Looks like fabbot.io is showing a falsepositive code style issue. When applying the (unrelated) changes, the tests are failing

Hi Christian,

The fact that whether built-inAccountStatusException are caught or not depends on thehide_user_not_found flag although they are notUserNotFoundException might sound weird, yet it is on purpose.
We did this as part ofa security fix 3 years ago. Reasoning was that the use case such exceptions serve is pretty much the same asUserNotFoundException ones regarding user enumeration.

So if we want to change this, that would definitely be a new feature.
Also it should not be about suddenly stopping to catch those, first because that would be too much of a BC break and also because it would go against the decision that led to the CVE mentioned above. What could be done is to rename the flag for the sake of clarity or split it in two. Given the traction on related issues, I would be fine doing so.

I'm not clear; is this fix now to revert the changes to only mask UserNotFoundException's?

Personally, I'm fine with that because I do not see much benefit to masking locked accounts. The account would be locked and there would normally be nothing a legitimate or malicious user could do to unlock the account. Only to accommodate others on this, it may be worth considering having two settings, eg. hideUserNotFoundExceptions and hideAllAuthExceptions.

In my project I see there are at least 3 places where this logic is implemented:

• security-http: Symfony\Component\Security\Http\Authentication\AuthenticatorManager: handleAuthenticationFailure
• security-core: Symfony\Component\Security\Core\Authentication\Provider\UserAuthenticationProvider: authenticate
• security-guard: Symfony\Component\Security\Guard\Firewall\GuardAuthenticationListener: executeGuardAuthenticator

Will these also be updated or are these others being phased out? Also, I assume this will be patched in 5.4+ going forward.

How can we move on with this PR?

I updated the PR, so it should be BC now.

Closing in favor of#58300