Defect #17158

403 error when trying to view project/issue details

Added by Marcin Skoczylas over 7 years ago. Updated over 7 years ago.

Status: Needs feedback
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Accounts / authentication
Target version: -
Resolution:
Affected version: 2.5.1

Description

Hi!

I've had a working instance of Redmine 2.3.0 started on the Thin web server (v1.5.1 codename Straight Razor) working for the last year: thin start --ssl -e production. Today I wanted to add support for sending emails and I configured GMail correctly (via configuration.yml); sending emails works perfectly now... I'm not sure if that broke the configuration, as I literally added a few lines to configuration.yml, but...

Now all my users that are not administrators can't access their private projects with 403 error message. If project is public everything works fine, also administrators can access the private projects. List of projects by regular members can be seen in /projects URL, also issues are shown in dashboard, but when member wants to go into the project or issue details the error is thrown (excerpt from production.log):

Started GET "/projects/xxxxx" for 89.x.y.z at 2014-06-11 11:37:50 +0200
Processing by ProjectsController#show as HTML
Parameters: {"id"=>"xxxxx"}
Current user: j.member (id=2)
Rendered common/error.html.erb within layouts/base (0.1ms)
Filter chain halted as :authorize rendered or redirected
Completed 403 Forbidden in 20ms (Views: 10.7ms | ActiveRecord: 1.6ms)

What's going on? What does this error mean? Where can I start digging, as I do not see any clue in this? I changed member roles to allow for everything, but still they get 403... I'm really desperate as I can't find anything in settings that could cause this. Could you please give me a hint what to do to get this working again?

Edit:
I've changed logger to debug and I got some more details:

Role Load (0.1ms)  SELECT "roles".* FROM "roles" WHERE "roles"."builtin" = 1 LIMIT 1
Rendered common/error.html.erb within layouts/base (0.1ms)

Is this a bug in Redmine? Why does selecting roles create an error?

Edit2:
I've upgraded Redmine to 2.5.1 but the problem is still there. This seems like a bug, as I can't properly configure this via the admin Settings. I gave all privileges to members but they still receive a 403 error.

project-creation.png (10.9 KB) Marcin Skoczylas, 2014-06-11 17:33
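
One way to pull denials like the one in the log excerpts above out of production.log, as an added example that is not part of the original report or of Redmine's code. The sample log is constructed from the two quoted excerpts plus one invented successful request, and the parser assumes requests are not interleaved in the log.

```ruby
# Added example: list requests that the :authorize filter rejected with 403.
# SAMPLE_LOG is constructed from the report's excerpts plus one invented 200 request.
SAMPLE_LOG = <<~LOG
  Started GET "/projects/xxxxx" for 89.x.y.z at 2014-06-11 11:37:50 +0200
  Processing by ProjectsController#show as HTML
    Parameters: {"id"=>"xxxxx"}
    Current user: j.member (id=2)
    Role Load (0.1ms)  SELECT "roles".* FROM "roles" WHERE "roles"."builtin" = 1 LIMIT 1
    Rendered common/error.html.erb within layouts/base (0.1ms)
  Filter chain halted as :authorize rendered or redirected
  Completed 403 Forbidden in 20ms (Views: 10.7ms | ActiveRecord: 1.6ms)
  Started GET "/projects" for 89.x.y.z at 2014-06-11 11:38:02 +0200
  Processing by ProjectsController#index as HTML
    Current user: j.member (id=2)
  Completed 200 OK in 35ms (Views: 20.1ms | ActiveRecord: 3.2ms)
LOG

Request = Struct.new(:verb, :path, :action, :user, :halted_by, :status, :builtin_role)

# Split the log into per-request records; each "Started" line opens a new one.
def parse_requests(log)
  requests = []
  log.each_line do |line|
    case line
    when /Started (\w+) "([^"]+)"/        then requests << Request.new($1, $2)
    when /Processing by (\S+) as/         then requests.last&.action = $1
    when /Current user: (\S+)/            then requests.last&.user = $1
    # Debug-level SQL: Redmine's built-in roles are 1 = non member, 2 = anonymous.
    when /"roles"\."builtin" = (\d+)/     then requests.last&.builtin_role = $1.to_i
    when /Filter chain halted as :(\w+)/  then requests.last&.halted_by = $1
    when /Completed (\d{3})/              then requests.last&.status = $1.to_i
    end
  end
  requests
end

# Keep only the requests denied by the authorize before-filter.
def authorization_denials(log)
  parse_requests(log).select { |r| r.status == 403 && r.halted_by == "authorize" }
end

authorization_denials(SAMPLE_LOG).each do |r|
  puts "#{r.user} denied #{r.verb} #{r.path} (#{r.action}), " \
       "built-in role looked up: #{r.builtin_role.inspect}"
end
```

A logged-in user whose denied request shows a lookup of built-in role 1 was evaluated against the non-member role for that project, which narrows the search to membership resolution rather than the permissions of the assigned role.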

History

#1 Updated by Marcin Skoczylas over 7 years ago

Looking in the logs, I have a clue that this happened when I changed the name of the role "Reporter" to "Tester".

#2 Updated by Toshi MARUYAMA over 7 years ago

  • Status changed from New to Needs feedback

Check user in project member at projects/<id>/settings/members.

#3 Updated by Marcin Skoczylas over 7 years ago

Members can see their projects in /projects URL, also issues from these projects are shown in dashboard, but when member wants to go into the project or issue details the error is thrown.

Users are added in projects/<id>/settings/members

also users have proper role set (I've even created role that contains ALL privileges, but this does not help).

#4 Updated by Marcin Skoczylas over 7 years ago

I've added a privilege to create projects to one of users who is not admin.

When that user created a new project that is not public, even he (the owner of newly created project) can not access his own freshly created project, please see the screenshot.

#5 Updated by Toshi MARUYAMA over 7 years ago

Marcin Skoczylas wrote:

> I've added a privilege to create projects to one of users who is not admin.
>
> When that user created a new project that is not public, even he (the owner of newly created project) can not access his own freshly created project, please see the screenshot.

I cannot reproduce.
Do you use plugins?

#6 Updated by Marcin Skoczylas over 7 years ago

I do not use any plugins. This happened when I changed the configuration a bit: added email notification configuration and then, via the Redmine Settings frontend, changed a role name from "Reporter" to "Tester". Redmine was set up to use Polish as the default language. That broke permissions and since then my members receive a 403 error.

Then I downloaded Redmine 2.5.1 and upgraded my old installation by copying only the database file (SQLite) and some simple configuration stuff, such as the token, and then I ran the upgrade scripts, but that did not help.

I have a clue that some Settings changes I did using Redmine frontend broke the database file and now I can't change it back. I gave all permissions to roles but members still have 403 error.

If you wish I can tar all my setup and send it to you for review, it's a standalone installation (on SQLite) - please contact me privately, I can't share this setup on the web.

#7 Updated by Marcin Skoczylas over 7 years ago

Update: I recreated the database from scratch. The effect is the same. Am I missing something?

Do users need something in addition:
1. Install Redmine DB.
2. Login as Admin.
3. Changed default language to Polish.
4. Created project A, set to not public.
5. Created subproject B, set to not public.
6. Created user X.
7. Added user X to project A and B with role "Programista".
8. Log out and log in as User X.
9. Click on project A or B, error 403 is shown - can't access.

#8 Updated by Marcin Skoczylas over 7 years ago

Ok I see you do not care about this error. Does not matter. As a workaround I've added Admin privileges to all my users.
