Hi!
I have added a custom route (/foo/bar) that’s defined inside config.php which should only be executable if the user is logged in inside the panel:
return [
...
'routes' => [
[
'pattern' => 'foo/bar',
'action' => function () {
$user = kirby()->user();
if ($user->isLoggedIn()) {
// logic if user is logged in here ...
return [
'status' => 200
]
}
return [
'status' => 401
]
}
]
]
]
This works in general. However, once I moved Kirby in a sub directory (/cms), the user object is always null and in return an exception is thrown:
For reference, this is my .htaccess file where I only added a folder (frontend) that should not be accessible and adjusted the rewrite rule regarding installing Kirby in a sub folder:
# Kirby .htaccess
# revision 2023-07-22
# rewrite rules
<IfModule mod_rewrite.c>
# enable awesome urls. i.e.:
# http://yourdomain.com/about-us/team
RewriteEngine on
# make sure to set the RewriteBase correctly
# if you are running the site in a subfolder;
# otherwise links or the entire site will break.
#
# If your homepage is http://yourdomain.com/mysite,
# set the RewriteBase to:
#
RewriteBase /cms
# In some environments it's necessary to
# set the RewriteBase to:
#
# RewriteBase /
# block files and folders beginning with a dot, such as .git
# except for the .well-known folder, which is used for Let's Encrypt and security.txt
RewriteRule (^|/)\.(?!well-known\/) index.php [L]
# block all files in the content folder from being accessed directly
RewriteRule ^content/(.*) index.php [L]
# block all files in the site folder from being accessed directly
RewriteRule ^site/(.*) index.php [L]
# block direct access to Kirby and the Panel sources
RewriteRule ^kirby/(.*) index.php [L]
# make site links work
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php [L]
# block frontend code folder from accessing
RewriteRule ^frontend/ - [F]
</IfModule>
# pass the Authorization header to PHP
SetEnvIf Authorization "(.+)" HTTP_AUTHORIZATION=$1
# compress text file responses
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE application/json
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>
# set security headers in all responses
<IfModule mod_headers.c>
# serve files as plain text if the actual content type is not known
# (hardens against attacks from malicious file uploads)
Header set Content-Type "text/plain" "expr=-z %{CONTENT_TYPE}"
Header set X-Content-Type-Options "nosniff"
</IfModule>
Why is it null? How can I check if the user is logged in or not in my case? Is this maybe a Bug?
Thanks