fixes a bug in the SwitchUserListener

schmittjoh · fabpot · commit c660fcd2f231 · 2011-04-19T14:24:37.000+02:00
diff --git a/UPDATE.md b/UPDATE.md
@@ -26,6 +26,10 @@ PR11 to PR12
         <app:engine>twig</app:engine>
         <twig:extension>twig.extension.debug</twig:extension>
 
+* Fixes a critical security issue which allowed all users to switch to 
+  arbitrary accounts when the SwitchUserListener was activated. Configurations
+  which do not use the SwitchUserListener are not affected.
+
 PR10 to PR11
 ------------
 
diff --git a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\Security\Http\Firewall;
 
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\SecurityContextInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Core\User\UserCheckerInterface;
@@ -112,7 +113,9 @@ private function attemptSwitchUser(Request $request)
             throw new \LogicException(sprintf('You are already switched to "%s" user.', $token->getUsername()));
         }
 
-        $this->accessDecisionManager->decide($token, array($this->role));
+        if (false === $this->accessDecisionManager->decide($token, array($this->role))) {
+            throw new AccessDeniedException();
+        }
 
         $username = $request->get($this->usernameParameter);
 
