Backend Security key broken for controllers with frontname not equal to route ID #7557
Description
Preconditions
The Magento used is the "develop" branch.
PHP: PHP 7.0.10-1+deb.sury.org~xenial+1
Steps to reproduce
- Create a new module with a controller usable in the backend.
- Define a new route for the controller (new adminhtml/routes.xml file) with a frontname different from the route ID.
- Add the new controller to the menu and add the appropriate item to the ACL.
- Log into the backend, locate the new item and click on it.
Expected result
- The new controller is executed.
Actual result
- The user is redirected back to the dashboard.
After a debugging session, it appears that the security key is incorrectly generated during either the creation of backend URLs or the security key validation.
If you place a breakpoint at the last line of \Magento\Backend\Model\Url::getSecretKey(), you'll notice the following discrepancy:
- While generating the security key used during the creation of the URL, the "$secret" string (the one that is hashed to form the security key) starts with the frontname.
- While checking the security key after having clicked on the link, the "$secret" string starts with the route ID instead.
Metadata
Metadata
Assignees
Labels
The issue has been fixed in 2.2 release lineThe issue has been fixed in 2.3 release lineGate 2 Passed. Manual verification of the issue description passedGate 3 Passed. Manual verification of the issue completed. Issue is confirmedGate 1 Passed. Automatic verification of issue format passedGate 4. Acknowledged. Issue is added to backlog and ready for developmentIndicates that Pull Request has been created to fix issueThe issue has been reproduced on latest 2.1 releaseThe issue has been reproduced on latest 2.2 releaseThe issue has been reproduced on latest 2.3 release