feat(symfony): deprecate Symfony Security AccessDeniedException#8318
Merged
soyuka merged 3 commits intoJun 17, 2026
Merged
Conversation
Deprecate ApiPlatform\Symfony\Security\Exception\AccessDeniedException in favor of ApiPlatform\Metadata\Exception\AccessDeniedException. Adds an @deprecated tag plus a trigger_deprecation in a new constructor mirroring the base Symfony signature (no BC break). The internal self-throw in AccessCheckerProvider is baselined; migrating it changes the thrown type and is 5.0 work. Refs TODO-4.4-5.0.md §C.3, §B.2.
…ows do not self-trigger The 4.4 deprecation self-triggered on every denied REST request because AccessCheckerProvider throws this class internally; baselining the ctor line then suppressed the same deprecation the dedicated test asserts, breaking CI. Add a triggerDeprecation ctor flag (default true, BC-safe) and pass false from the internal REST throw, so api-platform does not nag users for its own use while external instantiation still triggers. Drop the now-unnecessary phpunit.baseline.xml entry.
…nt suite The dedicated deprecation test ran in the root tests/ dir, collected by the full-suite "PHPUnit (PHP 8.x)" jobs alongside ApiTestCase + full kernel. In that environment the exception/deprecation handler stack is polluted by other tests (cf. PR api-platform#7949), so expectUserDeprecationMessage captured nothing and the test failed with "Expected deprecation ... was not triggered". It passed only when run standalone. Relocate it into the isolated Symfony component suite under src/Symfony/Tests/, matching the proven idiom (Group('legacy') + IgnoreDeprecations) used by every working expectUserDeprecationMessage test in the repo. No production change.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Deprecates
ApiPlatform\Symfony\Security\Exception\AccessDeniedExceptionin favor ofApiPlatform\Metadata\Exception\AccessDeniedException. Adds an@deprecatedtag plus atrigger_deprecation('api-platform/core', '4.4', ...)in a new constructor that mirrors the base Symfony exception signature, so existingnew AccessDeniedException(...)callers are unaffected (no BC break).The internal self-throw in
AccessCheckerProvideris baselined rather than migrated: swapping it to the Metadata replacement would change the thrown type (SecurityAccessDeniedException→AccessDeniedHttpExceptionlineage), a behavioral/BC change deferred to 5.0.Roadmap
Part of the 4.4 preparation. Spec: TODO-4.4-5.0.md §C.3, §B.2 (folds in T18 — same symbol, no second deprecation site).
Phase: 4.4 (additive / deprecation-only, no BC break).
Test plan
@group legacy-style test asserts the deprecation message viaexpectUserDeprecationMessageand that base exception behavior (message / previous / 403 status / headers) is preserved.--fail-on-deprecation --use-baseline=phpunit.baseline.xml).