From 8d3078dd351e8ea16222c72083db9ff28ab33e36 Mon Sep 17 00:00:00 2001
From: Robin Chalas
Date: Tue, 23 Feb 2021 23:49:04 +0100
Subject: [PATCH] [Security] #[CurrentUser] argument should resolve to null when it is anonymous
---
 .../Security/Http/Controller/UserValueResolver.php | 9 +++------
 .../Http/Tests/Controller/UserValueResolverTest.php | 11 +++++++++++
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/src/Symfony/Component/Security/Http/Controller/UserValueResolver.php b/src/Symfony/Component/Security/Http/Controller/UserValueResolver.php
index 396b430ac9..4b469edf8b 100644
--- a/src/Symfony/Component/Security/Http/Controller/UserValueResolver.php
+++ b/src/Symfony/Component/Security/Http/Controller/UserValueResolver.php
@@ -35,12 +35,9 @@ final class UserValueResolver implements ArgumentValueResolverInterface
 public function supports(Request $request, ArgumentMetadata $argument): bool
 {
- if ($argument->getAttribute() instanceof CurrentUser) {
- return true;
- }
-
- // only security user implementations are supported
- if (UserInterface::class !== $argument->getType()) {
+ // with the attribute, the type can be any UserInterface implementation
+ // otherwise, the type must be UserInterface
+ if (UserInterface::class !== $argument->getType() && !$argument->getAttribute() instanceof CurrentUser) {
 return false;
 }
diff --git a/src/Symfony/Component/Security/Http/Tests/Controller/UserValueResolverTest.php b/src/Symfony/Component/Security/Http/Tests/Controller/UserValueResolverTest.php
index b95aa465c3..ca3197e5e4 100644
--- a/src/Symfony/Component/Security/Http/Tests/Controller/UserValueResolverTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/Controller/UserValueResolverTest.php
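Review bot: The negated condition on the new `if` line depends on `instanceof` binding tighter than `!`, which is correct PHP but reads as `!$argument->getAttribute()` at a glance; `!($argument->getAttribute() instanceof CurrentUser)` would make the intent unambiguous to the next reader. The new comment states that with the attribute the type can be any UserInterface implementation, yet this check only confirms the attribute is present and never compares the token's user against `$argument->getType()`; unless the remainder of supports(), which continues past the hunk, does that comparison, a token user of an unrelated class is still reported as supported and the mismatch surfaces as a TypeError when the controller is invoked rather than as an unsupported argument. Since the attribute path now falls through to the token check instead of returning true unconditionally, a short comment on that behaviour would help callers, e.g. `// the attribute no longer short-circuits: an anonymous token still makes this resolver decline, so a nullable #[CurrentUser] parameter receives null`.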
@@ -83,6 +83,17 @@ class UserValueResolverTest extends TestCase
 $this->assertSame([$user], iterator_to_array($resolver->resolve(Request::create('/'), $metadata)));
 }
+ public function testResolveWithAttributeAndNoUser()
+ {
+ $tokenStorage = new TokenStorage();
+ $tokenStorage->setToken(new UsernamePasswordToken('username', 'password', 'provider'));
+
+ $resolver = new UserValueResolver($tokenStorage);
+ $metadata = new ArgumentMetadata('foo', null, false, false, null, false, new CurrentUser());
+
+ $this->assertFalse($resolver->supports(Request::create('/'), $metadata));
+ }
+
 public function testIntegration()
 {
 $user = $this->createMock(UserInterface::class);
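Review bot: The new test is named testResolveWithAttributeAndNoUser but only asserts on supports(); nothing in the added lines exercises resolve(), so the "resolves to null" behaviour named in the commit subject is not pinned by this test. Either rename it to `testSupportsWithAttributeAndNoUser` or extend it with a nullable ArgumentMetadata and an assertion on the resolved value, so a regression that makes the attribute short-circuit again is caught. The setup relies on the token's user being the plain string 'username' to stand in for an anonymous principal — presumably what UsernamePasswordToken accepts here — and that intent deserves a one-line comment such as `// a non-UserInterface user models the anonymous case`. The positional `false, false, null, false` arguments to ArgumentMetadata would be clearer as named arguments given the file already targets PHP 8 attributes.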