authorNicolas Grekas <nicolas.grekas@gmail.com>2015-09-24 11:03:02 +0200
committerNicolas Grekas <nicolas.grekas@gmail.com>2015-09-24 11:03:02 +0200
commita54d98450e87864bc89aabcf5ad8f4d61c9c430f (patch)
tree633ee8309506cf877ff3db3b7e9dcb6218e0d9a1 /Core
parentc0ef55f174c82a88f68907272bec899873478e6e (diff)
parent4a5dea2861a51b6b0f3c07dc541d9449882c44e1 (diff)
Merge branch '2.8'
* 2.8: (29 commits) Updating AbstractVoter so that the method receives the TokenInterface Adding the necessary files so that Guard can be its own installable component Fix syntax in a test Normalize the way we check versions Avoid errors when generating the logout URL when there is no firewall key Removing unnecessary override fabbot Adding a new exception and throwing it when the User changes Fixing a bug where having an authentication failure would log you out. Tweaks thanks to Wouter Adding logging on this step and switching the order - not for any huge reason Adding a base class to assist with form login authentication Allowing for other authenticators to be checked meaningless author and license changes Adding missing factory registration Thanks again fabbot! A few more changes thanks to @iltar Splitting the getting of the user and checking credentials into two steps Tweaking docblock on interface thanks to @iltar Adding periods at the end of exceptions, and changing one class name to LogicException thanks to @iltar ... Conflicts: UPGRADE-2.8.md src/Symfony/Bridge/Twig/Tests/Node/DumpNodeTest.php src/Symfony/Bundle/FrameworkBundle/Command/ServerCommand.php src/Symfony/Component/Validator/Tests/Constraints/AbstractComparisonValidatorTestCase.php src/Symfony/Component/Validator/Tests/Constraints/IdenticalToValidatorTest.php src/Symfony/Component/Validator/Tests/Constraints/RangeValidatorTest.php
Diffstat (limited to 'Core')
-rw-r--r--Core/Authorization/Voter/AbstractVoter.php46
-rw-r--r--Core/Exception/AuthenticationExpiredException.php31
2 files changed, 73 insertions, 4 deletions
diff --git a/Core/Authorization/Voter/AbstractVoter.php b/Core/Authorization/Voter/AbstractVoter.php
index efa1562..6bbea36 100644
--- a/Core/Authorization/Voter/AbstractVoter.php
+++ b/Core/Authorization/Voter/AbstractVoter.php
@@ -65,6 +65,12 @@ abstract class AbstractVoter implements VoterInterface
// abstain vote by default in case none of the attributes are supported
$vote = self::ACCESS_ABSTAIN;
+ $reflector = new \ReflectionMethod($this, 'voteOnAttribute');
+ $isNewOverwritten = $reflector->getDeclaringClass()->getName() !== 'Symfony\Component\Security\Core\Authorization\Voter\AbstractVoter';
+ if (!$isNewOverwritten) {
+ @trigger_error(sprintf("The AbstractVoter::isGranted method is deprecated since 2.8 and won't be called anymore in 3.0. Override voteOnAttribute() instead.", $reflector->class), E_USER_DEPRECATED);
+ }
+
foreach ($attributes as $attribute) {
if (!$this->supportsAttribute($attribute)) {
continue;
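Review bot: The `sprintf()` format string in the added `trigger_error()` line contains no `%s`, so the `$reflector->class` argument is silently discarded and the notice never names the voter that still needs migrating. In the `!$isNewOverwritten` branch the declaring class is AbstractVoter itself, so the useful value is the concrete class: `sprintf("The %s voter relies on AbstractVoter::isGranted(), which is deprecated since 2.8 and won't be called anymore in 3.0. Override voteOnAttribute() instead.", get_class($this))`. The `ReflectionMethod` lookup also runs on every call of this method; if voters are consulted often, the result could be kept in a private property. The enclosing method starts and ends outside this hunk.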
@@ -73,9 +79,16 @@ abstract class AbstractVoter implements VoterInterface
// as soon as at least one attribute is supported, default is to deny access
$vote = self::ACCESS_DENIED;
- if ($this->isGranted($attribute, $object, $token->getUser())) {
- // grant access as soon as at least one voter returns a positive response
- return self::ACCESS_GRANTED;
+ if ($isNewOverwritten) {
+ if ($this->voteOnAttribute($attribute, $object, $token)) {
+ // grant access as soon as at least one voter returns a positive response
+ return self::ACCESS_GRANTED;
+ }
+ } else {
+ if ($this->isGranted($attribute, $object, $token->getUser())) {
+ // grant access as soon as at least one voter returns a positive response
+ return self::ACCESS_GRANTED;
+ }
}
}
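Review bot: The grant decision in `if ($this->voteOnAttribute($attribute, $object, $token))` is a loose truthiness test, so a subclass that returns a non-empty string, array or object instead of a bool is treated as a grant. voteOnAttribute() is new and documented as `@return bool`, so a strict comparison such as `if (true === $this->voteOnAttribute($attribute, $object, $token))` would keep a sloppy return value from turning into ACCESS_GRANTED without breaking existing isGranted() implementations. The two branches also repeat the same comment and return; selecting the result once (`$granted = $isNewOverwritten ? ... : ...;`) would leave a single grant path to audit. The enclosing method continues outside this hunk.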
@@ -107,7 +120,32 @@ abstract class AbstractVoter implements VoterInterface
* @param object $object
* @param UserInterface|string $user
*
+ * @deprecated This method will be removed in 3.0 - override voteOnAttribute instead.
+ *
* @return bool
*/
- abstract protected function isGranted($attribute, $object, $user = null);
+ protected function isGranted($attribute, $object, $user = null)
+ {
+ return false;
+ }
+
+ /**
+ * Perform a single access check operation on a given attribute, object and (optionally) user
+ * It is safe to assume that $attribute and $object's class pass supportsAttribute/supportsClass
+ * $user can be one of the following:
+ * a UserInterface object (fully authenticated user)
+ * a string (anonymously authenticated user).
+ *
+ * This method will become abstract in 3.0.
+ *
+ * @param string $attribute
+ * @param object $object
+ * @param TokenInterface $token
+ *
+ * @return bool
+ */
+ protected function voteOnAttribute($attribute, $object, TokenInterface $token)
+ {
+ return false;
+ }
}
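Review bot: The docblock added for voteOnAttribute() was copied from isGranted() and still describes a `$user` argument ("optionally) user", "$user can be one of the following"), while the method now receives `TokenInterface $token`. It should say that the user is read from `$token->getUser()` and that this value is either a UserInterface object or a string for an anonymous user. The docblock is also worth a sentence stating that, now that both isGranted() and voteOnAttribute() are concrete and return `false`, a subclass that overrides neither (for example through a misspelled method name) loads without error and denies every supported attribute. That fails closed, but the only signal is the deprecation notice, which is raised with `@` suppression.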
diff --git a/Core/Exception/AuthenticationExpiredException.php b/Core/Exception/AuthenticationExpiredException.php
new file mode 100644
index 0000000..caf2e6c
--- /dev/null
+++ b/Core/Exception/AuthenticationExpiredException.php
@@ -0,0 +1,31 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Exception;
+
+/**
+ * AuthenticationServiceException is thrown when an authenticated token becomes un-authentcated between requests.
+ *
+ * In practice, this is due to the User changing between requests (e.g. password changes),
+ * causes the token to become un-authenticated.
+ *
+ * @author Ryan Weaver <ryan@knpuniversity.com>
+ */
+class AuthenticationExpiredException extends AccountStatusException
+{
+ /**
+ * {@inheritdoc}
+ */
+ public function getMessageKey()
+ {
+ return 'Authentication expired because your account information has changed.';
+ }
+}
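Review bot: The class docblock names the wrong exception: it opens with "AuthenticationServiceException is thrown" although the class declared below is AuthenticationExpiredException. It also contains the typo "un-authentcated", and its second sentence does not parse ("this is due to the User changing ..., causes the token ..."). Suggested wording: `AuthenticationExpiredException is thrown when an authenticated token becomes un-authenticated between requests.` followed by `In practice, this happens when the User changes between requests (e.g. a password change), which causes the token to become un-authenticated.`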