View Issue Details

ID: 0011031
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2010-02-22 14:34
Reporter: hubdog
Assigned To: jreese
Priority: urgent
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0rc2
Target Version: 1.2.0
Fixed in Version: 1.2.0
Summary: 0011031: Can not view changelog page without login as user
Description

I just upgraded my mantis system to 1.2rc2. After I upgraded to the new version, my changelog page (http://xxx.com/changelog_page.php?project_id=5) cannot be viewed by a visitor without logging in as a user.

When I click the changelog page URL, mantis always redirects me to the login page (http://xxx.com/login_page.php?return=changelog_page.php%3Fproject_id%3D5), which was not observed in the previous 1.2 rc1.

I checked the Permissions Report and found that the View Change Log permission is set to viewer as before. Because I am not familiar with PHP, would you please tell me what is wrong?

best regards

Tags: No tags attached.

Relationships

related to 0010930 (closed, jreese): User verification results in redirection loop
has duplicate 0011058 (closed, dhx): Issue links redirect to login form if user is not logged in even if anonymous login is enabled

Activities

hubdog

2009-10-12 21:13

reporter   ~0023158

By the way, anonymous login is already enabled, which is OK in the previous version but not OK in rc2.

vboctor

2009-10-18 14:17

manager   ~0023230

I've tested it on this bug tracker and confirmed the behavior. The change log shows: "No Change Log information available".

jreese

2009-10-18 15:52

reporter   ~0023231

<pre>jreese@kepler[~/workspace/mantisbt] git bisect good
aa34cdfd0ff53fd8eb1247025cf3b1a7bb86d89d is first bad commit
commit aa34cdfd0ff53fd8eb1247025cf3b1a7bb86d89d
Author: John Reese <jreese@leetcode.net>
Date: Sat Sep 12 20:13:59 2009 -0400

Fix 0010930: Fix verification redirect loop

User verification was logging out the user, and then calling auth_api
functions that implicitly logged in the anonymous user, resulting in an
endless redirection loop.  By adding a parameter to the appropriate
auth_api function, the verification page can specify that the anonymous
user should not be implicitly logged in.

:040000 040000 0832500f52409821b04b2b9264feac35b767314d 622121dd85df3564399c3041d5fc4a3feb9beada M core
</pre>

vboctor

2009-11-12 08:26

manager   ~0023688

@jreese, did you get a chance to look at this? This is one of the bad bugs that we need to fix before the next release drop. Also would be nice to update this bug tracker once it is fixed.

dhx

2009-11-23 07:47

reporter   ~0023787

I've had a look at authentication_api to see if I could work out what was going wrong. However, it's not the most trivial thing to understand. Which developer(s) wrote and/or understand this part of the MantisBT codebase?

dhx

2009-11-26 07:04

reporter   ~0023808

Bumping priority and severity as this is a big problem for trackers that are open to anonymous users.

jreese

2009-12-03 09:41

reporter   ~0023844

Fix committed to 1.2.x and master branches.

Related Changesets

MantisBT: master-1.2.x 0085bcd7

2009-12-03 09:33

jreese


Fix 0011031, 10930: fix anonymous user auto-login

The original issue with 10930 was that user verification, when checking
to see if a user was logged in, would trigger automatic login of the
anonymous user account, which would lead to a redirect loop, where each
page load would auto-login the anonymous user and immediately log them
out and redirect.

The original fix for this disabled auto-login of the anonymous user
account when calling auth_is_user_authenticated(), which broke
expectations of much of the codebase. By re-enabling auto-login, but
offering optional bypass of this process, it fixes both issues.

Any page expecting to correctly work with unauthenticated users will
need to pass a False parameter to the function to bypass automatic
anonymous login.

Affected Issues: 0010930, 0011031
mod - verify.php
mod - core/authentication_api.php

MantisBT: master aa042ae6

2009-12-03 09:33

jreese


Fix 0011031, 10930: fix anonymous user auto-login

The original issue with 10930 was that user verification, when checking
to see if a user was logged in, would trigger automatic login of the
anonymous user account, which would lead to a redirect loop, where each
page load would auto-login the anonymous user and immediately log them
out and redirect.

The original fix for this disabled auto-login of the anonymous user
account when calling auth_is_user_authenticated(), which broke
expectations of much of the codebase. By re-enabling auto-login, but
offering optional bypass of this process, it fixes both issues.

Any page expecting to correctly work with unauthenticated users will
need to pass a False parameter to the function to bypass automatic
anonymous login.

Affected Issues: 0010930, 0011031
mod - verify.php
mod - core/authentication_api.php

MantisBT: master-1.2.x 4dab8016

2009-12-17 16:17

jreese


Fix regression of issue 0010930 in commit 0085bcd7

The initial fixes for 0010930 and issue 0011031 did not take into account
the usage of auth_is_user_authenticated() in multiple locations during
the core bootstrap routines. By defining and looking for a global flag,
rather than an argument to the function, we fix both the problems and
the regression.

Affected Issues: 0010930, 0011031
mod - core/authentication_api.php
mod - core.php
mod - verify.php

MantisBT: master 429448ee

2009-12-17 16:17

jreese


Fix regression of issue 0010930 in commit 0085bcd7

The initial fixes for 0010930 and issue 0011031 did not take into account
the usage of auth_is_user_authenticated() in multiple locations during
the core bootstrap routines. By defining and looking for a global flag,
rather than an argument to the function, we fix both the problems and
the regression.

Affected Issues: 0010930, 0011031
mod - core.php
mod - core/authentication_api.php
mod - verify.php
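
The sequence of fixes described in the changesets above, as an added example that is not MantisBT code: a simplified PHP 8 model in which bootstrap code and the page each call an authentication check for a visitor with no login. The function names, the `$mode` switch and the `$g_skip_anonymous` flag are hypothetical; the 'never' mode follows the later commit message's description of the first fix.

```php
<?php
// Simplified model, not MantisBT source. The session array, the $mode
// switch and the $g_skip_anonymous flag name are hypothetical.
$g_skip_anonymous = false;

// Modes follow the changesets on this page:
//   'always' implicit anonymous login on every check (original behaviour)
//   'never'  implicit login removed from the check (first fix, broke 0011031)
//   'param'  implicit login unless the caller passes false (0085bcd7)
//   'flag'   implicit login unless a global flag is set (4dab8016)
function is_authenticated(array &$session, string $mode, bool $login_anonymous = true): bool {
    global $g_skip_anonymous;
    if ($session['user'] !== null) {
        return true;
    }
    $implicit = match ($mode) {
        'always' => true,
        'never'  => false,
        'param'  => $login_anonymous,
        'flag'   => !$g_skip_anonymous,
    };
    if ($implicit) {
        $session['user'] = 'anonymous';     // side effect: the check logs someone in
    }
    return $implicit;
}

// One request: bootstrap code checks authentication with default arguments
// before the page's own check runs. $opts_out marks a page like verify.php.
function handle_request(string $mode, bool $opts_out): ?string {
    global $g_skip_anonymous;
    $session = ['user' => null];            // visitor arrives without a login
    $g_skip_anonymous = $opts_out;          // set before bootstrap ('flag' mode)
    is_authenticated($session, $mode);      // call made during bootstrap
    is_authenticated($session, $mode, !$opts_out); // the page's own call
    return $session['user'];                // who the page ends up seeing
}

foreach (['always', 'never', 'param', 'flag'] as $mode) {
    $changelog = handle_request($mode, false) ?? 'nobody: redirect to login_page.php';
    $verify    = handle_request($mode, true)  ?? 'nobody: verification proceeds';
    echo "$mode\n  changelog_page.php sees $changelog\n  verify.php sees $verify\n";
}
```

In 'param' mode the bootstrap call logs in the anonymous account before the page's own call can opt out, which models the regression the global flag addresses.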