Closed Bug 83044 Opened 24 years ago Closed 20 years ago

Any page should be able to have ?GoAheadAndLogIn=1 in the URL to force a login.

Categories

(Bugzilla :: User Accounts, defect, P3)

Product:
Bugzilla
Component:
User Accounts
Version:
2.13
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.20

People

(Reporter: justdave, Assigned: jacob)

References

Details

Attachments

(1 file, 4 obsolete files)

Partial Hack - No login box
4.37 KB, patch
bugreport
: review+
Details | Diff | Splinter Review
Summary's a little funny-looking, but the real story won't fit there. But here's the scenario: Steps to reproduce: 1) You receive bugmail for a change to a confidential bug. 2) You click the link in the bugmail from your email client 3) browser opens to the "This bug cannot be viewed unless you first log in" page. 4) click "log in" 5) fill out your username and password, then click Login Actual results: - You are deposited on the Query page. Expexted results: - You are shown the bug that you originally clicked the link to, or told that your account doesn't have permission to view it. This used to work. I'm not sure when it broke.
Keywords: regression
Target Milestone: --- → Bugzilla 2.14
Works for me on both b.m.o and my own installation running the tip.
i can't reproduce it either. closing out.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → WORKSFORME
just managed to duplicate this again... but here's the catch. I accidently clicked the "Log in" link in the footer instead of the one in the error message. The Log In link in the footer really should take you back to the same page you were already looking at instead of going to the query page...
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Summary: Can't view a confidential bug when not logged in → "Log In" in footer should return to same page after logging in.
Target Milestone: Bugzilla 2.14 → Bugzilla 2.16
Keywords: regression
As described by Dave this is not critical ...
Severity: critical → normal
Priority: -- → P3
-> Bugzilla product, User Accounts component, reassigning.
Assignee: tara → myk
Status: REOPENED → NEW
Component: Bugzilla → User Accounts
Product: Webtools → Bugzilla
Version: Bugzilla 2.13 → 2.13
We are currently trying to wrap up Bugzilla 2.16. We are now close enough to release time that anything that wasn't already ranked at P1 isn't going to make the cut. Thus this is being retargetted at 2.18. If you strongly disagree with this retargetting, please comment, however, be aware that we only have about 2 weeks left to review and test anything at this point, and we intend to devote this time to the remaining bugs that were designated as release blockers.
Target Milestone: Bugzilla 2.16 → Bugzilla 2.18
We at bugs.kde.org are using Bugzilla since about one year. All our database is public, so nobody is required to login first before being able to see a particular bug. However all our logins are done through query.cgi?GoAheadAndLogIn=1 which still leads to the query page instead to the refer link. This behavior is very annoying and scares the hell out of anyone who is not able to handle something complex like the query page but still needs to login to post something simple like an ordinary comment. I really wish someone will pick this bug up after nearly 1 1/2 years of idling time. We could try to fix that locally but it's not our intention to create a fork. Thank you for the much needed attention to this bug report. =)
Attached patch Partial Hack (obsolete) — Splinter Review
This patch isn't a full fix for this bug as reported, but it does at least partially solve the problem. This patch allows any Bugzilla page to respond to GoAheadAndLogIn (currently, only those with the funky if statement [such as query.cgi and show_bug.cgi] do). It also changes the link in the footer for logging in to point to index.cgi instead of query.cgi (to reduce the complexity).
Attached patch Slightly more complete hack (obsolete) — Splinter Review
This version does bring the user back to the page they were viewing provided they weren't viewing it because of a POST (eg, the information required to bring them back is located in the QUERY_STRING portion of the URL).
Comment on attachment 121977 [details] [diff] [review] Partial Hack I'm not entirely sure if I'm using the new CGI module stuff corretly, but it does work :)
Attachment #121977 - Flags: review?(bbaetz)
I'm not sure how to solve the problems with attachment 121978 [details] [diff] [review] (POSTed form)... perhaps the easiest way is to simply use attachment 121977 [details] [diff] [review] (the 1st) instead.
Assignee: myk → jake
Status: NEW → ASSIGNED
Comment on attachment 121977 [details] [diff] [review] Partial Hack >Index: Bugzilla.pm >=================================================================== >RCS file: /cvsroot/mozilla/webtools/bugzilla/Bugzilla.pm,v >retrieving revision 1.6 >diff -u -r1.6 Bugzilla.pm >--- Bugzilla.pm 22 Mar 2003 04:47:09 -0000 1.6 >+++ Bugzilla.pm 29 Apr 2003 03:30:03 -0000 >@@ -65,6 +65,7 @@ > } > > $type = LOGIN_NORMAL unless defined $type; >+ $type = LOGIN_REQUIRED if Bugzilla->cgi->param('GoAheadAndLogIn'); > Move this line above the previous one to save a comparision, and r=bbaetz The other patch cannot work, because of the POST issue. If you want to do that, you'd have to: a) Make sure that all the pages which do modifications only accept POST responses, and error out for GET. Stuff which does both, like attachment.cgi, makes this harder. Note that we should do that anyway at some point, anyway b) Go to index.cgi if the current page was a POST (again, get that from [% Bugzilla.cgi %] in the template) Does it matter that our redirection pages such as xml.cgi don't pass this on? I don't think so (since they never worked before)
Attachment #121977 - Flags: review?(bbaetz) → review+
Dave, good enough? Also, should we leave this bug open for a more complete fix?
Flags: approval?
Please leave it open since this fix regrettably isn't sufficient in our case. At bugs.kde.org we use vanilla Bugzilla scripts but heavily changed templates which seem to cause index.cgi?GoAheadAndLogIn=1 to not work for us. I'll look what exactly causes this behavior, but in the end it would be really nice in any case to just have query.cgi?GoAheadAndLogIn=1 work as expected (ie. let the user return to the page where he started his login procedure). But first thanks for picking up this old issue that quickly, I really appreciated it. =)
Simply using index.cgi as the login page won't work unless you make the code change (also included in this patch) in Bugzilla.bm for 2.17.4. If you are trying to use an earlier version (eg, before the Auth module patch), a different code change would be required. I'm not sure what that change would be exactly w/out looking at it, but it would involve a modification to the quietly_check_login() routine. Without that change, only a select few CGI's are capable of processing a login.
I like the idea of checking the method used, and if it was the result of a POST, link to index.cgi instead of the current page. That sounds like a decent workaround for the POST problems.
Flags: approval?
dave: There are issues, though, with that. I can't think of any off hand, mind you logins would be, because they can turn a GET into a POST, but thats not an issue here. Although, what would happen if you logged in, gave an incorrect username/password, and then clicked on the login link? We'd have to make that one generic to index.cgi, I guess, but that coul dlead to surprising results. We'd also need the check I mentioned in (a). The other issue, however, is that for utf8 forms, we need POST. Will that affect stuff? What about utf8 aliases? that fact that we have to login to make any changes, and so this link then won't show, does make this easier. (although what if you try to login to relogin.cgi?). I'm just not convinced that its always safe, and won't lead to 'stuff' happening more than once.
Attached patch More complex hack v2 (obsolete) — Splinter Review
The login with incorrect password problem is quite interesting, but this patch doesn't address it at all. I think my prefered behavior would be to include the login form again on that page instead of just an error. This patch also doesn't address the utf8 issues and I'm not even certain if I understand them. Is it that any form w/an item that uses utf8 characters in it's name has to be POSTed or any form that submits utf8 information? The relogin.cgi was also interesting... if you visit relogin.cgi?GoAheadAndLogIn=1 (w/the code part of this patch applied) it will prompt you for your username and password. As soon as you supply them, it will tell you that you were logged out :) I'm not sure that this is the right method, but here's the patch anyway :)
Attachment #121978 - Attachment is obsolete: true
Attachment #122146 - Flags: review?(justdave)
Comment on attachment 122146 [details] [diff] [review] More complex hack v2 The issue is that if you have a login which fails, then that form var will be present in the cgi variables. So when you go to log in, the script will see the login info already there, try to authenticate, and fail. Now, that doesn't happen because login requests are POST. I know that userprefs has those form vars to deal with authentication too. Thats POST as well, though. Is there anywhere which does that as a GET? Theres nothing stopping someone from just typing that into the URL field of their browser. I'd feel safer if you stripped out Bugzilla_login and Bugzilla_password first. You can use canonicalise_query (from Bugzilla::CGI) to arrange that.
I may be missing something obvious, but why not have the login page look at the Referrer: header? It could stuff in in a hidden field, and do a 302 redirect on a successful login. If it fails, just keep the hidden field.
Hello friends, Any way to put this patch on version 2.16.3? The query page after login is too complex for my users. Thanks in advance.
taking... Jake's Army Reserve unit has been deployed.
Assignee: jake → justdave
Status: ASSIGNED → NEW
All 2.18 bugs that haven't been touched in over 60 days and aren't flagged as blockers are getting pushed out to 2.20
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
Attached patch Partial Hack - Updated to tip (obsolete) — Splinter Review
I kinda dropped the ball on this one, but here's the aforementioned "Partial Hack" from attachment 121977 [details] [diff] [review] updated for the new Bugzilla::Auth::Login::WWW stuff. This also puts the login form on the index page instead of just having a link to it.
Assignee: justdave → jake
Attachment #121977 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #168612 - Flags: review?
Blocks: 276565
Morphing this bug entirely so that it matches the patch in attachment 168612 [details] [diff] [review]. Also requesting that this make it into 2.20. Filed new bug #276565 to address the more complex hack.
Flags: blocking2.20?
Summary: "Log In" in footer should return to same page after logging in. → Any page should be able to have ?GoAheadAndLogIn=1 in the URL to force a login.
Attachment #122146 - Attachment is obsolete: true
Attachment #122146 - Flags: review?(justdave)
Blocks: 165075
Flags: blocking2.20? → blocking2.20+
Any chance we can change the parameter name to something that sucks a little less, like "login" perhaps? We can keep "GoAheadAndLogIn" as a special case which works on query.cgi... Gerv
Gerv, that is a little out of the scope of this bug... this is really about making any page a potential login page, but if a paramater name was agreed up by all, it could probably be done here (keeping GoAheadAndLogIn as an alias)... Though it is about 20 lines worth of code changes touching numerous additional files.
I'll take this for 2.20 branch, but it's not blocking release.
Flags: blocking2.20+ → blocking2.20-
Comment on attachment 168612 [details] [diff] [review] Partial Hack - Updated to tip r=joel if you skip the index.cgi change and leave out the login-small file (filter violation)
Attachment #168612 - Flags: review? → review+
I'm pulling the part of the patch that puts the login box on the index page out of this patch. I'll attach it to bug 165075 so the UI can be debated seperate from this bug.
Attachment #168612 - Attachment is obsolete: true
Attachment #177248 - Flags: review?
Comment on attachment 177248 [details] [diff] [review] Partial Hack - No login box r=joel
Attachment #177248 - Flags: review? → review+
Flags: approval?
Flags: approval? → approval+
Checking in Bugzilla/Auth/Login/WWW.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Auth/Login/WWW.pm,v <-- WWW.pm new revision: 1.6; previous revision: 1.5 done Checking in template/en/default/index.html.tmpl; /cvsroot/mozilla/webtools/bugzilla/template/en/default/index.html.tmpl,v <-- index.html.tmpl new revision: 1.20; previous revision: 1.19 done Checking in template/en/default/sidebar.xul.tmpl; /cvsroot/mozilla/webtools/bugzilla/template/en/default/sidebar.xul.tmpl,v <-- sidebar.xul.tmpl new revision: 1.16; previous revision: 1.15 done Checking in template/en/default/account/created.html.tmpl; /cvsroot/mozilla/webtools/bugzilla/template/en/default/account/created.html.tmpl,v <-- created.html.tmpl new revision: 1.6; previous revision: 1.5 done Checking in template/en/default/global/messages.html.tmpl; /cvsroot/mozilla/webtools/bugzilla/template/en/default/global/messages.html.tmpl,v <-- messages.html.tmpl new revision: 1.26; previous revision: 1.25 done Checking in template/en/default/global/useful-links.html.tmpl; /cvsroot/mozilla/webtools/bugzilla/template/en/default/global/useful-links.html.tmpl,v <-- useful-links.html.tmpl new revision: 1.36; previous revision: 1.35 done
Status: ASSIGNED → RESOLVED
Closed: 24 years ago20 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: