From cdbe9034c9bcad3f4ecd3d207ebf30e84da00063 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Tue, 30 Jul 2024 23:50:41 +0200
Subject: [PATCH] luci-base: dispatcher.uc: skip login nodes when resolving w/ active session
When resolving eligible child nodes during evaluation of the "firstchild" dispatch action, do not consider nodes allowing a login as allowed when there already is an established session. This fixes cases where restricted sessions are redirected to nodes they have insufficent ACLs for, just because those nodes allow logins.
Fixes: #7218
Ref: https://forum.openwrt.org/t/x/174687
Suggested-by: @mikma
Signed-off-by: Jo-Philipp Wich
(cherry picked from commit 65b8002adbf8219b5dad37637756fa8fcae871a6)
---
modules/luci-base/ucode/dispatcher.uc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/luci-base/ucode/dispatcher.uc b/modules/luci-base/ucode/dispatcher.uc
index 8717385be2..2cb8cc2f6c 100644
--- a/modules/luci-base/ucode/dispatcher.uc
+++ b/modules/luci-base/ucode/dispatcher.uc
@@ -582,7 +582,7 @@ function resolve_firstchild(node, session, login_allowed, ctx) {
 session = is_authenticated(node.auth);
 let cacl = child.depends?.acl;
- let login = login_allowed || child.auth?.login;
+ let login = !session && (login_allowed || child.auth?.login);
 if (login || check_acl_depends(cacl, session?.acls?.["access-group"]) != null) {
 if (child.title && type(child.action) == "object") {
--
2.30.2
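Review bot: The new guard on the `let login = …` line depends on the truthiness of `session`, so it is only correct if `session` is null or undefined for every request without a valid login. The context line `session = is_authenticated(node.auth);` suggests that, but `is_authenticated()` is outside the hunk and should be confirmed never to return a truthy placeholder for an expired or unknown session id. With a session present, `check_acl_depends(cacl, session?.acls?.["access-group"]) != null` becomes the only gate, so it is also worth confirming that it yields null when the session carries no `access-group` entry. The line deserves a why-comment, for example `// an established session must pass the ACL check; login-capable nodes only count for unauthenticated requests`. The body of `resolve_firstchild` starts and ends outside the hunk.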