Merge branch '7.0' into 7.1
* 7.0:
  [Security] Replace a complex table by a list
  Remove the report section
  Use Doctor RST 1.57.1
javiereguiluz committed Mar 18, 2024
2 parents 20d1118 + 0d6b83f commit b9b4231
Showing 4 changed files with 46 additions and 37 deletions.
2 changes: 2 additions & 0 deletions .doctor-rst.yaml
@@ -14,6 +14,8 @@ rules:
ensure_bash_prompt_before_composer_command: ~
ensure_exactly_one_space_before_directive_type: ~
ensure_exactly_one_space_between_link_definition_and_link: ~
ensure_github_directive_start_with_prefix:
prefix: 'Symfony'
ensure_link_bottom: ~
ensure_link_definition_contains_valid_url: ~
ensure_order_of_code_blocks_in_configuration_block: ~
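Review bot: the second added line, `prefix: 'Symfony'`, must be indented under `ensure_github_directive_start_with_prefix:`; the rendered diff drops leading whitespace, so check the raw file, since a flush-left `prefix:` would be read as an unknown top-level rule rather than an option of that rule. This config change and the DOCtor-RST image bump in `.github/workflows/ci.yaml` need to land together: on a branch whose workflow still pins the older image, the new rule name may not be recognised and the lint job would fail.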
2 changes: 1 addition & 1 deletion .github/workflows/ci.yaml
@@ -73,7 +73,7 @@ jobs:
key: ${{ runner.os }}-doctor-rst-${{ steps.extract_base_branch.outputs.branch }}

- name: "Run DOCtor-RST"
uses: docker://oskarstark/doctor-rst:1.54.0
uses: docker://oskarstark/doctor-rst:1.57.1
with:
args: --short --error-format=github --cache-file=/github/workspace/.cache/doctor-rst.cache

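Review bot: the cache key in the unchanged context line above, `key: ${{ runner.os }}-doctor-rst-${{ steps.extract_base_branch.outputs.branch }}`, does not include the DOCtor-RST version, so a `.cache/doctor-rst.cache` written by 1.54.0 can be restored and handed to 1.57.1 through `--cache-file`; add the image tag (or a version string) to the key so that this bump invalidates the old cache. Separately, consider pinning the image by digest (`docker://oskarstark/doctor-rst@sha256:<digest>`, placeholder) instead of the mutable `1.57.1` tag, so the linter that gates documentation merges cannot change underneath the workflow without a visible diff.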
9 changes: 0 additions & 9 deletions contributing/code_of_conduct/care_team.rst
@@ -58,12 +58,3 @@ The :doc:`Symfony project leader </contributing/code/core_team>` appoints the CA
team with candidates they see fit. The CARE team will consist of at least
3 people. The team should be representing as many demographics as possible,
ideally from different employers.

CARE Team Transparency Reports
------------------------------

The CARE team publishes a transparency report at the end of each year:

* `Symfony Code of Conduct Transparency Report 2018`_.

.. _`Symfony Code of Conduct Transparency Report 2018`: https://symfony.com/blog/symfony-code-of-conduct-transparency-report-2018
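Review bot: the removed link definition `.. _`Symfony Code of Conduct Transparency Report 2018`:` is deleted together with its only reference in this section, which is correct, but the heading `CARE Team Transparency Reports` disappears as well; before merging, confirm that no other document in the repository links to that section, otherwise the build will report an unknown target. If the reports are still published on the blog, a one-line pointer at the end of the remaining paragraph would be preferable to dropping the topic silently.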
70 changes: 43 additions & 27 deletions security/access_control.rst
@@ -169,33 +169,49 @@ For each incoming request, Symfony will decide which ``access_control``
to use based on the URI, the client's IP address, the incoming host name,
and the request method. Remember, the first rule that matches is used, and
if ``ip``, ``port``, ``host`` or ``method`` are not specified for an entry, that
``access_control`` will match any ``ip``, ``port``, ``host`` or ``method``:

+-----------------+-------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
| URI | IP | PORT | HOST | METHOD | ``access_control`` | Why? |
+=================+=============+=============+=============+============+================================+=============================================================+
| ``/admin/user`` | 127.0.0.1 | 80 | example.com | GET | rule #2 (``ROLE_USER_IP``) | The URI matches ``path`` and the IP matches ``ip``. |
+-----------------+-------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
| ``/admin/user`` | 127.0.0.1 | 80 | symfony.com | GET | rule #2 (``ROLE_USER_IP``) | The ``path`` and ``ip`` still match. This would also match |
| | | | | | | the ``ROLE_USER_HOST`` entry, but *only* the **first** |
| | | | | | | ``access_control`` match is used. |
+-----------------+-------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
| ``/admin/user`` | 127.0.0.1 | 8080 | symfony.com | GET | rule #1 (``ROLE_USER_PORT``) | The ``path``, ``ip`` and ``port`` match. |
+-----------------+-------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
| ``/admin/user`` | 168.0.0.1 | 80 | symfony.com | GET | rule #3 (``ROLE_USER_HOST``) | The ``ip`` doesn't match neither the first rule nor the |
| | | | | | | second rule. So the third rule (which matches) is used. |
+-----------------+-------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
| ``/admin/user`` | 168.0.0.1 | 80 | symfony.com | POST | rule #3 (``ROLE_USER_HOST``) | The third rule still matches. This would also match the |
| | | | | | | fourth rule (``ROLE_USER_METHOD``), but only the **first** |
| | | | | | | matched ``access_control`` is used. |
+-----------------+-------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
| ``/admin/user`` | 168.0.0.1 | 80 | example.com | POST | rule #4 (``ROLE_USER_METHOD``) | The ``ip`` and ``host`` don't match the first three |
| | | | | | | entries, but the fourth - ``ROLE_USER_METHOD`` - matches |
| | | | | | | and is used. |
+-----------------+-------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
| ``/foo`` | 127.0.0.1 | 80 | symfony.com | POST | matches no entries | This doesn't match any ``access_control`` rules, since its |
| | | | | | | URI doesn't match any of the ``path`` values. |
+-----------------+-------------+-------------+-------------+------------+--------------------------------+-------------------------------------------------------------+
``access_control`` will match any ``ip``, ``port``, ``host`` or ``method``.
See the following examples:

Example #1:
* **URI** ``/admin/user``
* **IP**: ``127.0.0.1``, **Port**: ``80``, **Host**: ``example.com``, **Method**: ``GET``
* **Rule applied**: rule #2 (``ROLE_USER_IP``)
* **Why?** The URI matches ``path`` and the IP matches ``ip``.
Example #2:
* **URI** ``/admin/user``
* **IP**: ``127.0.0.1``, **Port**: ``80``, **Host**: ``symfony.com``, **Method**: ``GET``
* **Rule applied**: rule #2 (``ROLE_USER_IP``)
* **Why?** The ``path`` and ``ip`` still match. This would also match the
``ROLE_USER_HOST`` entry, but *only* the **first** ``access_control`` match is used.
Example #3:
* **URI** ``/admin/user``
* **IP**: ``127.0.0.1``, **Port**: ``8080``, **Host**: ``symfony.com``, **Method**: ``GET``
* **Rule applied**: rule #1 (``ROLE_USER_PORT``)
* **Why?** The ``path``, ``ip`` and ``port`` match.
Example #4:
* **URI** ``/admin/user``
* **IP**: ``168.0.0.1``, **Port**: ``80``, **Host**: ``symfony.com``, **Method**: ``GET``
* **Rule applied**: rule #3 (``ROLE_USER_HOST``)
* **Why?** The ``ip`` doesn't match neither the first rule nor the second rule.
* So the third rule (which matches) is used.
Example #5:
* **URI** ``/admin/user``
* **IP**: ``168.0.0.1``, **Port**: ``80``, **Host**: ``symfony.com``, **Method**: ``POST``
* **Rule applied**: rule #3 (``ROLE_USER_HOST``)
* **Why?** The third rule still matches. This would also match the fourth rule
* (``ROLE_USER_METHOD``), but only the **first** matched ``access_control`` is used.
Example #6:
* **URI** ``/admin/user``
* **IP**: ``168.0.0.1``, **Port**: ``80``, **Host**: ``example.com``, **Method**: ``POST``
* **Rule applied**: rule #4 (``ROLE_USER_METHOD``)
* **Why?** The ``ip`` and ``host`` don't match the first three entries, but
* the fourth - ``ROLE_USER_METHOD`` - matches and is used.
Example #7:
* **URI** ``/foo``
* **IP**: ``127.0.0.1``, **Port**: ``80``, **Host**: ``symfony.com``, **Method**: ``POST``
* **Rule applied**: matches no entries
* **Why?** This doesn't match any ``access_control`` rules, since its URI
* doesn't match any of the ``path`` values.

.. caution::

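Review bot: several wrapped continuation lines in the new list were given their own `* ` marker, for example `* So the third rule (which matches) is used.`, `* (``ROLE_USER_METHOD``), but only the **first** matched ``access_control`` is used.` and `* doesn't match any of the ``path`` values.`, so each renders as a separate bullet that starts mid-sentence; indent those lines as continuations of the preceding `**Why?**` item instead. Each `Example #N:` line is also followed directly by its bullets with no blank line, and the first bullet block follows the `See the following examples:` paragraph the same way; whether this builds as a definition list or as run-on paragraph text depends on indentation the rendered diff does not show, so check the generated HTML. Minor: `**URI** ``/admin/user``` lacks the colon that the other fields carry, and `The ``ip`` doesn't match neither the first rule nor the second rule.` should read `The ``ip`` matches neither the first rule nor the second rule.`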

0 comments on commit b9b4231