Additionally check if trusted option is set by context

Otherwise it's possible to set it explicitly in the context and be trusted even when it should not have been
scheb · Aug 14, 2016 · 17fffbd · 17fffbd
1 parent e9f3d5e
commit 17fffbd
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 1 deletion.
diff --git a/Security/TwoFactor/Trusted/TrustedFilter.php b/Security/TwoFactor/Trusted/TrustedFilter.php
@@ -86,7 +86,7 @@ public function requestAuthenticationCode(AuthenticationContextInterface $contex
         if ($response instanceof Response) {
 
             // Set trusted cookie
-            if ($context->isAuthenticated() && $request->get($this->trustedName)) {
+            if ($context->isAuthenticated() && $context->useTrustedOption() && $request->get($this->trustedName)) {
                 $cookie = $this->cookieManager->createTrustedCookie($request, $user);
                 $response->headers->setCookie($cookie);
             }

diff --git a/Tests/Security/TwoFactor/Trusted/TrustedFilterTest.php b/Tests/Security/TwoFactor/Trusted/TrustedFilterTest.php
@@ -331,6 +331,11 @@ public function requestAuthenticationCode_authenticatedAndTrustedChecked_setTrus
             ->method('isAuthenticated')
             ->will($this->returnValue(true));
 
+        $context
+            ->expects($this->once())
+            ->method('useTrustedOption')
+            ->will($this->returnValue(true));
+
         //Stub the authentication handler
         $response = $this->getResponse();
         $this->authHandler
@@ -354,4 +359,34 @@ public function requestAuthenticationCode_authenticatedAndTrustedChecked_setTrus
 
         $this->trustedFilter->requestAuthenticationCode($context);
     }
+
+    /**
+     * @test
+     */
+    public function requestAuthenticationCode_shouldCheckIfTrustedIsAllowedByContext()
+    {
+        $context = $this->getAuthenticationContext();
+
+        $context
+            ->expects($this->once())
+            ->method('isAuthenticated')
+            ->will($this->returnValue(true));
+
+        $context->expects($this->once())
+            ->method('useTrustedOption')
+            ->will($this->returnValue(false));
+
+        $this->authHandler
+            ->expects($this->once())
+            ->method('requestAuthenticationCode')
+            ->with($context)
+            ->will($this->returnValue(new Response('<form></form>')));
+
+        $this->cookieManager
+            ->expects($this->never())
+            ->method('createTrustedCookie');
+
+        $returnValue = $this->trustedFilter->requestAuthenticationCode($context);
+        $this->assertInstanceOf('Symfony\Component\HttpFoundation\Response', $returnValue);
+    }
 }