Defect #7843

Add a relation between issues = explicit login window ! (basic authentication popup is prompted on AJAX request)

Added by Patrice Bonhomme over 6 years ago. Updated about 6 years ago.

Status: Closed
Start date: 2011-03-11
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Rails support
Target version: 1.2.0
Resolution: Fixed
Affected version:

Description

Since I upgraded my Redmine from 1.1.0 to 1.1.2.devel.5072 we have had a strange issue. While a user tries to add a link between two issues, he is asked to log in again with an explicit Internet Explorer authentication window.

Here is a log:

Processing IssueRelationsController#new (for 10.11.13.196 at 2011-03-11 16:41:56) [POST]
  Parameters: {"commit"=>"Ajouter", "action"=>"new", "authenticity_token"=>"cZEO7tAyuSxFA8qBCnGG1f5NRBrbm0nQyTLa02tfqPo=", "issue_id"=>"7733", "id"=>"7733", "controller"=>"issue_relations", "relation"=>{"delay"=>"", "issue_to_id"=>"4545", "relation_type"=>"relates"}}
  SQL (0.1ms)   SELECT max(`settings`.updated_on) AS max_updated_on FROM `settings`
  Setting Load (0.0ms)   SELECT * FROM `settings` WHERE (`settings`.`name` = 'rest_api_enabled') LIMIT 1
  AnonymousUser Columns (1.4ms)   SHOW FIELDS FROM `users`
  AnonymousUser Load (0.5ms)   SELECT * FROM `users` WHERE ( (`users`.`type` = 'AnonymousUser' ) ) LIMIT 1
  Setting Load (0.1ms)   SELECT * FROM `settings` WHERE (`settings`.`name` = 'login_required') LIMIT 1
Filter chain halted as [:check_if_login_required] rendered_or_redirected.
Completed in 7ms (View: 0, DB: 2) | 401 Unauthorized [http://support/issues/7733/relations/7733]

ajax_session_reset.patch (1.68 KB) Etienne Massip, 2011-03-14 12:48


Related issues

Related to Redmine - Feature #6887: Upgrade to Rails 2.3.11 Closed 2010-11-13
Duplicated by Redmine - Defect #7912: When adding Related Issues, Redmine asks for HTTP Authent... Closed 2011-03-17

Associated revisions

Revision 5134
Added by Jean-Philippe Lang over 6 years ago

Send the CSRF token with Ajax requests (#7843).

Contributed by Etienne Massip.

History

#1 Updated by Etienne Massip over 6 years ago

What Rails version are you using, and with what server?

#2 Updated by Patrice Bonhomme over 6 years ago

ruby 1.8.6 (2009-06-08 patchlevel 369) [i586-linux]
Rails 2.3.11
rake 0.8.7 (oops, should be 1.1.0)

#3 Updated by Patrice Bonhomme over 6 years ago

Sorry:
rack (1.1.0)
rails (2.3.11)
rake (0.8.7)

So it's OK for rake.

#4 Updated by Etienne Massip over 6 years ago

Mongrel?

#5 Updated by Patrice Bonhomme over 6 years ago

No, I am using Apache2 / Passenger 2.2.8.

I do not have the problem if I check the auto login box within the login screen.

And I did not have the problem with Redmine 1.1.0 (Apache2/Passenger 2.2.4).

#6 Updated by Etienne Massip over 6 years ago

1.1.0 with Rails 2.3.11 too?

I hit what seems to be the same problem a little time ago with Rails 2.3.11; I thought that was due to a mongrel monkey patch: http://www.redmine.org/issues/7688#note-6.

#7 Updated by Patrice Bonhomme over 6 years ago

No, I was using 1.1.0 with Rails 2.3.5.

#8 Updated by Etienne Massip over 6 years ago

  • Target version set to 1.2.0

Copied from http://www.redmine.org/issues/7688#note-6 (note 6 of #7688):

Hit a bug with AJAX which I supposed is due to this patch, but not necessarily:

After some time of use, an AJAX request like parent task auto-complete lookup or adding a new category / version directly from the issue form will perform well but the next request (e.g. new parent task lookup or issue submission) will redirect the user to the login page (with a 401 "non authorized" HTTP error code).

#9 Updated by Etienne Massip over 6 years ago

  • Subject changed from Add a relation between issues = explicit login window ! to Add a relation between issues = explicit login window ! (basic authentication popup is prompted on AJAX request)

#10 Updated by Etienne Massip over 6 years ago

  • Affected version (unused) changed from 1.1.2 to devel
  • Affected version deleted (1.1.2)

Changed affected version to devel as 1.1.2 requires Rails 2.3.5.

#11 Updated by Etienne Massip over 6 years ago

  • Category set to Rails support

#12 Updated by Etienne Massip over 6 years ago

This happens only if autologin is enabled in settings and not checked in authentication form (no autologin cookie).

This is easily reproducible with local WEBrick even though the server behavior differs a bit: instead of returning a 401, leading the browser to prompt the basic auth form, XHR returns a 200 each time and browsing out to another page will redirect the user to the web authentication form.

#13 Updated by Etienne Massip over 6 years ago

Just discovered that protect_from_forgery is active in application_controller.

From RoR 2.3.11 release news:

There are two steps to ensuring that your application sends the CSRF Token with every ajax request.
Providing the token in a meta tag, then ensuring your javascript reads those values and provides them with each request.
The first step involves you including the csrf_meta_tag helper somewhere in your application’s layout.
Rails 3 applications likely already include this helper, however it has now been backported to the 2.3.x series.

Guess it's the issue, will make some more tests.

#14 Updated by Etienne Massip over 6 years ago

Here's a patch which applies what is said there in "Upgrade process".

Works for me.
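
A runnable sketch of the mechanism behind notes 13 and 14, added here as an example and not taken from the Redmine patch or from Rails itself: it models the Rails 2.3.11 forgery check, the session reset that version performs on an unverified request (instead of raising), and the meta-tag token that the fixed application.js sends as an X-CSRF-Token header. Two things are assumptions: the filter order (the current user is loaded from the session before the forgery check runs, so the offending Ajax request itself still returns 200, as note 12 observed) and the POST verb of the Ajax call (Prototype's Ajax.Request defaults to POST).

```javascript
// Added example, not Redmine's or Rails' code: a miniature model of Rails 2.3.11
// protect_from_forgery showing why an Ajax POST that omits the CSRF token logs the
// user out on the *next* request, and how sending the token from csrf_meta_tag fixes it.
// Assumption (matching Redmine's filter order): the current user is loaded from the
// session before the forgery check runs, so the offending request itself still succeeds.

// Read the token from the layout's <meta name="csrf-token" content="..."> tag; this is
// what the browser-side Ajax hook reads before adding the X-CSRF-Token header.
function csrfTokenFromHtml(html) {
  const m = /<meta\s+name="csrf-token"\s+content="([^"]*)"\s*\/?>/i.exec(html);
  return m ? m[1] : null;
}

// Model of Rails 2.3.11 verified_request?: GET is exempt; any other verb must carry
// the session token as the authenticity_token param or the X-CSRF-Token header.
function verifiedRequest(req, session) {
  if (req.method === 'GET') return true;
  const sent = req.params.authenticity_token || req.headers['X-CSRF-Token'];
  return Boolean(sent) && sent === session.csrfToken;
}

// Model of a controller with protect_from_forgery and a login check. Since 2.3.11 an
// unverified request no longer raises InvalidAuthenticityToken: handle_unverified_request
// calls reset_session, so the user is silently turned into an anonymous visitor.
function handleRequest(req, session) {
  const currentUser = session.userId || null;          // user loaded from the session first
  if (!verifiedRequest(req, session)) {
    for (const k of Object.keys(session)) delete session[k]; // reset_session
  }
  return { status: currentUser ? 200 : 401 };          // 401 is what the XHR sees when logged out
}

// Replay the two-request sequence from the report: an Ajax POST (auto-complete lookup,
// category/version creation; POST assumed, Prototype's default) followed by the regular
// form POST that adds the relation. Returns both status codes.
// sendToken=false models the old application.js, sendToken=true the patched one.
function simulate(sendToken) {
  const session = { userId: 7, csrfToken: 'constructed-token-123' };   // constructed session
  const page = '<html><head><meta name="csrf-token" content="constructed-token-123" /></head></html>';
  const formToken = session.csrfToken;                 // hidden field rendered into the form
  const ajaxHeaders = sendToken ? { 'X-CSRF-Token': csrfTokenFromHtml(page) } : {};
  const ajax = handleRequest({ method: 'POST', params: {}, headers: ajaxHeaders }, session);
  const form = handleRequest({ method: 'POST', params: { authenticity_token: formToken }, headers: {} }, session);
  return [ajax.status, form.status];
}
```

Run under Node: `simulate(false)` returns `[200, 401]`, the "Ajax call works, next request asks for login" pattern from the report, while `simulate(true)` returns `[200, 200]`.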

#15 Updated by Brian Kinder over 6 years ago

Confirmed. Patch works great. Thanks!

#16 Updated by Jean-Philippe Lang over 6 years ago

  • Status changed from New to Closed
  • Resolution set to Fixed

Patch committed in r5134. Thanks for digging into this issue.

#17 Updated by Leonardo Vieira over 6 years ago

  • Status changed from Closed to Reopened

I was having this problem until I saw this bug report and applied the solution myself.
Using Redmine version 1.1.2 r5210; when using 1.1.1 I didn't have such a problem.
I'm using Rails version 2.3.11, and Rack version 1.1.0.
Was the patch removed in later updates for some reason?

#18 Updated by Etienne Massip over 6 years ago

1.1.1 or 1.1.2 stable do not support Rails 2.3.11.

Since this is a JavaScript issue, make sure that the latest application.js has replaced the previous one in your browser's cache.

#19 Updated by Etienne Massip over 6 years ago

  • Status changed from Reopened to Closed

No feedback, and nobody else has reported this issue since the fix was committed to trunk.

#20 Updated by Chris Wolf over 6 years ago

Etienne Massip wrote:

1.1.1 or 1.1.2 stable do not support Rails 2.3.11.

Since this is a JavaScript issue, make sure that the latest application.js has replaced the previous one in your browser's cache.

So what is "1.1.2 stable"? That phrase is not mentioned in the compatibility matrix on this page, which I used to guide my installation:

http://www.redmine.org/projects/redmine/wiki/RedmineInstall

Is "1.1.2 stable" the same as "trunk from r2887 to r4903"? Should I downgrade to Rails-2.3.5? Or should I keep Rails-2.3.11 and apply "ajax_session_reset.patch" from this issue?

#21 Updated by Oliver Maurhart about 6 years ago

We installed Redmine 1.1.2 and applied the given patch.

Now adding a related issue works again ... but deleting/removing related issues now pops up the same explicit login window.
