[Security] Return default value instead of deferring to lower prio resolvers when using #[CurrentUser] and no user is found

Seldaek · nicolas-grekas · commit 595b62692c74 · 2023-01-19T14:43:31.000+01:00
diff --git a/Controller/UserValueResolver.php b/Controller/UserValueResolver.php
@@ -47,11 +47,6 @@ public function supports(Request $request, ArgumentMetadata $argument): bool
             return false;
         }
 
-        // if no user is present but a default value exists we delegate to DefaultValueResolver
-        if ($argument->hasDefaultValue() && null === $this->tokenStorage->getToken()?->getUser()) {
-            return false;
-        }
-
         return true;
     }
 
@@ -62,20 +57,21 @@ public function resolve(Request $request, ArgumentMetadata $argument): array
         if (UserInterface::class !== $argument->getType() && !$argument->getAttributesOfType(CurrentUser::class, ArgumentMetadata::IS_INSTANCEOF)) {
             return [];
         }
-        $user = $this->tokenStorage->getToken()?->getUser();
 
-        // if no user is present but a default value exists we delegate to DefaultValueResolver
-        if ($argument->hasDefaultValue() && null === $user) {
-            return [];
-        }
+        if (null === $user = $this->tokenStorage->getToken()?->getUser()) {
+            // if no user is present but a default value exists we use it to prevent the EntityValueResolver or others
+            // from attempting resolution of the User as the current logged in user was requested here
+            if ($argument->hasDefaultValue()) {
+                return [$argument->getDefaultValue()];
+            }
 
-        if (null === $user) {
             if (!$argument->isNullable()) {
                 throw new AccessDeniedException(sprintf('There is no logged-in user to pass to $%s, make the argument nullable if you want to allow anonymous access to the action.', $argument->getName()));
             }
 
             return [null];
         }
+
         if (null === $argument->getType() || $user instanceof ($argument->getType())) {
             return [$user];
         }
diff --git a/Tests/Controller/UserValueResolverTest.php b/Tests/Controller/UserValueResolverTest.php
@@ -28,7 +28,7 @@
 class UserValueResolverTest extends TestCase
 {
     /**
-     * In Symfony 7, keep this test case but remove the call to supports()
+     * In Symfony 7, keep this test case but remove the call to supports().
      *
      * @group legacy
      */
@@ -43,18 +43,18 @@ public function testSupportsFailsWithNoType()
     }
 
     /**
-     * In Symfony 7, keep this test case but remove the call to supports()
+     * In Symfony 7, keep this test case but remove the call to supports().
      *
      * @group legacy
      */
     public function testSupportsFailsWhenDefaultValAndNoUser()
     {
         $tokenStorage = new TokenStorage();
         $resolver = new UserValueResolver($tokenStorage);
-        $metadata = new ArgumentMetadata('foo', UserInterface::class, false, true, new InMemoryUser('username', 'password'));
+        $metadata = new ArgumentMetadata('foo', UserInterface::class, false, true, $default = new InMemoryUser('username', 'password'));
 
-        $this->assertSame([], $resolver->resolve(Request::create('/'), $metadata));
-        $this->assertFalse($resolver->supports(Request::create('/'), $metadata));
+        $this->assertSame([$default], $resolver->resolve(Request::create('/'), $metadata));
+        $this->assertTrue($resolver->supports(Request::create('/'), $metadata));
     }
 
     public function testResolveSucceedsWithUserInterface()

Original file line number	Diff line number	Diff line change
`@@ -47,11 +47,6 @@ public function supports(Request $request, ArgumentMetadata $argument): bool`
`47`	`47`	`return false;`
`48`	`48`	`}`
`49`	`49`
`50`		`- // if no user is present but a default value exists we delegate to DefaultValueResolver`
`51`		`- if ($argument->hasDefaultValue() && null === $this->tokenStorage->getToken()?->getUser()) {`
`52`		`- return false;`
`53`		`- }`
`54`		`-`
`55`	`50`	`return true;`
`56`	`51`	`}`
`57`	`52`
`@@ -62,20 +57,21 @@ public function resolve(Request $request, ArgumentMetadata $argument): array`
`62`	`57`	`if (UserInterface::class !== $argument->getType() && !$argument->getAttributesOfType(CurrentUser::class, ArgumentMetadata::IS_INSTANCEOF)) {`
`63`	`58`	`return [];`
`64`	`59`	`}`
`65`		`- $user = $this->tokenStorage->getToken()?->getUser();`
`66`	`60`
`67`		`- // if no user is present but a default value exists we delegate to DefaultValueResolver`
`68`		`- if ($argument->hasDefaultValue() && null === $user) {`
`69`		`- return [];`
`70`		`- }`
	`61`	`+ if (null === $user = $this->tokenStorage->getToken()?->getUser()) {`
	`62`	`+ // if no user is present but a default value exists we use it to prevent the EntityValueResolver or others`
	`63`	`+ // from attempting resolution of the User as the current logged in user was requested here`
	`64`	`+ if ($argument->hasDefaultValue()) {`
	`65`	`+ return [$argument->getDefaultValue()];`
	`66`	`+ }`
`71`	`67`
`72`		`- if (null === $user) {`
`73`	`68`	`if (!$argument->isNullable()) {`
`74`	`69`	`throw new AccessDeniedException(sprintf('There is no logged-in user to pass to $%s, make the argument nullable if you want to allow anonymous access to the action.', $argument->getName()));`
`75`	`70`	`}`
`76`	`71`
`77`	`72`	`return [null];`
`78`	`73`	`}`
	`74`	`+`
`79`	`75`	`if (null === $argument->getType() \|\| $user instanceof ($argument->getType())) {`
`80`	`76`	`return [$user];`
`81`	`77`	`}`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@`
`28`	`28`	`class UserValueResolverTest extends TestCase`
`29`	`29`	`{`
`30`	`30`	`/**`
`31`		`- * In Symfony 7, keep this test case but remove the call to supports()`
	`31`	`+ * In Symfony 7, keep this test case but remove the call to supports().`
`32`	`32`	`*`
`33`	`33`	`* @group legacy`
`34`	`34`	`*/`
`@@ -43,18 +43,18 @@ public function testSupportsFailsWithNoType()`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`/**`
`46`		`- * In Symfony 7, keep this test case but remove the call to supports()`
	`46`	`+ * In Symfony 7, keep this test case but remove the call to supports().`
`47`	`47`	`*`
`48`	`48`	`* @group legacy`
`49`	`49`	`*/`
`50`	`50`	`public function testSupportsFailsWhenDefaultValAndNoUser()`
`51`	`51`	`{`
`52`	`52`	`$tokenStorage = new TokenStorage();`
`53`	`53`	`$resolver = new UserValueResolver($tokenStorage);`
`54`		`- $metadata = new ArgumentMetadata('foo', UserInterface::class, false, true, new InMemoryUser('username', 'password'));`
	`54`	`+ $metadata = new ArgumentMetadata('foo', UserInterface::class, false, true, $default = new InMemoryUser('username', 'password'));`
`55`	`55`
`56`		`- $this->assertSame([], $resolver->resolve(Request::create('/'), $metadata));`
`57`		`- $this->assertFalse($resolver->supports(Request::create('/'), $metadata));`
	`56`	`+ $this->assertSame([$default], $resolver->resolve(Request::create('/'), $metadata));`
	`57`	`+ $this->assertTrue($resolver->supports(Request::create('/'), $metadata));`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`public function testResolveSucceedsWithUserInterface()`