regression fix for session/logout

Signed-off-by: Andy Miller <rhuk@mac.com>

classes/plugin/AdminBaseController.php

@@ -96,6 +96,8 @@ class AdminBaseController
 
         // Make sure that user is logged into admin.
         if (!$this->admin->authorize()) {
+            $this->respondUnauthorizedIfAjax();
+
             return false;
         }
 
@@ -236,6 +238,31 @@ class AdminBaseController
         $this->close($response);
     }
 
+    /**
+     * Return a JSON 401 response when an unauthenticated request was clearly triggered via AJAX.
+     *
+     * @return void
+     */
+    protected function respondUnauthorizedIfAjax(): void
+    {
+        $uri = $this->grav['uri'] ?? null;
+        $extension = $uri ? $uri->extension() : null;
+        $accept = $_SERVER['HTTP_ACCEPT'] ?? '';
+        $requestedWith = $_SERVER['HTTP_X_REQUESTED_WITH'] ?? '';
+
+        $acceptsJson = is_string($accept) && (stripos($accept, 'application/json') !== false || stripos($accept, 'text/json') !== false);
+        $isAjax = ($extension === 'json') || $acceptsJson || (is_string($requestedWith) && strtolower($requestedWith) === 'xmlhttprequest');
+
+        if (!$isAjax) {
+            return;
+        }
+
+        $this->sendJsonResponse([
+            'status' => 'unauthenticated',
+            'message' => Admin::translate('PLUGIN_ADMIN.SESSION_EXPIRED_DESC')
+        ], 401);
+    }
+
     /**
      * @param ResponseInterface $response
      * @return never-return