Bug #90986
Updated by Volker Diels-Grabsch about 4 years ago
*Steps to reproduce:* # Create a Typo3 setup where no redirectMode is configured (e.g. @$conf['redirectMode'] === ''@). # Open the login form with a @redirect_url=/some-page@ GET parameter. # Enter wrong credentials. *Current result:* * No I don't see any error message is shown, message, and the user is I'm redirected to /some-page even though I'm not logged in. *Expected result:* * The user is I'm not redirected, but stays stay on the login page where and see the error message is shown. message. *Analysis:* The bug is caused in @FrontendLoginController::main()@. When @redirectMode@ is empty or not set, the @$this->redirectUrl@ is taken directly from the @redirect_url@ GET/POST parameter, and @processRedirect()@ is not called. Then, there is a final condition that checks whether to actually perform the redirect to @$this->redirectUrl@ or not: <pre> if (($this->logintype === LoginType::LOGIN || $this->logintype === LoginType::LOGOUT) && ...) { </pre> The problem is: This condition is true on a failed login. This bug does not appear when @redirectMode@ is set, as in that case @processRedirect()@ will take care of failed logins. The patch fixes this issue by adding the missing additional check for a successful login, i.e. @$this->userIsLoggedIn@.