Modify

Opened 4 years ago

Closed 3 years ago

#8718 closed defect (invalid)

Logout when clicking on report

Reported by: anonymous Owned by: hasienda
Priority: normal Component: AccountManagerPlugin
Severity: critical Keywords: non-persistent session
Cc: Trac Release: 0.12

Description

When clicking on "View tickets" I am getting logged out, when I click on another menu, I am logged in again. Other menus, like roadmap, wiki, etc. are working fine.

An error is shown, that I haven't suffiecient rights (REPORT_VIEW), but the user have REPORT_ADMIN!

I activated the LoginModule, but disabled RegistrationModule and EmailVerificationModule.

Systeminformationen Trac 0.12.2 Babel 0.9.6 Genshi 0.6 mod_wsgi 2.8 (WSGIProcessGroup WSGIApplicationGroup %{GLOBAL}) psycopg2 2.0.13 Python 2.6.5 (r265:79063, Apr 16 2010, 14:15:55) [GCC 4.4.3] setuptools 0.6c11 Subversion 1.6.6 (r40053) jQuery: 1.4.2

Attachments (0)

Change History (5)

comment:1 in reply to: ↑ description ; follow-up: Changed 4 years ago by hasienda

  • Keywords non-persistent session added

Replying to anonymous:

When clicking on "View tickets" I am getting logged out,

You can customize these mainnav item to point to arbitrary targets. Look into your trac.iniand tell me the exact (relative) Trac link that is called, please.

when I click on another menu, I am logged in again. Other menus, like roadmap, wiki, etc. are working fine.

So you've never been logged out in the first place. Still this is an permission (cache) inconsistency, but how comes that you think AccountManagerPlugin is the root cause?

An error is shown, that I haven't suffiecient rights (REPORT_VIEW), but the user have REPORT_ADMIN!

Well, that's just the PermissionSystem feedback. As questions before, it depends on the exact target in your environment (is it really '/report' ?) and if possibly some other stuff is tampering with the req.perm object.

comment:2 in reply to: ↑ 1 Changed 4 years ago by anonymous

Replying to hasienda:

You can customize these mainnav item to point to arbitrary targets. Look into your trac.iniand tell me the exact (relative) Trac link that is called, please.

the link is: report the mainnav and metanav entries in trac.ini are as following:

mainnav 	wiki,timeline,roadmap,browser,tickets,newticket
metanav 	login,logout,prefs,help,search,about

So you've never been logged out in the first place. Still this is an permission (cache) inconsistency, but how comes that you think AccountManagerPlugin is the root cause?

When setting setting apache2-authentication as described in Trac 0.12-wiki under TracCgi#AddingAuthentication it works fine:

<Location "/trac/login">
  AuthType Basic
  AuthName "Trac"
  AuthUserFile /somewhere/trac.htpasswd
  Require valid-user
</Location>

Well, that's just the PermissionSystem feedback. As questions before, it depends on the exact target in your environment (is it really '/report' ?) and if possibly some other stuff is tampering with the req.perm object.

I have some other self-made plugins at this instance of trac, but none of them are scoping with report-view and they just doing the usual checks with req.perm:

if 'TICKET_MODIFY' in req.perm(tkt.resource):
[...]
if ticket and ticket.exists and \
                    'TICKET_CREATE' in req.perm(ticket.resource):
[...]
if req.perm.has_permission('TRAC_ADMIN') or req.perm.has_permission("CONTROLLER_ADMIN"):
[...]

Just for clarity, how you can reproduce the error (at least at my installation): pre-requires (just to be sure, no flaws are left from some older sessions):

delete from session;
delete from session_attribute;
  1. login via HTML form
  2. click on "View tickets" (links to $PROJECT_ENV/report) or "Browse Source" (links to $PROJECT_ENV/browser)
  3. logout (correct error will be shown, because anonymous has no rights for this view)
  4. login with same user via HTML form
  5. Same error as with user anonymous will occur at views (links to $PROJECT_ENV/report) or "Browse Source" (links to $PROJECT_ENV/browser) and no user is displayed in metanav !!! The user can never view the view again at which he logged out previously (can be more than one!)

user have following right:

LOGIN_USER devel
devel REPORT_ADMIN
devel project # project is another group with rights as TICKET_CREATE and such
authenticated REPORT_VIEW

comment:3 Changed 4 years ago by anonymous

forgot to say that I am using version 0.3dev-r9929 of TracAccountManager

comment:4 Changed 4 years ago by framay

might be a bug in Trac itself, see http://trac.edgewall.org/ticket/10148

comment:5 Changed 3 years ago by hasienda

  • Resolution set to invalid
  • Status changed from new to closed

So it turned out to be no real logout, just a 'ghost' invalid page from a cache, so it's not a plugin issue as well.

rblank at Trac ticket #10148:

Ok, definitely a caching issue at the proxy, then. Nothing we can do in Trac, I'm afraid, except if setting some headers differently would improve the situation (and no, removing caching altogether is not an option).

Sorry, seems like we can't really do something good regarding the insane action with caching involved.

Add Comment

Modify Ticket

Action
as closed The owner will remain hasienda.
The resolution will be deleted. Next status will be 'reopened'.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.