From: Jo-Philipp Wich <jo@mein.io>
Date: Tue, 30 Jul 2024 21:50:41 +0000 (+0200)
Subject: luci-base: dispatcher.uc: skip login nodes when resolving w/ active session
X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=cdbe9034c9bcad3f4ecd3d207ebf30e84da00063;p=project%2Fluci.git

luci-base: dispatcher.uc: skip login nodes when resolving w/ active session

When resolving eligible child nodes during evaluation of the "firstchild"
dispatch action, do not consider nodes allowing a login as allowed when
there already is an established session.

This fixes cases where restricted sessions are redirected to nodes they
have insufficent ACLs for, just because those nodes allow logins.

Fixes: #7218
Ref: https://forum.openwrt.org/t/x/174687
Suggested-by: @mikma
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 65b8002adbf8219b5dad37637756fa8fcae871a6)
---

diff --git a/modules/luci-base/ucode/dispatcher.uc b/modules/luci-base/ucode/dispatcher.uc
index 8717385be2..2cb8cc2f6c 100644
--- a/modules/luci-base/ucode/dispatcher.uc
+++ b/modules/luci-base/ucode/dispatcher.uc
@@ -582,7 +582,7 @@ function resolve_firstchild(node, session, login_allowed, ctx) {
 			session = is_authenticated(node.auth);
 
 		let cacl = child.depends?.acl;
-		let login = login_allowed || child.auth?.login;
+		let login = !session && (login_allowed || child.auth?.login);
 
 		if (login || check_acl_depends(cacl, session?.acls?.["access-group"]) != null) {
 			if (child.title && type(child.action) == "object") {