[SecurityBundle] Allow for custom logout request matcher

symfony · ro0NL · Apr 28, 2017 · Apr 29, 2017 · 09a1dbd2bf5770afb8d9c3f9881223a455227856 · weaverryan
commit 09a1dbd2bf5770afb8d9c3f9881223a455227856
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -235,6 +235,7 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
                     ->scalarNode('csrf_parameter')->defaultValue('_csrf_token')->end()
                     ->scalarNode('csrf_token_generator')->cannotBeEmpty()->end()
                     ->scalarNode('csrf_token_id')->defaultValue('logout')->end()
+                    ->scalarNode('request_matcher')->end()
                     ->scalarNode('path')->defaultValue('/logout')->end()
                     ->scalarNode('target')->defaultValue('/')->end()
                     ->scalarNode('success_handler')->end()

diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -370,9 +370,10 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
             $listener->replaceArgument(2, new Reference($logoutSuccessHandlerId));
 
             // add CSRF provider
-            if (isset($firewall['logout']['csrf_token_generator'])) {
-                $listener->addArgument(new Reference($firewall['logout']['csrf_token_generator']));
-            }
+            $listener->replaceArgument(4, isset($firewall['logout']['csrf_token_generator']) ? new Reference($firewall['logout']['csrf_token_generator']) : null);
+
+            // add request matcher
+            $listener->replaceArgument(5, isset($firewall['logout']['request_matcher']) ? new Reference($firewall['logout']['request_matcher']) : null);
 
             // add session logout handler
             if (true === $firewall['logout']['invalidate_session'] && false === $firewall['stateless']) {

diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml
@@ -50,6 +50,8 @@
             <argument type="service" id="security.http_utils" />
             <argument type="service" id="security.logout.success_handler" />
             <argument /> <!-- Options -->
+            <argument /> <!-- CSRF token manager -->
+            <argument /> <!-- Request matcher -->
         </service>
 
         <service id="security.logout.handler.session" class="Symfony\Component\Security\Http\Logout\SessionLogoutHandler" public="false" />

diff --git a/src/Symfony/Component/Security/Http/Firewall/LogoutListener.php b/src/Symfony/Component/Security/Http/Firewall/LogoutListener.php
@@ -13,6 +13,7 @@
 
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\RequestMatcherInterface;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Exception\LogoutException;
@@ -36,6 +37,7 @@ class LogoutListener implements ListenerInterface
     private $successHandler;
     private $httpUtils;
     private $csrfTokenManager;
+    private $requestMatcher;
 
     /**
      * Constructor.
@@ -45,8 +47,9 @@ class LogoutListener implements ListenerInterface
      * @param LogoutSuccessHandlerInterface $successHandler   A LogoutSuccessHandlerInterface instance
      * @param array                         $options          An array of options to process a logout attempt
      * @param CsrfTokenManagerInterface     $csrfTokenManager A CsrfTokenManagerInterface instance
+     * @param RequestMatcherInterface|null  $requestMatcher   A RequestMatcherInterface instance
      */
-    public function __construct(TokenStorageInterface $tokenStorage, HttpUtils $httpUtils, LogoutSuccessHandlerInterface $successHandler, array $options = array(), CsrfTokenManagerInterface $csrfTokenManager = null)
+    public function __construct(TokenStorageInterface $tokenStorage, HttpUtils $httpUtils, LogoutSuccessHandlerInterface $successHandler, array $options = array(), CsrfTokenManagerInterface $csrfTokenManager = null, RequestMatcherInterface $requestMatcher = null)
     {
         $this->tokenStorage = $tokenStorage;
         $this->httpUtils = $httpUtils;
@@ -57,6 +60,7 @@ public function __construct(TokenStorageInterface $tokenStorage, HttpUtils $http
         ), $options);
         $this->successHandler = $successHandler;
         $this->csrfTokenManager = $csrfTokenManager;
+        $this->requestMatcher = $requestMatcher;
         $this->handlers = array();
     }
 
@@ -127,6 +131,18 @@ public function handle(GetResponseEvent $event)
      */
     protected function requiresLogout(Request $request)
     {
-        return $this->httpUtils->checkRequestPath($request, $this->options['logout_path']);
+        if (!isset($this->options['logout_path']) && null === $this->requestMatcher) {
+            return false;
+        }
+
+        if (isset($this->options['logout_path']) && !$this->httpUtils->checkRequestPath($request, $this->options['logout_path'])) {
+            return false;
+        }
+
+        if (null !== $this->requestMatcher && !$this->requestMatcher->matches($request)) {
+            return false;
+        }
+
+        return true;
     }
 }