Merge branch '7.4' into 8.0

nicolas-grekas · nicolas-grekas · commit 9016ce60bfd1 · 2025-08-26T11:23:28.000+02:00
* 7.4:
  [Security] Fix deprecation
  [Serializer] Don't fallback to default serializer if tags specify a named one
  make RoutingControllerPass and AttributeServicesLoader final
  fix tests
  [Security] Preserve ordering of roles in RoleHierarchy
  [Messenger] Fix Oracle errors 'ORA-00955: Name is already used by an existing object' with Doctrine transport
  [FrameworkBundle] Only show relevant columns in `debug:router` call and adding colors
  [Security] Improve performance of `RoleHierarchy::buildRoleMap` method
  chore: add exclude-receivers consume parameters
  [ObjectMapper] embed collection transformer
  [SecurityHttp] Removes final keyword from IsGranted attribute
  [String] Fix nodes singular
  [Console] Fix testing multiline question
  [Security][Validator] Review translations.
  [Security] Ignore target route when exiting impersonation
  [Console] Restore SHELL_VERBOSITY after a command is ran
diff --git a/Attribute/IsGranted.php b/Attribute/IsGranted.php
@@ -22,7 +22,7 @@
  * @author Ryan Weaver <ryan@knpuniversity.com>
  */
 #[\Attribute(\Attribute::IS_REPEATABLE | \Attribute::TARGET_CLASS | \Attribute::TARGET_METHOD | \Attribute::TARGET_FUNCTION)]
-final class IsGranted
+class IsGranted
 {
     /** @var string[] */
     public readonly array $methods;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,7 @@ CHANGELOG
  * Deprecate callable firewall listeners, extend `AbstractListener` or implement `FirewallListenerInterface` instead
  * Deprecate `AbstractListener::__invoke`
  * Add `$methods` argument to `#[IsGranted]` to restrict validation to specific HTTP methods
+ * Remove `final` keyword from `#[IsGranted]` to allow implementation of custom attributes
 
 7.3
 ---
diff --git a/Firewall/SwitchUserListener.php b/Firewall/SwitchUserListener.php
@@ -111,7 +111,7 @@ public function authenticate(RequestEvent $event): void
         if (!$this->stateless) {
             $request->query->remove($this->usernameParameter);
             $request->server->set('QUERY_STRING', http_build_query($request->query->all(), '', '&'));
-            $response = new RedirectResponse($this->urlGenerator && $this->targetRoute ? $this->urlGenerator->generate($this->targetRoute) : $request->getUri(), 302);
+            $response = new RedirectResponse($this->urlGenerator && $this->targetRoute && self::EXIT_VALUE !== $username ? $this->urlGenerator->generate($this->targetRoute) : $request->getUri(), 302);
 
             $event->setResponse($response);
         }
diff --git a/Tests/Firewall/SwitchUserListenerTest.php b/Tests/Firewall/SwitchUserListenerTest.php
@@ -17,6 +17,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
+use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
@@ -109,6 +110,21 @@ public function testExitUserUpdatesToken()
         $this->assertSame($originalToken, $this->tokenStorage->getToken());
     }
 
+    public function testExitUserDoesNotRedirectToTargetRoute()
+    {
+        $originalToken = new UsernamePasswordToken(new InMemoryUser('username', '', []), 'key', []);
+        $this->tokenStorage->setToken(new SwitchUserToken(new InMemoryUser('username', '', ['ROLE_USER']), 'key', ['ROLE_USER'], $originalToken));
+
+        $this->request->query->set('_switch_user', SwitchUserListener::EXIT_VALUE);
+
+        $listener = new SwitchUserListener($this->tokenStorage, $this->userProvider, $this->userChecker, 'provider123', $this->accessDecisionManager, urlGenerator: $this->createMock(UrlGeneratorInterface::class), targetRoute: 'whatever');
+        $this->assertTrue($listener->supports($this->event->getRequest()));
+        $listener->authenticate($this->event);
+
+        $this->assertInstanceOf(RedirectResponse::class, $this->event->getResponse());
+        $this->assertSame($this->request->getUri(), $this->event->getResponse()->getTargetUrl());
+    }
+
     public function testExitUserDispatchesEventWithRefreshedUser()
     {
         $originalUser = new InMemoryUser('username', null);

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@`
`22`	`22`	`* @author Ryan Weaver <ryan@knpuniversity.com>`
`23`	`23`	`*/`
`24`	`24`	`#[\Attribute(\Attribute::IS_REPEATABLE \| \Attribute::TARGET_CLASS \| \Attribute::TARGET_METHOD \| \Attribute::TARGET_FUNCTION)]`
`25`		`-final class IsGranted`
	`25`	`+class IsGranted`
`26`	`26`	`{`
`27`	`27`	`/** @var string[] */`
`28`	`28`	`public readonly array $methods;`
Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ public function authenticate(RequestEvent $event): void`
`111`	`111`	`if (!$this->stateless) {`
`112`	`112`	`$request->query->remove($this->usernameParameter);`
`113`	`113`	`$request->server->set('QUERY_STRING', http_build_query($request->query->all(), '', '&'));`
`114`		`- $response = new RedirectResponse($this->urlGenerator && $this->targetRoute ? $this->urlGenerator->generate($this->targetRoute) : $request->getUri(), 302);`
	`114`	`+ $response = new RedirectResponse($this->urlGenerator && $this->targetRoute && self::EXIT_VALUE !== $username ? $this->urlGenerator->generate($this->targetRoute) : $request->getUri(), 302);`
`115`	`115`
`116`	`116`	`$event->setResponse($response);`
`117`	`117`	`}`