[Security] Unset token roles when serializing it and user implements EquatableInterface

nicolas-grekas · nicolas-grekas · commit 09507738031a · 2025-01-20T15:19:48.000+01:00
diff --git a/Firewall/ContextListener.php b/Firewall/ContextListener.php
@@ -301,11 +301,12 @@ private static function hasUserChanged(UserInterface $originalUser, TokenInterfa
             }
         }
 
-        $userRoles = array_map('strval', $refreshedUser->getRoles());
+        $refreshedRoles = array_map('strval', $refreshedUser->getRoles());
+        $originalRoles = $refreshedToken->getRoleNames(); // This comes from cloning the original token, so it still contains the roles of the original user
 
         if (
-            \count($userRoles) !== \count($refreshedToken->getRoleNames())
-            || \count($userRoles) !== \count(array_intersect($userRoles, $refreshedToken->getRoleNames()))
+            \count($refreshedRoles) !== \count($originalRoles)
+            || \count($refreshedRoles) !== \count(array_intersect($refreshedRoles, $originalRoles))
         ) {
             return true;
         }

Original file line number	Diff line number	Diff line change
`@@ -301,11 +301,12 @@ private static function hasUserChanged(UserInterface $originalUser, TokenInterfa`
`301`	`301`	`}`
`302`	`302`	`}`
`303`	`303`
`304`		`- $userRoles = array_map('strval', $refreshedUser->getRoles());`
	`304`	`+ $refreshedRoles = array_map('strval', $refreshedUser->getRoles());`
	`305`	`+ $originalRoles = $refreshedToken->getRoleNames(); // This comes from cloning the original token, so it still contains the roles of the original user`
`305`	`306`
`306`	`307`	`if (`
`307`		`- \count($userRoles) !== \count($refreshedToken->getRoleNames())`
`308`		`- \|\| \count($userRoles) !== \count(array_intersect($userRoles, $refreshedToken->getRoleNames()))`
	`308`	`+ \count($refreshedRoles) !== \count($originalRoles)`
	`309`	`+ \|\| \count($refreshedRoles) !== \count(array_intersect($refreshedRoles, $originalRoles))`
`309`	`310`	`) {`
`310`	`311`	`return true;`
`311`	`312`	`}`