Merge branch '5.1'

* 5.1:
  [Validator] use "allowedVariables" to configure the ExpressionLanguageSyntax constraint
  [Security] Fixed AbstractToken::hasUserChanged()
  [PropertyAccess] fix merge
  [DI] fix typo
This commit is contained in:
Nicolas Grekas 2020-05-30 23:59:47 +02:00
commit 608b770f1b
7 changed files with 81 additions and 12 deletions

View File

@ -172,7 +172,7 @@ class HttpClientDataCollectorTest extends TestCase
foreach ($tracedRequests as $request) { foreach ($tracedRequests as $request) {
$response = $httpClient->request($request['method'], $request['url'], $request['options'] ?? []); $response = $httpClient->request($request['method'], $request['url'], $request['options'] ?? []);
$response->getContent(false); // To avoid exception in ResponseTrait::doDestruct $response->getContent(false); // disables exceptions from destructors
} }
return $httpClient; return $httpClient;

View File

@ -408,11 +408,11 @@ class PropertyAccessor implements PropertyAccessorInterface
// handle uninitialized properties in PHP >= 7 // handle uninitialized properties in PHP >= 7
if (__FILE__ === $trace['file'] if (__FILE__ === $trace['file']
&& $access[self::ACCESS_NAME] === $trace['function'] && $name === $trace['function']
&& $object instanceof $trace['class'] && $object instanceof $trace['class']
&& preg_match((sprintf('/Return value (?:of .*::\w+\(\) )?must be of (?:the )?type (\w+), null returned$/')), $e->getMessage(), $matches) && preg_match((sprintf('/Return value (?:of .*::\w+\(\) )?must be of (?:the )?type (\w+), null returned$/')), $e->getMessage(), $matches)
) { ) {
throw new UninitializedPropertyException(sprintf('The method "%s::%s()" returned "null", but expected type "%3$s". Did you forget to initialize a property or to make the return type nullable using "?%3$s"?', false === strpos(\get_class($object), "@anonymous\0") ? \get_class($object) : (get_parent_class($object) ?: 'class').'@anonymous', $access[self::ACCESS_NAME], $matches[1]), 0, $e); throw new UninitializedPropertyException(sprintf('The method "%s::%s()" returned "null", but expected type "%3$s". Did you forget to initialize a property or to make the return type nullable using "?%3$s"?', false === strpos(\get_class($object), "@anonymous\0") ? \get_class($object) : (get_parent_class($object) ?: key(class_implements($object)) ?: 'class').'@anonymous', $name, $matches[1]), 0, $e);
} }
throw $e; throw $e;

View File

@ -270,10 +270,13 @@ abstract class AbstractToken implements TokenInterface
return true; return true;
} }
$currentUserRoles = array_map('strval', (array) $this->user->getRoles());
$userRoles = array_map('strval', (array) $user->getRoles()); $userRoles = array_map('strval', (array) $user->getRoles());
if (\count($userRoles) !== \count($currentUserRoles) || \count($userRoles) !== \count(array_intersect($userRoles, $currentUserRoles))) { if ($this instanceof SwitchUserToken) {
$userRoles[] = 'ROLE_PREVIOUS_ADMIN';
}
if (\count($userRoles) !== \count($this->getRoleNames()) || \count($userRoles) !== \count(array_intersect($userRoles, $this->getRoleNames()))) {
return true; return true;
} }

View File

@ -152,7 +152,7 @@ class AbstractTokenTest extends TestCase
*/ */
public function testSetUserDoesNotSetAuthenticatedToFalseWhenUserDoesNotChange($user) public function testSetUserDoesNotSetAuthenticatedToFalseWhenUserDoesNotChange($user)
{ {
$token = new ConcreteToken(['ROLE_FOO']); $token = new ConcreteToken();
$token->setAuthenticated(true); $token->setAuthenticated(true);
$this->assertTrue($token->isAuthenticated()); $this->assertTrue($token->isAuthenticated());
@ -162,6 +162,21 @@ class AbstractTokenTest extends TestCase
$token->setUser($user); $token->setUser($user);
$this->assertTrue($token->isAuthenticated()); $this->assertTrue($token->isAuthenticated());
} }
public function testIsUserChangedWhenSerializing()
{
$token = new ConcreteToken(['ROLE_ADMIN']);
$token->setAuthenticated(true);
$this->assertTrue($token->isAuthenticated());
$user = new SerializableUser('wouter', ['ROLE_ADMIN']);
$token->setUser($user);
$this->assertTrue($token->isAuthenticated());
$token = unserialize(serialize($token));
$token->setUser($user);
$this->assertTrue($token->isAuthenticated());
}
} }
class TestUser class TestUser
@ -179,6 +194,56 @@ class TestUser
} }
} }
class SerializableUser implements UserInterface, \Serializable
{
private $roles;
private $name;
public function __construct($name, array $roles = [])
{
$this->name = $name;
$this->roles = $roles;
}
public function getUsername()
{
return $this->name;
}
public function getPassword()
{
return '***';
}
public function getRoles()
{
if (empty($this->roles)) {
return ['ROLE_USER'];
}
return $this->roles;
}
public function eraseCredentials()
{
}
public function getSalt()
{
return null;
}
public function serialize()
{
return serialize($this->name);
}
public function unserialize($serialized)
{
$this->name = unserialize($serialized);
}
}
class ConcreteToken extends AbstractToken class ConcreteToken extends AbstractToken
{ {
private $credentials = 'credentials_value'; private $credentials = 'credentials_value';

View File

@ -29,8 +29,7 @@ class ExpressionLanguageSyntax extends Constraint
public $message = 'This value should be a valid expression.'; public $message = 'This value should be a valid expression.';
public $service; public $service;
public $validateNames = true; public $allowedVariables = null;
public $names = [];
/** /**
* {@inheritdoc} * {@inheritdoc}

View File

@ -16,6 +16,7 @@ use Symfony\Component\ExpressionLanguage\SyntaxError;
use Symfony\Component\Validator\Constraint; use Symfony\Component\Validator\Constraint;
use Symfony\Component\Validator\ConstraintValidator; use Symfony\Component\Validator\ConstraintValidator;
use Symfony\Component\Validator\Exception\UnexpectedTypeException; use Symfony\Component\Validator\Exception\UnexpectedTypeException;
use Symfony\Component\Validator\Exception\UnexpectedValueException;
/** /**
* @author Andrey Sevastianov <mrpkmail@gmail.com> * @author Andrey Sevastianov <mrpkmail@gmail.com>
@ -39,7 +40,7 @@ class ExpressionLanguageSyntaxValidator extends ConstraintValidator
} }
if (!\is_string($expression)) { if (!\is_string($expression)) {
throw new UnexpectedTypeException($expression, 'string'); throw new UnexpectedValueException($expression, 'string');
} }
if (null === $this->expressionLanguage) { if (null === $this->expressionLanguage) {
@ -47,7 +48,7 @@ class ExpressionLanguageSyntaxValidator extends ConstraintValidator
} }
try { try {
$this->expressionLanguage->lint($expression, ($constraint->validateNames ? ($constraint->names ?? []) : null)); $this->expressionLanguage->lint($expression, $constraint->allowedVariables);
} catch (SyntaxError $exception) { } catch (SyntaxError $exception) {
$this->context->buildViolation($constraint->message) $this->context->buildViolation($constraint->message)
->setParameter('{{ syntax_error }}', $this->formatValue($exception->getMessage())) ->setParameter('{{ syntax_error }}', $this->formatValue($exception->getMessage()))

View File

@ -18,7 +18,7 @@ use Symfony\Component\Validator\Constraints\ExpressionLanguageSyntax;
use Symfony\Component\Validator\Constraints\ExpressionLanguageSyntaxValidator; use Symfony\Component\Validator\Constraints\ExpressionLanguageSyntaxValidator;
use Symfony\Component\Validator\Test\ConstraintValidatorTestCase; use Symfony\Component\Validator\Test\ConstraintValidatorTestCase;
class ExpressionLanguageSyntaxTest extends ConstraintValidatorTestCase class ExpressionLanguageSyntaxValidatorTest extends ConstraintValidatorTestCase
{ {
/** /**
* @var \PHPUnit\Framework\MockObject\MockObject|ExpressionLanguage * @var \PHPUnit\Framework\MockObject\MockObject|ExpressionLanguage
@ -45,6 +45,7 @@ class ExpressionLanguageSyntaxTest extends ConstraintValidatorTestCase
$this->validator->validate($this->value, new ExpressionLanguageSyntax([ $this->validator->validate($this->value, new ExpressionLanguageSyntax([
'message' => 'myMessage', 'message' => 'myMessage',
'allowedVariables' => [],
])); ]));
$this->assertNoViolation(); $this->assertNoViolation();
@ -58,7 +59,6 @@ class ExpressionLanguageSyntaxTest extends ConstraintValidatorTestCase
$this->validator->validate($this->value, new ExpressionLanguageSyntax([ $this->validator->validate($this->value, new ExpressionLanguageSyntax([
'message' => 'myMessage', 'message' => 'myMessage',
'validateNames' => false,
])); ]));
$this->assertNoViolation(); $this->assertNoViolation();
@ -73,6 +73,7 @@ class ExpressionLanguageSyntaxTest extends ConstraintValidatorTestCase
$this->validator->validate($this->value, new ExpressionLanguageSyntax([ $this->validator->validate($this->value, new ExpressionLanguageSyntax([
'message' => 'myMessage', 'message' => 'myMessage',
'allowedVariables' => [],
])); ]));
$this->buildViolation('myMessage') $this->buildViolation('myMessage')