fix composite auth ignore only/except filters of auth methods (#19418)

* fix compositeAuth ignore only/except filters of child auth methods

* fix

* add tests for wrong token

* fix

* update changelog

* Update CHANGELOG.md

Co-authored-by: Bizley <pawel@positive.codes>

framework/CHANGELOG.md

@@ -29,6 +29,7 @@ Yii Framework 2 Change Log
 - Bug #19368: Fix PHP 8.1 error when `$fileMimeType` is `null` in `yii\validators\FileValidator::validateMimeType()` (bizley)
 - Enh #19384: Normalize `setBodyParams()` and `getBodyParam()` in `yii\web\Request` (WinterSilence, albertborsos)
 - Bug #19386: Fix recursive calling `yii\helpers\BaseArrayHelper::htmlDecode()` (WinterSilence)
+- Bug #19418: Fix `yii\filters\auth\CompositeAuth` ignoring `only` and `except` options (lesha724)
 - Enh #19401: Delay `exit(1)` in `yii\base\ErrorHandler::handleFatalError` (arrilot)
 - Bug #19402: Add shutdown event and fix working directory in `yii\base\ErrorHandler` (WinterSilence)
 - Enh #19416: Update and improve configurations for `yii\console\controllers\MessageController` (WinterSilence)

framework/filters/auth/CompositeAuth.php

@@ -70,9 +70,11 @@ class CompositeAuth extends AuthMethod
                 }
             }
 
-            $identity = $auth->authenticate($user, $request, $response);
-            if ($identity !== null) {
-                return $identity;
+            if (isset($this->owner->action) && $auth->isActive($this->owner->action)) {
+                $identity = $auth->authenticate($user, $request, $response);
+                if ($identity !== null) {
+                    return $identity;
+                }
             }
         }