Skip to content

[Security] Correcting bugs for provider and JSON login #16799

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 6, 2022
Merged

[Security] Correcting bugs for provider and JSON login #16799

merged 1 commit into from
Oct 6, 2022

Conversation

KosticDusan4D
Copy link
Contributor

On lines 501 and 502 I propose this change, because it confused me so much which provider to use, and in the case that you are explaining there you should use earlier configured app_user_provider, not users_in_memory.

On line 1043 I had a problem that $user is always null until I deleted the "?User" from parameters. I think that PHP gets confused here with the way it is written. And to say that now with that part removed everything works fine.

Thanks in advance and I hope that I contributed even a little as this is.

@OskarStark OskarStark requested a review from wouterj May 17, 2022 05:57
@javiereguiluz
Copy link
Member

I think this proposal is correct, but let's ask @wouterj to double check. Thanks.

@carsonbot carsonbot changed the title Correcting bugs for provider and JSON login [Security] Correcting bugs for provider and JSON login Aug 9, 2022
@javiereguiluz
Copy link
Member

@KosticDusan4D thanks again for this contribution. Sorry for the late merge, but I prefer to merge this until someone who knows security well reviews it. Thanks for your patience 🙏

@javiereguiluz
Copy link
Member

Let's ping @chalasr and @xabbuh to see if they can review this proposal. Thanks 🙏

@chalasr
Copy link
Member

chalasr commented Oct 4, 2022
edited
Loading

The configuration change looks good, but the controller part does not. The current signature is correct, we do want a type declaration. Here ?User matches the controller needs and should work fine with the #CurrentUser resolution logic (see https://github.com/symfony/symfony/blob/53db097989b480a92e4e11deb2634afca6c40ac3/src/Symfony/Component/Security/Http/Controller/UserValueResolver.php#L58-L83).
Thanks for the PR, and thanks for the ping Javier.

@KosticDusan4D @wouterj
Correcting bugs for provider and JSON login
2309b0b 
On lines 501 and 502 I propose this change, because it confused me so much which provider to use, and in the case that you are explaining there you should use earlier configured app_user_provider, not users_in_memory.

On line 1043 I had a problem that $user is always null until I deleted the "?User" from parameters. I think that PHP gets confused here with the way it is written. And to say that now with that part removed everything works fine.

Thanks in advance and I hope that I contributed even a little as this is.
@wouterj wouterj merged commit f7948d8 into symfony:6.0 Oct 6, 2022
@wouterj
Copy link
Member

wouterj commented Oct 6, 2022
edited
Loading

Hi @KosticDusan4D! Thanks for this contribution. Fixing a bug in the code example is a great way to contribute, it'll safe upcoming readers of the docs hours of debugging :)

I've reverted the change in the code example, the ?User argument is supposed to work correctly. I'm also quite sure I've seen this example work in a demo application.
If you can still replicate the issue, feel free to open a bug report at https://github.com/symfony/symfony with a reproducer as this is something that needs to be fixed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wouterj wouterj Awaiting requested review from wouterj

Assignees
No one assigned
Labels
Security Status: Needs Review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@KosticDusan4D @javiereguiluz @chalasr @wouterj @carsonbot