diff --git a/lib/Cake/Controller/Component/AuthComponent.php b/lib/Cake/Controller/Component/AuthComponent.php
index 8f68c9b7c46..bf84e7847fd 100644
--- a/lib/Cake/Controller/Component/AuthComponent.php
+++ b/lib/Cake/Controller/Component/AuthComponent.php
@@ -310,7 +310,7 @@ public function startup(Controller $controller) {
 if ($loginAction == $url) {
 if (empty($request->data)) {
- if (!$this->Session->check('Auth.redirect') && !$this->loginRedirect && env('HTTP_REFERER')) {
+ if (!$this->Session->check('Auth.redirect') && env('HTTP_REFERER')) {
 $this->Session->write('Auth.redirect', $controller->referer(null, true));
 }
 }
@@ -554,7 +554,7 @@ public function login($user = null) {
 }
 /**
- * Log a user out.
+ * Log a user out.
  *
  * Returns the login action to redirect to. Triggers the logout() method of
  * all the authenticate objects, so they can perform custom logout logic.
@@ -645,9 +645,17 @@ public function redirect($url = null) {
 /**
  * Get the URL a use should be redirected to upon login.
  *
- * If no parameter is passed, gets the authentication redirect URL. Pass a url in to
- * set the destination a user should be redirected to upon logging in. Will fallback to
- * AuthComponent::$loginRedirect if there is no stored redirect value.
+ * Pass a url in to set the destination a user should be redirected to upon
+ * logging in.
+ *
+ * If no parameter is passed, gets the authentication redirect URL. The url
+ * returned is as per following rules:
+ *
+ * - Returns the session Auth.redirect value if it is present and for the same
+ * domain the current app is running on.
+ * - If there is no session value and there is a $loginRedirect, the $loginRedirect
+ * value is returned.
+ * - If there is no session and no $loginRedirect, / is returned.
  *
  * @param string|array $url Optional URL to write as the login redirect URL.
  * @return string Redirect URL
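Review bot: With `!$this->loginRedirect` dropped from the condition, the referer is stored in Auth.redirect on every data-less visit to the login action, so the second argument in `$controller->referer(null, true)` (the local-only flag of Controller::referer()) is now the only thing keeping an off-site Referer header out of the post-login redirect; that line deserves a comment pinning the intent so a later refactor does not drop the flag: `// local = true: an off-site Referer must never become the post-login redirect`. The commit also deletes testLoginActionNotSettingAuthRedirect, which asserted the old behaviour, without adding a positive test that Auth.redirect now holds the local referer when $loginRedirect is set; adding one keeps the new behaviour covered. startup() begins and ends outside the hunk.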
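Review bot: The new rules list says the session Auth.redirect value is returned only when it is "for the same domain the current app is running on", yet the part of redirectUrl() visible in the next hunk performs no such check; that property appears to come from startup() storing only a local referer, so the sentence would be more accurate as "the session Auth.redirect value, which startup() only ever stores as a local URL". The unchanged summary line one above still reads `Get the URL a use should be redirected to upon login.` and should say `a user` while the docblock is being rewritten. The last rule is slightly imprecise because the value passes through Router::normalize(); `Router::normalize('/') is returned` matches the code.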
@@ -663,8 +671,10 @@ public function redirectUrl($url = null) {
 if (Router::normalize($redir) == Router::normalize($this->loginAction)) {
 $redir = $this->loginRedirect;
 }
- } else {
+ } elseif ($this->loginRedirect) {
 $redir = $this->loginRedirect;
+ } else {
+ $redir = '/';
 }
 return Router::normalize($redir);
 }
diff --git a/lib/Cake/Test/Case/Controller/Component/AuthComponentTest.php b/lib/Cake/Test/Case/Controller/Component/AuthComponentTest.php
index b4e8f9a36c1..d29c9448356 100644
--- a/lib/Cake/Test/Case/Controller/Component/AuthComponentTest.php
+++ b/lib/Cake/Test/Case/Controller/Component/AuthComponentTest.php
@@ -417,30 +417,6 @@ public function testLogin() {
 $this->assertEquals($user, $this->Auth->user());
 }
-/**
- * test that being redirected to the login page, with no post data does
- * not set the session value. Saving the session value in this circumstance
- * can cause the user to be redirected to an already public page.
- *
- * @return void
- */
- public function testLoginActionNotSettingAuthRedirect() {
- $_SERVER['HTTP_REFERER'] = '/pages/display/about';
- $this->Controller->data = array();
- $this->Controller->request->addParams(Router::parse('auth_test/login'));
- $this->Controller->request->url = 'auth_test/login';
- $this->Auth->Session->delete('Auth');
- $this->Auth->loginRedirect = '/users/dashboard';
- $this->Auth->loginAction = 'auth_test/login';
- $this->Auth->userModel = 'AuthUser';
- $this->Auth->startup($this->Controller);
- $redirect = $this->Auth->Session->read('Auth.redirect');
- $this->assertNull($redirect);
- }
-
 /**
  * testAuthorizeFalse method
  *
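Review bot: The new `'/'` fallback only covers the no-session branch; in the branch above it, when the stored Auth.redirect equals loginAction and $loginRedirect is unset, `$redir = $this->loginRedirect;` still leaves $redir null and the result depends on what Router::normalize(null) yields, which contradicts the docblock's rule that `/` is returned when there is no $loginRedirect. Changing that inner assignment to `$redir = $this->loginRedirect ? $this->loginRedirect : '/';`, or adding a single `if (!$redir) { $redir = '/'; }` before the return, makes the branches consistent. The `==` between the two normalized URLs is a loose comparison; `===` is safer if Router::normalize() always returns a string, which looks to be the case but should be confirmed. redirectUrl() starts outside the hunk.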