Opened 14 years ago
Closed 14 years ago
#8718 closed defect (invalid)
Logout when clicking on report
Reported by: | anonymous | Owned by: | Steffen Hoffmann |
---|---|---|---|
Priority: | normal | Component: | AccountManagerPlugin |
Severity: | critical | Keywords: | non-persistent session |
Cc: | Trac Release: | 0.12 |
Description
When clicking on "View tickets" I am getting logged out, when I click on another menu, I am logged in again. Other menus, like roadmap, wiki, etc. are working fine.
An error is shown, that I haven't suffiecient rights (REPORT_VIEW), but the user have REPORT_ADMIN!
I activated the LoginModule, but disabled RegistrationModule and EmailVerificationModule.
Systeminformationen Trac 0.12.2 Babel 0.9.6 Genshi 0.6 mod_wsgi 2.8 (WSGIProcessGroup WSGIApplicationGroup %{GLOBAL}) psycopg2 2.0.13 Python 2.6.5 (r265:79063, Apr 16 2010, 14:15:55) [GCC 4.4.3] setuptools 0.6c11 Subversion 1.6.6 (r40053) jQuery: 1.4.2
Attachments (0)
Change History (5)
comment:1 follow-up: 2 Changed 14 years ago by
Keywords: | non-persistent session added |
---|
comment:2 Changed 14 years ago by
Replying to hasienda:
You can customize these mainnav item to point to arbitrary targets. Look into your
trac.ini
and tell me the exact (relative) Trac link that is called, please.
the link is: report
the mainnav and metanav entries in trac.ini
are as following:
mainnav wiki,timeline,roadmap,browser,tickets,newticket metanav login,logout,prefs,help,search,about
So you've never been logged out in the first place. Still this is an permission (cache) inconsistency, but how comes that you think AccountManagerPlugin is the root cause?
When setting setting apache2-authentication as described in Trac 0.12-wiki under TracCgi#AddingAuthentication it works fine:
<Location "/trac/login"> AuthType Basic AuthName "Trac" AuthUserFile /somewhere/trac.htpasswd Require valid-user </Location>
Well, that's just the PermissionSystem feedback. As questions before, it depends on the exact target in your environment (is it really '/report' ?) and if possibly some other stuff is tampering with the
req.perm
object.
I have some other self-made plugins at this instance of trac, but none of them are scoping with report-view and they just doing the usual checks with req.perm:
if 'TICKET_MODIFY' in req.perm(tkt.resource): [...] if ticket and ticket.exists and \ 'TICKET_CREATE' in req.perm(ticket.resource): [...] if req.perm.has_permission('TRAC_ADMIN') or req.perm.has_permission("CONTROLLER_ADMIN"): [...]
Just for clarity, how you can reproduce the error (at least at my installation): pre-requires (just to be sure, no flaws are left from some older sessions):
delete from session; delete from session_attribute;
- login via HTML form
- click on "View tickets" (links to $PROJECT_ENV/report) or "Browse Source" (links to $PROJECT_ENV/browser)
- logout (correct error will be shown, because anonymous has no rights for this view)
- login with same user via HTML form
- Same error as with user anonymous will occur at views (links to $PROJECT_ENV/report) or "Browse Source" (links to $PROJECT_ENV/browser) and no user is displayed in metanav !!! The user can never view the view again at which he logged out previously (can be more than one!)
user have following right:
LOGIN_USER devel devel REPORT_ADMIN devel project # project is another group with rights as TICKET_CREATE and such authenticated REPORT_VIEW
comment:3 Changed 14 years ago by
forgot to say that I am using version 0.3dev-r9929 of TracAccountManager
comment:4 Changed 14 years ago by
might be a bug in Trac itself, see http://trac.edgewall.org/ticket/10148
comment:5 Changed 14 years ago by
Resolution: | → invalid |
---|---|
Status: | new → closed |
So it turned out to be no real logout, just a 'ghost' invalid page from a cache, so it's not a plugin issue as well.
rblank at Trac ticket #10148:
Ok, definitely a caching issue at the proxy, then. Nothing we can do in Trac, I'm afraid, except if setting some headers differently would improve the situation (and no, removing caching altogether is not an option).
Sorry, seems like we can't really do something good regarding the insane action with caching involved.
Replying to anonymous:
You can customize these mainnav item to point to arbitrary targets. Look into your
trac.ini
and tell me the exact (relative) Trac link that is called, please.So you've never been logged out in the first place. Still this is an permission (cache) inconsistency, but how comes that you think AccountManagerPlugin is the root cause?
Well, that's just the PermissionSystem feedback. As questions before, it depends on the exact target in your environment (is it really '/report' ?) and if possibly some other stuff is tampering with the
req.perm
object.