Check roles instead of token

contao · Dec 10, 2019 · bbb0d6f · bbb0d6f
1 parent 26484b2
commit bbb0d6f
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 46 deletions.
diff --git a/core-bundle/src/Security/Authentication/Token/TokenChecker.php b/core-bundle/src/Security/Authentication/Token/TokenChecker.php
@@ -14,7 +14,6 @@
 
 use Contao\BackendUser;
 use Contao\FrontendUser;
-use Scheb\TwoFactorBundle\Security\Authentication\Token\TwoFactorTokenInterface;
 use Symfony\Bundle\SecurityBundle\Security\FirewallConfig;
 use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
 use Symfony\Component\HttpFoundation\RequestStack;
@@ -76,7 +75,7 @@ public function hasFrontendUser(): bool
     {
         $token = $this->getToken(self::FRONTEND_FIREWALL);
 
-        return null !== $token && !$token instanceof TwoFactorTokenInterface && $token->getUser() instanceof FrontendUser;
+        return null !== $token && \in_array('ROLE_MEMBER', array_map('strval', $token->getRoles()), true);
     }
 
     /**
@@ -86,7 +85,7 @@ public function hasBackendUser(): bool
     {
         $token = $this->getToken(self::BACKEND_FIREWALL);
 
-        return null !== $token && !$token instanceof TwoFactorTokenInterface && $token->getUser() instanceof BackendUser;
+        return null !== $token && \in_array('ROLE_USER', array_map('strval', $token->getRoles()), true);
     }
 
     /**

diff --git a/core-bundle/tests/Security/Authentication/Token/TokenCheckerTest.php b/core-bundle/tests/Security/Authentication/Token/TokenCheckerTest.php
@@ -19,7 +19,6 @@
 use Contao\FrontendUser;
 use Contao\User;
 use PHPUnit\Framework\MockObject\MockObject;
-use Scheb\TwoFactorBundle\Security\Authentication\Token\TwoFactorToken;
 use Symfony\Bundle\SecurityBundle\Security\FirewallConfig;
 use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
 use Symfony\Component\HttpFoundation\Request;
@@ -47,10 +46,10 @@ protected function setUp(): void
     /**
      * @dataProvider getUserInTokenStorageData
      */
-    public function testChecksForUserInTokenStorageIfFirewallContextMatches(string $class, string $firewallContext): void
+    public function testChecksForUserInTokenStorageIfFirewallContextMatches(string $class, string $firewallContext, array $roles): void
     {
         $user = $this->mockUser($class);
-        $token = new UsernamePasswordToken($user, 'password', 'provider', ['ROLE_USER']);
+        $token = new UsernamePasswordToken($user, 'password', 'provider', $roles);
 
         $session = $this->createMock(SessionInterface::class);
         $session
@@ -73,21 +72,33 @@ public function testChecksForUserInTokenStorageIfFirewallContextMatches(string $
         );
 
         if (FrontendUser::class === $class) {
-            $this->assertTrue($tokenChecker->hasFrontendUser());
-        } else {
+            if (\count($roles)) {
+                $this->assertTrue($tokenChecker->hasFrontendUser());
+            } else {
+                $this->assertFalse($tokenChecker->hasFrontendUser());
+            }
+        } elseif (\count($roles)) {
             $this->assertTrue($tokenChecker->hasBackendUser());
+        } else {
+            $this->assertFalse($tokenChecker->hasBackendUser());
         }
     }
 
+    public function getUserInTokenStorageData(): \Generator
+    {
+        yield [FrontendUser::class, 'contao_frontend', []];
+        yield [FrontendUser::class, 'contao_frontend', ['ROLE_MEMBER']];
+        yield [BackendUser::class, 'contao_backend', []];
+        yield [BackendUser::class, 'contao_backend', ['ROLE_USER']];
+    }
+
     /**
-     * @dataProvider getUserInTokenStorageData
+     * @dataProvider getUserInSessionData
      */
-    public function testChecksForTwoFactorTokenInTokenStorageIfFirewallContextMatches(string $class, string $firewallContext): void
+    public function testChecksForUserInSessionIfFirewallContextDoesNotMatch(string $class, string $firewallContext, array $roles): void
     {
         $user = $this->mockUser($class);
-        $token = new UsernamePasswordToken($user, 'password', 'provider', ['ROLE_USER']);
-
-        $twoFactorToken = new TwoFactorToken($token, null, '2fa-provider', []);
+        $token = new UsernamePasswordToken($user, 'password', 'provider', $roles);
 
         $session = $this->createMock(SessionInterface::class);
         $session
@@ -98,7 +109,7 @@ public function testChecksForTwoFactorTokenInTokenStorageIfFirewallContextMatche
         $tokenStorage = $this->createMock(TokenStorageInterface::class);
         $tokenStorage
             ->method('getToken')
-            ->willReturn($twoFactorToken)
+            ->willReturn($token)
         ;
 
         $tokenChecker = new TokenChecker(
@@ -109,35 +120,6 @@ public function testChecksForTwoFactorTokenInTokenStorageIfFirewallContextMatche
             $this->trustResolver
         );
 
-        if (FrontendUser::class === $class) {
-            $this->assertFalse($tokenChecker->hasFrontendUser());
-        } else {
-            $this->assertFalse($tokenChecker->hasBackendUser());
-        }
-    }
-
-    public function getUserInTokenStorageData(): \Generator
-    {
-        yield [FrontendUser::class, 'contao_frontend'];
-        yield [BackendUser::class, 'contao_backend'];
-    }
-
-    /**
-     * @dataProvider getUserInSessionData
-     */
-    public function testChecksForUserInSessionIfFirewallContextDoesNotMatch(string $class, string $firewallContext): void
-    {
-        $user = $this->mockUser($class);
-        $token = new UsernamePasswordToken($user, 'password', 'provider', ['ROLE_USER']);
-
-        $tokenChecker = new TokenChecker(
-            $this->mockRequestStack(),
-            $this->mockFirewallMapWithConfigContext($firewallContext),
-            $this->mockTokenStorage($class),
-            $this->mockSessionWithToken($token),
-            $this->trustResolver
-        );
-
         if (FrontendUser::class === $class) {
             $this->assertTrue($tokenChecker->hasFrontendUser());
         } else {
@@ -147,14 +129,14 @@ public function testChecksForUserInSessionIfFirewallContextDoesNotMatch(string $
 
     public function getUserInSessionData(): \Generator
     {
-        yield [FrontendUser::class, 'contao_backend'];
-        yield [BackendUser::class, 'contao_frontend'];
+        yield [BackendUser::class, 'contao_backend', ['ROLE_USER']];
+        yield [FrontendUser::class, 'contao_frontend', ['ROLE_MEMBER']];
     }
 
     public function testReturnsTheFrontendUsername(): void
     {
         $user = $this->mockUser(FrontendUser::class);
-        $token = new UsernamePasswordToken($user, 'password', 'provider', ['ROLE_USER']);
+        $token = new UsernamePasswordToken($user, 'password', 'provider', ['ROLE_MEMBER']);
 
         $tokenChecker = new TokenChecker(
             $this->mockRequestStack(),