Merge pull request #608 from cakephp/fix-606

Store only the original data in the impersonation session

src/Controller/Component/AuthenticationComponent.php

@@ -17,6 +17,7 @@
 namespace Authentication\Controller\Component;
 
 use ArrayAccess;
+use ArrayObject;
 use Authentication\AuthenticationServiceInterface;
 use Authentication\Authenticator\ImpersonationInterface;
 use Authentication\Authenticator\PersistenceInterface;
@@ -368,12 +369,16 @@ public function impersonate(ArrayAccess $impersonated)
         if (!$identity) {
             throw new UnauthenticatedException('You must be logged in before impersonating a user.');
         }
+        $impersonator = $identity->getOriginalData();
+        if (!($impersonator instanceof ArrayAccess)) {
+            $impersonator = new ArrayObject($impersonator);
+        }
         $controller = $this->getController();
         /** @psalm-var array{request: \Cake\Http\ServerRequest, response: \Cake\Http\Response} $result */
         $result = $service->impersonate(
             $controller->getRequest(),
             $controller->getResponse(),
-            $identity,
+            $impersonator,
             $impersonated
         );
 

tests/TestCase/Controller/Component/AuthenticationComponentTest.php

@@ -565,11 +565,47 @@ public function testImpersonate()
         $controller = new Controller($request, $this->response);
         $registry = new ComponentRegistry($controller);
         $component = new AuthenticationComponent($registry);
+
         $this->assertEquals($impersonator, $controller->getRequest()->getSession()->read('Auth'));
         $this->assertNull($controller->getRequest()->getSession()->read('AuthImpersonate'));
+
         $component->impersonate($impersonated);
         $this->assertEquals($impersonated, $controller->getRequest()->getSession()->read('Auth'));
-        $this->assertEquals($identity, $controller->getRequest()->getSession()->read('AuthImpersonate'));
+        $this->assertEquals($impersonator, $controller->getRequest()->getSession()->read('AuthImpersonate'));
+
+        $component->stopImpersonating();
+        $this->assertNull($controller->getRequest()->getSession()->read('AuthImpersonate'));
+    }
+
+    /**
+     * test that impersonate() can handle identities with array data within them.
+     *
+     * @return void
+     */
+    public function testImpersonateDecoratorIgnored()
+    {
+        $impersonator = ['username' => 'mariano'];
+        $impersonated = new ArrayObject(['username' => 'larry']);
+
+        $this->request->getSession()->write('Auth', $impersonator);
+        $this->service->authenticate($this->request);
+        $identity = new Identity($impersonator);
+        $request = $this->request
+            ->withAttribute('identity', $identity)
+            ->withAttribute('authentication', $this->service);
+        $controller = new Controller($request, $this->response);
+        $registry = new ComponentRegistry($controller);
+        $component = new AuthenticationComponent($registry);
+
+        $this->assertEquals($impersonator, $controller->getRequest()->getSession()->read('Auth'));
+        $this->assertNull($controller->getRequest()->getSession()->read('AuthImpersonate'));
+
+        $component->impersonate($impersonated);
+        $this->assertEquals($impersonated, $controller->getRequest()->getSession()->read('Auth'));
+        $this->assertEquals(new ArrayObject($impersonator), $controller->getRequest()->getSession()->read('AuthImpersonate'));
+
+        $component->stopImpersonating();
+        $this->assertNull($controller->getRequest()->getSession()->read('AuthImpersonate'));
     }
 
     /**