Closed
Bug 408984
Opened 17 years ago
Closed 16 years ago
Redirect not working if logged in to editors
Categories
(addons.mozilla.org Graveyard :: Admin/Editor Tools, defect)
Tracking
(Not tracked)
VERIFIED
FIXED
3.4.3
People
(Reporter: aryx, Assigned: clouserw)
References
()
Details
Attachments
(1 file)
811 bytes,
patch
|
wenzel
:
review+
morgamic
:
review+
|
Details | Diff | Splinter Review |
Log out of AMO and go to https://addons.mozilla.org/de/firefox/editors , the redirect doesn't take you to the editor panel (like it did before the last push).
Comment 1•17 years ago
|
||
Confirming; Wil, the login code does not seem to honor the ?to= parameter anymore. :( Could be because you seem to have added locale and app to the ?to parameter, which was not part of it before.
Assignee: nobody → clouserw
Assignee | ||
Comment 2•17 years ago
|
||
This is by design. Any URL that matches: /(:\/\/|developers|editors|localizers|admin|users|\r|\n)/ is ignored and the user is sent to the home page. This is to prevent CSRF attacks (http://en.wikipedia.org/wiki/Csrf). I'm WONTFIXing this, but I'm happy to talk about it if you'd like.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
Reporter | ||
Comment 3•17 years ago
|
||
Could we use a whitelist for allowed urls for these usergroups. At the moment, an editor has to log in, click 'editors', 'updates' and at least the link to the last page (or '50' if there are less than 51 updates pending review) if he wants to see new submissions. In the old system, I had a bookmark going directly to update queue. I can live without it, but it was a nice-to-have.
Assignee | ||
Comment 4•17 years ago
|
||
Sure, I'll reopen it. I'm going to assign it to nobody in the hopes a patch comes in though. :) To anyone looking to write a patch, this happens on line 294 of users_controller.php. The easiest way to do this would probably be just have an if (in_array($url,array('safeurl1','safeurl2'))) right before it gets reset to '/'.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Assignee | ||
Updated•17 years ago
|
Assignee: clouserw → nobody
Status: REOPENED → NEW
Comment 5•16 years ago
|
||
Where can one get insight into the sources? Here? http://svn.mozilla.org/addons/trunk/site/app/controllers/users_controller.php
Assignee | ||
Comment 6•16 years ago
|
||
(In reply to comment #5) > Where can one get insight into the sources? Here? > http://svn.mozilla.org/addons/trunk/site/app/controllers/users_controller.php > Yep, that's the file. Comment #4 narrows it down a bit.
Updated•16 years ago
|
Target Milestone: --- → 3.4
Updated•16 years ago
|
Target Milestone: 3.4 → 3.4.3
Updated•16 years ago
|
Assignee: nobody → clouserw
Assignee | ||
Comment 7•16 years ago
|
||
The only other modify-data-without-POST is recalculating a file's hash. Is that a blocker for this? Does anyone else know of a place where we modify data with just GET?
Assignee | ||
Updated•16 years ago
|
Attachment #322702 -
Flags: review?(fwenzel)
Assignee | ||
Updated•16 years ago
|
Attachment #322702 -
Flags: review?(morgamic)
Comment 8•16 years ago
|
||
Comment on attachment 322702 [details] [diff] [review] Remove CSRF failsafe works for me. Sad that our code is tomfoolery-free now, though.
Attachment #322702 -
Flags: review?(fwenzel) → review+
Updated•16 years ago
|
Attachment #322702 -
Flags: review?(morgamic) → review+
Assignee | ||
Comment 9•16 years ago
|
||
r14031
Status: NEW → RESOLVED
Closed: 17 years ago → 16 years ago
Resolution: --- → FIXED
Verified FIXED using preview.* URLS with the paths mentioned in comment 2's regexp.
Status: RESOLVED → VERIFIED
Updated•8 years ago
|
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•