Silverstripe-framework: Security::permissionFailure() assumes session is available

Created on 8 Jul 2019 · 7 Comments · Source: silverstripe/silverstripe-framework

Affected Version

4.x

Description

Security::permissionFailure() attempts to store a back URL in the session without checking whether a session is available on the request object:

https://github.com/silverstripe/silverstripe-framework/blob/d04e54c1bea46c17bb8bf4a3ec661833d4127de6/src/Security/Security.php#L426

This may result in an exception:

BadMethodCallException: "No session available for this HTTPRequest"

I believe this happened because the current request was a NullHTTPRequest. The setup that reached this error is a bit complex (it involves elemental + userforms + elemental-userforms + page access controls), but it's a simple change to code defensively here.

affects/v4 change/patch effort/easy impact/low type/bug

All 7 comments

Yeah, none of HTTPRequest indicates that getRequest() can return null, but I'm pretty sure it can. Do you think this would be a case of "if there's a session, run that logic, else ignore it" or something else like trying to get a session from somewhere else?

Do you think this would be a case of "if there's a session, run that logic, else ignore it" or something else like trying to get a session from somewhere else?

I think the first option is fine, we could achieve that by introducing a simple hasSession() method

Throwing an exception like that in the getter is a bit strange. I'm +1 for the hasSession method.

We can probably do both

Merged https://github.com/silverstripe/silverstripe-framework/pull/9152 but I'll leave this open until hasSession() is added to a minor release
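
The guard discussed in the thread ("if there's a session, run that logic, else ignore it"), sketched as an added example; it is not SilverStripe's code or the merged patch. DemoRequest, DemoSession, rememberBackURL() and the 'BackURL' key are hypothetical stand-ins; only the exception message and the hasSession() name come from the thread.

```php
<?php
// Stand-in classes for illustration only; not SilverStripe's HTTPRequest or Session.
class DemoSession
{
    private array $data = [];
    public function set(string $name, $value): void { $this->data[$name] = $value; }
    public function get(string $name) { return $this->data[$name] ?? null; }
}

class DemoRequest
{
    private ?DemoSession $session;
    private string $url;

    public function __construct(string $url, ?DemoSession $session = null)
    {
        $this->url = $url;
        $this->session = $session;
    }
    public function getURL(): string { return $this->url; }
    public function hasSession(): bool { return $this->session !== null; }
    public function getSession(): DemoSession
    {
        // Same failure mode as in the report: the getter throws when no session is attached.
        if ($this->session === null) {
            throw new BadMethodCallException('No session available for this HTTPRequest');
        }
        return $this->session;
    }
}

// Hypothetical helper: remember where to return after login, but only when a session exists.
// 'BackURL' is an assumed key name for this sketch.
function rememberBackURL(DemoRequest $request): bool
{
    if (!$request->hasSession()) {
        return false; // no session (e.g. a placeholder request): skip instead of throwing
    }
    $request->getSession()->set('BackURL', $request->getURL());
    return true;
}

// Constructed sample requests: one with a session, one without.
$withSession = new DemoRequest('/admin/pages', new DemoSession());
$withoutSession = new DemoRequest('/admin/pages');

var_dump(rememberBackURL($withSession));               // back URL is stored
var_dump($withSession->getSession()->get('BackURL'));  // value read back from the session
var_dump(rememberBackURL($withoutSession));            // skipped, no exception raised
```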
