From 7e7fd4227f440b782e8f9cf9ab5c2791a60bb86b Mon Sep 17 00:00:00 2001
From: Jody Mickey
Date: Tue, 21 Nov 2017 16:36:53 -0500
Subject: [PATCH 1/5] [Security] #25091 add user to SwitchUserListener

This patch provides the target user to the SwitchUserListener's accessDecisionManager->decide() call as the $object parameter to give any registered voters extra information.
---
 CHANGELOG-4.0.md | 2 ++
 .../Security/Http/Firewall/SwitchUserListener.php | 9 ++++-----
 .../Http/Tests/Firewall/SwitchUserListenerTest.php | 2 +-
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG-4.0.md b/CHANGELOG-4.0.md
index 3cdd1f358add2..85e9da7870dbe 100644
--- a/CHANGELOG-4.0.md
+++ b/CHANGELOG-4.0.md
@@ -1,6 +1,8 @@
 CHANGELOG for 4.0.x
 ===================
 
+* feature #25091 [Security] Add target user to SwitchUserListener (jwmickey)
+
 This changelog references the relevant changes (bug and security fixes) done
 in 4.0 minor versions.
 
diff --git a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
index 548ce7ce91900..5167adbeb5f00 100644
--- a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
@@ -126,18 +126,17 @@ private function attemptSwitchUser(Request $request, $username)
 throw new \LogicException(sprintf('You are already switched to "%s" user.', $token->getUsername()));
 }
 
- if (false === $this->accessDecisionManager->decide($token, array($this->role))) {
- $exception = new AccessDeniedException();
- $exception->setAttributes($this->role);
+ $username = $request->get($this->usernameParameter);
+ $user = $this->provider->loadUserByUsername($username);
 
- throw $exception;
+ if (false === $this->accessDecisionManager->decide($token, array($this->role), $user)) {
+ throw new AccessDeniedException();
 }
 
 if (null !== $this->logger) {
 $this->logger->info('Attempting to switch to user.', array('username' => $username));
 }
 
- $user = $this->provider->loadUserByUsername($username);
 $this->userChecker->checkPostAuth($user);
 
 $roles = $user->getRoles();
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php
index 0e61ee208ee2c..d542208e851d1 100644
--- a/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php
@@ -182,7 +182,7 @@ public function testSwitchUser()
 $this->request->query->set('_switch_user', 'kuba');
 
 $this->accessDecisionManager->expects($this->once())
- ->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'))
+ ->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'), $user)
 ->will($this->returnValue(true));
 
 $this->userProvider->expects($this->once())
From 730fd827145d0d40c9050a14852c166aa698b1fe Mon Sep 17 00:00:00 2001
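Review bot: Placing `$this->provider->loadUserByUsername($username)` ahead of the `accessDecisionManager->decide()` call means a caller who lacks `$this->role` now triggers the provider lookup before being denied, and for an unknown target the provider throws (typically `UsernameNotFoundException`) where a known target yields `AccessDeniedException`, so the exception type tells an unauthorized caller whether the username exists. The lookup has to precede the decision because the decision now needs `$user`, so rather than reverting the order the lookup failure should be caught, the same role check run without the user, and only then the original exception rethrown, so both outcomes look alike to a caller who is not allowed to switch; this needs a `use` import of `UsernameNotFoundException` from the Security Core exception namespace. Timing differences between the two paths would remain and are a separate concern. The enclosing attemptSwitchUser() starts and continues outside the hunk.
```php
try {
    $user = $this->provider->loadUserByUsername($username);
} catch (UsernameNotFoundException $e) {
    // Unknown target: apply the same role check before surfacing the lookup
    // failure, so callers without the switch role see AccessDeniedException
    // for existing and non-existing usernames alike.
    if (false === $this->accessDecisionManager->decide($token, array($this->role))) {
        $exception = new AccessDeniedException();
        $exception->setAttributes($this->role);

        throw $exception;
    }

    throw $e;
}
// … unchanged: decide() call with $user, denied branch, logging, checkPostAuth …
```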
From: Jody Mickey
Date: Sat, 25 Nov 2017 11:07:32 -0500
Subject: [PATCH 2/5] pull-request reworks

- moved message from the general changelog to the security component's changelog
- restored exception attributes that were mistakenly removed
---
 CHANGELOG-4.0.md | 2 --
 src/Symfony/Component/Security/CHANGELOG.md | 1 +
 .../Component/Security/Http/Firewall/SwitchUserListener.php | 4 +++-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG-4.0.md b/CHANGELOG-4.0.md
index 85e9da7870dbe..3cdd1f358add2 100644
--- a/CHANGELOG-4.0.md
+++ b/CHANGELOG-4.0.md
@@ -1,8 +1,6 @@
 CHANGELOG for 4.0.x
 ===================
 
-* feature #25091 [Security] Add target user to SwitchUserListener (jwmickey)
-
 This changelog references the relevant changes (bug and security fixes) done
 in 4.0 minor versions.
 
diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md
index 2fc862f6e03a7..dfc7907b64cae 100644
--- a/src/Symfony/Component/Security/CHANGELOG.md
+++ b/src/Symfony/Component/Security/CHANGELOG.md
@@ -18,6 +18,7 @@ CHANGELOG
 * removed HTTP digest authentication
 * removed `GuardAuthenticatorInterface` in favor of `AuthenticatorInterface`
 * removed `AbstractGuardAuthenticator::supports()`
+ * added target user to `SwitchUserListener`
 
 3.4.0
 -----
diff --git a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
index 5167adbeb5f00..a81fcac9ee305 100644
--- a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
@@ -130,7 +130,9 @@ private function attemptSwitchUser(Request $request, $username)
 $user = $this->provider->loadUserByUsername($username);
 
 if (false === $this->accessDecisionManager->decide($token, array($this->role), $user)) {
- throw new AccessDeniedException();
+ $exception = new AccessDeniedException();
+ $exception->setAttributes($this->role);
+ throw $exception;
 }
 
 if (null !== $this->logger) {
From ade9e2ae8baac99e7be3ffd38f5185b3b74ad6be Mon Sep 17 00:00:00 2001
From: Jody Mickey
Date: Sat, 25 Nov 2017 22:04:00 -0500
Subject: [PATCH 3/5] fixed issue where username would be overwritten

---
 .../Component/Security/Http/Firewall/SwitchUserListener.php | 1 -
 .../Security/Http/Tests/Firewall/SwitchUserListenerTest.php | 6 +++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
index a81fcac9ee305..883eb164bfb84 100644
--- a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
@@ -126,7 +126,6 @@ private function attemptSwitchUser(Request $request, $username)
 throw new \LogicException(sprintf('You are already switched to "%s" user.', $token->getUsername()));
 }
 
- $username = $request->get($this->usernameParameter);
 $user = $this->provider->loadUserByUsername($username);
 
 if (false === $this->accessDecisionManager->decide($token, array($this->role), $user)) {
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php
index d542208e851d1..bdab1f24d58eb 100644
--- a/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php
@@ -212,7 +212,7 @@ public function testSwitchUserKeepsOtherQueryStringParameters()
 ));
 
 $this->accessDecisionManager->expects($this->once())
- ->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'))
+ ->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'), $user)
 ->will($this->returnValue(true));
 
 $this->userProvider->expects($this->once())
@@ -240,7 +240,7 @@ public function testSwitchUserWithReplacedToken()
 $this->request->query->set('_switch_user', 'kuba');
 
 $this->accessDecisionManager->expects($this->any())
- ->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'))
+ ->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'), $user)
 ->will($this->returnValue(true));
 
 $this->userProvider->expects($this->any())
@@ -276,7 +276,7 @@ public function testSwitchUserStateless()
 $this->request->query->set('_switch_user', 'kuba');
 
 $this->accessDecisionManager->expects($this->once())
- ->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'))
+ ->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'), $user)
 ->will($this->returnValue(true));
 
 $this->userProvider->expects($this->once())
From 4acccfde3c1bc50c7bd6330564cbf782e2a820ea Mon Sep 17 00:00:00 2001
From: Jody Mickey
Date: Wed, 13 Dec 2017 16:05:51 -0500
Subject: [PATCH 4/5] Re-added empty line before throw statement

---
 .../Component/Security/Http/Firewall/SwitchUserListener.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
index 883eb164bfb84..cd23271a8e6e0 100644
--- a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
@@ -131,6 +131,7 @@ private function attemptSwitchUser(Request $request, $username)
 if (false === $this->accessDecisionManager->decide($token, array($this->role), $user)) {
 $exception = new AccessDeniedException();
 $exception->setAttributes($this->role);
+
 throw $exception;
 }
 
From 1acab4a17aeca10bcbddfce108d15f17460209d7 Mon Sep 17 00:00:00 2001
From: Jody Mickey
Date: Wed, 13 Dec 2017 16:07:34 -0500
Subject: [PATCH 5/5] Update SwitchUserListener.php

---
 .../Component/Security/Http/Firewall/SwitchUserListener.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
index cd23271a8e6e0..c8cca7ea10f0b 100644
--- a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
@@ -131,7 +131,7 @@ private function attemptSwitchUser(Request $request, $username)
 if (false === $this->accessDecisionManager->decide($token, array($this->role), $user)) {
 $exception = new AccessDeniedException();
 $exception->setAttributes($this->role);
-
+
 throw $exception;
 }
 
pFad - Phonifier reborn
