[Security] Allow configuring a redirect url via route name when switching user

94noni · 94noni · commit ccabea1b920e · 2022-09-12T15:35:20.000+02:00
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -257,7 +257,7 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
                     ->scalarNode('provider')->end()
                     ->scalarNode('parameter')->defaultValue('_switch_user')->end()
                     ->scalarNode('role')->defaultValue('ROLE_ALLOWED_TO_SWITCH')->end()
-                    ->scalarNode('target_url')->defaultValue(null)->end()
+                    ->scalarNode('target_route')->defaultValue(null)->end()
                 ->end()
             ->end()
             ->arrayNode('required_badges')
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -845,8 +845,8 @@ private function createSwitchUserListener(ContainerBuilder $container, string $i
         if (!$userProvider) {
             throw new InvalidConfigurationException(sprintf('Not configuring explicitly the provider for the "switch_user" listener on "%s" firewall is ambiguous as there is more than one registered provider.', $id));
         }
-        if ($stateless && null !== $config['target_url']) {
-            throw new InvalidConfigurationException(sprintf('Cannot set a "target_url" for the "switch_user" listener on the "%s" firewall as it is stateless.', $id));
+        if ($stateless && null !== $config['target_route']) {
+            throw new InvalidConfigurationException(sprintf('Cannot set a "target_route" for the "switch_user" listener on the "%s" firewall as it is stateless.', $id));
         }
 
         $switchUserListenerId = 'security.authentication.switchuser_listener.'.$id;
@@ -857,7 +857,7 @@ private function createSwitchUserListener(ContainerBuilder $container, string $i
         $listener->replaceArgument(6, $config['parameter']);
         $listener->replaceArgument(7, $config['role']);
         $listener->replaceArgument(9, $stateless);
-        $listener->replaceArgument(10, $config['target_url']);
+        $listener->replaceArgument(11, $config['target_route']);
 
         return $switchUserListenerId;
     }
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.php
@@ -151,7 +151,8 @@
                 'ROLE_ALLOWED_TO_SWITCH',
                 service('event_dispatcher')->nullOnInvalid(),
                 false, // Stateless
-                abstract_arg('Target Url'),
+                service('router')->nullOnInvalid(),
+                abstract_arg('Target Route'),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
 
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
@@ -165,7 +165,7 @@ public function testFirewalls()
                 [
                     'parameter' => '_switch_user',
                     'role' => 'ROLE_ALLOWED_TO_SWITCH',
-                    'target_url' => null,
+                    'target_route' => null,
                 ],
                 [
                     'csrf_parameter' => '_csrf_token',
diff --git a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
@@ -15,6 +15,7 @@
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
@@ -51,9 +52,10 @@ class SwitchUserListener extends AbstractListener
     private ?LoggerInterface $logger;
     private ?EventDispatcherInterface $dispatcher;
     private bool $stateless;
-    private ?string $targetUrl;
+    private ?UrlGeneratorInterface $urlGenerator;
+    private ?string $targetRoute;
 
-    public function __construct(TokenStorageInterface $tokenStorage, UserProviderInterface $provider, UserCheckerInterface $userChecker, string $firewallName, AccessDecisionManagerInterface $accessDecisionManager, LoggerInterface $logger = null, string $usernameParameter = '_switch_user', string $role = 'ROLE_ALLOWED_TO_SWITCH', EventDispatcherInterface $dispatcher = null, bool $stateless = false, string $targetUrl = null)
+    public function __construct(TokenStorageInterface $tokenStorage, UserProviderInterface $provider, UserCheckerInterface $userChecker, string $firewallName, AccessDecisionManagerInterface $accessDecisionManager, LoggerInterface $logger = null, string $usernameParameter = '_switch_user', string $role = 'ROLE_ALLOWED_TO_SWITCH', EventDispatcherInterface $dispatcher = null, bool $stateless = false, UrlGeneratorInterface $urlGenerator = null, string $targetRoute = null)
     {
         if ('' === $firewallName) {
             throw new \InvalidArgumentException('$firewallName must not be empty.');
@@ -69,7 +71,8 @@ public function __construct(TokenStorageInterface $tokenStorage, UserProviderInt
         $this->logger = $logger;
         $this->dispatcher = $dispatcher;
         $this->stateless = $stateless;
-        $this->targetUrl = $targetUrl;
+        $this->urlGenerator = $urlGenerator;
+        $this->targetRoute = $targetRoute;
     }
 
     public function supports(Request $request): ?bool
@@ -121,7 +124,7 @@ public function authenticate(RequestEvent $event)
         if (!$this->stateless) {
             $request->query->remove($this->usernameParameter);
             $request->server->set('QUERY_STRING', http_build_query($request->query->all(), '', '&'));
-            $response = new RedirectResponse($this->targetUrl ?? $request->getUri(), 302);
+            $response = new RedirectResponse($this->urlGenerator && $this->targetRoute ? $this->urlGenerator->generate($this->targetRoute) : $request->getUri(), 302);
 
             $event->setResponse($response);
         }

Original file line number	Diff line number	Diff line change
`@@ -845,8 +845,8 @@ private function createSwitchUserListener(ContainerBuilder $container, string $i`
`845`	`845`	`if (!$userProvider) {`
`846`	`846`	`throw new InvalidConfigurationException(sprintf('Not configuring explicitly the provider for the "switch_user" listener on "%s" firewall is ambiguous as there is more than one registered provider.', $id));`
`847`	`847`	`}`
`848`		`- if ($stateless && null !== $config['target_url']) {`
`849`		`- throw new InvalidConfigurationException(sprintf('Cannot set a "target_url" for the "switch_user" listener on the "%s" firewall as it is stateless.', $id));`
	`848`	`+ if ($stateless && null !== $config['target_route']) {`
	`849`	`+ throw new InvalidConfigurationException(sprintf('Cannot set a "target_route" for the "switch_user" listener on the "%s" firewall as it is stateless.', $id));`
`850`	`850`	`}`
`851`	`851`
`852`	`852`	`$switchUserListenerId = 'security.authentication.switchuser_listener.'.$id;`
`@@ -857,7 +857,7 @@ private function createSwitchUserListener(ContainerBuilder $container, string $i`
`857`	`857`	`$listener->replaceArgument(6, $config['parameter']);`
`858`	`858`	`$listener->replaceArgument(7, $config['role']);`
`859`	`859`	`$listener->replaceArgument(9, $stateless);`
`860`		`- $listener->replaceArgument(10, $config['target_url']);`
	`860`	`+ $listener->replaceArgument(11, $config['target_route']);`
`861`	`861`
`862`	`862`	`return $switchUserListenerId;`
`863`	`863`	`}`
Original file line number	Diff line number	Diff line change
`@@ -165,7 +165,7 @@ public function testFirewalls()`
`165`	`165`	`[`
`166`	`166`	`'parameter' => '_switch_user',`
`167`	`167`	`'role' => 'ROLE_ALLOWED_TO_SWITCH',`
`168`		`- 'target_url' => null,`
	`168`	`+ 'target_route' => null,`
`169`	`169`	`],`
`170`	`170`	`[`
`171`	`171`	`'csrf_parameter' => '_csrf_token',`