Bug #90986

Updated by Volker Diels-Grabsch about 2 years ago

*Steps to reproduce:* 

 # Create a Typo3 setup where no redirectMode is configured (e.g. @$conf['redirectMode'] === ''@). 
 # Open the login form with a @redirect_url=/some-page@ GET parameter. 
 # Enter wrong credentials. 

 *Current result:* 

 * No I don't see any error message is shown, message, and the user is I'm redirected to /some-page even though I'm not logged in. 

 *Expected result:* 

 * The user is I'm not redirected, but stays stay on the login page where and see the error message is shown. message. 

 *Analysis:* 

 The bug is caused in @FrontendLoginController::main()@. When @redirectMode@ is empty or not set, the @$this->redirectUrl@ is taken directly from the @redirect_url@ GET/POST parameter, and @processRedirect()@ is not called. Then, there is a final condition that checks whether to actually perform the redirect to @$this->redirectUrl@ or not: 

 <pre> 
 if (($this->logintype === LoginType::LOGIN || $this->logintype === LoginType::LOGOUT) && ...) { 
 </pre> 

 The problem is: This condition is true on a failed login. 

 This bug does not appear when @redirectMode@ is set, as in that case @processRedirect()@ will take care of failed logins. 

 The patch fixes this issue by adding the missing additional check for a successful login, i.e. @$this->userIsLoggedIn@. 

Back