author | Fabien Potencier <fabien.potencier@gmail.com> | 2016-10-05 18:42:44 -0700 |
---|---|---|
committer | Fabien Potencier <fabien.potencier@gmail.com> | 2016-10-05 18:42:44 -0700 |
commit | d0d852abb163a9371a7f07d2bc80824cf2d81b4d (patch) | |
tree | 4fb35a666c900e9c79cb9c6ddfb11564743a597c | |
parent | 3c2e4597e194d96d0eb10106b0a3e410de56f202 (diff) | |
parent | 942c0b2c8429f60a3a43545dc35eee9c836abad5 (diff) | |
download | symfony-security-d0d852abb163a9371a7f07d2bc80824cf2d81b4d.zip symfony-security-d0d852abb163a9371a7f07d2bc80824cf2d81b4d.tar.gz symfony-security-d0d852abb163a9371a7f07d2bc80824cf2d81b4d.tar.bz2 |
bug #19725 [Security] $attributes can be anything, but RoleVoter assumes strings (Jonatan Männchen)v2.7.20
This PR was merged into the 2.7 branch.
Discussion
----------
[Security] $attributes can be anything, but RoleVoter assumes strings
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | yes
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #18042
| License | MIT
| Doc PR | reference to the documentation PR, if any
Commits
-------
ad3ac95 bug #18042 [Security] $attributes can be anything, but RoleVoter assumes strings
-rw-r--r-- | Core/Authorization/Voter/RoleVoter.php | 7 | ||||
-rw-r--r-- | Core/Tests/Authorization/Voter/RoleVoterTest.php | 6 |
2 files changed, 12 insertions, 1 deletions
diff --git a/Core/Authorization/Voter/RoleVoter.php b/Core/Authorization/Voter/RoleVoter.php
index 722675d..539dcda 100644
--- a/Core/Authorization/Voter/RoleVoter.php
+++ b/Core/Authorization/Voter/RoleVoter.php
@@ -12,6 +12,7 @@
 namespace Symfony\Component\Security\Core\Authorization\Voter;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Role\RoleInterface;
 /**
 * RoleVoter votes if any attribute starts with a given prefix.
@@ -37,7 +38,7 @@ class RoleVoter implements VoterInterface
 */
 public function supportsAttribute($attribute)
 {
- return 0 === strpos($attribute, $this->prefix);
+ return is_string($attribute) && 0 === strpos($attribute, $this->prefix);
 }
 /**
@@ -57,6 +58,10 @@ class RoleVoter implements VoterInterface
 $roles = $this->extractRoles($token);
 foreach ($attributes as $attribute) {
+ if ($attribute instanceof RoleInterface) {
+ $attribute = $attribute->getRole();
+ }
+
 if (!$this->supportsAttribute($attribute)) {
 continue;
 }
diff --git a/Core/Tests/Authorization/Voter/RoleVoterTest.php b/Core/Tests/Authorization/Voter/RoleVoterTest.php
index 03ab2da..c15e936 100644
--- a/Core/Tests/Authorization/Voter/RoleVoterTest.php
+++ b/Core/Tests/Authorization/Voter/RoleVoterTest.php
@@ -43,6 +43,12 @@ class RoleVoterTest extends \PHPUnit_Framework_TestCase
 array(array('ROLE_FOO'), array('ROLE_FOO'), VoterInterface::ACCESS_GRANTED),
 array(array('ROLE_FOO'), array('FOO', 'ROLE_FOO'), VoterInterface::ACCESS_GRANTED),
 array(array('ROLE_BAR', 'ROLE_FOO'), array('ROLE_FOO'), VoterInterface::ACCESS_GRANTED),
+
+ // Test mixed Types
+ array(array(), array(array()), VoterInterface::ACCESS_ABSTAIN),
+ array(array(), array(new \stdClass()), VoterInterface::ACCESS_ABSTAIN),
+ array(array('ROLE_BAR'), array(new Role('ROLE_BAR')), VoterInterface::ACCESS_GRANTED),
+ array(array('ROLE_BAR'), array(new Role('ROLE_FOO')), VoterInterface::ACCESS_DENIED),
 );
 }
|
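Review bot: In the `supportsAttribute()` hunk of RoleVoter.php, the new `is_string()` guard makes the method return false for a `RoleInterface` object, while `vote()` in the next hunk unwraps such objects and votes on them, so the two public methods now disagree about what is supported. Code that consults `supportsAttribute()` before deciding whether to call the voter would skip role objects that `vote()` itself would grant or deny. Consider unwrapping there as well, `if ($attribute instanceof RoleInterface) { $attribute = $attribute->getRole(); }` ahead of the `return`, or state in the docblock that only string attributes are reported as supported. The method's docblock starts outside the hunk.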
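Review bot: The unwrap added inside the `foreach` in `vote()` hands whatever `getRole()` returns to `supportsAttribute()`, and only the `is_string()` guard from the previous hunk keeps a non-string result from reaching `strpos()` (the interface appears to allow `null` for roles with no string form; confirm against RoleInterface). That dependency is not visible at this spot, so a comment such as `// getRole() may return a non-string; supportsAttribute() rejects those, so the attribute is skipped` would stop a later refactor from dropping the guard. Skipped attributes lead to ACCESS_ABSTAIN rather than ACCESS_DENIED, as the new tests show, so the outcome for an attribute list made only of unsupported objects is left to however the access decision manager treats abstention. `vote()` begins and ends outside the hunk.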
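Review bot: The cases added under `// Test mixed Types` in RoleVoterTest.php each pass a single attribute, so none of them exercises a list that mixes an unsupported object with a supported role string. Adding `array(array('ROLE_FOO'), array(new \stdClass(), 'ROLE_FOO'), VoterInterface::ACCESS_GRANTED),` and `array(array(), array(new \stdClass(), 'ROLE_FOO'), VoterInterface::ACCESS_DENIED),` would pin that a non-string entry is skipped without changing the vote on the entries that follow it. A role object whose name lacks the prefix (`new Role('FOO')`, expected ACCESS_ABSTAIN) is also untested. The data provider's array starts outside the hunk.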