Symfony version(s) affected
6.4
Description
When using impersonation, one can optionally specify an exitTo URI (when using Twig) to which the user is redirected after exiting the impersonation.
(Compare the Symfony documentation on Twig functions.)
The impersonation exit works, but the user is still redirected to the target_path defined in security.yaml instead of to the exitTo parameter.
This leads to, e.g., 403 Access Denied errors when the target_path points to a route that only the impersonated user has the rights to access.
How to reproduce
Create two different entities in different firewalls, where one can impersonate the other.
Add a target_route you want to be redirected to after successfully impersonating the user.
Thereafter, exit the impersonation using the Twig function and an exitTo URI that the impersonating user has access to.
As this is somewhat more complex, I created the following repo to reproduce this bug: https://github.com/sakul95/impersonation_exit_bug
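The following security.yaml fragment is an added illustration of the setup the reproduction steps describe; it is not taken from the reporter's repository or from Symfony itself. To isolate the point it uses a single firewall rather than two, and the provider names, entity classes, route names and roles are assumptions. The switch_user target_route points at a route that access_control restricts to ROLE_CUSTOMER, a role the impersonating admin does not hold, so an exit redirect that lands there is denied.

```yaml
# config/packages/security.yaml (illustrative; names are assumptions)
security:
    providers:
        admin_provider:
            entity: { class: App\Entity\Admin, property: email }
        customer_provider:
            entity: { class: App\Entity\Customer, property: email }

    firewalls:
        main:
            pattern: ^/
            provider: admin_provider
            form_login:
                login_path: app_login
                check_path: app_login
            switch_user:
                role: ROLE_ALLOWED_TO_SWITCH     # admins with this role may impersonate
                parameter: _switch_user          # ?_switch_user=<identifier> / ?_switch_user=_exit
                provider: customer_provider      # the impersonated users come from this provider
                target_route: customer_dashboard # redirect target after switching

    access_control:
        # Only the impersonated customer can reach the dashboard that target_route points to;
        # an admin without ROLE_CUSTOMER who is redirected there after exiting gets a 403.
        - { path: ^/customer, roles: ROLE_CUSTOMER }
        - { path: ^/admin,    roles: ROLE_ADMIN }
```

With this configuration, the exit link in a template would be rendered with the documented Twig function and an exitTo path the admin may access, for example `{{ impersonation_exit_path(path('admin_dashboard')) }}` (assuming an `admin_dashboard` route). The behaviour reported above is that the listener still redirects to `customer_dashboard` after the exit, which access_control then denies for the admin.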
Possible Solution
I presume that once a developer has specified a target_path in security.yaml, the intention is to access a route that only the impersonated user is allowed to. Thus this route won't be accessible to the impersonating user.
Therefore, the defined exitTo argument should primarily be used.
I locally fixed this in Symfony\Component\Security\Http\Firewall\SwitchUserListener and can provide a pull request if necessary.
Additional Context
No response