Fix _forward secret key matching expects standard router matching #40

Closed

@Vinai

Background:
When you are in admin and using secret keys, the key in the request
has to match up with the controller + action + salt. If not you are
bounced to the dashboard. When you call _forward to get sent to a new
URL, the new dispatch loop call checks the secret key a second time.
The 'problem' at this stage is the secret key doesn't match up with
the controller and/or action portion. The 'fix' that currently is in
place is to grab the original PATH_INFO from the request, split
that on '/', grab indexes 1 and 2, and use those as the
controller and action.
Keep in mind, this only happens if the controller and/or action are
not passed directly to the getSecretKey call. Additionally, if
either of these is empty then it has a second try of getting the
controller or action name stored in the request object directly.

Ok, that's the background. Here's the 'bug':
If you have code in place that handles routing differently than the
standard routers, the getSecretKey method is erroneously making
assumptions about the translation of a PATH_INFO string into a
module/controller/action array. And, as luck would have it, the
request object has a MUCH better method of working around the issue.
There is a getBeforeForwardInfo method that can give the original
request module/controller/action that was made. That info would
correspond to what getSecretKey expects.

This patch was also submitted as MCACE-144 to the Magento 1.6.2.0
MCA-CE contributor repository in Mage_Adminhtml_Model_Url.

Thanks to Lee Saferite for this one!
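The following script is an added illustration written for this page; it is not code from the pull request, from Lee Saferite's patch, or from Magento itself. It models the two ways of recovering the controller and action that the description contrasts: splitting the original PATH_INFO on `/` and taking segments 1 and 2, versus asking the request object what it was routed to before `_forward` ran. `DemoRequest`, `forwardTo`, `secretKey`, `keyFromPathInfo` and `keyFromBeforeForwardInfo` are hypothetical stand-ins for the Magento request and URL model classes, `md5` stands in for the core helper's hash, and the salt is a constructed placeholder for the session form key.

```php
<?php
// Added illustration, not Magento code. DemoRequest stands in for the
// framework request object; only the methods this scenario needs exist.

class DemoRequest
{
    private $originalPathInfo;
    private $controllerName;
    private $actionName;
    private $beforeForwardInfo = array();

    public function __construct($originalPathInfo, $controller, $action)
    {
        $this->originalPathInfo = $originalPathInfo;
        $this->controllerName   = $controller;
        $this->actionName       = $action;
    }

    public function getOriginalPathInfo() { return $this->originalPathInfo; }
    public function getControllerName()   { return $this->controllerName; }
    public function getActionName()       { return $this->actionName; }

    // What a dispatcher does on _forward: remember where the request was
    // routed first, then point it at the new controller/action.
    public function forwardTo($controller, $action)
    {
        $this->beforeForwardInfo = array(
            'controller_name' => $this->controllerName,
            'action_name'     => $this->actionName,
        );
        $this->controllerName = $controller;
        $this->actionName     = $action;
    }

    public function getBeforeForwardInfo($name = null)
    {
        if ($name === null) {
            return $this->beforeForwardInfo;
        }
        return isset($this->beforeForwardInfo[$name]) ? $this->beforeForwardInfo[$name] : null;
    }
}

// Secret key = hash(controller . action . salt); md5 is a stand-in for the helper hash.
function secretKey($controller, $action, $salt)
{
    return md5($controller . $action . $salt);
}

// Path-based recovery: assumes PATH_INFO segments 1 and 2 are controller and action.
function keyFromPathInfo(DemoRequest $r, $salt)
{
    $p = explode('/', trim($r->getOriginalPathInfo(), '/'));
    $controller = !empty($p[1]) ? $p[1] : $r->getControllerName();
    $action     = !empty($p[2]) ? $p[2] : $r->getActionName();
    return secretKey($controller, $action, $salt);
}

// Before-forward recovery: use what the router actually resolved, falling back
// to the current names when no _forward has happened yet.
function keyFromBeforeForwardInfo(DemoRequest $r, $salt)
{
    $controller = $r->getBeforeForwardInfo('controller_name');
    $action     = $r->getBeforeForwardInfo('action_name');
    if (!$controller) { $controller = $r->getControllerName(); }
    if (!$action)     { $action     = $r->getActionName(); }
    return secretKey($controller, $action, $salt);
}

$salt = 'constructed-session-form-key'; // placeholder for the real session salt

// A custom router maps this URL to controller "catalog_product", action "edit".
// The path segments after "admin" are an id and a verb, not controller/action names.
$request  = new DemoRequest('/admin/products/123/edit', 'catalog_product', 'edit');
$keyInUrl = secretKey('catalog_product', 'edit', $salt); // key embedded in the clicked link

// The edit action calls _forward('save'); the new dispatch loop re-checks the key.
$request->forwardTo('catalog_product', 'save');

var_dump(keyFromPathInfo($request, $salt) === $keyInUrl);
var_dump(keyFromBeforeForwardInfo($request, $salt) === $keyInUrl);
```

Under the path-based rule the re-check hashes `products` and `123`, so the key in the URL no longer matches and the admin would be bounced to the dashboard; the before-forward rule hashes `catalog_product` and `edit`, the same inputs the link was generated from, so the forwarded request validates. The fallback to `getControllerName()` and `getActionName()` covers the first dispatch, where no forward information exists yet.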

@Vinai _forward secret key matching expects the standard router
d5c9b61
@magento-team

@Vinai
Thank you for the contribution, we have applied it as a patch. In addition, the changes have been covered with tests.
The changes will be rolled out in the next update.

@Vinai

Thank you!

@magento-team magento-team added a commit that referenced this pull request Jul 20, 2012
@magento-team Update as of 7/19/2012
* Implemented inheritance of locales. Inheritance is declared in `app/locale/<locale_name>/config.xml`
* Moved declaration of modules from `app/etc/modules/<module>.xml` to `app/code/<pool>/<namespace>/<module>/config.xml`
* Implemented ability to match URLs in format `protocol://base_url/area/module/controller/action` (as opposite to only `module/controller/action`), utilized this feature in backend (admin) area
* Added product attribute set "Minimal Attributes", which consists of required system attributes only
* Improved customers import:
  * Implemented "Delete" behavior for importing customers, customer addresses and financial data
  * Implemented "Custom" behavior, which allows to specify behavior for each item directly from the imported file
* Updated performance tests:
  * Enabled Product View, Category View, Add to Cart, Quick Search and Advanced Search scenarios
  * Added ability to specify configuration parameters per scenario and refactored bootstrap of performance tests
* Implemented `mage.js` for base JavaScript initialization of the application
* Implemented new JS translation mechanism. JavaScript translations are loaded by locale code stored in cookies
* Implemented unit tests for JavaScript widgets in Visual Design Editor
* Added jQuery plugins: Cookie, Metadata, Validation, Head JS
* Fixed issues:
  * Impossible to add configurable product to the cart
  * Impossible to apply Shopping Cart Price Rule with any conditions to cart with simple and virtual product
  * Memory leak in email templates
  * Impossible to place order with Multiple Addresses using 3D Secure
  * Required product attributes are not exported
  * "Forgot Your Password" link on checkout page inactive after captcha reloading
  * Validation of "Number of Symbols" field in Captcha configuration doesn't work
  * Other small fixes
* GitHub requests:
  * [#37](#37) -- fixed particular case of "HEADERS ALREADY SENT" error in WYSIWYG thumbnail
  * [#39](#39) -- added `composer.json`
  * [#40](#40) -- fixed generation of "secret key" in backend URLs to honor `_forward` in controllers
1617a6e