Merge branch '4.4'

* 4.4:
  Revert "minor #12371 [Security] Deprecated using more than one role in access_control rules (javiereguiluz)"
  include xml and php examples
  Update security.rst
  Update mercure.rst

Author: wouterj

mercure.rst

@@ -99,7 +99,7 @@ Set it to the URL of the Mercure Hub (``http://localhost:3000/.well-known/mercur
 In addition, the Symfony application must bear a `JSON Web Token`_ (JWT)
 to the Mercure Hub to be authorized to publish updates.
 
-This JWT should be stored in the ``MERCURE_JWT_SECRET`` environment variable.
+This JWT should be stored in the ``MERCURE_JWT_TOKEN`` environment variable.
 
 The JWT must be signed with the same secret key as the one used by
 the Hub to verify the JWT (``aVerySecretKey`` in our example).
@@ -126,7 +126,7 @@ public updates (see the authorization_ section for further information).
 
 .. caution::
 
-    Don't put the secret key in ``MERCURE_JWT_SECRET``, it will not work!
+    Don't put the secret key in ``MERCURE_JWT_TOKEN``, it will not work!
     This environment variable must contain a JWT, signed with the secret key.
 
     Also, be sure to keep both the secret key and the JWTs... secrets!

security.rst

@@ -438,6 +438,9 @@ start with ``/admin``, you can:
                 # require ROLE_ADMIN for /admin*
                 - { path: '^/admin', roles: ROLE_ADMIN }
 
+                # or require ROLE_ADMIN and IS_AUTHENTICATED_FULLY for /admin*
+                - { path: '^/admin', roles: [IS_AUTHENTICATED_FULLY, ROLE_ADMIN] }
+
                 # the 'path' value can be any valid regular expression
                 # (this one will match URLs like /api/post/7298 and /api/comment/528491)
                 - { path: ^/api/(post|comment)/\d+$, roles: ROLE_USER }
@@ -462,6 +465,12 @@ start with ``/admin``, you can:
                 <!-- require ROLE_ADMIN for /admin* -->
                 <rule path="^/admin" role="ROLE_ADMIN"/>
 
+                <!-- require ROLE_ADMIN and IS_AUTHENTICATED_FULLY for /admin* -->
+                <rule path="^/admin">
+                    <role>ROLE_ADMIN</role>
+                    <role>IS_AUTHENTICATED_FULLY</role>
+                </rule>
+
                 <!-- the 'path' value can be any valid regular expression
                      (this one will match URLs like /api/post/7298 and /api/comment/528491) -->
                 <rule path="^/api/(post|comment)/\d+$" role="ROLE_USER"/>
@@ -484,6 +493,9 @@ start with ``/admin``, you can:
                 // require ROLE_ADMIN for /admin*
                 ['path' => '^/admin', 'roles' => 'ROLE_ADMIN'],
 
+                // require ROLE_ADMIN and IS_AUTHENTICATED_FULLY for /admin*
+                ['path' => '^/admin', 'roles' => ['ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY']],
+
                 // the 'path' value can be any valid regular expression
                 // (this one will match URLs like /api/post/7298 and /api/comment/528491)
                 ['path' => '^/api/(post|comment)/\d+$', 'roles' => 'ROLE_USER'],

security/access_control.rst

@@ -142,7 +142,8 @@ options:
 
 * ``roles`` If the user does not have the given role, then access is denied
   (internally, an :class:`Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException`
-  is thrown).
+  is thrown). If this value is an array of multiple roles, the user must have
+  at least one of them.
 
 * ``allow_if`` If the expression returns false, then access is denied;