[SecurityBundle] fix setLogoutOnUserChange calls for context listeners #25272
Conversation
| @@ -276,15 +276,19 @@ private function createFirewalls($config, ContainerBuilder $container) | |||
| $customUserChecker = true; | |||
| } | |||
|
|
|||
| $configId = 'security.firewall.map.config.'.$name; | |||
|
|
|||
| list($matcher, $listeners, $exceptionListener) = $this->createFirewall($container, $name, $firewall, $authenticationProviders, $providerIds, $configId); | |||
There was a problem hiding this comment.
Those 2 lines can bu moved back to where they were, right?
| $configId = 'security.firewall.map.config.'.$name; | ||
|
|
||
| list($matcher, $listeners, $exceptionListener) = $this->createFirewall($container, $name, $firewall, $authenticationProviders, $providerIds, $configId); | ||
|
|
||
| foreach ($listeners as $listener) { | ||
| if (0 === strpos($listenerId = (string) $listener, 'security.context_listener.')) { | ||
| $container->getDefinition($listenerId)->addMethodCall('setLogoutOnUserChange', array($firewall['logout_on_user_change'])); |
There was a problem hiding this comment.
Can be done in createContextListener by passing the option value as argument to createFirewall first (it has the whole config), or iterate over $this->contextListeners after the createFirewall loop.
There was a problem hiding this comment.
@chalasr done 😉 Will make merging into higher branches a bit harder though 😋
|
How will this work if multiple firewalls share the same context? |
|
@Xymanek hmm I think you are right. That case is still not handled properly 😢 I will look into it. |
|
@iltar @chalasr any idea how to fix this? Seems Within the Or we enforce (with an error when validating the config?) that all firewalls that share a context have the same value for |
|
@dmaicher I think it should throw indeed |
| } | ||
|
|
||
| if (isset($this->firewallsByContextKey[$contextKey]) && $this->firewallsByContextKey[$contextKey][1]['logout_on_user_change'] !== $firewall['logout_on_user_change']) { | ||
| throw new InvalidConfigurationException(sprintf('Firewalls "%s" and "%s" need to have the same value for option "logout_on_user_change" as they are sharing the context "%s"', $this->firewallsByContextKey[$contextKey][0], $id, $contextKey)); |
There was a problem hiding this comment.
@chalasr done. There is a tiny chance though that this is a BC break if someone set the option already on some firewalls with a shared context.
But the behavior is wrong anyway with that config then 😋
There was a problem hiding this comment.
Current behavior is buggy, fine to me
| } | ||
|
|
||
| $this->firewallsByContextKey[$contextKey] = array($id, $firewall); | ||
| $listeners[] = new Reference($this->createContextListener($container, $contextKey, $firewall['logout_on_user_change'])); |
There was a problem hiding this comment.
must be reached only if the key is set on $firewall. Also I would store the option value only instead of the whole config
There was a problem hiding this comment.
must be reached only if the key is set on $firewall.
Not sure I follow. That line was always reached before as well?
Also I would store the option value only instead of the whole config
👍
There was a problem hiding this comment.
Now it's accessing $firewall['logout_on_user_change'] which might be not set.
In this case we should not register the firewall in $firewallsByContextKey, perhaps pass null to createContextListener() in order to not add the method call as well
There was a problem hiding this comment.
But it did that also before 😉
I actually think the array key will always exist and it cannot be null?
There was a problem hiding this comment.
Forgot that it's a bool node, sorry for the noise!
There was a problem hiding this comment.
No problem ;) will update the PR after work
| @@ -43,6 +43,7 @@ class SecurityExtension extends Extension | |||
| private $factories = array(); | |||
| private $userProviderFactories = array(); | |||
| private $expressionLanguage; | |||
| private $firewallsByContextKey = array(); | |||
There was a problem hiding this comment.
can you add a deprec docblock so that we don't forget to remove it in 5.0?
| @@ -340,17 +340,6 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto | |||
| return $firewall; | |||
| }) | |||
| ->end() | |||
| ->validate() | |||
There was a problem hiding this comment.
@chalasr this is now actually not needed anymore since triggering the deprecation is moved and it's not triggered anymore at all if stateless = true or security = false.
| @@ -43,6 +43,7 @@ class SecurityExtension extends Extension | |||
| private $factories = array(); | |||
| private $userProviderFactories = array(); | |||
| private $expressionLanguage; | |||
| private $logoutOnUserChangeByContextKey = array(); | |||
There was a problem hiding this comment.
@chalasr should I add some deprecation info here? Did not see that for private member variables elsewhere?
There was a problem hiding this comment.
Let's let it as is and keep it in mind, note for mergers: this prop should be removed when merging in 4.0 (I can take care of the merge)
|
Thanks for fixing this bug @dmaicher. |
…xt listeners (dmaicher) This PR was squashed before being merged into the 3.4 branch (closes #25272). Discussion ---------- [SecurityBundle] fix setLogoutOnUserChange calls for context listeners | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #25267 | License | MIT | Doc PR | - As pointed out in #25267 the `setLogoutOnUserChange` method calls were added to the parent definition `security.context_listener` instead of the concrete child definitions `security.context_listener.*`. ping @iltar @chalasr Commits ------- 4eff146 [SecurityBundle] fix setLogoutOnUserChange calls for context listeners
As pointed out in #25267 the
setLogoutOnUserChangemethod calls were added to the parent definitionsecurity.context_listenerinstead of the concrete child definitionssecurity.context_listener.*.ping @iltar @chalasr