Store the referrer by default in backend scope (see #7227)

Description ----------- #7190 This implements my opt-out suggestion from #7190 (comment). Any back end route will now store the referrer by default - but you can opt-out via `_store_referrer: false` in your route defaults/attributes. /cc @ameotoko Commits ------- cadf65a Always store referrer for backend _scope 0cfb6ec Make the configuration explicit Co-authored-by: leofeyer <1192057+leofeyer@users.noreply.github.com>
contao · May 21, 2024 · 4b9ce83 · 4b9ce83
1 parent 5c6558a
commit 4b9ce83
Show file tree

Hide file tree

Showing 7 changed files with 18 additions and 14 deletions.
diff --git a/core-bundle/src/Controller/BackendController.php b/core-bundle/src/Controller/BackendController.php
@@ -50,7 +50,7 @@ public function mainAction(): Response
     }
 
     /**
-     * @Route("/login", name="contao_backend_login")
+     * @Route("/login", name="contao_backend_login", defaults={"_store_referrer" = false})
      */
     public function loginAction(Request $request): Response
     {
@@ -77,15 +77,15 @@ public function loginAction(Request $request): Response
     /**
      * Symfony will un-authenticate the user automatically by calling this route.
      *
-     * @Route("/logout", name="contao_backend_logout")
+     * @Route("/logout", name="contao_backend_logout", defaults={"_store_referrer" = false})
      */
     public function logoutAction(): RedirectResponse
     {
         return $this->redirectToRoute('contao_backend_login');
     }
 
     /**
-     * @Route("/password", name="contao_backend_password")
+     * @Route("/password", name="contao_backend_password", defaults={"_store_referrer" = false})
      */
     public function passwordAction(): Response
     {
@@ -97,7 +97,7 @@ public function passwordAction(): Response
     }
 
     /**
-     * @Route("/confirm", name="contao_backend_confirm")
+     * @Route("/confirm", name="contao_backend_confirm", defaults={"_store_referrer" = false})
      */
     public function confirmAction(): Response
     {
@@ -109,7 +109,7 @@ public function confirmAction(): Response
     }
 
     /**
-     * @Route("/file", name="contao_backend_file")
+     * @Route("/file", name="contao_backend_file", defaults={"_store_referrer" = false})
      *
      * @deprecated Deprecated since Contao 4.13, to be removed in Contao 5.0.
      *             Use the picker instead.
@@ -126,7 +126,7 @@ public function fileAction(): Response
     }
 
     /**
-     * @Route("/help", name="contao_backend_help")
+     * @Route("/help", name="contao_backend_help", defaults={"_store_referrer" = false})
      */
     public function helpAction(): Response
     {
@@ -138,7 +138,7 @@ public function helpAction(): Response
     }
 
     /**
-     * @Route("/page", name="contao_backend_page")
+     * @Route("/page", name="contao_backend_page", defaults={"_store_referrer" = false})
      *
      * @deprecated Deprecated since Contao 4.13, to be removed in Contao 5.0.
      *             Use the picker instead.
@@ -155,7 +155,7 @@ public function pageAction(): Response
     }
 
     /**
-     * @Route("/popup", name="contao_backend_popup")
+     * @Route("/popup", name="contao_backend_popup", defaults={"_store_referrer" = false})
      */
     public function popupAction(): Response
     {
@@ -167,7 +167,7 @@ public function popupAction(): Response
     }
 
     /**
-     * @Route("/alerts", name="contao_backend_alerts")
+     * @Route("/alerts", name="contao_backend_alerts", defaults={"_store_referrer" = false})
      */
     public function alertsAction(): Response
     {
@@ -183,7 +183,7 @@ public function alertsAction(): Response
      * It will determine the current provider URL based on the value, which is usually
      * read dynamically via JavaScript.
      *
-     * @Route("/picker", name="contao_backend_picker")
+     * @Route("/picker", name="contao_backend_picker", defaults={"_store_referrer" = false})
      */
     public function pickerAction(Request $request): RedirectResponse
     {

diff --git a/core-bundle/src/Controller/BackendPreviewController.php b/core-bundle/src/Controller/BackendPreviewController.php
@@ -27,7 +27,7 @@
  * requested front end page while ensuring that the /preview.php entry point is
  * used. When requested, the front end user gets authenticated.
  *
- * @Route(path="%contao.backend.route_prefix%", defaults={"_scope" = "backend", "_allow_preview" = true})
+ * @Route(path="%contao.backend.route_prefix%", defaults={"_scope" = "backend", "_allow_preview" = true, "_store_referrer" = false})
  */
 class BackendPreviewController
 {

diff --git a/core-bundle/src/Controller/BackendPreviewSwitchController.php b/core-bundle/src/Controller/BackendPreviewSwitchController.php
@@ -37,7 +37,7 @@
  * b) Provide the member usernames for the datalist
  * c) Process the switch action (i.e. log in a specific front end user).
  *
- * @Route(path="%contao.backend.route_prefix%", defaults={"_scope" = "backend", "_allow_preview" = true})
+ * @Route(path="%contao.backend.route_prefix%", defaults={"_scope" = "backend", "_allow_preview" = true, "_store_referrer" = false})
  */
 class BackendPreviewSwitchController
 {

diff --git a/core-bundle/src/EventListener/StoreRefererListener.php b/core-bundle/src/EventListener/StoreRefererListener.php
@@ -92,7 +92,8 @@ private function canModifyBackendSession(Request $request): bool
             && !$request->query->has('token')
             && !$request->query->has('state')
             && 'feRedirect' !== $request->query->get('do')
-            && 'contao_backend' === $request->attributes->get('_route')
+            && 'backend' === $request->attributes->get('_scope')
+            && false !== $request->attributes->get('_store_referrer')
             && !$request->isXmlHttpRequest();
     }
 

diff --git a/core-bundle/src/Resources/config/routes.yml b/core-bundle/src/Resources/config/routes.yml
@@ -12,6 +12,7 @@ contao_backend_redirect:
     defaults:
         _scope: backend
         _controller: Symfony\Bundle\FrameworkBundle\Controller\RedirectController::redirectAction
+        _store_referrer: false
         route: contao_backend
         permanent: true
 
@@ -20,6 +21,7 @@ contao_backend_fallback:
     defaults:
         _scope: backend
         _controller: Symfony\Bundle\FrameworkBundle\Controller\TemplateController
+        _store_referrer: false
         template: '@ContaoCore\Error\backend.html.twig'
         context:
             template: '@ContaoCore\Error\backend.html.twig'

diff --git a/core-bundle/tests/EventListener/StoreRefererListenerTest.php b/core-bundle/tests/EventListener/StoreRefererListenerTest.php
@@ -240,6 +240,7 @@ public function testDoesNotStoreTheRefererIfTheBackEndSessionCannotBeModified():
         $request = new Request();
         $request->setSession($session);
         $request->attributes->set('_scope', ContaoCoreBundle::SCOPE_BACKEND);
+        $request->attributes->set('_store_referrer', false);
 
         $listener = $this->getListener($this->createMock(User::class));
         $listener($this->getResponseEvent($request));

diff --git a/installation-bundle/src/Controller/InstallationController.php b/installation-bundle/src/Controller/InstallationController.php
@@ -30,7 +30,7 @@
 use Symfony\Component\Routing\Annotation\Route;
 
 /**
- * @Route("%contao.backend.route_prefix%", defaults={"_scope" = "backend", "_token_check" = true})
+ * @Route("%contao.backend.route_prefix%", defaults={"_scope" = "backend", "_token_check" = true, "_store_referrer" = false})
  *
  * @internal
  */