$token->getUser() should return null instead of empty string when there is no user #44909


Closed
jellynoone opened this issue Jan 5, 2022 · 6 comments

Comments

@jellynoone

Symfony version(s) affected

5.4.*

Description

When using voters and accessing the user through `TokenInterface` while there is no user logged in, the function returns an empty string `''` instead of `null`, failing a strict comparison test `null === $user`.

How to reproduce

```php
<?php

declare(strict_types=1);

namespace App\Security;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\CacheableVoterInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;

class AuthenticationVoter implements CacheableVoterInterface
{
    public function supportsAttribute(string $attribute): bool
    {
        return \in_array($attribute, [
            'IS_AUTHENTICATED_NOT',
        ], true);
    }

    public function supportsType(string $subjectType): bool
    {
        return 'null' === $subjectType;
    }

    public function vote(TokenInterface $token, $subject, array $attributes): int
    {
        \assert(null === $subject);
        $vote = VoterInterface::ACCESS_ABSTAIN;
        $user = $token->getUser();

        foreach ($attributes as $attr) {
            if ($attr !== 'IS_AUTHENTICATED_NOT') {
                continue;
            }

            $vote = VoterInterface::ACCESS_DENIED;

            // Expected to hold when nobody is logged in; on 5.4 NullToken::getUser()
            // returns '' instead of null, so this branch is never taken.
            if (null === $user) {
                return VoterInterface::ACCESS_GRANTED;
            }
        }

        return $vote;
    }
}
```

```php
<?php

declare(strict_types=1);

namespace App\Controller;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Core\Security;

class LoginController
{
    #[Route('/sign-in')]
    public function signIn(Request $request, Security $security): Response
    {
        // Only anonymous visitors should see the login form.
        if ($security->isGranted('IS_AUTHENTICATED_NOT')) {
            return new Response('Login');
        }

        return new Response('Only logged out users can login.');
    }
}
```

Possible Solution

No response

Additional Context

No response

@xabbuh
Member

xabbuh commented Jan 5, 2022

Can you create a small example application that allows to reproduce your issue?

@jellynoone
Author

Hi @xabbuh. I was able to take a look at the source. Putting `\dump($token)` in the function call showed `$token` was of type `\Symfony\Component\Security\Core\Authentication\Token\NullToken`.

Checking its implementation, I see it returns an empty string instead of null for the `getUser` method, going against the signature in the docblocks. This seems to be the problem.

Could you confirm? Or do you still need an example?

@jellynoone
Author

OK, never mind. Looking at the v6.0 branch, this was fixed.

But 5.4 wasn't?

I thought 5.4 still receives bug fixes, or am I wrong?

@jellynoone
Author

Hi @xabbuh. Was this enough information?

@BernardA

I used it like so:

```php
// Treats both null (6.0+) and '' (5.4 NullToken) as "no user".
if (!is_object($user = $token->getUser())) {
    return;
}
```
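An added example (not code from the issue or from Symfony) covering the reproduction above and the `is_object` workaround: hypothetical stub interfaces and token classes stand in for Symfony's so it runs stand-alone, and it compares a strict `null` check, the `is_object` check and an `instanceof UserInterface` check against a token whose `getUser()` returns `''` (5.4 `NullToken`), one that returns `null` (6.0+), and one carrying a real user.

```php
<?php
// Hypothetical minimal stand-ins for Symfony's TokenInterface/UserInterface
// so the voter logic below can run without the framework installed.
declare(strict_types=1);

interface UserInterface {}
interface TokenInterface { public function getUser(); }

// Constructed tokens: one per way the "no user" case has been represented,
// plus an authenticated one.
final class DemoUser implements UserInterface {}
final class NullTokenEmptyString implements TokenInterface { public function getUser() { return ''; } }   // 5.4 behaviour
final class NullTokenNull implements TokenInterface { public function getUser() { return null; } }       // 6.0+ behaviour
final class UserToken implements TokenInterface {
    public function __construct(private UserInterface $user) {}
    public function getUser() { return $this->user; }
}

const ACCESS_GRANTED = 1;
const ACCESS_DENIED = -1;

// Check from the reproduction: grants IS_AUTHENTICATED_NOT only when getUser() is exactly null.
function voteStrictNull(TokenInterface $token): int
{
    return null === $token->getUser() ? ACCESS_GRANTED : ACCESS_DENIED;
}

// Workaround from the thread: anything that is not an object counts as "no user".
function voteIsObject(TokenInterface $token): int
{
    return !is_object($token->getUser()) ? ACCESS_GRANTED : ACCESS_DENIED;
}

// Type-based check: only a real UserInterface counts as authenticated; '' and null both fall through.
function voteInstanceof(TokenInterface $token): int
{
    return $token->getUser() instanceof UserInterface ? ACCESS_DENIED : ACCESS_GRANTED;
}

foreach ([
    'NullToken 5.4 (getUser() = "")'   => new NullTokenEmptyString(),
    'NullToken 6.0+ (getUser() = null)' => new NullTokenNull(),
    'authenticated user'                => new UserToken(new DemoUser()),
] as $label => $token) {
    printf("%-34s strict-null: %2d  is_object: %2d  instanceof: %2d\n",
        $label, voteStrictNull($token), voteIsObject($token), voteInstanceof($token));
}
```

Only the strict-null variant denies the anonymous visitor on the 5.4 token; the other two give the same answer on both framework versions.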

@chalasr
Member

chalasr commented Mar 10, 2022

See #45697

@fabpot fabpot closed this as completed Mar 12, 2022
fabpot added a commit that referenced this issue Mar 12, 2022
…lasr)

This PR was merged into the 5.4 branch.

Discussion
----------

[Security] Fix return value of `NullToken::getUser()`

| Q             | A
| ------------- | ---
| Branch?       | 5.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | #44909
| License       | MIT
| Doc PR        | -

We went back & forth on this one but according to the history, we just forgot to do it in #42650.
Note: it's already `null` on 6.0+

Commits
-------

d892a51 Fix return value of `NullToken::getUser()`