feature #25092 [Security] #25091 add target user to SwitchUserListener (jwmickey)

chalasr · chalasr · commit 6e6ac9eaeec9 · 2018-01-18T13:34:40.000+01:00
This PR was squashed before being merged into the 4.1-dev branch (closes #25092). Discussion ---------- [Security] #25091 add target user to SwitchUserListener | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #25091 | License | MIT | Doc PR | This patch provides the target user to the SwitchUserListener's accessDecisionManager->decide() call as the $object parameter to give any registered voters extra information. Commits ------- 5cb6f2a [Security] #25091 add target user to SwitchUserListener
diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md
@@ -19,6 +19,7 @@ CHANGELOG
  * removed HTTP digest authentication
  * removed `GuardAuthenticatorInterface` in favor of `AuthenticatorInterface`
  * removed `AbstractGuardAuthenticator::supports()`
+ * added target user to `SwitchUserListener`
 
 3.4.0
 -----
diff --git a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
@@ -126,7 +126,9 @@ private function attemptSwitchUser(Request $request, $username)
             throw new \LogicException(sprintf('You are already switched to "%s" user.', $token->getUsername()));
         }
 
-        if (false === $this->accessDecisionManager->decide($token, array($this->role))) {
+        $user = $this->provider->loadUserByUsername($username);
+
+        if (false === $this->accessDecisionManager->decide($token, array($this->role), $user)) {
             $exception = new AccessDeniedException();
             $exception->setAttributes($this->role);
 
@@ -137,7 +139,6 @@ private function attemptSwitchUser(Request $request, $username)
             $this->logger->info('Attempting to switch to user.', array('username' => $username));
         }
 
-        $user = $this->provider->loadUserByUsername($username);
         $this->userChecker->checkPostAuth($user);
 
         $roles = $user->getRoles();
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php
@@ -182,7 +182,7 @@ public function testSwitchUser()
         $this->request->query->set('_switch_user', 'kuba');
 
         $this->accessDecisionManager->expects($this->once())
-            ->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'))
+            ->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'), $user)
             ->will($this->returnValue(true));
 
         $this->userProvider->expects($this->once())
@@ -212,7 +212,7 @@ public function testSwitchUserKeepsOtherQueryStringParameters()
         ));
 
         $this->accessDecisionManager->expects($this->once())
-            ->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'))
+            ->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'), $user)
             ->will($this->returnValue(true));
 
         $this->userProvider->expects($this->once())
@@ -240,7 +240,7 @@ public function testSwitchUserWithReplacedToken()
         $this->request->query->set('_switch_user', 'kuba');
 
         $this->accessDecisionManager->expects($this->any())
-            ->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'))
+            ->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'), $user)
             ->will($this->returnValue(true));
 
         $this->userProvider->expects($this->any())
@@ -276,7 +276,7 @@ public function testSwitchUserStateless()
         $this->request->query->set('_switch_user', 'kuba');
 
         $this->accessDecisionManager->expects($this->once())
-            ->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'))
+            ->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'), $user)
             ->will($this->returnValue(true));
 
         $this->userProvider->expects($this->once())

Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,9 @@ private function attemptSwitchUser(Request $request, $username)`
`126`	`126`	`throw new \LogicException(sprintf('You are already switched to "%s" user.', $token->getUsername()));`
`127`	`127`	`}`
`128`	`128`
`129`		`- if (false === $this->accessDecisionManager->decide($token, array($this->role))) {`
	`129`	`+ $user = $this->provider->loadUserByUsername($username);`
	`130`	`+`
	`131`	`+ if (false === $this->accessDecisionManager->decide($token, array($this->role), $user)) {`
`130`	`132`	`$exception = new AccessDeniedException();`
`131`	`133`	`$exception->setAttributes($this->role);`
`132`	`134`
`@@ -137,7 +139,6 @@ private function attemptSwitchUser(Request $request, $username)`
`137`	`139`	`$this->logger->info('Attempting to switch to user.', array('username' => $username));`
`138`	`140`	`}`
`139`	`141`
`140`		`- $user = $this->provider->loadUserByUsername($username);`
`141`	`142`	`$this->userChecker->checkPostAuth($user);`
`142`	`143`
`143`	`144`	`$roles = $user->getRoles();`