Fix NoMethodError on HEAD requests to AccountController#register
|Assignee:||Jean-Philippe Lang||% Done:|
|Category:||Accounts / authentication|
The attached patch fixes a NoMethodError when attempting to run a HEAD request against AccountController#register.
The cause of the bug is that HEAD requests did not trigger the check for
#1 Updated by Go MAEDA about 1 month ago
- Target version set to 3.2.7
I cannot reproduce the problem but I think that merging this fix is very reasonable because lines after source:tags/3.3.3/app/controllers/account_controller.rb@16536#L130 should be executed only when request is POST.
$ curl -v --head http://localhost:3000/account/register * Trying ::1... * TCP_NODELAY set * Connected to localhost (::1) port 3000 (#0) > HEAD /account/register HTTP/1.1 > Host: localhost:3000 > User-Agent: curl/7.51.0 > Accept: */* > < HTTP/1.1 200 OK HTTP/1.1 200 OK
#2 Updated by Holger Just about 1 month ago
Hmmm, we had indeed only seen the error on Redmine 3.3, more specifically in http://www.redmine.org/projects/redmine/repository/revisions/16536/entry/tags/3.3.3/app/controllers/account_controller.rb#L148.
In current trunk, this code is now a bit different so that the exception doesn't occur anymore. However, it would still be desirable to not perform the registration from a HEAD request, as Go Maeda wrote above.
Now that I had a look around, the same issue is present in
AccountController#login. There, it's again not an exception on HEAD but Redmine still attempts a login from the supplied URL parameters which is not desirable.
#3 Updated by Holger Just about 1 month ago
The attached patch also fixed the additional issue described in #25653#note-2