Using Persona login at the transient login page, does not return you to the page you requested

Bug #1331319 reported by Aaron Wells on 2014-06-18
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Low
Aaron Wells

Bug Description

The "transient login page" is the page you see when you're logged out and you try to access a page that's not accessible to logged-out users. It contains only a login form.

If you fill in your username and password on that login form, then you are forwarded on to the page that you originally requested.

But! This doesn't work for Persona. If you click the Persona link and login that way, you are sent to the Mahara homepage.

To replicate:

1. You have a Mahara site with the Persona auth plugin turned on.
2. You are currently logged out of that site.
3. You receive an email with a link to a page in that site, which is only accessible to logged in users. e.g.: http://example.com/view/view.php?id=8
4. You click on that link
5. Since you are logged out, you see the transient login page, which contains only the login form and the Persona button.
6. You click the Persona button and log into Persona in the popup window.

Expected Result: The login popup should close, and you should be redirected back to http://example.com/view/view.php?id=8

Actual result: The login popup closes, and you are redirected to the dashboard, http://example.com/

Aaron Wells (u-aaronw) wrote :

The Mahara browserid/Persona plugin uses the older "navigator.id.get()" API to do login and logout: https://developer.mozilla.org/en-US/Persona/The_navigator.id_API#The_Callback_API

The crucial part of this, is that clicking that "Persona" button calls navigator.id.get() with a callback method. Our callback method simply submits a hidden form on the login page, and the hidden form submits you to login.php, verifies some stuff with browserid to make sure you are logged in successfully, and then it sets up your Mahara session and sends you to the dashboard page.

So, the fix is to put the requested URL into that hidden form so that it gets passed to login.php, and then tell login.php to redirect you to that page instead of the dashboard.

Reviewed: https://reviews.mahara.org/3450
Committed: http://gitorious.org/mahara/mahara/commit/42faf5d9167070f8eb08668d17951977aeec1403
Submitter: Son Nguyen (<email address hidden>)
Branch: master

commit 42faf5d9167070f8eb08668d17951977aeec1403
Author: Aaron Wells <email address hidden>
Date: Wed Jun 18 17:56:25 2014 +1200

Return to the original page requested, after Persona login

Bug 1331319

Change-Id: I26c58fc9ddde2c2a7c3c3b0c3d418e7872b01a88

Son Nguyen (ngson2000) on 2014-06-23
Changed in mahara:
status: In Progress → Fix Committed
assignee: nobody → Aaron Wells (u-aaronw)
Aaron Wells (u-aaronw) on 2014-10-21
Changed in mahara:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers