[Security] Fix SwitchUserToken wrongly deauthenticated
This commit is contained in:
parent
bbbbb2189a
commit
e47b31c43c
@ -318,9 +318,12 @@ abstract class AbstractToken implements TokenInterface
|
|||||||
}
|
}
|
||||||
|
|
||||||
$userRoles = array_map('strval', (array) $user->getRoles());
|
$userRoles = array_map('strval', (array) $user->getRoles());
|
||||||
$rolesChanged = \count($userRoles) !== \count($this->getRoleNames()) || \count($userRoles) !== \count(array_intersect($userRoles, $this->getRoleNames()));
|
|
||||||
|
|
||||||
if ($rolesChanged) {
|
if ($this instanceof SwitchUserToken) {
|
||||||
|
$userRoles[] = 'ROLE_PREVIOUS_ADMIN';
|
||||||
|
}
|
||||||
|
|
||||||
|
if (\count($userRoles) !== \count($this->getRoleNames()) || \count($userRoles) !== \count(array_intersect($userRoles, $this->getRoleNames()))) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
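Review bot: The appended role at `$userRoles[] = 'ROLE_PREVIOUS_ADMIN';` is a bare string that has to stay identical to the role name the switch-user flow stores in the token's own role list (the test in this commit constructs the token with it), and nothing in the hunk records that coupling; renaming it in either place would silently reopen the deauthentication bug this commit fixes. I would add a comment above that line, `// Mirror the role the switch-user flow adds to this token's roles, so the count comparison below does not treat it as a role change`, and reference a shared constant there if one exists. The `instanceof SwitchUserToken` check also makes the abstract base class aware of one concrete subclass; a protected hook the subclass overrides would keep the base agnostic, but that is a style point rather than a defect. The enclosing method starts before this hunk.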
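--- a/SwitchUserTokenTest.php
+++ b/SwitchUserTokenTest.php
@@ -14,6 +14,7 @@ namespace Symfony\Component\Security\Core\Tests\Authentication\Token;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\User\UserInterface;
 
 class SwitchUserTokenTest extends TestCase
 {
@@ -38,4 +39,38 @@ class SwitchUserTokenTest extends TestCase
         $this->assertSame('provider-key', $unserializedOriginalToken->getProviderKey());
         $this->assertEquals(['ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'], $unserializedOriginalToken->getRoleNames());
     }
+
+    public function testSetUserDoesNotDeauthenticate()
+    {
+        $impersonated = new class() implements UserInterface {
+            public function getUsername()
+            {
+                return 'impersonated';
+            }
+
+            public function getPassword()
+            {
+                return null;
+            }
+
+            public function eraseCredentials()
+            {
+            }
+
+            public function getRoles()
+            {
+                return ['ROLE_USER'];
+            }
+
+            public function getSalt()
+            {
+                return null;
+            }
+        };
+
+        $originalToken = new UsernamePasswordToken('impersonator', 'foo', 'provider-key', ['ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH']);
+        $token = new SwitchUserToken($impersonated, 'bar', 'provider-key', ['ROLE_USER', 'ROLE_PREVIOUS_ADMIN'], $originalToken);
+        $token->setUser($impersonated);
+        $this->assertTrue($token->isAuthenticated());
+    }
 }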
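Review bot: testSetUserDoesNotDeauthenticate pins only the positive direction — a SwitchUserToken whose impersonated user still carries the same roles stays authenticated after setUser() — and nothing asserts that a genuine role change on the impersonated user still deauthenticates the token, so a regression that made the SwitchUserToken branch skip the role comparison altogether would pass this suite. I would add a companion test that builds the token with a role the user does not have and asserts the opposite outcome; its expected value presumes setUser() drops authentication when roles differ, which this hunk does not show, so confirm against AbstractToken::setUser before relying on it (ROLE_EXTRA below is a constructed sample role name). The anonymous user class could then be hoisted into a private helper so both tests share one fixture.
```php
    public function testSetUserDeauthenticatesWhenRolesChange()
    {
        // … same $impersonated anonymous user and $originalToken as in testSetUserDoesNotDeauthenticate …
        $token = new SwitchUserToken($impersonated, 'bar', 'provider-key', ['ROLE_USER', 'ROLE_EXTRA', 'ROLE_PREVIOUS_ADMIN'], $originalToken);
        $token->setUser($impersonated);
        $this->assertFalse($token->isAuthenticated());
    }
```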