Defect #9749

Entering data into the 'Parent Task' field in new or updated issues causes redmine to log out the current user.

Added by James Kyle over 8 years ago. Updated about 7 years ago.

Status: Closed
Priority: Normal
Assignee: Jean-Philippe Lang
Category: Issues
Target version: -
Resolution: Invalid
Start date:
Due date:
% Done: 0%
Affected version:

Description

About your application's environment
Ruby version              1.8.7 (x86_64-linux)
RubyGems version          1.4.2
Rack version              1.1.2
Rails version             2.3.14
Active Record version     2.3.14
Active Resource version   2.3.14
Action Mailer version     2.3.14
Active Support version    2.3.14
Application root          /home/redmine/releases/20111207004106
Environment               production
Database adapter          postgresql
Database schema version   20111201201315

About your Redmine plugins
Redmine Backlogs              master branch (unstable)
Redmine Tags                  0.0.1
Redmine Workflow Viz plugin   0.0.1

The following log output occurs when the field is populated:

Processing AutoCompletesController#issues (for x.x.x.x at 2011-12-07 17:42:31) [POST]
  Parameters: {"project_id"=>"riak", "action"=>"issues", "amp"=>nil, "id"=>"6907", "q"=>"6898", "controller"=>"auto_completes"}
Filter chain halted as [:check_if_login_required] rendered_or_redirected.
Completed in 9ms (View: 1, DB: 2) | 401 Unauthorized [https://redmine.domain.com/issues/auto_complete?id=6907&project_id=riak]

As you can see, redmine performs a login check and returns "unauthorized". The user account that performed this action is a site wide administrator with full rights. The behavior did not arise until we recently updated to master (from a relatively old deployment).

I can take that request, /issues/auto_complete?id=6907&project_id=riak, log in and directly call the url and I get a 200 OK response.

The last thing of interest is the javascript console error output. I've attached a screen shot, but the only error is "ReferenceError: Can't find variable: WarnLeavingUnsaved" that comes from this call:

Event.observe(window, 'load', function(){ new WarnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });

The rest are just 401 responses. I've also included a screen shot of the behavior when a user populates the parent task field.

Let me know if I can provide more information.

Screen Shot 2011-12-07 at 9.41.05 AM.png - HTTP Auth Drop down on Parent Task Entry (71.5 KB) James Kyle, 2011-12-07 18:59

Screen Shot 2011-12-07 at 9.55.04 AM.png - javascript error (34.9 KB) James Kyle, 2011-12-07 18:59


Related issues

Related to Redmine - Defect #9752: "Subtasks autocompletion" feature breaks "Add related iss... Closed

History

#1 Updated by Jean-Philippe Lang over 8 years ago

Can you check that the AJAX request that gets a 401 is made on the same exact proto://domain as regular requests?

For your js error, it looks like you're not loading the fresh application.js (which defines WarnLeavingUnsaved).

#2 Updated by James Kyle over 8 years ago

Jean-Philippe Lang wrote:

Can you check that the AJAX request that gets a 401 is made on the same exact proto://domain as regular requests?

My apologies if I'm misunderstanding 'proto://domain'. But the loaded *.js files are from the same domain... all relative url paths. I also grepped through the /public/javascripts for the function in my installation and found nothing.

For your js error, it looks like you're not loading the fresh application.js (which defines WarnLeavingUnsaved).

I just checked the application.js from HEAD and the WarnLeavingUnsaved method is not defined there (checked it in the redmine repo, not my local one).

I dug up an old definition, going to play with that.

#3 Updated by James Kyle over 8 years ago

Copying and pasting the WarnLeavingUnsaved method into my current application.js eliminated those errors.

However, the described behavior persists. So I suppose that, in this case, the missing method was a red herring. . .

The only error now left is the call to :check_if_login_required and the subsequent 401 response.

#4 Updated by Jean-Philippe Lang over 8 years ago

James Kyle wrote:

I just checked the application.js from HEAD and the WarnLeavingUnsaved method is not defined there (checked it in the redmine repo, not my local one).

See: source:/trunk/public/javascripts/application.js@7926#L337

The only error now left is the call to :check_if_login_required and the subsequent 401 response.

No clue. It looks like your session cookie is not sent within the AJAX request.

#5 Updated by Jean-Philippe Lang over 8 years ago

I think your session is killed because the CSRF token is not sent within your ajax POST request (any POST without the CSRF token terminates the session).

This CSRF token is added automatically to each AJAX request using javascript, and because you didn't have a fresh application.js, this may be the problem.

Please make sure you have a fresh application.js with the code that sets X-CSRF-Token header on AJAX requests.
See: source:/trunk/public/javascripts/application.js@7926#L384

#6 Updated by James Kyle over 8 years ago

  • Status changed from New to Resolved

Thanks, Jean-Philippe!

Manually copying over did the trick. I rolled back after that and found a merge gone wrong that led to the section not updating. So, file this away as a pebkac.

#7 Updated by Mischa The Evil over 8 years ago

  • Status changed from Resolved to Closed
  • Resolution set to Invalid

#8 Updated by shravan kumar about 8 years ago

  • Status changed from Closed to Reopened
  • Assignee set to Jean-Philippe Lang

Still I have the same problem.

I tried to replace the application.js file from the above 7926#L337.

Still prompts for authentication.

#9 Updated by Moritz Kobel almost 8 years ago

Replacing the application.js is not enough. You have to add the csrf-token to the html header in the template:

http://www.kobelnet.ch/Blog/2012/08/03/fix_redmine_csrf_post_request_issue
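To make the mechanism described in #5 and #9 concrete, here is an added JavaScript example (not Redmine's or Rails' own code) that reads the csrf-token meta tag from a page head, attaches it as the X-CSRF-Token header on a non-GET AJAX request, and runs a simplified server-side check modelled on Rails' protect_from_forgery behaviour of resetting the session. The sample head, token value and session object are constructed for the example.

```javascript
// Added example: how the CSRF token travels from the layout's <head> into an
// AJAX POST, and why a POST that lacks it loses the session (the 401 seen above).

// Constructed sample of the <head> a Rails layout emits (names as in Rails' csrf_meta_tag).
const SAMPLE_HEAD = `<head>
  <meta name="csrf-param" content="authenticity_token" />
  <meta name="csrf-token" content="EXAMPLE_TOKEN_abc123==" />
</head>`;

// Read the token the way a browser-side helper would; a regex stands in for
// document.querySelector so the example also runs outside a browser.
function readCsrfToken(html) {
  const m = html.match(/<meta\s+name="csrf-token"\s+content="([^"]*)"/);
  return m ? m[1] : null;
}

// Headers an AJAX helper should attach. GET/HEAD are exempt from forgery
// protection, so the token is only added to state-changing methods.
function buildAjaxHeaders(html, method) {
  const headers = { 'X-Requested-With': 'XMLHttpRequest' };
  if (method !== 'GET' && method !== 'HEAD') {
    const token = readCsrfToken(html);
    if (token) headers['X-CSRF-Token'] = token;
  }
  return headers;
}

// Simplified server-side check (hypothetical, modelled on Rails 2.3
// protect_from_forgery): a non-GET request must present the session's token
// either as the authenticity_token param or the X-CSRF-Token header.
// On mismatch the session is reset, so the next login-required filter
// sees an anonymous user and answers 401.
function verifyRequest(session, req) {
  if (req.method === 'GET' || req.method === 'HEAD') return { ok: true, session };
  const presented = req.params.authenticity_token || req.headers['X-CSRF-Token'];
  // A production check should use a constant-time comparison here.
  if (presented && presented === session.csrfToken) return { ok: true, session };
  return { ok: false, session: {} }; // session cleared: user is now logged out
}

// Stand-alone demonstration of both outcomes.
const demoSession = { userId: 1, csrfToken: readCsrfToken(SAMPLE_HEAD) };
const withToken = verifyRequest(demoSession,
  { method: 'POST', params: {}, headers: buildAjaxHeaders(SAMPLE_HEAD, 'POST') });
const withoutToken = verifyRequest(demoSession,
  { method: 'POST', params: {}, headers: { 'X-Requested-With': 'XMLHttpRequest' } });
console.log('with token:', withToken.ok, '| without token:', withoutToken.ok);
```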

#10 Updated by Toshi MARUYAMA about 7 years ago

  • Affected version (unused) deleted (devel)

#11 Updated by Toshi MARUYAMA about 7 years ago

  • Status changed from Reopened to Closed

This issue is on Rails2 and obsolete.
