luci-base: dispatcher.uc: skip login nodes when resolving w/ active session
author Jo-Philipp Wich <jo@mein.io>
Tue, 30 Jul 2024 21:50:41 +0000 (23:50 +0200)
committer Jo-Philipp Wich <jo@mein.io>
Tue, 30 Jul 2024 22:02:15 +0000 (00:02 +0200)
When resolving eligible child nodes during evaluation of the "firstchild"
dispatch action, do not consider nodes allowing a login as allowed when
there already is an established session.

This fixes cases where restricted sessions are redirected to nodes they
have insufficient ACLs for, just because those nodes allow logins.

Fixes: #7218
Ref: https://forum.openwrt.org/t/x/174687
Suggested-by: @mikma
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 65b8002adbf8219b5dad37637756fa8fcae871a6)

modules/luci-base/ucode/dispatcher.uc

index 8717385be2170e8eeb41f5f23fce2f1864a9c2d4..2cb8cc2f6cf185d310356b1535d6bb6f78f38447 100644 (file)
@@ -582,7 +582,7 @@ function resolve_firstchild(node, session, login_allowed, ctx) {
                        session = is_authenticated(node.auth);
 
                let cacl = child.depends?.acl;
-               let login = login_allowed || child.auth?.login;
+               let login = !session && (login_allowed || child.auth?.login);
 
                if (login || check_acl_depends(cacl, session?.acls?.["access-group"]) != null) {
                        if (child.title && type(child.action) == "object") {
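Review bot: On the changed `let login = ...` line, `!session` now overrides the caller-supplied `login_allowed` as well as `child.auth?.login`, so with an established session a child can only qualify through `check_acl_depends(cacl, session?.acls?.["access-group"]) != null`. Please add a short comment stating that this is intended, and confirm that the check returns non-null for children that have no `depends.acl`, since otherwise those children would be skipped for every authenticated session. Because `session` can be reassigned by `session = is_authenticated(node.auth);` just above, the comment should also say that the test is meant to see that updated value.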