
Don't let falsey usernames slip through
j4nr6n committed Oct 1, 2019
1 parent d2b66ff commit 8f0f211
Showing 2 changed files with 35 additions and 2 deletions.
Expand Up @@ -77,9 +77,16 @@ public function __construct(TokenStorageInterface $tokenStorage, UserProviderInt
public function handle(GetResponseEvent $event)
{
$request = $event->getRequest();
$username = $request->get($this->usernameParameter) ?: $request->headers->get($this->usernameParameter);

if (!$username) {
// usernames can be falsy
$username = $request->get($this->usernameParameter);

if (null === $username) {
$username = $request->headers->get($this->usernameParameter);
}

// if it's still null, nothing to do.
if (null === $username) {
return;
}

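Review bot: The final guard `if (null === $username) { return; }` still admits non-string values, because `$request->get()` reads attributes, query and request body and, as far as I can tell from the Request API, returns an array when the parameter is sent as `_switch_user[]=...`; the old truthiness test had the same gap, so this is not a regression, but the code that consumes `$username` is outside the hunk and presumably expects a string. Tightening the last check to `if (null === $username || !\is_string($username)) { return; }` would make the "nothing to do" path explicit for malformed input rather than passing an array down to the user provider. The comment `// usernames can be falsy` would also be more useful stating the concrete case it protects: `// '0' is a valid username but falsy, so compare against null rather than using ?:`. `handle()` continues outside the hunk.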
Expand Up @@ -191,6 +191,32 @@ public function testSwitchUser()
$this->assertInstanceOf('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', $this->tokenStorage->getToken());
}

public function testSwitchUserWorksWithFalsyUsernames()
{
$token = new UsernamePasswordToken('username', '', 'key', ['ROLE_FOO']);
$user = new User('username', 'password', []);

$this->tokenStorage->setToken($token);
$this->request->query->set('_switch_user', '0');

$this->accessDecisionManager->expects($this->once())
->method('decide')->with($token, ['ROLE_ALLOWED_TO_SWITCH'])
->willReturn(true);

$this->userProvider->expects($this->once())
->method('loadUserByUsername')->with('0')
->willReturn($user);
$this->userChecker->expects($this->once())
->method('checkPostAuth')->with($user);

$listener = new SwitchUserListener($this->tokenStorage, $this->userProvider, $this->userChecker, 'provider123', $this->accessDecisionManager);
$listener->handle($this->event);

$this->assertSame([], $this->request->query->all());
$this->assertSame('', $this->request->server->get('QUERY_STRING'));
$this->assertInstanceOf('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', $this->tokenStorage->getToken());
}

public function testSwitchUserKeepsOtherQueryStringParameters()
{
$token = new UsernamePasswordToken('username', '', 'key', ['ROLE_FOO']);
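Review bot: `testSwitchUserWorksWithFalsyUsernames` covers only `'0'`, yet the null-based checks it exercises also change how the empty string is treated: `?_switch_user=` yields `''`, which the old `?:` chain discarded and the new code now passes on, presumably to `loadUserByUsername`. A second case setting `_switch_user` to `''` — or a data provider over `['0', '']` with the expected `loadUserByUsername` argument — would pin that behaviour choice and catch a future reintroduction of a truthiness check. `testSwitchUserKeepsOtherQueryStringParameters` at the end of the hunk continues outside it.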
