Merge branch '4.4' into 5.0

* 4.4: [Security] Allow switching to another user when already switched

Author: chalasr

src/Symfony/Bundle/SecurityBundle/Tests/Functional/SwitchUserTest.php

@@ -29,15 +29,15 @@ public function testSwitchUser($originalUser, $targetUser, $expectedUser, $expec
  $this->assertEquals($expectedUser, $client->getProfile()->getCollector('security')->getUser());
  }
 
- public function testSwitchedUserCannotSwitchToOther()
+ public function testSwitchedUserCanSwitchToOther()
  {
  $client = $this->createAuthenticatedClient('user_can_switch');
 
  $client->request('GET', '/profile?_switch_user=user_cannot_switch_1');
  $client->request('GET', '/profile?_switch_user=user_cannot_switch_2');
 
- $this->assertEquals(500, $client->getResponse()->getStatusCode());
- $this->assertEquals('user_cannot_switch_1', $client->getProfile()->getCollector('security')->getUser());
+ $this->assertEquals(200, $client->getResponse()->getStatusCode());
+ $this->assertEquals('user_cannot_switch_2', $client->getProfile()->getCollector('security')->getUser());
  }
 
  public function testSwitchedUserExit()

src/Symfony/Bundle/SecurityBundle/composer.json

@@ -24,7 +24,7 @@
  "symfony/security-core": "^4.4|^5.0",
  "symfony/security-csrf": "^4.4|^5.0",
  "symfony/security-guard": "^4.4|^5.0",
- "symfony/security-http": "^4.4.3|^5.0.3"
+ "symfony/security-http": "^4.4.5|^5.0.5"
  },
  "require-dev": {
  "doctrine/doctrine-bundle": "^2.0",

src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php

@@ -144,7 +144,8 @@ private function attemptSwitchUser(Request $request, string $username): ?TokenIn
  return $token;
  }
 
- throw new \LogicException(sprintf('You are already switched to "%s" user.', $token->getUsername()));
+ // User already switched, exit before seamlessly switching to another user
+ $token = $this->attemptExitUser($request);
  }
 
  $currentUsername = $token->getUsername();

src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php

@@ -223,6 +223,39 @@ public function testSwitchUser()
  $this->assertInstanceOf('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', $this->tokenStorage->getToken());
  }
 
+ public function testSwitchUserAlreadySwitched()
+ {
+ $originalToken = new UsernamePasswordToken('original', null, 'key', ['ROLE_FOO']);
+ $alreadySwitchedToken = new SwitchUserToken('switched_1', null, 'key', ['ROLE_BAR'], $originalToken);
+
+ $tokenStorage = new TokenStorage();
+ $tokenStorage->setToken($alreadySwitchedToken);
+
+ $targetUser = new User('kuba', 'password', ['ROLE_FOO', 'ROLE_BAR']);
+
+ $this->request->query->set('_switch_user', 'kuba');
+
+ $this->accessDecisionManager->expects($this->once())
+ ->method('decide')->with($originalToken, ['ROLE_ALLOWED_TO_SWITCH'], $targetUser)
+ ->willReturn(true);
+
+ $this->userProvider->expects($this->exactly(2))
+ ->method('loadUserByUsername')
+ ->withConsecutive(['kuba'])
+ ->will($this->onConsecutiveCalls($targetUser, $this->throwException(new UsernameNotFoundException())));
+ $this->userChecker->expects($this->once())
+ ->method('checkPostAuth')->with($targetUser);
+
+ $listener = new SwitchUserListener($tokenStorage, $this->userProvider, $this->userChecker, 'provider123', $this->accessDecisionManager, null, '_switch_user', 'ROLE_ALLOWED_TO_SWITCH', null, false);
+ $listener($this->event);
+
+ $this->assertSame([], $this->request->query->all());
+ $this->assertSame('', $this->request->server->get('QUERY_STRING'));
+ $this->assertInstanceOf(SwitchUserToken::class, $tokenStorage->getToken());
+ $this->assertSame('kuba', $tokenStorage->getToken()->getUsername());
+ $this->assertSame($originalToken, $tokenStorage->getToken()->getOriginalToken());
+ }
+
  public function testSwitchUserWorksWithFalsyUsernames()
  {
  $token = new UsernamePasswordToken('username', '', 'key', ['ROLE_FOO']);