Webstaff fails to request auth on some UI's

Bug #1653998 reported by Bill Erickson on 2017-01-04
This bug affects 1 person

Bug Description

Evergreen 2.11

First noted by Kyle Huckins in bug #1511742. Some browser staff interfaces fail to redirect the user to the login page when accessed without a valid authentication token. This is a usability issue, not a security issue, since privileged data still requires an authtoken to be accessed from the server.

Reported interfaces:

- Age Circulations to Lost
- Auto-Print Settings
- Patrons with Negative Balances
- Statistical Popularity Badges
- Possibly others...

I have confirmed "Patrons with Negative Balances". The browser appears to be trying to redirect to the login page, but it's not creating a functional URL.

This can be seen by logging out of the browser staff UI then navigating to:


Galen Charlton (gmc) wrote :

I've narrowed this down to the fact that several page apps, neg_balance_user.js among them, aren't turning on $locationProvider's HTML5 mode. The following patch resolves the problem for the Patrons with Negative Balances page:

--- a/Open-ILS/web/js/ui/default/staff/admin/local/circ/neg_balance_users.js
+++ b/Open-ILS/web/js/ui/default/staff/admin/local/circ/neg_balance_users.js
@@ -2,6 +2,13 @@

+ function($routeProvider , $locationProvider , $compileProvider) {
+ $locationProvider.html5Mode(true);
+ $compileProvider.aHrefSanitizationWhitelist(/^\s*(https?|blob):/);
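Review bot: the new config function signature injects $routeProvider, but none of the visible added lines use it; if this module does not load ngRoute, the injection fails at bootstrap with "Unknown provider: $routeProvider" (the error the later follow-up comment on this bug reports), so drop it from the parameter list unless an elided line actually calls it. Separately, `$compileProvider.aHrefSanitizationWhitelist(/^\s*(https?|blob):/)` is unrelated to the missing login redirect: widening the href sanitization whitelist to blob: URLs is a deliberate change to what links Angular will emit, not part of enabling HTML5 mode, and if it is needed here it should be explained in the commit message or split into its own change.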

Galen Charlton (gmc) wrote :

The fix would be easy to apply to the other affected page apps, but unless somebody beats me to it, I'll see if I can figure out a way to get that bit of initialization done in exactly one place across the board.

information type: Public → Public Security
Changed in evergreen:
assignee: nobody → Jason Etheridge (phasefx)
status: Confirmed → In Progress
Jason Etheridge (phasefx) wrote :
It looks like using it on the egCoreMod module in startup.js works. Any risk here? Easy way to test is to open the webclient in two tabs. Use one to Logout (it destroys the auth token). Then reload or navigate in the other tab.

tags: added: pullrequest
Changed in evergreen:
milestone: none → 3.0-alpha
Mike Rylander (mrylander) wrote :

WORKSFORME. Picked to master and 2.12 for great justice. Thanks, Jason!

Changed in evergreen:
assignee: Jason Etheridge (phasefx) → nobody
status: In Progress → Fix Committed
Bill Erickson (berick) wrote :

Pushed a follow-up fix to address the 'grunt test' error "Unknown provider: $routeProvider"
ngRoute is not loaded by egCoreMod and the patch for this branch doesn't use it, so I just removed the unused reference.

Changed in evergreen:
status: Fix Committed → Confirmed
Mike Rylander (mrylander) wrote :

Thanks, Bill. Picked to master and rel_2_12.

Changed in evergreen:
status: Confirmed → Fix Committed
Changed in evergreen:
status: Fix Committed → Fix Released