Adding image.style_private and image.style_public routes resolved the issue I was seeing with image uploads. I tested with other media types and didn't find any other issues.
Not much time to work on this today, but I did test uninstalling redirect, and the issue persists.
That patch works to prevent those files from triggering auth redirects, but looks like there's more afoot.
I verified that media uploads even with this patch are resulting in:
Error message
The form has become outdated. Press the back button, copy any unsaved work in the form, and then reload the page.
In the browser dev tools network tab I saw
/sites/default/files/styles/thumbnail/public/2024-04/myfile.png?check_logged_in=1&itok=N6RgIXj6
with the initiator /casservice?destination=/sites/default/files/styles/thumbnail/public/2024-0…&ticket=[ticketHere]
I was able to identify the route in play as image.style_public
That led me to Redirect module - next step for me is to determine if it's part of the problem or not:
/**
 * Modify core routes to support redirect.
 */
class RouteSubscriber extends RouteSubscriberBase {

  /**
   * {@inheritdoc}
   */
  protected function alterRoutes(RouteCollection $collection) {
    if ($route = $collection->get('image.style_public')) {
      $route->setDefault('_disable_route_normalizer', TRUE);
    }
    if ($route = $collection->get('image.style_private')) {
      $route->setDefault('_disable_route_normalizer', TRUE);
    }
    if ($route = $collection->get('system.files')) {
      $route->setDefault('_disable_route_normalizer', TRUE);
    }
  }

}
Patch to exempt the aggregate file routes from forced login.
Haven't gotten to test it, but perhaps system.css_asset and system.js_asset routes could be added to IGNORABLE_AUTO_LOGIN_ROUTES.
Also got a report of users having trouble with uploading images/media to the site while the CAS "forced login" is enabled. Not sure if that's tied to a route or not, yet.
I believe we are experiencing the same issue, but the title of this issue makes it sound like the opposite of what we're seeing.
Steps to reproduce:
- Using Drupal 10.2.2 and CAS 2.2.0,
- Enable CSS and JS aggregation in the site.
- Check "Forced login enabled" and leave the "Pages" field empty (to require login everywhere), and do not check negate.
- As an already logged in user, the CSS and JS aggregations don't load - in the browser dev tools network tab it appears the files trigger the login redirect flow. Pages take a long time to load and lack CSS and JS.
Screengrab of full settings.
Workaround:
Check "negate" and add /sites/default/files/js/* and /sites/default/files/css/* to the Pages.
Re-rolled the patch against 3.x.
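
An added example, not part of the thread or of the CAS module's code: a log check for confirming whether file and aggregate requests are still passing through the CAS login flow once a patch or the "negate" workaround is in place. The combined access-log format and the sample lines are assumptions; the path prefixes, the /casservice callback and the check_logged_in parameter are the ones reported in this thread.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path prefixes taken from the thread (workaround patterns and the image style URL).
ASSET_PREFIXES = (
    "/sites/default/files/css/",
    "/sites/default/files/js/",
    "/sites/default/files/styles/",
)
# Request and status fields of a combined-format access log line (format is assumed).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
REDIRECTS = {"301", "302", "303", "307"}

def is_asset(path):
    return path.startswith(ASSET_PREFIXES)

def classify(line):
    """Return a finding string for one log line, or None if it looks normal."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    query = parse_qs(url.query)
    # CAS service callback whose destination is a file (the "initiator" seen in dev tools).
    if url.path == "/casservice":
        dest = urlsplit(query.get("destination", [""])[0]).path
        if is_asset(dest):
            return "cas-callback-for-asset: " + dest
        return None
    if is_asset(url.path):
        if "check_logged_in" in query:
            return "asset-after-cas-roundtrip: " + url.path
        if m.group("status") in REDIRECTS:
            return "asset-redirected: " + url.path
    return None

def scan(lines):
    return [finding for finding in map(classify, lines) if finding]

# Constructed sample lines (not from a real server); ticket and itok values are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2024:10:00:00 +0000] "GET /sites/default/files/css/css_EXAMPLE.css HTTP/1.1" 302 0',
    '203.0.113.5 - - [01/Apr/2024:10:00:01 +0000] "GET /casservice?destination=/sites/default/files/styles/thumbnail/public/2024-04/myfile.png&ticket=ST-EXAMPLE HTTP/1.1" 302 0',
    '203.0.113.5 - - [01/Apr/2024:10:00:02 +0000] "GET /sites/default/files/styles/thumbnail/public/2024-04/myfile.png?check_logged_in=1&itok=EXAMPLE HTTP/1.1" 200 2048',
    '203.0.113.5 - - [01/Apr/2024:10:00:03 +0000] "GET /node/1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Apr/2024:10:00:04 +0000] "GET /sites/default/files/js/js_EXAMPLE.js HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_LOG)))
```

An empty result over a log captured while browsing as a logged-in user indicates the exempted routes are no longer being redirected.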