FormAuthenticator::_checkLoginUrl() fails when accessing alternative route #137
Comments
|
I think you would have to compare array values as well. |
|
@markstory exactly my thought but then it is required that you run the routing middleware before authentication. But this brings up a problem if we want to do authorization against routes. authorization requires the identity. |
|
Couldn't the 'loginAction' be defined as a string URL if people have multiple possible routes a login page can be reached at? |
|
We would always require a string then and turn the URI from the request also into an array and then compare them. Or am I missing something? If not I'll do the change. |
|
That sounds like it should work to me. |
|
@markstory does that look OK? protected function _checkLoginUrl(ServerRequestInterface $request)
{
$loginUrl = $this->getConfig('loginUrl');
if (!empty($loginUrl)) {
$requestUrl = Router::parseRequest($request);
if (is_string($loginUrl)) {
$loginUrl = Router::parseRequest((new ServerRequest([
'uri' => $loginUrl
])));
$this->setConfig('loginUrl', $loginUrl);
}
$keysToCompare = array_keys($loginUrl);
foreach ($keysToCompare as $key) {
if (!array_key_exists($key, $requestUrl)
|| $requestUrl[$key] !== $loginUrl[$key]
) {
return false;
}
}
}
return true;
} |
|
You could use |
|
@markstory I've pushed the code to the branch |
|
Sure, I'll try to take a look in the next few days. |
|
Closing as #146 covers this. |
For testing I've been accessing the direct controller/action URL
http://cake3.world-architects.com/en/users/loginbut we have a route for that as well/en/login.But the FormAuthenticator compares only a string URL and not if the passed array really matches the resolved controller action but instead only the first route that machtes:
I'm not sure if there is a better way than to compare the arrays to resolve this?
The text was updated successfully, but these errors were encountered: