[#11533] - Set login/logout form actions to "index.php"
- Fixed in Code Base
- 13 Aug 2016
- Medium
- Build: staging
- # 11533
- Diff
- jo-sf:patch-24
- Success continuous-integration/travis-ci/pr The Travis CI build passed Details
- Success JTracker/HumanTestResults Human Test Results: 2 Successful 0 Failed. Details
User tests: Successful: Unsuccessful:
Login and Logout form actions set to "index.php", in doing so undoing the change made Dec 8, 2014.
Reason for this change is that JRoute::_() doesn't honor the third parameter (the "usesecure" flag) when a complete URL is passed, this is due to the following lines in that method:
if (!is_array($url) && (strpos($url, '&') !== 0) && (strpos($url, 'index.php') !== 0))
{
return $url;
}
Assume that http://www.example.org/index.php is the current URL which is passed as a string as first parameter to JRoute::_(). A string is not an array, there is no "&" in the string (so strpos() returns false which is not identical to "0") and the substring "index.php" doesn't start at position 0 in the string. Therefore the given URL is returned without any modifications, here: no changing of the scheme to HTTPS if the flag "usesecure" is set.
It is no problem to pass simply "index.php" here as action since the real target after logging in is passed in the hidden field "return".
Testing Instructions
For testing this change you need a current Joomla installation with the sample data installed.
Preparations
- log in to the administration
- important: check that caching is disabled, if not disable it and clear the site cache
- open "Extensions", "Modules"
- search for all site modules containing the string "login" - you should find 3 such modules
- open the "Login Form" module (this should be positioned at "position-7")
- change "Encrypt Login Form" to "Yes" and save the settings
Status Quo
- open the site homepage using HTTP
- locate the login form in the bottom right of the page
- check the login form action, it should be something like
http://<server>/index.php - log in using any valid user and password
- you're still visiting the site via HTTP
- log out and close the site homepage
Changes
- install this PR
- open the site homepage using HTTP
- locate the login form and check the login form action, now it should be something like
https://<server>/index.php - log in using any valid user and password
- you should now visit the site via HTTPS, the current page is probably the user profile (this is somewhat unexpected, but this is another issue to be fixed separately)
- go the the site homepage
- locate the logout form and check the logout form action, it should be something like
https://<server>/index.php - log out, afterwards you still visit the site via HTTPS (this again is another issue to be fixed separately)
- close the site homepage
joomla-cms-bot
- | Category | ⇒ | Front End Modules |
| Status | New | ⇒ | Pending |
| Labels |
Added:
?
|
||
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11533.
| Status | Pending | ⇒ | Ready to Commit |
2 good testers. RTC
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11533.
| Labels |
Added:
?
|
||
wilsonge
- | Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-08-13 21:32:16 |
| Closed_By | ⇒ | wilsonge |
| Labels |
Removed:
?
|
||
I have tested this item✅ successfully on 8dd80b3
works as expected.
IMHO we should have the same behaviour in the offline pages (protostar and system).
But i guess that needs a parameter at user component level.
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11533.