8000 [Security/Http] Throw `AccessDeniedException` in `UserValueResolver` when user is required but not authenticated by ruudk · Pull Request #46447 · symfony/symfony · GitHub
[go: up one dir, main page]
Skip to content

[Security/Http] Throw AccessDeniedException in UserValueResolver when user is required but not authenticated #46447

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

[Security/Http] Throw AccessDeniedException in UserValueResolver when user is required but not authenticated #46447

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 26 additions & 1 deletion src/Symfony/Component/Security/Http/Controller/UserValueResolver.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
use Symfony\Component\HttpKernel\ControllerMetadata\ArgumentMetadata;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\User\UserInterface;

/**
Expand All @@ -41,17 +42,41 @@ public function supports(Request $request, ArgumentMetadata $argument): bool

$token = $this->tokenStorage->getToken();
if (!$token instanceof TokenInterface) {
$this->maybeThrowAccessDeniedException($argument);

return false;
}

$user = $token->getUser();

// in case it's not an object we cannot do anything with it; E.g. "anon."
return $user instanceof UserInterface;
if (!$user instanceof UserInterface) {
$this->maybeThrowAccessDeniedException($argument);

return false;
}

return true;
}

public function resolve(Request $request, ArgumentMetadata $argument): iterable
{
yield $this->tokenStorage->getToken()->getUser();
}

private function maybeThrowAccessDeniedException(ArgumentMetadata $argument): void
{
if ($argument->hasDefaultValue() || (null !== $argument->getType() && $argument->isNullable())) {
return;
}

// Although not really the responsibility of an ArgumentValueResolverInterface, we need to stop here
// because otherwise another resolver (like ServiceValueResolver) can try to load the User class
// from the service container and fail with an exception that is counter-intuitive:
//
// Example: Cannot autowire argument $user of "App\Controller::myAction()": it references class "App\User" but no such service exists.
//
// By throwing an AccessDeniedException we can redirect the user to a login page.
throw new AccessDeniedException('No token found in the security context.');
}
}
36 changes: 34 additions & 2 deletions src/Symfony/Component/Security/Http/Tests/Controller/UserValueResolverTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,20 +18,52 @@
use Symfony\Component\HttpKernel\ControllerMetadata\ArgumentMetadata;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Http\Controller\UserValueResolver;

class UserValueResolverTest extends TestCase
{
public function testResolveNoToken()
public function testResolveNoTokenWhenArgumentIsNullable()
{
$tokenStorage = new TokenStorage();
$resolver = new UserValueResolver($tokenStorage);
$metadata = new ArgumentMetadata('foo', UserInterface::class, false, false, null);
$metadata = new ArgumentMetadata('foo', UserInterface::class, false, false, null, true);

$this->assertFalse($resolver->supports(Request::create('/'), $metadata));
}

public function testResolveNoTokenWhenArgumentHasDefaultValue()
{
$tokenStorage = new TokenStorage();
$resolver = new UserValueResolver($tokenStorage);
$metadata = new ArgumentMetadata('foo', UserInterface::class, false, true, null, true);

$this->assertFalse($resolver->supports(Request::create('/'), $metadata));
}

public function testResolveNoTokenWhenArgumentIsNotNullable()
{
$tokenStorage = new TokenStorage();
$resolver = new UserValueResolver($tokenStorage);
$metadata = new ArgumentMetadata('foo', UserInterface::class, false, false, null, false);

$this->expectException(AccessDeniedException::class);

$resolver->supports(Request::create('/'), $metadata);
}

public function testResolveNoTokenWhenArgumentDoesNotHaveDefaultValue()
{
$tokenStorage = new TokenStorage();
$resolver = new UserValueResolver($tokenStorage);
$metadata = new ArgumentMetadata('foo', UserInterface::class, false, false, null, false);

$this->expectException(AccessDeniedException::class);

$resolver->supports(Request::create('/'), $metadata);
}

public function testResolveNoUser()
{
$mock = $this->createMock(UserInterface::class);
Expand Down
0