bug symfony#40286 [Security] #[CurrentUser] arguments should resolve to null for "anon." (chalasr)

chalasr · chalasr · commit b03731981acc · 2021-02-24T15:02:23.000+01:00
This PR was merged into the 5.2 branch. Discussion ---------- [Security] #[CurrentUser] arguments should resolve to null for "anon." | Q | A | ------------- | --- | Branch? | 5.2 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - The UserValueResolver should only resolve `UserInterface` (or subtype) typed arguments: https://github.com/symfony/symfony/blob/bc9e946a56b3874b01d363772f396d8db879de8d/src/Symfony/Component/Security/Http/Controller/UserValueResolver.php#L54-L55 When using the `#CurrentUser` attribute with an AnonymousToken in the storage, the resolved argument value is `anon.`. This PR fixes it. /cc @jvasseur Commits ------- 8d3078d [Security] #[CurrentUser] argument should resolve to null when it is anonymous
diff --git a/src/Symfony/Component/Security/Http/Controller/UserValueResolver.php b/src/Symfony/Component/Security/Http/Controller/UserValueResolver.php
@@ -35,12 +35,9 @@ public function __construct(TokenStorageInterface $tokenStorage)
 
     public function supports(Request $request, ArgumentMetadata $argument): bool
     {
-        if ($argument->getAttribute() instanceof CurrentUser) {
-            return true;
-        }
-
-        // only security user implementations are supported
-        if (UserInterface::class !== $argument->getType()) {
+        // with the attribute, the type can be any UserInterface implementation
+        // otherwise, the type must be UserInterface
+        if (UserInterface::class !== $argument->getType() && !$argument->getAttribute() instanceof CurrentUser) {
             return false;
         }
 
diff --git a/src/Symfony/Component/Security/Http/Tests/Controller/UserValueResolverTest.php b/src/Symfony/Component/Security/Http/Tests/Controller/UserValueResolverTest.php
@@ -83,6 +83,17 @@ public function testResolveWithAttribute()
         $this->assertSame([$user], iterator_to_array($resolver->resolve(Request::create('/'), $metadata)));
     }
 
+    public function testResolveWithAttributeAndNoUser()
+    {
+        $tokenStorage = new TokenStorage();
+        $tokenStorage->setToken(new UsernamePasswordToken('username', 'password', 'provider'));
+
+        $resolver = new UserValueResolver($tokenStorage);
+        $metadata = new ArgumentMetadata('foo', null, false, false, null, false, new CurrentUser());
+
+        $this->assertFalse($resolver->supports(Request::create('/'), $metadata));
+    }
+
     public function testIntegration()
     {
         $user = $this->createMock(UserInterface::class);

Original file line number	Diff line number	Diff line change
`@@ -35,12 +35,9 @@ public function __construct(TokenStorageInterface $tokenStorage)`
`35`	`35`
`36`	`36`	`public function supports(Request $request, ArgumentMetadata $argument): bool`
`37`	`37`	`{`
`38`		`- if ($argument->getAttribute() instanceof CurrentUser) {`
`39`		`- return true;`
`40`		`- }`
`41`		`-`
`42`		`- // only security user implementations are supported`
`43`		`- if (UserInterface::class !== $argument->getType()) {`
	`38`	`+ // with the attribute, the type can be any UserInterface implementation`
	`39`	`+ // otherwise, the type must be UserInterface`
	`40`	`+ if (UserInterface::class !== $argument->getType() && !$argument->getAttribute() instanceof CurrentUser) {`
`44`	`41`	`return false;`
`45`	`42`	`}`
`46`	`43`