Closed
Symfony version(s) affected: 4.4 / 5.0
Description
It seems there is a mistake here:
How to reproduce
When simulating authentication, the roles passed to UsernamePasswordToken have to be identical to the user roles retrieved by the user provider. It doesn't make any sense. The fourth parameter of UsernamePasswordToken is useless in this case.
```php
// These imports belong at the top of the functional test class that contains logIn():
use Symfony\Component\BrowserKit\Cookie;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;

private function logIn()
{
    $session = self::$container->get('session');

    $firewallName = 'secure_area';
    // if you don't define multiple connected firewalls, the context defaults to the firewall name
    // See https://symfony.com/doc/current/reference/configuration/security.html#firewall-context
    // Note: 'secure_area' and 'secured_area' differ here; unless a firewall context with that
    // name is configured, the session key below will not match the firewall that reads it.
    $firewallContext = 'secured_area';

    // you may need to use a different token class depending on your application.
    // for example, when using Guard authentication you must instantiate PostAuthenticationGuardToken
    // Fourth argument: the roles stored in the token. The issue is that they must match
    // exactly what the user provider returns, or the token is considered changed.
    $token = new UsernamePasswordToken('admin', null, $firewallName, ['ROLE_ADMIN']);

    // Store the serialized token under the key the firewall's context listener reads.
    $session->set('_security_'.$firewallContext, serialize($token));
    $session->save();

    // Send the session cookie with every request made by the test client.
    $cookie = new Cookie($session->getName(), $session->getId());
    $this->client->getCookieJar()->set($cookie);
}
```
Possible Solution
It should be:

```php
if (\count($userRoles) !== \count($this->user->getRoles()) || \count($userRoles) !== \count(array_intersect($userRoles, $this->user->getRoles()))) {
```

instead of

```php
if (\count($userRoles) !== \count($this->getRoleNames()) || \count($userRoles) !== \count(array_intersect($userRoles, $this->getRoleNames()))) {
```
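To make the difference between the two checks concrete, here is a small stand-alone model of the comparison quoted above, applied to the test scenario from "How to reproduce". This is an added example, not Symfony's code; `FakeUser`, `FakeToken` and `rolesDiffer()` are hypothetical stand-ins for the real user, token and the inline `if` expression.

```php
<?php
// Added example (not Symfony's own code): models the role comparison quoted in
// this issue so the effect of the current and proposed checks can be compared.

// The exact expression from the issue: arrays are "equal" when they have the
// same length and their intersection has that same length.
function rolesDiffer(array $a, array $b): bool
{
    return \count($a) !== \count($b)
        || \count($a) !== \count(array_intersect($a, $b));
}

final class FakeUser // hypothetical stand-in for a UserInterface implementation
{
    private $roles;
    public function __construct(array $roles) { $this->roles = $roles; }
    public function getRoles(): array { return $this->roles; }
}

final class FakeToken // hypothetical stand-in for UsernamePasswordToken
{
    private $user;
    private $roleNames;
    public function __construct(FakeUser $user, array $roleNames)
    {
        $this->user = $user;          // user stored in the token
        $this->roleNames = $roleNames; // roles passed as the token's fourth argument
    }
    public function getRoleNames(): array { return $this->roleNames; }

    // Current check: roles of the refreshed user vs the token's own role names.
    public function hasUserChangedCurrent(FakeUser $refreshed): bool
    {
        return rolesDiffer($refreshed->getRoles(), $this->getRoleNames());
    }

    // Proposed check: roles of the refreshed user vs roles of the stored user.
    public function hasUserChangedProposed(FakeUser $refreshed): bool
    {
        return rolesDiffer($refreshed->getRoles(), $this->user->getRoles());
    }
}

// Constructed scenario: the test serialises a token carrying only ROLE_ADMIN,
// while the user provider returns the same user with two roles.
$stored    = new FakeUser(['ROLE_ADMIN', 'ROLE_USER']);
$token     = new FakeToken($stored, ['ROLE_ADMIN']);
$refreshed = new FakeUser(['ROLE_ADMIN', 'ROLE_USER']);

var_dump($token->hasUserChangedCurrent($refreshed));
var_dump($token->hasUserChangedProposed($refreshed));
```

With these inputs the current check reports the user as changed (so the simulated session is treated as deauthenticated), while the proposed check does not, because the stored user and the refreshed user carry the same roles.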