Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Fix wildcard-public controllers redirecting unknown actions to login (#173)#174

Merged
dereuromark merged 1 commit into
masterfrom
fix/missing-action-wildcard-auth
Jun 23, 2026
Merged

Fix wildcard-public controllers redirecting unknown actions to login (#173)#174
dereuromark merged 1 commit into
masterfrom
fix/missing-action-wildcard-auth

Conversation

@dereuromark

Copy link
Copy Markdown
Owner

Fixes the regression reported in #173: after switching from the legacy AuthComponent to the new AuthenticationComponent, hitting an undefined action on a fully public controller (Pages = *) redirected unauthenticated users to login instead of returning a 404.

Cause

A * allow rule is expanded to the controller's concrete method list via get_class_methods() so it can be passed to the cakephp/authentication plugin (which has no wildcard support). An action that does not exist as a method is not in that list, so it was dropped from the unauthenticated set. Unauthenticated users then failed the identity check and got redirected to login, never reaching the dispatcher where the missing action would raise MissingActionException (404).

The legacy AuthComponent checked the allow rule directly (honoring * for any action string), so the request dispatched and produced the 404.

Fix

Under a wildcard allow, keep the current request action in the unauthenticated set even when it is not a real method. Unknown actions then fall through to MissingActionException (404), matching the old behavior. Explicit denies (!superPrivate) still take precedence.

This also repairs the Acl path: AuthorizationComponent::_isUnauthenticatedAction() consumes the same getUnauthenticatedActions() list, so the single fix covers both authentication and authorization skip logic.

Tests

Added two regression tests in AuthenticationComponentTest:

  • wildcard allow keeps an unknown action unauthenticated
  • wildcard allow still honors an explicit deny for a missing action

A `*` allow rule is expanded to the controller's concrete method list via
get_class_methods() so it can be handed to the Authentication plugin, which
has no wildcard support. An action that does not exist as a method was
therefore dropped from the unauthenticated set, so unauthenticated users
hit the identity check and got redirected to login instead of receiving the
MissingActionException (404) the missing action should produce.

Keep the current request action in the unauthenticated set under a wildcard
allow so unknown actions fall through to MissingActionException, matching the
old AuthComponent behavior. Explicit denies still take precedence.
@dereuromark dereuromark merged commit fa67b40 into master Jun 23, 2026
16 checks passed
@dereuromark dereuromark deleted the fix/missing-action-wildcard-auth branch June 23, 2026 15:58
dereuromark added a commit that referenced this pull request Jun 24, 2026
A `*` allow rule is expanded to the controller's concrete method list via
get_class_methods() so it can be handed to the Authentication plugin, which
has no wildcard support. An action that does not exist as a method was
therefore dropped from the unauthenticated set, so unauthenticated users
hit the identity check and got redirected to login instead of receiving the
MissingActionException (404) the missing action should produce.

Keep the current request action in the unauthenticated set under a wildcard
allow so unknown actions fall through to MissingActionException, matching the
old AuthComponent behavior. Explicit denies still take precedence.

Backport of #174 to the 3.x branch.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant