Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
system routes for 403 and 404 are defined as "system.403" and "system.404".
if custom 403 or 404 pages have been defined those will not be generated as 403 and 404 routes.
I submitted a patch to fix this issue. This also fixes the infinite redirect for admin routes.
Comments
Comment #2
bogdan.dinu CreditAttribution: bogdan.dinu commentedThis is the patch
Comment #3
bogdan.dinu CreditAttribution: bogdan.dinu commentedComment #4
robphillips CreditAttribution: robphillips commentedNow I see why I couldn't reproduce. It only happens if you have a custom 403/404 page defined. I think the patch is close but I'm going to make a few changes. I'll report back this evening with a new update and probably an official release.
@bogdan.dinu: Thanks for your efforts!
Comment #5
bogdan.dinu CreditAttribution: bogdan.dinu commentedNo, It also happens for standard 403/403 and custom routes. To prevent this you have to manually send the redirect response in the event subscriber. I submitted an updated patch.
Comment #6
robphillips CreditAttribution: robphillips commentedI've been too busy to test the latest patch. I will try and review today or tomorrow.
Comment #7
robphillips CreditAttribution: robphillips commentedNeed to clean up the code and check with phpcs. Initial testing seems to work but would like to fit in a few more test cases.
Comment #8
renatogComment #9
robphillips CreditAttribution: robphillips commentedComment #10
renatogHi!
I checked module with phpcs and found these items:
I fixed these items and the patch with the fix follow in attachment.
Regards.
Comment #11
rodrigoaguileraThanks for the patch!
I did a quick review:
I don't know what you really want here
Comment #12
bogdan.dinu CreditAttribution: bogdan.dinu commentedThe return should not be commented out. I must have forgotten it there from when I was testing. I'll submit tomorrow a new patch.
Comment #13
renatogHi guys!
To help, exists a new patch with the fix in attachment.
Thanks.
Regards.
Comment #14
renatogComment #15
renatogComment #16
chrisrockwell CreditAttribution: chrisrockwell commentedI'm dealing with the same thing here. I have a custom route with access permissions on it and a custom User Login Path configured at admin/config/system/require-login.
Without #13 I get the too many redirects issue. With this patch, I just get the Access Denied page.
A nitpick, but cleaning up/adding comments to the patch aren't necessary. I believe a separate issue should be created for this.
These @file aren't required here.
Same here
Comment #17
chrisrockwell CreditAttribution: chrisrockwell commentedComment #18
chrisrockwell CreditAttribution: chrisrockwell commentedFYI, with this left commented out - it works for me.
Comment #19
chrisrockwell CreditAttribution: chrisrockwell commentedI am working on a patch, but also leaving comments here for others. We also need to add, at least,
user.login.http
to the excluded routes, otherwise login via endpoint won't work.Comment #20
ExTexan CreditAttribution: ExTexan commentedAs far as I know, we aren't using custom 403/404 pages. I applied patch 13 and at least it fixed the infinite redirect. But when I tried a path other than the home page (as anonymous visitor), instead of going to the login page, it went to the "Access denied" page.
Comment #21
chrisrockwell CreditAttribution: chrisrockwell commented@ExTexan, you can try what I've done here: https://gist.github.com/clrockwell79/b17a83d61972ee403c1dccaf68af1ea5.
Comment #22
ExTexan CreditAttribution: ExTexan commented@chrisrockwell, thanks for that. I tried that version of the RequireLoginSubscriber.php, but I still just get Access Denied instead of being redirected to the login page.
Was there more to your patch in git that I missed?
Comment #23
ExTexan CreditAttribution: ExTexan commentedOops, scratch that. I had already disabled the require_login module (so I could do it in a custom module myself)... forgot to re-enable it when I put in the RequireLoginSubscriber.php file. But when I enabled the module just now, I got this...
Recoverable fatal error: Argument 1 passed to Drupal\require_login\EventSubscriber\RequireLoginSubscriber::__construct() must be an instance of Drupal\Core\Config\ConfigFactory, none given, called in /Users/Doug/Projects/Sunland/Site/core/lib/Drupal/Component/DependencyInjection/Container.php on line 264 and defined in Drupal\require_login\EventSubscriber\RequireLoginSubscriber->__construct() (line 30 of modules/require_login/src/EventSubscriber/RequireLoginSubscriber.php).
Comment #24
chrisrockwell CreditAttribution: chrisrockwell commented@ExTexan, no nothing different. I have a couple site specific modifications (just uploaded them so I could see the diff in gist) but this has been working on a production site.
I did find another issue, which you can see in my newest gist in that requests for API are getting access denied, I had to hack together a fix for that. If I ever have time, I'd like to come back to this. Not certain the module owner has time/interest in getting at this though (which I 100% understand and sympathize with).
Comment #25
TommyK CreditAttribution: TommyK as a volunteer and commentedI came across this issue because I was having infinite redirect loops. I actually want my 403 pages to redirect to /user/login instead of displaying Access Denied. I applied the patch and set the default 403 (access denied) page to / which actually does trigger the login form and redirect that I want.
The only problem is the error in the log:
I’m not sure if this is because of my configuration or a problem with the module or patch.
Comment #26
btully CreditAttribution: btully commentedI have created an updated patch that also includes the more recent work by @cuignet.g at https://www.drupal.org/project/require_login/issues/2881063 (Infinite redirect loop) which adds an ImmutableTargetRedirectResponse. That patch and the patch from #13 have some overlap, so I've combined them here using the best of both patches. Hope that helps!
See #2881063: Infinite redirect loop
Comment #27
oriol_e9gApplied and tested the patch in #26 and works perfect.
Comment #28
danharper CreditAttribution: danharper as a volunteer and commentedI have applied the latest patch in 26 but instead of redirecting I now get access denied.
I have added user/login as an exclusion but that's the only configuration I've added
Drupal 8.5.0
Comment #30
robphillips CreditAttribution: robphillips commentedI went a different route to resolve this issue. The checkUserRedirect() event subscriber is now also checking for the 403/404 HTTP status codes on the current page. Those changes have been committed to the 8.x branch and will be included in a release today.
Comment #31
robphillips CreditAttribution: robphillips commentedComment #32
robphillips CreditAttribution: robphillips commentedCommitted. Included in release 8.x-1.11.
Comment #33
hughworm CreditAttribution: hughworm as a volunteer commentedThe new version 8.x-1.11 still caused infinite redirect for me. I've patched it so it now correctly detects the exception code under a 403/404.