Defect #7843

closed

Add a relation between issues = explicit login window ! (basic authentication popup is prompted on AJAX request)

Added by Anonymous about 13 years ago. Updated over 12 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Rails support
Target version:
Start date: 2011-03-11
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

Since I upgraded my Redmine from 1.1.0 to 1.1.2.devel.5072, we have had a strange issue. When a user tries to add a link between two issues, he is asked to log in again with an explicit Internet Explorer authentication window.

Here is a log:

Processing IssueRelationsController#new (for 10.11.13.196 at 2011-03-11 16:41:56) [POST]
  Parameters: {"commit"=>"Ajouter", "action"=>"new", "authenticity_token"=>"cZEO7tAyuSxFA8qBCnGG1f5NRBrbm0nQyTLa02tfqPo=", "issue_id"=>"7733", "id"=>"7733", "controller"=>"issue_relations", "relation"=>{"delay"=>"", "issue_to_id"=>"4545", "relation_type"=>"relates"}}
  SQL (0.1ms)   SELECT max(`settings`.updated_on) AS max_updated_on FROM `settings`
  Setting Load (0.0ms)   SELECT * FROM `settings` WHERE (`settings`.`name` = 'rest_api_enabled') LIMIT 1
  AnonymousUser Columns (1.4ms)   SHOW FIELDS FROM `users`
  AnonymousUser Load (0.5ms)   SELECT * FROM `users` WHERE ( (`users`.`type` = 'AnonymousUser' ) ) LIMIT 1
  Setting Load (0.1ms)   SELECT * FROM `settings` WHERE (`settings`.`name` = 'login_required') LIMIT 1
Filter chain halted as [:check_if_login_required] rendered_or_redirected.
Completed in 7ms (View: 0, DB: 2) | 401 Unauthorized [http://support/issues/7733/relations/7733]


Files

ajax_session_reset.patch (1.68 KB) Etienne Massip, 2011-03-14 12:48

Related issues

Related to Redmine - Feature #6887: Upgrade to Rails 2.3.11 (Closed, Jean-Philippe Lang, 2010-11-13)
Has duplicate Redmine - Defect #7912: When adding Related Issues, Redmine asks for HTTP Authentication (Closed, 2011-03-17)

Actions #1

Updated by Etienne Massip about 13 years ago

What Rails version are you using, with what server?

Actions #2

Updated by Anonymous about 13 years ago

ruby 1.8.6 (2009-06-08 patchlevel 369) [i586-linux]
Rails 2.3.11
rake 0.8.7 (oops, should be 1.1.0)

Actions #3

Updated by Anonymous about 13 years ago

Sorry:
rack (1.1.0)
rails (2.3.11)
rake (0.8.7)

So it's OK for rake.

Actions #4

Updated by Etienne Massip about 13 years ago

Mongrel ?

Actions #5

Updated by Anonymous about 13 years ago

No, I am using Apache2 / Passenger 2.2.8

I do not have the problem if I check the auto login box within the login screen.

And I did not have the problem with Redmine 1.1.0 (Apache2/Passenger 2.2.4).

Actions #6

Updated by Etienne Massip about 13 years ago

1.1.0 with Rails 2.3.11 too?

I hit what seems to be the same problem a little while ago with Rails 2.3.11; I thought that was due to a mongrel monkey patch: http://www.redmine.org/issues/7688#note-6.

Actions #7

Updated by Anonymous about 13 years ago

No, I was using 1.1.0 with Rails 2.3.5.

Actions #8

Updated by Etienne Massip about 13 years ago

  • Target version set to 1.2.0

Copied from http://www.redmine.org/issues/7688#note-6 (note 6 of #7688):

Hit a bug with AJAX which I supposed is due to this patch, but not necessarily:

After some time of use, an AJAX request like parent task auto-complete lookup or adding a new category / version directly from the issue form will perform well but the next request (e.g. new parent task lookup or issue submission) will redirect the user to the login page (with a 401 "non authorized" HTTP error code).

Actions #9

Updated by Etienne Massip about 13 years ago

  • Subject changed from Add a relation between issues = explicit login window ! to Add a relation between issues = explicit login window ! (basic authentication popup is prompted on AJAX request)

Actions #10

Updated by Etienne Massip about 13 years ago

  • Affected version (unused) changed from 1.1.2 to devel
  • Affected version deleted (1.1.2)

Changed affected version to devel as 1.1.2 requires Rails 2.3.5.

Actions #11

Updated by Etienne Massip about 13 years ago

  • Category set to Rails support

Actions #12

Updated by Etienne Massip about 13 years ago

This happens only if autologin is enabled in settings and not checked in authentication form (no autologin cookie).

This is easily reproducible with local WEBrick even though the server behavior differs a bit: instead of returning a 401, leading the browser to prompt the basic auth form, XHR returns a 200 each time and browsing out to another page will redirect the user to the web authentication form.

Actions #13

Updated by Etienne Massip about 13 years ago

Just discovered that protect_from_forgery is active in application_controller.

From RoR 2.3.11 release news:

There are two steps to ensuring that your application sends the CSRF Token with every ajax request.
Providing the token in a meta tag, then ensuring your javascript reads those values and provides them with each request.
The first step involves you including the csrf_meta_tag helper somewhere in your application’s layout.
Rails 3 applications likely already include this helper, however it has now been backported to the 2.3.x series.

Guess it's the issue, will make some more tests.
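
The two steps from the release note quoted above, as an added example that is not part of the original comment or of the attached patch: the layout emits the token through csrf_meta_tag, and the script copies it into an X-CSRF-Token header on same-origin, non-GET XMLHttpRequests. It uses plain XMLHttpRequest instead of the Prototype library Redmine used at the time; installCsrfHeader, readCsrfToken and isSameOrigin are names chosen for this example.

```javascript
// Added example, not Redmine's application.js. Function names are hypothetical.
// Step 1, server side: the layout calls csrf_meta_tag, which renders
//   <meta name="csrf-param" content="authenticity_token"/>
//   <meta name="csrf-token" content="...per-session token..."/>
// Step 2, client side: read the token and send it with each state-changing XHR.

function readCsrfToken(doc) {
  const el = doc.querySelector('meta[name="csrf-token"]');
  return el ? el.getAttribute('content') : null;
}

// Only same-origin requests get the token, so it is never sent to another site.
function isSameOrigin(url, pageHref) {
  try {
    return new URL(url, pageHref).origin === new URL(pageHref).origin;
  } catch (e) {
    return false; // unparsable URL: do not attach the token
  }
}

// Wraps open()/send() on the given XHR constructor. Returns false when the
// page carries no token (csrf_meta_tag missing from the layout).
function installCsrfHeader(doc, Xhr) {
  const token = readCsrfToken(doc);
  if (!token) return false;
  const open = Xhr.prototype.open;
  const send = Xhr.prototype.send;
  Xhr.prototype.open = function (method, url) {
    this._csrfNeeded = !/^(GET|HEAD)$/i.test(method) &&
      isSameOrigin(String(url), doc.location.href);
    return open.apply(this, arguments);
  };
  Xhr.prototype.send = function () {
    if (this._csrfNeeded) this.setRequestHeader('X-CSRF-Token', token);
    return send.apply(this, arguments);
  };
  return true;
}

// In a browser, install on the real objects; elsewhere this is a no-op.
if (typeof document !== 'undefined' && typeof XMLHttpRequest !== 'undefined') {
  installCsrfHeader(document, XMLHttpRequest);
}
```

A false return from installCsrfHeader is worth logging during an upgrade, since it means the layout is not rendering the meta tags and POSTs made through XHR will go out without a token.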

Actions #14

Updated by Etienne Massip about 13 years ago

Here's a patch which applies what is said here in "Upgrade process".

Works for me.

Actions #15

Updated by Brian Kinder about 13 years ago

Confirmed. Patch works great. Thanks!

Actions #16

Updated by Jean-Philippe Lang about 13 years ago

  • Status changed from New to Closed
  • Resolution set to Fixed

Patch committed in r5134. Thanks for digging into this issue.

Actions #17

Updated by Leonardo Vieira about 13 years ago

  • Status changed from Closed to Reopened

I had this problem until I saw this bug report and applied the solution myself.
Using Redmine version 1.1.2 r5210; when using 1.1.1 I didn't have such a problem.
I'm using Rails version 2.3.11, and Rack version 1.1.0.
Was the patch removed in later updates for some reason?

Actions #18

Updated by Etienne Massip about 13 years ago

1.1.1 or 1.1.2 stable do not support Rails 2.3.11.

Since this is a JavaScript issue, make sure that the latest application.js has replaced the previous one in your browser's cache.

Actions #19

Updated by Etienne Massip almost 13 years ago

  • Status changed from Reopened to Closed

No feedback and nobody else has been reporting this issue since the fix has been committed to trunk.

Actions #20

Updated by Chris Wolf almost 13 years ago

Etienne Massip wrote:

1.1.1 or 1.1.2 stable do not support Rails 2.3.11.

Since this is a JavaScript issue, make sure that the latest application.js has replaced the previous one in your browser's cache.

So what is "1.1.2 stable"? That phrase is not mentioned in the compatibility matrix on this page, which I used to guide my installation:

http://www.redmine.org/projects/redmine/wiki/RedmineInstall

Is "1.1.2 stable" the same as "trunk from r2887 to r4903"? Should I downgrade to Rails-2.3.5? Or should I keep Rails-2.3.11 and apply "ajax_session_reset.patch" from this issue?

Actions #21

Updated by Oliver Maurhart over 12 years ago

We installed Redmine 1.1.2 and applied the given patch.

Now adding a related issue works again ... but delete/remove related issues does now pop up the same explicit login window.
