8000 [Security] Do not make PasswordUpgraderInterface a generic by wouterj · Pull Request #51283 · symfony/symfony · GitHub
[go: up one dir, main page]
Skip to content

[Security] Do not make PasswordUpgraderInterface a generic #51283

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 5, 2023
Merged

[Security] Do not make PasswordUpgraderInterface a generic #51283

merged 1 commit into from
Aug 5, 2023

Conversation

wouterj
Copy link
Member
@wouterj wouterj commented Aug 5, 2023
Q A
Branch? 6.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets Ref #50399 (comment)
License MIT
Doc PR -

Making PasswordUpgraderInterface a generic in 6.3 (#48750) was a mistake. Nothing guarantees that the calling side will only pass TUser into the upgradePassword() method, as there is no way to check which users are supported. Passing a potentially unsupported user is expected behavior and we document in the PHPdoc that the method should silently fail in such cases. The referenced GitHub discussion contains some more details.

Removing the generic from the interface creates a static analysis failure in both Psalm and PHPstan. For this reason, I selected the 6.4 branch although this is a bug fix for 6.3. I'm fine with merging this in 6.3 as well, if this feels better.

@wouterj wouterj requested a review from chalasr as a code owner August 5, 2023 10:40
@carsonbot carsonbot added this to the 6.4 milestone Aug 5, 2023
@fabpot
Copy link
Member
fabpot commented Aug 5, 2023

Thank you @wouterj.

@fabpot fabpot merged commit 34f46c6 into symfony:6.4 Aug 5, 2023
@wouterj wouterj deleted the remove-generic-password-upgrader branch August 5, 2023 12:49
@rarila rarila mentioned this pull request Feb 10, 2025
Closed
This was referenced Mar 19, 2025
Merged
Merged
nicolas-grekas added a commit that referenced this pull request Mar 20, 2025
@nicolas-grekas
minor #60009 Improve documentation of PasswordUpgraderInterface (stof)
5a9a351 
This PR was squashed before being merged into the 7.3 branch.

Discussion
----------

Improve documentation of PasswordUpgraderInterface

| Q             | A
| ------------- | ---
| Branch?       | 7.3
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| Issues        | n/a
| License       | MIT

Implementations of PasswordUpgraderInterface can be called with a user instance that they don't support and are expected to handle it gracefully.
Handling it gracefully can be done either by being silent or by throwing an UnsupportedUserException.

This is a follow-up of #51283 to document that throwing UnsupportedUserException is actually fine for implementations as the way to handle unsupported users, as shown by the implementation of the ChainUserProvider: https://github.com/symfony/symfony/blob/07e020abdd1ab820ca3c2ead8dfda75ea6e84eae/src/Symfony/Component/Security/Core/User/ChainUserProvider.php#L107-L113

Commits
-------

0784f98 Improve documentation of PasswordUpgraderInterface
@alexander-schranz alexander-schranz mentioned this pull request Mar 28, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabpot fabpot fabpot approved these changes

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@chalasr chalasr chalasr approved these changes

Assignees
No one assigned
Labels
Bug Security Status: Reviewed
Projects
None yet
Milestone
6.4
Development

Successfully merging this pull request may close these issues.
5 participants
@wouterj @fabpot @nicolas-grekas @chalasr @carsonbot
0