fixes a bug in the SwitchUserListener

Johannes M. Schmitt 2011-04-19 12:12:29 +02:00 committed by Fabien Potencier
parent 2014ff6856
commit c660fcd2f2
2 changed files with 8 additions and 1 deletions


@ -26,6 +26,10 @@ PR11 to PR12
<app:engine>twig</app:engine>
<twig:extension>twig.extension.debug</twig:extension>
* Fixes a critical security issue which allowed all users to switch to
arbitrary accounts when the SwitchUserListener was activated. Configurations
which do not use the SwitchUserListener are not affected.
PR10 to PR11
------------


@ -11,6 +11,7 @@
namespace Symfony\Component\Security\Http\Firewall;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
@ -112,7 +113,9 @@ class SwitchUserListener implements ListenerInterface
throw new \LogicException(sprintf('You are already switched to "%s" user.', $token->getUsername()));
}
$this->accessDecisionManager->decide($token, array($this->role));
if (false === $this->accessDecisionManager->decide($token, array($this->role))) {
throw new AccessDeniedException();
}
$username = $request->get($this->usernameParameter);