IBX-2880: Added PasswordExpiredException #309
Conversation
To be frank I'm not convinced that we should introduce a dedicated exception for something that already has its own exception in the framework. Developers will need to respect both after this patch is added, which adds to the complexity and knowledge required to properly handle our library. Instead I would propose to check

We also need to ensure that we are not exposing user account existence when credentials are expired. That's the purpose of the Symfony code. If we're always redirecting to the password refresh page, we might introduce a security issue.

Unfortunately, we cannot use `previous` on the last authentication exception, as for this case it is always
Following private discussion we concluded that this is actually the proper solution.
src/lib/MVC/Symfony/Security/Exception/PasswordExpiredException.php
+1 apart from @Steveb-p's suggestions.
…n.php Co-authored-by: Paweł Niedzielski <pawel.tadeusz.niedzielski@gmail.com>
…n.php Co-authored-by: Paweł Niedzielski <pawel.tadeusz.niedzielski@gmail.com>
Kudos, SonarCloud Quality Gate passed! 0 Bugs. No Coverage information.
v3.3
`CredentialsExpiredListener` expects `CredentialsExpiredException`, which will never happen, as the Exception is immediately replaced with `BadCredentialsException` in https://github.com/symfony/security-core/blob/5.4/Authentication/Provider/UserAuthenticationProvider.php#L90

This PR adds a new `PasswordExpiredException` exception which extends `CustomUserMessageAccountStatusException`, which allows for it to be propagated to the top so `CredentialsExpiredListener` can act properly when it happens.

AdminUI part of PR: ezsystems/ezplatform-admin-ui#2045

Checklist:
- `$ composer fix-cs`
- `@ezsystems/engineering-team`
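The mechanism the PR description relies on, shown end to end as an added example that is not code from this PR or from the ezplatform-kernel project: a status exception that survives the authentication pipeline, a user checker that raises it only after the password has been verified, and a failure handler that redirects for that one exception while every other failure keeps the generic response. It assumes PHP 8, symfony/security-core and symfony/security-http installed, a firewall whose `user_checker` points at `ExpiringPasswordChecker` and whose `failure_handler` is `PasswordExpiryFailureHandler`; `PasswordPolicyUser`, `ExpiringPasswordChecker`, `PasswordExpiryFailureHandler` and the `/password/change` path are hypothetical names chosen for this illustration.

```php
<?php
// Added example, not the project's own code. Assumes symfony/security-core and
// symfony/security-http; PasswordPolicyUser, ExpiringPasswordChecker,
// PasswordExpiryFailureHandler and "/password/change" are hypothetical names.

declare(strict_types=1);

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;

/**
 * Extends CustomUserMessageAccountStatusException (not CredentialsExpiredException)
 * so the failure handler receives this exact type instead of a generic
 * BadCredentialsException.
 */
final class PasswordExpiredException extends CustomUserMessageAccountStatusException
{
    public function __construct(UserInterface $user, ?\Throwable $previous = null)
    {
        parent::__construct('Your password has expired and must be changed.', [], 0, $previous);
        $this->setUser($user);
    }
}

/** Hypothetical user contract: the application records when a password expires. */
interface PasswordPolicyUser extends UserInterface
{
    public function getPasswordExpiresAt(): ?\DateTimeImmutable;
}

final class ExpiringPasswordChecker implements UserCheckerInterface
{
    public function checkPreAuth(UserInterface $user): void
    {
        // Intentionally empty: anything thrown here happens before the submitted
        // password is verified, so it would tell an anonymous caller that the
        // account exists and what state it is in.
    }

    public function checkPostAuth(UserInterface $user): void
    {
        // Reached only after the credentials check succeeded, which is also where
        // Symfony's own UserChecker raises CredentialsExpiredException.
        if (!$user instanceof PasswordPolicyUser) {
            return;
        }

        $expiresAt = $user->getPasswordExpiresAt();
        if ($expiresAt !== null && $expiresAt <= new \DateTimeImmutable()) {
            throw new PasswordExpiredException($user);
        }
    }
}

final class PasswordExpiryFailureHandler implements AuthenticationFailureHandlerInterface
{
    public function __construct(
        private AuthenticationFailureHandlerInterface $defaultHandler,
        private string $changePasswordPath = '/password/change',
    ) {
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
    {
        if ($exception instanceof PasswordExpiredException) {
            // The password was correct; only the rotation step is outstanding.
            // No session is created here: the change-password page must ask for
            // the current password again before accepting a new one.
            return new RedirectResponse($this->changePasswordPath);
        }

        // Unknown user, wrong password and disabled account all take the same
        // generic path, so the response does not distinguish between them.
        return $this->defaultHandler->onAuthenticationFailure($request, $exception);
    }
}
```

The redirect is safe to issue only because the exception originates in `checkPostAuth`; moving the expiry test into `checkPreAuth`, or redirecting on every `AccountStatusException`, would reintroduce the account-existence disclosure that the reviewer comment above warns about.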