renderData() not firing inside preHandler()

When building a REST API with ColdBox 5.x some years ago, I followed this preHandler() example in the docs:

function preHandler( event, action, eventArguments ){
  var authDetails = event.getHTTPBasicCredentials();
  if( !securityService.authenticate( authDetails.username, authDetails.password ) ) {
      event.renderData( type="JSON", data={ message = 'Please check your credentials' }, statusCode=401, statusMessage="You're not authorized to do that");

Recently I started playing with that code running ColdBox 6.6. To my surprise, I discovered that renderData() seems not to fire now when triggered inside preHandler().

The sample code is noticing unauthenticated requests, but allows them to proceed to index().

Calling noRender() instead is working, but of course I would prefer to return some meaningful info to the user by running renderData().

There’s an older thread here which describes the same issue, but since no Ortus team members chimed in, it would be great to learn if this is expected behavior now (which might call for updating the documentation) or a bug.

So, this could be a bug… but there’s a lot more to investigate here IMO.

The most obvious question is: Is your renderData() being overwritten by the future handler? This is the most likely, I think.

Of course it does. Nowhere do the docs say that renderData() stops the current request or event path. You are looking for overrideEvent() instead:

From the docs:

    if( !security.isLoggedIn() ){
        event.overrideEvent( 'security.login' ); "Unauthorized accessed detected!", getHTTPRequestData() );

Here are a few options for altering the default event execution:

  • Use event.overrideEvent('myHandler.myAction') to execute a different event than the default.
  • Use event.noExecution() to halt execution of the current event

See the RequestContext documentation for more details.

In my opinion, this is a really poor example from the docs. Perhaps it made sense in the Basic Auth context it was placed in. At any rate, I’ve updated the docs for ColdBox 7+:

That all makes sense of course.
Thanks for taking the time to clarify, @MichaelBorn :slightly_smiling_face:

1 Like

Happy to be of service!