[Security] Store original token in token storage when implicitly exiting impersonation

wouterj · wouterj · commit 7152f0e4e292 · 2024-11-04T13:18:48.000+01:00
diff --git a/Firewall/SwitchUserListener.php b/Firewall/SwitchUserListener.php
@@ -109,7 +109,7 @@ public function authenticate(RequestEvent $event)
         }
 
         if (self::EXIT_VALUE === $username) {
-            $this->tokenStorage->setToken($this->attemptExitUser($request));
+            $this->attemptExitUser($request);
         } else {
             try {
                 $this->tokenStorage->setToken($this->attemptSwitchUser($request, $username));
@@ -221,6 +221,8 @@ private function attemptExitUser(Request $request): TokenInterface
             $original = $switchEvent->getToken();
         }
 
+        $this->tokenStorage->setToken($original);
+
         return $original;
     }
 
diff --git a/Tests/Firewall/SwitchUserListenerTest.php b/Tests/Firewall/SwitchUserListenerTest.php
@@ -18,6 +18,7 @@
 use Symfony\Component\HttpKernel\HttpKernelInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -228,7 +229,10 @@ public function testSwitchUserAlreadySwitched()
 
         $targetsUser = $this->callback(function ($user) { return 'kuba' === $user->getUserIdentifier(); });
         $this->accessDecisionManager->expects($this->once())
-            ->method('decide')->with($originalToken, ['ROLE_ALLOWED_TO_SWITCH'], $targetsUser)
+            ->method('decide')->with(self::callback(function (TokenInterface $token) use ($originalToken, $tokenStorage) {
+                // the token storage should also contain the original token for voters depending on it
+                return $token === $originalToken && $tokenStorage->getToken() === $originalToken;
+            }), ['ROLE_ALLOWED_TO_SWITCH'], $targetsUser)
             ->willReturn(true);
 
         $this->userChecker->expects($this->once())

Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,7 @@ public function authenticate(RequestEvent $event)`
`109`	`109`	`}`
`110`	`110`
`111`	`111`	`if (self::EXIT_VALUE === $username) {`
`112`		`- $this->tokenStorage->setToken($this->attemptExitUser($request));`
	`112`	`+ $this->attemptExitUser($request);`
`113`	`113`	`} else {`
`114`	`114`	`try {`
`115`	`115`	`$this->tokenStorage->setToken($this->attemptSwitchUser($request, $username));`
`@@ -221,6 +221,8 @@ private function attemptExitUser(Request $request): TokenInterface`
`221`	`221`	`$original = $switchEvent->getToken();`
`222`	`222`	`}`
`223`	`223`
	`224`	`+ $this->tokenStorage->setToken($original);`
	`225`	`+`
`224`	`226`	`return $original;`
`225`	`227`	`}`
`226`	`228`