Skip to content

Commit 477a24d

Browse files
author
Robin Chalas
committed
feature #23882 [Security] Deprecated not being logged out after user change (iltar)
This PR was squashed before being merged into the 3.4 branch (closes #23882). Discussion ---------- [Security] Deprecated not being logged out after user change | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | yes | Tests pass? | yes | Fixed tickets | #17023 | License | MIT | Doc PR | ~ This PR is an alternative approach to #19033. Due to a behavioral change that could break a lot of applications and websites, I've decided to trigger a deprecation instead of actually changing the behavior as that can be done for 4.0. Whenever a user object is considered changed (`AbstractToken::hasUserChanged`) when setting a new user object after refreshing, it will now throw a deprecation, paving the way for a behavioral change in 4.0. The idea is that in 4.0 Symfony will simply trigger a logout when this case is encountered. Commits ------- 22f525b [Security] Deprecated not being logged out after user change
2 parents 7f2bfc0 + 22f525b commit 477a24d

35 files changed

+161
-21
lines changed

UPGRADE-3.4.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -269,6 +269,10 @@ SecurityBundle
269269
as first argument. Not passing it is deprecated and will throw a `TypeError`
270270
in 4.0.
271271

272+
* Added `logout_on_user_change` to the firewall options. This config item will
273+
trigger a logout when the user has changed. Should be set to true to avoid
274+
deprecations in the configuration.
275+
272276
Translation
273277
-----------
274278

UPGRADE-4.0.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -642,6 +642,9 @@ Security
642642

643643
* Support for defining voters that don't implement the `VoterInterface` has been removed.
644644

645+
* Calling `ContextListener::setLogoutOnUserChange(false)` won't have any
646+
effect anymore.
647+
645648
SecurityBundle
646649
--------------
647650

@@ -660,6 +663,9 @@ SecurityBundle
660663
`Symfony\Component\Security\Acl\Model\MutableAclProviderInterfaceConnection`
661664
as first argument.
662665

666+
* The firewall option `logout_on_user_change` is now always true, which will
667+
trigger a logout if the user changes between requests.
668+
663669
Serializer
664670
----------
665671

src/Symfony/Bundle/SecurityBundle/CHANGELOG.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,9 @@ CHANGELOG
1313
* `SetAclCommand::__construct()` now takes an instance of
1414
`Symfony\Component\Security\Acl\Model\MutableAclProviderInterfaceConnection`
1515
as first argument
16+
* Added `logout_on_user_change` to the firewall options. This config item will
17+
trigger a logout when the user has changed. Should be set to true to avoid
18+
deprecations in the configuration.
1619

1720
3.3.0
1821
-----

src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -252,6 +252,10 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
252252
->scalarNode('provider')->end()
253253
->booleanNode('stateless')->defaultFalse()->end()
254254
->scalarNode('context')->cannotBeEmpty()->end()
255+
->booleanNode('logout_on_user_change')
256+
->defaultFalse()
257+
->info('When true, it will trigger a logout for the user if something has changed. This will be the default behavior as of Syfmony 4.0.')
258+
->end()
255259
->arrayNode('logout')
256260
->treatTrueLike(array())
257261
->canBeUnset()
@@ -340,6 +344,17 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
340344
return $firewall;
341345
})
342346
->end()
347+
->validate()
348+
->ifTrue(function ($v) {
349+
return (isset($v['stateless']) && true === $v['stateless']) || (isset($v['security']) && false === $v['security']);
350+
})
351+
->then(function ($v) {
352+
// this option doesn't change behavior when true when stateless, so prevent deprecations
353+
$v['logout_on_user_change'] = true;
354+
355+
return $v;
356+
})
357+
->end()
343358
;
344359
}
345360

src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -265,14 +265,14 @@ private function createFirewalls($config, ContainerBuilder $container)
265265
$providerIds = $this->createUserProviders($config, $container);
266266

267267
// make the ContextListener aware of the configured user providers
268-
$definition = $container->getDefinition('security.context_listener');
269-
$arguments = $definition->getArguments();
268+
$contextListenerDefinition = $container->getDefinition('security.context_listener');
269+
$arguments = $contextListenerDefinition->getArguments();
270270
$userProviders = array();
271271
foreach ($providerIds as $userProviderId) {
272272
$userProviders[] = new Reference($userProviderId);
273273
}
274274
$arguments[1] = new IteratorArgument($userProviders);
275-
$definition->setArguments($arguments);
275+
$contextListenerDefinition->setArguments($arguments);
276276

277277
$customUserChecker = false;
278278

@@ -284,6 +284,12 @@ private function createFirewalls($config, ContainerBuilder $container)
284284
$customUserChecker = true;
285285
}
286286

287+
if (!isset($firewall['logout_on_user_change']) || !$firewall['logout_on_user_change']) {
288+
@trigger_error('Setting logout_on_user_change to false is deprecated as of 3.4 and will always be true in 4.0. Set logout_on_user_change to true in your firewall configuration.', E_USER_DEPRECATED);
289+
}
290+
291+
$contextListenerDefinition->addMethodCall('setLogoutOnUserChange', array($firewall['logout_on_user_change']));
292+
287293
$configId = 'security.firewall.map.config.'.$name;
288294

289295
list($matcher, $listeners, $exceptionListener) = $this->createFirewall($container, $name, $firewall, $authenticationProviders, $providerIds, $configId);

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -73,18 +73,21 @@
7373
'logout' => true,
7474
'remember_me' => array('secret' => 'TheSecret'),
7575
'user_checker' => null,
76+
'logout_on_user_change' => true,
7677
),
7778
'host' => array(
7879
'pattern' => '/test',
7980
'host' => 'foo\\.example\\.org',
8081
'methods' => array('GET', 'POST'),
8182
'anonymous' => true,
8283
'http_basic' => true,
84+
'logout_on_user_change' => true,
8385
),
8486
'with_user_checker' => array(
8587
'user_checker' => 'app.user_checker',
8688
'anonymous' => true,
8789
'http_basic' => true,
90+
'logout_on_user_change' => true,
8891
),
8992
),
9093

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/firewall_provider.php

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,10 +15,12 @@
1515
'main' => array(
1616
'provider' => 'default',
1717
'form_login' => true,
18+
'logout_on_user_change' => true,
1819
),
1920
'other' => array(
2021
'provider' => 'with-dash',
2122
'form_login' => true,
23+
'logout_on_user_change' => true,
2224
),
2325
),
2426
));

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/firewall_undefined_provider.php

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@
1212
'main' => array(
1313
'provider' => 'undefined',
1414
'form_login' => true,
15+
'logout_on_user_change' => true,
1516
),
1617
),
1718
));

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/listener_provider.php

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@
1111
'firewalls' => array(
1212
'main' => array(
1313
'form_login' => array('provider' => 'default'),
14+
'logout_on_user_change' => true,
1415
),
1516
),
1617
));

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/listener_undefined_provider.php

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@
1111
'firewalls' => array(
1212
'main' => array(
1313
'form_login' => array('provider' => 'undefined'),
14+
'logout_on_user_change' => true,
1415
),
1516
),
1617
));

0 commit comments

Comments
 (0)