Bug #90986
Updated by Volker Diels-Grabsch over 4 years ago
*Steps to reproduce:* # Create I have a Typo3 setup where there is no redirectMode is configured (i.e. $conf['redirectMode'] === ''). # Open I open the login form with a @redirect_url=/some-page@ GET parameter. # Enter I enter wrong credentials. *Current result:* * I don't see any error message, and I'm redirected to /some-page even though I'm not logged in. *Expected result:* * I'm not redirected, but stay on the login page and see the error message. *Analysis:* The bug is caused in @FrontendLoginController::main()@. When @redirectMode@ is empty or not set, the @$this->redirectUrl@ is taken directly from the @redirect_url@ GET/POST parameter, and @processRedirect()@ is not called. Then, there is a final condition that checks whether to actually perform the redirect to @$this->redirectUrl@ or not: <pre> if (($this->logintype === LoginType::LOGIN || $this->logintype === LoginType::LOGOUT) && ...) { </pre> The problem is: This condition is true on a failed login. This bug does not appear when @redirectMode@ is set, as in that case @processRedirect()@ will take care of failed logins. The patch fixes this issue by adding the missing additional check for a successful login, i.e. @$this->userIsLoggedIn@.