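/**
 * Checks that the token's credentials are valid for the loaded user, and that an
 * impersonation request is only honoured for users allowed to switch.
 *
 * @param UserInterface         $user  The user loaded by the user provider
 * @param UsernamePasswordToken $token The token carrying the presented credentials
 *
 * @throws BadCredentialsException when the stored password changed in another session,
 *                                 when the presented password is empty or invalid, or when
 *                                 a 'desired_user' switch is requested without ROLE_ALLOWED_TO_SWITCH
 */
protected function checkAuthentication(UserInterface $user, UsernamePasswordToken $token)
{
    $currentUser = $token->getUser();

    if ($currentUser instanceof UserInterface) {
        // The token already holds an authenticated user (re-authentication of an
        // existing session): the stored hash must still match the freshly loaded one,
        // otherwise the password was changed elsewhere and this session is stale.
        if ($currentUser->getPassword() !== $user->getPassword()) {
            throw new BadCredentialsException('The credentials were changed from another session.');
        }
    } else {
        $presentedPassword = $token->getCredentials();

        // Reject missing (null) as well as empty credentials up front instead of
        // handing them to the encoder; the original check only caught "".
        if (null === $presentedPassword || '' === $presentedPassword) {
            throw new BadCredentialsException('The presented password cannot be empty.');
        }

        $encoder = $this->encoderFactory->getEncoder($user);
        if (!$encoder->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
            throw new BadCredentialsException('The presented password is invalid.');
        }
    }

    // An impersonation request is signalled by the 'desired_user' attribute; only
    // users holding ROLE_ALLOWED_TO_SWITCH may authenticate as someone else.
    if ($token->hasAttribute('desired_user')) {
        $roles = $user->getRoles();

        // NOTE(review): in_array is deliberately left non-strict here — getRoles()
        // may yield role objects rather than plain strings; confirm before making it strict.
        if (!in_array('ROLE_ALLOWED_TO_SWITCH', $roles)) {
            throw new BadCredentialsException('You are not allowed to login as other users.');
        }
    }
}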