not allow omitting the method. There's a reason why our BC promise says that removing a method from an interface is forbidden. If we allow it, it is impossible to consume the interface safely. |
that's not true. If you implement the method of the interface, that does not trigger a deprecation warning AFAICT. The deprecation warning is triggered if you miss implementing the new one. |
I get that, but that's still in line with what I wrote: no already written code will break because of the change we're talking about here. So, should we force ppl to implement both the new and the old methods in 5.4 to cover the scenario you're describing @stof? On my side, I think it could be enough to add two |
We are fine with the method annotation, while I still think that a proper way of deprecation would keep the method in place in code. |
Already written bundles declaring compatibility with |
Same is true for |
@wouterj The |
This PR was merged into the 1.9 branch. Discussion ---------- Symfony 5.3 breaks the build now. References: - symfony/symfony#41470 - symfony/symfony#41492 Commits ------- 41dad92 Use Symfony 5.2.* instead of ^5.2 for GitHub Actions
See #41493 |
I close this discussing then pending the PR merge. |
Thank you everyone for this healthy discussion. I must admit, I have underestimated the consequences of changing the interfaces the way we did. And I agree that we should add the methods to the interfaces again. That being said, if I may make a request:
Please test beta versions and RCs! This change has been in beta testing for quite some time. If you are building a software product that heavily relies on Symfony, please make sure that you test against pre-releases. If an issue like this pops up during the stabilization phase, it is way easier to fix than now that a stable release is already out there. |
…terj) This PR was merged into the 5.3 branch. Discussion ---------- [Security] Readd deprecated methods to the interfaces | Q | A | ------------- | --- | Branch? | 5.3 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #41470 | License | MIT | Doc PR | n/a Readd the deprecated methods to the interface, to make sure third party packages <5.3 work with objects created using the 5.3+ interfaces. I've tested in a project and the deprecation is not triggered when implementing the method, only when calling. So this should still allow applications to be deprecation free in 5.4. Commits ------- b024656 [Security] Readd deprecated methods to the interfaces
… (pamil) This PR was merged into the 1.9 branch. Discussion ---------- Symfony 5.3 breaks the build now. References: - symfony/symfony#41470 - symfony/symfony#41492 Commits ------- 41dad92 Use Symfony 5.2.* instead of ^5.2 for GitHub Actions
Symfony version(s) affected: 5.3.0
Description
Regression in minor release.
symfony/security-core@v5.2.8...v5.3.0
A critical interface method was just removed instead of normal deprecation workflow and removal in next major.
How to reproduce
Implement UserInterface on vendor or project level, code against interface and now find yourself missing this contract (to be sure that method is available and implemented properly.
Possible Solution
Keep it in with deprecation only or add this method as soft annotation at least (as implementing code cannot do that post-factum now for the vendor interface).
Additional context
The same seems to be true for
Authentication/RememberMe/PersistentTokenInterface.php
class.The text was updated successfully, but these errors were encountered: