bug #37031 [Security] Fixed PUBLIC_ACCESS in authenticated sessions (wouterj)
This PR was merged into the 5.1 branch. Discussion ---------- [Security] Fixed PUBLIC_ACCESS in authenticated sessions | Q | A | ------------- | --- | Branch? | 5.1 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - Found while testing scheb/2fa#8, sorry for not spotting it before the stable release 😞 Currently, authenticated users are denied access for pages that have `PUBLIC_ACCESS` set, as this attribute is only checked when no token was set. It should be checked for both cases. Commits ------- 0ac530f Also check PUBLIC_ACCESS for authenticated tokens
2 parents 1696f56 + 0ac530f commit e5b5d9e


2 files changed

+34
-3
lines changed


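--- a/src/Symfony/Component/Security/Http/Firewall/AccessListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/AccessListener.php
@@ -95,11 +95,13 @@ public function authenticate(RequestEvent $event)
                 return;
             }
 
-            if ([self::PUBLIC_ACCESS] === $attributes) {
-                return;
+            if ([self::PUBLIC_ACCESS] !== $attributes) {
+                throw $this->createAccessDeniedException($request, $attributes);
             }
+        }
 
-            throw $this->createAccessDeniedException($request, $attributes);
+        if ([self::PUBLIC_ACCESS] === $attributes) {
+            return;
         }
 
         if (!$token->isAuthenticated()) {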

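--- a/src/Symfony/Component/Security/Http/Tests/Firewall/AccessListenerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/Firewall/AccessListenerTest.php
@@ -18,8 +18,10 @@
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Security\Core\User\User;
 use Symfony\Component\Security\Http\AccessMapInterface;
 use Symfony\Component\Security\Http\Event\LazyResponseEvent;
 use Symfony\Component\Security\Http\Firewall\AccessListener;
@@ -279,6 +281,33 @@ public function testHandleWhenPublicAccessIsAllowedAndExceptionOnTokenIsFalse()
         $this->expectNotToPerformAssertions();
     }
 
+    public function testHandleWhenPublicAccessWhileAuthenticated()
+    {
+        $token = new UsernamePasswordToken(new User('Wouter', null, ['ROLE_USER']), null, 'main', ['ROLE_USER']);
+        $tokenStorage = new TokenStorage();
+        $tokenStorage->setToken($token);
+        $request = new Request();
+
+        $accessMap = $this->createMock(AccessMapInterface::class);
+        $accessMap->expects($this->any())
+            ->method('getPatterns')
+            ->with($this->equalTo($request))
+            ->willReturn([[AccessListener::PUBLIC_ACCESS], null])
+        ;
+
+        $listener = new AccessListener(
+            $tokenStorage,
+            $this->getMockBuilder('Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface')->getMock(),
+            $accessMap,
+            $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface')->getMock(),
+            false
+        );
+
+        $listener(new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MASTER_REQUEST));
+
+        $this->expectNotToPerformAssertions();
+    }
+
     public function testHandleMWithultipleAttributesShouldBeHandledAsAnd()
     {
         $request = new Request();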
