symfony · fabpot · Sep 26, 2017 · Sep 25, 2017
diff --git a/UPGRADE-3.4.md b/UPGRADE-3.4.md
@@ -264,10 +264,11 @@ SecurityBundle
   `Doctrine\DBAL\Connection`  as first argument. Not passing it is
    deprecated and will throw a `TypeError` in 4.0.

- * `SetAclCommand::__construct()` now takes an instance of
-   `Symfony\Component\Security\Acl\Model\MutableAclProviderInterfaceConnection`
-    as first argument. Not passing it is deprecated and will throw a `TypeError`
-    in 4.0.
+ * The `acl:set` command has been deprecated along with the `SetAclCommand` class,
+   both will be removed in 4.0. Install symfony/acl-bundle instead
+
+ * The `init:acl` command has been deprecated along with the `InitAclCommand` class,
+   both will be removed in 4.0. Install symfony/acl-bundle and use `acl:init` instead

 * Added `logout_on_user_change` to the firewall options. This config item will
   trigger a logout when the user has changed. Should be set to true to avoid

diff --git a/UPGRADE-4.0.md b/UPGRADE-4.0.md
@@ -656,12 +656,9 @@ SecurityBundle

 * `UserPasswordEncoderCommand` does not extend `ContainerAwareCommand` nor implement `ContainerAwareInterface` anymore.

- * `InitAclCommand::__construct()` now requires an instance of
-   `Doctrine\DBAL\Connection`  as first argument.
+ * `InitAclCommand` has been removed. Use `Symfony\Bundle\AclBundle\Command\InitAclCommand` instead

- * `SetAclCommand::__construct()` now requires an instance of
-   `Symfony\Component\Security\Acl\Model\MutableAclProviderInterfaceConnection`
-    as first argument.
+ * `SetAclCommand` has been removed. Use `Symfony\Bundle\AclBundle\Command\SetAclCommand` instead

 * The firewall option `logout_on_user_change` is now always true, which will
   trigger a logout if the user changes between requests.

diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -8,14 +8,11 @@ CHANGELOG
   `VoterInterface` on the class is now deprecated and will be removed in 4.0.
 * [BC BREAK] `FirewallContext::getListeners()` now returns `\Traversable|array`
 * added info about called security listeners in profiler 
- * `InitAclCommand::__construct()` now takes an instance of
-   `Doctrine\DBAL\Connection`  as first argument
- * `SetAclCommand::__construct()` now takes an instance of
-   `Symfony\Component\Security\Acl\Model\MutableAclProviderInterfaceConnection`
-   as first argument
 * Added `logout_on_user_change` to the firewall options. This config item will
   trigger a logout when the user has changed. Should be set to true to avoid
   deprecations in the configuration.
+ * deprecated command `acl:set` along with `SetAclCommand` class
+ * deprecated command `init:acl` along with `InitAclCommand` class

 3.3.0
 -----

diff --git a/src/Symfony/Bundle/SecurityBundle/Command/InitAclCommand.php b/src/Symfony/Bundle/SecurityBundle/Command/InitAclCommand.php
@@ -11,9 +11,13 @@

 namespace Symfony\Bundle\SecurityBundle\Command;

+@trigger_error(sprintf('Class "%s" is deprecated since version 3.4 and will be removed in 4.0. Use Symfony\Bundle\AclBundle\Command\SetAclCommand instead.', SetAclCommand::class), E_USER_DEPRECATED);
+
 use Symfony\Bundle\FrameworkBundle\Command\ContainerAwareCommand;
 use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\ConsoleOutputInterface;
 use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
 use Symfony\Component\Security\Acl\Dbal\Schema;
 use Doctrine\DBAL\Connection;
 use Doctrine\DBAL\Schema\SchemaException;
@@ -23,7 +27,7 @@
 *
 * @author Johannes M. Schmitt <schmittjoh@gmail.com>
 *
- * @final since version 3.4
+ * @deprecated since version 3.4, to be removed in 4.0. See Symfony\Bundle\AclBundle\Command\SetAclCommand instead.
 */
 class InitAclCommand extends ContainerAwareCommand
 {
@@ -32,15 +36,9 @@ class InitAclCommand extends ContainerAwareCommand
    private $connection;
    private $schema;

-    /**
-     * @param Connection $connection
-     * @param Schema     $schema
-     */
    public function __construct($connection = null, Schema $schema = null)
    {
        if (!$connection instanceof Connection) {
-            @trigger_error(sprintf('%s() expects an instance of "%s" as first argument since version 3.4. Not passing it is deprecated and will throw a TypeError in 4.0.', __METHOD__, Connection::class), E_USER_DEPRECATED);
-
            parent::__construct($connection);

            return;
@@ -54,8 +52,6 @@ public function __construct($connection = null, Schema $schema = null)

    /**
     * {@inheritdoc}
-     *
-     * BC to be removed in 4.0
     */
    public function isEnabled()
    {
@@ -93,7 +89,8 @@ protected function configure()
     */
    protected function execute(InputInterface $input, OutputInterface $output)
    {
-        // BC to be removed in 4.0
+        (new SymfonyStyle($input, $output instanceof ConsoleOutputInterface ? $output->getErrorOutput() : $output))->warning('Command "init:acl" is deprecated since version 3.4 and will be removed from SecurityBundle in 4.0. Install symfony/acl-bundle and use "acl:init" instead.');
+
        if (null === $this->connection) {
            $this->connection = $this->getContainer()->get('security.acl.dbal.connection');
            $this->schema = $this->getContainer()->get('security.acl.dbal.schema');

diff --git a/src/Symfony/Bundle/SecurityBundle/Command/SetAclCommand.php b/src/Symfony/Bundle/SecurityBundle/Command/SetAclCommand.php
@@ -11,11 +11,15 @@

 namespace Symfony\Bundle\SecurityBundle\Command;

+@trigger_error(sprintf('Class "%s" is deprecated since version 3.4 and will be removed in 4.0. Use Symfony\Bundle\AclBundle\Command\SetAclCommand instead.', SetAclCommand::class), E_USER_DEPRECATED);
+
 use Symfony\Bundle\FrameworkBundle\Command\ContainerAwareCommand;
 use Symfony\Component\Console\Input\InputArgument;
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\ConsoleOutputInterface;
 use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
 use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
 use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
 use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
@@ -28,7 +32,7 @@
 *
 * @author Kévin Dunglas <kevin@les-tilleuls.coop>
 *
- * @final since version 3.4
+ * @deprecated since version 3.4, to be removed in 4.0. See Symfony\Bundle\AclBundle\Command\SetAclCommand instead.
 */
 class SetAclCommand extends ContainerAwareCommand
 {
@@ -42,8 +46,6 @@ class SetAclCommand extends ContainerAwareCommand
    public function __construct($provider = null)
    {
        if (!$provider instanceof MutableAclProviderInterface) {
-            @trigger_error(sprintf('%s() expects an instance of "%s" as first argument since version 3.4. Not passing it is deprecated and will throw a TypeError in 4.0.', __METHOD__, MutableAclProviderInterface::class), E_USER_DEPRECATED);
-
            parent::__construct($provider);

            return;
@@ -56,8 +58,6 @@ public function __construct($provider = null)

    /**
     * {@inheritdoc}
-     *
-     * BC to be removed in 4.0
     */
    public function isEnabled()
    {
@@ -117,7 +117,8 @@ protected function configure()
     */
    protected function execute(InputInterface $input, OutputInterface $output)
    {
-        // BC to be removed in 4.0
+        (new SymfonyStyle($input, $output instanceof ConsoleOutputInterface ? $output->getErrorOutput() : $output))->warning('Command "acl:set" is deprecated since version 3.4 and will be removed from SecurityBundle in 4.0. Install symfony/acl-bundle to use this command.');
+
        if (null === $this->provider) {
            $this->provider = $this->getContainer()->get('security.acl.provider');
        }
@@ -192,8 +193,6 @@ protected function execute(InputInterface $input, OutputInterface $output)
    /**
     * Gets the mask builder.
     *
-     * BC to be removed in 4.0
-     *
     * @return MaskBuilder
     */
    protected function getMaskBuilder()

diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -121,6 +121,7 @@ private function addAclSection(ArrayNodeDefinition $rootNode)
        $rootNode
            ->children()
                ->arrayNode('acl')
+                    ->setDeprecated('The "security.acl" configuration key is deprecated since version 3.4 and will be removed in 4.0. Install symfony/acl-bundle and use the "acl" key instead.')
                    ->children()
                        ->scalarNode('connection')
                            ->defaultNull()

diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
@@ -22,8 +22,6 @@

 abstract class CompleteConfigurationTest extends TestCase
 {
-    private static $containerCache = array();
-
    abstract protected function getLoader(ContainerBuilder $container);

    abstract protected function getFileExtension();
@@ -38,6 +36,20 @@ public function testRolesHierarchy()
        ), $container->getParameter('security.role_hierarchy.roles'));
    }

+    /**
+     * @group legacy
+     * @expectedDeprecation The "security.acl" configuration key is deprecated since version 3.4 and will be removed in 4.0. Install symfony/acl-bundle and use the "acl" key instead.
+     */
+    public function testRolesHierarchyWithAcl()
+    {
+        $container = $this->getContainer('container1_with_acl');
+        $this->assertEquals(array(
+            'ROLE_ADMIN' => array('ROLE_USER'),
+            'ROLE_SUPER_ADMIN' => array('ROLE_USER', 'ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'),
+            'ROLE_REMOTE' => array('ROLE_USER', 'ROLE_ADMIN'),
+        ), $container->getParameter('security.role_hierarchy.roles'));
+    }
+
    public function testUserProviders()
    {
        $container = $this->getContainer('container1');
@@ -314,14 +326,22 @@ public function testEncoders()
        )), $container->getDefinition('security.encoder_factory.generic')->getArguments());
    }

+    /**
+     * @group legacy
+     * @expectedDeprecation The "security.acl" configuration key is deprecated since version 3.4 and will be removed in 4.0. Install symfony/acl-bundle and use the "acl" key instead.
+     */
    public function testAcl()
    {
-        $container = $this->getContainer('container1');
+        $container = $this->getContainer('container1_with_acl');

        $this->assertTrue($container->hasDefinition('security.acl.dbal.provider'));
        $this->assertEquals('security.acl.dbal.provider', (string) $container->getAlias('security.acl.provider'));
    }

+    /**
+     * @group legacy
+     * @expectedDeprecation The "security.acl" configuration key is deprecated since version 3.4 and will be removed in 4.0. Install symfony/acl-bundle and use the "acl" key instead.
+     */
    public function testCustomAclProvider()
    {
        $container = $this->getContainer('custom_acl_provider');
@@ -421,9 +441,6 @@ protected function getContainer($file)
    {
        $file = $file.'.'.$this->getFileExtension();

-        if (isset(self::$containerCache[$file])) {
-            return self::$containerCache[$file];
-        }
        $container = new ContainerBuilder();
        $security = new SecurityExtension();
        $container->registerExtension($security);
@@ -436,6 +453,6 @@ protected function getContainer($file)
        $container->getCompilerPassConfig()->setRemovingPasses(array());
        $container->compile();

-        return self::$containerCache[$file] = $container;
+        return $container;
    }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php
@@ -1,7 +1,6 @@
 <?php

 $container->loadFromExtension('security', array(
-    'acl' => array(),
    'encoders' => array(
        'JMS\FooBundle\Entity\User1' => 'plaintext',
        'JMS\FooBundle\Entity\User2' => array(

diff --git a/...fony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1_with_acl.php b/...fony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1_with_acl.php
@@ -0,0 +1,102 @@
+<?php
+
+$container->loadFromExtension('security', array(
+    'acl' => array(),
+    'encoders' => array(
+        'JMS\FooBundle\Entity\User1' => 'plaintext',
+        'JMS\FooBundle\Entity\User2' => array(
+            'algorithm' => 'sha1',
+            'encode_as_base64' => false,
+            'iterations' => 5,
+        ),
+        'JMS\FooBundle\Entity\User3' => array(
+            'algorithm' => 'md5',
+        ),
+        'JMS\FooBundle\Entity\User4' => array(
+            'id' => 'security.encoder.foo',
+        ),
+        'JMS\FooBundle\Entity\User5' => array(
+            'algorithm' => 'pbkdf2',
+            'hash_algorithm' => 'sha1',
+            'encode_as_base64' => false,
+            'iterations' => 5,
+            'key_length' => 30,
+        ),
+        'JMS\FooBundle\Entity\User6' => array(
+            'algorithm' => 'bcrypt',
+            'cost' => 15,
+        ),
+    ),
+    'providers' => array(
+        'default' => array(
+            'memory' => array(
+                'users' => array(
+                    'foo' => array('password' => 'foo', 'roles' => 'ROLE_USER'),
+                ),
+            ),
+        ),
+        'digest' => array(
+            'memory' => array(
+                'users' => array(
+                    'foo' => array('password' => 'foo', 'roles' => 'ROLE_USER, ROLE_ADMIN'),
+                ),
+            ),
+        ),
+        'basic' => array(
+            'memory' => array(
+                'users' => array(
+                    'foo' => array('password' => '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33', 'roles' => 'ROLE_SUPER_ADMIN'),
+                    'bar' => array('password' => '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33', 'roles' => array('ROLE_USER', 'ROLE_ADMIN')),
+                ),
+            ),
+        ),
+        'service' => array(
+            'id' => 'user.manager',
+        ),
+        'chain' => array(
+            'chain' => array(
+                'providers' => array('service', 'basic'),
+            ),
+        ),
+    ),
+
+    'firewalls' => array(
+        'simple' => array('pattern' => '/login', 'security' => false),
+        'secure' => array('stateless' => true,
+            'http_basic' => true,
+            'http_digest' => array('secret' => 'TheSecret'),
+            'form_login' => true,
+            'anonymous' => true,
+            'switch_user' => true,
+            'x509' => true,
+            'remote_user' => true,
+            'logout' => true,
+            'remember_me' => array('secret' => 'TheSecret'),
+            'user_checker' => null,
+        ),
+        'host' => array(
+            'pattern' => '/test',
+            'host' => 'foo\\.example\\.org',
+            'methods' => array('GET', 'POST'),
+            'anonymous' => true,
+            'http_basic' => true,
+        ),
+        'with_user_checker' => array(
+            'user_checker' => 'app.user_checker',
+            'anonymous' => true,
+            'http_basic' => true,
+        ),
+    ),
+
+    'access_control' => array(
+        array('path' => '/blog/524', 'role' => 'ROLE_USER', 'requires_channel' => 'https', 'methods' => array('get', 'POST')),
+        array('path' => '/blog/.*', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'),
+        array('path' => '/blog/524', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY', 'allow_if' => "token.getUsername() matches '/^admin/'"),
+    ),
+
+    'role_hierarchy' => array(
+        'ROLE_ADMIN' => 'ROLE_USER',
+        'ROLE_SUPER_ADMIN' => array('ROLE_USER', 'ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'),
+        'ROLE_REMOTE' => 'ROLE_USER,ROLE_ADMIN',
+    ),
+));
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1.xml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1.xml
@@ -6,8 +6,6 @@
    xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">

    <config>
-        <acl />
-
        <encoder class="JMS\FooBundle\Entity\User1" algorithm="plaintext" />

        <encoder class="JMS\FooBundle\Entity\User2" algorithm="sha1" encode-as-base64="false" iterations="5" />