From 802020227034f5a86b225ed68b2f786396f34a4f Mon Sep 17 00:00:00 2001
From: Mark Story
Date: Sun, 28 Jun 2015 10:42:21 -0400
Subject: [PATCH] Don't set Location headers when failing ajax requests.

Setting a location header and 403 status codes causes infinite loops when AuthComponent is set to protect `/`.
Refs #6880
---
 src/Controller/Component/AuthComponent.php | 3 ++-
 .../Component/AuthComponentTest.php | 22 +++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/src/Controller/Component/AuthComponent.php b/src/Controller/Component/AuthComponent.php
index 306a901e53a..e623f3f7e86 100644
--- a/src/Controller/Component/AuthComponent.php
+++ b/src/Controller/Component/AuthComponent.php
@@ -364,7 +364,8 @@ protected function _unauthenticated(Controller $controller)
 $response->statusCode(403);
 return $response;
 }
- return $controller->redirect(null, 403);
+ $this->response->statusCode(403);
+ return $this->response;
 }
 
 /**
diff --git a/tests/TestCase/Controller/Component/AuthComponentTest.php b/tests/TestCase/Controller/Component/AuthComponentTest.php
index 0f604fcae86..15f991f33f7 100644
--- a/tests/TestCase/Controller/Component/AuthComponentTest.php
+++ b/tests/TestCase/Controller/Component/AuthComponentTest.php
@@ -973,6 +973,28 @@ public function testAjaxLogin()
 );
 }
 
+ /**
+ * test ajax unauthenticated
+ *
+ * @return void
+ * @triggers Controller.startup $this->Controller
+ */
+ public function testAjaxUnauthenticated()
+ {
+ $this->Controller->request = new Request([
+ 'url' => '/ajax_auth/add',
+ 'environment' => ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
+ ]);
+ $this->Controller->request->params['action'] = 'add';
+
+ $event = new Event('Controller.startup', $this->Controller);
+ $response = $this->Auth->startup($event);
+
+ $this->assertTrue($event->isStopped());
+ $this->assertEquals(403, $response->statusCode());
+ $this->assertArrayNotHasKey('Location', $response->header());
+ }
+
 /**
 * testLoginActionRedirect method
 *
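Review bot: The new early return in `_unauthenticated` gives no hint why the redirect was dropped; the reason (a Location header combined with a 403 re-triggers the auth check whenever the protected scope includes `/`) lives only in the commit message, so add `// No redirect for AJAX: a Location header with a 403 loops when '/' is protected (refs #6880).` above the `$this->response->statusCode(403);` line. The branch just above already does `$response->statusCode(403); return $response;` on a local `$response` whose origin is outside the hunk, so the two paths now differ only in which response object they mutate; if that local is a rendered `ajaxLogin` response, a one-line comment saying so would stop a later reader from collapsing the two branches into one. `_unauthenticated` starts before the hunk, so whether `$this->response` and `$controller->response` are the same object here cannot be confirmed from these lines.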
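Review bot: `testAjaxUnauthenticated` only exercises the new `$this->response` branch if `ajaxLogin` is unset, but nothing in the test states that precondition; it is inherited from setUp outside the hunk, and the neighbouring `testAjaxLogin` presumably configures `ajaxLogin`. Making it explicit, e.g. `$this->Auth->config('ajaxLogin', null);` before `startup()`, keeps the assertion meaningful if the fixture defaults change. Minor style: `$this->assertSame(403, $response->statusCode());` pins the type where `assertEquals` would also accept `'403'`.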