[Admin] exit from impersonnification when access to admin pages

parti-renaissance · Apr 26, 2024 · 068bfe5 · 068bfe5
1 parent 9da5233
commit 068bfe5
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 5 deletions.
diff --git a/config/packages/security.yaml b/config/packages/security.yaml
@@ -581,6 +581,7 @@ security:
             pattern: ^/admin
             provider: admins_db
             switch_user: true
+            access_denied_handler: App\Security\AccessDeniedHandler
             form_login:
                 login_path: app_admin_login
                 check_path: app_admin_login_check
@@ -627,6 +628,7 @@ security:
                     - App\Security\LoginFormGuardAuthenticator
                     - lexik_jwt_authentication.jwt_token_authenticator
             entry_point: App\Security\LoginFormGuardAuthenticator
+            access_denied_handler: App\Security\AccessDeniedHandler
             login_link:
                 check_route: app_user_connect_with_magic_link
                 check_post_only: true

diff --git a/features/oauth.feature b/features/oauth.feature
@@ -4,11 +4,6 @@ Feature: Using OAuth for 2-legged OAuth flow (client credentials)
   As an API or an En-Marche! user
   I need to be able to access API data
 
-  Scenario: OAuth is not allowed for admin
-    Given I am logged as "superadmin@en-marche-dev.fr" admin
-    When I am on "/oauth/v2/auth?response_type=code&client_id=f80ce2df-af6d-4ce4-8239-04cfcefd5a19&redirect_uri=http%3A%2F%2Fclient-oauth.docker%3A8000%2Fclient%2Freceive_authcode&state=m94bmt522o81gtch7pj0kd7hdf"
-    Then the response status code should be 403
-
   Scenario: OAuth client_id is malformed
     Given I am logged as "simple-user@example.ch"
     When I am on "/oauth/v2/auth?response_type=code&client_id=-af6d-4ce4-8239-04cfcefd5a19"

diff --git a/src/Security/AccessDeniedHandler.php b/src/Security/AccessDeniedHandler.php
@@ -0,0 +1,46 @@
+<?php
+
+namespace App\Security;
+
+use App\Entity\Administrator;
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\Exception\MissingMandatoryParametersException;
+use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Security\Core\Security;
+use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
+
+class AccessDeniedHandler implements AccessDeniedHandlerInterface
+{
+    public function __construct(
+        private readonly Security $security,
+        private readonly UrlGeneratorInterface $urlGenerator,
+    ) {
+    }
+
+    public function handle(Request $request, AccessDeniedException $accessDeniedException): ?Response
+    {
+        if ($request->isXmlHttpRequest() || \in_array('application/json', $request->getAcceptableContentTypes())) {
+            return null;
+        }
+
+        $user = $this->security->getUser();
+
+        if ($user instanceof Administrator && !str_starts_with($request->getPathInfo(), '/admin/')) {
+            return new RedirectResponse($this->urlGenerator->generate('admin_app_adherent_list'));
+        }
+
+        if ($this->security->isGranted('ROLE_PREVIOUS_ADMIN')) {
+            try {
+                return new RedirectResponse(
+                    $this->urlGenerator->generate($request->attributes->get('_route'), ['_switch_user' => '_exit'])
+                );
+            } catch (MissingMandatoryParametersException $exception) {
+            }
+        }
+
+        return null;
+    }
+}