Defect #26145

Don't redirect anonymous users to the login form for disabled modules

Added by Adam Clark 4 months ago. Updated 22 days ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:Jean-Philippe Lang% Done:

0%

Category:Permissions and roles
Target version:4.0.0
Resolution:Fixed Affected version:2.5.2

Description

The use case is that a project enables a module (the Files module is the one we encountered) but later turns it off. If there are stray links to that URL, these generate a 403 error, which for anonymous users redirects to the login/registration page.

In our case, we had projects that served files publicly, then moved these to another location and turned off the Files module. The result is we now get a lot of spurious registration requests from users who are trying to download these files, because to the user it looks like the site is asking them to register before they can access the files.

I was able to address our immediate problem by patching ApplicationController.authorize to check whether the request is associated with a disabled project module, and redirect to the main project page in that case. I'm not sure how correct this code is (I don't know the Redmine internals all that well) and I know that this doesn't work for some modules (eg. Issues) which apparently operate through some other method. So this code is just for illustration, I guess.

    def authorize_with_custom(ctrl = params[:controller], action = params[:action], global = false)
      allowed = User.current.allowed_to?({:controller => ctrl, :action => action}, @project || @projects, :global => global)
      if allowed
        true
      else
        if @project
          logger.debug 'Handling auth error for ' + ctrl + '/' + action

          # Figure out whether the permission for this path is handled by a module
          project_module = Redmine::AccessControl.permissions.select {|p| p.actions.include?(ctrl + '/' + action)}.first.try(:project_module)
          logger.debug 'Permission module is ' + project_module.to_s

          # If it is a module, and the module isn't enabled in this project, try to redirect to the main project page
          if project_module && !@project.module_enabled?(project_module)
            can_view_project = User.current.allowed_to?({:controller => :projects, :action => :show}, @project)
            logger.debug 'Can the user view the main project page? ' + can_view_project.to_s
            if can_view_project
              redirect_to project_path(@project)
              return false
            end
          end
        end
        if @project && @project.archived?
          render_403 :message => :notice_not_authorized_archived_project
        else
          deny_access
        end
      end
    end

Associated revisions

Revision 16726
Added by Jean-Philippe Lang 4 months ago

Don't redirect anonymous users to the login form when module is disabled (#26145).

History

#1 Updated by Jean-Philippe Lang 4 months ago

  • Subject changed from Accessing URL for a disabled module generates a 403 error to Don't redirect anonymous users to the login form for disabled modules
  • Category changed from Files to Permissions and roles
  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang
  • Target version set to 4.1.0
  • Resolution set to Fixed

Fixed in r16726, they now get a 403 error without being redirected to the login form.

#2 Updated by Jean-Philippe Lang 4 months ago

  • Target version changed from 4.1.0 to 4.0.0

#3 Updated by Toshi MARUYAMA 3 months ago

  • Description updated (diff)

Also available in: Atom PDF