Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit 64aecab

Browse filesBrowse files
j4nr6nj4nr6n
committed
Don't let falsey usernames slip through
1 parent fb5f8fb commit 64aecab
Copy full SHA for 64aecab

File tree

Expand file treeCollapse file tree

2 files changed

+35
-2
lines changed
Filter options
Expand file treeCollapse file tree

2 files changed

+35
-2
lines changed

‎src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
+9-2Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -77,9 +77,16 @@ public function __construct(TokenStorageInterface $tokenStorage, UserProviderInt
7777
public function handle(GetResponseEvent $event)
7878
{
7979
$request = $event->getRequest();
80-
$username = $request->get($this->usernameParameter) ?: $request->headers->get($this->usernameParameter);
8180

82-
if (!$username) {
81+
// usernames can be falsy
82+
$username = $request->get($this->usernameParameter);
83+
84+
if (null === $username || '' === $username) {
85+
$username = $request->headers->get($this->usernameParameter);
86+
}
87+
88+
// if it's still "empty", nothing to do.
89+
if (null === $username || '' === $username) {
8390
return;
8491
}
8592

‎src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php
+26Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -191,6 +191,32 @@ public function testSwitchUser()
191191
$this->assertInstanceOf('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', $this->tokenStorage->getToken());
192192
}
193193

194+
public function testSwitchUserWorksWithFalsyUsernames()
195+
{
196+
$token = new UsernamePasswordToken('username', '', 'key', ['ROLE_FOO']);
197+
$user = new User('username', 'password', []);
198+
199+
$this->tokenStorage->setToken($token);
200+
$this->request->query->set('_switch_user', '0');
201+
202+
$this->accessDecisionManager->expects($this->once())
203+
->method('decide')->with($token, ['ROLE_ALLOWED_TO_SWITCH'])
204+
->willReturn(true);
205+
206+
$this->userProvider->expects($this->once())
207+
->method('loadUserByUsername')->with('0')
208+
->willReturn($user);
209+
$this->userChecker->expects($this->once())
210+
->method('checkPostAuth')->with($user);
211+
212+
$listener = new SwitchUserListener($this->tokenStorage, $this->userProvider, $this->userChecker, 'provider123', $this->accessDecisionManager);
213+
$listener->handle($this->event);
214+
215+
$this->assertSame([], $this->request->query->all());
216+
$this->assertSame('', $this->request->server->get('QUERY_STRING'));
217+
$this->assertInstanceOf('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', $this->tokenStorage->getToken());
218+
}
219+
194220
public function testSwitchUserKeepsOtherQueryStringParameters()
195221
{
196222
$token = new UsernamePasswordToken('username', '', 'key', ['ROLE_FOO']);

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.