- [BC break] Removed the CouchDB ODM integration
- [BC break] Added return types in most methods
- [BC break] Marked classes as final when they were
@final
- Removed support for symfony <6.4
- Removed support for PHP <8.1
- Remove the mailer implementation based on Swiftmailer
- Added support for Symfony 7
- Deprecated the TwigSwiftMailer implementation
- Added a mailer implementation based on symfony/mailer and Twig
- Added tentative return types in most methods
- Deprecated the CouchDB ODM integration as the ODM is unmaintained
- Fixed remaining deprecations with Symfony 6.3
- Fixed deprecations with Symfony 6.3
- Fixed deprecations with Doctrine ORM (requires using DoctrineBundle 2.10.1 or newer for the fix to be effective)
- Fixed the way to access the session when enabling confirmation emails
- Fixed the way to access the firewall name when enabling the registration feature
- Added support for Symfony 6
- Fixed support for the remember-me in the programmatic login when using the new authentication system of Symfony.
- Fixed some deprecations when using Symfony 5.4.
- Fixed the wiring of controllers to avoid a deprecation warning when using Twig.
- [BC break] Change the base class of controllers to use the
AbstractController
(but extending the controllers is not officially supported anymore). - [BC break] Remove the group feature
- [BC break] Change the base class for events to
Symfony\Contracts\EventDispatcher\Event
instead ofSymfony\Component\EventDispatcher\Event
- [BC break] Remove the
Symfony\Component\Security\Core\User\AdvancedUserInterface
methods from ourUserInterface
- [BC break] The ResettingListener now longer blocks password resetting requests based on the
isAccountNonLocked
method of theAdvancedUserInterface
. Projects customizingisAccountNonLocked
for that purpose should instead register their own listener for theFOSUserEvents::RESETTING_RESET_REQUEST
event to set a response instead of processing the request. - [BC break] Made
\FOS\UserBundle\Model\User::serialize
and\FOS\UserBundle\Model\User::unserialize
final. Child classes needing to extend the serialization must override__serialize
and__unserialize
instead. - [BC break]
\FOS\UserBundle\Event\GetResponseNullableUserEvent
no longer inherits from\FOS\UserBundle\Event\GetResponseUserEvent
and\FOS\UserBundle\Event\UserEvent
as that was breaking variance rules. - [BC break] A few methods of
FOS\UserBundle\Model\User
now have return types (in methods where Symfony 6 requires them) - [BC break] The legacy mailer based on SwiftMailer and symfony/templating is no longer used by default. Selecting a mailer service is now mandatory when using a feature needing the mailer.
- [BC break] Remove the legacy mailer based on SwiftMailer and symfony/templating. Use
fos_user.mailer.twig_swift
or a custom mailer service. - Add support for Symfony 5.
- Add return types in most methods.
- Add autowiring support for
FOS\UserBundle\Mailer\MailerInterface
- Fixed a deprecation warning reported by DebugClassLoader in the AdvancedUserInterface BC layer due to the change done in 2.2.3.
- Added missing deprecations on some group-related event classes
- Fixed an invalid report of
UserInterface
being deprecated in static analyzers - Fixed the documented return type for
\FOS\UserBundle\Event\GetResponseNullableUserEvent::getUser
- Fixed a deprecation warning about groups being triggered when loading all Doctrine metadata.
- Fixed a deprecation warning about groups being triggered when loading the User class of the bundle.
- Deprecated the Groups feature.
- Marked all controllers final.
- Marked internal classes as such.
- Added Mongolian translation.
- Added an email provider.
- Added a custom user checker.
- Added PHP 7.4 and PHP 8.0 support.
- Removed fieldName attribute in MongoDB mapping.
- Registration confirmation now redirects to login page if token is invalid.
- User model will not rely on
AdvancedUserInterface
anymore. - Self-salting password encoders will not create a salt anymore.
- FlashListener constructor now accepts
SessionInterface
. - Fixed several Symfony deprecation notices.
- Fixed several translations.
- Bumped the min PHP version to 7.1.3.
- Bumped the min Symfony version to 4.4.
- Added compatibility with Twig 3.
- Added compatibility with doctrine/persistence 2.
- Fixed compatibility of controllers with Symfony 2.8
- Fixed the check for the required session, to account for the fact it is not always required.
- Dropped Symfony < 2.8 support.
- Add Symfony 4 compatibility.
- Refactored controllers and commands to use DI. Projects extending these classes will need to adapt their code (but should rather use supported extension points when possible).
- Redirect to login when requesting resetting password with invalid token.
- Added autocomplete hints for password inputs.
- Fixed several incorrect Turkish translations.
- Fix empty password in ChangePasswordFormType.
- Fix empty password in ProfileFormType.
- Introduced aliases for autowiring user and group managers.
- Added Bengali translation.
- Added Galician translation.
- Updated Danish translation.
- Updated Japanese translation.
- Add SwiftMailer 6 compatibility.
- Inject firewall
user_checker
intoLoginManager
. - Updated English translation.
- Updated Estonian translation.
- Updated Persian translation.
- Updated Turkish translation.
- Updated several docs.
- Removed default
fos_user.from_email
configuration values. - Removed usage of internal Twig APIs when rendering emails.
- Add a timeout for the reset retry request.
- Add Esperanto translations.
- Fixed incorrect confirmation url.
- Commented outdated entries in several translation files.
- [BC break] Use
UserManager::getRepository()
instead ofUserManager::$repository
. - [BC break] Use
UserManager::getClass()
instead ofUserManager::$class
.
- Use ceil in
ResettingController
for a better token lifetime approximation. - Removed unused translation keys.
- Removed form deprecations.
- Use
@
-based Twig syntax for templates. - Improved several language files.
- Improved documentation.
- Ability to disable the authentication listener.
- Removed
DateUtil
class. - [BC break] Changed validation max length to match the database structure.
- Dropped Symfony < 2.7 support.
- Dropped PHP < 5.5 support.
- Exclude tests from autoloader.
- Allow to use POST for logout.
- Fix UserPassword constraint validation groups.
- Harmonized email detection in
UserManager
. - Added unique index for
confirmation_token
field. - Added Kyrgyz translation files.
- Added user manipulator events.
- Replaced
checkPostAuth
bycheckPreAuth
inAuthenticationListener
. - [BC break] Method
ResettingController::getObfuscatedEmail
has been removed. - [BC break] Renamed templates to underscore case.
- [BC break] Removed
UserManager::refreshUser
. - [BC break] Removed
UserManager::loadUserByUsername
. - [BC break] Removed
UserManager::supportsClass
. - [BC break] Removed
FOS\UserBundle\Model\User
properties$locked
,$expired
,$expiredAt
,$credentialsExpired
,$credentialsExpiredAt
and associated setter and getter (see here). - [BC break] The signature of the
Initializer
constructor has changed. - [BC break] The signature of the
LoginManager
constructor has changed. - [BC break] The signature of the
UserListener
constructor has changed. - [BC break] The signature of the
UserManager
constructor has changed. - [BC break] The translation key
resetting.request.invalid_username
has been removed. - [BC break] The propel dependency was dropped.
- [BC break] The
salt
field of theUser
class is now nullable.
- Reverted the removed of the
expired
andcredentialsExpired
properties as the BC break could lead to corrupted objects being created if server sessions are not cleared when upgrading the bundle.
- The minimum requirement for Doctrine is now ORM 2.4 and MongoDB ODM 1.0-alpha10.
- [BC break] The deprecated entity classes have been removed.
- The minimum requirement for Symfony has been bumped to 2.3 (older versions are already EOLed).
- [BC break]
UserInterface::isUser
has been removed as it was used only by the old validation logic removed a long time ago. - [BC break] The
FOSUserBundle:Security:login.html.twig
template now receives an AuthenticationException in theerror
variable rather than an error message. - [BC break] The templating engine configuration has been removed, as well as the related code.
- [BC break] Changed the XML namespace to
http://friendsofsymfony.github.io/schema/dic/user
- [BC break] Added
UserInterface::getId
. - [BC break][Reverted] Removed unused properties
expired
andcredentialsExpired
including corresponding methods. This may break code, which makes use of this methods, extending classes, and/or existing installations because of missing mappings for required db fields.
- Updated many translations.
- Changed the way to pass the email to the page asking to check the email to avoid issues with non-blocking sessions.
- Changed the fos_user_security_check route to enforce POST.
- Removed the deprecated UserManager and GroupManager classes for the different Doctrine implementations.
- [BC break] Refactored the structure of controller to dispatch events instead of using form handlers.
- Removed all form handlers.
- [BC break] Changed Datetime properties of default User entity that were nullable to default to null when no value supplied.
- [BC break] Updated schema.xml for Propel BaseUser class to allow nullable and typehint accordingly.
- Fixed invalid
isAccountNonExpired
timestamp when year is 2038 - Fixed validation of blank passwords
- Removed any new lines in email subjects
- Added trailing dot flash messages
- Added trailing dot validator messages
- Added Galician translation
- Use
random_bytes
to generate tokens
- Fixed some yaml errors in translation files
- Fixed bad credentials translations
- Fixed canonicalizer with illegal chars
- Fixed deprecated routing configuration
- Fixed class name check in
UserProvider::refreshUser()
- Updated several translation files
- Removed colons from translation files
- Updated several documentation examples
- Converted documentation to rst format
- Fix compatibility with Symfony 2.7 #1777
This release fixes a security issue. You are encouraged to update as soon as possible.
BC break: The characters used in generated tokens have changed. They
now include dashes and underscores as well. Any routing requirement
matching them should be updated to [\w\-]+
.
- Fixed the TokenGenerator to preserve entropy.
- Fixed the compatibility with FrameworkBundle 2.5
- Fixed a few issues in translations
- Enforce the POST method for the login_check route
This releases prevents a potential DOS attack. You are encouraged to update as soon as possible.
- Added a max length validation on the password
- Changed the flash message handling to use the non-deprecated api
- Updated the composer constraint to allow Symfony 2.3
- Replaced the deprecated validation constraints by the new ones
- Added an error message when the repeated password is invalid
- Updated many translations
- Made the composer requirement compatible with Symfony 2.2.*
- Fixed the handling of the target url after the registration
- Refactored the Propel implementation to get rid of the UserProxy
- Changed the expectation for
FOS\UserBundle\Model\GroupableInterface#getGroups
toTraversable
- Moved the role constants to the UserInterface instead of the abstract User class
- Refactored the Doctrine implementations to use the same manager classes
- Removed the custom uniqueness validation in favor of the core constraints
- Added getRedirectionUrl method to ProfileController
- Added an extension point in the registration handler
- Moved the generation of the token to a dedicated class
- Added new user provider classes. They should be preferred over using the UserManager as UserProvider.
- Removed the custom password validation in favor of the Symfony 2.1 constraint
- Refactored the translation of form labels using the translation_domain option of Symfony 2.1
- Bumped the requirement to Symfony 2.1
This releases prevents a potential DOS attack. You are encouraged to update as soon as possible.
- Added a max length on the password field
- Fixed a Yaml parsing error in the Japanese translations
This release fixes another security issue. Please update to it as soon as possible.
- Fixes a security issue where the session could be hijacked
- Fixed the serialization of users to include the id
- Fixed a bug in the previous fix
This release fixes a security issue. You are encouraged to update to it as soon as possible.
- Fixed the user refreshing to check the identity by primary key instead of username
- Prefixed fos table names in propel schema with "fos_" to avoid using reserved sql words
- Added a fluent interface for the entities
- Added a mailer able to use twig blocks for the each part of the message
- Fixed the authentication in case of locked or disabled users. Github issue #464
- Add CSRF protection to the login form
- Added translations: bg, hr
- Updated translations
- Added translations for the validation errors and the login error
- Removed the user-level algorithm. Use FOSAdvancedEncoderBundle instead if you need such feature.
- Fixed resetting password clearing the token but not the token expiration. Github issue #501
- Renamed UsernameToUsernameTransformer to UserToUsernameTransformer and changed its service ID to
fos_user.user_to_username_transformer
.
- Added "custom" as valid driver
- Hide part of the email when requesting a password reset
- Changed the validation messages to translation keys
- Added the default validation group by default
- Fixed updating of changed fields in listener. Github issue #403
- Added support for Propel
- Added composer.json
- Made it possible to override the role constants in derived User class
- Updated translations: da, de, en, es, et, fr, hu, lb, nl, pl, pt_BR, pt_PT, ru
- Added translations: ca, cs, it, ja, ro, sk, sl, sv
- Changed the instanceof check for refreshUser to class instead of interface to allow multiple firewalls and correct use of UnsupportedUserException
- Added an extension point in the form handlers. Closes #291
- Rewrote the documentation entirely
- Initial release