Skip to content

[Security] Fix legacy impersonation system #46748

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 23, 2022
Merged

[Security] Fix legacy impersonation system #46748

merged 1 commit into from
Jun 23, 2022
+5 −1

Conversation

dunglas
Copy link
Member

@dunglas dunglas commented Jun 23, 2022
edited
Loading

Q A
Branch? 5.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets n/a
License MIT
Doc PR n/a

When using the legacy authentication system with a user class not
implementing EquatableInterface (for instance, the default when using
Sylius) a bug prevents the impersonation system from working properly.

The switch is done correctly, but then the user is disconnected on the
next request because SecurityContext::hasUserChanged() compares the
roles of the token in session with the roles of the temporary token, and they
aren't equal.

ROLE_PREVIOUS_ADMIN is added in
SwitchUserListener::attemptSwitchUser(), but then removed if the
legacy system is still enabled in UserAuthenticationProvider.

It looks like this bug has been introduced while deprecating support for
role classes: d64372d#diff-914ec544d4f7b26fda540aea3d7bc57cc5057d76bfb9ad72047d77739e3bb5a3L115

This patch fixes the issue (tested on a real Sylius project).

@dunglas
[Security] Fix legacy impersonation system
4d44563 
When using the legacy authentication system with a user class not
implementing `EquatableInterface` (for instance, the default when using
Sylius) a bug prevents the impersonation system to work properly.

The switch is done correctly, but then the user is disconnected on the
next request because `SecurityContext::hasUserChanged()` compares the
roles of the token in session with the roles of the temporary token, and they
aren't equal.

`ROLE_PREVIOUS_ADMIN` is added in
`SwitchUserListener::attemptSwitchUser()`, but then removed if the
legacy system is still enabled in `UserAuthenticationProvider`.

It looks like this bug has been introduced while deprecating support for
role classes: symfony@d64372d#diff-914ec544d4f7b26fda540aea3d7bc57cc5057d76bfb9ad72047d77739e3bb5a3L115

This patch fixes the issue (tested on a real Sylius project).
@dunglas dunglas requested a review from xabbuh June 23, 2022 11:59
@dunglas dunglas requested review from wouterj and chalasr as code owners June 23, 2022 11:59
@carsonbot carsonbot added this to the 5.4 milestone Jun 23, 2022
chalasr
chalasr approved these changes Jun 23, 2022
View reviewed changes
Copy link
Member

@chalasr chalasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@fabpot
Copy link
Member

fabpot commented Jun 23, 2022

Thank you @dunglas.

@fabpot fabpot merged commit b3c1841 into symfony:5.4 Jun 23, 2022
@dunglas dunglas deleted the fix/legacy-switch-user branch June 23, 2022 13:18
This was referenced Jun 26, 2022
Merged
Merged
Merged
@simonsolutions simonsolutions mentioned this pull request Aug 22, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabpot fabpot fabpot approved these changes

@stof stof stof approved these changes

@chalasr chalasr chalasr approved these changes

@xabbuh xabbuh Awaiting requested review from xabbuh

@wouterj wouterj Awaiting requested review from wouterj

Assignees
No one assigned
Labels
Bug Security Status: Reviewed
Projects
None yet
Milestone
5.4
Development

Successfully merging this pull request may close these issues.
5 participants
@dunglas @fabpot @stof @chalasr @carsonbot