From c94d7049c51343c1512772b321005cfeb83e1746 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20H=C3=A4rtl?=
Date: Wed, 11 Aug 2021 10:35:01 +0200
Subject: [PATCH] =?UTF-8?q?Issue=20#18646=20Cleanup=20auth=20data=20from?=
 =?UTF-8?q?=20session=20if=20findIdentity()=20returns=E2=80=A6=20(#18649)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Issue #18646 Cleanup auth data from session if findIdentity() returns null

* Issue #18646 Refactor fix to remove stale identity data from session

* Issue #18646 Fix test for HttpBasicAuth (#15658)

Co-authored-by: Alexander Makarov
Co-authored-by: Bizley
---
 framework/CHANGELOG.md                       |  2 +-
 framework/web/User.php                       |  4 +++
 .../framework/filters/auth/BasicAuthTest.php | 26 +++++++------------
 3 files changed, 15 insertions(+), 17 deletions(-)

diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
index 31055afece..20b4ca353e 100644
--- a/framework/CHANGELOG.md
+++ b/framework/CHANGELOG.md
@@ -4,7 +4,7 @@ Yii Framework 2 Change Log
 2.0.44 under development
 ------------------------
 
-- no changes in this release.
+- Bug #18646: Remove stale identity data from session if `IdentityInterface::findIdentity()` returns `null` (mikehaertl)
 
 2.0.43 August 09, 2021
diff --git a/framework/web/User.php b/framework/web/User.php
index 1aa791b6f6..863b6d4b42 100644
--- a/framework/web/User.php
+++ b/framework/web/User.php
@@ -728,6 +728,10 @@ class User extends Component
                 $this->renewIdentityCookie();
             }
         }
+
+        if ($this->getIdentity(false) === null) {
+            $this->switchIdentity(null);
+        }
     }
 
     /**
diff --git a/tests/framework/filters/auth/BasicAuthTest.php b/tests/framework/filters/auth/BasicAuthTest.php
index 1bde8a853f..f5d552493e 100644
--- a/tests/framework/filters/auth/BasicAuthTest.php
+++ b/tests/framework/filters/auth/BasicAuthTest.php
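Review bot: The new guard at the end of the User.php hunk runs `switchIdentity(null)` whenever no identity is loaded, which is true for every anonymous request and not only for the case the commit describes, a stored id for which `findIdentity()` returned `null`. The body of `switchIdentity()` is not in the hunk, so if it also regenerates the session id or touches the identity cookie, that work now happens on every guest request and is worth checking before release. Narrowing the condition to the case where an id param was actually present in the session but could not be resolved would match the changelog entry exactly; the enclosing method starts outside the hunk, so such a flag would be set where the id is read. A short comment such as `// identity could not be restored: drop stale auth data from the session` would help the next reader, and presumably `false` is passed to `getIdentity()` so that the check does not itself trigger another renewal — confirm that and say so in the comment.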
@@ -90,8 +90,8 @@ class BasicAuthTest extends AuthTest
     /**
      * This tests checks, that:
-     * - HttpBasicAuth does not call `auth` closure, when user is already authenticated
-     * - HttpBasicAuth does not switch identity, when the user identity to be set is the same as current user's one
+     * - HttpBasicAuth does not call `auth` closure, when a user is already authenticated
+     * - HttpBasicAuth does not switch identity, even when the user identity to be set is the same as current user's one
      *
      * @dataProvider tokenProvider
      * @param string|null $token
@@ -102,28 +102,22 @@ class BasicAuthTest extends AuthTest
         $_SERVER['PHP_AUTH_USER'] = $login;
         $_SERVER['PHP_AUTH_PW'] = 'y0u7h1nk175r34l?';
 
-        // Login user and set fake identity ID to session
-        if ($login !== null) {
-            Yii::$app->user->login(UserIdentity::findIdentity($login));
-        }
-
+        $user = Yii::$app->user;
         $session = Yii::$app->session;
-        $idParam = Yii::$app->user->idParam;
-        $idValue = 'should not be changed';
-        $session->set($idParam, $idValue);
+        $user->login(UserIdentity::findIdentity('user1'));
+        $identity = $user->getIdentity();
+        $sessionId = $session->getId();
 
         $filter = [
             'class' => HttpBasicAuth::className(),
             'auth' => function ($username, $password) {
-                if ($username !== null) {
-                    $this->fail('Authentication closure should not be called when user is already authenticated');
-                }
-                return null;
+                $this->fail('Authentication closure should not be called when user is already authenticated');
             },
         ];
-        $this->ensureFilterApplies($token, $login, $filter);
+        $this->ensureFilterApplies('token1', 'user1', $filter);
 
-        $this->assertSame($idValue, $session->get($idParam));
+        $this->assertSame($identity, $user->getIdentity());
+        $this->assertSame($sessionId, $session->getId());
         $session->destroy();
     }
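Review bot: After the second hunk the `$token` and `$login` data-provider arguments no longer drive the test: the login, the user expected by `ensureFilterApplies()` and the token are all the literals `'user1'`/`'token1'`, while the first hunk keeps `@dataProvider tokenProvider`, so every dataset now runs the identical scenario and the unchanged context line `$_SERVER['PHP_AUTH_USER'] = $login;` can set a header that does not match the logged-in user. If one fixed scenario is the intent, drop the `@dataProvider` annotation and the parameters (the method signature lies between the two hunks); otherwise pass `$login` through and skip any dataset whose login is not a real user. The two new assertions do fit the stated contract: `assertSame` on the identity checks that the very same object is still set, and the unchanged session id shows that no re-login or id regeneration took place.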