[Security] Fixed SwitchUserListener when exiting an impersonation with AnonymousToken #18425
| } | ||
| if (null !==$this->dispatcher) { | ||
| if (null !==$this->dispatcher && !$originalinstanceof AnonymousToken) { |
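Review bot: the guard `!$original instanceof AnonymousToken` is narrower than the precondition it protects. The call that fails, `$this->provider->refreshUser($original->getUser())`, requires a `UserInterface`, so any other token class whose `getUser()` returns a string or other non-user value still reaches the failing call. Guarding on `$original->getUser() instanceof UserInterface` (as suggested in the review) expresses the real requirement and covers custom tokens as well.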
I think it would be better to check if `$original->getUser` is an instance of the `UserInterface` to also support custom tokens that might return something else.
You are right. I updated the code and added some tests.

nicolas-grekas commented Apr 4, 2016

👍
| $listener->handle($this->event); | ||
| } | ||
| publicfunctiontestExitUserDontDispatchesEventWithStringUser() |
`testExitUserDoesNotDispatchEventWithStringUser`
@xabbuh thanks & fixed.
stof commented Apr 4, 2016

@lyrixx are you really allowing anonymous users to impersonate users? This looks weird. But the fix is indeed valid.

lyrixx commented Apr 4, 2016

@stof Yes I do that. It's an awesome idea for a demo app (you may see it on Thursday).
…ith AnonymousToken

If you configure a firewall with switch user with `role: IS_AUTHENTICATED_ANONYMOUSLY` it's impossible to exit the impersonation because the next line `$this->provider->refreshUser($original->getUser())` will fail. It fails because `RefreshUser` expects an instance of `UserInterface` and here it's a string. Therefore, it does not make sense to refresh an Anonymous Token, right?

fabpot commented Apr 5, 2016

Thank you @lyrixx.
…onation with AnonymousToken (lyrixx)

This PR was merged into the 2.3 branch.

Discussion
----------

[Security] Fixed SwitchUserListener when exiting an impersonation with AnonymousToken

| Q | A |
| ------------- | --- |
| Branch? | 2.3 |
| Bug fix? | yes |
| New feature? | no |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | - |
| License | MIT |
| Doc PR | - |

If you configure a firewall with switch user with `role: IS_AUTHENTICATED_ANONYMOUSLY` it's impossible to exit the impersonation because the next line `$this->provider->refreshUser($original->getUser())` will fail. It fails because `RefreshUser` expects an instance of `UserInterface` and here it's a string. Therefore, it does not make sense to refresh an Anonymous Token, right?

Commits
-------

59fea72 [Security] Fixed SwitchUserListener when exiting an impersonation with AnonymousToken
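The failure the PR describes, and the guard the review converged on, as an added stand-alone illustration (this is not Symfony's `SwitchUserListener` or test code). Stub classes `UserInterface`, `User`, `Token`, `Provider` and `Dispatcher` stand in for Symfony's user interface, token, user provider and event dispatcher; the provider's `refreshUser()` is typed to accept only a `UserInterface`, which is what makes a string user blow up. `exitImpersonationBefore()` mirrors the unconditional refresh, `exitImpersonationAfter()` the `instanceof UserInterface` guard. The event name is a constructed label and the code assumes PHP 8 syntax.

```php
<?php
// Added illustration of the SwitchUserListener exit path; stubs replace Symfony types.

interface UserInterface
{
    public function getUsername(): string;
}

final class User implements UserInterface
{
    public function __construct(private string $name) {}
    public function getUsername(): string { return $this->name; }
}

// Stand-in token: getUser() may return a UserInterface or, for anonymous tokens, a string.
final class Token
{
    public function __construct(private UserInterface|string $user) {}
    public function getUser(): UserInterface|string { return $this->user; }
}

// Stand-in user provider: refreshUser() only accepts a UserInterface,
// so passing the anonymous token's string user raises a TypeError.
final class Provider
{
    public function refreshUser(UserInterface $user): UserInterface
    {
        return new User($user->getUsername());
    }
}

// Stand-in dispatcher that records every dispatched event.
final class Dispatcher
{
    public array $events = [];
    public function dispatch(string $name, mixed $payload): void
    {
        $this->events[] = [$name, $payload];
    }
}

// Before the fix: the original user is refreshed unconditionally.
function exitImpersonationBefore(Token $original, Provider $provider, ?Dispatcher $dispatcher): void
{
    if (null !== $dispatcher) {
        $refreshed = $provider->refreshUser($original->getUser()); // TypeError when the user is a string
        $dispatcher->dispatch('security.switch_user', $refreshed);   // constructed event name
    }
}

// After the fix: refresh and dispatch only when the original user is a real UserInterface.
function exitImpersonationAfter(Token $original, Provider $provider, ?Dispatcher $dispatcher): void
{
    if (null !== $dispatcher && $original->getUser() instanceof UserInterface) {
        $refreshed = $provider->refreshUser($original->getUser());
        $dispatcher->dispatch('security.switch_user', $refreshed);
    }
}

$provider = new Provider();
$anonymous = new Token('anon.');            // anonymous tokens carry a string user
$realUser  = new Token(new User('alice'));  // a normal authenticated token

// Before: exiting an impersonation started from an anonymous token fails.
try {
    exitImpersonationBefore($anonymous, $provider, new Dispatcher());
    echo "before: no error\n";
} catch (TypeError $e) {
    echo "before: " . get_class($e) . " while refreshing a string user\n";
}

// After: anonymous original -> no refresh and no event; real user -> one event dispatched.
$d = new Dispatcher();
exitImpersonationAfter($anonymous, $provider, $d);
echo "after (anonymous original): events dispatched = " . count($d->events) . "\n";

$d = new Dispatcher();
exitImpersonationAfter($realUser, $provider, $d);
echo "after (user original): events dispatched = " . count($d->events) . "\n";
```

The guard on the value returned by `getUser()` rather than on the token class is the point of the review comment: it protects the exact precondition of `refreshUser()`, so custom token classes that return something other than a `UserInterface` are handled too, and a test with a string user (as the PR adds) exercises that branch directly.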