Project

General

Profile

Actions
Copy link

Defect #43698

closed

ArgumentError occurs on /oauth/authorize when REST API is disabled

Added by Mizuki ISHIKAWA 2 months ago. Updated 4 days ago.

Status:
Closed
Priority:
Normal
Assignee:
Marius BĂLTEANU
Category:
REST API
Target version:
6.1.3
Resolution:
Fixed
Affected version:

Description

When the REST web service is disabled in Redmine settings, accessing the OAuth authorization endpoint causes an exception: ArgumentError (wrong number of arguments (given 1, expected 0))

Steps to reproduce:

  • Go to Administration → Settings → API
  • Uncheck Enable REST web service and save
  • Access <redmine url>/oauth/authorize
  • An exception is raised instead of returning a normal 403 response: ArgumentError (wrong number of arguments (given 1, expected 0))

Cause

The exception happens when render_403 calls render_error.
However, Doorkeeper::AuthorizationController also defines a method named render_error, and that method takes no arguments.
Due to method lookup / precedence, the Doorkeeper version of render_error is called instead of Redmine’s render_error, which leads to:

  • Redmine calls: render_error <something>
  • Doorkeeper receives 1 argument but expects 0 → ArgumentError

Notes

Normally, OAuth cannot be used when the REST web service is disabled, so this issue may not occur in typical usage.
I found this during testing and created this issue.

Related issues

Related to Redmine - Feature #24808: OAuth2 support for Redmine API Apps (OAuth2 Provider)ClosedMarius BĂLTEANUActions
Actions
Copy link
 #1

Updated by Marius BĂLTEANU 17 days ago

  • Status changed from New to Needs feedback
  • Target version set to Candidate for next minor release

Can you test with the following patch?

diff --git a/config/initializers/30-redmine.rb b/config/initializers/30-redmine.rb
index c7cb9e542..fba7d511b 100644
--- a/config/initializers/30-redmine.rb
+++ b/config/initializers/30-redmine.rb
@@ -113,6 +113,15 @@ Rails.application.config.to_prepare do

   Doorkeeper::AuthorizationsController.class_eval do
     require_sudo_mode :create, :destroy
+
+    alias_method :doorkeeper_render_error, :render_error
+    def render_error(arg = nil)
+      if arg
+        super
+      else
+        doorkeeper_render_error
+      end
+    end
   end
 end
Actions
Copy link
 #2

Updated by Mizuki ISHIKAWA 15 days ago

Marius BĂLTEANU wrote in #note-1:

Can you test with the following patch?

[...]

I checked it locally and it works as expected. Thanks!

Actions
Copy link
 #3

Updated by Marius BĂLTEANU 5 days ago

  • Related to Feature #24808: OAuth2 support for Redmine API Apps (OAuth2 Provider) added
Actions
Copy link
 #4

Updated by Marius BĂLTEANU 5 days ago

  • Status changed from Needs feedback to Confirmed
  • Assignee set to Marius BĂLTEANU
  • Target version changed from Candidate for next minor release to 6.1.3
  • Resolution set to Fixed

Patch committed, thanks!

Actions
Copy link
 #5

Updated by Marius BĂLTEANU 5 days ago

  • Status changed from Confirmed to Resolved
Actions
Copy link
 #6

Updated by Marius BĂLTEANU 4 days ago

  • Status changed from Resolved to Closed

Merged to 6.1-stable.

Actions
Copy link

Also available in: Atom PDF