codeigniter4 / shield

Authentication and Authorization for CodeIgniter 4
https://shield.codeigniter.com
MIT License

Permissions filter doesn't capture ajax requests #1049

Closed Elvis254 closed 6 months ago

Elvis254 commented 6 months ago

PHP Version

8.2.0

CodeIgniter4 Version

4.4.5

Shield Version

1.0.1

Which operating systems have you tested for this bug?

Windows

Which server did you use?

apache

Database

MariaDB 10.2

Did you customize Shield?

I customized the UserModel class to include a function to generate a full name of a user from their first and last name before insert and before update. I also customized the User entity class to include two functions to set the first and last name of a user after cleaning the string input and performing formatting on it like capitalization.

What happened?

I made an ajax request on a route protected by a permission expecting to get a 403 Forbidden response because the user I was testing the route on doesn't have the permission. The response should be JSON in nature but it sends the page a user is redirected to if they don't have the permission.

Steps to Reproduce

Edit the permission filter to capture ajax requests and instead of redirecting to the page specified in Auth config, it sends a JSON formatted 403 Forbidden response.

Expected Output

A JSON formatted 403 Forbidden response.

Anything else?

No response
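The behaviour the report expects, sketched as an application-level filter; this is an added example, not Shield's own code and not the reporter's. The class name `JsonAwarePermissionFilter`, the JSON body shape, and the 401 response for unauthenticated AJAX callers are assumptions. It takes the non-AJAX redirect target from `permissionDeniedRedirect()` in Shield's `Auth` config.

```php
<?php

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\IncomingRequest;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

// Hypothetical filter: same permission check for every request, but AJAX
// callers get a JSON 401/403 instead of a redirect to an HTML page.
class JsonAwarePermissionFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        if (empty($arguments)) {
            return;
        }
        // isAJAX() reads the client-sent X-Requested-With header, so it may
        // only select the response format, never the authorization outcome.
        $wantsJson = $request instanceof IncomingRequest && $request->isAJAX();

        if (! auth()->loggedIn()) {
            return $wantsJson
                ? $this->deny(401, 'Authentication required.')
                : redirect()->route('login');
        }

        // Any one of the listed permissions is enough to pass.
        foreach ($arguments as $permission) {
            if (auth()->user()->can($permission)) {
                return;
            }
        }

        return $wantsJson
            ? $this->deny(403, 'You do not have permission to access this resource.')
            : redirect()->to(config('Auth')->permissionDeniedRedirect());
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
    }

    private function deny(int $status, string $message): ResponseInterface
    {
        return service('response')->setStatusCode($status)->setJSON(['status' => $status, 'error' => $message]);
    }
}
```

Register the class under an alias in `app/Config/Filters.php` and use that alias on the protected route. Clients using `fetch()` must set `X-Requested-With: XMLHttpRequest` themselves, since `isAJAX()` depends on that header.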