Updating AuthComponent::startup() so that being redirected to loginAc…

…tion with no Auth.redirect value in the session and a non empty loginRedirect defined, the Auth.redirect value is not overwritten. This prevents redirection to already accessible pages. Test cases updated.

Fixes #173

cake/libs/controller/components/auth.php

@@ -337,7 +337,7 @@ function startup(&$controller) {
 		if ($loginAction == $url) {
 			$model =& $this->getModel();
 			if (empty($controller->data) || !isset($controller->data[$model->alias])) {
-				if (!$this->Session->check('Auth.redirect') && env('HTTP_REFERER')) {
+				if (!$this->Session->check('Auth.redirect') && !$this->loginRedirect && env('HTTP_REFERER')) {
 					$this->Session->write('Auth.redirect', $controller->referer(null, true));
 				}
 				return false;

cake/tests/cases/libs/controller/components/auth.test.php

@@ -623,6 +623,31 @@ function testLogin() {
 		$this->Controller->Session->delete('Auth');
 	}
 
+/**
+ * test that being redirected to the login page, with no post data does 
+ * not set the session value.  Saving the session value in this circumstance
+ * can cause the user to be redirected to an already public page.
+ *
+ * @return void
+ */
+	function testLoginActionNotSettingAuthRedirect() {
+		$_referer = $_SERVER['HTTP_REFERER'];
+		$_SERVER['HTTP_REFERER'] = '/pages/display/about';
+
+		$this->Controller->data = array();
+		$this->Controller->params = Router::parse('auth_test/login');
+		$this->Controller->params['url']['url'] = 'auth_test/login';
+		$this->Controller->Session->delete('Auth');
+
+		$this->Controller->Auth->loginRedirect = '/users/dashboard';
+		$this->Controller->Auth->loginAction = 'auth_test/login';
+		$this->Controller->Auth->userModel = 'AuthUser';
+
+		$this->Controller->Auth->startup($this->Controller);
+		$redirect = $this->Controller->Session->read('Auth.redirect');
+		$this->assertNull($redirect);
+	}
+
 /**
  * testAuthorizeFalse method
  *