[Security] Look at headers for switch user username parameter
This commit is contained in:
Robin Chalas
parent
0c6eca34f6
commit
3c801951c8
@ -54,7 +54,7 @@ class SwitchUserTest extends WebTestCase
|
||||
public function testSwitchUserStateless()
|
||||
{
|
||||
$client = $this->createClient(array('test_case' => 'JsonLogin', 'root_config' => 'switchuser_stateless.yml'));
|
||||
$client->request('POST', '/chk', array('_switch_user' => 'dunglas'), array(), array('CONTENT_TYPE' => 'application/json'), '{"user": {"login": "user_can_switch", "password": "test"}}');
|
||||
$client->request('POST', '/chk', array(), array(), array('HTTP_X_SWITCH_USER' => 'dunglas', 'CONTENT_TYPE' => 'application/json'), '{"user": {"login": "user_can_switch", "password": "test"}}');
|
||||
$response = $client->getResponse();
|
||||
|
||||
$this->assertInstanceOf(JsonResponse::class, $response);
|
||||
|
||||
@ -10,4 +10,5 @@ security:
|
||||
firewalls:
|
||||
main:
|
||||
switch_user:
|
||||
parameter: X-Switch-User
|
||||
stateless: true
|
||||
|
||||
@ -79,16 +79,17 @@ class SwitchUserListener implements ListenerInterface
|
||||
public function handle(GetResponseEvent $event)
|
||||
{
|
||||
$request = $event->getRequest();
|
||||
$username = $request->get($this->usernameParameter) ?: $request->headers->get($this->usernameParameter);
|
||||
|
||||
if (!$request->get($this->usernameParameter)) {
|
||||
if (!$username) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (self::EXIT_VALUE === $request->get($this->usernameParameter)) {
|
||||
if (self::EXIT_VALUE === $username) {
|
||||
$this->tokenStorage->setToken($this->attemptExitUser($request));
|
||||
} else {
|
||||
try {
|
||||
$this->tokenStorage->setToken($this->attemptSwitchUser($request));
|
||||
$this->tokenStorage->setToken($this->attemptSwitchUser($request, $username));
|
||||
} catch (AuthenticationException $e) {
|
||||
throw new \LogicException(sprintf('Switch User failed: "%s"', $e->getMessage()));
|
||||
}
|
||||
@ -106,20 +107,21 @@ class SwitchUserListener implements ListenerInterface
|
||||
/**
|
||||
* Attempts to switch to another user.
|
||||
*
|
||||
* @param Request $request A Request instance
|
||||
* @param Request $request A Request instance
|
||||
* @param string $username
|
||||
*
|
||||
* @return TokenInterface|null The new TokenInterface if successfully switched, null otherwise
|
||||
*
|
||||
* @throws \LogicException
|
||||
* @throws AccessDeniedException
|
||||
*/
|
||||
private function attemptSwitchUser(Request $request)
|
||||
private function attemptSwitchUser(Request $request, $username)
|
||||
{
|
||||
$token = $this->tokenStorage->getToken();
|
||||
$originalToken = $this->getOriginalToken($token);
|
||||
|
||||
if (false !== $originalToken) {
|
||||
if ($token->getUsername() === $request->get($this->usernameParameter)) {
|
||||
if ($token->getUsername() === $username) {
|
||||
return $token;
|
||||
}
|
||||
|
||||
@ -133,8 +135,6 @@ class SwitchUserListener implements ListenerInterface
|
||||
throw $exception;
|
||||
}
|
||||
|
||||
$username = $request->get($this->usernameParameter);
|
||||
|
||||
if (null !== $this->logger) {
|
||||
$this->logger->info('Attempting to switch to user.', array('username' => $username));
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user