Skip to content

[Security] Keep roles when serializing tokens #60688

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jun 4, 2025
Merged

[Security] Keep roles when serializing tokens #60688

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
[Security] Keep roles when serializing tokens
  • Loading branch information
@nicolas-grekas
nicolas-grekas committed Jun 4, 2025
commit 8092ffd3a7e829d0c33e94372df146aae7870bc3
23 changes: 4 additions & 19 deletions src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,16 +32,12 @@ abstract class AbstractToken implements TokenInterface, \Serializable
*/
public function __construct(array $roles = [])
{
$this->roleNames = [];

foreach ($roles as $role) {
$this->roleNames[] = (string) $role;
}
$this->roleNames = $roles;
}

public function getRoleNames(): array
{
return $this->roleNames ??= self::__construct($this->user->getRoles()) ?? $this->roleNames;
return $this->roleNames ??= $this->user?->getRoles() ?? [];
}

public function getUserIdentifier(): string
Expand Down Expand Up @@ -90,13 +86,7 @@ public function eraseCredentials(): void
*/
public function __serialize(): array
{
$data = [$this->user, true, null, $this->attributes];

if (!$this->user instanceof EquatableInterface) {
$data[] = $this->roleNames;
}

return $data;
return [$this->user, true, null, $this->attributes, $this->getRoleNames()];
}

/**
Expand Down Expand Up @@ -160,12 +150,7 @@ public function __toString(): string
$class = static::class;
$class = substr($class, strrpos($class, '\\') + 1);

$roles = [];
foreach ($this->roleNames as $role) {
$roles[] = $role;
}

return \sprintf('%s(user="%s", roles="%s")', $class, $this->getUserIdentifier(), implode(', ', $roles));
return \sprintf('%s(user="%s", roles="%s")', $class, $this->getUserIdentifier(), implode(', ', $this->getRoleNames()));
}

/**
Expand Down
Loading
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy