[Security] Skip user checks if not implementing UserInterface

Robin Chalas · Robin Chalas · commit fa20fe10af89 · 2018-04-25T13:42:08.000+02:00
diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/SimpleAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/SimpleAuthenticationProvider.php
@@ -13,6 +13,7 @@
 
 use Symfony\Component\Security\Core\User\UserChecker;
 use Symfony\Component\Security\Core\User\UserCheckerInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Authentication\SimpleAuthenticatorInterface;
@@ -45,6 +46,11 @@ public function authenticate(TokenInterface $token)
         }
 
         $user = $authToken->getUser();
+
+        if (!$user instanceof UserInterface) {
+            return $authToken;
+        }
+
         $this->userChecker->checkPreAuth($user);
         $this->userChecker->checkPostAuth($user);
 
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/SimpleAuthenticationProviderTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/SimpleAuthenticationProviderTest.php
@@ -15,6 +15,7 @@
 use Symfony\Component\Security\Core\Exception\DisabledException;
 use Symfony\Component\Security\Core\Authentication\Provider\SimpleAuthenticationProvider;
 use Symfony\Component\Security\Core\Exception\LockedException;
+use Symfony\Component\Security\Core\User\UserChecker;
 
 class SimpleAuthenticationProviderTest extends TestCase
 {
@@ -72,6 +73,20 @@ public function testAuthenticateWhenPostChecksFails()
         $provider->authenticate($token);
     }
 
+    public function testAuthenticateSkipsUserChecksForAnonymousTokens()
+    {
+        $token = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\TokenInterface')->getMock();
+        $token->expects($this->any())
+            ->method('getUser')
+            ->will($this->returnValue('string-user'));
+        $authenticator = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\SimpleAuthenticatorInterface')->getMock();
+        $authenticator->expects($this->once())
+            ->method('authenticateToken')
+            ->will($this->returnValue($token));
+
+        $this->assertSame($token, $this->getProvider($authenticator, null, new UserChecker())->authenticate($token));
+    }
+
     protected function getProvider($simpleAuthenticator = null, $userProvider = null, $userChecker = null, $key = 'test')
     {
         if (null === $userChecker) {
