silverstripe / silverstripe-framework

Silverstripe Framework, the MVC framework that powers Silverstripe CMS
https://www.silverstripe.org
BSD 3-Clause "New" or "Revised" License

ModelAdmin executes init code even when there is no authenticated user #11400

Closed lekoala closed 2 hours ago

lekoala commented 2 hours ago

Module version(s) affected

5.x

Description

I recently discovered this unexpected error in my logs...

RuntimeException
ModelAdmin::init(): Invalid Model class lib

for the following url: /admin/events/lib/external/responsive_filemanager/filemanager/dialog.php

That's expected: "lib" is not a valid model class. But what's really odd is that this is the case for anonymous users... meaning any bot can basically hammer your website and create tons of error logs due to this.

The issue is that the auth check does not interrupt the init() process in subclasses (there is simply a return statement in the parent class's init()).

How to reproduce

Visit any /admin/security|modeladmin_segment/invalid_model/xxx URL on a Silverstripe website and get a server error.

eg: https://some.domain.com/admin/security/lib/external/responsive_filemanager/filemanager/dialog.php

Possible Solution

Always add a redirectedTo check in any ModelAdmin subclasses... (not great, because you have to think about it)

<?php

use SilverStripe\Admin\ModelAdmin;

// EventAdmin is a placeholder name for any ModelAdmin subclass.
class EventAdmin extends ModelAdmin
{
    protected function init()
    {
        parent::init();

        // Stop here if LeftAndMain::init() already issued a redirect
        // (e.g. to the login form for an unauthenticated request).
        if ($this->redirectedTo()) {
            return;
        }

        // Subclass-specific init code goes below.
    }
}

Better long term solution:

Throw a RedirectException (this does not exist, but I think it really should be added to the core) in the init method to avoid any further processing instead of what's currently in place. This would make the whole thing much simpler and avoid issues for unsuspecting developers.

Additional Context

No response
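The control-flow problem described in this issue, and the two ways out of it, modelled in plain PHP as an added example. This is not code from silverstripe-framework: it uses no Silverstripe classes, the controller, route and model names are made up, and `RedirectException` is the hypothetical class proposed above, not an existing framework API. It assumes PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// Added illustration, not silverstripe-framework code. It models the flow
// from the issue: an auth check in a parent init() that only returns cannot
// stop a subclass's init(), while a (hypothetical) RedirectException can.
// All class, route and model names below are made up for the example.

final class RedirectException extends RuntimeException
{
    public function __construct(public readonly string $location)
    {
        parent::__construct("redirect to {$location}");
    }
}

abstract class AdminController
{
    private ?string $redirectedTo = null;

    public function __construct(protected ?string $user, protected string $modelSegment) {}

    public function redirectedTo(): ?string { return $this->redirectedTo; }

    // Style 1 (current): record the redirect and return. Execution resumes
    // in the subclass's init() right after the parent call.
    protected function initReturning(): void
    {
        if ($this->user === null) {
            $this->redirectedTo = '/Security/login';
        }
    }

    // Style 2 (proposed): abort the whole init() chain.
    protected function initThrowing(): void
    {
        if ($this->user === null) {
            throw new RedirectException('/Security/login');
        }
    }

    // Stand-in for ModelAdmin's managed-model lookup on the URL segment.
    protected function validateModel(): void
    {
        if (!in_array($this->modelSegment, ['Event'], true)) {
            throw new RuntimeException("Invalid Model class {$this->modelSegment}");
        }
    }

    abstract protected function init(): void;

    // Dispatcher: a RedirectException becomes a response instead of a 500.
    public function handle(): string
    {
        try {
            $this->init();
        } catch (RedirectException $e) {
            return "302 {$e->location}";
        }
        return $this->redirectedTo() ?? "200 model={$this->modelSegment}";
    }
}

// As today: an anonymous request to /admin/events/lib/... reaches
// validateModel() and throws before the redirect is ever served.
final class LeakyAdmin extends AdminController
{
    protected function init(): void
    {
        $this->initReturning();
        $this->validateModel();
    }
}

// Workaround from the issue: every subclass must remember the guard.
final class GuardedAdmin extends AdminController
{
    protected function init(): void
    {
        $this->initReturning();
        if ($this->redirectedTo()) {
            return;
        }
        $this->validateModel();
    }
}

// Proposed: the parent aborts, so subclasses need no guard at all.
final class ThrowingAdmin extends AdminController
{
    protected function init(): void
    {
        $this->initThrowing();
        $this->validateModel();
    }
}

// Anonymous user ($user = null) requesting the bogus model segment "lib".
foreach ([LeakyAdmin::class, GuardedAdmin::class, ThrowingAdmin::class] as $cls) {
    try {
        echo $cls, ': ', (new $cls(null, 'lib'))->handle(), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $cls, ': uncaught ', $e::class, ' ', $e->getMessage(), PHP_EOL;
    }
}
```

Run it with `php example.php`. LeakyAdmin lets the RuntimeException escape handle(), which is what ends up in the logs for unauthenticated crawler hits; GuardedAdmin and ThrowingAdmin both answer with the login redirect. The difference between the last two is where the responsibility sits: GuardedAdmin works only if every subclass author remembers the check, while ThrowingAdmin gets the behaviour from the base class.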

lekoala commented 2 hours ago

Ah, sorry, closing this and will open it in the admin module.