MantisBT

View Issue Details
ID: 0010930
Project: mantisbt
Category: signup
View Status: public
Date Submitted: 2009-09-12 20:19
Last Update: 2010-04-23 23:22
Reporter: jreese
Assigned To: jreese
Priority: urgent
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 1.2.0rc2
Target Version: 1.2.0rc2
Fixed in Version: 1.2.0rc2
Summary: 0010930: User verification results in redirection loop
Description: User verification was logging out the user, and then calling auth_api functions that implicitly logged in the anonymous user, resulting in an endless redirection loop. By adding a parameter to the appropriate auth_api function, the verification page can specify that the anonymous user should not be implicitly logged in.
Tags: No tags attached.
Attached Files:

- Relationships
has duplicate 0011292 (closed, jreese): Not able to create new account in MantisBT own tracker
related to 0010926 (closed, dhx): Login problems, logging crashes httpd.exe
related to 0011031 (closed, jreese): Can not view changelog page without login as user

-  Notes
(0022908)
jreese (administrator)
2009-09-12 20:32

Fix committed to 1.2.x and master branches.

(0023832)
dhx (developer)
2009-12-01 05:48

Are you able to explain a step-by-step process for replicating this bug? I have reverted this patch (locally) to fix 0011031 and haven't noticed any side effects with respect to endless login loops.

(0023843)
jreese (administrator)
2009-12-03 09:27
edited on: 2009-12-03 09:28

This is required when an already-logged-in user (including an anonymous user) is visiting the signup verification url, and I think other places as well. I'll simply take the original fix a bit further to resolve both issues.

(0023880)
j-b-m2 (reporter)
2009-12-08 03:32

Hi! I am currently running mantis from git master 1.2.x and this issue reappeared when opening the url to complete a registration (cyclic link found...).

The recent fix for bug 0011031 made this issue appear again, and user sign up is now impossible!

(0023881)
jreese (administrator)
2009-12-08 08:05

On what page are you getting the redirect loop? The fix for 11031 should not have regressed this issue.

(0023883)
j-b-m (reporter)
2009-12-08 09:02
edited on: 2009-12-08 09:04

This happens when trying to open the link in the email sent after completing the signup page.

The email says:
------------------------------------
Thank you for registering. You have an account with username "jb_test". In order
to complete your registration, visit the following URL (make sure it is entered
as the single line) and set your own access password:

http://www.kdenlive.org/mantis/verify.php?id=684&confirm_hash=20aa1e6db59eb06cf24a1be193f959c3

If you did not request any registration, ignore this message and nothing will
happen.
------------------------------------------

If I click on the link, I get the cyclic link error.
If I revert the last change in core/authentication.api and try again, I can open the link without problem...

Edit: I removed the test user, so the link above won't work, but you get the idea...

(0023929)
jreese (administrator)
2009-12-17 16:30

This regression has been fixed in 1.2.x and master branches.

- Related Changesets
MantisBT: master-1.2.x aa34cdfd
Timestamp: 2009-09-13 00:13:59
Author: jreese
Fix 0010930: Fix verification redirect loop

User verification was logging out the user, and then calling auth_api
functions that implicitly logged in the anonymous user, resulting in an
endless redirection loop. By adding a parameter to the appropriate
auth_api function, the verification page can specify that the anonymous
user should not be implicitly logged in.
mod - core/authentication_api.php

MantisBT: master 0abe9b45
Timestamp: 2009-09-13 00:13:59
Author: jreese
Fix 0010930: Fix verification redirect loop

User verification was logging out the user, and then calling auth_api
functions that implicitly logged in the anonymous user, resulting in an
endless redirection loop. By adding a parameter to the appropriate
auth_api function, the verification page can specify that the anonymous
user should not be implicitly logged in.
mod - core/authentication_api.php

MantisBT: master-1.2.x 0085bcd7
Timestamp: 2009-12-03 14:33:19
Author: jreese
Fix 0011031, 10930: fix anonymous user auto-login

The original issue with 10930 was that user verification, when checking
to see if a user was logged in, would trigger automatic login of the
anonymous user account, which would lead to a redirect loop, where each
page load would auto-login the anonymous user and immediately log them
out and redirect.

The original fix for this disabled auto-login of the anonymous user
account when calling auth_is_user_authenticated(), which broke
expectations of much of the codebase. By re-enabling auto-login, but
offering optional bypass of this process, it fixes both issues.

Any page expecting to correctly work with unauthenticated users will
need to pass a False parameter to the function to bypass automatic
anonymous login.
mod - verify.php
mod - core/authentication_api.php

MantisBT: master aa042ae6
Timestamp: 2009-12-03 14:33:19
Author: jreese
Fix 0011031, 10930: fix anonymous user auto-login

The original issue with 10930 was that user verification, when checking
to see if a user was logged in, would trigger automatic login of the
anonymous user account, which would lead to a redirect loop, where each
page load would auto-login the anonymous user and immediately log them
out and redirect.

The original fix for this disabled auto-login of the anonymous user
account when calling auth_is_user_authenticated(), which broke
expectations of much of the codebase. By re-enabling auto-login, but
offering optional bypass of this process, it fixes both issues.

Any page expecting to correctly work with unauthenticated users will
need to pass a False parameter to the function to bypass automatic
anonymous login.
mod - verify.php
mod - core/authentication_api.php

MantisBT: master-1.2.x 4dab8016
Timestamp: 2009-12-17 21:17:19
Author: jreese
Fix regression of issue 0010930 in commit 0085bcd7

The initial fixes for 0010930 and issue 0011031 did not take into account
the usage of auth_is_user_authenticated() in multiple locations during
the core bootstrap routines. By defining and looking for a global flag,
rather than an argument to the function, we fix both the problems and
the regression.
mod - core/authentication_api.php
mod - core.php
mod - verify.php

MantisBT: master 429448ee
Timestamp: 2009-12-17 21:17:19
Author: jreese
Fix regression of issue 0010930 in commit 0085bcd7

The initial fixes for 0010930 and issue 0011031 did not take into account
the usage of auth_is_user_authenticated() in multiple locations during
the core bootstrap routines. By defining and looking for a global flag,
rather than an argument to the function, we fix both the problems and
the regression.
mod - core.php
mod - core/authentication_api.php
mod - verify.php
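
The three designs described in the changesets above, as a simplified Python model added here for illustration (it is not MantisBT code). Only auth_is_user_authenticated() is a name from this page; the session dict, the design labels, the redirect cap, and the assumption that the global flag is set before the bootstrap runs are constructed for the example.

```python
# Simplified model of the verify-page redirect loop (constructed; not MantisBT code).
ANONYMOUS = "anonymous"   # stand-in for the configured anonymous account
MAX_REDIRECTS = 10        # stand-in for the browser's redirect limit


def auth_is_user_authenticated(session, auto_anonymous=True):
    """Report login state; as a side effect may log in the anonymous account."""
    if session["user"] is None and auto_anonymous:
        session["user"] = ANONYMOUS
    return session["user"] is not None


def handle_verify(session, design):
    """Model one request to the verification page: 'redirect' or 'form'."""
    # "global_flag": the page disables anonymous auto-login before bootstrap
    # (assumed ordering), so every later check honours it.
    allow_anon = design != "global_flag"
    # Bootstrap checks authentication with its defaults, not the page's argument.
    auth_is_user_authenticated(session, auto_anonymous=allow_anon)
    # The page's own check: only "implicit" still auto-logs-in here;
    # "parameter" passes False, "global_flag" is already disabled.
    page_auto = design == "implicit"
    if auth_is_user_authenticated(session, auto_anonymous=page_auto):
        session["user"] = None   # log out whoever is logged in
        return "redirect"        # and send the browser back to the same URL
    return "form"                # unauthenticated: show the set-password form


def follow(design, initial_user=None):
    """Follow redirects like a browser; return (outcome, requests made)."""
    session = {"user": initial_user}
    for n in range(1, MAX_REDIRECTS + 1):
        if handle_verify(session, design) == "form":
            return "form", n
    return "loop", MAX_REDIRECTS


if __name__ == "__main__":
    for design in ("implicit", "parameter", "global_flag"):
        print(design, follow(design), follow(design, initial_user="alice"))
```

In this model the per-call parameter cannot help once an earlier default call in the same request has already logged in the anonymous account, which is the regression the last changeset describes.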

- Issue History
Date Modified Username Field Change
2009-09-12 20:19 jreese New Issue
2009-09-12 20:30 jreese Resolution open => fixed
2009-09-12 20:30 jreese Fixed in Version => 1.3.x
2009-09-12 20:30 jreese Changeset attached master-1.2.x aa34cdfd =>
2009-09-12 20:30 jreese Changeset attached master 0abe9b45 =>
2009-09-12 20:32 jreese Note Added: 0022908
2009-09-12 20:32 jreese Status assigned => resolved
2009-09-12 20:32 jreese Fixed in Version 1.3.x => 1.2.2
2009-10-07 14:19 jreese Status resolved => closed
2009-10-19 11:22 vboctor Relationship added related to 0010926
2009-12-01 05:16 dhx Relationship added related to 0011031
2009-12-01 05:48 dhx Note Added: 0023832
2009-12-01 05:48 dhx Status closed => feedback
2009-12-01 05:48 dhx Resolution fixed => reopened
2009-12-03 09:27 jreese Note Added: 0023843
2009-12-03 09:27 jreese Status feedback => assigned
2009-12-03 09:28 jreese Note Edited: 0023843
2009-12-03 09:40 jreese Status assigned => resolved
2009-12-03 09:40 jreese Resolution reopened => fixed
2009-12-03 09:40 jreese Changeset attached master-1.2.x 0085bcd7 =>
2009-12-03 09:40 jreese Changeset attached master aa042ae6 =>
2009-12-08 03:32 j-b-m2 Note Added: 0023880
2009-12-08 08:05 jreese Note Added: 0023881
2009-12-08 09:02 j-b-m Note Added: 0023883
2009-12-08 09:03 j-b-m Note Edited: 0023883
2009-12-08 09:04 j-b-m Note Edited: 0023883
2009-12-17 16:30 jreese Changeset attached master-1.2.x 4dab8016 =>
2009-12-17 16:30 jreese Changeset attached master 429448ee =>
2009-12-17 16:30 jreese Note Added: 0023929
2009-12-17 16:33 jreese Relationship added has duplicate 0011292
2010-04-23 23:22 dhx Status resolved => closed

