Defect #7843
closed
Add a relation between issues = explicit login window ! (basic authentication popup is prompted on AJAX request)
Added by Anonymous over 13 years ago.
Updated about 13 years ago.
Description
Since I have upgraded my Redmine from 1.1.0 to 1.1.2.devel.5072 we have a strange issue. When a user tries to add a link between two issues, he is asked to log in again with an explicit Internet Explorer authentication window.
Here is a log:
Processing IssueRelationsController#new (for 10.11.13.196 at 2011-03-11 16:41:56) [POST]
Parameters: {"commit"=>"Ajouter", "action"=>"new", "authenticity_token"=>"cZEO7tAyuSxFA8qBCnGG1f5NRBrbm0nQyTLa02tfqPo=", "issue_id"=>"7733", "id"=>"7733", "controller"=>"issue_relations", "relation"=>{"delay"=>"", "issue_to_id"=>"4545", "relation_type"=>"relates"}}
SQL (0.1ms) SELECT max(`settings`.updated_on) AS max_updated_on FROM `settings`
Setting Load (0.0ms) SELECT * FROM `settings` WHERE (`settings`.`name` = 'rest_api_enabled') LIMIT 1
AnonymousUser Columns (1.4ms) SHOW FIELDS FROM `users`
AnonymousUser Load (0.5ms) SELECT * FROM `users` WHERE ( (`users`.`type` = 'AnonymousUser' ) ) LIMIT 1
Setting Load (0.1ms) SELECT * FROM `settings` WHERE (`settings`.`name` = 'login_required') LIMIT 1
Filter chain halted as [:check_if_login_required] rendered_or_redirected.
Completed in 7ms (View: 0, DB: 2) | 401 Unauthorized [http://support/issues/7733/relations/7733]
What Rails version are you using, with what server?
ruby 1.8.6 (2009-06-08 patchlevel 369) [i586-linux]
Rails 2.3.11
rake 0.8.7 (oops, should be 1.1.0)
Sorry:
rack (1.1.0)
rails (2.3.11)
rake (0.8.7)
So it's OK for rake.
No, I am using Apache2 / Passenger 2.2.8
I do not have the problem if I check the auto login box within the login screen.
And I did not have the problem with Redmine 1.1.0 (Apache2/Passenger 2.2.4).
No, I was using 1.1.0 with Rails 2.3.5.
- Target version set to 1.2.0
Copied from http://www.redmine.org/issues/7688#note-6 (note 6 of #7688):
Hit a bug with AJAX which I suppose is due to this path but not necessarily:
After some time of use, an AJAX request like parent task auto-complete lookup or adding a new category / version directly from the issue form will perform well but the next request (e.g. new parent task lookup or issue submission) will redirect the user to the login page (with a 401 "non authorized" HTTP error code).
- Subject changed from Add a relation between issues = explicit login window ! to Add a relation between issues = explicit login window ! (basic authentication popup is prompted on AJAX request)
- Affected version (unused) changed from 1.1.2 to devel
- Affected version deleted (1.1.2)
Changed affected version to devel as 1.1.2 requires Rails 2.3.5.
- Category set to Rails support
This happens only if autologin is enabled in settings and not checked in authentication form (no autologin cookie).
This is easily reproducible with local WEBrick even though the server behavior differs a bit: instead of returning a 401, leading the browser to prompt the basic auth form, XHR returns a 200 each time and browsing out to another page will redirect the user to web authentication form.
Just discovered that protect_from_forgery is active in application_controller.
From RoR 2.3.11 release news:
There are two steps to ensuring that your application sends the CSRF Token with every ajax request.
Providing the token in a meta tag, then ensuring your javascript reads those values and provides them with each request.
The first step involves you including the csrf_meta_tag helper somewhere in your application’s layout.
Rails 3 applications likely already include this helper, however it has now been backported to the 2.3.x series.
Guess it's the issue, will make some more tests.
Here's a patch which applies what is said here in "Upgrade process".
Works for me.
Confirmed. Patch works great. Thanks!
- Status changed from New to Closed
- Resolution set to Fixed
Patch committed in r5134. Thanks for digging into this issue.
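As an added example (not part of this thread, and not the patch committed in r5134), the two steps quoted from the Rails 2.3.11 release news look like this in plain JavaScript: read the token that csrf_meta_tag renders into the layout, then send it as X-CSRF-Token on state-changing, same-origin XHRs only. The function names are illustrative assumptions; without the header, Rails 2.3.11 resets the session on a non-GET request, which is consistent with the AnonymousUser lookup and 401 in the log above.

```javascript
// Added example; function names are illustrative, not Redmine's application.js.
// Rails' csrf_meta_tag helper renders into the layout:
//   <meta name="csrf-param" content="authenticity_token"/>
//   <meta name="csrf-token" content="...per-session token..."/>

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Step 1: read the token the layout exposed; null means the helper is missing.
function readCsrfToken(doc) {
  const meta = doc.querySelector('meta[name="csrf-token"]');
  const token = meta ? meta.getAttribute('content') : null;
  return token && token.length > 0 ? token : null;
}

// Step 2: decide which extra headers a request needs. The token is attached
// only to state-changing, same-origin requests so it never leaks to another host.
function csrfHeadersFor(method, url, pageOrigin, token) {
  const verb = String(method || 'GET').toUpperCase();
  if (SAFE_METHODS.has(verb) || !token) return {};
  let target;
  try {
    target = new URL(url, pageOrigin); // resolves relative URLs against the page
  } catch (e) {
    return {}; // unparseable URL: attach nothing
  }
  if (target.origin !== new URL(pageOrigin).origin) return {};
  return { 'X-CSRF-Token': token };
}

// Browser wiring: wrap XMLHttpRequest so every request goes through step 2,
// whatever AJAX library issues it. Returns false if the meta tag is absent.
function installCsrfHeader(win) {
  const token = readCsrfToken(win.document);
  const proto = win.XMLHttpRequest.prototype;
  const open = proto.open, send = proto.send;
  proto.open = function (method, url) {
    this._csrf = csrfHeadersFor(method, url, win.location.origin, token);
    return open.apply(this, arguments);
  };
  proto.send = function () {
    for (const name in this._csrf) this.setRequestHeader(name, this._csrf[name]);
    return send.apply(this, arguments);
  };
  return token !== null;
}
```

In a page, `installCsrfHeader(window)` would be called once after the layout has loaded; a `false` return is a quick check that the layout is missing the meta tag.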
- Status changed from Closed to Reopened
I had this problem until I saw this bug report and applied the solution myself.
Using Redmine version 1.1.2 r5210; when using 1.1.1 I didn't have such a problem.
I'm using Rails version 2.3.11, and Rack version 1.1.0.
Was the patch removed in later updates for some reason?
1.1.1 or 1.1.2 stable do not support Rails 2.3.11.
Since this is a JavaScript issue, make sure that the latest application.js has replaced the previous one in your browser's cache.
- Status changed from Reopened to Closed
No feedback and nobody else has been reporting this issue since the fix has been committed to trunk.
Etienne Massip wrote:
1.1.1 or 1.1.2 stable do not support Rails 2.3.11.
Since this is a JavaScript issue, make sure that the latest application.js has replaced the previous one in your browser's cache.
So what is "1.1.2 stable"? That phrase is not mentioned in the compatibility matrix on this page, which I used to guide my installation:
http://www.redmine.org/projects/redmine/wiki/RedmineInstall
Is "1.1.2 stable" the same as "trunk from r2887 to r4903"? Should I downgrade to Rails-2.3.5? Or should I keep Rails-2.3.11 and apply "ajax_session_reset.patch" from this issue?
We installed Redmine 1.1.2 and applied the given patch.
Now adding a related issue works again ... but deleting/removing related issues now pops up the same explicit login window.