Bugfix #10912 (Micro Middleware (before) does not stop operation)

[pauliuspetronis]

In this pull request is one important change.

before this change:

1. if event (before) is closure and return false - cancels the route execution
2. if event (before) is MiddlewareInterface object and return false/true/... - not cancels route execution

In this change:

1. if event (before) is closure and return false/true/... - not cancels route execution
2. if event (before) is MiddlewareInterface and return false/true/... - not cancels route execution

If you need to cancel execution on event (before) - in both cases must be called $microApplication->stop();

For example:

<?php
$app = new Phalcon\Mvc\Micro();
$app->before(function () use ($app) {
    if ($app['session']->get('auth') == false) {
        $app->stop();
        return false;
    }
    return true;
});
$app->handle();

or

<?php
class Auth implements Phalcon\Mvc\Micro\MiddlewareInterface
{
    public function call(Phalcon\Mvc\Micro $app)
    {
         if ($app['session']->get('auth') == false) {
            $app->stop();
            return false;
        }
        return true;
    }
}
$app = new Phalcon\Mvc\Micro();
$app->before(new Access());
$app->handle();

[andresgutierrez]

Just to make sure, return false does not stop the events?

[pauliuspetronis]

Yes.
In before event - will cancel process only if you call stop() function.
In after and finish events - will never cancel process, but if event call stop() then skip next same type events (after, or finish).

[sszdh]

👍

[sergeyklay]

👍

[sergeyklay]

@pauliuspetronis Could you please rebase onto 3.2.x branch

[pauliuspetronis]

@sergeyklay - done

[sergeyklay]

Looks good to me

[sergeyklay]

@pauliuspetronis Could you please update CHANGELOG.md

[pauliuspetronis]

@sergeyklay - updated. But I think the same problem is with afterBindingHandlers. Or I'm wrong?

[sergeyklay]

@pauliuspetronis Looks like yes. Anyway it should be in separated PR. Thank you for contributing !

[necipallef]

First of all, I would like to say thanks for this awesome framework and awesome work. Really appreciate it. We love using PHP and Phalcon in our projects, we've already written several separate libraries to make the best use of Phalcon (here is an example).

However, by changing a crucial functionality like this (calling return false does not stop the execution on before) broke most of our applications that are live today, causing huge security issues. It is unpleasant to be aware of this after it is been a while since this change was released.

Maybe I have to check here more often, but we are already dependent on lots of other libraries too, and checking them all is not always possible. Please be more careful not to break people's code who loves using Phalcon in the future.