Startsida Utforska Hjälp
Registrera dig Logga in
VendorSoftware
/
symfony
2
0
Fork 0
Filer Ärenden 0 Pull-förfrågningar 0 Wiki
Bläddra i källkod

merged branch snc/issue-1798 (PR #2528)

Commits
-------

f9befb6 Remove only the security token instead of the session cookie.
348bccb Clear session cookie if user was deleted, is disabled or locked to prevent infinite redirect loops to the login path (fixes #1798).

Discussion
----------

Fix for issue 1798

Bug fix: yes
Feature addition: no
Backwards compatibility break: no
Symfony2 tests pass: yes

Clear session cookie if user was deleted, is disabled or locked to prevent infinite redirect loops to the login path (fixes #1798).

---------------------------------------------------------------------------

by snc at 2011/11/01 04:01:49 -0700

@stof I have changed the code so that it only removes the token... do we still need any hook support?

---------------------------------------------------------------------------

by stof at 2011/11/01 04:07:17 -0700

well, the hook is for your own use case but it would be for 2.1 only anyway, not for 2.0

---------------------------------------------------------------------------

by snc at 2011/11/07 15:11:52 -0800

Now that #2414 is merged to 2.1, this could be simplified for the master branch...
Fabien Potencier 13 år sedan
förälder
877e484529 f9befb6348
incheckning
3c584f5683
1 ändrade filer med 8 tillägg och 0 borttagningar
Delad Vy Visa Diff Statistik
  1. 8 0
      src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php

+ 8 - 0
src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
Visa fil 

@@ -15,7 +15,9 @@ use Symfony\Component\HttpFoundation\Response;
 
 use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
 
 use Symfony\Component\Security\Core\SecurityContextInterface;
 
 use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
 
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
 
+use Symfony\Component\Security\Core\Exception\AccountStatusException;
 
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 use Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException;
 
@@ -158,6 +160,12 @@ class ExceptionListener
 
 
         $this->setTargetPath($request);
 
 
+        if ($authException instanceof AccountStatusException && ($token = $this->context->getToken()) instanceof UsernamePasswordToken) {
 
+            // remove the security token to prevent infinite redirect loops
 
+            $this->context->setToken(null);
 
+            $request->getSession()->remove('_security_' . $token->getProviderKey());
 
+        }
 
+
 
         return $this->authenticationEntryPoint->start($request, $authException);
 
     }