Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EZP-32333: Validate access for 'change password' menu item #92

Merged
merged 5 commits into from
May 25, 2021

Conversation

barw4
Copy link
Member

@barw4 barw4 commented May 21, 2021

Question Answer
Tickets EZP-32333
Bug fix? yes
New feature? no
BC breaks? no
Tests pass? yes
Doc needed? no
License GPL-2.0

As the title states.

Required ezplatform-admin-ui PR: ezsystems/ezplatform-admin-ui#1759

Checklist:

  • Coding standards ($ composer fix-cs)

@barw4 barw4 self-assigned this May 21, 2021
@barw4 barw4 added Bug Something isn't working Ready for review labels May 21, 2021
@barw4 barw4 requested a review from a team May 21, 2021 18:29
src/lib/EventListener/UserMenuListener.php Outdated Show resolved Hide resolved
}

if (null !== $token &&
is_object($token->getUser()) &&
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't we get currentUser from $token instead of fetching it from userService?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sadly not as $token is instance of Symfony\Component\Security\Core\User\UserInterface

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hm.
I would say token is instance of \Symfony\Component\Security\Core\Authentication\Token\TokenInterface,
And you can get \eZ\Publish\Core\MVC\Symfony\Security\User from getUser, and then API user with getAPIUser, right?

Copy link
Member Author

@barw4 barw4 May 24, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, sorry, I mean getUser on $token was an instance of Symfony\Component\Security\Core\User\UserInterface, not the token itself. I'll take a second look at this.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We actually can't get user with getAPIUser as this method is inside eZ\Publish\Core\MVC\Symfony\Security\UserInterface whether $token->getUser() gives us Symfony\Component\Security\Core\User\UserInterface.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we even bother asking TokenStorage for the User if we store it elsewhere?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was probably used as a first resort to validate the user, but if we should actually check it via permission resolver this could be skipped.

Copy link
Contributor

@ViniTou ViniTou May 24, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, yes if you look at interfaces, but our implementation returns \Symfony\Component\Security\Core\User\User we could check for it (or more precise, checking if user is instance of \eZ\Publish\Core\MVC\Symfony\Security\ReferenceUserInterface , and act accordingly. or remove tokenStorage alltogether and just relay on userService.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ViniTou ViniTou requested a review from a team May 24, 2021 07:19
@barw4 barw4 requested a review from ViniTou May 24, 2021 08:20
src/lib/EventListener/UserMenuListener.php Outdated Show resolved Hide resolved
Copy link

@kacper-wieczorek-ibexa kacper-wieczorek-ibexa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

QA - Approved. Tested on 2.5.18

@adamwojs adamwojs merged commit f886c43 into 1.0 May 25, 2021
@adamwojs adamwojs deleted the ezp-32333-hide-change-password-if-forbidden branch May 25, 2021 09:10
@adamwojs
Copy link
Member

Could you please merge up changes @barw4?

@barw4
Copy link
Member Author

barw4 commented May 25, 2021

Merged into:
2.2: 3f8dcdb
2.3: bd127ca
master: 3226a78

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Bug Something isn't working QA approved
Development

Successfully merging this pull request may close these issues.

5 participants