Merge pull request #3456 from mhsdesign/task/allow-to-return-from-withoutAuthorizationChecks

TASK: Allow to return closure value from `withoutAuthorizationChecks()`

Author: kitsunet

Neos.Flow/Classes/Security/Authentication/Provider/PersistedUsernamePasswordProvider.php

@@ -12,7 +12,6 @@
  */
 
 use Neos\Flow\Annotations as Flow;
-use Neos\Flow\Security\Account;
 use Neos\Flow\Security\AccountRepository;
 use Neos\Flow\Security\Authentication\Token\UsernamePasswordTokenInterface;
 use Neos\Flow\Security\Authentication\TokenInterface;
@@ -86,9 +85,6 @@ public function authenticate(TokenInterface $authenticationToken)
             throw new UnsupportedAuthenticationTokenException(sprintf('This provider cannot authenticate the given token. The token must implement %s', UsernamePasswordTokenInterface::class), 1217339840);
         }
 
-        /** @var Account|null $account */
-        $account = null;
-
         if ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) {
             $authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
         }
@@ -101,8 +97,8 @@ public function authenticate(TokenInterface $authenticationToken)
         }
 
         $providerName = $this->options['lookupProviderName'] ?? $this->name;
-        $this->securityContext->withoutAuthorizationChecks(function () use ($username, &$account, $providerName) {
-            $account = $this->accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($username, $providerName);
+        $account = $this->securityContext->withoutAuthorizationChecks(function () use ($username, $providerName) {
+            return $this->accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($username, $providerName);
         });
 
         $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);

Neos.Flow/Classes/Security/Authorization/Privilege/Entity/Doctrine/PropertyConditionGenerator.php

@@ -553,8 +553,8 @@ public function getValueForOperand($expression)
             $objectAccess = explode('.', $expression, 3);
             $globalObjectsRegisteredClassName = $this->globalObjects[$objectAccess[1]];
             $globalObject = $this->objectManager->get($globalObjectsRegisteredClassName);
-            $this->securityContext->withoutAuthorizationChecks(function () use ($globalObject, $objectAccess, &$globalObjectValue) {
-                $globalObjectValue = $this->getObjectValueByPath($globalObject, $objectAccess[2]);
+            $globalObjectValue = $this->securityContext->withoutAuthorizationChecks(function () use ($globalObject, $objectAccess) {
+                return $this->getObjectValueByPath($globalObject, $objectAccess[2]);
             });
 
             return $globalObjectValue;

Neos.Flow/Classes/Security/Context.php

@@ -202,22 +202,22 @@ class Context
      * Lets you switch off authorization checks (CSRF token, policies, content security, ...) for the runtime of $callback
      *
      * Usage:
-     * $this->securityContext->withoutAuthorizationChecks(function () use ($accountRepository, $username, $providerName, &$account) {
-     *   // this will disable the PersistenceQueryRewritingAspect for this one call
-     *   $account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($username, $providerName)
-     * });
      *
-     * @param \Closure $callback
-     * @return void
-     * @throws \Exception
+     *     $account = $this->securityContext->withoutAuthorizationChecks(function () use ($accountRepository, $username, $providerName) {
+     *       // this will disable the PersistenceQueryRewritingAspect for this one call
+     *       return $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($username, $providerName)
+     *     });
+     *
+     * @template T
+     * @param \Closure(): T $callback
+     * @return T the return value of $callback
      */
-    public function withoutAuthorizationChecks(\Closure $callback)
+    public function withoutAuthorizationChecks(\Closure $callback): mixed
     {
         $authorizationChecksAreAlreadyDisabled = $this->authorizationChecksDisabled;
         $this->authorizationChecksDisabled = true;
         try {
-            /** @noinspection PhpUndefinedMethodInspection */
-            $callback->__invoke();
+            return $callback();
         } finally {
             $this->authorizationChecksDisabled = $authorizationChecksAreAlreadyDisabled;
         }

Neos.Flow/Tests/Functional/Command/BehatHelperCommandController.php

@@ -67,11 +67,10 @@ public function callBehatStepCommand($testHelperObjectName, $methodName, $withou
             $mappedArguments[] = $this->propertyMapper->convert($rawMethodArguments[$i+1], $rawMethodArguments[$i]);
         }
 
-        $result = null;
         try {
             if ($withoutSecurityChecks === true) {
-                $this->securityContext->withoutAuthorizationChecks(function () use ($testHelper, $methodName, $mappedArguments, &$result) {
-                    $result = call_user_func_array([$testHelper, $methodName], $mappedArguments);
+                $result = $this->securityContext->withoutAuthorizationChecks(function () use ($testHelper, $methodName, $mappedArguments) {
+                    return call_user_func_array([$testHelper, $methodName], $mappedArguments);
                 });
             } else {
                 $result = call_user_func_array([$testHelper, $methodName], $mappedArguments);