Skip to content

[Security/Core] Fix wrong roles comparison #35944

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 22, 2020
Merged

[Security/Core] Fix wrong roles comparison #35944

merged 1 commit into from
May 22, 2020

Conversation

thlbaut
Copy link
Contributor

@thlbaut thlbaut commented Mar 3, 2020

Q A
Branch? 4.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets Fix #35941
License MIT

Fix wrong roles comparison.

@nicolas-grekas nicolas-grekas added this to the 4.4 milestone Mar 3, 2020
@xabbuh xabbuh added the Security label Mar 4, 2020
@ajgarlag
Copy link
Contributor

ajgarlag commented Mar 5, 2020

I've opened thlbaut#1 to PR author branch with an small change to reproduce the bug, and to prevent a future regression.

This was referenced Mar 6, 2020
Merged
Closed
@nicolas-grekas nicolas-grekas changed the title Fix wrong roles comparison [Security/Core] Fix wrong roles comparison Mar 31, 2020
@nicolas-grekas
Copy link
Member

This would deserve more tests I suppose (note the I don't know if this is correct.)

This was referenced May 3, 2020
Closed
Closed
chalasr
chalasr approved these changes May 22, 2020
View reviewed changes
Copy link
Member

@chalasr chalasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The added test looks good enough.

wouterj
wouterj approved these changes May 22, 2020
View reviewed changes
Copy link
Member

@wouterj wouterj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed with Robin, the tweaked test covers the BC regression introduced in 4.4

@fabpot
Copy link
Member

fabpot commented May 22, 2020

Thank you @thlbaut.

@fabpot fabpot merged commit 2e46c63 into symfony:4.4 May 22, 2020
@fabpot fabpot mentioned this pull request May 26, 2020
Merged
This was referenced May 28, 2020
Closed
Merged
wouterj added a commit to wouterj/symfony that referenced this pull request May 30, 2020
@wouterj
Revert "bug symfony#35944 [Security/Core] Fix wrong roles comparison …
6e9f34a 
…(thlbaut)"

This reverts commit 2e46c63, reversing
changes made to 47180fe.
wouterj added a commit to wouterj/symfony that referenced this pull request May 30, 2020
@wouterj
Revert "bug symfony#35944 [Security/Core] Fix wrong roles comparison …
d4e357b 
…(thlbaut)"

This reverts commit 2e46c63, reversing
changes made to 47180fe.
nicolas-grekas added a commit that referenced this pull request May 30, 2020
@nicolas-grekas
bug #37008 [Security] Fixed AbstractToken::hasUserChanged() (wouterj)
bdb01db 
This PR was squashed before being merged into the 4.4 branch.

Discussion
----------

[Security] Fixed AbstractToken::hasUserChanged()

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #36989
| License       | MIT
| Doc PR        | -

This PR completely reverts #35944.

That PR tried to fix a BC break (ref #35941, #35509) introduced by #31177. However, this broke many authentications (ref #36989), as the User is serialized in the session (as hinted by @stof). Many applications don't include the `roles` property in the serialization (at least, the MakerBundle doesn't include it).

In 5.2, we should probably deprecate having different roles in token and user, which fixes the BC breaks all together.

Commits
-------

f297beb [Security] Fixed AbstractToken::hasUserChanged()
This was referenced May 31, 2020
Merged
Merged
@ajgarlag ajgarlag mentioned this pull request Jun 1, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabpot fabpot fabpot approved these changes

@wouterj wouterj wouterj approved these changes

@chalasr chalasr chalasr approved these changes

Assignees
No one assigned
Labels
Bug Security Status: Reviewed
Projects
None yet
Milestone
4.4
Development

Successfully merging this pull request may close these issues.
8 participants
@thlbaut @ajgarlag @nicolas-grekas @fabpot @wouterj @chalasr @xabbuh @carsonbot