Also check PUBLIC_ACCESS for authenticated tokens
Currently, authenticated users are denied access to pages that use PUBLIC_ACCESS, because this attribute was only checked when no token was set.
This commit is contained in:
parent
2af156d6fe
commit
0ac530f460
@ -95,11 +95,13 @@ class AccessListener extends AbstractListener
|
||||
return;
|
||||
}
|
||||
|
||||
if ([self::PUBLIC_ACCESS] === $attributes) {
|
||||
return;
|
||||
if ([self::PUBLIC_ACCESS] !== $attributes) {
|
||||
throw $this->createAccessDeniedException($request, $attributes);
|
||||
}
|
||||
}
|
||||
|
||||
throw $this->createAccessDeniedException($request, $attributes);
|
||||
if ([self::PUBLIC_ACCESS] === $attributes) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (!$token->isAuthenticated()) {
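Review bot: The fall-through out of the null-token branch now rests on an unstated invariant: once the new `if ([self::PUBLIC_ACCESS] !== $attributes)` guard has thrown for everything else, `$token` can still be null only when the attributes are exactly `[PUBLIC_ACCESS]`, and it is the relocated `if ([self::PUBLIC_ACCESS] === $attributes) { return; }` that keeps `$token->isAuthenticated()` from being called on null. That coupling deserves a comment on the new return, e.g. `// Also the only exit for a null token with PUBLIC_ACCESS (see above): must stay before any $token dereference`. The strict array comparison appears intentional — a pattern that combines PUBLIC_ACCESS with other attributes is not short-circuited and presumably still goes to the decision manager (the sibling test name says multiple attributes are handled as AND) — but a reader may mistake it for an over-strict check, so a one-liner such as `// exact match on purpose: PUBLIC_ACCESS combined with other attributes is still voted on` would help. The enclosing method starts before and continues after this hunk.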
|
||||
|
@ -18,8 +18,10 @@ use Symfony\Component\HttpKernel\HttpKernelInterface;
|
||||
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
|
||||
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
|
||||
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
|
||||
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
|
||||
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
|
||||
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
|
||||
use Symfony\Component\Security\Core\User\User;
|
||||
use Symfony\Component\Security\Http\AccessMapInterface;
|
||||
use Symfony\Component\Security\Http\Event\LazyResponseEvent;
|
||||
use Symfony\Component\Security\Http\Firewall\AccessListener;
|
||||
@ -279,6 +281,33 @@ class AccessListenerTest extends TestCase
|
||||
$this->expectNotToPerformAssertions();
|
||||
}
|
||||
|
||||
public function testHandleWhenPublicAccessWhileAuthenticated()
|
||||
{
|
||||
$token = new UsernamePasswordToken(new User('Wouter', null, ['ROLE_USER']), null, 'main', ['ROLE_USER']);
|
||||
$tokenStorage = new TokenStorage();
|
||||
$tokenStorage->setToken($token);
|
||||
$request = new Request();
|
||||
|
||||
$accessMap = $this->createMock(AccessMapInterface::class);
|
||||
$accessMap->expects($this->any())
|
||||
->method('getPatterns')
|
||||
->with($this->equalTo($request))
|
||||
->willReturn([[AccessListener::PUBLIC_ACCESS], null])
|
||||
;
|
||||
|
||||
$listener = new AccessListener(
|
||||
$tokenStorage,
|
||||
$this->getMockBuilder('Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface')->getMock(),
|
||||
$accessMap,
|
||||
$this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface')->getMock(),
|
||||
false
|
||||
);
|
||||
|
||||
$listener(new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MASTER_REQUEST));
|
||||
|
||||
$this->expectNotToPerformAssertions();
|
||||
}
|
||||
|
||||
public function testHandleMWithultipleAttributesShouldBeHandledAsAnd()
|
||||
{
|
||||
$request = new Request();
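Review bot: `testHandleWhenPublicAccessWhileAuthenticated` shows the listener does not throw for an authenticated token on a PUBLIC_ACCESS pattern, but it never pins the property the commit is really about — that the voters are bypassed — so a regression that routes PUBLIC_ACCESS through the decision manager would be caught only indirectly, via whatever the listener does with the bare mock's default null return from `decide()`. Making it explicit is two lines: `$accessDecisionManager = $this->createMock(AccessDecisionManagerInterface::class);` then `$accessDecisionManager->expects($this->never())->method('decide');` and pass that instance to the constructor instead of the inline mock. While there, the two `getMockBuilder('Symfony\...')->getMock()` string-name mocks are inconsistent with the `createMock(AccessMapInterface::class)` style used a few lines earlier, and both interfaces are already imported in this file's use block. `expectNotToPerformAssertions()` is conventionally called before the act rather than after the listener invocation.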
|
||||
|