[Security] Use NullToken while checking authorization #37620

Merged
merged 1 commit into from
Jul 31, 2020

Conversation

@wouterj (Member) commented Jul 20, 2020

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | Fix #37523
| License       | MIT
| Doc PR        | tbd

This allows voters to grant access to unauthenticated users. E.g. some objects can be viewed by anyone, in this case the voter has to be able to grant access to unauthenticated users.

This does break the interface PHPdoc of TokenInterface: getUser() returns null instead of string|UserInterface. This is only true when using the new system, so not a real BC break. I think the only thing we can do to "guide" users is to add some custom handling for type errors related to null and UserInterface methods ("Did you forget to check for null in the Voter?"). Is this something I should add to this PR?
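A voter written for the behaviour described above, as an added example that is not code from this PR or from Symfony itself: it assumes Symfony 5.2+ (where this PR's NullToken exists), a hypothetical `App\Entity\Document` subject with `isPublic()` and `isOwnedBy(UserInterface)` methods, and placeholder attribute names. The point is the null check on `getUser()` before any UserInterface method is called, so an unauthenticated request (NullToken) is granted read access to public objects instead of triggering a TypeError.

```php
<?php
// Added example (not part of the PR): a voter that handles NullToken.
// Hypothetical pieces: App\Entity\Document, its isPublic()/isOwnedBy()
// methods, and the DOCUMENT_VIEW / DOCUMENT_EDIT attribute names.

namespace App\Security\Voter;

use App\Entity\Document;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

final class DocumentVoter extends Voter
{
    public const VIEW = 'DOCUMENT_VIEW';
    public const EDIT = 'DOCUMENT_EDIT';

    protected function supports(string $attribute, $subject): bool
    {
        return \in_array($attribute, [self::VIEW, self::EDIT], true)
            && $subject instanceof Document;
    }

    protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
    {
        /** @var Document $subject */
        $user = $token->getUser();

        // With the new authenticator system an unauthenticated request reaches
        // the voter with a NullToken, so getUser() returns null. Calling any
        // UserInterface method on it would throw a TypeError, so branch first.
        if (!$user instanceof UserInterface) {
            // Unauthenticated: read access to public documents only.
            return self::VIEW === $attribute && $subject->isPublic();
        }

        // Authenticated user: owners get everything, others only public reads.
        switch ($attribute) {
            case self::VIEW:
                return $subject->isPublic() || $subject->isOwnedBy($user);
            case self::EDIT:
                return $subject->isOwnedBy($user);
        }

        return false;
    }
}
```

Because the unauthenticated branch returns before any user method is called, the same voter keeps working under the old token classes, where `getUser()` still returns a string or UserInterface.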

This allows, e.g., having some objects that can be viewed by anyone (even unauthenticated users).
@wouterj force-pushed the security/null-token branch from b9f3c41 to e370915 on July 20, 2020 19:47
@nicolas-grekas added this to the next milestone Jul 22, 2020
@fabpot (Member) commented Jul 31, 2020

Thank you @wouterj.

Issue this pull request may close: [Security][new system] Voter can not vote anymore on "anonymous"