Issue #18646 Cleanup auth data from session if findIdentity() returns… (#18649)

* Issue #18646 Cleanup auth data from session if findIdentity() returns null

* Issue #18646 Refactor fix to remove stale identity data from session

* Issue #18646 Fix test for HttpBasicAuth (#15658)

Co-authored-by: Alexander Makarov <sam@rmcreative.ru>
Co-authored-by: Bizley <pawel@positive.codes>
This commit is contained in:
Michael Härtl
2021-08-11 10:35:01 +02:00
committed by GitHub
parent 1b1f257283
commit c94d7049c5
3 changed files with 15 additions and 17 deletions


@ -4,7 +4,7 @@ Yii Framework 2 Change Log
2.0.44 under development 2.0.44 under development
------------------------ ------------------------
- no changes in this release. - Bug #18646: Remove stale identity data from session if `IdentityInterface::findIdentity()` returns `null` (mikehaertl)
2.0.43 August 09, 2021 2.0.43 August 09, 2021


@ -728,6 +728,10 @@ class User extends Component
$this->renewIdentityCookie(); $this->renewIdentityCookie();
} }
} }
if ($this->getIdentity(false) === null) {
$this->switchIdentity(null);
}
} }
/** /**
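Review bot: The new cleanup at the end of the method runs for every request on which no identity is resolved, not only when the session held an id that `findIdentity()` could not resolve, because `$this->getIdentity(false) === null` is also true for plain guests. `switchIdentity(null)` is not visible here, but if it removes the identity cookie and clears or regenerates session state as its name suggests, every guest request pays that cost and, where the session has to be opened to remove keys, may start a session for visitors who had none; please confirm against `switchIdentity()`. Narrowing the guard to the case where the id read from the session was non-null but `findIdentity()` returned `null` keeps the change to the stale-data case it targets, e.g. `if ($id !== null && $this->getIdentity(false) === null) {` if `$id` is the variable the method reads the session value into. A short why-comment above the block would also help: `// Session holds an id that no longer resolves to an identity (e.g. user deleted): drop the stale auth data.` The enclosing method starts outside the hunk.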


@ -90,8 +90,8 @@ class BasicAuthTest extends AuthTest
/** /**
* This tests checks, that: * This tests checks, that:
* - HttpBasicAuth does not call `auth` closure, when user is already authenticated * - HttpBasicAuth does not call `auth` closure, when a user is already authenticated
* - HttpBasicAuth does not switch identity, when the user identity to be set is the same as current user's one * - HttpBasicAuth does not switch identity, even when the user identity to be set is the same as current user's one
* *
* @dataProvider tokenProvider * @dataProvider tokenProvider
* @param string|null $token * @param string|null $token
@ -102,28 +102,22 @@ class BasicAuthTest extends AuthTest
$_SERVER['PHP_AUTH_USER'] = $login; $_SERVER['PHP_AUTH_USER'] = $login;
$_SERVER['PHP_AUTH_PW'] = 'y0u7h1nk175r34l?'; $_SERVER['PHP_AUTH_PW'] = 'y0u7h1nk175r34l?';
// Login user and set fake identity ID to session $user = Yii::$app->user;
if ($login !== null) {
Yii::$app->user->login(UserIdentity::findIdentity($login));
}
$session = Yii::$app->session; $session = Yii::$app->session;
$idParam = Yii::$app->user->idParam; $user->login(UserIdentity::findIdentity('user1'));
$idValue = 'should not be changed'; $identity = $user->getIdentity();
$session->set($idParam, $idValue); $sessionId = $session->getId();
$filter = [ $filter = [
'class' => HttpBasicAuth::className(), 'class' => HttpBasicAuth::className(),
'auth' => function ($username, $password) { 'auth' => function ($username, $password) {
if ($username !== null) { $this->fail('Authentication closure should not be called when user is already authenticated');
$this->fail('Authentication closure should not be called when user is already authenticated');
}
return null;
}, },
]; ];
$this->ensureFilterApplies($token, $login, $filter); $this->ensureFilterApplies('token1', 'user1', $filter);
$this->assertSame($idValue, $session->get($idParam)); $this->assertSame($identity, $user->getIdentity());
$this->assertSame($sessionId, $session->getId());
$session->destroy(); $session->destroy();
} }
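Review bot: The rewritten test no longer uses its data-provider arguments: `$user->login(UserIdentity::findIdentity('user1'))` and `ensureFilterApplies('token1', 'user1', $filter)` hard-code the identity and token while the `@dataProvider tokenProvider` annotation and the `$token`/`$login` parameters remain, so every provider row now runs the same case and only `$_SERVER['PHP_AUTH_USER'] = $login` still varies (and can be `null` for rows without a login, as the removed `if ($login !== null)` guard shows). Either drop the provider and parameters for this test or keep it parameterised, e.g. `$user->login(UserIdentity::findIdentity($login));` and `$this->ensureFilterApplies($token, $login, $filter);`, with the provider restricted to rows that carry a login. The added `assertSame($sessionId, $session->getId())` is a useful regression guard against the session-ID regeneration an unconditional identity switch would cause; a one-line comment, `// identity must not be switched: session id stays the same`, would make that intent clear to readers who do not know the linked issue. The method's signature is outside the hunk.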