Webstaff fails to request auth on some UI's

Bug #1653998 reported by Bill Erickson on 2017-01-04
Affects: Evergreen
Importance: Undecided
Assigned to: Unassigned

Bug Description

Evergreen 2.11

First noted by Kyle Huckins in bug #1511742. Some browser staff interfaces fail to redirect the user to the login page when accessed without a valid authentication token. This is a usability issue, not a security issue, since privileged data still requires an authtoken to be accessed from the server.

Reported interfaces:

- Age Circulations to Lost
- Auto-Print Settings
- Patrons with Negative Balances
- Statistical Popularity Badges
- Possibly others...

I have confirmed "Patrons with Negative Balances". The browser appears to be trying to redirect to the login page, but it's not creating a functional URL.

This can be seen by logging out of the browser staff UI then navigating to:

https://EVERGREEN_SERVER/eg/staff/admin/local/circ/neg_balance_users

Galen Charlton (gmc) wrote :

I've narrowed this down to the fact that several page apps, neg_balance_users.js among them, aren't turning on $locationProvider's HTML5 mode. The following patch resolves the problem for the Patrons with Negative Balances page:

--- a/Open-ILS/web/js/ui/default/staff/admin/local/circ/neg_balance_users.js
+++ b/Open-ILS/web/js/ui/default/staff/admin/local/circ/neg_balance_users.js
@@ -2,6 +2,13 @@
 angular.module('egAdminCirc',
     ['ngRoute','ui.bootstrap','egCoreMod','egUiMod','egGridMod'])

+.config(['$routeProvider','$locationProvider','$compileProvider',
+ function($routeProvider , $locationProvider , $compileProvider) {
+
+ $locationProvider.html5Mode(true);
+ $compileProvider.aHrefSanitizationWhitelist(/^\s*(https?|blob):/);
+}])
+
 .controller('NegBalances',
        ['$scope','$q','$timeout','$location','$window','egCore',
         'egGridDataProvider','egProgressDialog',
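Review bot: the `$compileProvider.aHrefSanitizationWhitelist(/^\s*(https?|blob):/)` line in this hunk is unrelated to the broken login redirect the bug describes; it changes which href schemes Angular treats as safe (adding `blob:`), so it should either be justified in the commit message or dropped from this change, since `$locationProvider.html5Mode(true)` alone is what addresses the redirect. Also, because this same `.config` block would have to be copied into every affected page app (Age Circulations to Lost, Auto-Print Settings, Statistical Popularity Badges, and so on), it would be better factored into one shared module so the remaining apps cannot be missed.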

Galen Charlton (gmc) wrote :

The fix would be easy to apply to the other affected page apps, but unless somebody beats me to it, I'll see if I can figure out a way to get that bit of initialization done in exactly one place across the board.

information type: Public → Public Security
Changed in evergreen:
assignee: nobody → Jason Etheridge (phasefx)
status: Confirmed → In Progress
Jason Etheridge (phasefx) wrote :

collab/phasefx/webstaff-bugs-lp1653998
http://git.evergreen-ils.org/?p=working/Evergreen.git;a=commitdiff;h=d4fa20e4902d68e9608772aa7e7111776038ba90

It looks like using it on the egCoreMod module in startup.js works. Any risk here? Easy way to test is to open the webclient in two tabs. Use one to Logout (it destroys the auth token). Then reload or navigate in the other tab.

tags: added: pullrequest
Changed in evergreen:
milestone: none → 3.0-alpha
Mike Rylander (mrylander) wrote :

WORKSFORME. Picked to master and 2.12 for great justice. Thanks, Jason!

Changed in evergreen:
assignee: Jason Etheridge (phasefx) → nobody
status: In Progress → Fix Committed
Bill Erickson (berick) wrote :

Pushed a follow-up fix to address the 'grunt test' error "Unknown provider: $routeProvider"

http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/berick/lp1653998-continued

ngRoute is not loaded by egCoreMod and the patch for this branch doesn't use it, so I just removed the unused reference.

Changed in evergreen:
status: Fix Committed → Confirmed
Mike Rylander (mrylander) wrote :

Thanks, Bill. Picked to master and rel_2_12.

Changed in evergreen:
status: Confirmed → Fix Committed
Changed in evergreen:
status: Fix Committed → Fix Released
This report contains Public Security information.