Patch #14096
Closed
back_url is ignored after auto login existing session.
Description
When a user opens Redmine issues like "/issues/1216" from external applications, the page is directed to Redmine "/" after auto login from an existing session. The back_url is ignored in this case, so I made a change to make back_url work.
    Started GET "/issues/1216" for 10.10.10.123 at Tue May 07 16:49:25 +0800 2013
    Processing by IssuesController#show as */*
      Parameters: {"id"=>"1216"}
      Current user: anonymous
    Redirected to http://20.20.20.20/login?back_url=http%3A%2F%2F20.20.20.20%2Fissues%2F1216
    Filter chain halted as :check_if_login_required rendered or redirected
    Completed 302 Found in 12ms (ActiveRecord: 0.5ms)

    Started GET "/login?back_url=http%3A%2F%2F20.20.20.20%2Fissues%2F1216" for 10.10.10.123 at Tue May 07 16:49:25 +0800 2013
    Processing by AccountController#login as */*
      Parameters: {"back_url"=>"http://20.20.20.20/issues/1216"}
      Current user: anonymous
      Rendered account/login.html.erb within layouts/base (5.1ms)
      Rendered plugins/progressive_projects_list/app/views/application/_progressive_sidebar.html.erb (0.2ms)
      Rendered plugins/sidebar_hide/app/views/sidebar/_hideButton_partial.html.erb (1.8ms)
    Completed 200 OK in 30ms (Views: 22.5ms | ActiveRecord: 0.5ms)

    Started GET "/login?back_url=http%3A%2F%2F20.20.20.20%2Fissues%2F1216" for 10.10.10.123 at Tue May 07 16:49:25 +0800 2013
    Processing by AccountController#login as HTML
      Parameters: {"back_url"=>"http://20.20.20.20/issues/1216"}
      Current user: admin (id=1)
    Redirected to http://20.20.20.20/
    Completed 302 Found in 11ms (ActiveRecord: 0.5ms)

    Started GET "/" for 10.10.10.123 at Tue May 07 16:49:25 +0800 2013

app / controllers / account_controller.rb
Updated by Martin Corino about 11 years ago
We have encountered this problem also but have determined it only occurs when opening Redmine from embedded URLs in Microsoft Office documents.
Applications under Linux, triggering URLs from the Windows Run dialog or from an application like Acrobat Reader do not exhibit this behaviour.
Somehow the Microsoft Office apps trigger the embedded URL in a way which causes the browser to send the request without the current session information for Redmine (which at that time typically has a window opened in Redmine) which results in a redirect to AccountController#login in ApplicationController#check_if_login_required because no current User is detected.
After the redirect the browser seems to have included the session info again and the current User is detected again.
Also, we believe the fix should be to replace the code

    ...
    if User.current.logged?
      redirect_to home_url
    end
    ...

in AccountController#login by

    ...
    if User.current.logged?
      redirect_back_or_default home_url
    end
    ...
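The redirect decision discussed in this thread, as an added Ruby sketch that is not Redmine's code or the posted patch: once the logged-in branch of the login action honours back_url, that parameter selects the redirect target, so it is checked against the request host before use. The helper names `safe_back_url` and `login_redirect` and the host `other.example` are assumptions made for illustration.

```ruby
require 'uri'

# Hypothetical helper (not Redmine's implementation): return back_url only if
# it points at our own host or is a plain absolute path, otherwise nil.
def safe_back_url(back_url, request_host)
  return nil if back_url.nil? || back_url.empty?
  uri = URI.parse(back_url)
  if uri.host
    # Absolute URL (or scheme-relative "//host/..."): require http(s),
    # the same host as the current request, and no embedded credentials.
    return nil unless %w[http https].include?(uri.scheme)
    return nil unless uri.host.casecmp?(request_host)
    return nil if uri.userinfo
  else
    # No host: accept only a single-slash absolute path such as "/issues/1216".
    return nil unless back_url.start_with?('/') && !back_url.start_with?('//')
  end
  # Never send the user back to the login page itself (redirect loop).
  return nil if uri.path =~ %r{\A/login(/|\z)}
  back_url
rescue URI::InvalidURIError
  nil
end

# Models the login action for the three requests in the log above:
# anonymous request -> login form; request that already carries a session ->
# validated back_url, falling back to home_url.
def login_redirect(logged_in, params, request_host, home_url)
  return :render_login_form unless logged_in
  safe_back_url(params['back_url'], request_host) || home_url
end

if __FILE__ == $0
  home = 'http://20.20.20.20/'
  # Constructed inputs; the first is the decoded back_url from the log.
  [
    'http://20.20.20.20/issues/1216',
    '/issues/1216',
    'http://other.example/issues/1216',
    '//other.example/issues/1216',
    '/login?back_url=%2F'
  ].each do |b|
    puts "#{b.inspect} -> #{login_redirect(true, { 'back_url' => b }, '20.20.20.20', home)}"
  end
end
```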
Updated by Vladimir Sinenko almost 11 years ago
Martin Corino's description and fix is right on the money. I hope this will be merged into the production. Thank you, Martin.
Updated by Jean-Philippe Lang almost 11 years ago
- Status changed from New to Closed