Defect #26145: Don't redirect anonymous users to the login form for disabled modules - Redmine

Defect #26145

Updated by Toshi MARUYAMA almost 7 years ago

The use case is that a project enables a module (the Files module is the one we encountered) but later turns it off. If there are stray links to that URL, these generate a 403 error, which for anonymous users redirects to the login/registration page. 

 In our case, we had projects that served files publicly, then moved these to another location and turned off the Files module. The result is we now get a lot of spurious registration requests from users who are trying to download these files, because to the user it looks like the site is asking them to register before they can access the files. 

 I was able to address our immediate problem by patching ApplicationController.authorize to check whether the request is associated with a disabled project module, and redirect to the main project page in that case. I'm not sure how correct this code is (I don't know the Redmine internals all that well) and I know that this doesn't work for some modules (eg. Issues) which apparently operate through some other method. So this code is just for illustration, I guess. 

 <pre><code class="ruby"> <pre><code> 
     def authorize_with_custom(ctrl = params[:controller], action = params[:action], global = false) 
       allowed = User.current.allowed_to?({:controller => ctrl, :action => action}, @project || @projects, :global => global) 
       if allowed 
         true 
       else 
         if @project 
           logger.debug 'Handling auth error for ' + ctrl + '/' + action 

           # Figure out whether the permission for this path is handled by a module 
           project_module = Redmine::AccessControl.permissions.select {|p| p.actions.include?(ctrl + '/' + action)}.first.try(:project_module) 
           logger.debug 'Permission module is ' + project_module.to_s 

           # If it is a module, and the module isn't enabled in this project, try to redirect to the main project page 
           if project_module && !@project.module_enabled?(project_module) 
             can_view_project = User.current.allowed_to?({:controller => :projects, :action => :show}, @project) 
             logger.debug 'Can the user view the main project page? ' + can_view_project.to_s 
             if can_view_project 
               redirect_to project_path(@project) 
               return false 
             end 
           end 
         end 
         if @project && @project.archived? 
           render_403 :message => :notice_not_authorized_archived_project 
         else 
           deny_access 
         end 
       end 
     end 
 </code></pre>

Back

Project

General

Profile

Redmine

Defect #26145