luci-base: dispatcher.uc: skip login nodes when resolving w/ active s…

…ession When resolving eligible child nodes during evaluation of the "firstchild" dispatch action, do not consider nodes allowing a login as allowed when there already is an established session. This fixes cases where restricted sessions are redirected to nodes they have insufficent ACLs for, just because those nodes allow logins. Fixes: openwrt#7218 Ref: https://forum.openwrt.org/t/x/174687 Suggested-by: @mikma Signed-off-by: Jo-Philipp Wich <[email protected]>
schuettecarsten · Jul 30, 2024 · 65b8002 · 65b8002
1 parent 79a7012
commit 65b8002
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/modules/luci-base/ucode/dispatcher.uc b/modules/luci-base/ucode/dispatcher.uc
@@ -582,7 +582,7 @@ function resolve_firstchild(node, session, login_allowed, ctx) {
 			session = is_authenticated(node.auth);
 
 		let cacl = child.depends?.acl;
-		let login = login_allowed || child.auth?.login;
+		let login = !session && (login_allowed || child.auth?.login);
 
 		if (login || check_acl_depends(cacl, session?.acls?.["access-group"]) != null) {
 			if (child.title && type(child.action) == "object") {