New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
403 error on cookie login when visiting a protected page after session expires #15824
Comments
@sakicnet can you submit this as a PR please Emir |
i wonder, can we do in an alternative way just loading first plg_system_remember plugin and after plg_system_languagefilter changing the system plugin order? |
@brianteeman Hi Brian, is this enough? sakicnet@d6fa7f9 @alikon: no, not really. Remember plugin does the login, which triggers onUserLogin events, which builds the menu before user is logged in. So it would involve bigger structural changes to fix it. |
We shouldn't be direct calling |
@mbabker that would probably require extending the JMenu class because its $user property is protected? |
|
Wait, nevermind. Realizing you need an updated |
Either way, you shouldn't reconstruct an object. A new one should be loaded in replacing the existing one. |
JMenu::load() doesn't fix the issue. What we need is $menu->user->load($id) |
Putting public setters for the properties (at least a |
If we can change JMenu then great. New PR: #15839 |
Same issue as #11541 |
Please close this and re-open #21230 |
Maintainers please action the request above |
That PR is against staging which does not exists anymore and the PR can not be reopend but need to be created against 4.x-dev |
Steps to reproduce the issue
Expected result
You should be automatically logged in and land on open protected page.
Actual result
You are redirected to frontpage with message:
Error: You are not authorised to view this resource.
If your homepage requires access then you end up on 403 page.
System information (as much as possible)
What happens is that the language filter plugin builds the menu with access levels before the remember plugin had a chance to login the user. The menu is built with access levels of the guest user and updates only on refresh. So, on first visit, after the session expires, the menu thinks it's a guest and denies the access.
The quick fix is to re-build the menu after the remember plugin has logged in the user.
Here is the Gist, line 66: https://gist.github.com/sakicnet/f2b8e2486011093d08e544423d8e5124
Additional comments
The text was updated successfully, but these errors were encountered: