Tweaked the handling of error message in the login page

The template now receives the AuthenticationException instead of only
its message key, allowing to support translation parameters.
Other exceptions are not rendered anymore (it should not happen anyway
as the Security system always use an AuthenticationException to fill the
attribute).

Changelog.md

@@ -1,6 +1,11 @@
 Changelog
 =========
 
+### 2.0.0 (2014-XX-XX)
+
+* [BC break] The ``FOSUserBundle:Security:login.html.twig`` template now receives an AuthenticationException in the ``error``
+  variable rather than an error message.
+
 ### 2.0.0-alpha1 (2014-09-26)
 
 * Updated many translations

Controller/SecurityController.php

@@ -30,17 +30,13 @@ public function loginAction(Request $request)
             $error = $session->get(SecurityContextInterface::AUTHENTICATION_ERROR);
             $session->remove(SecurityContextInterface::AUTHENTICATION_ERROR);
         } else {
-            $error = '';
+            $error = null;
         }
 
-        if ($error) {
-            if ($error instanceof AuthenticationException) {
-                $error = $error->getMessageKey();
-            } else {
-                // TODO: this is a potential security risk (see http://trac.symfony-project.org/ticket/9523)
-                $error = $error->getMessage();
-            }
+        if (!$error instanceof AuthenticationException) {
+            $error = null; // The value does not come from the security component.
         }
+
         // last username entered by the user
         $lastUsername = (null === $session) ? '' : $session->get(SecurityContextInterface::LAST_USERNAME);
 

Resources/views/Security/login.html.twig

@@ -4,7 +4,7 @@
 
 {% block fos_user_content %}
 {% if error %}
-    <div>{{ error|trans({}, 'security') }}</div>
+    <div>{{ error.messageKey|trans(error.messageData, 'security') }}</div>
 {% endif %}
 
 <form action="{{ path("fos_user_security_check") }}" method="post">