Change the cas route cas.login to have a route requirement _user_is_logged_in: 'FALSE'. This should effectively prevent access to the route for users that are already logged in.

Going to make a new branch because this one was created with branch name 2.x and it's making it harder to review locally (I already have a branch with that name)

bkosborne → changed the visibility of the branch 2.x to hidden.

Okay, this is in good shape

Thanks for the review. I'll see about extending that base class!

Another thing I want to try and resolve here is this scenario:

1. Authenticated user clicks a link to /cas?destination=/some/page
2. User is denied access to /cas since they're already logged in
3. Our subscriber intercepts the exception and redirects the user to the homepage
4. The /some/page destination is lost

We have at least one site that's using this workflow for links that this patch breaks.

Given 📌 AccessDeniedSubscriber should extend HttpExceptionSubscriberBase RTBC is RTBC and most likely will me merged, I think we should do it also here.

i think #11 makes sense

Pushed an update that uses HttpExceptionSubscriberBase and preserves the destination parameter. Updated issue summary to describe the change.

Updated the MR to be based on 3.x

Unfortunately tests are failing

Fixed the broken test

Great. You can merge and release 3.0.0.

I propose the following release notes:

Relevant changes

• Drupal 11 compatibility (see "Updating to CAS 3.0" section below)
• Routes /cas and /caslogin are no more accessible by logged in users. See 🐛 Change the cas route cas.login to have a route requirement _user_is_logged_in: 'FALSE'. This should effectively prevent access to the route for users that are already logged in. Active .

Updating to CAS 3.0

• While still on Drupal 10, update your site to CAS 2.3.2. This is very important because starting with CAS 3.0.0, old (post)update functions are removed.
• Require drupal/cas:^3.0 with Composer
• If you have custom code that interacts with the CAS module, you may need to make some updates. There are some tiny backwards compatibility breaking changes that require your attention:
  • The type of value returned by CasLoginException::getCode() was changed from integer to enum of type CasLoginExceptionType. If your code calls this method, you should adapt. If you still need the integer value, you can do something like
    

    $codes = CasLoginExceptionType::cases();
    $code = array_search($exception->getCode(), $codes, TRUE);
    

  • The parameter of CasUserManager::getCasUsernameForAccount() is now strict typed as integer. Make sure you cast the parameter to an Integer before is passed to the method:
    

    $account = ...;
    $uid = (int) $account->id();
    $name = \Drupal::service('cas.user_manager')->getCasUsernameForAccount($uid);
    

  • The CasServerConfig::setProtocolVersion() setter accepts now a CasProtocolVersion enum case as parameter instead of a string. Same, the CasServerConfig::getProtocolVersion() getter returns now a CasProtocolVersion enum case instead of a string. If needed, get the server version as a legacy string: CasServerConfig::getProtocolVersion()->value.
  • The CasServerConfig::setHttpScheme() setter accepts now a HttpScheme enum case as parameter instead of a string. Same, the CasServerConfig::getHttpScheme() getter returns now a HttpScheme enum case instead of a string. If needed, get the HTTP scheme as a legacy string: CasServerConfig:: getHttpScheme()->value.
  • The CasServerConfig::setVerify() setter accepts now a SslCertificateVerification enum case as parameter instead of an integer. Same, the CasServerConfig::getVerify() getter returns now a SslCertificateVerification enum case instead of an integer. If needed, get the certificate verification scheme as a legacy integer: CasServerConfig:: getVerify()->value.
• You can now update your site to Drupal 11.
• After updating to CAS 3.0, prepare for the next CAS version by replacing the deprecated code. Check https://www.drupal.org/node/3462792 → to learn what is deprecated in CAS 3.0 and adapt your code.

Automatically closed - issue fixed for 2 weeks with no activity.