EZP-24852: Add UserReference support in Authentication/User providers #1965
Conversation
andrerom
force-pushed
the
sfuser_improvments
branch
4 times, most recently
from
dd6a6d9 to
531c958
Compare
…f or User To protect against injecting api user several times bloating session value.
andrerom
force-pushed
the
sfuser_improvments
branch
3 times, most recently
from
081f5e5 to
b5c3fe3
Compare
andrerom
changed the title
andrerom
force-pushed
the
sfuser_improvments
branch
from
c7ea670 to
5e83ce9
Compare
|
Review ping @lolautruche NOTE: I assumed we kind of need to continue load users on load to make sure user is still existing and enabled (however not needed for permission checks), so only made sure user is no longer serialized to and from session, but that assumption might be wrong. |
There was a problem hiding this comment.
I don't see the UserReference class, is it already present somewhere?
I assumed we kind of need to continue load users on load to make sure user is still existing and enabled
This is indeed needed when user is refreshed from the session. It's not specific to eZ, but needed from the Security component
| if (!$this->user instanceof APIUser) { | ||
| throw new \LogicException( | ||
| 'Attempts to get APIUser before it has been set by UserProvider, APIUser is not serialized to session' | ||
| ); |
There was a problem hiding this comment.
This exception needs to be documented in the phpdoc
There was a problem hiding this comment.
re added in d6a6803
There was a problem hiding this comment.
Would it be worth using an exception of our own ?
There was a problem hiding this comment.
hmm, maybe, however unsure what that should be and what it should extend, and it's not a condition that should happen for end users given provider deals with loading it before you typically get your hands on it.
As we always refresh APIUser on load anyway, changes our symfony User to not serialize APIUser to session to reduce size of session being serialized back and forth. This approch assumed the refresh is needed for security reasons *(as in check if user is still exists and is enabled, permissions lookup don't need this)*. However if that is not the case this can be done closer to how it is described in JIRA issue and aim to deprecate this logic instead.
Not a must, but test where failing since MVC User was calling method and this part of the code property.
Maybe, this doc on
Depends on what you mean, you have:
Then in this PR there is |
andrerom
force-pushed
the
sfuser_improvments
branch
from
5e83ce9 to
1f50078
Compare
It indeed depends on our domain needs, but this is highly recommended and done in every implementation provided by Symfony. Only exception I can imagine would be stateless authentication. As for |
ok, then approach here is at least going in the right direction, our old issue was implying to get rid of it, but then we aim to keep the object refresh, and instead look for way to make it lighter later in api.
Actually it is used a few places already: |
| @@ -93,7 +96,11 @@ public function testIsNotEqualTo() | |||
| public function testIsEqualToNotSameUserType() | |||
| { | |||
| $user = new User(); | |||
| $user2 = $this->getMock('Symfony\Component\Security\Core\User\UserInterface'); | |||
| $user2 = $this->getMock('eZ\Publish\Core\MVC\Symfony\Security\ReferenceUserInterface'); | |||
There was a problem hiding this comment.
Nitpick: ReferenceUserInterface::class please :)
| @@ -127,7 +129,7 @@ public function testRegularUser() | |||
|
|
|||
| public function testIsEqualTo() | |||
| { | |||
| $originalUser = $this->getMock('eZ\Publish\Core\MVC\Symfony\Security\User'); | |||
| $originalUser = $this->getMock('eZ\Publish\Core\MVC\Symfony\Security\Tests\UserEquatableInterface'); | |||
…ezsystems#1965) * Throw InvalidArgumentException if WrappedUser recives instance of self or User To protect against injecting api user several times bloating session value. * EZP-24852: Add UserReference support in Authentication/User providers As we always refresh APIUser on load anyway, changes our symfony User to not serialize APIUser to session to reduce size of session being serialized back and forth. This approch assumed the refresh is needed for security reasons *(as in check if user is still exists and is enabled, permissions lookup don't need this)*. However if that is not the case this can be done closer to how it is described in JIRA issue and aim to deprecate this logic instead. * [UnitTests] Adapt Tests for changes * Adapt RestAuthenticator to use getUserId() also Not a must, but test where failing since MVC User was calling method and this part of the code property. * Deprecate UserInterface::setAPIUser() so update is not forgotten in 7.0 * CS
As we anyway always refresh APIUser on load, this changes our symfony User to not serialize APIUser to session anymore to reduce size of session being serialized back and forth.
On top of that make sure WrappedUser does not get self or User injected to avoid possibility of wrong use and bloated session value.