[Security] always check the token on non-lazy firewalls

Nicolas Grekas 2019-11-14 23:50:50 +01:00
parent 2a91f28ed4
commit 797450d6b8
2 changed files with 8 additions and 2 deletions


@ -18,6 +18,7 @@ use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface
use Symfony\Component\Security\Core\Exception\AccessDeniedException; use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException; use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
use Symfony\Component\Security\Http\AccessMapInterface; use Symfony\Component\Security\Http\AccessMapInterface;
use Symfony\Component\Security\Http\Event\LazyResponseEvent;
/** /**
* AccessListener enforces access control rules. * AccessListener enforces access control rules.
@ -51,6 +52,10 @@ class AccessListener implements ListenerInterface
*/ */
public function __invoke(RequestEvent $event) public function __invoke(RequestEvent $event)
{ {
if (!$event instanceof LazyResponseEvent && null === $token = $this->tokenStorage->getToken()) {
throw new AuthenticationCredentialsNotFoundException('A Token was not found in the TokenStorage.');
}
$request = $event->getRequest(); $request = $event->getRequest();
list($attributes) = $this->map->getPatterns($request); list($attributes) = $this->map->getPatterns($request);
@ -59,7 +64,7 @@ class AccessListener implements ListenerInterface
return; return;
} }
if (null === $token = $this->tokenStorage->getToken()) { if ($event instanceof LazyResponseEvent && null === $token = $this->tokenStorage->getToken()) {
throw new AuthenticationCredentialsNotFoundException('A Token was not found in the TokenStorage.'); throw new AuthenticationCredentialsNotFoundException('A Token was not found in the TokenStorage.');
} }
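Review bot: The new guard at the top of `__invoke` and its mirror image after the access-map lookup carry no comment, so a reader has to reconstruct from the two opposite `instanceof LazyResponseEvent` conditions why the token is fetched in two places and why the first fetch happens before `$this->map->getPatterns($request)`. A one-line comment above the new check would carry the intent, e.g. `// Non-lazy firewalls must always hold a token, even when no access rule matches the request; lazy firewalls defer that check until a rule applies.`, with a matching `// Lazy firewalls: the token is only required once an access rule matches.` above the second check. The message `'A Token was not found in the TokenStorage.'` is now duplicated verbatim at both throw sites; a private class constant would keep the two from drifting apart. `__invoke` continues past the end of the hunk.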


@ -18,6 +18,7 @@ use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterfac
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface; use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface; use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Http\AccessMapInterface; use Symfony\Component\Security\Http\AccessMapInterface;
use Symfony\Component\Security\Http\Event\LazyResponseEvent;
use Symfony\Component\Security\Http\Firewall\AccessListener; use Symfony\Component\Security\Http\Firewall\AccessListener;
class AccessListenerTest extends TestCase class AccessListenerTest extends TestCase
@ -219,7 +220,7 @@ class AccessListenerTest extends TestCase
->willReturn($request) ->willReturn($request)
; ;
$listener($event); $listener(new LazyResponseEvent($event));
} }
public function testHandleWhenTheSecurityTokenStorageHasNoToken() public function testHandleWhenTheSecurityTokenStorageHasNoToken()
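Review bot: The behaviour this commit introduces — a plain `RequestEvent` with an empty token storage now throws before the access map is consulted, even when no attributes match — has no visible test: the only test touched here is moved onto the lazy path via `$listener(new LazyResponseEvent($event))`, which pins the opposite case. A companion test that keeps the original `$listener($event)` call, leaves the token storage returning `null`, and declares `$this->expectException(AuthenticationCredentialsNotFoundException::class);` before invoking the listener would lock the non-lazy rule in. `testHandleWhenTheSecurityTokenStorageHasNoToken` at the end of the hunk may already cover part of this, but its body is outside the hunk, as is the start of the test method being modified.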