bug #13627 [Security] InMemoryUserProvider now concerns whether user's password is changed when refreshing (issei-m)
This PR was merged into the 2.3 branch. Discussion ---------- [Security] InMemoryUserProvider now concerns whether user's password is changed when refreshing | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | - | License | MIT | Doc PR | - When a user has changed their own password, I want to log out every session authenticated as that user, except the session in which the change was made. The [DaoAuthenticationManager::checkAuthentication()](https://github.com/symfony/symfony/blob/2.3/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php#L59) method seems to address this. But this situation never actually occurs, because both users passed to this method are always identical during re-authentication: the token refreshes its own user via [ContextListener](https://github.com/symfony/symfony/blob/2.3/src/Symfony/Component/Security/Http/Firewall/ContextListener.php#L90) before re-authentication. Commits ------- 729902a [Security] InMemoryUserProvider now concerns whether user's password is changed when refreshing
2 parents 2455b69 + 729902a commit d3b8176


2 files changed

+53
-17
lines changed


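--- a/src/Symfony/Component/Security/Core/User/InMemoryUserProvider.php
+++ b/src/Symfony/Component/Security/Core/User/InMemoryUserProvider.php
@@ -67,17 +67,9 @@ public function createUser(UserInterface $user)
 */
 public function loadUserByUsername($username)
 {
-if (!isset($this->users[strtolower($username)])) {
-$ex = new UsernameNotFoundException(sprintf('Username "%s" does not exist.', $username));
-$ex->setUsername($username);
-
-throw $ex;
-}
+$user = $this->getUser($username);
 
-$user = $this->users[strtolower($username)];
-
-return new User($user->getUsername(), $user->getPassword(), $user->getRoles(), $user->isEnabled(), $user->isAccountNonExpired(),
-$user->isCredentialsNonExpired(), $user->isAccountNonLocked());
+return new User($user->getUsername(), $user->getPassword(), $user->getRoles(), $user->isEnabled(), $user->isAccountNonExpired(), $user->isCredentialsNonExpired(), $user->isAccountNonLocked());
 }
 
 /**
@@ -89,7 +81,9 @@ public function refreshUser(UserInterface $user)
 throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
 }
 
-return $this->loadUserByUsername($user->getUsername());
+$storedUser = $this->getUser($user->getUsername());
+
+return new User($storedUser->getUsername(), $storedUser->getPassword(), $storedUser->getRoles(), $storedUser->isEnabled(), $storedUser->isAccountNonExpired(), $storedUser->isCredentialsNonExpired() && $storedUser->getPassword() === $user->getPassword(), $storedUser->isAccountNonLocked());
 }
 
 /**
@@ -99,4 +93,25 @@ public function supportsClass($class)
 {
 return $class === 'Symfony\Component\Security\Core\User\User';
 }
+
+/**
+* Returns the user by given username.
+*
+* @param string $username The username.
+*
+* @return User
+*
+* @throws UsernameNotFoundException If user whose given username does not exist.
+*/
+private function getUser($username)
+{
+if (!isset($this->users[strtolower($username)])) {
+$ex = new UsernameNotFoundException(sprintf('Username "%s" does not exist.', $username));
+$ex->setUsername($username);
+
+throw $ex;
+}
+
+return $this->users[strtolower($username)];
+}
 }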
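Review bot: The `&& $storedUser->getPassword() === $user->getPassword()` folded into the isCredentialsNonExpired argument of the `new User(...)` call in refreshUser is the behavioural core of this fix, yet nothing in the hunk says why credential expiry is tied to password equality; a later reader could easily take it for an accidental extra condition. Put the intent in a comment above that return, e.g. `// Treat the credentials as expired when the password stored here differs from the one carried by the session's user, so sessions opened before a password change fail re-authentication.` The `@throws` line of the new getUser docblock reads awkwardly; `@throws UsernameNotFoundException If no user with the given username exists.` says the same thing plainly, and the `strtolower($username)` key computed twice in that method could be held in a local. refreshUser's instanceof guard starts above this hunk.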

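--- a/src/Symfony/Component/Security/Tests/Core/User/InMemoryUserProviderTest.php
+++ b/src/Symfony/Component/Security/Tests/Core/User/InMemoryUserProviderTest.php
@@ -18,18 +18,39 @@ class InMemoryUserProviderTest extends \PHPUnit_Framework_TestCase
 {
 public function testConstructor()
 {
-$provider = new InMemoryUserProvider(array(
+$provider = $this->createProvider();
+
+$user = $provider->loadUserByUsername('fabien');
+$this->assertEquals('foo', $user->getPassword());
+$this->assertEquals(array('ROLE_USER'), $user->getRoles());
+$this->assertFalse($user->isEnabled());
+}
+
+public function testRefresh()
+{
+$user = new User('fabien', 'bar');
+
+$provider = $this->createProvider();
+
+$refreshedUser = $provider->refreshUser($user);
+$this->assertEquals('foo', $refreshedUser->getPassword());
+$this->assertEquals(array('ROLE_USER'), $refreshedUser->getRoles());
+$this->assertFalse($refreshedUser->isEnabled());
+$this->assertFalse($refreshedUser->isCredentialsNonExpired());
+}
+
+/**
+* @return InMemoryUserProvider
+*/
+protected function createProvider()
+{
+return new InMemoryUserProvider(array(
 'fabien' => array(
 'password' => 'foo',
 'enabled' => false,
 'roles' => array('ROLE_USER'),
 ),
 ));
-
-$user = $provider->loadUserByUsername('fabien');
-$this->assertEquals('foo', $user->getPassword());
-$this->assertEquals(array('ROLE_USER'), $user->getRoles());
-$this->assertFalse($user->isEnabled());
 }
 
 public function testCreateUser()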
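Review bot: testRefresh only exercises the mismatch branch of the new password check, so an inverted comparison in refreshUser (expiring credentials when the passwords are equal) would still pass this suite. Add the positive case alongside it, e.g. `$this->assertTrue($provider->refreshUser(new User('fabien', 'foo'))->isCredentialsNonExpired());`. testConstructor now goes through createProvider and asserts on loadUserByUsername, so a name like `testLoadUserByUsername` would describe it better. The test class continues past the hunk with testCreateUser.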
