Project

General

Profile

Actions

Patch #14096

closed

back_url is ignored after auto login existing session.

Added by Jethro Yu over 11 years ago. Updated almost 11 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Accounts / authentication
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:

Description

When user open redmine issues like "/issues/1216" from external applications, the page is directed to redmine "/" after auto login from existed session. The back_url is ignored in this case, so i made a change to make back_url works.

Started GET "/issues/1216" for 10.10.10.123 at Tue May 07 16:49:25 +0800 2013
Processing by IssuesController#show as */*
  Parameters: {"id"=>"1216"}
  Current user: anonymous
Redirected to http://20.20.20.20/login?back_url=http%3A%2F%2F20.20.20.20%2Fissues%2F1216
Filter chain halted as :check_if_login_required rendered or redirected
Completed 302 Found in 12ms (ActiveRecord: 0.5ms)
Started GET "/login?back_url=http%3A%2F%2F20.20.20.20%2Fissues%2F1216" for 10.10.10.123 at Tue May 07 16:49:25 +0800 2013
Processing by AccountController#login as */*
  Parameters: {"back_url"=>"http://20.20.20.20/issues/1216"}
  Current user: anonymous
  Rendered account/login.html.erb within layouts/base (5.1ms)
  Rendered plugins/progressive_projects_list/app/views/application/_progressive_sidebar.html.erb (0.2ms)
  Rendered plugins/sidebar_hide/app/views/sidebar/_hideButton_partial.html.erb (1.8ms)
Completed 200 OK in 30ms (Views: 22.5ms | ActiveRecord: 0.5ms)
Started GET "/login?back_url=http%3A%2F%2F20.20.20.20%2Fissues%2F1216" for 10.10.10.123 at Tue May 07 16:49:25 +0800 2013
Processing by AccountController#login as HTML
  Parameters: {"back_url"=>"http://20.20.20.20/issues/1216"}
  Current user: admin (id=1)
Redirected to http://20.20.20.20/
Completed 302 Found in 11ms (ActiveRecord: 0.5ms)
Started GET "/" for 10.10.10.123 at Tue May 07 16:49:25 +0800 2013
app / controllers / account_controller.rb

Files

Actions #1

Updated by Martin Corino about 11 years ago

We have encountered this problem also but have determined it only occurs when opening Redmine from embedded URLs in Microsoft Office documents.
Applications under Linux, triggering URLs from the Windows Run dialog or from an application like Acrobat Reader does not exhibit this behaviour.
Somehow the Microsoft Office apps trigger the embedded URL in a way which causes the browser to send the request without the current session information for Redmine (which at that time typically has a window opened in Redmine) which results in a redirect to AccountController#login in ApplicationController#check_if_login_required because no current User is detected.
After the redirect the browser seems to have included the session info again and the current User is detected again.

Also, we believe the fix should be to replace the code

 ...
    if User.current.logged?
      redirect_to home_url
    end
 ...

in AccountController#login by
 ...
    if User.current.logged?
      redirect_back_or_default home_url
    end
 ...

Actions #2

Updated by Vladimir Sinenko almost 11 years ago

Martin Corino's description and fix is right on the money. I hope this will be merged into the production. Thank you, Martin.

Actions #3

Updated by Jean-Philippe Lang almost 11 years ago

  • Status changed from New to Closed

Fixed in r12705 (see #15926).

Actions

Also available in: Atom PDF