[Security] context listener: hardening user provider handling #21865
After the wrong fix in #21791 this is the second attempt to solve #4498. If more than one user provider support the user for the current context, all of them will be applied instead of returning prematurely when the first user provider does not find the logged in user.
This was referenced
Mar 4, 2017
referenced this pull request
Mar 4, 2017
With this patch this scenario will work out of the box. But to be honest I would say its just a quick hack, which is doable from the other way around (this patch is better than the other way).
The main problem is that, if you have eg 3 providers and you need a user from the last, then every user will have 3 queries for every page load (say we are using fos user bundle, and just query from the db). Because the provider will need to load the user from the db (or api or from hell) first to check if its supported. Then throw the exception, and the next provider will do the same, stacking queries.
So with this patch this feature will work, but won't be optimal cause this :(
I liked the other approach more, where I could define a provider to use on refresh (I know that wont work, cause bc break, so just saying :P).
Im sorry but I think the only way to solve it:
If these points are not possible, I support the merge of this patch. At least people will not have errors, just a bit degraded performance sometimes that they may not even notice or could live with that.
Would you like to open an issue or even better create a pull request to improve the docs?
That would indeed be better solutions, but will need to be done on
Mar 6, 2017
@xabbuh I could imagine something like the above, into a warning block with Be aware or something start, in: http://symfony.com/doc/current/security/custom_provider.html or http://symfony.com/doc/current/security/multiple_user_providers.html or somewhere.
Just to note, this is a limitation in all versions, not just 2.7.