Create impersonation_exit_path() and *_url() functions
This commit is contained in:
parent
4ab612cad9
commit
c1e3703efd
@ -4,6 +4,7 @@ CHANGELOG
|
||||
5.2.0
|
||||
-----
|
||||
|
||||
* added the `impersonation_exit_url()` and `impersonation_exit_path()` functions. They return a URL that allows to switch back to the original user.
|
||||
* added the `workflow_transition()` function to easily retrieve a specific transition object
|
||||
* added support for translating `Translatable` objects
|
||||
* added the `t()` function to easily create `Translatable` objects
|
||||
|
@ -14,6 +14,7 @@ namespace Symfony\Bridge\Twig\Extension;
|
||||
use Symfony\Component\Security\Acl\Voter\FieldVote;
|
||||
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
|
||||
use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
|
||||
use Symfony\Component\Security\Http\Impersonate\ImpersonateUrlGenerator;
|
||||
use Twig\Extension\AbstractExtension;
|
||||
use Twig\TwigFunction;
|
||||
|
||||
@ -26,9 +27,12 @@ final class SecurityExtension extends AbstractExtension
|
||||
{
|
||||
private $securityChecker;
|
||||
|
||||
public function __construct(AuthorizationCheckerInterface $securityChecker = null)
|
||||
private $impersonateUrlGenerator;
|
||||
|
||||
public function __construct(AuthorizationCheckerInterface $securityChecker = null, ImpersonateUrlGenerator $impersonateUrlGenerator = null)
|
||||
{
|
||||
$this->securityChecker = $securityChecker;
|
||||
$this->impersonateUrlGenerator = $impersonateUrlGenerator;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -51,6 +55,24 @@ final class SecurityExtension extends AbstractExtension
|
||||
}
|
||||
}
|
||||
|
||||
public function getImpersonateExitUrl(string $exitTo = null): string
|
||||
{
|
||||
if (null === $this->impersonateUrlGenerator) {
|
||||
return '';
|
||||
}
|
||||
|
||||
return $this->impersonateUrlGenerator->generateExitUrl($exitTo);
|
||||
}
|
||||
|
||||
public function getImpersonateExitPath(string $exitTo = null): string
|
||||
{
|
||||
if (null === $this->impersonateUrlGenerator) {
|
||||
return '';
|
||||
}
|
||||
|
||||
return $this->impersonateUrlGenerator->generateExitPath($exitTo);
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritdoc}
|
||||
*/
|
||||
@ -58,6 +80,8 @@ final class SecurityExtension extends AbstractExtension
|
||||
{
|
||||
return [
|
||||
new TwigFunction('is_granted', [$this, 'isGranted']),
|
||||
new TwigFunction('impersonation_exit_url', [$this, 'getImpersonateExitUrl']),
|
||||
new TwigFunction('impersonation_exit_path', [$this, 'getImpersonateExitPath']),
|
||||
];
|
||||
}
|
||||
}
|
||||
|
@ -48,6 +48,7 @@ use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;
|
||||
use Symfony\Component\Security\Http\Controller\UserValueResolver;
|
||||
use Symfony\Component\Security\Http\Firewall;
|
||||
use Symfony\Component\Security\Http\HttpUtils;
|
||||
use Symfony\Component\Security\Http\Impersonate\ImpersonateUrlGenerator;
|
||||
use Symfony\Component\Security\Http\Logout\LogoutUrlGenerator;
|
||||
use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
|
||||
use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
|
||||
@ -160,6 +161,13 @@ return static function (ContainerConfigurator $container) {
|
||||
])
|
||||
->tag('security.voter', ['priority' => 245])
|
||||
|
||||
->set('security.impersonate_url_generator', ImpersonateUrlGenerator::class)
|
||||
->args([
|
||||
service('request_stack'),
|
||||
service('security.firewall.map'),
|
||||
service('security.token_storage'),
|
||||
])
|
||||
|
||||
// Firewall related services
|
||||
->set('security.firewall', FirewallListener::class)
|
||||
->args([
|
||||
|
@ -25,6 +25,7 @@ return static function (ContainerConfigurator $container) {
|
||||
->set('twig.extension.security', SecurityExtension::class)
|
||||
->args([
|
||||
service('security.authorization_checker')->ignoreOnInvalid(),
|
||||
service('security.impersonate_url_generator')->ignoreOnInvalid(),
|
||||
])
|
||||
->tag('twig.extension')
|
||||
;
|
||||
|
@ -19,18 +19,21 @@ namespace Symfony\Component\Security\Core\Authentication\Token;
|
||||
class SwitchUserToken extends UsernamePasswordToken
|
||||
{
|
||||
private $originalToken;
|
||||
private $originatedFromUri;
|
||||
|
||||
/**
|
||||
* @param string|object $user The username (like a nickname, email address, etc.), or a UserInterface instance or an object implementing a __toString method
|
||||
* @param mixed $credentials This usually is the password of the user
|
||||
* @param string|null $originatedFromUri The URI where was the user at the switch
|
||||
*
|
||||
* @throws \InvalidArgumentException
|
||||
*/
|
||||
public function __construct($user, $credentials, string $firewallName, array $roles, TokenInterface $originalToken)
|
||||
public function __construct($user, $credentials, string $firewallName, array $roles, TokenInterface $originalToken, string $originatedFromUri = null)
|
||||
{
|
||||
parent::__construct($user, $credentials, $firewallName, $roles);
|
||||
|
||||
$this->originalToken = $originalToken;
|
||||
$this->originatedFromUri = $originatedFromUri;
|
||||
}
|
||||
|
||||
public function getOriginalToken(): TokenInterface
|
||||
@ -38,12 +41,17 @@ class SwitchUserToken extends UsernamePasswordToken
|
||||
return $this->originalToken;
|
||||
}
|
||||
|
||||
public function getOriginatedFromUri(): ?string
|
||||
{
|
||||
return $this->originatedFromUri;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritdoc}
|
||||
*/
|
||||
public function __serialize(): array
|
||||
{
|
||||
return [$this->originalToken, parent::__serialize()];
|
||||
return [$this->originalToken, $this->originatedFromUri, parent::__serialize()];
|
||||
}
|
||||
|
||||
/**
|
||||
@ -51,7 +59,7 @@ class SwitchUserToken extends UsernamePasswordToken
|
||||
*/
|
||||
public function __unserialize(array $data): void
|
||||
{
|
||||
[$this->originalToken, $parentData] = $data;
|
||||
[$this->originalToken, $this->originatedFromUri, $parentData] = $data;
|
||||
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
|
||||
parent::__unserialize($parentData);
|
||||
}
|
||||
|
@ -21,7 +21,7 @@ class SwitchUserTokenTest extends TestCase
|
||||
public function testSerialize()
|
||||
{
|
||||
$originalToken = new UsernamePasswordToken('user', 'foo', 'provider-key', ['ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH']);
|
||||
$token = new SwitchUserToken('admin', 'bar', 'provider-key', ['ROLE_USER'], $originalToken);
|
||||
$token = new SwitchUserToken('admin', 'bar', 'provider-key', ['ROLE_USER'], $originalToken, 'https://symfony.com/blog');
|
||||
|
||||
$unserializedToken = unserialize(serialize($token));
|
||||
|
||||
@ -30,6 +30,7 @@ class SwitchUserTokenTest extends TestCase
|
||||
$this->assertSame('bar', $unserializedToken->getCredentials());
|
||||
$this->assertSame('provider-key', $unserializedToken->getFirewallName());
|
||||
$this->assertEquals(['ROLE_USER'], $unserializedToken->getRoleNames());
|
||||
$this->assertSame('https://symfony.com/blog', $unserializedToken->getOriginatedFromUri());
|
||||
|
||||
$unserializedOriginalToken = $unserializedToken->getOriginalToken();
|
||||
|
||||
@ -73,4 +74,14 @@ class SwitchUserTokenTest extends TestCase
|
||||
$token->setUser($impersonated);
|
||||
$this->assertTrue($token->isAuthenticated());
|
||||
}
|
||||
|
||||
public function testSerializeNullImpersonateUrl()
|
||||
{
|
||||
$originalToken = new UsernamePasswordToken('user', 'foo', 'provider-key', ['ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH']);
|
||||
$token = new SwitchUserToken('admin', 'bar', 'provider-key', ['ROLE_USER'], $originalToken);
|
||||
|
||||
$unserializedToken = unserialize(serialize($token));
|
||||
|
||||
$this->assertNull($unserializedToken->getOriginatedFromUri());
|
||||
}
|
||||
}
|
||||
|
@ -181,7 +181,8 @@ class SwitchUserListener extends AbstractListener
|
||||
|
||||
$roles = $user->getRoles();
|
||||
$roles[] = 'ROLE_PREVIOUS_ADMIN';
|
||||
$token = new SwitchUserToken($user, $user->getPassword(), $this->firewallName, $roles, $token);
|
||||
$originatedFromUri = str_replace('/&', '/?', preg_replace('#[&?]'.$this->usernameParameter.'=[^&]*#', '', $request->getRequestUri()));
|
||||
$token = new SwitchUserToken($user, $user->getPassword(), $this->firewallName, $roles, $token, $originatedFromUri);
|
||||
|
||||
if (null !== $this->dispatcher) {
|
||||
$switchEvent = new SwitchUserEvent($request, $token->getUser(), $token);
|
||||
|
@ -0,0 +1,76 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
* This file is part of the Symfony package.
|
||||
*
|
||||
* (c) Fabien Potencier <fabien@symfony.com>
|
||||
*
|
||||
* For the full copyright and license information, please view the LICENSE
|
||||
* file that was distributed with this source code.
|
||||
*/
|
||||
|
||||
namespace Symfony\Component\Security\Http\Impersonate;
|
||||
|
||||
use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
|
||||
use Symfony\Component\HttpFoundation\RequestStack;
|
||||
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
|
||||
use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
|
||||
use Symfony\Component\Security\Http\Firewall\SwitchUserListener;
|
||||
|
||||
/**
|
||||
* Provides generator functions for the impersonate url exit.
|
||||
*
|
||||
* @author Amrouche Hamza <hamza.simperfit@gmail.com>
|
||||
* @author Damien Fayet <damienf1521@gmail.com>
|
||||
*/
|
||||
class ImpersonateUrlGenerator
|
||||
{
|
||||
private $requestStack;
|
||||
private $tokenStorage;
|
||||
private $firewallMap;
|
||||
|
||||
public function __construct(RequestStack $requestStack, FirewallMap $firewallMap, TokenStorageInterface $tokenStorage)
|
||||
{
|
||||
$this->requestStack = $requestStack;
|
||||
$this->tokenStorage = $tokenStorage;
|
||||
$this->firewallMap = $firewallMap;
|
||||
}
|
||||
|
||||
public function generateExitPath(string $targetUri = null): string
|
||||
{
|
||||
return $this->buildExitPath($targetUri);
|
||||
}
|
||||
|
||||
public function generateExitUrl(string $targetUri = null): string
|
||||
{
|
||||
if (null === $request = $this->requestStack->getCurrentRequest()) {
|
||||
return '';
|
||||
}
|
||||
|
||||
return $request->getUriForPath($this->buildExitPath($targetUri));
|
||||
}
|
||||
|
||||
private function isImpersonatedUser(): bool
|
||||
{
|
||||
return $this->tokenStorage->getToken() instanceof SwitchUserToken;
|
||||
}
|
||||
|
||||
private function buildExitPath(string $targetUri = null): string
|
||||
{
|
||||
if (null === ($request = $this->requestStack->getCurrentRequest()) || !$this->isImpersonatedUser()) {
|
||||
return '';
|
||||
}
|
||||
|
||||
if (null === $switchUserConfig = $this->firewallMap->getFirewallConfig($request)->getSwitchUser()) {
|
||||
throw new \LogicException('Unable to generate the impersonate exit URL without a firewall configured for the user switch.');
|
||||
}
|
||||
|
||||
if (null === $targetUri) {
|
||||
$targetUri = $request->getRequestUri();
|
||||
}
|
||||
|
||||
$targetUri .= (parse_url($targetUri, \PHP_URL_QUERY) ? '&' : '?').http_build_query([$switchUserConfig['parameter'] => SwitchUserListener::EXIT_VALUE]);
|
||||
|
||||
return $targetUri;
|
||||
}
|
||||
}
|
Reference in New Issue
Block a user