bug #34551 [Security] SwitchUser is broken when the User Provider always returns a valid user (tucksaun)
This PR was merged into the 4.3 branch.

Discussion
----------

[Security] SwitchUser is broken when the User Provider always returns a valid user

| Q             | A
| ------------- | ---
| Branch?       | 4.3
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | n/a
| License       | MIT
| Doc PR        | n/a

Since bcfc282d42, if a UserProvider always returns a valid User object (which can happen in some OAuth workflow), switching user is not possible anymore as we hit the `LogicException`. This patch should be safe as the timing-attack prevention is kept.

Commits
-------

2bf6cd2eea [Security] Fix SwitchUser is broken when the User Provider always returns a valid user
commit 32e1be81bf
@ -153,7 +153,6 @@ class SwitchUserListener implements ListenerInterface
|
||||
|
||||
try {
|
||||
$this->provider->loadUserByUsername($nonExistentUsername);
|
||||
throw new \LogicException('AuthenticationException expected');
|
||||
} catch (AuthenticationException $e) {
|
||||
}
|
||||
} catch (AuthenticationException $e) {
|
||||
|
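Review bot: The inner `try` around `$this->provider->loadUserByUsername($nonExistentUsername);` discards the call's result and has an empty `catch (AuthenticationException $e) { }`, so once the `LogicException` line is dropped (the header goes from 7 lines to 6) the call reads as dead code. A short comment above it should say that the lookup exists only to keep timing equal between existing and non-existent usernames, and that providers which always return a user are expected, so a later cleanup does not delete the call or restore the throw. No test is visible in this hunk. A regression test using a user provider that returns a valid user for any username would cover the case described in the commit message.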