Throw access denied if CurrentUser cannot be resolved instead of a 500

Seldaek · fabpot · commit 8af26661515d · 2022-03-17T07:48:57.000+01:00
diff --git a/Controller/UserValueResolver.php b/Controller/UserValueResolver.php
@@ -15,7 +15,7 @@
 use Symfony\Component\HttpKernel\Controller\ArgumentValueResolverInterface;
 use Symfony\Component\HttpKernel\ControllerMetadata\ArgumentMetadata;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
-use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Http\Attribute\CurrentUser;
 
@@ -41,13 +41,27 @@ public function supports(Request $request, ArgumentMetadata $argument): bool
             return false;
         }
 
-        $token = $this->tokenStorage->getToken();
+        // if no user is present but a default value exists we delegate to DefaultValueResolver
+        if ($argument->hasDefaultValue() && null === $this->tokenStorage->getToken()?->getUser()) {
+            return false;
+        }
 
-        return $token instanceof TokenInterface;
+        return true;
     }
 
     public function resolve(Request $request, ArgumentMetadata $argument): iterable
     {
-        yield $this->tokenStorage->getToken()->getUser();
+        $user = $this->tokenStorage->getToken()?->getUser();
+
+        if (null === $user) {
+            if (!$argument->isNullable()) {
+                throw new AccessDeniedException(sprintf('There is no logged-in user to pass to $%s, make the argument nullable if you want to allow anonymous access to the action.', $argument->getName()));
+            }
+            yield null;
+        } elseif (null === $argument->getType() || $user instanceof ($argument->getType())) {
+            yield $user;
+        } else {
+            throw new AccessDeniedException(sprintf('The logged-in user is an instance of "%s" and an user of type "%s" is expected.', $user::class, $argument->getType()));
+        }
     }
 }
diff --git a/Tests/Controller/UserValueResolverTest.php b/Tests/Controller/UserValueResolverTest.php
@@ -16,61 +16,77 @@
 use Symfony\Component\HttpKernel\Controller\ArgumentResolver;
 use Symfony\Component\HttpKernel\Controller\ArgumentResolver\DefaultValueResolver;
 use Symfony\Component\HttpKernel\ControllerMetadata\ArgumentMetadata;
+use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Http\Attribute\CurrentUser;
 use Symfony\Component\Security\Http\Controller\UserValueResolver;
 
 class UserValueResolverTest extends TestCase
 {
-    public function testResolveNoToken()
+    public function testSupportsFailsWithNoType()
     {
         $tokenStorage = new TokenStorage();
         $resolver = new UserValueResolver($tokenStorage);
-        $metadata = new ArgumentMetadata('foo', UserInterface::class, false, false, null);
+        $metadata = new ArgumentMetadata('foo', null, false, false, null);
 
         $this->assertFalse($resolver->supports(Request::create('/'), $metadata));
     }
 
-    public function testResolveNoUser()
+    public function testSupportsFailsWhenDefaultValAndNoUser()
     {
-        $mock = $this->createMock(UserInterface::class);
-        $token = new UsernamePasswordToken(new InMemoryUser('username', 'password'), 'provider');
         $tokenStorage = new TokenStorage();
-        $tokenStorage->setToken($token);
-
         $resolver = new UserValueResolver($tokenStorage);
-        $metadata = new ArgumentMetadata('foo', \get_class($mock), false, false, null);
+        $metadata = new ArgumentMetadata('foo', UserInterface::class, false, true, new InMemoryUser('username', 'password'));
 
         $this->assertFalse($resolver->supports(Request::create('/'), $metadata));
     }
 
-    public function testResolveWrongType()
+    public function testResolveSucceedsWithUserInterface()
     {
+        $user = new InMemoryUser('username', 'password');
+        $token = new UsernamePasswordToken($user, 'provider');
         $tokenStorage = new TokenStorage();
+        $tokenStorage->setToken($token);
+
         $resolver = new UserValueResolver($tokenStorage);
-        $metadata = new ArgumentMetadata('foo', null, false, false, null);
+        $metadata = new ArgumentMetadata('foo', UserInterface::class, false, false, null);
 
-        $this->assertFalse($resolver->supports(Request::create('/'), $metadata));
+        $this->assertTrue($resolver->supports(Request::create('/'), $metadata));
+        $this->assertSame([$user], iterator_to_array($resolver->resolve(Request::create('/'), $metadata)));
     }
 
-    public function testResolve()
+    public function testResolveSucceedsWithSubclassType()
     {
         $user = new InMemoryUser('username', 'password');
         $token = new UsernamePasswordToken($user, 'provider');
         $tokenStorage = new TokenStorage();
         $tokenStorage->setToken($token);
 
         $resolver = new UserValueResolver($tokenStorage);
-        $metadata = new ArgumentMetadata('foo', UserInterface::class, false, false, null);
+        $metadata = new ArgumentMetadata('foo', InMemoryUser::class, false, false, null, false, [new CurrentUser()]);
 
         $this->assertTrue($resolver->supports(Request::create('/'), $metadata));
         $this->assertSame([$user], iterator_to_array($resolver->resolve(Request::create('/'), $metadata)));
     }
 
-    public function testResolveWithAttribute()
+    public function testResolveSucceedsWithNullableParamAndNoUser()
+    {
+        $token = new NullToken();
+        $tokenStorage = new TokenStorage();
+        $tokenStorage->setToken($token);
+
+        $resolver = new UserValueResolver($tokenStorage);
+        $metadata = new ArgumentMetadata('foo', InMemoryUser::class, false, false, null, true, [new CurrentUser()]);
+
+        $this->assertTrue($resolver->supports(Request::create('/'), $metadata));
+        $this->assertSame([null], iterator_to_array($resolver->resolve(Request::create('/'), $metadata)));
+    }
+
+    public function testResolveSucceedsWithNullableAttribute()
     {
         $user = new InMemoryUser('username', 'password');
         $token = new UsernamePasswordToken($user, 'provider');
@@ -85,14 +101,59 @@ public function testResolveWithAttribute()
         $this->assertSame([$user], iterator_to_array($resolver->resolve(Request::create('/'), $metadata)));
     }
 
-    public function testResolveWithAttributeAndNoUser()
+    public function testResolveSucceedsWithTypedAttribute()
     {
+        $user = new InMemoryUser('username', 'password');
+        $token = new UsernamePasswordToken($user, 'provider');
         $tokenStorage = new TokenStorage();
+        $tokenStorage->setToken($token);
 
         $resolver = new UserValueResolver($tokenStorage);
-        $metadata = new ArgumentMetadata('foo', null, false, false, null, false, [new CurrentUser()]);
+        $metadata = $this->createMock(ArgumentMetadata::class);
+        $metadata = new ArgumentMetadata('foo', InMemoryUser::class, false, false, null, false, [new CurrentUser()]);
 
-        $this->assertFalse($resolver->supports(Request::create('/'), $metadata));
+        $this->assertTrue($resolver->supports(Request::create('/'), $metadata));
+        $this->assertSame([$user], iterator_to_array($resolver->resolve(Request::create('/'), $metadata)));
+    }
+
+    public function testResolveThrowsAccessDeniedWithWrongUserClass()
+    {
+        $user = $this->createMock(UserInterface::class);
+        $token = new UsernamePasswordToken($user, 'provider');
+        $tokenStorage = new TokenStorage();
+        $tokenStorage->setToken($token);
+
+        $resolver = new UserValueResolver($tokenStorage);
+        $metadata = new ArgumentMetadata('foo', InMemoryUser::class, false, false, null, false, [new CurrentUser()]);
+
+        $this->assertTrue($resolver->supports(Request::create('/'), $metadata));
+        $this->expectException(AccessDeniedException::class);
+        $this->expectExceptionMessageMatches('/^The logged-in user is an instance of "Mock_UserInterface[^"]+" and an user of type "Symfony\\\\Component\\\\Security\\\\Core\\\\User\\\\InMemoryUser" is expected.$/');
+        iterator_to_array($resolver->resolve(Request::create('/'), $metadata));
+    }
+
+    public function testResolveThrowsAccessDeniedWithAttributeAndNoUser()
+    {
+        $tokenStorage = new TokenStorage();
+
+        $resolver = new UserValueResolver($tokenStorage);
+        $metadata = new ArgumentMetadata('foo', UserInterface::class, false, false, null, false, [new CurrentUser()]);
+
+        $this->assertTrue($resolver->supports(Request::create('/'), $metadata));
+        $this->expectException(AccessDeniedException::class);
+        $this->expectExceptionMessage('There is no logged-in user to pass to $foo, make the argument nullable if you want to allow anonymous access to the action.');
+        iterator_to_array($resolver->resolve(Request::create('/'), $metadata));
+    }
+
+    public function testResolveThrowsAcessDeniedWithNoToken()
+    {
+        $tokenStorage = new TokenStorage();
+        $resolver = new UserValueResolver($tokenStorage);
+        $metadata = new ArgumentMetadata('foo', UserInterface::class, false, false, null);
+
+        $this->assertTrue($resolver->supports(Request::create('/'), $metadata));
+        $this->expectException(AccessDeniedException::class);
+        iterator_to_array($resolver->resolve(Request::create('/'), $metadata));
     }
 
     public function testIntegration()
