symfony · fabpot · Jul 18, 2018 · Jul 13, 2018 · xabbuh · Jul 16, 2018
diff --git a/UPGRADE-4.2.md b/UPGRADE-4.2.md
@@ -94,6 +94,7 @@ Security
    custom anonymous and remember me token classes is deprecated. To
    use custom tokens, extend the existing `Symfony\Component\Security\Core\Authentication\Token\AnonymousToken`
    or `Symfony\Component\Security\Core\Authentication\Token\RememberMeToken`.
+ * Accessing the user object that is not an instance of `UserInterface` from `Security::getUser()` is deprecated.
 
 SecurityBundle
 --------------

diff --git a/UPGRADE-5.0.md b/UPGRADE-5.0.md
@@ -126,6 +126,7 @@ Security
  * The `FirewallMapInterface::getListeners()` method must return an array of 3 elements,
    the 3rd one must be either a `LogoutListener` instance or `null`.
  * The `AuthenticationTrustResolver` constructor arguments have been removed.
+ * A user object that is not an instance of `UserInterface` cannot be accessed from `Security::getUser()` anymore and returns `null` instead.
 
 SecurityBundle
 --------------

diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md
@@ -12,6 +12,7 @@ CHANGELOG
   use custom tokens, extend the existing `Symfony\Component\Security\Core\Authentication\Token\AnonymousToken`
   or `Symfony\Component\Security\Core\Authentication\Token\RememberMeToken`.
 * allow passing null as $filter in LdapUserProvider to get the default filter
+* accessing the user object that is not an instance of `UserInterface` from `Security::getUser()` is deprecated
 
 4.1.0
 -----

diff --git a/src/Symfony/Component/Security/Core/Security.php b/src/Symfony/Component/Security/Core/Security.php
@@ -46,6 +46,11 @@ public function getUser()
             return null;
         }
 
+        if (!$user instanceof UserInterface) {
+            @trigger_error(sprintf('Accessing the user object "%s" that is not an instance of "%s" from "%s()" is deprecated since Symfony 4.2, use "getToken()->getUser()" instead.', get_class($user), UserInterface::class, __METHOD__), E_USER_DEPRECATED);
+            //return null; // 5.0 behavior
+        }
+
         return $user;
     }
 

diff --git a/src/Symfony/Component/Security/Core/Tests/SecurityTest.php b/src/Symfony/Component/Security/Core/Tests/SecurityTest.php
@@ -64,10 +64,34 @@ public function getUserTests()
 
         yield array('string_username', null);
 
+        //yield array(new StringishUser(), null); // 5.0 behavior
+
         $user = new User('nice_user', 'foo');
         yield array($user, $user);
     }
 
+    /**
+     * @group legacy
+     * @expectedDeprecation Accessing the user object "Symfony\Component\Security\Core\Tests\StringishUser" that is not an instance of "Symfony\Component\Security\Core\User\UserInterface" from "Symfony\Component\Security\Core\Security::getUser()" is deprecated since Symfony 4.2, use "getToken()->getUser()" instead.
+     */
+    public function testGetUserLegacy()
+    {
+        $token = $this->getMockBuilder(TokenInterface::class)->getMock();
+        $token->expects($this->any())
+            ->method('getUser')
+            ->will($this->returnValue($user = new StringishUser()));
+        $tokenStorage = $this->getMockBuilder(TokenStorageInterface::class)->getMock();
+
+        $tokenStorage->expects($this->once())
+            ->method('getToken')
+            ->will($this->returnValue($token));
+
+        $container = $this->createContainer('security.token_storage', $tokenStorage);
+
+        $security = new Security($container);
+        $this->assertSame($user, $security->getUser());
+    }
+
     public function testIsGranted()
     {
         $authorizationChecker = $this->getMockBuilder(AuthorizationCheckerInterface::class)->getMock();
@@ -95,3 +119,11 @@ private function createContainer($serviceId, $serviceObject)
         return $container;
     }
 }
+
+class StringishUser
+{
+    public function __toString()
+    {
+        return 'stringish_user';
+    }
+}