FIX: Don't redirect XHR/JSON requests when login is required (#15093)

When redirecting to login, we store a destination_url cookie, which the user is then redirected to after login. We never want the user to be redirected to a JSON URL. Instead, we should return a 403 in these situations. This should also be much less confusing for API consumers - a 403 is a better representation than a 302.
2025-02-25 18:55:32 -06:00 · 2021-12-02 15:12:25 +00:00
parent 55cbc70f3f
commit cfb6199a95
4 changed files with 46 additions and 11 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -819,7 +819,11 @@ class ApplicationController < ActionController::Base

    if !current_user && SiteSetting.login_required?
      flash.keep
-      redirect_to_login
+      if (request.format && request.format.json?) || request.xhr? || !request.get?
+        ensure_logged_in
+      else
+        redirect_to_login
+      end
      return
    end