diff --git a/cake/libs/controller/components/auth.php b/cake/libs/controller/components/auth.php
index 13a6fb29a24..b391b972b8b 100644
--- a/cake/libs/controller/components/auth.php
+++ b/cake/libs/controller/components/auth.php
@@ -337,7 +337,7 @@ function startup(&$controller) {
 if ($loginAction == $url) {
 $model =& $this->getModel();
 if (empty($controller->data) || !isset($controller->data[$model->alias])) {
- if (!$this->Session->check('Auth.redirect') && env('HTTP_REFERER')) {
+ if (!$this->Session->check('Auth.redirect') && !$this->loginRedirect && env('HTTP_REFERER')) {
 $this->Session->write('Auth.redirect', $controller->referer(null, true));
 }
 return false;
diff --git a/cake/tests/cases/libs/controller/components/auth.test.php b/cake/tests/cases/libs/controller/components/auth.test.php
index 202c5304339..874fb1e1326 100644
--- a/cake/tests/cases/libs/controller/components/auth.test.php
+++ b/cake/tests/cases/libs/controller/components/auth.test.php
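Review bot: The new `!$this->loginRedirect` clause changes when the referer is captured into the session, and nothing in the hunk explains why; a one-line comment above the condition would help, e.g. `// A configured loginRedirect wins: capturing the referer here would send the user back to the (public) page they came from instead of the configured destination.` The clause is a truthiness test, so a loginRedirect of `''` or `'0'` would still let the referer be stored — harmless if the property defaults to `null`, which I cannot confirm from the hunk. The value being written comes from the Referer header via `$controller->referer(null, true)`, so the redirect target stays attacker-influenced and it remains important that the `local` flag confines it to a same-application path; that logic is outside this hunk. The enclosing `startup()` begins and ends outside the hunk.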
@@ -623,6 +623,31 @@ function testLogin() {
 $this->Controller->Session->delete('Auth');
 }
+/**
+ * test that being redirected to the login page, with no post data does
+ * not set the session value. Saving the session value in this circumstance
+ * can cause the user to be redirected to an already public page.
+ *
+ * @return void
+ */
+ function testLoginActionNotSettingAuthRedirect() {
+ $_referer = $_SERVER['HTTP_REFERER'];
+ $_SERVER['HTTP_REFERER'] = '/pages/display/about';
+
+ $this->Controller->data = array();
+ $this->Controller->params = Router::parse('auth_test/login');
+ $this->Controller->params['url']['url'] = 'auth_test/login';
+ $this->Controller->Session->delete('Auth');
+
+ $this->Controller->Auth->loginRedirect = '/users/dashboard';
+ $this->Controller->Auth->loginAction = 'auth_test/login';
+ $this->Controller->Auth->userModel = 'AuthUser';
+
+ $this->Controller->Auth->startup($this->Controller);
+ $redirect = $this->Controller->Session->read('Auth.redirect');
+ $this->assertNull($redirect);
+ }
+
 /**
  * testAuthorizeFalse method
  *