Defect #9749

closed

Entering data into the 'Parent Task' field in new or updated issues causes redmine to log out the current user.

Added by James Kyle about 13 years ago. Updated over 11 years ago.

Status: Closed
Priority: Normal
Category: Issues
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Invalid
Affected version:

Description

About your application's environment
Ruby version              1.8.7 (x86_64-linux)
RubyGems version          1.4.2
Rack version              1.1.2
Rails version             2.3.14
Active Record version     2.3.14
Active Resource version   2.3.14
Action Mailer version     2.3.14
Active Support version    2.3.14
Application root          /home/redmine/releases/20111207004106
Environment               production
Database adapter          postgresql
Database schema version   20111201201315

About your Redmine plugins
Redmine Backlogs              master branch (unstable)
Redmine Tags                  0.0.1
Redmine Workflow Viz plugin   0.0.1

The following log output occurs when the field is populated:

Processing AutoCompletesController#issues (for x.x.x.x at 2011-12-07 17:42:31) [POST]
  Parameters: {"project_id"=>"riak", "action"=>"issues", "amp"=>nil, "id"=>"6907", "q"=>"6898", "controller"=>"auto_completes"}
Filter chain halted as [:check_if_login_required] rendered_or_redirected.
Completed in 9ms (View: 1, DB: 2) | 401 Unauthorized [https://redmine.domain.com/issues/auto_complete?id=6907&project_id=riak]

As you can see, Redmine performs a login check and returns "unauthorized". The user account that performed this action is a site-wide administrator with full rights. The behavior did not arise until we recently updated to master (from a relatively old deployment).

I can take that request, /issues/auto_complete?id=6907&project_id=riak, log in and directly call the url and I get a 200 OK response.

The last thing of interest is the JavaScript console error output. I've attached a screen shot, but the only error is "ReferenceError: Can't find variable: WarnLeavingUnsaved", which comes from this call:

Event.observe(window, 'load', function(){ new WarnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });

The rest are just 401 responses. I've also included a screen shot of the behavior when a user populates the parent task field.

Let me know if I can provide more information.


Files

Screen Shot 2011-12-07 at 9.41.05 AM.png (71.5 KB): HTTP Auth Drop down on Parent Task Entry (James Kyle, 2011-12-07 18:59)
Screen Shot 2011-12-07 at 9.55.04 AM.png (34.9 KB): javascript error (James Kyle, 2011-12-07 18:59)

Related issues

Related to Redmine - Defect #9752: "Subtasks autocompletion" feature breaks "Add related issue" scenario (Closed)

Actions #1

Updated by Jean-Philippe Lang about 13 years ago

Can you check that the AJAX request that gets a 401 is made on the same exact proto://domain as regular requests?

For your js error, it looks like you're not loading the fresh application.js (which defines WarnLeavingUnsaved).

Actions #2

Updated by James Kyle about 13 years ago

Jean-Philippe Lang wrote:

> Can you check that the AJAX request that gets a 401 is made on the same exact proto://domain as regular requests?

My apologies if I'm misunderstanding 'proto://domain'. But the loaded *.js files are from the same domain...all relative URL paths. I also grepped through the /public/javascripts for the function in my installation and found nothing.

> For your js error, it looks like you're not loading the fresh application.js (which defines WarnLeavingUnsaved).

I just checked the application.js from HEAD and the WarnLeavingUnsaved method is not defined there (checked it in the redmine repo, not my local one).

I dug up an old definition, going to play with that.

Actions #3

Updated by James Kyle about 13 years ago

Copying and pasting the WarnLeavingUnsaved method into my current application.js eliminated those errors.

However, the described behavior persists. So I suppose that, in this case, the missing method was a red herring. . .

The only error now left is the call to :check_if_login_required and the subsequent 401 response.

Actions #4

Updated by Jean-Philippe Lang about 13 years ago

James Kyle wrote:

> I just checked the application.js from HEAD and the WarnLeavingUnsaved method is not defined there (checked it in the redmine repo, not my local one).

See: source:/trunk/public/javascripts/application.js@7926#L337

> The only error now left is the call to :check_if_login_required and the subsequent 401 response.

No clue. It looks like your session cookie is not sent within the AJAX request.

Actions #5

Updated by Jean-Philippe Lang about 13 years ago

I think your session is killed because the CSRF token is not sent within your ajax POST request (any POST without the CSRF token terminates the session).

This CSRF token is added automatically to each AJAX request using javascript, and because you didn't have a fresh application.js, this may be the problem.

Please make sure you have a fresh application.js with the code that sets X-CSRF-Token header on AJAX requests.
See: source:/trunk/public/javascripts/application.js@7926#L384

Actions #6

Updated by James Kyle about 13 years ago

  • Status changed from New to Resolved

Thanks, Jean-Philippe!

Manually copying over did the trick. I rolled back after that and found a merge gone wrong that led to the section not updating. So, file this away as a pebkac.

Actions #7

Updated by Mischa The Evil about 13 years ago

  • Status changed from Resolved to Closed
  • Resolution set to Invalid

Actions #8

Updated by shravan kumar almost 13 years ago

  • Status changed from Closed to Reopened
  • Assignee set to Jean-Philippe Lang

I still have the same problem.

I tried to replace the application.js file from the above 7926#L337.

It still prompts for authentication.

Actions #9

Updated by Moritz Kobel over 12 years ago

Replacing the application.js is not enough. You have to add the csrf-token to the html header in the template:

http://www.kobelnet.ch/Blog/2012/08/03/fix_redmine_csrf_post_request_issue
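
The failure described in comments #5 and #9, as a minimal model added here for illustration (not Redmine or Rails code, and not part of the original thread): an unsafe request without a valid `X-CSRF-Token` resets the session, after which the login check answers 401. The `csrf-token` meta tag name, the in-memory session store and all function names are assumptions of this sketch; the token and cookie values are constructed.

```javascript
// Added illustration: a minimal model, not Redmine or Rails source code.
// Assumption: the layout exposes the token as <meta name="csrf-token" content="...">.

// Client side: what the AJAX hook in application.js has to do.
function csrfTokenFromPage(html) {
  const m = /<meta\s+name="csrf-token"\s+content="([^"]*)"/i.exec(html);
  return m ? m[1] : null;
}

function buildAjaxRequest(html, method, path, cookie, hookInstalled) {
  const headers = { Cookie: cookie };
  const token = csrfTokenFromPage(html);
  // A stale application.js has no hook; a layout without the meta tag has no token.
  if (hookInstalled && token !== null) headers['X-CSRF-Token'] = token;
  return { method, path, headers };
}

// Server side: sessions keyed by cookie value (constructed sample data).
function handleRequest(sessions, req) {
  const sid = req.headers.Cookie;
  let session = sessions[sid] || {};
  const unsafe = !['GET', 'HEAD'].includes(req.method);
  const sent = req.headers['X-CSRF-Token'];
  if (unsafe && (!sent || sent !== session.csrfToken)) {
    // Failed verification: the session is reset, so the login is gone.
    session = sessions[sid] = {};
  }
  // Login check (the role check_if_login_required plays in the log above).
  return session.userId ? 200 : 401;
}

function demo() {
  const token = 'constructed-token-123';
  const layoutWithMeta = `<head><meta name="csrf-token" content="${token}"/></head>`;
  const layoutWithoutMeta = '<head><title>Issue</title></head>';
  const path = '/issues/auto_complete?id=6907&project_id=riak';
  const run = (html, method, hook) => {
    const sessions = { s1: { userId: 1, csrfToken: token } }; // fresh login per run
    const first = handleRequest(sessions, buildAjaxRequest(html, method, path, 's1', hook));
    const followUp = handleRequest(sessions, { method: 'GET', path: '/', headers: { Cookie: 's1' } });
    return [first, followUp];
  };
  return {
    freshJsAndMeta: run(layoutWithMeta, 'POST', true),    // header sent, session kept
    staleJs: run(layoutWithMeta, 'POST', false),          // comment #5: no hook
    missingMeta: run(layoutWithoutMeta, 'POST', true),    // comment #9: no meta tag
    directGet: run(layoutWithMeta, 'GET', false),         // calling the URL directly
  };
}
```

Each entry of `demo()` is the status of the autocomplete request followed by the status of the next page load on the same cookie, which shows why the user appears logged out after the 401.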

Actions #10

Updated by Toshi MARUYAMA over 11 years ago

  • Affected version (unused) deleted (devel)

Actions #11

Updated by Toshi MARUYAMA over 11 years ago

  • Status changed from Reopened to Closed

This issue is on Rails2 and obsolete.
