Set login constants in request listener #4968
Conversation
I think there are two things to consider/fix here:
Otherwise 👍 for using a listener after firewall!
I would change two things here:
- always use `getCurrentRequest` for the constants to keep it consistent
- I don't think we need two methods. Calling `setLoginConstants()` when the framework is not initialised should set the internal flag. Calling the method (again) if the framework is initialised (internally) should set the constants automatically.
Are you sure? Should we not pass the request of the request event?
83fd688 to 7d72d58 (Compare)
Not sure about that request, but it probably does not matter. But why did you remove the mode-check and the session initialization?
I don't understand the purpose of Also the previous condition had
It made sense because without a previous session you could never be logged in – since a security token would have been stored in the DB. But I agree if the constant is only set after the firewall this should never be necessary.
Thank you @fritzmg.
Description
-----------
-

Commits
-------
829a207 set login constants in request listener
cc98d05 update tests
6975586 only set constants if framework was initialized
3a5bb25 code style
df1a2b5 expect deprecation
7abe0f2 English please
7d72d58 simplify implementation
98a490d use getMode
d60c2cb Merge remote-tracking branch 'origin/4.9' into set-login-constants-in…
Fixes #2576 and other issues.

In #2628 we removed the usage of the deprecated `FE_USER_LOGGED_IN` constant within the core and switched to using the token checker instead, in order to fix #2576. However, the core issue still remains: for any Contao extension that still uses the `FE_USER_LOGGED_IN` constant, the constant will still have the wrong value for any authenticated request without a previous authenticated session. For example: if you implement a custom guard authenticator that authenticates a Contao user e.g. via an `Authorization` header, or some other custom solution, the constant will always be `false` (if no session cookie of a previous authenticated request is passed along with the request).

The cause of this is the setting of the constants within `ContaoFramework::initialize`. `ContaoFramework::initialize` will be executed very early - earlier than the Firewall listener, which is a regular request listener. So since `$this->tokenChecker->hasFrontendUser()` will be executed before Symfony's Firewall listener, it will always be false, because no security token has been set by the Symfony Firewall yet.

To fix this we must not query the `TokenChecker` before the Symfony Firewall listener, i.e. we need to set this constant in a regular request listener that has a lower priority than the Firewall request listener of Symfony. This is implemented in this PR.
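The listener ordering the description argues for, written out as an added example that is not the PR's own code: a `kernel.request` subscriber registered below the priority of Symfony's `Firewall` subscriber (8), which therefore sees the security token and derives the constants from the `TokenChecker` only once the framework is initialised. The class name, the `App\EventListener` namespace and the `BE_USER_LOGGED_IN` handling are assumptions for illustration.

```php
<?php
// Added example, not code from the PR: derive the login constants after the
// Symfony Firewall has run instead of inside ContaoFramework::initialize().
// Class name and namespace are assumed; service wiring (autoconfigure) is not shown.

declare(strict_types=1);

namespace App\EventListener;

use Contao\CoreBundle\Framework\ContaoFramework;
use Contao\CoreBundle\Security\Authentication\Token\TokenChecker;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

class LoginConstantsListener implements EventSubscriberInterface
{
    /** @var ContaoFramework */
    private $framework;

    /** @var TokenChecker */
    private $tokenChecker;

    public function __construct(ContaoFramework $framework, TokenChecker $tokenChecker)
    {
        $this->framework = $framework;
        $this->tokenChecker = $tokenChecker;
    }

    public static function getSubscribedEvents(): array
    {
        // Firewall::getSubscribedEvents() registers kernel.request at priority 8.
        // Any lower value runs after it, i.e. after the token has been set.
        return [KernelEvents::REQUEST => ['onKernelRequest', 7]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        // Only the master request is authenticated by the firewall; sub-requests
        // share its token. Skip when the framework was never booted (e.g. no route).
        if (!$event->isMasterRequest() || !$this->framework->isInitialized()) {
            return;
        }

        // Constants cannot be redefined, so a second call must be a no-op.
        if (\defined('FE_USER_LOGGED_IN')) {
            return;
        }

        // The point of the change: the token checker is queried only now, after the
        // firewall, so a request authenticated without a prior session is seen.
        \define('FE_USER_LOGGED_IN', $this->tokenChecker->hasFrontendUser());
        \define('BE_USER_LOGGED_IN', $this->tokenChecker->hasBackendUser()); // assumed counterpart
    }
}
```

Registering the subscriber at priority 9 or higher would reproduce the original bug, since it would then run before the firewall and `hasFrontendUser()` would still return `false` for a request authenticated only by a guard authenticator.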