Merge branch '4.1'

* 4.1: (27 commits)
  Added the Code of Conduct file
  do not override custom access decision configs
  [Security] Do not deauthenticate user when the first refreshed user has changed
  fix a return type hint
  invalidate stale commits for PRs too
  add missing cache prefix seed attribute to XSD
  fix command description
  Fix class documentation
  [Validator] Add a missing translation
  [FrameworkBundle] Fix 3.4 tests
  [DI] fix dumping inline services again
  Rename consumer to receiver
  Register messenger before the profiler
  Fix phpdocs
  [EventDispatcher] Remove template method in test case
  Added LB translation for #27993 (UUID validator message translation)
  Replace deprecated validateValue with validate
  [FWBundle] Automatically enable PropertyInfo when using Flex
  [Process] fix locking of pipe files on Windows
  Correct PHPDoc type for float ttl
  ...

Author: nicolas-grekas

Firewall/ContextListener.php

@@ -161,6 +161,7 @@ protected function refreshUser(TokenInterface $token)
         }
 
         $userNotFoundByProvider = false;
+        $userDeauthenticated = false;
 
         foreach ($this->userProviders as $provider) {
             if (!$provider instanceof UserProviderInterface) {
@@ -169,17 +170,26 @@ protected function refreshUser(TokenInterface $token)
 
             try {
                 $refreshedUser = $provider->refreshUser($user);
-                $token->setUser($refreshedUser);
+                $newToken = unserialize(serialize($token));
+                $newToken->setUser($refreshedUser);
 
                 // tokens can be deauthenticated if the user has been changed.
-                if (!$token->isAuthenticated()) {
-                    if (null !== $this->logger) {
-                        $this->logger->debug('Token was deauthenticated after trying to refresh it.', array('username' => $refreshedUser->getUsername(), 'provider' => \get_class($provider)));
+                if (!$newToken->isAuthenticated()) {
+                    if ($this->logoutOnUserChange) {
+                        $userDeauthenticated = true;
+
+                        if (null !== $this->logger) {
+                            $this->logger->debug('Cannot refresh token because user has changed.', array('username' => $refreshedUser->getUsername(), 'provider' => \get_class($provider)));
+                        }
+
+                        continue;
                     }
 
                     return null;
                 }
 
+                $token->setUser($refreshedUser);
+
                 if (null !== $this->logger) {
                     $context = array('provider' => \get_class($provider), 'username' => $refreshedUser->getUsername());
 
@@ -205,6 +215,14 @@ protected function refreshUser(TokenInterface $token)
             }
         }
 
+        if ($userDeauthenticated) {
+            if (null !== $this->logger) {
+                $this->logger->debug('Token was deauthenticated after trying to refresh it.');
+            }
+
+            return null;
+        }
+
         if ($userNotFoundByProvider) {
             return null;
         }

Tests/Firewall/ContextListenerTest.php

@@ -260,6 +260,15 @@ public function testIfTokenIsDeauthenticated()
         $this->assertNull($tokenStorage->getToken());
     }
 
+    public function testIfTokenIsNotDeauthenticated()
+    {
+        $tokenStorage = new TokenStorage();
+        $badRefreshedUser = new User('foobar', 'baz');
+        $goodRefreshedUser = new User('foobar', 'bar');
+        $this->handleEventWithPreviousSession($tokenStorage, array(new SupportingUserProvider($badRefreshedUser), new SupportingUserProvider($goodRefreshedUser)), $goodRefreshedUser, true);
+        $this->assertSame($goodRefreshedUser, $tokenStorage->getToken()->getUser());
+    }
+
     public function testTryAllUserProvidersUntilASupportingUserProviderIsFound()
     {
         $tokenStorage = new TokenStorage();