[Security] Support union type for #[CurrentUser] attribute

VincentLanglet · fabpot · commit 870fa697ab71 · 2025-07-25T07:13:14.000+02:00
diff --git a/src/Symfony/Component/Security/Http/CHANGELOG.md b/src/Symfony/Component/Security/Http/CHANGELOG.md
@@ -4,6 +4,7 @@ CHANGELOG
 7.4
 ---
 
+ * Add support for union types with `#[CurrentUser]`
  * Deprecate callable firewall listeners, extend `AbstractListener` or implement `FirewallListenerInterface` instead
  * Deprecate `AbstractListener::__invoke`
 
diff --git a/src/Symfony/Component/Security/Http/Controller/UserValueResolver.php b/src/Symfony/Component/Security/Http/Controller/UserValueResolver.php
@@ -57,6 +57,13 @@ public function resolve(Request $request, ArgumentMetadata $argument): array
             return [$user];
         }
 
+        $types = explode('|', $argument->getType());
+        foreach ($types as $type) {
+            if ($user instanceof $type) {
+                return [$user];
+            }
+        }
+
         throw new AccessDeniedException(\sprintf('The logged-in user is an instance of "%s" but a user of type "%s" is expected.', $user::class, $argument->getType()));
     }
 }
diff --git a/src/Symfony/Component/Security/Http/Tests/Controller/UserValueResolverTest.php b/src/Symfony/Component/Security/Http/Tests/Controller/UserValueResolverTest.php
@@ -21,6 +21,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\User\InMemoryUser;
+use Symfony\Component\Security\Core\User\OAuth2User;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Http\Attribute\CurrentUser;
 use Symfony\Component\Security\Http\Controller\UserValueResolver;
@@ -109,6 +110,19 @@ public function testResolveSucceedsWithTypedAttribute()
         $this->assertSame([$user], $resolver->resolve(Request::create('/'), $metadata));
     }
 
+    public function testResolveSucceedsWithUnionTypedAttribute()
+    {
+        $user = new InMemoryUser('username', 'password');
+        $token = new UsernamePasswordToken($user, 'provider');
+        $tokenStorage = new TokenStorage();
+        $tokenStorage->setToken($token);
+
+        $resolver = new UserValueResolver($tokenStorage);
+        $metadata = new ArgumentMetadata('foo', InMemoryUser::class.'|'.OAuth2User::class, false, false, null, false, [new CurrentUser()]);
+
+        $this->assertSame([$user], $resolver->resolve(Request::create('/'), $metadata));
+    }
+
     public function testResolveThrowsAccessDeniedWithWrongUserClass()
     {
         $user = $this->createMock(UserInterface::class);

Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,13 @@ public function resolve(Request $request, ArgumentMetadata $argument): array`
`57`	`57`	`return [$user];`
`58`	`58`	`}`
`59`	`59`
	`60`	`+ $types = explode('\|', $argument->getType());`
	`61`	`+ foreach ($types as $type) {`
	`62`	`+ if ($user instanceof $type) {`
	`63`	`+ return [$user];`
	`64`	`+ }`
	`65`	`+ }`
	`66`	`+`
`60`	`67`	`throw new AccessDeniedException(\sprintf('The logged-in user is an instance of "%s" but a user of type "%s" is expected.', $user::class, $argument->getType()));`
`61`	`68`	`}`
`62`	`69`	`}`