[Security] Make sure RoleVoter only votes for RoleInterface objects and strings#19965
Conversation
sstok commented Sep 19, 2016
👍 for this change, but the CS needs some fixing. Please review the fabbot patch (once it's available). Status: needs work
…fatal error on non-strings
backbone87 commented Sep 21, 2016
Gladhon commented Sep 21, 2016
What's needed to merge it in?
javiereguiluz commented Sep 28, 2016
👍 This looks like "the right thing to do" ... but we need to think carefully about the possible BC breaks.
backbone87 commented Sep 28, 2016
The only BC break was mentioned in the start post: when someone uses an object with a __toString method that does not implement the RoleInterface, and passes this object as an attribute to be checked by the role voter. I would consider this usage out of scope of the role voter API, because this voter is meant to operate on real strings or objects of type RoleInterface.
fabpot commented Oct 6, 2016
merged in 2.7 via #19725
Gladhon commented Oct 6, 2016 • edited
@fabpot great, but it's still not solved in the master branch
nicolas-grekas commented Oct 6, 2016 • edited
@Gladhon that's the process: bugs are fixed in the lowest branch where they apply, then these branches are merged up to master regularly by mergers. This can happen anywhere from a few hours to a few days later.
Make sure RoleVoter only votes for roles and doesn't produce a fatal error on non-strings.
The BC break happens if someone uses an object as a role that does not implement the RoleInterface but adds a __toString method that returns "ROLE_SOMETHING". This "feature" breaks.
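The following is an added illustration, not code from the Symfony project or from this PR: a minimal voter in the shape of RoleVoter, with the pre-PR behaviour and the behaviour described in this PR side by side. It shows both the bug being fixed (a non-string, non-RoleInterface attribute reaching string functions) and the BC break discussed above (an object with only a __toString method, which used to be coerced to its string and is now ignored). The names RoleInterface, Role, StringableRole, DemoRoleVoter and the ACCESS_* constants are simplified stand-ins chosen for this example.

```php
<?php
// Added example, not Symfony's code. Simplified stand-ins for RoleInterface,
// the role voter and the voter result constants.

interface RoleInterface
{
    public function getRole();
}

final class Role implements RoleInterface
{
    private $role;

    public function __construct($role)
    {
        $this->role = $role;
    }

    public function getRole()
    {
        return $this->role;
    }
}

// Not a RoleInterface, but stringifies to a role name. This is the usage the
// PR description calls a "feature" that the change intentionally breaks.
final class StringableRole
{
    public function __toString()
    {
        return 'ROLE_SOMETHING';
    }
}

const ACCESS_GRANTED = 1;
const ACCESS_ABSTAIN = 0;
const ACCESS_DENIED  = -1;

final class DemoRoleVoter
{
    private $prefix;
    private $onlyStringsAndRoles;

    // $onlyStringsAndRoles = true applies the check this PR introduces.
    public function __construct($prefix = 'ROLE_', $onlyStringsAndRoles = true)
    {
        $this->prefix = $prefix;
        $this->onlyStringsAndRoles = $onlyStringsAndRoles;
    }

    /**
     * @param string[] $tokenRoles role names held by the authenticated token
     * @param mixed[]  $attributes whatever the caller passed to isGranted()
     */
    public function vote(array $tokenRoles, array $attributes)
    {
        $result = ACCESS_ABSTAIN;

        foreach ($attributes as $attribute) {
            if ($attribute instanceof RoleInterface) {
                $attribute = $attribute->getRole();
            }

            // The fix: anything that is neither a string nor a RoleInterface is
            // not this voter's business, so abstain on it instead of handing it
            // to string functions.
            if ($this->onlyStringsAndRoles && !is_string($attribute)) {
                continue;
            }

            // Pre-fix path: strpos() receives whatever was passed. A __toString
            // object is coerced to its string; an array or a plain object makes
            // PHP complain (warning or TypeError, depending on the PHP version)
            // instead of producing a vote.
            if (0 !== strpos($attribute, $this->prefix)) {
                continue;
            }
            $attribute = (string) $attribute;

            $result = ACCESS_DENIED;
            if (in_array($attribute, $tokenRoles, true)) {
                return ACCESS_GRANTED;
            }
        }

        return $result;
    }
}

// Constructed sample input: a token holding exactly one role.
$tokenRoles = ['ROLE_SOMETHING'];
$legacy = new DemoRoleVoter('ROLE_', false);
$fixed  = new DemoRoleVoter('ROLE_', true);

$cases = [
    'plain string, legacy'       => $legacy->vote($tokenRoles, ['ROLE_SOMETHING']),
    'plain string, fixed'        => $fixed->vote($tokenRoles, ['ROLE_SOMETHING']),
    'RoleInterface obj, fixed'   => $fixed->vote($tokenRoles, [new Role('ROLE_OTHER')]),
    '__toString obj, legacy'     => $legacy->vote($tokenRoles, [new StringableRole()]),
    '__toString obj, fixed'      => $fixed->vote($tokenRoles, [new StringableRole()]),
    'plain object, fixed'        => $fixed->vote($tokenRoles, [new stdClass()]),
    // $legacy->vote($tokenRoles, [new stdClass()]) is the bug: it reaches strpos().
];

foreach ($cases as $label => $vote) {
    printf("%-28s %d\n", $label, $vote);
}
```

Strings and RoleInterface objects vote the same way on both paths; the __toString object is granted on the legacy path and abstained on by the fixed one, which is the BC break backbone87 describes as out of scope of the voter's API; a plain object is abstained on by the fixed path where the legacy path would have handed it to strpos().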