Magento 1.6 /admin always redirects to store after SUPEE-9767

Question

I recently patched a 1.6 site with SUPEE-9767, on our development copy I encountered no issues, but after I pushed it onto the live host I could no longer get into the admin area.

I would get the following redirects:

/admin (302) -> /index.php/admin
/index.php/admin (302) -> /

I've flushed the cache, rebuilt the indexes, and confirmed that the file perms are correct but still the same behaviour.

It feels like I'm overlooking something.

Answer 1

I've literally just spent most of my afternoon debugging this issue. The issue only occurs when https is enabled (which might explain why it doesn't occur in your dev environment).

Line 835 of PATCH_SUPEE-9767_CE_1.6.2.0_v1-2017-05-25-09-32-57.sh makes this change to _checkBaseUrl in app/code/core/Mage/Core/Controller/Varien/Front.php:

-        $baseUrl = Mage::getBaseUrl(Mage_Core_Model_Store::URL_TYPE_WEB, Mage::app()->getStore()->isCurrentlySecure());
-
+        $baseUrl = Mage::getBaseUrl(Mage_Core_Model_Store::URL_TYPE_WEB,
+            Mage::getConfig()->shouldUrlBeSecure($request->getPathInfo())
+        );

The issue is that shouldUrlBeSecure returns false because the admin frontname is not on the list of secure URLs. That causes Mage::getBaseUrl to return the unsecure base_url, and subsequent comparison with the current URL to fail (different protocol/scheme). Therefore Magento will redirect you to the base_url (i.e. the redirect to the http home page behaviour you're seeing).

I hate core hacks as a fix, but undoing the effect of that patch at line 317 of app/code/core/Mage/Core/Controller/Varien/Front.php seems to be the best option.

Cue Ben Marks...

Answer 2

Definitely not. Put it in app\code\local\Mage\Core\Controller\Varien

I just tested and it worked like that