[5.7] MethodNotAllowedHTTPException on Intended Redirect #25685
Conversation
…so the user doesn't get redirected someplace invalid.
…sely as possible to the last action.
|
Is there any way to exclude some URLs from intended behavior? |
|
@ankurk91 Not that I see. However, this issue affects all routes that do not accept GET requests so a blacklist wouldn't help even if we could specify one. |
mcordingley
changed the title
…ions as defaults.
| $this->session->put('url.intended', $this->generator->full()); | ||
| $request = $this->generator->getRequest(); | ||
|
|
||
| $intended = $request->method() === 'GET' && $request->route() && ! $request->ajax() ? |
There was a problem hiding this comment.
Out of curiosity - why is ajax specifically excluded?
There was a problem hiding this comment.
Because we don't want to redirect the user to an AJAX route. We want to only redirect someplace that can be meaningfully loaded up in the browser.
See also Illuminate\Session\Middleware\StartSession::storeCurrentUrl().
There was a problem hiding this comment.
An unlikely --but possible-- scenario is that the user has an expired session, makes an AJAX request, then manually goes over to the login page to log back in. In that case, the AJAX request could have gotten stored as the intended route, since there'd be nothing to overwrite the value in session.
|
What if the previous route isn't valid either? |
|
@taylorotwell It has to be, else it wouldn't have been placed into the session for |
|
Note that I added one more commit to try to bullet-proof this change. With the PR closed, that commit does not appear to show up in here. |
|
@mcordingley Please create a new PR then since Taylor does not read PR comments after he already closed it. |
|
@X-Coder264 I created a bug report over this. It got ignored for a month and then closed. I then created this PR. It immediately got closed. In both cases, it seemed that the people closing them didn't even bother to read what I had written. What's to say that opening another one won't simply get closed without being read? |
|
Reopened as #25739 |
Environment:
Description:
redirect()->intended()can redirect the user to a bad route if the user interacts with a form after session timeout. This leads to errors being shown to a user from reasonable use of the application and is surprisingly difficult to avoid or work around.Steps To Reproduce:
MethodNotAllowedHTTPException.Proposed Solution:
Alter
\Illuminate\Routing\Redirector::guest()to check if the current request is suitable for redirection and if the requested route isn't suitable for redirect, don't store it asurl.intendedand instead store the "previous" URL as the intended route to get the user back to being as close as possible to the failed request.