Defect #9749
closed
Entering data into the 'Parent Task' field in new or updated issues causes redmine to log out the current user.
0%
Description
About your application's environment Ruby version 1.8.7 (x86_64-linux) RubyGems version 1.4.2 Rack version 1.1.2 Rails version 2.3.14 Active Record version 2.3.14 Active Resource version 2.3.14 Action Mailer version 2.3.14 Active Support version 2.3.14 Application root /home/redmine/releases/20111207004106 Environment production Database adapter postgresql Database schema version 20111201201315 About your Redmine plugins Redmine Backlogs master branch (unstable) Redmine Tags 0.0.1 Redmine Workflow Viz plugin 0.0.1
The following log output occurs when the field is populated:
Processing AutoCompletesController#issues (for x.x.x.x at 2011-12-07 17:42:31) [POST]
Parameters: {"project_id"=>"riak", "action"=>"issues", "amp"=>nil, "id"=>"6907", "q"=>"6898", "controller"=>"auto_completes"}
Filter chain halted as [:check_if_login_required] rendered_or_redirected.
Completed in 9ms (View: 1, DB: 2) | 401 Unauthorized [https://redmine.domain.com/issues/auto_complete?id=6907&project_id=riak]
As you can see, redmine performs a login check and returns "unauthorized". The user account that performed this action is a site wide administrator with full rights. The behavior did not arise until we recently updated to master (from a relatively old deployment).
I can take that request, /issues/auto_complete?id=6907&project_id=riak, log in and directly call the url and I get a 200 OK response.
The last thing of interest is the javascript console error output. I've attached a screen shot, but the only error is "ReferenceError: Can't find variable: WarnLeavingUnsaved" that comes from this call "
Event.observe(window, 'load', function(){ new WarnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
The rest are just 401 responses. I've also included a screen shot of the behavior when a user populates the parent task field.
Let me know if I can provide more information.
Files
Related issues
Updated by Jean-Philippe Lang over 12 years ago
Can you check that the AJAX request that gets a 401 is made on the same exact proto://domain as regular requests?
For your js error, it looks like you're not loading the fresh application.js (which defines WarnLeavingUnsaved).
Updated by James Kyle over 12 years ago
Jean-Philippe Lang wrote:
Can you check that the AJAX request that gets a 401 is made on the same exact proto://domain as regular requests?
My apologies if I'm misunderstanding 'pro to://domain'. But the loaded *.js files are from the same domain...all relative url paths. I also grepped through the /public/javascripts for the function in my installation and found nothing.
For your js error, it looks like you're not loading the fresh application.js (which defines WarnLeavingUnsaved).
I just checked the application.js from HEAD and the WarnLeavingUnsaved method is not defined there (checked it in the redmine repo, not my local one).
I dug up an old definition, going to play with that.
Updated by James Kyle over 12 years ago
Copying and pasting the WarnLeavingUnsaved method into my current application.js eliminated those errors.
However, the described behavior persists. So I suppose that, in this case, the missing method was a red herring. . .
The only error now left is the call to :check_if_login_required and the subsequent 401 response.
Updated by Jean-Philippe Lang over 12 years ago
James Kyle wrote:
I just checked the application.js from HEAD and the WarnLeavingUnsaved method is not defined there (checked it in the redmine repo, not my local one).
See: source:/trunk/public/javascripts/application.js@7926#L337
The only error now left is the call to :check_if_login_required and the subsequent 401 response.
No clue. It looks like your session cookie is not sent within the AJAX request.
Updated by Jean-Philippe Lang over 12 years ago
I think your session is killed because the CSRF token is not sent within your ajax POST request (any POST without the CSRF token terminates the session).
This CSRF token is added automatically to each AJAX request using javascript, and because you didn't have a fresh application.js, this may be the problem.
Please make sure you have a fresh application.js with the code that sets X-CSRF-Token header on AJAX requests.
See: source:/trunk/public/javascripts/application.js@7926#L384
Updated by James Kyle over 12 years ago
- Status changed from New to Resolved
Thanks, Jean-Philippe!
Manually copying over did the trick. I rolled back after that and found a merge gone wrong that led to the section not updating. So, file this away as a pebkac.
Updated by Mischa The Evil over 12 years ago
- Status changed from Resolved to Closed
- Resolution set to Invalid
Updated by shravan kumar about 12 years ago
- Status changed from Closed to Reopened
- Assignee set to Jean-Philippe Lang
Still i have same problem.
I tried to replace application.js file form the above 7926#L337
Still promotes for authentication.
Updated by Moritz Kobel over 11 years ago
Replacing the application.js is not enough. You have to add the csrf-token to the html header in the template:
http://www.kobelnet.ch/Blog/2012/08/03/fix_redmine_csrf_post_request_issue
Updated by Toshi MARUYAMA almost 11 years ago
- Affected version (unused) deleted (
devel)
Updated by Toshi MARUYAMA almost 11 years ago
- Status changed from Reopened to Closed
This issue is on Rails2 and obsolete.