From eb6c1fc6de2e4863198ce5d1f96bfb3e32ae2b8d Mon Sep 17 00:00:00 2001
From: Robbie Averill <robbie@silverstripe.com>
Date: Tue, 12 Dec 2017 16:35:53 +1300
Subject: [PATCH] FIX Allow the current controller as well as injectable
 HTTPRequest objects

---
 src/Security/SecurityToken.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/Security/SecurityToken.php b/src/Security/SecurityToken.php
index ff7d0ccfa..10276a4c4 100644
--- a/src/Security/SecurityToken.php
+++ b/src/Security/SecurityToken.php
@@ -178,15 +178,17 @@ class SecurityToken implements TemplateGlobalProvider
      * Returns the current session instance from the injector
      *
      * @return Session
-     * @throws Exception If the HTTPRequest class hasn't been registered as a service
+     * @throws Exception If the HTTPRequest class hasn't been registered as a service and no controllers exist
      */
     protected function getSession()
     {
         $injector = Injector::inst();
-        if (!$injector->has(HTTPRequest::class)) {
-            throw new Exception('No HTTPRequest object available yet!');
+        if ($injector->has(HTTPRequest::class)) {
+            return $injector->get(HTTPRequest::class)->getSession();
+        } elseif (Controller::has_curr()) {
+            return Controller::curr()->getRequest()->getSession();
         }
-        return $injector->get(HTTPRequest::class)->getSession();
+        throw new Exception('No HTTPRequest object or controller available yet!');
     }
 
     /**