Patch #29885

Fix 403 error while adding new watchers when selected issues in context_menu from different projects

Added by Andrey Lobanov (RedSoft) about 6 years ago. Updated almost 6 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Issues
Start date:
Due date:
% Done: 0%
Estimated time:

Description

Tested issue on trunk;
Steps to reproduce:
1) Select 2 or more issues from different projects
2) Open context menu
3) Select Watchers->New
4) Type some user name
5) In dev tools you will see 403 error;


Files

fix_403_cm_new_watchers.patch (2.21 KB) Andrey Lobanov (RedSoft), 2018-10-31 10:47
fix_403_cm_new_watchers_v2.patch (3.25 KB) Mizuki ISHIKAWA, 2018-12-21 06:22

Actions #1

Updated by Andrey Lobanov (RedSoft) about 6 years ago

Can anyone review this patch?

Actions #2

Updated by Marius BĂLTEANU about 6 years ago

Andrey Lobanov (RedSoft) wrote:

Can anyone review this patch?

Could you add a test to the patch?

Actions #3

Updated by Go MAEDA about 6 years ago

Confirmed the problem.

Actions #4

Updated by Marius BĂLTEANU almost 6 years ago

I'm not able to reproduce the problem in order to review the patch.

I tried from the global issues page and each request made from contextual menu to add watchers to issues from different projects returned 200. Can someone add more detailed steps to reproduce the problem (maybe I do not understand something well)? or a test that fails on the current trunk?

Actions #5

Updated by Mizuki ISHIKAWA almost 6 years ago

Marius BALTEANU wrote:

I'm not able to reproduce the problem in order to review the patch.

I tried from the global issues page and each request made from contextual menu to add watchers to issues from different projects returned 200. Can someone add more detailed steps to reproduce the problem (maybe I do not understand something well)? or a test that fails on the current trunk?

In order to reproduce this problem I needed to input a search keyword in "Search for user".
When entering the search keyword, the request parameter is Parameters: {"object_type"=>"issue", "q"=>""}.

<!--  app/views/watchers/_new.html.erb -->
  <%= javascript_tag "observeSearchfield('user_search', 'users_for_watcher', '#{ escape_javascript url_for(:controller => 'watchers',
                 :action => 'autocomplete_for_user',
                 :object_type => (watchables.present? ? watchables.first.class.name.underscore : nil),
                 :object_id => (watchables.present? && watchables.size == 1 ? watchables.first.id : nil),
                 :project_id => @project) }')" %>

If there are multiple watchables and multiple watchable projects, both object_id and project_id will be nil.
Those parameters are required for WatchersController#find_project to work.
Because WatchersController#find_project does not work, ApplicationController#authorize returns an exception "Filter chain halted as: authorize rendered or redirected".

I have made several changes by reading the patch written by Andrey Lobanov (RedSoft).
I appreciate that you shared the patch.

Changes:
  • Add tests
  • Make multiple watchable values of object_id instead of project_ids
  • Change the conditions of users_for_new_watcher to maintain the specification of #5159
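
The flow described in comment #5, as an added example that is not part of the thread, the attached patches or Redmine's code: a simplified Ruby model of how the autocomplete parameters built by the view lead to a 403 when the selected issues span projects. `Issue`, `ISSUES`, `autocomplete_params`, `find_project`, `authorize` and `autocomplete_status` are hypothetical stand-ins, and the assumption that a current project exists only when all selected issues share one is made for the model.

```ruby
# Simplified model of the request flow described in comment #5.
# All names here are hypothetical stand-ins, not Redmine's code;
# ISSUES is constructed sample data.
Issue = Struct.new(:id, :project)

ISSUES = {
  1 => Issue.new(1, "alpha"),
  2 => Issue.new(2, "alpha"),
  3 => Issue.new(3, "beta")
}.freeze

# Mirrors the parameter logic of the _new.html.erb snippet quoted above:
# object_id is sent only for a single watchable, project_id only when there
# is a current project. nil values are absent from the logged request
# parameters quoted in the comment, hence compact.
def autocomplete_params(watchables, project)
  {
    object_type: (watchables.empty? ? nil : "issue"),
    object_id: (watchables.size == 1 ? watchables.first.id : nil),
    project_id: project,
    q: ""
  }.compact
end

# Assumed shape of the project lookup: a project can be resolved only from
# object_type + object_id, or from project_id.
def find_project(params)
  if params[:object_type] && params[:object_id]
    ISSUES.fetch(params[:object_id]).project
  else
    params[:project_id]
  end
end

# Assumed shape of the permission check: with no project to check the
# permission against, the request is denied (fail closed).
def authorize(project, allowed_projects)
  project && allowed_projects.include?(project) ? 200 : 403
end

# Assumption: a current project exists only when all selected issues share one.
def autocomplete_status(issue_ids, allowed_projects)
  watchables = issue_ids.map { |id| ISSUES.fetch(id) }
  projects = watchables.map(&:project).uniq
  current_project = projects.size == 1 ? projects.first : nil
  params = autocomplete_params(watchables, current_project)
  authorize(find_project(params), allowed_projects)
end
```

In this model the cross-project selection is denied even for a user allowed in both projects, because the check has no project to evaluate rather than because a permission is missing.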
Actions #6

Updated by Go MAEDA almost 6 years ago

  • Target version set to Candidate for next minor release