- Issue created by @nessthehero
- Status changed to Needs review
12 months ago 7:12pm 17 November 2023 - 🇨🇷 Costa Rica Royden_CH
I've tested the merge request and it works fine.
- Status changed to RTBC
12 months ago 10:34pm 17 November 2023 - 🇺🇸 United States nessthehero
I am attaching a patch as well in case anyone wants to use this immediately in a project.
- 🇨🇷 Costa Rica Royden_CH
I am having an issue with this patch/MR. The first time works as expected, the site redirects me to the login. But when I try again by deleting the login path and leaving only the destination (example: /en/user/login?destination=[destination-path] -> /[destination-path]) the site shows me the node, without redirecting to the login page.
- Status changed to Needs review
12 months ago 10:20pm 22 November 2023 - 🇺🇸 United States nessthehero
I am not able to reproduce that behavior.
Here are my testing steps:
1. Create a new node that is restricted to "Visitor", and select the option "User must log in".
2. Visit the node in an incognito window. I am redirected to the login screen.
3. Do not log in. Instead, modify the url to be the url of the restricted page. Hit enter to navigate.
4. I am redirected back to the login screen again.

If you are logged in already, then it won't redirect you to the login screen or destroy your session. Perhaps what needs done is to show a 403 if you are logged in and try to hit the restricted page.
- 🇺🇸 United States nessthehero
Noticed two things while digging into this:
1. The role is never passed into getRecords. It's always either '' or 'anonymous'.
2. If I modify getAccessContentStatus to pass the user's role, it then looks for records that match the UID _and_ Role. I'm not setting the specific user id for my restrictions so this is definitely odd.

I pushed up a change that improves the check for records using roles, and if the user is logged in and hits a page that is set to redirect to the login (and their role is restricted), they get a 403.
Also adding in a new patch.