tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

Don't clear BackURL after MemberAuthenticator::authenticate()

Browse Source 
It breaks logic flow, e.g. when

Its called by BasicAuth:requireLogin() when basic auth is enabled,
before any controller logic kicks in (on every HTTP request).
This means you can't use session-based BackURLs with basic auth enabled,
breaking flows like redirection after Facebook logins.

I can't see why a clear() was necessary here, looks like a overly
cautious way to prevent infinite loops? Can't see how those
would be caused by requireLogin() though.

Been there since all the way back in 2007: a377a67e540a33941e4a5436d169e4cfa93af58a
This commit is contained in:
Ingo Schommer 2014-05-02 16:51:23 +12:00
parent f3974f0e63
commit e56ad9b37c
1 changed files with 2 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
security/MemberAuthenticator.php
View File

@ -115,10 +115,8 @@ class MemberAuthenticator extends Authenticator {
$member->write(); $member->write();
} }
if($member) { if(!$member && $form && $result) {
Session::clear('BackURL'); $form->sessionMessage($result->message(), 'bad');
} else {
if($form && $result) $form->sessionMessage($result->message(), 'bad');
} }
return $member; return $member;