[Security] Keep roles when serializing tokens

nicolas-grekas · nicolas-grekas · commit b1b0fd7faa23 · 2025-06-04T14:26:27.000+02:00
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php
@@ -32,16 +32,12 @@ abstract class AbstractToken implements TokenInterface, \Serializable
      */
     public function __construct(array $roles = [])
     {
-        $this->roleNames = [];
-
-        foreach ($roles as $role) {
-            $this->roleNames[] = (string) $role;
-        }
+        $this->roleNames = $roles;
     }
 
     public function getRoleNames(): array
     {
-        return $this->roleNames ??= self::__construct($this->user->getRoles()) ?? $this->roleNames;
+        return $this->roleNames ??= $this->user?->getRoles() ?? [];
     }
 
     public function getUserIdentifier(): string
@@ -92,7 +88,7 @@ public function __serialize(): array
     {
         $data = [$this->user, true, null, $this->attributes];
 
-        if (!$this->user instanceof EquatableInterface) {
+        if (($this->user?->getRoles() ?? []) !== $this->getRoleNames()) {
             $data[] = $this->roleNames;
         }
 
@@ -161,7 +157,7 @@ public function __toString(): string
         $class = substr($class, strrpos($class, '\\') + 1);
 
         $roles = [];
-        foreach ($this->roleNames as $role) {
+        foreach ($this->getRoleNames() as $role) {
             $roles[] = $role;
         }
 

Original file line number	Diff line number	Diff line change
`@@ -32,16 +32,12 @@ abstract class AbstractToken implements TokenInterface, \Serializable`
`32`	`32`	`*/`
`33`	`33`	`public function __construct(array $roles = [])`
`34`	`34`	`{`
`35`		`- $this->roleNames = [];`
`36`		`-`
`37`		`- foreach ($roles as $role) {`
`38`		`- $this->roleNames[] = (string) $role;`
`39`		`- }`
	`35`	`+ $this->roleNames = $roles;`
`40`	`36`	`}`
`41`	`37`
`42`	`38`	`public function getRoleNames(): array`
`43`	`39`	`{`
`44`		`- return $this->roleNames ??= self::__construct($this->user->getRoles()) ?? $this->roleNames;`
	`40`	`+ return $this->roleNames ??= $this->user?->getRoles() ?? [];`
`45`	`41`	`}`
`46`	`42`
`47`	`43`	`public function getUserIdentifier(): string`
`@@ -92,7 +88,7 @@ public function __serialize(): array`
`92`	`88`	`{`
`93`	`89`	`$data = [$this->user, true, null, $this->attributes];`
`94`	`90`
`95`		`- if (!$this->user instanceof EquatableInterface) {`
	`91`	`+ if (($this->user?->getRoles() ?? []) !== $this->getRoleNames()) {`
`96`	`92`	`$data[] = $this->roleNames;`
`97`	`93`	`}`
`98`	`94`
`@@ -161,7 +157,7 @@ public function __toString(): string`
`161`	`157`	`$class = substr($class, strrpos($class, '\\') + 1);`
`162`	`158`
`163`	`159`	`$roles = [];`
`164`		`- foreach ($this->roleNames as $role) {`
	`160`	`+ foreach ($this->getRoleNames() as $role) {`
`165`	`161`	`$roles[] = $role;`
`166`	`162`	`}`
`167`	`163`