[Security] Fix parent serialization of user object

symfony · Dec 23, 2013 · 2e4670d · 2e4670d
1 parent 6a9c223
commit 2e4670d
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 1 deletion.
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php
@@ -146,7 +146,14 @@ public function eraseCredentials()
      */
     public function serialize()
     {
-        return serialize(array($this->user, $this->authenticated, $this->roles, $this->attributes));
+        return serialize(
+            array(
+                is_object($this->user) ? clone $this->user : $this->user,
+                $this->authenticated,
+                $this->roles,
+                $this->attributes
+            )
+        );
     }
 
     /**

diff --git a/src/Symfony/Component/Security/Tests/Core/Authentication/Token/AbstractTokenTest.php b/src/Symfony/Component/Security/Tests/Core/Authentication/Token/AbstractTokenTest.php
@@ -11,7 +11,9 @@
 
 namespace Symfony\Component\Security\Tests\Core\Authentication\Token;
 
+use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
 use Symfony\Component\Security\Core\Role\Role;
+use Symfony\Component\Security\Core\Role\SwitchUserRole;
 
 class TestUser
 {
@@ -28,6 +30,31 @@ public function __toString()
     }
 }
 
+class ConcreteToken extends AbstractToken
+{
+    private $credentials = 'credentials_value';
+
+    public function __construct($user, array $roles = array())
+    {
+        parent::__construct($roles);
+
+        $this->setUser($user);
+    }
+
+    public function serialize()
+    {
+        return serialize(array($this->credentials, parent::serialize()));
+    }
+
+    public function unserialize($serialized)
+    {
+        list($this->credentials, $parentStr) = unserialize($serialized);
+        parent::unserialize($parentStr);
+    }
+
+    public function getCredentials() {}
+}
+
 class AbstractTokenTest extends \PHPUnit_Framework_TestCase
 {
     public function testGetUsername()
@@ -71,6 +98,20 @@ public function testSerialize()
         $this->assertEquals($token->getAttributes(), $uToken->getAttributes());
     }
 
+    public function testSerializeParent()
+    {
+        $user = new TestUser('fabien');
+        $token = new ConcreteToken($user, array('ROLE_FOO'));
+
+        $parentToken = new ConcreteToken($user, array(new SwitchUserRole('ROLE_PREVIOUS', $token)));
+        $uToken = unserialize(serialize($parentToken));
+
+        $this->assertEquals(
+            current($parentToken->getRoles())->getSource()->getUser(),
+            current($uToken->getRoles())->getSource()->getUser()
+        );
+    }
+
     /**
      * @covers Symfony\Component\Security\Core\Authentication\Token\AbstractToken::__construct
      */