Ticket #2620 (reopened enhancement)

Opened 2 months ago

Last modified 1 month ago

Fix user logout when accessing permission denied page.

Reported by: scott@… Assigned to: sminnee
Type: enhancement Priority: medium
Milestone: Component: Sapphire Framework
Version: 2.2.2 Severity: medium effort / impact
Keywords: security, login, logout Cc: scott@startgrid.com
Due date: Harvest Task: (Unknown)
Invoice sent to client: 0 Hours:

Description

User A does not have access to page X and tries to access this page. When they do, they currently get logged out and presented with a page requesting the login of a user who has access to this page. If you then navigate away from this page you are logged out. If user A now goes to page Y, which they do have access to, and tries to log in, they get redirected to page X and logged out again.

This is simply fixed by not logging out the current user.

Remove the current lines 161 and 162 in sapphire/security/sapphire.php (rev. 56921) which are:

161 if($member = Member::currentUser())

162 $member->logout();
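A constructed model of the redirect-and-logout loop described above, added here for illustration (this is not SilverStripe code and does not reproduce the real signature of Security::permissionFailure()). It assumes a BackURL-style "return to the page you were denied" mechanism, two pages X and Y, and a logged-in member "scott" who may view Y but not X; sminnee's forum/CMS counter-case below is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed access list: which members may view each page (None = anonymous).
ACL = {"X": {"admin"}, "Y": {"admin", "scott", None}}


@dataclass
class Session:
    user: Optional[str] = None      # logged-in member, None when anonymous
    back_url: Optional[str] = None  # page to return to after a login


def permission_failure(s: Session, page: str, logout_on_denial: bool) -> str:
    """Model of the permission-failure handler: remember the denied page for the
    post-login redirect and, in the pre-patch behaviour, log the member out."""
    s.back_url = page
    if logout_on_denial:
        s.user = None  # the two lines the ticket proposes removing
    return "login-form"


def visit(s: Session, page: str, logout_on_denial: bool) -> str:
    if s.user in ACL[page]:
        return f"rendered {page}"
    return permission_failure(s, page, logout_on_denial)


def login(s: Session, user: str, logout_on_denial: bool) -> str:
    """Model of the login form: authenticate, then follow BackURL if one is set."""
    s.user = user
    if s.back_url:
        target, s.back_url = s.back_url, None
        return visit(s, target, logout_on_denial)
    return "rendered home"


def reproduce(logout_on_denial: bool) -> Tuple[Optional[str], List[str]]:
    """Walk the reporter's scenario and return (final member, page trace)."""
    s = Session(user="scott")
    trace = [visit(s, "X", logout_on_denial)]   # denied: X is admin-only
    trace.append(visit(s, "Y", logout_on_denial))  # Y is allowed either way
    if s.user is None:
        # Logged out by the denial, so the member logs in again at Y and is
        # bounced back to X by BackURL, where the denial logs them out again.
        trace.append(login(s, "scott", logout_on_denial))
    return s.user, trace
```

With the logout in place the member ends the walk anonymous after a second login form; without it the original session survives the denial.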

Attachments

Capture.PNG (22.3 kB) - added by scott@… 1 month ago.
Logged in user is denied access to /admin/

Change History

Changed 1 month ago by sminnee

  • status changed from new to closed
  • resolution set to wontfix

That causes all kinds of really gnarly bugs. For example, after applying this patch

  • Log into the forum as a forum user
  • Try to visit /admin/
  • You get redirected to the user help!

This happens because, if you're logged in when accessing the forum, it tries to get you into the CMS because it relies on a permission failure logging you out. Since the only top-menu item you have access to is the help, it sends you there.

Bottom line is that we shouldn't muck with the login logic until it's covered by a good range of unit tests.

Changed 1 month ago by scott@…

  • status changed from closed to reopened
  • resolution deleted

Why would I be getting different results? (ver 2.2.2 with no forum or any other module) See the attached screenshot of what I see when logged in as a user who has access to some pages but not the CMS. If they try to visit /admin/ they are presented with the attached, which allows them to switch their user or navigate elsewhere.

I totally agree we should test this thoroughly before adding to core.

Changed 1 month ago by scott@…

Logged in user is denied access to /admin/

Changed 1 month ago by sminnee

  • type changed from patch to enhancement

This aspect of the log-in system is... twitchy. I was working from the trunk version of silverstripe with forum and blog installed. That probably created the issue.

I'm changing this ticket from "patch" to "enhancement" because there's a lot of work to do (i.e., automated tests) before we can make this change.
