diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php
index d39e99c336067..8391763ceb53d 100644
--- a/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php
+++ b/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php
@@ -318,9 +318,12 @@ private function hasUserChanged(UserInterface $user): bool
}
$userRoles = array_map('strval', (array) $user->getRoles());
- $rolesChanged = \count($userRoles) !== \count($this->getRoleNames()) || \count($userRoles) !== \count(array_intersect($userRoles, $this->getRoleNames()));
- if ($rolesChanged) {
+ if ($this instanceof SwitchUserToken) {
+ $userRoles[] = 'ROLE_PREVIOUS_ADMIN';
+ }
+
+ if (\count($userRoles) !== \count($this->getRoleNames()) || \count($userRoles) !== \count(array_intersect($userRoles, $this->getRoleNames()))) {
return true;
}
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/Token/SwitchUserTokenTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/Token/SwitchUserTokenTest.php
index 5841250959b09..da7354e9df9ed 100644
--- a/src/Symfony/Component/Security/Core/Tests/Authentication/Token/SwitchUserTokenTest.php
+++ b/src/Symfony/Component/Security/Core/Tests/Authentication/Token/SwitchUserTokenTest.php
@@ -14,6 +14,7 @@
use PHPUnit\Framework\TestCase;
use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\User\UserInterface;
class SwitchUserTokenTest extends TestCase
{
@@ -38,4 +39,38 @@ public function testSerialize()
$this->assertSame('provider-key', $unserializedOriginalToken->getProviderKey());
$this->assertEquals(['ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'], $unserializedOriginalToken->getRoleNames());
}
+
+ public function testSetUserDoesNotDeauthenticate()
+ {
+ $impersonated = new class() implements UserInterface {
+ public function getUsername()
+ {
+ return 'impersonated';
+ }
+
+ public function getPassword()
+ {
+ return null;
+ }
+
+ public function eraseCredentials()
+ {
+ }
+
+ public function getRoles()
+ {
+ return ['ROLE_USER'];
+ }
+
+ public function getSalt()
+ {
+ return null;
+ }
+ };
+
+ $originalToken = new UsernamePasswordToken('impersonator', 'foo', 'provider-key', ['ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH']);
+ $token = new SwitchUserToken($impersonated, 'bar', 'provider-key', ['ROLE_USER', 'ROLE_PREVIOUS_ADMIN'], $originalToken);
+ $token->setUser($impersonated);
+ $this->assertTrue($token->isAuthenticated());
+ }
}
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy