Patch #29885

Fix 403 error while adding new watchers when selected issues in context_menu from different projects

Added by Andrey Lobanov (RedSoft) 3 months ago. Updated 19 days ago.

Status: New
Priority: Normal
Assignee: -
Category: Issues
Target version: Candidate for next minor release
Start date:
Due date:
% Done: 0%

Description

Tested the issue on trunk.
Steps to reproduce:
1) Select 2 or more issues from different projects
2) Open the context menu
3) Select Watchers->New
4) Type some user name
5) In dev tools you will see a 403 error.

fix_403_cm_new_watchers.patch (2.21 KB) Andrey Lobanov (RedSoft), 2018-10-31 10:47

fix_403_cm_new_watchers_v2.patch (3.25 KB) Mizuki ISHIKAWA, 2018-12-21 06:22

History

#1 Updated by Andrey Lobanov (RedSoft) about 1 month ago

Can anyone review this patch?

#2 Updated by Marius BALTEANU about 1 month ago

Andrey Lobanov (RedSoft) wrote:

Can anyone review this patch?

Could you add a test to the patch?

#3 Updated by Go MAEDA about 1 month ago

Confirmed the problem.

#4 Updated by Marius BALTEANU about 1 month ago

I'm not able to reproduce the problem in order to review the patch.

I tried from the global issues page and each request made from the contextual menu to add watchers to issues from different projects returned 200. Can someone add more detailed steps to reproduce the problem (maybe I do not understand something well)? Or a test that fails on the current trunk?

#5 Updated by Mizuki ISHIKAWA 28 days ago

Marius BALTEANU wrote:

I'm not able to reproduce the problem in order to review the patch.

I tried from the global issues page and each request made from the contextual menu to add watchers to issues from different projects returned 200. Can someone add more detailed steps to reproduce the problem (maybe I do not understand something well)? Or a test that fails on the current trunk?

In order to reproduce this problem I needed to input a search keyword in "Search for user".
When entering the search keyword, the request parameters are Parameters: {"object_type"=>"issue", "q"=>""}.

<!--  app/views/watchers/_new.html.erb -->
  <%= javascript_tag "observeSearchfield('user_search', 'users_for_watcher', '#{ escape_javascript url_for(:controller => 'watchers',
                 :action => 'autocomplete_for_user',
                 :object_type => (watchables.present? ? watchables.first.class.name.underscore : nil),
                 :object_id => (watchables.present? && watchables.size == 1 ? watchables.first.id : nil),
                 :project_id => @project) }')" %>

If there are multiple watchables and multiple watchable projects, both object_id and project_id will be nil.
Those parameters are required for WatchersController#find_project to work.
Because WatchersController#find_project does not work, ApplicationController#authorize returns an exception "Filter chain halted as: authorize rendered or redirected".

I have made several changes by reading the patch written by Andrey Lobanov (RedSoft).
I appreciate that you shared the patch.

Changes:
  • Add tests
  • Make multiple watchable values of object_id instead of project_ids
  • Change the conditions of users_for_new_watcher to maintain the specification of #5159

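To make the failure mode described in note #5 concrete, here is an added example that is neither Redmine's own code nor the attached patch: a simplified Ruby model of how the autocomplete request's project scope is derived from the parameters and then authorized, using constructed issue and permission data (the functions projects_for and authorize, and all fixture values, are assumptions for illustration).

```ruby
# Added illustration, not Redmine code: a minimal model of scope
# resolution and authorization for the watcher autocomplete request.
require 'set'

# Constructed fixtures: each issue belongs to a project, and each user
# is allowed to add watchers only in certain projects.
ISSUES = { 1 => 'alpha', 2 => 'beta', 3 => 'alpha' }.freeze
PERMISSIONS = {
  'alice' => Set['alpha', 'beta'],
  'bob'   => Set['alpha']
}.freeze

# Resolve the projects a request concerns. object_id may be a single id,
# an array of ids (the multi-issue case), or nil; project_id is a fallback.
# Returns [] when no project can be determined or an id is unknown.
def projects_for(params)
  ids = Array(params[:object_id]).compact
  unless ids.empty?
    projects = ids.map { |id| ISSUES[id] }
    return projects.include?(nil) ? [] : projects.uniq
  end
  params[:project_id] ? [params[:project_id]] : []
end

# The authorize filter: an empty scope is refused (fail closed, like the
# 403 in the report), and every project involved must be permitted.
def authorize(user, params)
  projects = projects_for(params)
  return 403 if projects.empty?
  allowed = PERMISSIONS.fetch(user, Set[])
  projects.all? { |p| allowed.include?(p) } ? 200 : 403
end

# Old view for two issues in different projects: both parameters nil.
authorize('alice', object_type: 'issue', object_id: nil, project_id: nil) # => 403
# Passing every watchable id instead restores a scope to authorize against.
authorize('alice', object_type: 'issue', object_id: [1, 2])               # => 200
authorize('bob',   object_type: 'issue', object_id: [1, 2])               # => 403
```
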
#6 Updated by Go MAEDA 19 days ago

  • Target version set to Candidate for next minor release
