Commite5b5d9e

bug#37031 [Security] Fixed PUBLIC_ACCESS in authenticated sessions (wouterj)
This PR was merged into the 5.1 branch.

Discussion
----------

[Security] Fixed PUBLIC_ACCESS in authenticated sessions

| Q             | A
| ------------- | ---
| Branch?       | 5.1
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | -
| License       | MIT
| Doc PR        | -

Found while testing scheb/2fa#8, sorry for not spotting it before the stable release 😞

Currently, authenticated users are denied access for pages that have `PUBLIC_ACCESS` set, as this attribute is only checked when no token was set. It should be checked for both cases.

Commits
-------

0ac530f Also check PUBLIC_ACCESS for authenticated tokens
2 parents1696f56 +0ac530f commite5b5d9e

2 files changed

+34
-3
lines changed

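--- a/src/Symfony/Component/Security/Http/Firewall/AccessListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/AccessListener.php
@@ -95,11 +95,13 @@ public function authenticate(RequestEvent $event)
                 return;
             }
 
-            if ([self::PUBLIC_ACCESS] === $attributes) {
-                return;
+            if ([self::PUBLIC_ACCESS] !== $attributes) {
+                throw $this->createAccessDeniedException($request, $attributes);
             }
+        }
 
-            throw $this->createAccessDeniedException($request, $attributes);
+        if ([self::PUBLIC_ACCESS] === $attributes) {
+            return;
         }
 
         if (!$token->isAuthenticated()) {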

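--- a/src/Symfony/Component/Security/Http/Tests/Firewall/AccessListenerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/Firewall/AccessListenerTest.php
@@ -18,8 +18,10 @@
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Security\Core\User\User;
 use Symfony\Component\Security\Http\AccessMapInterface;
 use Symfony\Component\Security\Http\Event\LazyResponseEvent;
 use Symfony\Component\Security\Http\Firewall\AccessListener;
@@ -279,6 +281,33 @@ public function testHandleWhenPublicAccessIsAllowedAndExceptionOnTokenIsFalse()
         $this->expectNotToPerformAssertions();
     }
 
+    public function testHandleWhenPublicAccessWhileAuthenticated()
+    {
+        $token = new UsernamePasswordToken(new User('Wouter', null, ['ROLE_USER']), null, 'main', ['ROLE_USER']);
+        $tokenStorage = new TokenStorage();
+        $tokenStorage->setToken($token);
+        $request = new Request();
+
+        $accessMap = $this->createMock(AccessMapInterface::class);
+        $accessMap->expects($this->any())
+            ->method('getPatterns')
+            ->with($this->equalTo($request))
+            ->willReturn([[AccessListener::PUBLIC_ACCESS], null])
+        ;
+
+        $listener = new AccessListener(
+            $tokenStorage,
+            $this->getMockBuilder('Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface')->getMock(),
+            $accessMap,
+            $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface')->getMock(),
+            false
+        );
+
+        $listener(new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MASTER_REQUEST));
+
+        $this->expectNotToPerformAssertions();
+    }
+
     public function testHandleMWithultipleAttributesShouldBeHandledAsAnd()
     {
         $request = new Request();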
