bug #13627 [Security] InMemoryUserProvider now concerns whether user's password is changed when refreshing (issei-m)
This PR was merged into the 2.3 branch.
Discussion
----------
[Security] InMemoryUserProvider now concerns whether user's password is changed when refreshing
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
When a user has changed own password, I want to logout any sessions which is authenticated by its user except changer itself.
[DaoAuthenticationManager::checkAuthentication()](https://github.com/symfony/symfony/blob/2.3/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php#L59) method seems to concern about it.
But, this situation actually never happens because both users that will be passed to this method are always identical in re-authentication.
It's because the token refreshes own user via [ContextListener](https://github.com/symfony/symfony/blob/2.3/src/Symfony/Component/Security/Http/Firewall/ContextListener.php#L90) before re-authentication.
Commits
-------
729902a
[Security] InMemoryUserProvider now concerns whether user's password is changed when refreshing
This commit is contained in:
commit
d3b8176bc3
@ -67,17 +67,9 @@ class InMemoryUserProvider implements UserProviderInterface
|
|||||||
*/
|
*/
|
||||||
public function loadUserByUsername($username)
|
public function loadUserByUsername($username)
|
||||||
{
|
{
|
||||||
if (!isset($this->users[strtolower($username)])) {
|
$user = $this->getUser($username);
|
||||||
$ex = new UsernameNotFoundException(sprintf('Username "%s" does not exist.', $username));
|
|
||||||
$ex->setUsername($username);
|
|
||||||
|
|
||||||
throw $ex;
|
return new User($user->getUsername(), $user->getPassword(), $user->getRoles(), $user->isEnabled(), $user->isAccountNonExpired(), $user->isCredentialsNonExpired(), $user->isAccountNonLocked());
|
||||||
}
|
|
||||||
|
|
||||||
$user = $this->users[strtolower($username)];
|
|
||||||
|
|
||||||
return new User($user->getUsername(), $user->getPassword(), $user->getRoles(), $user->isEnabled(), $user->isAccountNonExpired(),
|
|
||||||
$user->isCredentialsNonExpired(), $user->isAccountNonLocked());
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -89,7 +81,9 @@ class InMemoryUserProvider implements UserProviderInterface
|
|||||||
throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
|
throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
|
||||||
}
|
}
|
||||||
|
|
||||||
return $this->loadUserByUsername($user->getUsername());
|
$storedUser = $this->getUser($user->getUsername());
|
||||||
|
|
||||||
|
return new User($storedUser->getUsername(), $storedUser->getPassword(), $storedUser->getRoles(), $storedUser->isEnabled(), $storedUser->isAccountNonExpired(), $storedUser->isCredentialsNonExpired() && $storedUser->getPassword() === $user->getPassword(), $storedUser->isAccountNonLocked());
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -99,4 +93,25 @@ class InMemoryUserProvider implements UserProviderInterface
|
|||||||
{
|
{
|
||||||
return $class === 'Symfony\Component\Security\Core\User\User';
|
return $class === 'Symfony\Component\Security\Core\User\User';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the user by given username.
|
||||||
|
*
|
||||||
|
* @param string $username The username.
|
||||||
|
*
|
||||||
|
* @return User
|
||||||
|
*
|
||||||
|
* @throws UsernameNotFoundException If user whose given username does not exist.
|
||||||
|
*/
|
||||||
|
private function getUser($username)
|
||||||
|
{
|
||||||
|
if (!isset($this->users[strtolower($username)])) {
|
||||||
|
$ex = new UsernameNotFoundException(sprintf('Username "%s" does not exist.', $username));
|
||||||
|
$ex->setUsername($username);
|
||||||
|
|
||||||
|
throw $ex;
|
||||||
|
}
|
||||||
|
|
||||||
|
return $this->users[strtolower($username)];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -18,18 +18,39 @@ class InMemoryUserProviderTest extends \PHPUnit_Framework_TestCase
|
|||||||
{
|
{
|
||||||
public function testConstructor()
|
public function testConstructor()
|
||||||
{
|
{
|
||||||
$provider = new InMemoryUserProvider(array(
|
$provider = $this->createProvider();
|
||||||
|
|
||||||
|
$user = $provider->loadUserByUsername('fabien');
|
||||||
|
$this->assertEquals('foo', $user->getPassword());
|
||||||
|
$this->assertEquals(array('ROLE_USER'), $user->getRoles());
|
||||||
|
$this->assertFalse($user->isEnabled());
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testRefresh()
|
||||||
|
{
|
||||||
|
$user = new User('fabien', 'bar');
|
||||||
|
|
||||||
|
$provider = $this->createProvider();
|
||||||
|
|
||||||
|
$refreshedUser = $provider->refreshUser($user);
|
||||||
|
$this->assertEquals('foo', $refreshedUser->getPassword());
|
||||||
|
$this->assertEquals(array('ROLE_USER'), $refreshedUser->getRoles());
|
||||||
|
$this->assertFalse($refreshedUser->isEnabled());
|
||||||
|
$this->assertFalse($refreshedUser->isCredentialsNonExpired());
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return InMemoryUserProvider
|
||||||
|
*/
|
||||||
|
protected function createProvider()
|
||||||
|
{
|
||||||
|
return new InMemoryUserProvider(array(
|
||||||
'fabien' => array(
|
'fabien' => array(
|
||||||
'password' => 'foo',
|
'password' => 'foo',
|
||||||
'enabled' => false,
|
'enabled' => false,
|
||||||
'roles' => array('ROLE_USER'),
|
'roles' => array('ROLE_USER'),
|
||||||
),
|
),
|
||||||
));
|
));
|
||||||
|
|
||||||
$user = $provider->loadUserByUsername('fabien');
|
|
||||||
$this->assertEquals('foo', $user->getPassword());
|
|
||||||
$this->assertEquals(array('ROLE_USER'), $user->getRoles());
|
|
||||||
$this->assertFalse($user->isEnabled());
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testCreateUser()
|
public function testCreateUser()
|
||||||
|
Reference in New Issue
Block a user