Project

General

Profile

Actions

Defect #26145

closed

Don't redirect anonymous users to the login form for disabled modules

Added by Adam Clark almost 7 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Category:
Permissions and roles
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

The use case is that a project enables a module (the Files module is the one we encountered) but later turns it off. If there are stray links to that URL, these generate a 403 error, which for anonymous users redirects to the login/registration page.

In our case, we had projects that served files publicly, then moved these to another location and turned off the Files module. The result is we now get a lot of spurious registration requests from users who are trying to download these files, because to the user it looks like the site is asking them to register before they can access the files.

I was able to address our immediate problem by patching ApplicationController.authorize to check whether the request is associated with a disabled project module, and redirect to the main project page in that case. I'm not sure how correct this code is (I don't know the Redmine internals all that well) and I know that this doesn't work for some modules (eg. Issues) which apparently operate through some other method. So this code is just for illustration, I guess.

    def authorize_with_custom(ctrl = params[:controller], action = params[:action], global = false)
      allowed = User.current.allowed_to?({:controller => ctrl, :action => action}, @project || @projects, :global => global)
      if allowed
        true
      else
        if @project
          logger.debug 'Handling auth error for ' + ctrl + '/' + action

          # Figure out whether the permission for this path is handled by a module
          project_module = Redmine::AccessControl.permissions.select {|p| p.actions.include?(ctrl + '/' + action)}.first.try(:project_module)
          logger.debug 'Permission module is ' + project_module.to_s

          # If it is a module, and the module isn't enabled in this project, try to redirect to the main project page
          if project_module && !@project.module_enabled?(project_module)
            can_view_project = User.current.allowed_to?({:controller => :projects, :action => :show}, @project)
            logger.debug 'Can the user view the main project page? ' + can_view_project.to_s
            if can_view_project
              redirect_to project_path(@project)
              return false
            end
          end
        end
        if @project && @project.archived?
          render_403 :message => :notice_not_authorized_archived_project
        else
          deny_access
        end
      end
    end
Actions #1

Updated by Jean-Philippe Lang almost 7 years ago

  • Subject changed from Accessing URL for a disabled module generates a 403 error to Don't redirect anonymous users to the login form for disabled modules
  • Category changed from Files to Permissions and roles
  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang
  • Target version set to 4.1.0
  • Resolution set to Fixed

Fixed in r16726, they now get a 403 error without being redirected to the login form.

Actions #2

Updated by Jean-Philippe Lang over 6 years ago

  • Target version changed from 4.1.0 to 4.0.0
Actions #3

Updated by Toshi MARUYAMA over 6 years ago

  • Description updated (diff)
Actions

Also available in: Atom PDF