Fix wildcard-public controllers redirecting unknown actions to login (#173)#174
Merged
Merged
Conversation
A `*` allow rule is expanded to the controller's concrete method list via get_class_methods() so it can be handed to the Authentication plugin, which has no wildcard support. An action that does not exist as a method was therefore dropped from the unauthenticated set, so unauthenticated users hit the identity check and got redirected to login instead of receiving the MissingActionException (404) the missing action should produce. Keep the current request action in the unauthenticated set under a wildcard allow so unknown actions fall through to MissingActionException, matching the old AuthComponent behavior. Explicit denies still take precedence.
dereuromark
added a commit
that referenced
this pull request
Jun 24, 2026
A `*` allow rule is expanded to the controller's concrete method list via get_class_methods() so it can be handed to the Authentication plugin, which has no wildcard support. An action that does not exist as a method was therefore dropped from the unauthenticated set, so unauthenticated users hit the identity check and got redirected to login instead of receiving the MissingActionException (404) the missing action should produce. Keep the current request action in the unauthenticated set under a wildcard allow so unknown actions fall through to MissingActionException, matching the old AuthComponent behavior. Explicit denies still take precedence. Backport of #174 to the 3.x branch.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes the regression reported in #173: after switching from the legacy
AuthComponentto the newAuthenticationComponent, hitting an undefined action on a fully public controller (Pages = *) redirected unauthenticated users to login instead of returning a 404.Cause
A
*allow rule is expanded to the controller's concrete method list viaget_class_methods()so it can be passed to the cakephp/authentication plugin (which has no wildcard support). An action that does not exist as a method is not in that list, so it was dropped from the unauthenticated set. Unauthenticated users then failed the identity check and got redirected to login, never reaching the dispatcher where the missing action would raiseMissingActionException(404).The legacy
AuthComponentchecked the allow rule directly (honoring*for any action string), so the request dispatched and produced the 404.Fix
Under a wildcard allow, keep the current request action in the unauthenticated set even when it is not a real method. Unknown actions then fall through to
MissingActionException(404), matching the old behavior. Explicit denies (!superPrivate) still take precedence.This also repairs the Acl path:
AuthorizationComponent::_isUnauthenticatedAction()consumes the samegetUnauthenticatedActions()list, so the single fix covers both authentication and authorization skip logic.Tests
Added two regression tests in
AuthenticationComponentTest: