Skip to content

Commit c38fe1c

Browse files
chalasrchalasr
committed
Merge branch '3.4' into 4.4
* 3.4: [Security] Allow switching to another user when already switched
2 parents e3f826d + 20abb20 commit c38fe1c

File tree

2 files changed

+36
-2
lines changed

2 files changed

+36
-2
lines changed

Firewall/SwitchUserListener.php

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -154,7 +154,8 @@ private function attemptSwitchUser(Request $request, string $username): ?TokenIn
154154
return $token;
155155
}
156156

157-
throw new \LogicException(sprintf('You are already switched to "%s" user.', $token->getUsername()));
157+
// User already switched, exit before seamlessly switching to another user
158+
$token = $this->attemptExitUser($request);
158159
}
159160

160161
$currentUsername = $token->getUsername();
@@ -189,7 +190,7 @@ private function attemptSwitchUser(Request $request, string $username): ?TokenIn
189190
$this->userChecker->checkPostAuth($user);
190191

191192
$roles = $user->getRoles();
192-
$roles[] = new SwitchUserRole('ROLE_PREVIOUS_ADMIN', $this->tokenStorage->getToken(), false);
193+
$roles[] = new SwitchUserRole('ROLE_PREVIOUS_ADMIN', $token, false);
193194

194195
$token = new SwitchUserToken($user, $user->getPassword(), $this->providerKey, $roles, $token);
195196

Tests/Firewall/SwitchUserListenerTest.php

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -240,6 +240,39 @@ public function testSwitchUser()
240240
$this->assertInstanceOf('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', $this->tokenStorage->getToken());
241241
}
242242

243+
public function testSwitchUserAlreadySwitched()
244+
{
245+
$originalToken = new UsernamePasswordToken('original', null, 'key', ['ROLE_FOO']);
246+
$alreadySwitchedToken = new SwitchUserToken('switched_1', null, 'key', ['ROLE_BAR'], $originalToken);
247+
248+
$tokenStorage = new TokenStorage();
249+
$tokenStorage->setToken($alreadySwitchedToken);
250+
251+
$targetUser = new User('kuba', 'password', ['ROLE_FOO', 'ROLE_BAR']);
252+
253+
$this->request->query->set('_switch_user', 'kuba');
254+
255+
$this->accessDecisionManager->expects($this->once())
256+
->method('decide')->with($originalToken, ['ROLE_ALLOWED_TO_SWITCH'], $targetUser)
257+
->willReturn(true);
258+
259+
$this->userProvider->expects($this->exactly(2))
260+
->method('loadUserByUsername')
261+
->withConsecutive(['kuba'])
262+
->will($this->onConsecutiveCalls($targetUser, $this->throwException(new UsernameNotFoundException())));
263+
$this->userChecker->expects($this->once())
264+
->method('checkPostAuth')->with($targetUser);
265+
266+
$listener = new SwitchUserListener($tokenStorage, $this->userProvider, $this->userChecker, 'provider123', $this->accessDecisionManager, null, '_switch_user', 'ROLE_ALLOWED_TO_SWITCH', null, false);
267+
$listener($this->event);
268+
269+
$this->assertSame([], $this->request->query->all());
270+
$this->assertSame('', $this->request->server->get('QUERY_STRING'));
271+
$this->assertInstanceOf(SwitchUserToken::class, $tokenStorage->getToken());
272+
$this->assertSame('kuba', $tokenStorage->getToken()->getUsername());
273+
$this->assertSame($originalToken, $tokenStorage->getToken()->getOriginalToken());
274+
}
275+
243276
public function testSwitchUserWorksWithFalsyUsernames()
244277
{
245278
$token = new UsernamePasswordToken('username', '', 'key', ['ROLE_FOO']);

0 commit comments

Comments
 (0)