Patch #14096

closed

back_url is ignored after auto login existing session.

Added by Jethro Yu almost 11 years ago. Updated about 10 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Accounts / authentication
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:

Description

When a user opens Redmine issues like "/issues/1216" from external applications, the page is directed to Redmine "/" after auto login from an existing session. The back_url is ignored in this case, so I made a change to make back_url work.

Started GET "/issues/1216" for 10.10.10.123 at Tue May 07 16:49:25 +0800 2013
Processing by IssuesController#show as */*
  Parameters: {"id"=>"1216"}
  Current user: anonymous
Redirected to http://20.20.20.20/login?back_url=http%3A%2F%2F20.20.20.20%2Fissues%2F1216
Filter chain halted as :check_if_login_required rendered or redirected
Completed 302 Found in 12ms (ActiveRecord: 0.5ms)
Started GET "/login?back_url=http%3A%2F%2F20.20.20.20%2Fissues%2F1216" for 10.10.10.123 at Tue May 07 16:49:25 +0800 2013
Processing by AccountController#login as */*
  Parameters: {"back_url"=>"http://20.20.20.20/issues/1216"}
  Current user: anonymous
  Rendered account/login.html.erb within layouts/base (5.1ms)
  Rendered plugins/progressive_projects_list/app/views/application/_progressive_sidebar.html.erb (0.2ms)
  Rendered plugins/sidebar_hide/app/views/sidebar/_hideButton_partial.html.erb (1.8ms)
Completed 200 OK in 30ms (Views: 22.5ms | ActiveRecord: 0.5ms)
Started GET "/login?back_url=http%3A%2F%2F20.20.20.20%2Fissues%2F1216" for 10.10.10.123 at Tue May 07 16:49:25 +0800 2013
Processing by AccountController#login as HTML
  Parameters: {"back_url"=>"http://20.20.20.20/issues/1216"}
  Current user: admin (id=1)
Redirected to http://20.20.20.20/
Completed 302 Found in 11ms (ActiveRecord: 0.5ms)
Started GET "/" for 10.10.10.123 at Tue May 07 16:49:25 +0800 2013
app / controllers / account_controller.rb

Files

Actions #1

Updated by Martin Corino over 10 years ago

We have encountered this problem also but have determined it only occurs when opening Redmine from embedded URLs in Microsoft Office documents.
Applications under Linux, triggering URLs from the Windows Run dialog or from an application like Acrobat Reader do not exhibit this behaviour.
Somehow the Microsoft Office apps trigger the embedded URL in a way which causes the browser to send the request without the current session information for Redmine (which at that time typically has a window opened in Redmine) which results in a redirect to AccountController#login in ApplicationController#check_if_login_required because no current User is detected.
After the redirect the browser seems to have included the session info again and the current User is detected again.

Also, we believe the fix should be to replace the code

 ...
    if User.current.logged?
      redirect_to home_url
    end
 ...

in AccountController#login by
 ...
    if User.current.logged?
      redirect_back_or_default home_url
    end
 ...
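
The change proposed above sends an already logged-in user to whatever back_url the request carried, so the helper that performs the redirect has to validate that parameter first. A sketch of such a check in plain Ruby follows; it is an added example, not code from this ticket or from Redmine, and `safe_back_url`, its parameters and the `other.example` inputs are assumptions made for illustration.

```ruby
require "uri"

# Added sketch (not Redmine's code): pick the redirect target for a login
# action that receives a back_url while the user is already authenticated.
# `request_host` and `default` come from the caller (assumed names).
LOGIN_PATHS = %r{\A/(login|account/register)(/|\z)} # never loop back to login

def safe_back_url(back_url, request_host, default)
  return default if back_url.nil? || back_url.empty?
  uri = URI.parse(back_url)
  # Only http(s) or scheme-less references; rejects javascript:, data:, etc.
  return default unless uri.scheme.nil? || %w[http https].include?(uri.scheme)
  # A host, if present, must be ours. This also covers "//other.host/path",
  # which has no scheme but still names a host.
  return default unless uri.host.nil? || uri.host.casecmp?(request_host)
  # Require an absolute path and refuse the login/register pages.
  return default unless uri.path.start_with?("/")
  return default if uri.path.match?(LOGIN_PATHS)
  back_url
rescue URI::InvalidURIError
  default
end

# Constructed inputs; the first is the decoded back_url from the log above.
if __FILE__ == $0
  [
    "http://20.20.20.20/issues/1216",
    "/issues/1216",
    "http://other.example/issues/1216",
    "//other.example/issues/1216",
    "http://20.20.20.20/login?back_url=%2F",
    "http://20.20.20.20/a b"
  ].each do |candidate|
    puts "#{candidate.inspect} -> #{safe_back_url(candidate, '20.20.20.20', '/')}"
  end
end
```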

Actions #2

Updated by Vladimir Sinenko over 10 years ago

Martin Corino's description and fix are right on the money. I hope this will be merged into the production. Thank you, Martin.

Actions #3

Updated by Jean-Philippe Lang about 10 years ago

  • Status changed from New to Closed

Fixed in r12705 (see #15926).
