Also check PUBLIC_ACCESS for authenticated tokens

Currently, authenticated users are denied access to pages that have
PUBLIC_ACCESS, because this attribute is only checked when no token was set.
This commit is contained in:
Wouter de Jong 2020-05-31 23:35:18 +02:00
parent 2af156d6fe
commit 0ac530f460
2 changed files with 34 additions and 3 deletions


@ -95,11 +95,13 @@ class AccessListener extends AbstractListener
return;
}
if ([self::PUBLIC_ACCESS] === $attributes) {
return;
if ([self::PUBLIC_ACCESS] !== $attributes) {
throw $this->createAccessDeniedException($request, $attributes);
}
}
throw $this->createAccessDeniedException($request, $attributes);
if ([self::PUBLIC_ACCESS] === $attributes) {
return;
}
if (!$token->isAuthenticated()) {
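Review bot: The new side tests `[self::PUBLIC_ACCESS] === $attributes` twice — negated inside the null-token branch and then positively right below it — and, if that branch holds nothing else (its opening line is above the hunk, presumably the null-token test, as is the rest of the method), the same behaviour reads more directly as one check placed before the null test: `if ([self::PUBLIC_ACCESS] === $attributes) { return; }` followed by `if (null === $token) { throw $this->createAccessDeniedException($request, $attributes); }`. Whichever form is kept, the early return now bypasses both the `isAuthenticated()` re-authentication and the access decision manager for public routes regardless of what token, if any, is in storage; that is the intent of the commit, but it deserves a comment such as `// PUBLIC_ACCESS short-circuits everything below: no re-authentication, no voter decision`. The strict array comparison also means PUBLIC_ACCESS combined with any other attribute is not treated as public and continues to the denial/decision path — pre-existing behaviour, but the same comment should say so, since a reader may expect the attribute to be honoured inside a list.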


@ -18,8 +18,10 @@ use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\User\User;
use Symfony\Component\Security\Http\AccessMapInterface;
use Symfony\Component\Security\Http\Event\LazyResponseEvent;
use Symfony\Component\Security\Http\Firewall\AccessListener;
@ -279,6 +281,33 @@ class AccessListenerTest extends TestCase
$this->expectNotToPerformAssertions();
}
public function testHandleWhenPublicAccessWhileAuthenticated()
{
$token = new UsernamePasswordToken(new User('Wouter', null, ['ROLE_USER']), null, 'main', ['ROLE_USER']);
$tokenStorage = new TokenStorage();
$tokenStorage->setToken($token);
$request = new Request();
$accessMap = $this->createMock(AccessMapInterface::class);
$accessMap->expects($this->any())
->method('getPatterns')
->with($this->equalTo($request))
->willReturn([[AccessListener::PUBLIC_ACCESS], null])
;
$listener = new AccessListener(
$tokenStorage,
$this->getMockBuilder('Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface')->getMock(),
$accessMap,
$this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface')->getMock(),
false
);
$listener(new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MASTER_REQUEST));
$this->expectNotToPerformAssertions();
}
public function testHandleMWithultipleAttributesShouldBeHandledAsAnd()
{
$request = new Request();
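Review bot: testHandleWhenPublicAccessWhileAuthenticated fails on the old code only as a side effect — the bare AccessDecisionManagerInterface mock's `decide()` returns null, so the old path throws — and it never states the property the commit introduces, namely that a PUBLIC_ACCESS route is served without consulting the decision manager or the authentication manager. Pin that contract on the mocks with `expects($this->never())` for `decide` and `authenticate`, so a future change that quietly routes public requests back through the voters is caught rather than tolerated. Both interfaces are already imported at the top of this file, so the string-based `getMockBuilder('Symfony\...')` calls can become `createMock(...::class)` like the AccessMapInterface mock a few lines above. With mock expectations in place, `expectNotToPerformAssertions()` is no longer needed and, since PHPUnit counts verified expectations as assertions, may flag the test as risky if left in.
```php
        $accessDecisionManager = $this->createMock(AccessDecisionManagerInterface::class);
        $accessDecisionManager->expects($this->never())->method('decide');
        $authenticationManager = $this->createMock(AuthenticationManagerInterface::class);
        $authenticationManager->expects($this->never())->method('authenticate');

        $listener = new AccessListener(
            $tokenStorage,
            $accessDecisionManager,
            $accessMap,
            $authenticationManager,
            false
        );
        // … unchanged: listener invocation with the RequestEvent …
```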