handle access denied exception correctly and don't duplicate redirect to login...

Closes #6375

Merge request studip/studip!4836


(cherry picked from commit 431fda0deda433186c5ea5740e2a2b120d2c1a14)

2fb81ba6 handle access denied exception correctly and don't duplicate redirect to login...

Co-authored-by: Jan-Hendrik Willms <tleilax+studip@gmail.com>

2 files changed, 8 insertions, 16 deletions

diff --git a/lib/functions.php b/lib/functions.php
index 82fd5ac..cbc0e64 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -1127,7 +1127,7 @@ function studip_default_exception_handler($exception) {
         $status = 403;
         $template = 'check_object_exception';
     } elseif ($exception instanceof LoginException) {
-        $_SESSION['redirect_after_login'] ??= Request::url();
+        $_SESSION['redirect_after_login'] = Request::url();
         sess()->save();
         header('Location: ' . URLHelper::getScriptURL('dispatch.php/login'));
         exit;
diff --git a/lib/middleware/HandleAccessDeniedMiddleware.php b/lib/middleware/HandleAccessDeniedMiddleware.php
index 567eca8..829b516 100644
--- a/lib/middleware/HandleAccessDeniedMiddleware.php
+++ b/lib/middleware/HandleAccessDeniedMiddleware.php
@@ -2,33 +2,25 @@
 namespace Studip\Middleware;
 
 use AccessDeniedException;
+use LoginException;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\MiddlewareInterface;
 use Psr\Http\Server\RequestHandlerInterface;
-use Psr\Http\Message\ResponseFactoryInterface;
-use Request;
-use URLHelper;
+use User;
 
 final class HandleAccessDeniedMiddleware implements MiddlewareInterface
 {
-    public function __construct(
-        private readonly ResponseFactoryInterface $responseFactory
-    ) {
-    }
-
-    /**
-     * @SuppressWarnings(StaticAccess)
-     * @SuppressWarnings(SuperGlobals)
-     */
     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
     {
         try {
             return $handler->handle($request);
         } catch (AccessDeniedException $ade) {
-            $_SESSION['redirect_after_login'] ??= Request::url();
-            return $this->responseFactory->createResponse(302)
-                ->withHeader('Location', URLHelper::getURL('dispatch.php/login'));
+            if (!User::findCurrent()) {
+                throw new LoginException();
+            }
+
+            throw $ade;
         }
     }
 }