diogo
/
symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

bug #34218 [Security] Fix SwitchUserToken wrongly deauthenticated (chalasr) 

This PR was merged into the 4.4 branch.

Discussion
----------

[Security] Fix SwitchUserToken wrongly deauthenticated

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #34202
| License       | MIT
| Doc PR        | -

Commits
-------

e47b31c43c [Security] Fix SwitchUserToken wrongly deauthenticated
This commit is contained in:
Fabien Potencier 2019-11-03 13:01:14 +01:00
parent 0c784d2879 e47b31c43c
commit 08a218c79f
2 changed files with 40 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php
View File

@ -318,9 +318,12 @@ abstract class AbstractToken implements TokenInterface
}
$userRoles = array_map('strval', (array) $user->getRoles());
$rolesChanged = \count($userRoles) !== \count($this->getRoleNames()) || \count($userRoles) !== \count(array_intersect($userRoles, $this->getRoleNames()));
if ($rolesChanged) {
if ($this instanceof SwitchUserToken) {
$userRoles[] = 'ROLE_PREVIOUS_ADMIN';
}
if (\count($userRoles) !== \count($this->getRoleNames()) || \count($userRoles) !== \count(array_intersect($userRoles, $this->getRoleNames()))) {
return true;
}

35
src/Symfony/Component/Security/Core/Tests/Authentication/Token/SwitchUserTokenTest.php
View File

@ -14,6 +14,7 @@ namespace Symfony\Component\Security\Core\Tests\Authentication\Token;
use PHPUnit\Framework\TestCase;
use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\User\UserInterface;
class SwitchUserTokenTest extends TestCase
{
@ -38,4 +39,38 @@ class SwitchUserTokenTest extends TestCase
$this->assertSame('provider-key', $unserializedOriginalToken->getProviderKey());
$this->assertEquals(['ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'], $unserializedOriginalToken->getRoleNames());
}
public function testSetUserDoesNotDeauthenticate()
{
$impersonated = new class() implements UserInterface {
public function getUsername()
{
return 'impersonated';
}
public function getPassword()
{
return null;
}
public function eraseCredentials()
{
}
public function getRoles()
{
return ['ROLE_USER'];
}
public function getSalt()
{
return null;
}
};
$originalToken = new UsernamePasswordToken('impersonator', 'foo', 'provider-key', ['ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH']);
$token = new SwitchUserToken($impersonated, 'bar', 'provider-key', ['ROLE_USER', 'ROLE_PREVIOUS_ADMIN'], $originalToken);
$token->setUser($impersonated);
$this->assertTrue($token->isAuthenticated());
}
}