Commit 0ac530f

committed
Also check PUBLIC_ACCESS for authenticated tokens
Currently, authenticated users are denied access for pages that have PUBLIC_ACCESS, as this attribute is only checked when no token was set.
1 parent 2af156d commit 0ac530f

2 files changed

+34
-3
lines changed

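--- a/src/Symfony/Component/Security/Http/Firewall/AccessListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/AccessListener.php
@@ -95,11 +95,13 @@ public function authenticate(RequestEvent $event)
                 return;
             }
 
-            if ([self::PUBLIC_ACCESS] === $attributes) {
-                return;
+            if ([self::PUBLIC_ACCESS] !== $attributes) {
+                throw $this->createAccessDeniedException($request, $attributes);
             }
+        }
 
-            throw $this->createAccessDeniedException($request, $attributes);
+        if ([self::PUBLIC_ACCESS] === $attributes) {
+            return;
         }
 
         if (!$token->isAuthenticated()) {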
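Review bot: The new `if ([self::PUBLIC_ACCESS] === $attributes) { return; }` at new lines 103-105 deserves a why-comment, because it is now reached on two paths — the no-token branch (once the inner `!==` check at new line 98 has not thrown) and the token-present path — and it returns before the `isAuthenticated()` check on new line 107, so a stored token is no longer re-validated for public-access pages. Something like `// PUBLIC_ACCESS grants access whether or not a token is present, so the authentication checks below are skipped` placed above that `if` would make the intent explicit and explain why the inner check only throws for non-public attributes instead of returning. The enclosing authenticate() method starts before the hunk, so the block that the added `}` at new line 101 closes is not visible here.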

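--- a/src/Symfony/Component/Security/Http/Tests/Firewall/AccessListenerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/Firewall/AccessListenerTest.php
@@ -18,8 +18,10 @@
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Security\Core\User\User;
 use Symfony\Component\Security\Http\AccessMapInterface;
 use Symfony\Component\Security\Http\Event\LazyResponseEvent;
 use Symfony\Component\Security\Http\Firewall\AccessListener;
@@ -279,6 +281,33 @@ public function testHandleWhenPublicAccessIsAllowedAndExceptionOnTokenIsFalse()
         $this->expectNotToPerformAssertions();
     }
 
+    public function testHandleWhenPublicAccessWhileAuthenticated()
+    {
+        $token = new UsernamePasswordToken(new User('Wouter', null, ['ROLE_USER']), null, 'main', ['ROLE_USER']);
+        $tokenStorage = new TokenStorage();
+        $tokenStorage->setToken($token);
+        $request = new Request();
+
+        $accessMap = $this->createMock(AccessMapInterface::class);
+        $accessMap->expects($this->any())
+            ->method('getPatterns')
+            ->with($this->equalTo($request))
+            ->willReturn([[AccessListener::PUBLIC_ACCESS], null])
+        ;
+
+        $listener = new AccessListener(
+            $tokenStorage,
+            $this->getMockBuilder('Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface')->getMock(),
+            $accessMap,
+            $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface')->getMock(),
+            false
+        );
+
+        $listener(new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MASTER_REQUEST));
+
+        $this->expectNotToPerformAssertions();
+    }
+
     public function testHandleMWithultipleAttributesShouldBeHandledAsAnd()
     {
         $request = new Request();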
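Review bot: The two `getMockBuilder('Symfony\...')->getMock()` calls at new lines 300 and 302 use string class names, while the `$accessMap` mock a few lines above uses `createMock(AccessMapInterface::class)`; both interfaces are already imported at the top of the file (visible in the first hunk), so `$this->createMock(AccessDecisionManagerInterface::class),` and `$this->createMock(AuthenticationManagerInterface::class),` would be consistent and let static analysis and IDE navigation resolve the names. If the neighbouring tests in this file still use the string form, that cleanup could equally be done file-wide in a follow-up rather than in this fix.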
