Merge branch '4.3' into 4.4

* 4.3:
  fix merge
  CS
  [Serializer] Skip uninitialized (PHP 7.4) properties in PropertyNormalizer and ObjectNormalizer
  stop using deprecated Doctrine persistence classes
  [Cache] Fix wrong classname in deprecation message
  Fix regex lookahead syntax in ApplicationTest
  Fixed syntax in comment
  [SecurityBundle][FirewallMap] Remove unused property
  [Messenger][AMQP] Use delivery_mode=2 by default
  [DI] Improve performance of processDefinition
  Fix invalid Windows path normalization
  [Validator][ConstraintValidator] Safe fail on invalid timezones
  [DoctrineBridge] Fixed submitting invalid ids when using queries with limit
  [FrameworkBundle] Add info & example to auto_mapping config
  fix comparisons with null values at property paths

Author: nicolas-grekas

Form/ChoiceList/ORMQueryBuilderLoader.php

@@ -50,6 +50,21 @@ public function getEntities()
      */
     public function getEntitiesByIds($identifier, array $values)
     {
+        if (null !== $this->queryBuilder->getMaxResults() || null !== $this->queryBuilder->getFirstResult()) {
+            // an offset or a limit would apply on results including the where clause with submitted id values
+            // that could make invalid choices valid
+            $choices = [];
+            $metadata = $this->queryBuilder->getEntityManager()->getClassMetadata(current($this->queryBuilder->getRootEntities()));
+
+            foreach ($this->getEntities() as $entity) {
+                if (\in_array(current($metadata->getIdentifierValues($entity)), $values, true)) {
+                    $choices[] = $entity;
+                }
+            }
+
+            return $choices;
+        }
+
         $qb = clone $this->queryBuilder;
         $alias = current($qb->getRootAliases());
         $parameter = 'ORMQueryBuilderLoader_getEntitiesByIds_'.$identifier;

Tests/Form/Type/EntityTypeTest.php

@@ -953,6 +953,31 @@ public function testDisallowChoicesThatAreNotIncludedQueryBuilderSingleIdentifie
         $this->assertNull($field->getData());
     }
 
+    public function testDisallowChoicesThatAreNotIncludedQueryBuilderSingleIdentifierWithLimit()
+    {
+        $entity1 = new SingleIntIdEntity(1, 'Foo');
+        $entity2 = new SingleIntIdEntity(2, 'Bar');
+        $entity3 = new SingleIntIdEntity(3, 'Baz');
+
+        $this->persist([$entity1, $entity2, $entity3]);
+
+        $repository = $this->em->getRepository(self::SINGLE_IDENT_CLASS);
+
+        $field = $this->factory->createNamed('name', static::TESTED_TYPE, null, [
+            'em' => 'default',
+            'class' => self::SINGLE_IDENT_CLASS,
+            'query_builder' => $repository->createQueryBuilder('e')
+                ->where('e.id IN (1, 2, 3)')
+                ->setMaxResults(1),
+            'choice_label' => 'name',
+        ]);
+
+        $field->submit('3');
+
+        $this->assertFalse($field->isSynchronized());
+        $this->assertNull($field->getData());
+    }
+
     public function testDisallowChoicesThatAreNotIncludedQueryBuilderSingleAssocIdentifier()
     {
         $innerEntity1 = new SingleIntIdNoToStringEntity(1, 'InFoo');