
[Security] Fix legacy impersonation system #46748

Merged
merged 1 commit into from Jun 23, 2022

Conversation

dunglas
Copy link
Member

@dunglas dunglas commented Jun 23, 2022

| Q             | A   |
|---------------|-----|
| Branch?       | 5.4 |
| Bug fix?      | yes |
| New feature?  | no  |
| Deprecations? | no  |
| Tickets       | n/a |
| License       | MIT |
| Doc PR        | n/a |

When using the legacy authentication system with a user class not
implementing `EquatableInterface` (for instance, the default when using
Sylius) a bug prevents the impersonation system from working properly.

The switch is done correctly, but then the user is disconnected on the
next request because `SecurityContext::hasUserChanged()` compares the
roles of the token in session with the roles of the temporary token, and they
aren't equal.

`ROLE_PREVIOUS_ADMIN` is added in
`SwitchUserListener::attemptSwitchUser()`, but then removed if the
legacy system is still enabled in `UserAuthenticationProvider`.

It looks like this bug has been introduced while deprecating support for
role classes: d64372d#diff-914ec544d4f7b26fda540aea3d7bc57cc5057d76bfb9ad72047d77739e3bb5a3L115

This patch fixes the issue (tested on a real Sylius project).

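The failure mode described above, as an added example that is not Symfony's code or part of this pull request: a simplified model of the role-set comparison a non-`EquatableInterface` user goes through on the next request, showing why dropping `ROLE_PREVIOUS_ADMIN` during legacy re-authentication ends the session and why preserving it does not. `PlainUser`, `Token`, `hasUserChanged()` and `legacyReauthenticate()` are stand-ins written for this example, not Symfony classes or methods.

```php
<?php
// Added example, not Symfony's code: a simplified model of why a user class
// that does not implement EquatableInterface was logged out after the switch.
declare(strict_types=1);

interface EquatableInterface { public function isEqualTo(object $other): bool; }

/** Minimal user WITHOUT EquatableInterface (the Sylius default case). */
final class PlainUser {
    public function __construct(public readonly string $username, public readonly array $roles) {}
}

/** Minimal security token: the authenticated user plus the token's roles. */
final class Token {
    public function __construct(public readonly object $user, public readonly array $roles) {}
}

/** Stand-in for SecurityContext::hasUserChanged(): without EquatableInterface,
 *  any difference between the two role sets counts as a changed user. */
function hasUserChanged(Token $sessionToken, Token $freshToken): bool {
    if ($sessionToken->user instanceof EquatableInterface) {
        return !$sessionToken->user->isEqualTo($freshToken->user);
    }
    if ($sessionToken->user->username !== $freshToken->user->username) {
        return true;
    }
    return array_diff($sessionToken->roles, $freshToken->roles) !== []
        || array_diff($freshToken->roles, $sessionToken->roles) !== [];
}

/** Stand-in for the legacy provider re-authenticating the switched token.
 *  The buggy path rebuilds roles from the user alone, dropping ROLE_PREVIOUS_ADMIN. */
function legacyReauthenticate(Token $switched, bool $preserveSwitchRole): Token {
    $roles = $preserveSwitchRole ? $switched->roles : $switched->user->roles;
    return new Token($switched->user, $roles);
}

// Constructed scenario: an admin impersonates the plain user "customer".
$customer = new PlainUser('customer', ['ROLE_USER']);
$switched = new Token($customer, ['ROLE_USER', 'ROLE_PREVIOUS_ADMIN']); // as set by SwitchUserListener

// Buggy path: the re-authenticated token lost ROLE_PREVIOUS_ADMIN, so the role
// sets differ and the session token is treated as belonging to a changed user.
$buggy = legacyReauthenticate($switched, false);
var_dump(hasUserChanged($switched, $buggy));

// Fixed path: ROLE_PREVIOUS_ADMIN survives re-authentication, the role sets
// match, and the impersonated session is kept on the next request.
$fixed = legacyReauthenticate($switched, true);
var_dump(hasUserChanged($switched, $fixed));
```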
@chalasr chalasr left a comment

LGTM

stof
stof approved these changes Jun 23, 2022
fabpot
fabpot approved these changes Jun 23, 2022

@fabpot fabpot commented Jun 23, 2022

Thank you @dunglas.

@fabpot fabpot merged commit b3c1841 into symfony:5.4 Jun 23, 2022
10 of 11 checks passed
@dunglas dunglas deleted the fix/legacy-switch-user branch Jun 23, 2022
@fabpot fabpot mentioned this pull request Jun 26, 2022