Don't set Location headers when failing ajax requests.

Setting a location header and 403 status codes causes infinite loops when AuthComponent is set to protect `/`. Refs #6880
cakephp · Jun 28, 2015 · 8020202 · 8020202
1 parent 7d7b787
commit 8020202
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/src/Controller/Component/AuthComponent.php b/src/Controller/Component/AuthComponent.php
@@ -364,7 +364,8 @@ protected function _unauthenticated(Controller $controller)
             $response->statusCode(403);
             return $response;
         }
-        return $controller->redirect(null, 403);
+        $this->response->statusCode(403);
+        return $this->response;
     }
 
     /**

diff --git a/tests/TestCase/Controller/Component/AuthComponentTest.php b/tests/TestCase/Controller/Component/AuthComponentTest.php
@@ -973,6 +973,28 @@ public function testAjaxLogin()
         );
     }
 
+    /**
+     * test ajax unauthenticated
+     *
+     * @return void
+     * @triggers Controller.startup $this->Controller
+     */
+    public function testAjaxUnauthenticated()
+    {
+        $this->Controller->request = new Request([
+            'url' => '/ajax_auth/add',
+            'environment' => ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
+        ]);
+        $this->Controller->request->params['action'] = 'add';
+
+        $event = new Event('Controller.startup', $this->Controller);
+        $response = $this->Auth->startup($event);
+
+        $this->assertTrue($event->isStopped());
+        $this->assertEquals(403, $response->statusCode());
+        $this->assertArrayNotHasKey('Location', $response->header());
+    }
+
     /**
      * testLoginActionRedirect method
      *