API Remove deprecated API #11524
API Remove deprecated API #11524
Conversation
GuySartorelli
force-pushed
the
pulls/6.0/remove-deprecated
branch
5 times, most recently
from
6fb1e86 to
5169aa3
Compare
_config/encryptors.yml
Outdated
| md5: | ||
| 'SilverStripe\Security\PasswordEncryptor_LegacyPHPHash': md5 |
There was a problem hiding this comment.
Not keeping this key and setting it to PasswordEncryptor_PHPHash because md5 is inherently insecure, so anyone already using it should be prompted to consider changing to something else.
There was a problem hiding this comment.
This, isn't just removing deprecated code? Seems like this is something else where we're making a decision that md5 is not good? Seems a bit out of scope?. Wouldn't this means there are other things to consider, for instance is it worth considering if sha1 and blowfish also up to scratch? Also there's an md5_v2.4 key below that's retained
There was a problem hiding this comment.
This is literally just removing code. I have decided not to add other code because md5 sucks - but as far as this PR which is to remove deprecated code, that's exactly what is being done here.
There was a problem hiding this comment.
I get that md5 isn't good, though we still have md5 support via the md5_v2.4 key below. Also, again, removing md5 support is out of scope since the scope of this issue is to only to remove deprecated code and we haven't "deprecated" md5 support.
Seems like the correct thing would be to retain the md5 key and just change its class to SilverStripe\Security\PasswordEncryptor_PHPHash like you did for sha1?
There was a problem hiding this comment.
I wholeheartedly and completely disagree with every fibre of my being but I'll do it anyway so we can move on.
The implication to me is that the encryptor being deprecated means the config that instantiates it is also deprecated. Anyone who has explicitly set their project to use md5 will currently be getting a deprecation notice telling them that the legacy PHP hash encrpytor is deprecated.
I only migrated the sha1 key because that's still a sensible hash algorithm to use. md5 very very very much isn't. We should really remove it even from the encryptor we are keeping but that is farther out of scope than I want to do in this PR.
Anyway, md5 is back :(
There was a problem hiding this comment.
The class which is deprecated is separate from the algorithm. People would also be getting deprecation notices for the sha1 algorithm as well though we're not removing that
I've backlogged a new issue for this #11530
| * | ||
| * @return string|null null if not overridden, otherwise the actual value | ||
| */ | ||
| public static function get_session_environment_type(?HTTPRequest $request = null) |
There was a problem hiding this comment.
This isn't used anywhere in core or supported modules. It was added in ca56e8d#diff-983f05f9a107b9bf66a1ed4230e524be82118dd71f4a795529f8794b762c8b47R1091 as a replacement for CoreKernel::sessionEnvironment(). It was removed in #10456.
It and this method seem to have only existed to support the isDev and isTest GET variables, which were intentionally removed in CMS 5.
isDevandisTestquery string arguments have been removed due to security concerns (see ss-2018-005).
There was a problem hiding this comment.
Should have been removed in #10456 back when we did CMS 5 work.
No need to mention this in the changelog, since this is dead code as the tests mentioned in the linked PR prove.
| public static function urlRewriter($content, $code) | ||
| public static function urlRewriter($content, callable $code) | ||
| { | ||
| if (!is_callable($code)) { | ||
| throw new InvalidArgumentException( | ||
| 'HTTP::urlRewriter expects a callable as the second parameter' | ||
| ); | ||
| } |
There was a problem hiding this comment.
Not really a deprecation but seems sensible to have an explicit typed parameter instead of an exception here.
There was a problem hiding this comment.
See comment about SessionEnvTypeSwitcher
| @@ -4,7 +4,6 @@ | |||
|
|
|||
| use InvalidArgumentException; | |||
| use SilverStripe\Core\Validation\ValidationResult; | |||
| use SilverStripe\Dev\Deprecation; | |||
| $result = PolymorphicHasManyList::create($componentClass, $details['joinField'], static::class); | ||
| if ($details['needsRelation']) { | ||
| Deprecation::withSuppressedNotice(fn () => $result->setForeignRelation($componentName)); | ||
| } | ||
| $relation = $details['needsRelation'] ? $componentName : null; | ||
| $result = PolymorphicHasManyList::create($componentClass, $details['joinField'], static::class, $relation); |
There was a problem hiding this comment.
setForeignRelation() is removed, and a new constructor arg is added in its place.
| @@ -9,7 +9,6 @@ | |||
| use SilverStripe\Core\Manifest\ModuleLoader; | |||
| use SilverStripe\Core\Manifest\ModuleResourceLoader; | |||
| use SilverStripe\Core\Path; | |||
| use SilverStripe\Dev\Deprecation; | |||
| @@ -3,7 +3,6 @@ | |||
| namespace SilverStripe\Cli\Tests; | |||
|
|
|||
| use PHPUnit\Framework\Attributes\DataProvider; | |||
| use PHPUnit\Framework\Error\Deprecated; | |||
| $obj = new GridField('testfield', 'testfield'); | ||
| $list = ArrayList::create(); | ||
| $obj = new GridField('testfield', 'testfield', $list); |
There was a problem hiding this comment.
Needed to avoid LogicException now that setThrowExceptionOnBadDataType() is removed from various components.
GuySartorelli
force-pushed
the
pulls/6.0/remove-deprecated
branch
2 times, most recently
from
3e7be21 to
e70fcc0
Compare
_config/encryptors.yml
Outdated
| md5: | ||
| 'SilverStripe\Security\PasswordEncryptor_LegacyPHPHash': md5 |
There was a problem hiding this comment.
This, isn't just removing deprecated code? Seems like this is something else where we're making a decision that md5 is not good? Seems a bit out of scope?. Wouldn't this means there are other things to consider, for instance is it worth considering if sha1 and blowfish also up to scratch? Also there's an md5_v2.4 key below that's retained
| */ | ||
| public function __construct($dataClass, $foreignField, $foreignClass) | ||
| public function __construct(string $dataClass, string $foreignField, string $foreignClass, ?string $foreignRelation = null) |
There was a problem hiding this comment.
Why is a new param being added here?
There was a problem hiding this comment.
Because that was always the intention. As per the deprecation notice:
@deprecated 5.2.0 Will be replaced with a parameter in the constructor
GuySartorelli
force-pushed
the
pulls/6.0/remove-deprecated
branch
from
e70fcc0 to
003e119
Compare
Issue