Removed all deprecated attributes from the docs

Author: wouterj

components/security/authorization.rst

@@ -98,10 +98,12 @@ AuthenticatedVoter
 ~~~~~~~~~~~~~~~~~~
 
 The :class:`Symfony\\Component\\Security\\Core\\Authorization\\Voter\\AuthenticatedVoter`
-voter supports the attributes ``IS_AUTHENTICATED_FULLY``, ``IS_AUTHENTICATED_REMEMBERED``,
-and ``IS_AUTHENTICATED_ANONYMOUSLY`` and grants access based on the current
-level of authentication, i.e. is the user fully authenticated, or only based
-on a "remember-me" cookie, or even authenticated anonymously?::
+voter supports the attributes ``IS_ANONYMOUS``, ``IS_REMEMBERED``, ``IS_IMPERSONATED``
+and ``IS_AUTHENTICATED`` and ``IS_AUTHENTICATED_FULLY`` and grants access based on the current
+level of authentication, i.e. is the user authenticated or only based
+on a "remember-me" cookie or even only anonymous?
+
+.. code-block:: php
 
     use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;
     use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;

security.rst

@@ -616,8 +616,10 @@ Securing other Services
 
 See :doc:`/security/securing_services`.
 
-Checking to see if a User is Logged In (IS_AUTHENTICATED_FULLY)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.. _checking-to-see-if-a-user-is-logged-in-is_authenticated_fully:
+
+Checking to see if a User is Logged In (IS_AUTHENTICATED)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 If you *only* want to check if a user is logged in (you don't care about roles),
 you have two options. First, if you've given *every* user ``ROLE_USER``, you can
@@ -628,30 +630,40 @@ of a role::
 
     public function adminDashboard()
     {
-        $this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');
+        $this->denyAccessUnlessGranted('IS_AUTHENTICATED');
 
         // ...
     }
 
-You can use ``IS_AUTHENTICATED_FULLY`` anywhere roles are used: like ``access_control``
-or in Twig.
+You can use this ``IS_AUTHENTICATED`` attribute in security expression
+(like used in ``access_control``, or calls to ``isGranted()`` in PHP or
+``is_granted`` in Twig).
 
-``IS_AUTHENTICATED_FULLY`` isn't a role, but it kind of acts like one, and every
-user that has logged in will have this. Actually, there are 3 special attributes
+``IS_AUTHENTICATED`` isn't a role, but it kind of acts like one, and every
+user that has logged in will have this. Actually, there are some special attributes
 like this:
 
-* ``IS_AUTHENTICATED_REMEMBERED``: *All* logged in users have this, even
-  if they are logged in because of a "remember me cookie". Even if you don't
-  use the :doc:`remember me functionality </security/remember_me>`,
-  you can use this to check if the user is logged in.
+* ``IS_AUTHENTICATED``: Matches *all* users (even anonymous ones). This is
+  useful when *whitelisting* URLs to guarantee access - some details are in
+  :doc:`/security/access_control`.
+
+* ``IS_ANONYMOUS``: Only anonymous users are matched by this attribute.
 
-* ``IS_AUTHENTICATED_FULLY``: This is similar to ``IS_AUTHENTICATED_REMEMBERED``,
+* ``IS_REMEMBERED``: Matches users authenticated using the
+  :doc:`remember me functionality </security/remember_me>`, (i.e. a remember-me
+  cookie).
+
+* ``IS_IMPERSONATOR``: When the current session is an :doc:`impersonated user
+  * </security/impersonating_user>`, this attribute will match.
+
+* ``IS_AUTHENTICATED_FULLY``: This is similar to ``IS_AUTHENTICATED``,
   but stronger. Users who are logged in only because of a "remember me cookie"
-  will have ``IS_AUTHENTICATED_REMEMBERED`` but will not have ``IS_AUTHENTICATED_FULLY``.
+  and anonymous users will not be matched by ``IS_AUTHENTICATED_FULLY``.
+
+.. versionadded:: 4.4
 
-* ``IS_AUTHENTICATED_ANONYMOUSLY``: *All* users (even anonymous ones) have
-  this - this is useful when *whitelisting* URLs to guarantee access - some
-  details are in :doc:`/security/access_control`.
+    The ``IS_AUTHENTICATED``, ``IS_ANONYMOUS``, ``IS_REMEMBERED`` and
+    ``IS_IMPERSONATOR`` attributes were introduced in Symfony 4.4.
 
 .. _security-secure-objects:
 

security/access_control.rst

@@ -193,7 +193,7 @@ pattern so that it is only accessible by requests from the local server itself:
             access_control:
                 #
                 # the 'ips' option supports IP addresses and subnet masks
-                - { path: ^/internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ips: [127.0.0.1, ::1, 192.168.0.1/24] }
+                - { path: ^/internal, roles: IS_AUTHENTICATED, ips: [127.0.0.1, ::1, 192.168.0.1/24] }
                 - { path: ^/internal, roles: ROLE_NO_ACCESS }
 
     .. code-block:: xml
@@ -210,7 +210,7 @@ pattern so that it is only accessible by requests from the local server itself:
                 <!-- ... -->
 
                 <!-- the 'ips' option supports IP addresses and subnet masks -->
-                <rule path="^/internal" role="IS_AUTHENTICATED_ANONYMOUSLY">
+                <rule path="^/internal" role="IS_AUTHENTICATED">
                     <ip>127.0.0.1</ip>
                     <ip>::1</ip>
                 </rule>
@@ -227,7 +227,7 @@ pattern so that it is only accessible by requests from the local server itself:
             'access_control' => [
                 [
                     'path' => '^/internal',
-                    'role' => 'IS_AUTHENTICATED_ANONYMOUSLY',
+                    'role' => 'IS_AUTHENTICATED',
                     // the 'ips' option supports IP addresses and subnet masks
                     'ips' => ['127.0.0.1', '::1'],
                 ],
@@ -254,8 +254,8 @@ But if the same request comes from ``127.0.0.1`` or ``::1`` (the IPv6 loopback
 address):
 
 * Now, the first access control rule is enabled as both the ``path`` and the
-  ``ip`` match: access is allowed as the user always has the
-  ``IS_AUTHENTICATED_ANONYMOUSLY`` role.
+  ``ip`` match: access is allowed as the user always matches the
+  ``IS_AUTHENTICATED`` attribute.
 
 * The second access rule is not examined as the first rule matched.
 
@@ -342,7 +342,7 @@ access those URLs via a specific port. This could be useful for example for
         security:
             # ...
             access_control:
-                - { path: ^/cart/checkout, roles: IS_AUTHENTICATED_ANONYMOUSLY, port: 8080 }
+                - { path: ^/cart/checkout, roles: IS_AUTHENTICATED, port: 8080 }
 
     .. code-block:: xml
 
@@ -357,7 +357,7 @@ access those URLs via a specific port. This could be useful for example for
             <config>
                 <!-- ... -->
                 <rule path="^/cart/checkout"
-                    role="IS_AUTHENTICATED_ANONYMOUSLY"
+                    role="IS_AUTHENTICATED"
                     port="8080"
                 />
             </config>
@@ -371,7 +371,7 @@ access those URLs via a specific port. This could be useful for example for
             'access_control' => [
                 [
                     'path' => '^/cart/checkout',
-                    'role' => 'IS_AUTHENTICATED_ANONYMOUSLY',
+                    'role' => 'IS_AUTHENTICATED',
                     'port' => '8080',
                 ],
             ],
@@ -393,7 +393,7 @@ the user will be redirected to ``https``:
         security:
             # ...
             access_control:
-                - { path: ^/cart/checkout, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
+                - { path: ^/cart/checkout, roles: IS_AUTHENTICATED, requires_channel: https }
 
     .. code-block:: xml
 
@@ -408,7 +408,7 @@ the user will be redirected to ``https``:
             <config>
                 <!-- ... -->
                 <rule path="^/cart/checkout"
-                    role="IS_AUTHENTICATED_ANONYMOUSLY"
+                    role="IS_AUTHENTICATED"
                     requires-channel="https"
                 />
             </config>
@@ -422,7 +422,7 @@ the user will be redirected to ``https``:
             'access_control' => [
                 [
                     'path' => '^/cart/checkout',
-                    'role' => 'IS_AUTHENTICATED_ANONYMOUSLY',
+                    'role' => 'IS_AUTHENTICATED',
                     'requires_channel' => 'https',
                 ],
             ],

security/expressions.rst

@@ -18,7 +18,7 @@ accepts an :class:`Symfony\\Component\\ExpressionLanguage\\Expression` object::
     public function index()
     {
         $this->denyAccessUnlessGranted(new Expression(
-            '"ROLE_ADMIN" in roles or (not is_anonymous() and user.isSuperAdmin())'
+            '"ROLE_ADMIN" in roles or (not is_granted('IS_ANONYMOUS') and user.isSuperAdmin())'
         ));
 
         // ...
@@ -52,48 +52,12 @@ Inside the expression, you have access to a number of variables:
 
 Additionally, you have access to a number of functions inside the expression:
 
-``is_authenticated``
-    Returns ``true`` if the user is authenticated via "remember-me" or authenticated
-    "fully" - i.e. returns true if the user is "logged in".
-``is_anonymous``
-    Equal to using ``IS_AUTHENTICATED_ANONYMOUSLY`` with the ``isGranted()`` function.
-``is_remember_me``
-    Similar, but not equal to ``IS_AUTHENTICATED_REMEMBERED``, see below.
-``is_fully_authenticated``
-    Similar, but not equal to ``IS_AUTHENTICATED_FULLY``, see below.
 ``is_granted``
     Checks if the user has the given permission. Optionally accepts a second argument
     with the object where permission is checked on. It's equivalent to using
     the :doc:`isGranted() method </security/securing_services>` from the authorization
     checker service.
 
-.. sidebar:: ``is_remember_me`` is different than checking ``IS_AUTHENTICATED_REMEMBERED``
-
-    The ``is_remember_me()`` and ``is_fully_authenticated()`` functions are *similar*
-    to using ``IS_AUTHENTICATED_REMEMBERED`` and ``IS_AUTHENTICATED_FULLY``
-    with the ``isGranted()`` function - but they are **not** the same. The
-    following controller snippet shows the difference::
-
-        use Symfony\Component\ExpressionLanguage\Expression;
-        use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
-        // ...
-
-        public function index(AuthorizationCheckerInterface $authorizationChecker)
-        {
-            $access1 = $authorizationChecker->isGranted('IS_AUTHENTICATED_REMEMBERED');
-
-            $access2 = $authorizationChecker->isGranted(new Expression(
-                'is_remember_me() or is_fully_authenticated()'
-            ));
-        }
-
-    Here, ``$access1`` and ``$access2`` will be the same value. Unlike the
-    behavior of ``IS_AUTHENTICATED_REMEMBERED`` and ``IS_AUTHENTICATED_FULLY``,
-    the ``is_remember_me()`` function *only* returns true if the user is authenticated
-    via a remember-me cookie and ``is_fully_authenticated`` *only* returns
-    true if the user has actually logged in during this session (i.e. is
-    full-fledged).
-
 Learn more
 ----------
 

security/force_https.rst

@@ -24,9 +24,9 @@ access control:
 
                 access_control:
                     - { path: ^/secure, roles: ROLE_ADMIN, requires_channel: https }
-                    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
+                    - { path: ^/login, roles: IS_AUTHENTICATED, requires_channel: https }
                     # catch all other URLs
-                    - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
+                    - { path: ^/, roles: IS_AUTHENTICATED, requires_channel: https }
 
         .. code-block:: xml
 
@@ -43,11 +43,11 @@ access control:
 
                     <rule path="^/secure" role="ROLE_ADMIN" requires_channel="https"/>
                     <rule path="^/login"
-                        role="IS_AUTHENTICATED_ANONYMOUSLY"
+                        role="IS_AUTHENTICATED"
                         requires_channel="https"
                     />
                     <rule path="^/"
-                        role="IS_AUTHENTICATED_ANONYMOUSLY"
+                        role="IS_AUTHENTICATED"
                         requires_channel="https"
                     />
                 </config>
@@ -67,12 +67,12 @@ access control:
                     ],
                     [
                         'path'             => '^/login',
-                        'role'             => 'IS_AUTHENTICATED_ANONYMOUSLY',
+                        'role'             => 'IS_AUTHENTICATED',
                         'requires_channel' => 'https',
                     ],
                     [
                         'path'             => '^/',
-                        'role'             => 'IS_AUTHENTICATED_ANONYMOUSLY',
+                        'role'             => 'IS_AUTHENTICATED',
                         'requires_channel' => 'https',
                     ],
                 ],

security/form_login_setup.rst

@@ -86,7 +86,7 @@ Edit the ``security.yml`` file in order to allow access for anyone to the
             # ...
 
             access_control:
-                - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+                - { path: ^/login$, roles: IS_AUTHENTICATED }
                 # ...
 
     .. code-block:: xml
@@ -100,7 +100,7 @@ Edit the ``security.yml`` file in order to allow access for anyone to the
                 https://symfony.com/schema/dic/services/services-1.0.xsd">
 
             <config>
-                <rule path="^/login$" role="IS_AUTHENTICATED_ANONYMOUSLY"/>
+                <rule path="^/login$" role="IS_AUTHENTICATED"/>
                 <!-- ... -->
             </config>
         </srv:container>
@@ -113,7 +113,7 @@ Edit the ``security.yml`` file in order to allow access for anyone to the
             'access_control' => [
                 [
                     'path' => '^/login',
-                    'roles' => 'IS_AUTHENTICATED_ANONYMOUSLY',
+                    'roles' => 'IS_AUTHENTICATED',
                 ],
                 // ...
             ],

security/multiple_guard_authenticators.rst

@@ -108,7 +108,7 @@ the solution is to split the configuration into two separate firewalls:
                         authenticators:
                             - App\Security\LoginFormAuthenticator
             access_control:
-                - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+                - { path: ^/login, roles: IS_AUTHENTICATED }
                 - { path: ^/api, roles: ROLE_API_USER }
                 - { path: ^/, roles: ROLE_USER }
 
@@ -135,7 +135,7 @@ the solution is to split the configuration into two separate firewalls:
                         <authenticator>App\Security\LoginFormAuthenticator</authenticator>
                     </guard>
                 </firewall>
-                <rule path="^/login" role="IS_AUTHENTICATED_ANONYMOUSLY"/>
+                <rule path="^/login" role="IS_AUTHENTICATED"/>
                 <rule path="^/api" role="ROLE_API_USER"/>
                 <rule path="^/" role="ROLE_USER"/>
             </config>
@@ -168,7 +168,7 @@ the solution is to split the configuration into two separate firewalls:
                 ],
             ],
             'access_control' => [
-                ['path' => '^/login', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
+                ['path' => '^/login', 'role' => 'IS_AUTHENTICATED'],
                 ['path' => '^/api', 'role' => 'ROLE_API_USER'],
                 ['path' => '^/', 'role' => 'ROLE_USER'],
             ],

security/remember_me.rst

@@ -177,7 +177,7 @@ users to change their password. You can do this by leveraing a few special "role
     {
         // allow any authenticated user - we don't care if they just
         // logged in, or are logged in via a remember me cookie
-        $this->denyAccessUnlessGranted('IS_AUTHENTICATED_REMEMBERED');
+        $this->denyAccessUnlessGranted('IS_AUTHENTICATED');
 
         // ...
     }

workflow.rst

@@ -439,8 +439,8 @@ transition. The value of this option is any valid expression created with the
                         from: draft
                         to:   reviewed
                     publish:
-                        # or "is_anonymous", "is_remember_me", "is_fully_authenticated", "is_granted"
-                        guard: "is_authenticated"
+                        # or "IS_ANONYMOUS", "IS_REMEMBER_ME", "IS_IMPERSONATOR" or "IS_AUTHENTICATED_FULLY"
+                        guard: "is_granted('IS_AUTHENTICATED')"
                         from: reviewed
                         to:   published
                     reject: