🐛 Does not redirect ot login if url start by /bolt...

[macintoshplus]

Issue #3504 Fix the security side effect on URL start with /bolt.

• /bolt$ is secured and redirect on login if need. 🔒
• /bolt/new/page is secured and redirect on login if need. 🔒
• /bolt-and-nuts Not secured. 🔓

[bobvandevijver]

This looks good, but it will require a yaml migration as well so it is to be applied to existing installations. See for example https://github.com/bolt/core/blob/master/yaml-migrations/m_2022-02-16-security_1.yaml.

[macintoshplus]

This looks good, but it will require a yaml migration as well so it is to be applied to existing installations. See for example https://github.com/bolt/core/blob/master/yaml-migrations/m_2022-02-16-security_1.yaml.

It's not possible. The YAML migration tool doesn't work fine with an array. This change requires two migrations. One for removing older configuration and one for adding new configuration.

The remove migration like

# See: https://github.com/bolt/core/issues/3504

file: packages/security.yaml
since: 5.2.1
remove:
    security:
        access_control:
            - { path: '^%bolt.backend_url%', roles: IS_AUTHENTICATED_REMEMBERED }
            - { path: '^/(%app_locales%)%bolt.backend_url%', roles: IS_AUTHENTICATED_REMEMBERED }

Apply the removing migration generate this error:

PHP Fatal error:  Uncaught TypeError: YamlMigrate\ArrayMerge::removeArrayRecursively(): Argument #1 ($origin) must be of type array, string given, called in /home/user/dev/bolt/bolt-5.2/vendor/bobdenotter/yaml-migrations/src/ArrayMerge.php on line 62 and defined in /home/user/dev/bolt/bolt-5.2/vendor/bobdenotter/yaml-migrations/src/ArrayMerge.php:54

To apply this change, it's necessary to upgrade the YAML migration tool to add the updating action like kaliop/ezmigrationbundle.

[macintoshplus]

I've added the upgrade file and updated the changelog.

This patch may have already been applied to users' Bolt projects.

[bobvandevijver]

Included in dbeab8b