symfony
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/RefreshableRolesTest.php
Copy file name to clipboard
+127Lines changed: 127 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/RefreshableRolesTest.php
Copy file name to clipboard
+127Lines changed: 127 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/StandardFormLogin/refreshable_roles.yml
Copy file name to clipboard
+29Lines changed: 29 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/StandardFormLogin/refreshable_roles.yml
Copy file name to clipboard
+29Lines changed: 29 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php
+21Lines changed: 21 additions & 0 deletions b/‎src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php
+21Lines changed: 21 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php
+3Lines changed: 3 additions & 0 deletions b/‎src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php
+3Lines changed: 3 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php
+4Lines changed: 4 additions & 0 deletions b/‎src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php
+4Lines changed: 4 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authentication/Token/RefreshableRolesTokenInterface.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authentication/Token/RefreshableRolesTokenInterface.php
+11Lines changed: 11 additions & 0 deletions b/‎src/Symfony/Component/Security/Core/Authentication/Token/RefreshableRolesTokenInterface.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authentication/Token/RefreshableRolesTokenInterface.php
+11Lines changed: 11 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php
+1Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php
+1Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Authentication/Token/UsernamePasswordToken.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authentication/Token/UsernamePasswordToken.php
+4Lines changed: 4 additions & 0 deletions b/‎src/Symfony/Component/Security/Core/Authentication/Token/UsernamePasswordToken.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authentication/Token/UsernamePasswordToken.php
+4Lines changed: 4 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Tests/Authentication/Provider/PreAuthenticatedAuthenticationProviderTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Tests/Authentication/Provider/PreAuthenticatedAuthenticationProviderTest.php
+1-1Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Component/Security/Core/Tests/Authentication/Provider/PreAuthenticatedAuthenticationProviderTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Tests/Authentication/Provider/PreAuthenticatedAuthenticationProviderTest.php
+1-1Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
+2-2Lines changed: 2 additions & 2 deletions b/‎src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
+2-2Lines changed: 2 additions & 2 deletions
diff --git a/‎src/Symfony/Component/Security/Guard/Token/PostAuthenticationGuardToken.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Guard/Token/PostAuthenticationGuardToken.php
+2Lines changed: 2 additions & 0 deletions b/‎src/Symfony/Component/Security/Guard/Token/PostAuthenticationGuardToken.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Guard/Token/PostAuthenticationGuardToken.php
+2Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Firewall/ContextListener.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Http/Firewall/ContextListener.php
+14-1Lines changed: 14 additions & 1 deletion b/‎src/Symfony/Component/Security/Http/Firewall/ContextListener.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Http/Firewall/ContextListener.php
+14-1Lines changed: 14 additions & 1 deletion
@@ -0,0 +1,127 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Functional;
+
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Core\User\UserProviderInterface;
+
+class RefreshableRolesTest extends WebTestCase
+{
+    public function testRolesAreRefreshed()
+    {
+        // log them in!
+        $client = $this->createAuthenticatedClient('cool_user');
+
+        // refresh the page, roles have not changed yet
+        $client->request('GET', '/profile');
+        $rolesData = $client->getProfile()->getCollector('security')->getRoles();
+        $this->assertCount(1, $rolesData);
+        $this->assertEquals('ROLE_ORIGINAL', $rolesData[0]);
+
+        // this will cause the refreshed user to have these new roles
+        $client->request('GET', '/profile?new_role=ROLE_NEW');
+        $rolesData = $client->getProfile()->getCollector('security')->getRoles();
+        $this->assertCount(1, $rolesData);
+        $this->assertEquals('ROLE_NEW', $rolesData[0]);
+
+        // the change should be persistent
+        $client->request('GET', '/profile');
+        $rolesData = $client->getProfile()->getCollector('security')->getRoles();
+        $this->assertCount(1, $rolesData);
+        $this->assertEquals('ROLE_NEW', $rolesData[0]);
+    }
+
+    private function createAuthenticatedClient($username)
+    {
+        $client = $this->createClient(array('test_case' => 'StandardFormLogin', 'root_config' => 'refreshable_roles.yml'));
+        $client->followRedirects(true);
+
+        $form = $client->request('GET', '/login')->selectButton('login')->form();
+        $form['_username'] = $username;
+        $form['_password'] = 'test';
+        $client->submit($form);
+
+        return $client;
+    }
+}
+
+class RefreshableRolesUserProvider implements UserProviderInterface
+{
+    private $requestStack;
+
+    public function __construct(RequestStack $requestStack)
+    {
+        $this->requestStack = $requestStack;
+    }
+
+    public function loadUserByUsername($username)
+    {
+        return new RefreshableUser($username, array('ROLE_ORIGINAL'));
+    }
+
+    public function refreshUser(UserInterface $user)
+    {
+        $request = $this->requestStack->getCurrentRequest();
+        // a sneaky way of faking the stored user's roles being changed
+        if ($request->query->has('new_role')) {
+            $user->setRoles(array($request->query->get('new_role')));
+        }
+
+        return $user;
+    }
+
+    public function supportsClass($class)
+    {
+        return RefreshableUser::class === $class;
+    }
+}
+
+class RefreshableUser implements UserInterface
+{
+    private $username;
+    private $roles;
+
+    public function __construct($username, array $roles)
+    {
+        $this->username = $username;
+        $this->roles = $roles;
+    }
+
+    public function getUsername()
+    {
+        return $this->username;
+    }
+
+    public function getRoles()
+    {
+        return $this->roles;
+    }
+
+    public function setRoles($roles)
+    {
+        $this->roles = $roles;
+    }
+
+    public function getPassword()
+    {
+        return 'test';
+    }
+
+    public function getSalt()
+    {
+    }
+
+    public function eraseCredentials()
+    {
+    }
+}
@@ -0,0 +1,29 @@
+imports:
+    - { resource: ./../config/default.yml }
+
+services:
+    refreshable_roles_user_provider:
+      class: Symfony\Bundle\SecurityBundle\Tests\Functional\RefreshableRolesUserProvider
+      arguments: ['@request_stack']
+
+security:
+    encoders:
+        Symfony\Bundle\SecurityBundle\Tests\Functional\RefreshableUser: plaintext
+
+    providers:
+        all_users:
+            id: refreshable_roles_user_provider
+
+    firewalls:
+        # This firewall doesn't make sense in combination with the rest of the
+        # configuration file, but it's here for testing purposes (do not use
+        # this file in a real world scenario though)
+        login_form:
+            pattern: ^/login$
+            security: false
+
+        default:
+            form_login:
+                check_path: /login_check
+                default_target_path: /profile
+            anonymous: ~
@@ -29,6 +29,7 @@ abstract class AbstractToken implements TokenInterface, RefreshableRolesTokenInt
     private $roles = array();
     private $authenticated = false;
     private $attributes = array();
+    private $shouldUpdateRoles = false;
 
     /**
      * Constructor.
@@ -235,6 +236,14 @@ public function updateRoles(array $roles)
         }
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function shouldUpdateRoles()
+    {
+        return $this->shouldUpdateRoles;
+    }
+
     /**
      * {@inheritdoc}
      */
@@ -251,6 +260,18 @@ public function __toString()
         return sprintf('%s(user="%s", authenticated=%s, roles="%s")', $class, $this->getUsername(), json_encode($this->authenticated), implode(', ', $roles));
     }
 
+    /**
+     * Call this from a sub-class if you want the token's roles
+     * to be updated from UserInterface::getRoles() on each
+     * page refresh (when using session-based authentication).
+     *
+     * @param bool $shouldUpdateRoles
+     */
+    protected function setShouldUpdateRoles($shouldUpdateRoles)
+    {
+        $this->shouldUpdateRoles = $shouldUpdateRoles;
+    }
+
     private function hasUserChanged(UserInterface $user)
     {
         if (!($this->user instanceof UserInterface)) {
 
@@ -12,6 +12,7 @@
 namespace Symfony\Component\Security\Core\Authentication\Token;
 
 use Symfony\Component\Security\Core\Role\Role;
+use Symfony\Component\Security\Core\User\UserInterface;
 
 /**
  * AnonymousToken represents an anonymous token.
@@ -36,6 +37,8 @@ public function __construct($secret, $user, array $roles = array())
         $this->secret = $secret;
         $this->setUser($user);
         $this->setAuthenticated(true);
+
+        $this->setShouldUpdateRoles($user instanceof UserInterface && $user->getRoles() === $roles);
     }
 
     /**
 
@@ -11,6 +11,8 @@
 
 namespace Symfony\Component\Security\Core\Authentication\Token;
 
+use Symfony\Component\Security\Core\User\UserInterface;
+
 /**
  * PreAuthenticatedToken implements a pre-authenticated token.
  *
@@ -44,6 +46,8 @@ public function __construct($user, $credentials, $providerKey, array $roles = ar
         if ($roles) {
             $this->setAuthenticated(true);
         }
+
+        $this->setShouldUpdateRoles($user instanceof UserInterface && $user->getRoles() === $roles);
     }
 
     /**
 
@@ -22,4 +22,15 @@ interface RefreshableRolesTokenInterface
      * @param array $roles An array of roles
      */
     public function updateRoles(array $roles);
+
+    /**
+     * Returns whether or not roles *should* be updated on this token.
+     *
+     * This can be useful if your token is adding custom roles,
+     * and so you purposely do not want the roles in the token to
+     * be automatically reset.
+     *
+     * @return bool
+     */
+    public function shouldUpdateRoles();
 }
@@ -49,6 +49,7 @@ public function __construct(UserInterface $user, $providerKey, $secret)
 
         $this->setUser($user);
         parent::setAuthenticated(true);
+        $this->setShouldUpdateRoles(true);
     }
 
     /**
 
@@ -11,6 +11,8 @@
 
 namespace Symfony\Component\Security\Core\Authentication\Token;
 
+use Symfony\Component\Security\Core\User\UserInterface;
+
 /**
  * UsernamePasswordToken implements a username and password token.
  *
@@ -44,6 +46,8 @@ public function __construct($user, $credentials, $providerKey, array $roles = ar
         $this->providerKey = $providerKey;
 
         parent::setAuthenticated(count($roles) > 0);
+
+        $this->setShouldUpdateRoles($user instanceof UserInterface && $user->getRoles() === $roles);
     }
 
     /**
 
@@ -56,7 +56,7 @@ public function testAuthenticate()
     {
         $user = $this->getMockBuilder('Symfony\Component\Security\Core\User\UserInterface')->getMock();
         $user
-            ->expects($this->once())
+            ->expects($this->atLeastOnce())
             ->method('getRoles')
             ->will($this->returnValue(array()))
         ;
 
@@ -159,7 +159,7 @@ public function testAuthenticateWhenPostCheckAuthenticationFailsWithHideFalse()
     public function testAuthenticate()
     {
         $user = $this->getMockBuilder('Symfony\Component\Security\Core\User\UserInterface')->getMock();
-        $user->expects($this->once())
+        $user->expects($this->atLeastOnce())
              ->method('getRoles')
              ->will($this->returnValue(array('ROLE_FOO')))
         ;
@@ -193,7 +193,7 @@ public function testAuthenticate()
     public function testAuthenticateWithPreservingRoleSwitchUserRole()
     {
         $user = $this->getMockBuilder('Symfony\Component\Security\Core\User\UserInterface')->getMock();
-        $user->expects($this->once())
+        $user->expects($this->atLeastOnce())
              ->method('getRoles')
              ->will($this->returnValue(array('ROLE_FOO')))
         ;
 
@@ -48,6 +48,8 @@ public function __construct(UserInterface $user, $providerKey, array $roles)
         // this token is meant to be used after authentication success, so it is always authenticated
         // you could set it as non authenticated later if you need to
         parent::setAuthenticated(true);
+
+        $this->setShouldUpdateRoles($user instanceof UserInterface && $user->getRoles() === $roles);
     }
 
     /**
 
@@ -40,12 +40,14 @@ class ContextListener implements ListenerInterface
     private $tokenStorage;
     private $contextKey;
     private $sessionKey;
+    private $refreshableRolesSessionKey;
     private $logger;
     private $userProviders;
     private $dispatcher;
     private $registered;
     private $trustResolver;
     private $logoutOnUserChange = false;
+    private $refreshedToken;
 
     /**
      * @param TokenStorageInterface                     $tokenStorage
@@ -65,6 +67,8 @@ public function __construct(TokenStorageInterface $tokenStorage, $userProviders,
         $this->userProviders = $userProviders;
         $this->contextKey = $contextKey;
         $this->sessionKey = '_security_'.$contextKey;
+        $this->refreshableRolesSessionKey = $this->sessionKey.'_refreshable_roles';
+
         $this->logger = $logger;
         $this->dispatcher = $dispatcher;
         $this->trustResolver = $trustResolver ?: new AuthenticationTrustResolver(AnonymousToken::class, RememberMeToken::class);
@@ -120,14 +124,16 @@ public function handle(GetResponseEvent $event)
             $token = null;
         }
 
-        if ($token instanceof RefreshableRolesTokenInterface && $token->getUser() instanceof UserInterface) {
+        // see if this token wants the roles refreshed from the User
+        if ($session->get($this->refreshableRolesSessionKey) && $token->getUser() instanceof UserInterface) {
             if (null !== $this->logger) {
                 $this->logger->debug('Refreshing token roles from the User object');
             }
 
             $token->updateRoles($token->getUser()->getRoles());
         }
 
+        $this->refreshedToken = $token;
         $this->tokenStorage->setToken($token);
     }
 
@@ -155,13 +161,20 @@ public function onKernelResponse(FilterResponseEvent $event)
         if ((null === $token = $this->tokenStorage->getToken()) || $this->trustResolver->isAnonymous($token)) {
             if ($request->hasPreviousSession()) {
                 $session->remove($this->sessionKey);
+                $session->remove($this->refreshableRolesSessionKey);
             }
         } else {
             $session->set($this->sessionKey, serialize($token));
 
             if (null !== $this->logger) {
                 $this->logger->debug('Stored the security token in the session.', array('key' => $this->sessionKey));
             }
+
+            // if the token changed, then re-set the refreshable key
+            if ($token !== $this->refreshedToken) {
+                $shouldUpdateRoles = $token instanceof RefreshableRolesTokenInterface && $token->shouldUpdateRoles();
+                $session->set($this->refreshableRolesSessionKey, $shouldUpdateRoles);
+            }
         }
     }
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,8 @@`
`11`	`11`
`12`	`12`	`namespace Symfony\Component\Security\Core\Authentication\Token;`
`13`	`13`
	`14`	`+use Symfony\Component\Security\Core\User\UserInterface;`
	`15`	`+`
`14`	`16`	`/**`
`15`	`17`	`* PreAuthenticatedToken implements a pre-authenticated token.`
`16`	`18`	`*`
`@@ -44,6 +46,8 @@ public function __construct($user, $credentials, $providerKey, array $roles = ar`
`44`	`46`	`if ($roles) {`
`45`	`47`	`$this->setAuthenticated(true);`
`46`	`48`	`}`
	`49`	`+`
	`50`	`+ $this->setShouldUpdateRoles($user instanceof UserInterface && $user->getRoles() === $roles);`
`47`	`51`	`}`
`48`	`52`
`49`	`53`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,7 @@ public function __construct(UserInterface $user, $providerKey, $secret)`
`49`	`49`
`50`	`50`	`$this->setUser($user);`
`51`	`51`	`parent::setAuthenticated(true);`
	`52`	`+ $this->setShouldUpdateRoles(true);`
`52`	`53`	`}`
`53`	`54`
`54`	`55`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ public function testAuthenticate()`
`56`	`56`	`{`
`57`	`57`	`$user = $this->getMockBuilder('Symfony\Component\Security\Core\User\UserInterface')->getMock();`
`58`	`58`	`$user`
`59`		`- ->expects($this->once())`
	`59`	`+ ->expects($this->atLeastOnce())`
`60`	`60`	`->method('getRoles')`
`61`	`61`	`->will($this->returnValue(array()))`
`62`	`62`	`;`
Original file line number	Diff line number	Diff line change
`@@ -159,7 +159,7 @@ public function testAuthenticateWhenPostCheckAuthenticationFailsWithHideFalse()`
`159`	`159`	`public function testAuthenticate()`
`160`	`160`	`{`
`161`	`161`	`$user = $this->getMockBuilder('Symfony\Component\Security\Core\User\UserInterface')->getMock();`
`162`		`- $user->expects($this->once())`
	`162`	`+ $user->expects($this->atLeastOnce())`
`163`	`163`	`->method('getRoles')`
`164`	`164`	`->will($this->returnValue(array('ROLE_FOO')))`
`165`	`165`	`;`
`@@ -193,7 +193,7 @@ public function testAuthenticate()`
`193`	`193`	`public function testAuthenticateWithPreservingRoleSwitchUserRole()`
`194`	`194`	`{`
`195`	`195`	`$user = $this->getMockBuilder('Symfony\Component\Security\Core\User\UserInterface')->getMock();`
`196`		`- $user->expects($this->once())`
	`196`	`+ $user->expects($this->atLeastOnce())`
`197`	`197`	`->method('getRoles')`
`198`	`198`	`->will($this->returnValue(array('ROLE_FOO')))`
`199`	`199`	`;`
Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,8 @@ public function __construct(UserInterface $user, $providerKey, array $roles)`
`48`	`48`	`// this token is meant to be used after authentication success, so it is always authenticated`
`49`	`49`	`// you could set it as non authenticated later if you need to`
`50`	`50`	`parent::setAuthenticated(true);`
	`51`	`+`
	`52`	`+ $this->setShouldUpdateRoles($user instanceof UserInterface && $user->getRoles() === $roles);`
`51`	`53`	`}`
`52`	`54`
`53`	`55`	`/**`