[Security] User impersonation doesn't work as expected in 4.4 · Issue #34202 · symfony/symfony · GitHub

Closed
javiereguiluz opened this issue Oct 31, 2019 · 1 comment · Fixed by #34218

@javiereguiluz
Member

Symfony version(s) affected: 4.4

Description
I was playing with "impersonating users" inside the Symfony Demo app. In the current version of the app, everything works as expected. In the pending PR that uses 4.4-dev (symfony/demo#1039), impersonation doesn't work and I end up with an anonymous user.

How to reproduce
Use the Symfony Demo app and add switch_user: ~ to the main firewall and ROLE_ALLOWED_TO_SWITCH to the ROLE_ADMIN hierarchy.

Additional context

These are the logs when using Symfony 4.3:

[2019-10-31 12:37:19] security.DEBUG: Read existing security token from the session. {"key":"_security_main","token_class":"Symfony\\Component\\Security\\Core\\Authentication\\Token\\SwitchUserToken"} []
[2019-10-31 12:37:19] doctrine.DEBUG: SELECT t0.id AS id_1, t0.full_name AS full_name_2, t0.username AS username_3, t0.email AS email_4, t0.password AS password_5, t0.roles AS roles_6 FROM symfony_demo_user t0 WHERE t0.id = ? [3] []
[2019-10-31 12:37:19] security.DEBUG: User was reloaded from a user provider. {"provider":"Symfony\\Bridge\\Doctrine\\Security\\User\\EntityUserProvider","username":"john_user","impersonator_username":"jane_admin"} []
[2019-10-31 12:37:19] security.DEBUG: Stored the security token in the session. {"key":"_security_main"} []

These are the logs when using Symfony 4.4-dev:

[2019-10-31 12:35:15] security.DEBUG: Read existing security token from the session. {"key":"_security_main","token_class":"Symfony\\Component\\Security\\Core\\Authentication\\Token\\SwitchUserToken"} []
[2019-10-31 12:35:15] doctrine.DEBUG: SELECT t0.id AS id_1, t0.full_name AS full_name_2, t0.username AS username_3, t0.email AS email_4, t0.password AS password_5, t0.roles AS roles_6 FROM symfony_demo_user t0 WHERE t0.id = ? [3] []
[2019-10-31 12:35:15] security.DEBUG: Cannot refresh token because user has changed. {"username":"john_user","provider":"Symfony\\Bridge\\Doctrine\\Security\\User\\EntityUserProvider"} []
[2019-10-31 12:35:15] security.DEBUG: Token was deauthenticated after trying to refresh it. [] []
[2019-10-31 12:35:15] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
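The two log excerpts above show the regression as a sequence of security-channel messages: the session still holds a SwitchUserToken, but the refresh ends in "Token was deauthenticated" and an anonymous token. As an added example (not part of the issue and not Symfony code), here is a small Python check that parses Monolog lines of that shape and reports every request in which a SwitchUserToken was read from the session and then deauthenticated instead of stored back, which is the signature of an impersonation session silently dropping to anonymous. The line regex and the message prefixes it keys on are assumptions taken from the lines shown above; the sample input is those same lines embedded inline.

```python
import json
import re

# Monolog line shape (assumed from the excerpts above): [timestamp] channel.LEVEL: message {context} [extra]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<channel>\w+)\.(?P<level>\w+): "
    r"(?P<msg>.*?) (?P<context>\{.*\}|\[[^\]]*\]) \[[^\]]*\]$"
)
SWITCH_TOKEN = "Symfony\\Component\\Security\\Core\\Authentication\\Token\\SwitchUserToken"

# Sample input: the security-channel lines of the 4.3 and 4.4-dev excerpts above, in that order.
SAMPLE_LOG = r"""[2019-10-31 12:37:19] security.DEBUG: Read existing security token from the session. {"key":"_security_main","token_class":"Symfony\\Component\\Security\\Core\\Authentication\\Token\\SwitchUserToken"} []
[2019-10-31 12:37:19] security.DEBUG: User was reloaded from a user provider. {"provider":"Symfony\\Bridge\\Doctrine\\Security\\User\\EntityUserProvider","username":"john_user","impersonator_username":"jane_admin"} []
[2019-10-31 12:37:19] security.DEBUG: Stored the security token in the session. {"key":"_security_main"} []
[2019-10-31 12:35:15] security.DEBUG: Read existing security token from the session. {"key":"_security_main","token_class":"Symfony\\Component\\Security\\Core\\Authentication\\Token\\SwitchUserToken"} []
[2019-10-31 12:35:15] security.DEBUG: Cannot refresh token because user has changed. {"username":"john_user","provider":"Symfony\\Bridge\\Doctrine\\Security\\User\\EntityUserProvider"} []
[2019-10-31 12:35:15] security.DEBUG: Token was deauthenticated after trying to refresh it. [] []
[2019-10-31 12:35:15] security.INFO: Populated the TokenStorage with an anonymous Token. [] []"""

def parse_line(line):
    """Parse one Monolog line into a dict; return None for lines of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("context")
    context = json.loads(raw) if raw.startswith("{") else {}
    return {"ts": m.group("ts"), "channel": m.group("channel"),
            "msg": m.group("msg"), "context": context}

def find_dropped_impersonations(log_text):
    """Return (timestamp, username) for each request whose SwitchUserToken was deauthenticated."""
    findings = []
    request = None  # token state of the request currently being followed
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["channel"] != "security":
            continue
        msg, ctx = rec["msg"], rec["context"]
        if msg.startswith("Read existing security token"):
            request = {"ts": rec["ts"], "user": None,
                       "switch": ctx.get("token_class") == SWITCH_TOKEN}
        elif request and msg.startswith("Cannot refresh token because user has changed"):
            request["user"] = ctx.get("username")  # the impersonated user
        elif request and msg.startswith("Token was deauthenticated"):
            if request["switch"]:
                findings.append((request["ts"], request["user"]))
            request = None
        elif request and msg.startswith("Stored the security token"):
            request = None  # refresh succeeded: nothing to report for this request
    return findings
```

Running it over the sample reports only the 4.4-dev request, where the impersonation of john_user was lost; the 4.3 request, which ends in "Stored the security token", produces no finding.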
@chalasr
Member
chalasr commented Nov 2, 2019

Good catch! See #34218

@fabpot fabpot closed this as completed Nov 3, 2019
fabpot added a commit that referenced this issue Nov 3, 2019
…alasr)

This PR was merged into the 4.4 branch.

Discussion
----------

[Security] Fix SwitchUserToken wrongly deauthenticated

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #34202
| License       | MIT
| Doc PR        | -

Commits
-------

e47b31c [Security] Fix SwitchUserToken wrongly deauthenticated