feature symfony#61486 [Security] Ignore target route when exiting impersonation (MatTheCat)

fabpot · fabpot · commit a410ac7fb03a · 2025-08-22T09:29:15.000+02:00
This PR was merged into the 6.4 branch. Discussion ---------- [Security] Ignore target route when exiting impersonation | Q | A | ------------- | --- | Branch? | 6.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Issues | Fix symfony#53873 | License | MIT [The user impersonation documentation](https://symfony.com/doc/current/security/impersonating_user.html#redirecting-to-a-specific-target-route) just mentions > control the redirection target route via `target_route` Now, given that Twig’s `impersonation_exit_path` and `impersonation_exit_url` have an `exitTo` parameter but not `impersonation_path` nor `impersonation_url`, it looks like `target_route` should only be used when **starting** an impersonation. However it is currently also used when exiting, which means that if you configured one, an `exitTo` argument wouldn’t have any effect. Based on this assumption, this PR ignores `target_route` when exiting impersonation. Since `exitTo` will now work with `target_route` this PR technically breaks BC, but since this behavior was broken I’m not sure it needs to be considered. Commits ------- 5c4618c [Security] Ignore target route when exiting impersonation
diff --git a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
@@ -124,7 +124,7 @@ public function authenticate(RequestEvent $event): void
         if (!$this->stateless) {
             $request->query->remove($this->usernameParameter);
             $request->server->set('QUERY_STRING', http_build_query($request->query->all(), '', '&'));
-            $response = new RedirectResponse($this->urlGenerator && $this->targetRoute ? $this->urlGenerator->generate($this->targetRoute) : $request->getUri(), 302);
+            $response = new RedirectResponse($this->urlGenerator && $this->targetRoute && self::EXIT_VALUE !== $username ? $this->urlGenerator->generate($this->targetRoute) : $request->getUri(), 302);
 
             $event->setResponse($response);
         }
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php
@@ -17,6 +17,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
+use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
@@ -105,6 +106,20 @@ public function testExitUserUpdatesToken()
         $this->assertSame($originalToken, $this->tokenStorage->getToken());
     }
 
+    public function testExitUserDoesNotRedirectToTargetRoute()
+    {
+        $originalToken = new UsernamePasswordToken(new InMemoryUser('username', '', []), 'key', []);
+        $this->tokenStorage->setToken(new SwitchUserToken(new InMemoryUser('username', '', ['ROLE_USER']), 'key', ['ROLE_USER'], $originalToken));
+
+        $this->request->query->set('_switch_user', SwitchUserListener::EXIT_VALUE);
+
+        $listener = new SwitchUserListener($this->tokenStorage, $this->userProvider, $this->userChecker, 'provider123', $this->accessDecisionManager, urlGenerator: $this->createMock(UrlGeneratorInterface::class), targetRoute: 'whatever');
+        $listener($this->event);
+
+        $this->assertInstanceOf(RedirectResponse::class, $this->event->getResponse());
+        $this->assertSame($this->request->getUri(), $this->event->getResponse()->getTargetUrl());
+    }
+
     public function testExitUserDispatchesEventWithRefreshedUser()
     {
         $originalUser = new InMemoryUser('username', null);

Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,7 @@ public function authenticate(RequestEvent $event): void`
`124`	`124`	`if (!$this->stateless) {`
`125`	`125`	`$request->query->remove($this->usernameParameter);`
`126`	`126`	`$request->server->set('QUERY_STRING', http_build_query($request->query->all(), '', '&'));`
`127`		`- $response = new RedirectResponse($this->urlGenerator && $this->targetRoute ? $this->urlGenerator->generate($this->targetRoute) : $request->getUri(), 302);`
	`127`	`+ $response = new RedirectResponse($this->urlGenerator && $this->targetRoute && self::EXIT_VALUE !== $username ? $this->urlGenerator->generate($this->targetRoute) : $request->getUri(), 302);`
`128`	`128`
`129`	`129`	`$event->setResponse($response);`
`130`	`130`	`}`