Can't login manually with multiple roles #35509

Closed
vellmur opened this issue Jan 29, 2020 · 5 comments

vellmur commented Jan 29, 2020

Yesterday my project moved from 4.3.4 to 4.4.3 and I got a problem.

I have a piece of code that allows logging in as another user without signing out. So the admin can log in with ROLE_ADMIN first and then log in as a user and have the roles ROLE_ADMIN, ROLE_OWNER, ROLE_USER. As a result, the admin will have the permissions of both admin and user. He can view admin and user pages at the same time.

Listing:

// In the controller class file (extends AbstractController):
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;

public function loginAsClient(TokenStorageInterface $tokenStorage, User $user)
{
    // Merge the currently logged-in admin's roles into the target user's roles
    $user->setRoles(array_unique(array_merge($this->getUser()->getRoles(), $user->getRoles())));

    // Build a token for the 'main' firewall that carries the merged roles
    $token = new UsernamePasswordToken($user, null, 'main', $user->getRoles());
    $tokenStorage->setToken($token);

    // Write the serialized token straight into the session under the firewall's key
    $this->get('session')->set('_security_main', serialize($token));
    $this->get('session')->save();

    return $this->redirectToRoute('dashboard_index');
}

And everything worked until I did the upgrade. Now nothing happens after this action: just a redirection, without the new roles being saved in the session.

Also, I noticed that if I do not merge the roles and give just the user's roles (without ROLE_ADMIN), authentication will work, but then the admin will lose admin permissions and a logout will be required.

Has something changed in the new security version, or is this type of manual login deprecated?


linaori commented Jan 29, 2020

You should not do anything with the user token in the session directly, let the security component handle this. Perhaps this can help you? https://symfonycasts.com/screencast/symfony-security/registration-auth


vellmur commented Jan 29, 2020

You should not do anything with the user token in the session directly, let the security component handle this. Perhaps this can help you? https://symfonycasts.com/screencast/symfony-security/registration-auth

I saw this solution, but it looks like I need to mix admin and user roles on the fly, without saving the roles to the database. So the permissions must be stored only in the session. Your example loads the user from the db.


linaori commented Jan 29, 2020

Have you tried this feature? https://symfony.com/doc/current/security/impersonating_user.html


vellmur commented Jan 30, 2020

Have you tried this feature? https://symfony.com/doc/current/security/impersonating_user.html

Thanks, this is helpful.

@vellmur vellmur closed this as completed Jan 30, 2020
@gorshkov-ag

It is because of the compare-roles update in the AbstractToken class, 4f4c30d.
Try to extend AbstractToken with a custom token and override the setUser method to use restricted roles.
Nothing else needs to be done.

public function loginAsClient(TokenStorageInterface $tokenStorage, User $user)
{
    // CustomToken extends AbstractToken and overrides setUser(); the token
    // is created with the restricted role set only (fixed missing quote)
    $token = new CustomToken($user, null, 'main', ['ROLE_USER']);
    $tokenStorage->setToken($token);

    return $this->redirectToRoute('dashboard_index');
}
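The role comparison the thread refers to, as an added example that is not code from this thread or from Symfony's source: a simplified stand-in for the check that AbstractToken::hasUserChanged() gained in 4.4, run over the roles from the original report. It shows why a hand-built token whose roles were widened beyond the stored user's is thrown away when the user provider refreshes the user, and why the switch_user impersonation token is the supported path. SimpleUser and tokenRolesDiverge are constructed names.

```php
<?php
// Added example (not Symfony's source): a simplified reimplementation of the
// role comparison that Symfony 4.4's AbstractToken::hasUserChanged() performs
// when the user provider refreshes the user on each request.
// SimpleUser and tokenRolesDiverge are names constructed for this illustration.

final class SimpleUser
{
    public $username;
    public $roles;

    public function __construct(string $username, array $roles)
    {
        $this->username = $username;
        $this->roles = $roles;
    }
}

// Does the set of role names carried by the token differ from the roles the
// freshly loaded user actually has? Order is ignored; the counts and the
// intersection must both match, so extra or missing roles both count as a change.
function tokenRolesDiverge(array $tokenRoleNames, SimpleUser $refreshedUser, bool $isSwitchUserToken = false): bool
{
    $userRoles = array_map('strval', $refreshedUser->roles);
    if ($isSwitchUserToken) {
        // An impersonation token legitimately carries exactly one extra role.
        $userRoles[] = 'ROLE_PREVIOUS_ADMIN';
    }

    return count($userRoles) !== count($tokenRoleNames)
        || count($userRoles) !== count(array_intersect($userRoles, $tokenRoleNames));
}

// Constructed sample: the client user as the provider reloads it from the
// database. It never had ROLE_ADMIN, so a refresh cannot reproduce that role.
$client = new SimpleUser('client', ['ROLE_OWNER', 'ROLE_USER']);

// Case 1: the hand-built token from the issue, with the admin's roles merged in.
// ROLE_ADMIN exists on the token but not on the refreshed user, so the token is
// treated as changed and discarded: the "nothing happens" symptom.
var_dump(tokenRolesDiverge(['ROLE_ADMIN', 'ROLE_OWNER', 'ROLE_USER'], $client));

// Case 2: token roles equal the user's roles. The token survives the refresh,
// but no admin rights remain, which is the second behaviour the reporter saw.
var_dump(tokenRolesDiverge(['ROLE_USER', 'ROLE_OWNER'], $client));

// Case 3: a switch_user impersonation token. Its extra ROLE_PREVIOUS_ADMIN is
// expected by the check, so impersonation keeps working across refreshes.
var_dump(tokenRolesDiverge(['ROLE_OWNER', 'ROLE_USER', 'ROLE_PREVIOUS_ADMIN'], $client, true));
```

Because the comparison is against whatever the provider reloads, session-only privilege merging cannot survive it; impersonation records the original admin in the token instead of widening the impersonated user's roles.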

nicolas-grekas added a commit that referenced this issue May 30, 2020
This PR was squashed before being merged into the 4.4 branch.

Discussion
----------

[Security] Fixed AbstractToken::hasUserChanged()

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #36989
| License       | MIT
| Doc PR        | -

This PR completely reverts #35944.

That PR tried to fix a BC break (ref #35941, #35509) introduced by #31177. However, this broke many authentications (ref #36989), as the User is serialized in the session (as hinted by @stof). Many applications don't include the `roles` property in the serialization (at least, the MakerBundle doesn't include it).

In 5.2, we should probably deprecate having different roles in token and user, which fixes the BC breaks all together.

Commits
-------

f297beb [Security] Fixed AbstractToken::hasUserChanged()