[TurboGears] #2471: Default templates in tg.devtools generate invalid redirects.


TurboGears

Mar 2, 2010, 8:31:05 AM
to turbogear...@googlegroups.com
#2471: Default templates in tg.devtools generate invalid redirects.
------------------------+---------------------------------------------------
Reporter: Clicky | Owner:
Type: defect | Status: new
Priority: normal | Milestone: __unclassified__
Component: unassigned | Version: 2.0.3
Severity: normal | Keywords:
------------------------+---------------------------------------------------
While deploying a TurboGears application, we noticed that users sometimes
had issues going through the login form and got 404 error pages
as a result. In our environment, the app is served using Apache from a
sub-directory of the DocumentRoot, but I also managed to reproduce this
with Paste and a composite application setup.

Steps to reproduce :
1. Quickstart a new project with auth enabled.
2. Change the settings in development.ini so that the application is NOT
mounted at the root.
eg. replace `[app:main]` with :
{{{
[composite:main]
use = egg:Paste#urlmap
/yourapp = yourapp

[app:yourapp]
}}}

3. Start the webserver.
4. In your browser, go to a page which requires authentication (eg.
http://localhost:8080/yourapp/manage_permission_only).
5. Enter a bad username/password
6. At this point, your browser may indicate that a circular redirection
is taking place, or, the login form may show up again, or you may be
presented with a 404 error page (see notes below).
7. If the login form showed up, try authenticating with a valid
username/password (in my case, I used manager/managepass), you should end
up on a 404 error page.

I noticed some variations of the problem:
* when the application is served with Paste, my browser either detected a
circular redirect (step !#6) or ended up on a non-existing page
(/yourapp/yourapp/login)
* when the application is served with Apache, the redirect works
correctly, but after the first authentication attempt (with an invalid
username/password), the came_from parameter is incorrect
(/yourapp/yourapp/manage_permission_only), so that when you successfully
authenticate, your browser is redirected to a non-existing page (step
!#7).

This seems to be the result of a few extraneous url() in tg.devtools'
default templates.
AFAICT, redirect() already applies url() to its input. Therefore, the URL
gets rewritten twice (which gives a double "/yourapp" prefix in my case)
at the time the redirect occurs.

Getting rid of a few url() in
http://svn.turbogears.org/projects/tg.devtools/trunk/devtools/templates/turbogears/+package+/controllers/root.py_tmpl
seems to do the trick. I'll try to attach a patch sometime this week.

--
Ticket URL: <http://trac.turbogears.org/ticket/2471>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development
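
The double prefix described in the report above, as an added example that is not part of the original ticket or of TurboGears: `url()` and `redirect()` here are simplified, hypothetical stand-ins that only model "prefix the path with the mount point", and `has_double_prefix` is an assumed regression check.

```python
# Simplified model of the behaviour described in the ticket. These helpers are
# hypothetical stand-ins, not TurboGears' own url()/redirect().
SCRIPT_NAME = "/yourapp"  # mount point from the [composite:main] urlmap above


def url(path, script_name=SCRIPT_NAME):
    """Prefix an application-relative path with the mount point."""
    if path.startswith("/"):
        return script_name + path
    return path  # relative paths and full URLs are left alone in this model


def redirect(path, script_name=SCRIPT_NAME):
    """Return the Location a redirect would emit; it applies url() itself."""
    return url(path, script_name)


def redirect_buggy(path, script_name=SCRIPT_NAME):
    # Pattern from the report: the template calls url() before redirect(),
    # so the mount point is prepended twice.
    return redirect(url(path, script_name), script_name)


def redirect_fixed(path, script_name=SCRIPT_NAME):
    # Pass the application-relative path and let redirect() prefix it once.
    return redirect(path, script_name)


def has_double_prefix(location, script_name=SCRIPT_NAME):
    """Regression check: flag a Location that carries the mount point twice."""
    return bool(script_name) and location.startswith(script_name * 2 + "/")


if __name__ == "__main__":
    for path in ("/login", "/manage_permission_only"):
        for fn in (redirect_buggy, redirect_fixed):
            loc = fn(path)
            print(f"{fn.__name__:15} {path:25} -> {loc:42} "
                  f"double_prefix={has_double_prefix(loc)}")
    # Mounted at the root, the same bug produces a valid URL, which is why
    # the check has to run against a non-root mount point.
    print("root mount:", redirect_buggy("/login", script_name=""))
```

With an empty mount point the buggy and fixed paths return the same URL, so a test suite that only exercises the application at `/` will not catch this.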

TurboGears

Mar 3, 2010, 5:00:38 AM
to turbogear...@googlegroups.com
#2471: Default templates in tg.devtools generate invalid redirects.
------------------------+---------------------------------------------------
Reporter: Clicky | Owner:
Type: defect | Status: new
Priority: normal | Milestone: __unclassified__
Component: unassigned | Version: 2.0.3
Severity: normal | Resolution:
Keywords: |
------------------------+---------------------------------------------------
Comment (by chrisz):

Clicky, the trunk is not in SVN any more, it is now here:
http://bitbucket.org/turbogears/tgdevtools-dev/

--
Ticket URL: <http://trac.turbogears.org/ticket/2471#comment:3>

TurboGears

Mar 3, 2010, 3:01:24 AM
to turbogear...@googlegroups.com
#2471: Default templates in tg.devtools generate invalid redirects.
------------------------+---------------------------------------------------
Reporter: Clicky | Owner:
Type: defect | Status: new
Priority: normal | Milestone: __unclassified__
Component: unassigned | Version: 2.0.3
Severity: normal | Resolution:
Keywords: |
------------------------+---------------------------------------------------
Comment (by Clicky):

Oops, looks like a dup of the ticket you mentioned above, though, even if
#2371 says it's been fixed, I can still see this in the latest version of
tg.devtools' trunk (see link at the end of the original post), am I
overlooking something here or has the ticket been closed before the patch
was actually applied ?

Also, I am not sure this particular url() call is the only one which
should be removed. It is my understanding that the url received as input
for post_login() will usually be the same as that obtained from the dict
returned by login(), which also applies url() to its default parameter
value. If so, the same should hold true for post_login()/post_logout()
that also have a default value for the came_from parameter, pointing to
url('/').

--
Ticket URL: <http://trac.turbogears.org/ticket/2471#comment:2>

TurboGears

Mar 8, 2010, 9:23:10 AM
to turbogear...@googlegroups.com
#2471: Default templates in tg.devtools generate invalid redirects.
------------------------+---------------------------------------------------
Reporter: Clicky | Owner:
Type: defect | Status: closed
Priority: normal | Milestone: __unclassified__
Component: unassigned | Version: 2.0.3
Severity: normal | Resolution: duplicate
Keywords: |
------------------------+---------------------------------------------------
Changes (by Clicky):

* status: new => closed
* resolution: => duplicate

Comment:

Hmm, so I guess this bug can be closed as a duplicate of #2371 then.
Thanks for the heads up on the repository's new location.
Please keep up the good work.

--
Ticket URL: <http://trac.turbogears.org/ticket/2471#comment:4>
