Defect #51


Blank screen when unauthorized access attempt.

Added by Thomas Lecavelier about 17 years ago. Updated about 17 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Affected version:


When a user attempts to access an existing page without having the good permission, redmine show a blank screen instead
of a explanation page as for the 404 error.

It's really painful when a user had access to a project, create issue about it and then, lose its privileges upon the
project: on the "my page", it still view its issues, but get the blank screen if he try to reach them.

Reproducible: always
1) Create a project and give permission to User A
2) User A create a issue.
3) Check that User A see the issue on "my page"
4) Withdraw permission on the project for User A
5) Reconnect User A
6) User A go to its "my page" view, click on the created issue

boom blank screen.

Log show a 403 error:

Processing IssuesController#show (for at 2007-04-30 17:27:56) [GET]
Session ID: 407a22c49aec94478cf335a0d137e805
Parameters: {"action"=>"show", "id"=>"4",
Filter chain halted as [#<ActionController::Filters::ClassMethods::SymbolFilter:
0x4697554 @filter=:authorize>] returned false.
Completed in 0.20300 (4 reqs/sec) | Rendering: 0.00000 (0%) | DB: 0.15700 (77%) | 403 Forbidden [http://localhost/issues/show/4]

Actions #1

Updated by Thomas Lecavelier about 17 years ago

There's maybe a security consideration here:

If user enter an invalid reference object, he gets a clean
404 error message. If he enter a real reference object but
upon which he has no right, he gets a blank screen: this
means that the reference exist.

It should be better to convert the 404 error page in a
generic "can't reach page" error message page whithout
precision of origin, taking care of 404 and 403 HTTP error code?

Actions #2

Updated by Jean-Philippe Lang about 17 years ago

Fix committed in rev 495.
A "clean" 403 error is now displayed when trying to
access a protected page.

Even if the same 404 error message was used, there would still
be a way to know if a page exists:
- logout
- try to access the page
- if the page doesn't exist => 404
- if the page exist but is protected => redirected to login
form (before getting the error once logged in).

And I want to keep the auto-redirect to login...


Also available in: Atom PDF