Release 9.0.2

.semver

@@ -1,5 +1,5 @@
 ---
 :major: 9
 :minor: 0
-:patch: 0
+:patch: 2
 :special: ''

CHANGELOG.md

@@ -2,11 +2,20 @@ Changelog
 =========
 Releases for CakePHP 4
 -------------
+* 9.0.2
+  * Added a custom Unauthorized Handler
+    * If logged user access unauthorized url he is redirected to referer url or '/' if no referer url
+    * If not logged user access unauthorized url he is redirected to configured url (default to login)
+    * on login we only use the redirect url from querystring 'redirect' if user can access the target url
+    * App can configure a callable for 'url' option to define a custom logic to retrieve the url for unauthorized redirect
+  * Added postLink method to AuthLinkHelper
+  * UserHelper::welcome now works with request's attribute 'identity'
+
 * 9.0.1
   * Improved routes
   * Improved integration tests
   * Fixed warnings related to arguments in function calls
-  
+
 * 9.0.0
    * Migration to CakePHP 4
    * Compatible with cakephp/authentication
@@ -27,7 +36,7 @@ Releases for CakePHP 3
 
 * 8.4.0
   * Rehash password if needed at login
-  
+
 * 8.3.0
   * Bootstrap don't need to listen for EVENT_FAILED_SOCIAL_LOGIN
 
@@ -44,7 +53,7 @@ Releases for CakePHP 3
   * Updated to latest version of Google OAuth
   * Added plugin object
   * Fixed action changePassword to work with post or put request
- 
+
 * 8.0.2
   * Add default role for users registered via social login
 
@@ -59,14 +68,14 @@ Releases for CakePHP 3
   * Added new translations
   * Improved customization options for recaptcha integration
 
-* 7.0.2 
+* 7.0.2
   * Fixed an issue with 2FA only working on the second try
 
-* 7.0.1 
+* 7.0.1
   * Fixed a security issue in 2 factor authentication, reported by @ndm2
   * Updated to cakedc/auth ^3.0
   * Documentation fixes
-  
+
 * 7.0.0
   * Removed deprecations for CakePHP 3.6
   * Added a new `UsersAuthComponent::EVENT_AFTER_CHANGE_PASSWORD`
@@ -79,7 +88,7 @@ Releases for CakePHP 3
   * Updated Facebook Graph version to 2.8
   * Fixed flash error messages on logic
   * Added link social account feature for twitter
-  * Switched to codecov  
+  * Switched to codecov
 
 * 5.2.0
   * Compatible with 3.5, deprecations will be removed in next major version of the plugin
@@ -131,7 +140,7 @@ Releases for CakePHP 3
 * 4.1.2
   * Fix RememberMe redirect
   * Fix AuthLink rendering inside Cells
-  
+
 * 4.1.1
   * Add missing password field in add user
 
@@ -148,7 +157,7 @@ Releases for CakePHP 3
   * Fixed RegisterBehavior api, make getRegisterValidators public.
 
 * 3.2.3
-  * Added compatibility with CakePHP 3.3+ 
+  * Added compatibility with CakePHP 3.3+
   * Fixed several bugs, including regression issue with Facebook login & improvements
 
 * 3.2.2
@@ -161,7 +170,7 @@ Releases for CakePHP 3
   * Improved registration and reset password user already logged in logic
   * Several bugfixes
   * AuthLinkHelper added to render links if user is allowed only
-  
+
 * 3.1.5
   * SocialAuthenticate improvements
   * Authorize Rules. Owner rule

Docs/Documentation/Authorization.md

@@ -24,46 +24,88 @@ The default configuration for authorization middleware is:
 ```
 [
     'unauthorizedHandler' => [
-        'exceptions' => [
-            'MissingIdentityException' => 'Authorization\Exception\MissingIdentityException',
-            'ForbiddenException' => 'Authorization\Exception\ForbiddenException',
-        ],
-        'className' => 'Authorization.CakeRedirect',        
+        'className' => 'CakeDC/Users.DefaultRedirect',
     ]
 ],
 ```
 
-You can check the configuration options available for authorization middleware at the 
-[official documentation](https://github.com/cakephp/authorization/blob/master/docs/Middleware.md)
+You can check the configuration options available for authorization middleware at the
+[official documentation](https://github.com/cakephp/authorization/blob/master/docs/Middleware.md).
+
+The `CakeDC/Users.DefaultRedirect` offers additional behavior and config:
+  * If logged user access unauthorized url he is redirected to referer url or '/' if no referer url
+  * If not logged user access unauthorized url he is redirected to configured url (default to login)
+  * on login we only use the redirect url from querystring 'redirect' if user can access the target url
+  * App can configure a callable for 'url' option to define a custom logic to retrieve the url for unauthorized redirect
+  * App can configure a flash message
 
+You could do the following to set a custom url and flash message:
 
+```
+[
+    'unauthorizedHandler' => [
+        'className' => 'CakeDC/Users.DefaultRedirect',
+        'url' => [
+            'plugin' => false,
+            'prefix' => false,
+            'controller' => 'Pages',
+            'action' => 'home'
+        ],
+        'flash' => [
+            'message' => 'My custom message',
+            'key' => 'flash',
+            'element' => 'flash/error',
+            'params' => [],
+        ],
+    ]
+],
+```
+OR
+```
+[
+    'unauthorizedHandler' => [
+        'className' => 'CakeDC/Users.DefaultRedirect',
+        'url' => function($request, $options) {
+              //custom logic
+
+              return $url;
+        },
+        'flash' => [
+            'message' => 'My custom message',
+            'key' => 'flash',
+            'element' => 'flash/error',
+            'params' => [],
+        ],
+    ]
+],
+```
 Authorization Component
 -----------------------
 We autoload the authorization component at users controller using the default configuration,
 if you don't want the plugin to autoload it, you can do:
 ```
 Configure::write('Auth.AuthorizationComponent.enabled', false);
-``` 
+```
 
-You can check the configuration options available for authorization component at the 
+You can check the configuration options available for authorization component at the
 [official documentation](https://github.com/cakephp/authorization/blob/master/docs/Component.md)
 
-Authorization Service Loader 
+Authorization Service Loader
 -----------------------------
 To make the integration with cakephp/authorization easier we load the resolvers OrmResolver and MapResolver.
 The MapResolver resolves ServerRequest request object to check access permission using Superuser and Rbac policies.
 
-If the configuration is not enough for your project you may create a custom loader extending the 
+If the configuration is not enough for your project you may create a custom loader extending the
 default provided.
 
 - Create file src/Loader/AppAuthorizationServiceLoader.php
 
 ```
 <?php
 namespace App\Loader;
- 
+
 use \CakeDC\Users\Loader\AuthorizationServiceLoader;
- 
+
 class AppAuthorizationServiceLoader
 {
     /**

README.md

@@ -12,8 +12,8 @@ Versions and branches
 
 | CakePHP | CakeDC Users Plugin | Tag   | Notes |
 | :-------------: | :------------------------: | :--:  | :---- |
-| ^4.0            | [master](https://github.com/cakedc/users/tree/master)                      | 9.0.1 | stable |
-| ^4.0            | [9.0](https://github.com/cakedc/users/tree/9.next)                      | 9.0.1 | stable |
+| ^4.0            | [master](https://github.com/cakedc/users/tree/master)                      | 9.0.2 | stable |
+| ^4.0            | [9.0](https://github.com/cakedc/users/tree/9.next)                      | 9.0.2 | stable |
 | ^3.7  <4.0      | [8.5](https://github.com/cakedc/users/tree/8.next)                      | 8.5.1 | stable |
 | 3.7             | [develop](https://github.com/cakedc/users/tree/develop)                      | - | unstable |
 | 3.6             | [8.1](https://github.com/cakedc/users/tree/8.1.0)                      | 8.1.0 | stable |
@@ -32,7 +32,7 @@ It covers the following features:
 * Remember me (Cookie) via https://github.com/CakeDC/auth
 * Manage user's profile
 * Admin management
-* Yubico U2F for Two-Factor Authentication 
+* Yubico U2F for Two-Factor Authentication
 * One-Time Password for Two-Factor Authentication
 
 The plugin is here to provide users related features following 2 approaches:

config/users.php

@@ -195,11 +195,7 @@
         ],
         'AuthorizationMiddleware' => [
             'unauthorizedHandler' => [
-                'exceptions' => [
-                    'MissingIdentityException' => 'Authorization\Exception\MissingIdentityException',
-                    'ForbiddenException' => 'Authorization\Exception\ForbiddenException',
-                ],
-                'className' => 'Authorization.CakeRedirect',
+                'className' => 'CakeDC/Users.DefaultRedirect',
             ]
         ],
         'AuthorizationComponent' => [

phpstan-baseline.neon

@@ -302,4 +302,12 @@ parameters:
 			count: 1
 			path: src\Shell\UsersShell.php
 
+		-
+			message: "#^Parameter \\#1 \\$message of method Cake\\\\Controller\\\\Controller\\:\\:log\\(\\)\\ expects string, Exception given.$#"
+			count: 1
+			path: src\Controller\Traits\OneTimePasswordVerifyTrait.php
 
+		-
+			message: "#^Access to an undefined property CakeDC\\\\Users\\\\View\\\\Helper\\\\AuthLinkHelper\\:\\:\\$Form\\.$#"
+			count: 1
+			path: src\View\Helper\AuthLinkHelper.php

src/Controller/Component/LoginComponent.php

@@ -16,7 +16,9 @@
 use Authentication\Authenticator\ResultInterface;
 use Cake\Controller\Component;
 use Cake\Core\Configure;
+use Cake\Http\ServerRequest;
 use CakeDC\Auth\Authentication\AuthenticationService;
+use CakeDC\Auth\Traits\IsAuthorizedTrait;
 use CakeDC\Users\Plugin;
 use CakeDC\Users\Utility\UsersUrl;
 
@@ -25,6 +27,8 @@
  */
 class LoginComponent extends Component
 {
+    use IsAuthorizedTrait;
+
     /**
      * Default configuration.
      *
@@ -36,6 +40,16 @@ class LoginComponent extends Component
         'targetAuthenticator' => null,
     ];
 
+    /**
+     * Gets the request instance.
+     *
+     * @return \Cake\Http\ServerRequest
+     */
+    public function getRequest(): ServerRequest
+    {
+        return $this->getController()->getRequest();
+    }
+
     /**
      * Handle login, if success redirect to 'AuthenticationComponent.loginRedirect' or show error
      *
@@ -138,7 +152,7 @@ protected function afterIdentifyUser($user)
 
         $query = $this->getController()->getRequest()->getQueryParams();
         $redirectUrl = $this->getController()->Authentication->getConfig('loginRedirect');
-        if (isset($query['redirect'])) {
+        if ($this->isAuthorized($query['redirect'] ?? null)) {
             $redirectUrl = $query['redirect'];
         }