fix(SecuredEventInterceptor): Relocate by default for non-ajax events

For non-ajax events, `relocate` instead of `overrideEvent` to allow for
preProcess events and the like to fire completely when loading the
login page (or whatever page is the target of the redirect). For
ajax events, `overrideEvent` is still used.  This behavior can be
adjusted in the module settings.

BREAKING CHANGE: Non-ajax events now relocate instead of override the event.

Author: elpete

ModuleConfig.cfc

@@ -37,6 +37,7 @@ component {
 
     function onLoad() {
         controller.getInterceptorService().registerInterceptor(
+            interceptorName = "SecuredEventInterceptor",
             interceptorClass = "#moduleMapping#.interceptors.SecuredEventInterceptor",
             interceptorProperties = settings
         );

README.md

@@ -4,7 +4,6 @@
 
 ## Annotation driven guards for authentication and authorization in ColdBox
 
-
 ### Usage
 
 `cbguard` lets us lock down methods to logged in users and users with specific permissions using one annotation — `secured`.  Just sticking the secured annotation on a handler or action is enough to require a user to log in before executing those events.
@@ -41,7 +40,7 @@ You can further lock down handlers and actions to a list of specific permissions
 
 ```cfc
 component secured="admin" {
-	
+
     function index( event, rc, prc ) {
         // ...
     }
@@ -57,7 +56,7 @@ In the above component, the user must have the `admin` permission to access the
 
 ```cfc
 component {
-	
+
     function show( event, rc, prc ) secured="admin,reviews_posts" {
         // ...
     }
@@ -176,3 +175,23 @@ moduleSettings = {
     }
 };
 ```
+
+Additionally, you can modify the override action for each of the event types:
+
+```cfc
+moduleSettings = {
+    cbguard = {
+        overrideActions = {
+            authenticationOverrideEvent = "relocate",
+            authenticationAjaxOverrideEvent = "override",
+            authorizationOverrideEvent = "relocate",
+            authorizationAjaxOverrideEvent = "override"
+        }
+    }
+};
+```
+
+`relocate` refers to calling `relocate` on the controller. The user will be redirected to the new page.
+`override` refers to `event.overrideEvent`. This will not redirect but simply change the running event.
+
+`

interceptors/SecuredEventInterceptor.cfc

@@ -16,8 +16,7 @@ component extends="coldbox.system.Interceptor"{
     * the event is overridden to the event specified in module settings.
     */
     function preProcess( event, rc, prc, interceptData, buffer ) {
-
-	if ( isNull( variables.authenticationService ) ) {
+        if ( isNull( variables.authenticationService ) ) {
             variables.authenticationService = wirebox.getInstance( getProperty( "AuthenticationService" ) );
         }
 
@@ -56,11 +55,22 @@ component extends="coldbox.system.Interceptor"{
         }
 
         if ( ! invoke( authenticationService, getProperty( "methodNames" )[ "isLoggedIn" ] ) ) {
-            event.overrideEvent(
-                event.isAjax() ?
-                    getProperty( "authenticationAjaxOverrideEvent", getProperty( "authenticationOverrideEvent", "" ) ) :
-                    getProperty( "authenticationOverrideEvent", "" )
-            );
+            var eventType = event.isAjax() ? "authenticationAjaxOverrideEvent" : "authenticationOverrideEvent";
+            var relocateEvent = getProperty( eventType );
+            var overrideAction = getProperty( "overrideActions" )[ eventType ];
+            switch ( overrideAction ) {
+                case "relocate":
+                    relocate( relocateEvent );
+                    break;
+                case "override":
+                    event.overrideEvent( relocateEvent );
+                    break;
+                default:
+                    throw(
+                        type = "InvalidOverideActionType",
+                        message = "The type [#overrideAction#] is not a valid override action.  Valid types are ['relocate', 'override']."
+                    );
+            }
             return true;
         }
 
@@ -81,11 +91,22 @@ component extends="coldbox.system.Interceptor"{
             }
         }
 
-        event.overrideEvent(
-            event.isAjax() ?
-                getProperty( "authorizationAjaxOverrideEvent", getProperty( "authorizationOverrideEvent", "" ) ) :
-                getProperty( "authorizationOverrideEvent", "" )
-        );
+        var eventType = event.isAjax() ? "authorizationAjaxOverrideEvent" : "authorizationOverrideEvent";
+        var relocateEvent = getProperty( eventType );
+        var overrideAction = getProperty( "overrideActions" )[ eventType ];
+        switch ( overrideAction ) {
+            case "relocate":
+                relocate( relocateEvent );
+                break;
+            case "override":
+                event.overrideEvent( relocateEvent );
+                break;
+            default:
+                throw(
+                    type = "InvalidOverideActionType",
+                    message = "The type [#overrideAction#] is not a valid override action.  Valid types are ['relocate', 'override']."
+                );
+        }
         return true;
     }
 
@@ -117,11 +138,22 @@ component extends="coldbox.system.Interceptor"{
         }
 
         if ( ! invoke( authenticationService, getProperty( "methodNames" )[ "isLoggedIn" ] ) ) {
-            event.overrideEvent(
-                event.isAjax() ?
-                    getProperty( "authenticationAjaxOverrideEvent", getProperty( "authenticationOverrideEvent", "" ) ) :
-                    getProperty( "authenticationOverrideEvent", "" )
-            );
+            var eventType = event.isAjax() ? "authenticationAjaxOverrideEvent" : "authenticationOverrideEvent";
+            var relocateEvent = getProperty( eventType );
+            var overrideAction = getProperty( "overrideActions" )[ eventType ];
+            switch ( overrideAction ) {
+                case "relocate":
+                    relocate( relocateEvent );
+                    break;
+                case "override":
+                    event.overrideEvent( relocateEvent );
+                    break;
+                default:
+                    throw(
+                        type = "InvalidOverideActionType",
+                        message = "The type [#overrideAction#] is not a valid override action.  Valid types are ['relocate', 'override']."
+                    );
+            }
             return true;
         }
 
@@ -142,11 +174,22 @@ component extends="coldbox.system.Interceptor"{
             }
         }
 
-        event.overrideEvent(
-            event.isAjax() ?
-                getProperty( "authorizationAjaxOverrideEvent", getProperty( "authorizationOverrideEvent", "" ) ) :
-                getProperty( "authorizationOverrideEvent", "" )
-        );
+        var eventType = event.isAjax() ? "authorizationAjaxOverrideEvent" : "authorizationOverrideEvent";
+        var relocateEvent = getProperty( eventType );
+        var overrideAction = getProperty( "overrideActions" )[ eventType ];
+        switch ( overrideAction ) {
+            case "relocate":
+                relocate( relocateEvent );
+                break;
+            case "override":
+                event.overrideEvent( relocateEvent );
+                break;
+            default:
+                throw(
+                    type = "InvalidOverideActionType",
+                    message = "The type [#overrideAction#] is not a valid override action.  Valid types are ['relocate', 'override']."
+                );
+        }
         return true;
     }
 

tests/resources/ModuleIntegrationSpec.cfc

@@ -2,7 +2,7 @@ component extends="coldbox.system.testing.BaseTestCase" {
 
     function beforeAll() {
         super.beforeAll();
-        
+
         getController().getModuleService()
             .registerAndActivateModule( "cbguard", "testingModuleRoot" );
     }
@@ -14,4 +14,18 @@ component extends="coldbox.system.testing.BaseTestCase" {
         setup();
     }
 
+    function withSwappedSettings( applyOverrides, callback ) {
+        var newSettings = duplicate( getController().getConfigSettings().modules.cbguard.settings );
+        applyOverrides( newSettings );
+        var interceptor = getController().getInterceptorService().getInterceptor( "SecuredEventInterceptor" );
+        interceptor.setProperties( newSettings );
+        try {
+            callback();
+        } catch ( any e ) {
+            rethrow;
+        } finally {
+            interceptor.setProperties( getController().getConfigSettings().modules.cbguard.settings );
+        }
+    }
+
 }

tests/specs/integration/AuthenticationSpec.cfc

@@ -20,7 +20,19 @@ component extends="tests.resources.ModuleIntegrationSpec" appMapping="/app" {
 
             it( "redirects the user if the component has a secured annotation and the user is not logged in", function() {
                 var event = execute( event = "Secured.index" );
-                expect( event.getValue( "event", "" ) ).toBe( "Main.onAuthenticationFailure" );
+                expect( event.getValue( "relocate_EVENT", "" ) ).toBe( "Main.onAuthenticationFailure" );
+            } );
+
+            it( "overrides the event if the component has a secured annotation and the user is not logged in with specific settings", function() {
+                withSwappedSettings(
+                    function( settings ) {
+                        settings.overrideActions.authenticationOverrideEvent = "override";
+                    },
+                    function() {
+                        var event = execute( event = "Secured.index" );
+                        expect( event.getValue( "event", "" ) ).toBe( "Main.onAuthenticationFailure" );
+                    }
+                );
             } );
 
             it( "does not redirect the user if the component has a secured annotation and the user is logged in", function() {
@@ -31,7 +43,19 @@ component extends="tests.resources.ModuleIntegrationSpec" appMapping="/app" {
 
             it( "redirects the user if the action has a secured annotation and the user is not logged in", function() {
                 var event = execute( event = "PartiallySecured.secured" );
-                expect( event.getValue( "event", "" ) ).toBe( "Main.onAuthenticationFailure" );
+                expect( event.getValue( "relocate_EVENT", "" ) ).toBe( "Main.onAuthenticationFailure" );
+            } );
+
+            it( "overrides the event if the action has a secured annotation and the user is not logged in with specific settings", function() {
+                withSwappedSettings(
+                    function( settings ) {
+                        settings.overrideActions.authenticationOverrideEvent = "override";
+                    },
+                    function() {
+                        var event = execute( event = "PartiallySecured.secured" );
+                        expect( event.getValue( "event", "" ) ).toBe( "Main.onAuthenticationFailure" );
+                    }
+                );
             } );
 
             it( "does not redirect the user if the action has a secured annotation and the user is logged in", function() {

tests/specs/integration/AuthorizationSpec.cfc

@@ -15,19 +15,19 @@ component extends="tests.resources.ModuleIntegrationSpec" appMapping="/app" {
 
             it( "redirects the user if the component has a secured annotation with a list of permissions and the user is not logged in", function() {
                 var event = execute( event = "PermissionSecured.fooPermissionAction" );
-                expect( event.getValue( "event", "" ) ).toBe( "Main.onAuthenticationFailure" );
+                expect( event.getValue( "relocate_EVENT", "" ) ).toBe( "Main.onAuthenticationFailure" );
             } );
 
             it( "redirects the user if the component has a secured annotation with a list of permissions and the user does not have any permissions", function() {
                 authenticationService.login( createUser( { permissions = [] } ) );
                 var event = execute( event = "PermissionSecured.fooPermissionAction" );
-                expect( event.getValue( "event", "" ) ).toBe( "Main.onAuthorizationFailure" );
+                expect( event.getValue( "relocate_EVENT", "" ) ).toBe( "Main.onAuthorizationFailure" );
             } );
 
             it( "redirects the user if the component has a secured annotation with a list of permissions and the user does not have any of the required permissions", function() {
                 authenticationService.login( createUser( { permissions = [ "bar" ] } ) );
                 var event = execute( event = "PermissionSecured.fooPermissionAction" );
-                expect( event.getValue( "event", "" ) ).toBe( "Main.onAuthorizationFailure" );
+                expect( event.getValue( "relocate_EVENT", "" ) ).toBe( "Main.onAuthorizationFailure" );
             } );
 
             it( "does not redirect the user if the component has a secured annotation with a list of permissions and the user has at least one of the required permissions", function() {
@@ -38,19 +38,19 @@ component extends="tests.resources.ModuleIntegrationSpec" appMapping="/app" {
 
             it( "redirects the user if the action has a secured annotation with a list of permissions and the user is not logged in", function() {
                 var event = execute( event = "PermissionActionSecured.fooPermissionAction" );
-                expect( event.getValue( "event", "" ) ).toBe( "Main.onAuthenticationFailure" );
+                expect( event.getValue( "relocate_EVENT", "" ) ).toBe( "Main.onAuthenticationFailure" );
             } );
 
             it( "redirects the user if the action has a secured annotation with a list of permissions and the user does not have any permissions", function() {
                 authenticationService.login( createUser( { permissions = [] } ) );
                 var event = execute( event = "PermissionActionSecured.fooPermissionAction" );
-                expect( event.getValue( "event", "" ) ).toBe( "Main.onAuthorizationFailure" );
+                expect( event.getValue( "relocate_EVENT", "" ) ).toBe( "Main.onAuthorizationFailure" );
             } );
 
             it( "redirects the user if the action has a secured annotation with a list of permissions and the user does not have any of the required permissions", function() {
                 authenticationService.login( createUser( { permissions = [ "bar" ] } ) );
                 var event = execute( event = "PermissionActionSecured.fooPermissionAction" );
-                expect( event.getValue( "event", "" ) ).toBe( "Main.onAuthorizationFailure" );
+                expect( event.getValue( "relocate_EVENT", "" ) ).toBe( "Main.onAuthorizationFailure" );
             } );
 
             it( "does not redirect the user if the action has a secured annotation with a list of permissions and the user has at least one of the required permissions", function() {
@@ -62,7 +62,7 @@ component extends="tests.resources.ModuleIntegrationSpec" appMapping="/app" {
             it( "redirects the user if the component has a secured annotatoin with a list of permissions and the user has at least one of the required permissions but the action also has a secured annotation with a list of permissions and the user does not have any of the required permissions", function() {
                 authenticationService.login( createUser( { permissions = [ "one" ] } ) );
                 var event = execute( event = "DoubleSecured.securedAction" );
-                expect( event.getValue( "event", "" ) ).toBe( "Main.onAuthorizationFailure" );
+                expect( event.getValue( "relocate_EVENT", "" ) ).toBe( "Main.onAuthorizationFailure" );
             } );
 
             it( "does not redirect the user if the component has a secured annotatoin with a list of permissions and the user has at least one of the required permissions and the action also has a secured annotation with a list of permissions and the user has at least one of the required permissions", function() {