[Security] always check the token on non-lazy firewalls

nicolas-grekas · nicolas-grekas · commit 5ef19ef6f48b · 2019-11-14T23:50:50.000+01:00
diff --git a/Firewall/AccessListener.php b/Firewall/AccessListener.php
@@ -18,6 +18,7 @@
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
 use Symfony\Component\Security\Http\AccessMapInterface;
+use Symfony\Component\Security\Http\Event\LazyResponseEvent;
 
 /**
  * AccessListener enforces access control rules.
@@ -51,6 +52,10 @@ public function __construct(TokenStorageInterface $tokenStorage, AccessDecisionM
      */
     public function __invoke(RequestEvent $event)
     {
+        if (!$event instanceof LazyResponseEvent && null === $token = $this->tokenStorage->getToken()) {
+            throw new AuthenticationCredentialsNotFoundException('A Token was not found in the TokenStorage.');
+        }
+
         $request = $event->getRequest();
 
         list($attributes) = $this->map->getPatterns($request);
@@ -59,7 +64,7 @@ public function __invoke(RequestEvent $event)
             return;
         }
 
-        if (null === $token = $this->tokenStorage->getToken()) {
+        if ($event instanceof LazyResponseEvent && null === $token = $this->tokenStorage->getToken()) {
             throw new AuthenticationCredentialsNotFoundException('A Token was not found in the TokenStorage.');
         }
 
diff --git a/Tests/Firewall/AccessListenerTest.php b/Tests/Firewall/AccessListenerTest.php
@@ -18,6 +18,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
 use Symfony\Component\Security\Http\AccessMapInterface;
+use Symfony\Component\Security\Http\Event\LazyResponseEvent;
 use Symfony\Component\Security\Http\Firewall\AccessListener;
 
 class AccessListenerTest extends TestCase
@@ -219,7 +220,7 @@ public function testHandleWhenAccessMapReturnsEmptyAttributes()
             ->willReturn($request)
         ;
 
-        $listener($event);
+        $listener(new LazyResponseEvent($event));
     }
 
     public function testHandleWhenTheSecurityTokenStorageHasNoToken()

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@`
`18`	`18`	`use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;`
`19`	`19`	`use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;`
`20`	`20`	`use Symfony\Component\Security\Http\AccessMapInterface;`
	`21`	`+use Symfony\Component\Security\Http\Event\LazyResponseEvent;`
`21`	`22`	`use Symfony\Component\Security\Http\Firewall\AccessListener;`
`22`	`23`
`23`	`24`	`class AccessListenerTest extends TestCase`
`@@ -219,7 +220,7 @@ public function testHandleWhenAccessMapReturnsEmptyAttributes()`
`219`	`220`	`->willReturn($request)`
`220`	`221`	`;`
`221`	`222`
`222`		`- $listener($event);`
	`223`	`+ $listener(new LazyResponseEvent($event));`
`223`	`224`	`}`
`224`	`225`
`225`	`226`	`public function testHandleWhenTheSecurityTokenStorageHasNoToken()`