Commit
This fixes a security issue if the user is allowed to change his username and enters an invalid one as this new name would be stored in the session and used by the next request.
@@ -123,8 +123,16 @@ public function refreshUser(SecurityUserInterface $user) | |
| if (!$user instanceof $class) { | ||
| throw new UnsupportedUserException('Account is not supported.'); | ||
| } | ||
| if (!$user instanceof User) { | ||
| throw new UnsupportedUserException(sprintf('Expected an instance of FOS\UserBundle\Model\User, but got "%s".', get_class($user))); | ||
DenisGorbachev
| } | ||
| $user = $this->findUserBy(array('id' => $user->getId())); | ||
| if (null === $user) { | ||
| throw new UsernameNotFoundException(sprintf('User with ID "%d" could not be reloaded.', $user->getId())); | ||
| } | ||
| return $this->loadUserByUsername($user->getUsername()); | ||
| return $user; | ||
| } | ||
| /** | ||
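Review bot: the null check right after `$user = $this->findUserBy(array('id' => $user->getId()));` calls `$user->getId()` inside the `UsernameNotFoundException` message, but by then `$user` has already been reassigned to null, so the error path dies with a "call to a member function on null" fatal error instead of throwing the intended exception. Capture the id before the lookup, e.g. `$id = $user->getId();` then `$user = $this->findUserBy(array('id' => $id));`, and format `$id` in the message. The `%d` specifier in that message also assumes an integer id; `%s` would keep non-integer identifiers readable. Reloading by id rather than by the username stored in the session is otherwise the right fix for the issue the commit message describes.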
Is it necessary to enforce FOS\UserBundle\Model\User? Maybe FOS\UserBundle\Model\UserInterface would suffice? I've written my own user class that doesn't extend FOS\UserBundle\Model\User, but is perfectly valid for this provider.