Vote #78539 (Closed)

Don't redirect anonymous users to the login form for disabled modules

Added by Admin Redmine over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Permissions and roles_17
Target version:
Start date: 2022/05/09
Due date:
% Done: 0%
Estimated time:
category_id: 17
version_id: 99
issue_org_id: 26145
author_id: 71057
assigned_to_id: 1
comments: 3
status_id: 5
tracker_id: 1
plus1: 0
affected_version:
closed_on:
affected_version_id: 84
Status --> [Closed]

Description

The use case is that a project enables a module (the Files module is the one we encountered) but later turns it off. If there are stray links to that URL, these generate a 403 error, which for anonymous users redirects to the login/registration page.

In our case, we had projects that served files publicly, then moved these to another location and turned off the Files module. The result is we now get a lot of spurious registration requests from users who are trying to download these files, because to the user it looks like the site is asking them to register before they can access the files.

I was able to address our immediate problem by patching ApplicationController.authorize to check whether the request is associated with a disabled project module, and redirect to the main project page in that case. I'm not sure how correct this code is (I don't know the Redmine internals all that well) and I know that this doesn't work for some modules (e.g. Issues) which apparently operate through some other method. So this code is just for illustration, I guess.


    def authorize_with_custom(ctrl = params[:controller], action = params[:action], global = false)
      allowed = User.current.allowed_to?({:controller => ctrl, :action => action}, @project || @projects, :global => global)
      if allowed
        true
      else
        if @project
          logger.debug 'Handling auth error for ' + ctrl + '/' + action

          # Figure out whether the permission for this path is handled by a module
          project_module = Redmine::AccessControl.permissions.select {|p| p.actions.include?(ctrl + '/' + action)}.first.try(:project_module)
          logger.debug 'Permission module is ' + project_module.to_s

          # If it is a module, and the module isn't enabled in this project, try to redirect to the main project page
          if project_module && !@project.module_enabled?(project_module)
            can_view_project = User.current.allowed_to?({:controller => :projects, :action => :show}, @project)
            logger.debug 'Can the user view the main project page? ' + can_view_project.to_s
            if can_view_project
              redirect_to project_path(@project)
              return false
            end
          end
        end
        if @project && @project.archived?
          render_403 :message => :notice_not_authorized_archived_project
        else
          deny_access
        end
      end
    end
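The security-relevant point of this issue is the order of the authorization checks: a request for a resource that no longer exists for anyone (a disabled module) must get a plain 403, while a request that only fails because the visitor is anonymous may legitimately be redirected to the login form. The following standalone Ruby model is an added example, not Redmine's code or the reporter's patch; the `Permission`, `Project` and `User` structs and the `authorize` function are hypothetical stand-ins for the Redmine classes and `ApplicationController#authorize`, with constructed sample data. The `fixed:` flag switches between the pre-fix behaviour described in the report and the behaviour the closing comment describes.

```ruby
# Standalone model of the authorization decision discussed in this issue.
# Added example; not Redmine's code. Permission/Project/User are hypothetical
# stand-ins for the Redmine classes they mimic.

# A permission covers controller/action pairs and, optionally, requires a
# project module to be enabled before the resource exists at all.
Permission = Struct.new(:name, :actions, :project_module)

# Constructed permission table modelled on Redmine's layout.
PERMISSIONS = [
  Permission.new(:view_files,   ['files/index', 'files/show'],   :files),
  Permission.new(:view_project, ['projects/show'],               nil),
  Permission.new(:view_issues,  ['issues/index', 'issues/show'], :issue_tracking)
].freeze

Project = Struct.new(:identifier, :enabled_modules, :public_permissions) do
  def module_enabled?(mod)
    enabled_modules.include?(mod)
  end
end

User = Struct.new(:login, :permissions) do
  def anonymous?
    login.nil?
  end

  # Anonymous visitors get the project's public permissions; members their own.
  def allowed_to?(permission, project)
    perms = anonymous? ? project.public_permissions : permissions
    perms.include?(permission.name)
  end
end

# Returns one of :ok, :forbidden, :redirect_to_login, :not_found.
# fixed: false reproduces the pre-fix behaviour (anonymous users redirected
# to login even for disabled modules); fixed: true the corrected behaviour.
def authorize(user, project, path, fixed: true)
  permission = PERMISSIONS.find { |p| p.actions.include?(path) }
  return :not_found if permission.nil?

  mod = permission.project_module
  if mod && !project.module_enabled?(mod)
    # The resource is unavailable to everyone in this project, so logging in
    # cannot help; a login prompt would only mislead the visitor.
    return :forbidden if fixed || !user.anonymous?
    return :redirect_to_login
  end

  return :ok if user.allowed_to?(permission, project)

  # Ordinary "not authorized": an anonymous visitor might gain access by
  # logging in, so a redirect is appropriate here; members get a plain 403.
  user.anonymous? ? :redirect_to_login : :forbidden
end

# Constructed sample project: Files module turned off, issue tracking on,
# project overview readable by the public.
def demo_project
  Project.new('demo', [:issue_tracking], [:view_project])
end

def demo_anonymous
  User.new(nil, [])
end

def demo_member
  User.new('alice', [:view_project, :view_issues, :view_files])
end

if __FILE__ == $PROGRAM_NAME
  project = demo_project
  [[demo_anonymous, 'files/index', false],
   [demo_anonymous, 'files/index', true],
   [demo_member,    'files/index', true],
   [demo_anonymous, 'issues/index', true],
   [demo_anonymous, 'projects/show', true]].each do |user, path, fixed|
    who = user.anonymous? ? 'anonymous' : user.login
    puts "#{who} -> #{path} (fixed=#{fixed}): #{authorize(user, project, path, fixed: fixed)}"
  end
end
```

Running the block prints the decision for each constructed request; the stray link to `files/index` yields `redirect_to_login` for an anonymous visitor under the old behaviour and `forbidden` under the corrected one, while an anonymous request for a non-public but enabled module still redirects to login, which is the case the fix must not break.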

Journals

Fixed in r16726, they now get a 403 error without being redirected to the login form.

Updated by Admin Redmine over 3 years ago

  • Category set to Permissions and roles_17
  • Target version set to 4.0.0_99
