
potential bug in Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity #5026


Closed
binabik opened this issue Jul 24, 2012 · 2 comments

Comments


binabik commented Jul 24, 2012

Hi,

The constructor of Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity\RoleSecurityIdentity takes $role as a parameter and checks if it is an instance of Symfony\Component\Security\Core\Role\Role. Following the guidelines in http://symfony.com/doc/master/cookbook/security/entity_provider.html, our Role class implements RoleInterface. This results in RoleSecurityIdentity::role being populated with an object during the PermissionsEvaluation phase.

The fix, for me, was easy and should not break any other parts of the implementation, as Core\Role\Role also implements Core\Role\RoleInterface.

[[WARNING: HANDWRITTEN DIFF]]
<<<
[Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity\RoleSecurityIdentity.php]
-- use Symfony\Component\Security\Core\Role\Role;
++ use Symfony\Component\Security\Core\Role\RoleInterface;
[...]
public function __construct($role)
{
-- if ($role instanceof Role) {
++ if ($role instanceof RoleInterface) {
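Review bot: the `[...]` elides the body of the `if` branch, so the hunk does not show what is done with `$role` once it passes the widened `instanceof RoleInterface` check; the old `instanceof Role` guaranteed a concrete `Role` in that branch, so please confirm the branch body only calls methods declared on `RoleInterface`, otherwise objects that implement the interface without extending `Role` could reach a call they do not provide. Separately, the `--`/`++` markers and the bracketed file header are not unified-diff syntax, so this cannot be applied with `patch` or `git apply`; a `git diff` against the branch would let reviewers apply and test it directly.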

I can submit a proper patch if required.

regards,
sb
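The failure mode described in the issue, as an added illustration that is not Symfony's own code: a reduced model of the classes the report names, with the constructor's accepted type made a parameter so the narrow `instanceof Role` check and the proposed `instanceof RoleInterface` check can be compared side by side. The `GroupRole` class, the `$acceptedType` parameter and the bodies of `RoleSecurityIdentity::__construct()` and `equals()` are assumptions made for this example, not the component's real implementation.

```php
<?php
// Added example (not Symfony's code): why a custom role that implements
// RoleInterface without extending Role is stored as an object by a
// narrow `instanceof Role` check, and why the ACL comparison then fails.

interface RoleInterface
{
    public function getRole();
}

// Concrete role, as in the core component: wraps a role string.
class Role implements RoleInterface
{
    private $role;
    public function __construct($role) { $this->role = (string) $role; }
    public function getRole() { return $this->role; }
}

// Hypothetical custom role built the way the entity_provider cookbook
// suggests: implements the interface directly, does not extend Role.
class GroupRole implements RoleInterface
{
    private $name;
    public function __construct($name) { $this->name = $name; }
    public function getRole() { return $this->name; }
}

// Simplified model of the security identity. $acceptedType is an
// assumption for this example so both checks can be exercised.
class RoleSecurityIdentity
{
    private $role;

    public function __construct($role, $acceptedType)
    {
        // Only objects of the accepted type are unwrapped to their role
        // string; anything else is stored exactly as passed in.
        if ($role instanceof $acceptedType) {
            $role = $role->getRole();
        }
        $this->role = $role;
    }

    public function getRole() { return $this->role; }

    // Identity comparison as an ACL lookup needs it: strict equality of
    // the stored role value (assumed shape for this example).
    public function equals(RoleSecurityIdentity $other)
    {
        return $this->role === $other->getRole();
    }
}

// Identity stored with the ACE at grant time, built from a plain string.
$stored = new RoleSecurityIdentity('ROLE_ADMIN', 'Role');

// Identity derived at check time from the user's custom role object.
$custom = new GroupRole('ROLE_ADMIN');

// Narrow check (current behaviour): GroupRole is not a Role, so the
// object itself is stored and never compares equal to the string.
$narrow = new RoleSecurityIdentity($custom, 'Role');

// Widened check (the proposed fix): GroupRole is a RoleInterface, so it
// is unwrapped to 'ROLE_ADMIN' and matches the stored identity.
$wide = new RoleSecurityIdentity($custom, 'RoleInterface');

var_dump(is_object($narrow->getRole()));
var_dump($stored->equals($narrow));
var_dump($wide->getRole());
var_dump($stored->equals($wide));
```

Run with `php example.php`: the narrow variant keeps the `GroupRole` object, so `equals()` reports no match and a permission that was granted to `ROLE_ADMIN` is silently not found for the user; the widened variant unwraps the object to the role string and the comparison succeeds. The practical consequence is a denial of access rather than an escalation, which is why the symptom in the issue is the ACL "not working" for custom roles.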

vicb (Contributor) commented Jul 30, 2012

ref #5076

fabpot (Member) commented Nov 9, 2012

Closing as this is a duplicate.

fabpot closed this as completed Nov 9, 2012
m14t added a commit to m14t/symfony-docs that referenced this issue Apr 23, 2013
The documentation seems to assume the implementation present in commit
symfony/symfony#1673, which was reverted soon after due
to a potential, but undisclosed security hole (citation @schmittjoh in symfony/symfony@af70ac8).

This incorrect documentation has likely been the source of many
of the following issues:
* symfony/symfony#1538 - [ACL RoleSecurityIdentity] check if instance of Role
* symfony/symfony#1748 - Replace Role to RoleInterface for RoleSecurityIdentity
* symfony/symfony#4309 - Issue related to custom group (role) and ACL/ACE
* symfony/symfony#5026 - potential bug in Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity
* symfony/symfony#5076 - [Acl] altered the behaviour of RoleSecurityIdentity
* symfony/symfony#5171 - Fix/role security identity
* symfony/symfony#5303 - [Security] Check for RoleInterface instead of Role object in RoleSecurityIdentity
* symfony/symfony#5909 - Allow Custom Roles to implement the RoleInterface
* symfony/symfony#6012 - Securityidentity fix