EZP-32333: Validate access for 'change password' menu item #92
Conversation
| } | ||
|
|
||
| if (null !== $token && | ||
| is_object($token->getUser()) && |
There was a problem hiding this comment.
Can't we get currentUser from $token instead of fetching it from userService?
There was a problem hiding this comment.
Sadly not as $token is instance of Symfony\Component\Security\Core\User\UserInterface
There was a problem hiding this comment.
hm.
I would say token is instance of \Symfony\Component\Security\Core\Authentication\Token\TokenInterface,
And you can get \eZ\Publish\Core\MVC\Symfony\Security\User from getUser, and then API user with getAPIUser, right?
There was a problem hiding this comment.
yes, sorry, I mean getUser on $token was an instance of Symfony\Component\Security\Core\User\UserInterface, not the token itself. I'll take a second look at this.
There was a problem hiding this comment.
We actually can't get user with getAPIUser as this method is inside eZ\Publish\Core\MVC\Symfony\Security\UserInterface whether $token->getUser() gives us Symfony\Component\Security\Core\User\UserInterface.
There was a problem hiding this comment.
Why do we even bother asking TokenStorage for the User if we store it elsewhere?
There was a problem hiding this comment.
It was probably used as a first resort to validate the user, but if we should actually check it via permission resolver this could be skipped.
There was a problem hiding this comment.
Well, yes if you look at interfaces, but our implementation returns \Symfony\Component\Security\Core\User\User we could check for it (or more precise, checking if user is instance of \eZ\Publish\Core\MVC\Symfony\Security\ReferenceUserInterface , and act accordingly. or remove tokenStorage alltogether and just relay on userService.
|
Could you please merge up changes @barw4? |
As the title states.
Required
ezplatform-admin-uiPR: ezsystems/ezplatform-admin-ui#1759Checklist:
$ composer fix-cs)