Patch #14096

back_url is ignored after auto login existing session.

Added by Jethro Yu over 4 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Accounts / authentication
Target version: -
Start date:
Due date:
% Done: 0%

Description

When a user opens Redmine issues like "/issues/1216" from external applications, the page is redirected to Redmine "/" after auto login from an existing session. The back_url is ignored in this case, so I made a change to make back_url work.

Started GET "/issues/1216" for 10.10.10.123 at Tue May 07 16:49:25 +0800 2013
Processing by IssuesController#show as */*
  Parameters: {"id"=>"1216"}
  Current user: anonymous
Redirected to http://20.20.20.20/login?back_url=http%3A%2F%2F20.20.20.20%2Fissues%2F1216
Filter chain halted as :check_if_login_required rendered or redirected
Completed 302 Found in 12ms (ActiveRecord: 0.5ms)
Started GET "/login?back_url=http%3A%2F%2F20.20.20.20%2Fissues%2F1216" for 10.10.10.123 at Tue May 07 16:49:25 +0800 2013
Processing by AccountController#login as */*
  Parameters: {"back_url"=>"http://20.20.20.20/issues/1216"}
  Current user: anonymous
  Rendered account/login.html.erb within layouts/base (5.1ms)
  Rendered plugins/progressive_projects_list/app/views/application/_progressive_sidebar.html.erb (0.2ms)
  Rendered plugins/sidebar_hide/app/views/sidebar/_hideButton_partial.html.erb (1.8ms)
Completed 200 OK in 30ms (Views: 22.5ms | ActiveRecord: 0.5ms)
Started GET "/login?back_url=http%3A%2F%2F20.20.20.20%2Fissues%2F1216" for 10.10.10.123 at Tue May 07 16:49:25 +0800 2013
Processing by AccountController#login as HTML
  Parameters: {"back_url"=>"http://20.20.20.20/issues/1216"}
  Current user: admin (id=1)
Redirected to http://20.20.20.20/
Completed 302 Found in 11ms (ActiveRecord: 0.5ms)
Started GET "/" for 10.10.10.123 at Tue May 07 16:49:25 +0800 2013
app / controllers / account_controller.rb

Redirected_to_back_url_after_auto_login.diff (429 Bytes) Jethro Yu, 2013-05-20 08:49

History

#1 Updated by Martin Corino about 4 years ago

We have encountered this problem also, but have determined it only occurs when opening Redmine from embedded URLs in Microsoft Office documents.
Applications under Linux, triggering URLs from the Windows Run dialog, or from an application like Acrobat Reader do not exhibit this behaviour.
Somehow the Microsoft Office apps trigger the embedded URL in a way which causes the browser to send the request without the current session information for Redmine (which at that time typically has a window opened in Redmine) which results in a redirect to AccountController#login in ApplicationController#check_if_login_required because no current User is detected.
After the redirect the browser seems to have included the session info again and the current User is detected again.

Also, we believe the fix should be to replace the code

 ...
    if User.current.logged?
      redirect_to home_url
    end
 ...

in AccountController#login by
 ...
    if User.current.logged?
      redirect_back_or_default home_url
    end
 ...
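
As an added illustration of the two behaviours discussed in this thread (not code from Redmine or from the attached patch), here is a stand-alone Ruby model of the login action before and after replacing redirect_to home_url with redirect_back_or_default, driven by the back_url from the log above. REDMINE_HOST, safe_back_url? and the two login_* methods are assumed names, and the host check is an assumed policy standing in for the validation Redmine's real redirect_back_or_default performs, since honouring an unvalidated back_url would turn the login action into an open redirect.

```ruby
require 'uri'

# Constructed to match the log above; a "redirect" is modelled as [:redirect, url].
REDMINE_HOST = '20.20.20.20'
HOME_URL     = "http://#{REDMINE_HOST}/"

# Assumed open-redirect guard: accept only absolute http(s) URLs on this host
# or single-slash relative paths ("/issues/1216"); reject "//host", "user@host",
# foreign hosts, non-web schemes and unparsable input.
def safe_back_url?(back_url)
  return false if back_url.nil? || back_url.strip.empty?
  uri = URI.parse(back_url)
  if uri.host.nil? || uri.host.empty?
    uri.scheme.nil? && back_url.start_with?('/') && !back_url.start_with?('//')
  else
    %w[http https].include?(uri.scheme) && uri.host == REDMINE_HOST
  end
rescue URI::InvalidURIError
  false
end

# Before the patch: an already-authenticated user is always sent home, so the
# back_url carried through the redirect chain in the log is dropped.
def login_before_patch(params, user_logged_in)
  return [:redirect, HOME_URL] if user_logged_in
  [:render, 'account/login']
end

# After the patch (the replacement suggested above): keep a validated back_url,
# otherwise fall back to the default.
def redirect_back_or_default(back_url, default)
  [:redirect, safe_back_url?(back_url) ? back_url : default]
end

def login_after_patch(params, user_logged_in)
  return redirect_back_or_default(params['back_url'], HOME_URL) if user_logged_in
  [:render, 'account/login']
end

if __FILE__ == $PROGRAM_NAME
  params = { 'back_url' => 'http://20.20.20.20/issues/1216' }       # from the log
  p login_before_patch(params, true)  # [:redirect, "http://20.20.20.20/"]
  p login_after_patch(params, true)   # [:redirect, "http://20.20.20.20/issues/1216"]
  p login_after_patch({ 'back_url' => 'http://evil.example/' }, true)  # falls back to home
end
```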

#2 Updated by Vladimir Sinenko about 4 years ago

Martin Corino's description and fix are right on the money. I hope this will be merged into production. Thank you, Martin.

#3 Updated by Jean-Philippe Lang almost 4 years ago

  • Status changed from New to Closed

Fixed in r12705 (see #15926).
