yii\web\User::loginRequired does not cause redirect for AJAX requests by default in Yii 2.0.8 #11523
Comments
Okay, I confirmed the behavior. Redirecting the "main" page when an AJAX request returns a From 2.0.8 onwards, as is listed in the documentation for
So in my opinion the default behavior was changed, and this change was planned. (Note I'm not in the Yii team). We could add
In this case The best solution I see is separately checking if

Looks too complicated for me.

It might look complicated at first; but it will restore the default behavior from 2.0.7 while at the same time providing the more sensible behavior when the So from a developer perspective no change except configuration is required.

We could also consider adding an extra header.
How about for this specific case we add an Advantages:
Note: adding an

Why not use

401 is for HTTP basic authentication

Your fix will not result in expected behavior for json requests; see my earlier comment regarding

@SilverFire I think you confused me 😸

What steps will reproduce the problem?
Install Yii 2 Advanced Application Template, run the built-in PHP server, go to http://localhost:8080/backend/web/index.php?r=site%2Flogin as an unauthenticated user, and execute in the browser console:
$.ajax('http://localhost:8080/backend/web/index.php');
Note that visiting the page http://localhost:8080/backend/web/index.php requires authentication.
What is the expected result?
Redirect to Login page.
What do you get instead?
403 (Forbidden) is shown in browser console, no redirect.
Additional info
In the described situation Yii 2.0.7 does redirect to the Login page, Yii 2.0.8 does not. I'm not sure whether it is a bug or a planned change of default behavior. If it was planned then it probably makes sense to clarify it in https://github.com/yiisoft/yii2/blob/master/framework/UPGRADE.md#upgrade-from-yii-207.
Old behavior can be returned by specifying false for parameter $checkAcceptHeader of yii\web\User::loginRequired() or by adding '*/*' to yii\web\User::$acceptableRedirectTypes.
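
The behavior reported in this issue, as an added example that is not part of the original issue or of Yii's source: a simplified JavaScript model of the Accept-header check. It assumes an exact-match comparison against acceptableRedirectTypes and defaults of text/html and application/xhtml+xml; the function names and sample headers are constructed for illustration.

```javascript
// Simplified model (an assumption, not Yii's code) of the decision made for an
// unauthenticated request: redirect to the login page only when the Accept
// header names a type listed in acceptableRedirectTypes, otherwise answer 403.

// Assumed defaults for yii\web\User::$acceptableRedirectTypes.
const DEFAULT_REDIRECT_TYPES = ['text/html', 'application/xhtml+xml'];

// Constructed sample Accept headers.
const BROWSER_NAV = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';
const JQUERY_AJAX = '*/*'; // what a plain $.ajax(url) sends
const JSON_AJAX = 'application/json, text/javascript, */*; q=0.01'; // $.ajax with dataType: 'json'

// Split an Accept header into bare media types (parameters such as q dropped).
function parseAccept(header) {
  return (header || '')
    .split(',')
    .map((part) => part.split(';')[0].trim().toLowerCase())
    .filter((type) => type.length > 0);
}

// Returns 'redirect' (to the login page) or 'forbidden' (403).
function loginRequiredOutcome(acceptHeader, options = {}) {
  const {
    checkAcceptHeader = true,
    acceptableRedirectTypes = DEFAULT_REDIRECT_TYPES,
  } = options;
  if (!checkAcceptHeader) return 'redirect'; // the 2.0.7-style behavior
  const requested = parseAccept(acceptHeader);
  if (requested.length === 0) return 'redirect'; // assumption: no header, no restriction
  const matched = requested.some((type) => acceptableRedirectTypes.includes(type));
  return matched ? 'redirect' : 'forbidden';
}

// Compare the default configuration with the '*/*' workaround from the issue.
function compareConfigs() {
  const withWildcard = { acceptableRedirectTypes: [...DEFAULT_REDIRECT_TYPES, '*/*'] };
  const samples = { BROWSER_NAV, JQUERY_AJAX, JSON_AJAX };
  const rows = {};
  for (const [name, header] of Object.entries(samples)) {
    rows[name] = {
      default: loginRequiredOutcome(header),
      wildcardAdded: loginRequiredOutcome(header, withWildcard),
    };
  }
  return rows;
}

console.table(compareConfigs());
```

In this model, adding '*/*' also turns the 403 for the JSON-style request into a redirect, because that header carries a `*/*` fallback entry.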