Bug #90986
Epic #92636: felogin bug collection
Felogin redirects on failed login when redirectMode is unset [patch]
Status:
Resolved
Priority:
Should have
Assignee:
-
Category:
felogin
Target version:
-
Start date:
2020-04-09
Due date:
% Done:
100%
Estimated time:
TYPO3 Version:
10
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:
Description
Steps to reproduce:
- Create a Typo3 setup where no redirectMode is configured (e.g.
$conf['redirectMode'] === ''). - Open the login form with a
redirect_url=/some-pageGET parameter. - Enter wrong credentials.
Current result:
- No error message is shown, and the user is redirected to /some-page even though not logged in.
Expected result:
- The user is not redirected, but stays on the login page where the error message is shown.
Analysis:
The bug is caused in FrontendLoginController::main(). When redirectMode is empty or not set, the $this->redirectUrl is taken directly from the redirect_url GET/POST parameter, and processRedirect() is not called. Then, there is a final condition that checks whether to actually perform the redirect to $this->redirectUrl or not:
if (($this->logintype === LoginType::LOGIN || $this->logintype === LoginType::LOGOUT) && ...) {
The problem is: This condition is true on a failed login.
This bug does not appear when redirectMode is set, as in that case processRedirect() will take care of failed logins.
The patch fixes this issue by adding the missing additional check for a successful login, i.e. $this->userIsLoggedIn.
Files
Updated by 
Updated by 
Updated by 
Updated by 
Updated by