From e2b6cb69b0bee7004a0dd170804dfd4323d0fc92 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Fri, 7 Nov 2014 03:01:05 +0300
Subject: [PATCH] Fixes #4889: Application was getting into redirect loop when user wasn't allowed accessing login page. Now shows 403
---
 framework/CHANGELOG.md | 1 +
 framework/web/User.php | 8 +++++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
index f482900..12e2751 100644
--- a/framework/CHANGELOG.md
+++ b/framework/CHANGELOG.md
@@ -5,6 +5,7 @@ Yii Framework 2 Change Log
 -----------------------
 - Bug #4471: `yii\caching\ApcCache::getValues()` now returns array in case of APC is installed but not enabled in CLI mode (samdark, cebe)
+- Bug #4889: Application was getting into redirect loop when user wasn't allowed accessing login page. Now shows 403 (samdark)
 - Bug #5402: Debugger was not loading when there were closures in asset classes (samdark)
 - Bug #5570: `yii\bootstrap\Tabs` would throw an exception if `content` is not set for one of its `items` (RomeroMsk)
 - Bug #5584: `yii\rbac\DbRbacManager` should not delete items when deleting a rule on a database not supporting cascade update (mdmunir)
diff --git a/framework/web/User.php b/framework/web/User.php
index e464040..7c35f84 100644
--- a/framework/web/User.php
+++ b/framework/web/User.php
@@ -422,10 +422,12 @@ class User extends Component
 $this->setReturnUrl($request->getUrl());
 }
 if ($this->loginUrl !== null) {
- return Yii::$app->getResponse()->redirect($this->loginUrl);
- } else {
- throw new ForbiddenHttpException(Yii::t('yii', 'Login Required'));
+ $loginUrl = (array)$this->loginUrl;
+ if ($loginUrl[0] !== Yii::$app->requestedRoute) {
+ return Yii::$app->getResponse()->redirect($this->loginUrl);
+ }
 }
+ throw new ForbiddenHttpException(Yii::t('yii', 'Login Required'));
 }
 /**
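Review bot: The new guard `$loginUrl[0] !== Yii::$app->requestedRoute` in the User.php hunk is an exact string comparison, so it breaks the redirect loop only when `loginUrl` is written in precisely the form the application stores the requested route in. If `requestedRoute` carries no leading slash (not visible in this hunk), a `loginUrl` configured as `['/site/login']` or as a plain URL string would still fail the comparison and keep redirecting an unauthorised user back to the login page. Normalising before comparing, e.g. `if (ltrim($loginUrl[0], '/') !== Yii::$app->requestedRoute) {`, covers the slash variant; the string-URL form needs either its own handling or a doc note on `loginUrl` saying the guard applies to route arrays only. The enclosing method starts above the hunk, so whether `setReturnUrl()` should be skipped on the 403 path cannot be judged from here.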