From 8c410da7e77c8ef94add5d840891706b061fd844 Mon Sep 17 00:00:00 2001
From: Roland Franssen
Date: Fri, 13 Jul 2018 16:38:15 +0200
Subject: [PATCH] [Security] Deprecate returning stringish objects from Security::getUser
---
 UPGRADE-4.2.md | 1 +
 UPGRADE-5.0.md | 1 +
 src/Symfony/Component/Security/CHANGELOG.md | 1 +
 .../Component/Security/Core/Security.php | 5 +++
 .../Security/Core/Tests/SecurityTest.php | 32 +++++++++++++++++++
 5 files changed, 40 insertions(+)
diff --git a/UPGRADE-4.2.md b/UPGRADE-4.2.md
index 9a8aa3ff49..0319f7ca92 100644
--- a/UPGRADE-4.2.md
+++ b/UPGRADE-4.2.md
@@ -94,6 +94,7 @@ Security
 custom anonymous and remember me token classes is deprecated. To use custom tokens, extend the existing `Symfony\Component\Security\Core\Authentication\Token\AnonymousToken` or `Symfony\Component\Security\Core\Authentication\Token\RememberMeToken`.
+ * Accessing the user object that is not an instance of `UserInterface` from `Security::getUser()` is deprecated.
 SecurityBundle
 --------------
diff --git a/UPGRADE-5.0.md b/UPGRADE-5.0.md
index c9db89edee..7fca4a927f 100644
--- a/UPGRADE-5.0.md
+++ b/UPGRADE-5.0.md
@@ -126,6 +126,7 @@ Security
 * The `FirewallMapInterface::getListeners()` method must return an array of 3 elements, the 3rd one must be either a `LogoutListener` instance or `null`.
 * The `AuthenticationTrustResolver` constructor arguments have been removed.
+ * A user object that is not an instance of `UserInterface` cannot be accessed from `Security::getUser()` anymore and returns `null` instead.
 SecurityBundle
 --------------
diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md
index 92d5a5b13d..5b6a192b2f 100644
--- a/src/Symfony/Component/Security/CHANGELOG.md
+++ b/src/Symfony/Component/Security/CHANGELOG.md
@@ -12,6 +12,7 @@ CHANGELOG
 use custom tokens, extend the existing `Symfony\Component\Security\Core\Authentication\Token\AnonymousToken` or `Symfony\Component\Security\Core\Authentication\Token\RememberMeToken`.
 * allow passing null as $filter in LdapUserProvider to get the default filter
+* accessing the user object that is not an instance of `UserInterface` from `Security::getUser()` is deprecated
 4.1.0
 -----
diff --git a/src/Symfony/Component/Security/Core/Security.php b/src/Symfony/Component/Security/Core/Security.php
index 5f25b41cca..1cb3056d1e 100644
--- a/src/Symfony/Component/Security/Core/Security.php
+++ b/src/Symfony/Component/Security/Core/Security.php
@@ -46,6 +46,11 @@ final class Security
 return null;
 }
+ if (!$user instanceof UserInterface) {
+ @trigger_error(sprintf('Accessing the user object "%s" that is not an instance of "%s" from "%s()" is deprecated since Symfony 4.2, use "getToken()->getUser()" instead.', get_class($user), UserInterface::class, __METHOD__), E_USER_DEPRECATED);
+ //return null; // 5.0 behavior
+ }
+
 return $user;
 }
diff --git a/src/Symfony/Component/Security/Core/Tests/SecurityTest.php b/src/Symfony/Component/Security/Core/Tests/SecurityTest.php
index b2ba5d0d5f..bad5541926 100644
--- a/src/Symfony/Component/Security/Core/Tests/SecurityTest.php
+++ b/src/Symfony/Component/Security/Core/Tests/SecurityTest.php
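Review bot: In `Security::getUser()` (src/Symfony/Component/Security/Core/Security.php) the new branch only raises a deprecation and then still reaches `return $user;`, so for the whole 4.x line a non-null result is not guaranteed to be a `UserInterface`. A caller that treats `null !== $security->getUser()` as its "is authenticated" check, or calls `UserInterface` methods on the result, keeps receiving the arbitrary object, and the `@`-silenced notice is only seen where a deprecation handler collects it. I would add a comment above the commented-out `//return null; // 5.0 behavior`, for example `// BC layer: the object is still returned until 5.0; check instanceof UserInterface before trusting the result`, and state the same in the method's docblock. The method's signature and docblock are outside the hunk, so its current `@return` text is not visible here.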
@@ -64,10 +64,34 @@ class SecurityTest extends TestCase
 yield array('string_username', null);
+ //yield array(new StringishUser(), null); // 5.0 behavior
+
 $user = new User('nice_user', 'foo');
 yield array($user, $user);
 }
+ /**
+ * @group legacy
+ * @expectedDeprecation Accessing the user object "Symfony\Component\Security\Core\Tests\StringishUser" that is not an instance of "Symfony\Component\Security\Core\User\UserInterface" from "Symfony\Component\Security\Core\Security::getUser()" is deprecated since Symfony 4.2, use "getToken()->getUser()" instead.
+ */
+ public function testGetUserLegacy()
+ {
+ $token = $this->getMockBuilder(TokenInterface::class)->getMock();
+ $token->expects($this->any())
+ ->method('getUser')
+ ->will($this->returnValue($user = new StringishUser()));
+ $tokenStorage = $this->getMockBuilder(TokenStorageInterface::class)->getMock();
+
+ $tokenStorage->expects($this->once())
+ ->method('getToken')
+ ->will($this->returnValue($token));
+
+ $container = $this->createContainer('security.token_storage', $tokenStorage);
+
+ $security = new Security($container);
+ $this->assertSame($user, $security->getUser());
+ }
+
 public function testIsGranted()
 {
 $authorizationChecker = $this->getMockBuilder(AuthorizationCheckerInterface::class)->getMock();
@@ -95,3 +119,11 @@ class SecurityTest extends TestCase
 return $container;
 }
 }
+
+class StringishUser
+{
+ public function __toString()
+ {
+ return 'stringish_user';
+ }
+}
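Review bot: In `testGetUserLegacy()` the fixture is created inside the mock chain, `->will($this->returnValue($user = new StringishUser()))`, which hides the assignment that the closing `assertSame($user, ...)` depends on. Making `$user = new StringishUser();` the first statement and passing `$this->returnValue($user)` reads more clearly. Separately, the commented-out provider entry `//yield array(new StringishUser(), null); // 5.0 behavior` earlier in the hunk is never executed, so nothing in this suite pins the 5.0 contract. A short comment naming the test to delete and the line to enable when the BC layer goes would make that hand-over explicit. The data-provider method begins outside the hunk.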
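Review bot: `StringishUser` is appended to SecurityTest.php with no comment saying what it stands in for. A one-line docblock such as `/** Fixture: an object user that casts to string but does not implement UserInterface. */` would make its role in `testGetUserLegacy()` clear. Judging by the class name in the expected deprecation message it lives in the test namespace but not in a file of its own, so it presumably becomes loadable only once this test file has been included; that is worth a mention in the same docblock in case another test wants to reuse it.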