Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[BC][Security] Badge-specific user loader overridden by default user provider #51103

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
guillaumesmo opened this issue Jul 25, 2023 · 1 comment
Closed

[BC][Security] Badge-specific user loader overridden by default user provider #51103

guillaumesmo opened this issue Jul 25, 2023 · 1 comment
Labels
Bug Security Status: Needs Review

Comments

@guillaumesmo
Copy link
Contributor

Symfony version(s) affected

6.3

Description

UserBadge accepts an optional callable $userLoader as second argument

The phpdoc states the following:

Optionally, you may pass a user loader. This callable receives the $userIdentifier as argument and must return a UserInterface object (otherwise an AuthenticationServiceException is thrown). If this is not set, the default user provider will be used with $userIdentifier as username.

Due to the following change, the default user provider is always used, even when explicitly set as described above:
https://github.com/symfony/symfony/pull/48272/files#diff-de9707bb338188f62878f2ebd42e7a7bf9547f6d0bf07a4fcd9c386c263c601b

How to reproduce

src/Security/AccessTokenHandler.php

<?php

use Symfony\Component\Security\Core\User\InMemoryUser;
use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;

class AccessTokenHandler implements AccessTokenHandlerInterface
{
    public function getUserBadgeFrom(#[\SensitiveParameter] string $accessToken): UserBadge
    {
        return new UserBadge('test', function (string $id) {
            return new InMemoryUser($id, null, ['ROLE_USER']);
        });
    }
}

config/packages/security.yaml

#...
    firewalls:
        main:
#...
            access_token:
                token_handler: App\Security\AccessTokenHandler

Possible Solution

Revert removal of null === $userBadge->getUserLoader() &&

Additional Context

There is also a similar check to prevent overriding the custom user loader in UserProviderListener:
https://github.com/symfony/symfony/blob/6.3/src/Symfony/Component/Security/Http/EventListener/UserProviderListener.php#L44
@guillaumesmo
Copy link
Contributor Author

seems to be a duplicate of #50511

@guillaumesmo guillaumesmo closed this as not planned Won't fix, can't repro, duplicate, stale Jul 25, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Security Status: Needs Review
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@guillaumesmo @carsonbot