Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

fix src/AppBundle/Security/TimeAuthenticator.php #10146

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

fix src/AppBundle/Security/TimeAuthenticator.php #10146

wants to merge 1 commit into from

Conversation

Reyh
Copy link

@Reyh Reyh commented Aug 3, 2018

$isPasswordValid was emty
isPasswordValid attempted UserInterface first argument, string given

@Reyh
fix src/AppBundle/Security/TimeAuthenticator.php
a45ace9 
$isPasswordValid was emty
isPasswordValid attempted UserInterface first argument, string given
@xabbuh
Copy link
Member

xabbuh commented Aug 3, 2018

Shouldn't we remove the if below instead? I fail to see how $isPasswordValid could ever be false.

@Reyh
Copy link
Author

Reyh commented Aug 6, 2018 

        if ($currentUser instanceof UserInterface) {
            if ($currentUser->getPassword() !== $user->getPassword()) {
                throw new BadCredentialsException('The credentials were changed from another session.');
            }
        } else {
            if ('' === ($givenPassword = $token->getCredentials())) {
                throw new BadCredentialsException('The given password cannot be empty.');
            }
            if (!$this->encoder->isPasswordValid($user->getPassword(), $givenPassword, $user->getSalt())) {
                throw new BadCredentialsException('The given password is invalid.');
            }
        }
        if ($isPasswordValid) {
                ...
        }

I think $isPasswordValid was undefined

@xabbuh
Copy link
Member

xabbuh commented Aug 6, 2018

That's right. But what I mean is that even if we initialise the variable now, it will never be false when the if ($isPasswordValid) statement is reached (because in those cases the code above would have already exited the method with an exception), right?

apfelbox
apfelbox reviewed Aug 6, 2018
View reviewed changes
security/custom_password_authenticator.rst
throw new BadCredentialsException('The credentials were changed from another session.');
}
} else {
if ('' === ($givenPassword = $token->getCredentials())) {
throw new BadCredentialsException('The given password cannot be empty.');
}
if (!$this->encoder->isPasswordValid($user->getPassword(), $givenPassword, $user->getSalt())) {
if (!$isPasswordValid=$this->encoder->isPasswordValid($user, $givenPassword, $user->getSalt())) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is wrong, should be:

if ($isPasswordValid = !$this->encoder->isPasswordValid($user, $givenPassword, $user->getSalt())) {

(look at the position of !)

@apfelbox
Copy link
Contributor

apfelbox commented Aug 6, 2018
edited
Loading

I agree with @xabbuh, we should just remove the if.

It seems that it was overlooked when making this change: https://github.com/Reyh/symfony-docs/commit/3fb163c0792f695e85bbdbe1dbdc138db58f8e5e#diff-0afb1ed1142b93956c79786c3b4c6550

@weaverryan
Copy link
Member

Wait a second. This whole new code block is a bit insane :). I see it was added in #10100 to fix #4579.

Let's fix any logic needed here. But this article should be re-written to support Guard.

Do we know what we want the logic to look like exactly?

@javiereguiluz javiereguiluz mentioned this pull request Oct 8, 2018
Merged
@javiereguiluz
Copy link
Member

@Reyh thanks a lot for this contribution and for helping us improve the current code. Sadly this pull request "stalled" and there are merge conflicts, so I've opened #10448 to make the alternative fix proposed by @xabbuh. In any case, we hope to see more contributions from you in the future for Symfony Docs. Thanks a lot!

@javiereguiluz javiereguiluz mentioned this pull request Oct 8, 2018
Merged
javiereguiluz added a commit that referenced this pull request Oct 8, 2018
@javiereguiluz
minor #10448 Fixed the logic of the custom password authenticator (ja…
e00007f 
…viereguiluz)

This PR was merged into the 3.4 branch.

Discussion
----------

Fixed the logic of the custom password authenticator

This finishes #10146.

Commits
-------

2b1e5b5 Fixed the logic of the custom password authenticator
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@apfelbox apfelbox apfelbox left review comments

Assignees
No one assigned
Labels
Status: Needs Review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@Reyh @xabbuh @apfelbox @weaverryan @javiereguiluz @carsonbot
Morty Proxy This is a proxified and sanitized view of the page, visit original site.