authorFabien Potencier <fabien.potencier@gmail.com>2013-12-29 16:53:43 +0100
committerFabien Potencier <fabien.potencier@gmail.com>2013-12-29 16:53:43 +0100
commit2edf1f33f7595aec863d3b23147ce389c50a7cf5 (patch)
treee963624bc8a248bcbe4d337ca3c31d85e3712043 /Core
parent64b27936a722b4fc759212882f9481b7dbf9b453 (diff)
parent3e020d61729721b526c02c54f8cd6894c8ac9bd4 (diff)
bug #8997 [Security] Fixed problem with losing ROLE_PREVIOUS_ADMIN role. (pawaclawczyk)
This PR was squashed before being merged into the 2.3 branch (closes #8997). Discussion ---------- [Security] Fixed problem with losing ROLE_PREVIOUS_ADMIN role. <table> <tr> <td><b>Q</b></td> <td><b>A</b></td> </tr> <tr> <td>Bug fix?</td> <td>yes</td> </tr> <tr> <td>New feature</td> <td>no</td> </tr> <tr> <td>BC breaks?</td> <td>no</td> </tr> <tr> <td>Deprecations?</td> <td>no</td> </tr> <tr> <td>Tests pass?</td> <td>yes</td> </tr> <tr> <td>Fixed tickets</td> <td>#3085, #8974</td> </tr> <tr> <td>License</td> <td>MIT</td> </tr> <tr> <td>Doc PR</td> <td>n/a</td> </tr> </table> The problem occurs while a user is impersonated. The authentication process generates a new token and does not preserve the role ```ROLE_PREVIOUS_ADMIN```, e.g. when the parameter ```security.always_authenticate_before_granting``` is enabled. Commits ------- a7baa3b [Security] Fixed problem with losing ROLE_PREVIOUS_ADMIN role.
Diffstat (limited to 'Core')
-rw-r--r--Core/Authentication/Provider/UserAuthenticationProvider.php26
1 files changed, 25 insertions, 1 deletions
diff --git a/Core/Authentication/Provider/UserAuthenticationProvider.php b/Core/Authentication/Provider/UserAuthenticationProvider.php
index 626f50b..18c3e70 100644
--- a/Core/Authentication/Provider/UserAuthenticationProvider.php
+++ b/Core/Authentication/Provider/UserAuthenticationProvider.php
@@ -19,6 +19,7 @@ use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Role\SwitchUserRole;
/**
* UserProviderInterface retrieves users for UsernamePasswordToken tokens.
@@ -92,7 +93,7 @@ abstract class UserAuthenticationProvider implements AuthenticationProviderInter
throw $e;
}
- $authenticatedToken = new UsernamePasswordToken($user, $token->getCredentials(), $this->providerKey, $user->getRoles());
+ $authenticatedToken = new UsernamePasswordToken($user, $token->getCredentials(), $this->providerKey, $this->getRoles($user, $token));
$authenticatedToken->setAttributes($token->getAttributes());
return $authenticatedToken;
@@ -107,6 +108,29 @@ abstract class UserAuthenticationProvider implements AuthenticationProviderInter
}
/**
+ * Retrieves roles from user and appends SwitchUserRole if original token contained one.
+ *
+ * @param UserInterface $user The user
+ * @param TokenInterface $token The token
+ *
+ * @return Role[] The user roles
+ */
+ private function getRoles(UserInterface $user, TokenInterface $token)
+ {
+ $roles = $user->getRoles();
+
+ foreach ($token->getRoles() as $role) {
+ if ($role instanceof SwitchUserRole) {
+ $roles[] = $role;
+
+ break;
+ }
+ }
+
+ return $roles;
+ }
+
+ /**
* Retrieves the user from an implementation-specific location.
*
* @param string $username The username to retrieve
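Review bot: `getRoles()` carries a SwitchUserRole from the not-yet-authenticated `$token` over to the freshly authenticated token without anything in this hunk establishing where that role came from, so the provider is effectively accepting the incoming token's claim of an active impersonation (the role presumably references the impersonating user's token through its source). From the diff alone this looks safe only under the assumption that tokens built from raw credentials carry no roles and that a SwitchUserRole is only ever attached by the switch-user listener after its own authorization check, which should be stated at the method rather than left implicit, e.g. `// Only SwitchUserListener attaches a SwitchUserRole (after authorizing the switch); tokens built from raw credentials carry no roles, so carrying it over here does not widen what $token already asserted.` Please also confirm that every caller passing a pre-authenticated, role-bearing token into this provider obtains that token from trusted storage such as the session, and mention in the docblock that only the first SwitchUserRole is kept (`break`). The `@return Role[]` annotation is also optimistic, since `$user->getRoles()` may return plain strings in practice; `@return Role[]|string[]` would be more accurate.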