bug #30122 [Security] fix switch user without having current token (Antoine Lamirault)

This PR was merged into the 3.4 branch. Discussion ---------- [Security] fix switch user without having current token | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #22729 | License | MIT Attempting to switch a user cause an error when not having any token in the storage Commits ------- 15db914984 [Security] fix switch user without having current token
2019-02-12 08:21:07 +01:00 · 2019-02-12 08:21:07 +01:00 · d3d880a1e7
parent a205211d16 15db914984
commit d3d880a1e7
2 changed files with 16 additions and 1 deletions
--- a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
@ -83,6 +83,10 @@ class SwitchUserListener implements ListenerInterface
            return;
        }

+        if (null === $this->tokenStorage->getToken()) {
+            throw new AuthenticationCredentialsNotFoundException('Could not find original Token object.');
+        }
+
        if (self::EXIT_VALUE === $username) {
            $this->tokenStorage->setToken($this->attemptExitUser($request));
        } else {
@ -164,7 +168,7 @@ class SwitchUserListener implements ListenerInterface
     */
    private function attemptExitUser(Request $request)
    {
-        if (null === ($currentToken = $this->tokenStorage->getToken()) || false === $original = $this->getOriginalToken($currentToken)) {
+        if (false === $original = $this->getOriginalToken($this->tokenStorage->getToken())) {
            throw new AuthenticationCredentialsNotFoundException('Could not find original Token object.');
        }

--- a/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php
@ -267,6 +267,17 @@ class SwitchUserListenerTest extends TestCase
        $this->assertSame($replacedToken, $this->tokenStorage->getToken());
    }

+    /**
+     * @expectedException \Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException
+     */
+    public function testSwitchtUserThrowsAuthenticationExceptionIfNoCurrentToken()
+    {
+        $this->tokenStorage->setToken(null);
+        $this->request->query->set('_switch_user', 'username');
+        $listener = new SwitchUserListener($this->tokenStorage, $this->userProvider, $this->userChecker, 'provider123', $this->accessDecisionManager);
+        $listener->handle($this->event);
+    }
+
    public function testSwitchUserStateless()
    {
        $token = new UsernamePasswordToken('username', '', 'key', ['ROLE_FOO']);