Bug #31934

User redirection does not work under certain conditions

Added by Marek Hulán 7 months ago. Updated 7 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Users, Roles and Permissions
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Fixed in Releases:
Found in Releases:

Associated revisions

Revision 669eecb4 (diff)
Added by Marek Hulán 7 months ago

Fixes #31934 - correct redirection after user update

Saving the existing user form can lead to a 404 under specific
circumstances. The reason is that we rely on the HTTP Referer header to return
the user to where they entered the form from. This can be problematic in
case they had to resubmit the form because of a validation error. That
sets /users/$id in the Referer; however, that route is only defined with
PATCH. The Rails support for `return_back` does not take the HTTP method
into consideration, therefore the user is routed back to GET
/users/$id. Such a route does not exist. The exact steps to reproduce:

1) log in as a user without an email address, make sure you have access to
/users/index, which is checked before redirecting
2) when you enter the form, create the poisoned Referer header by
submitting an invalid form (e.g. empty email)
3) submit the form with valid data now
4) Rails redirects you to the previous page through /users/login and
the verification before filter; in this case the page does not exist

This could be a problem elsewhere too: one can enter the page from another
page which is not accessible through GET. Therefore, if the user has
permission for the user index page, we should redirect him or her to this
page (even though this may not be the page they came from). If they
don't have permission, we redirect them to the default landing page.

The impact is that when I e.g. enter "My Account" from the Subnets list, I'll end
up on the Users list after I save my changes. I think that's acceptable
compared to the issues I'd see if I enter "My Account" from any invalid
form (and other pages).
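The failure mode and the fix described in the commit message, as an added Ruby example that is not Foreman's code: a constructed route table stands in for Rails routing, `referer_redirect` models a Referer-based redirect that ignores the HTTP verb the referring page was produced by, and `permission_redirect` models the permission-based target the fix switches to. The host name, route table and function names are assumptions.

```ruby
require "uri"

# Constructed route table (not Foreman's real routes): path pattern => verbs.
# /users/:id exists only for PATCH/PUT/DELETE, exactly the shape of the bug.
ROUTES = {
  %r{\A/users\z}          => %w[GET POST],
  %r{\A/users/\d+/edit\z} => %w[GET],
  %r{\A/users/\d+\z}      => %w[PATCH PUT DELETE],
  %r{\A/\z}               => %w[GET],
}.freeze

# True when some route accepts this verb for this path.
def route_exists?(verb, path)
  ROUTES.any? { |pattern, verbs| path.match?(pattern) && verbs.include?(verb) }
end

# Referer-based redirect: returns the path the browser will fetch with GET,
# mirroring a redirect_back that never checks which verb produced the Referer.
def referer_redirect(referer, fallback = "/")
  referer ? URI(referer).path : fallback
end

# Permission-based redirect from the fix: users index when the user may view
# it, otherwise the default landing page. The Referer is not consulted.
def permission_redirect(can_view_users, landing = "/")
  can_view_users ? "/users" : landing
end

# Walks the reproduction steps and returns the HTTP status the browser gets
# when it follows the redirect (always a GET).
def simulate_update(user_id, strategy:, can_view_users: true)
  host = "https://foreman.example" # assumed host
  # The first submission failed validation, so the form was re-rendered in
  # response to PATCH /users/:id; that URL is now what the browser sends as
  # Referer on the second, valid submission.
  referer = "#{host}/users/#{user_id}"
  target = case strategy
           when :referer    then referer_redirect(referer)
           when :permission then permission_redirect(can_view_users)
           else raise ArgumentError, "unknown strategy #{strategy}"
           end
  route_exists?("GET", target) ? 200 : 404
end
```

Running `simulate_update(42, strategy: :referer)` reproduces the 404 from the report, while `strategy: :permission` lands on a route that exists for GET.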

History

#1 Updated by The Foreman Bot 7 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/8346 added

#2 Updated by The Foreman Bot 7 months ago

  • Fixed in Releases 2.5.0 added

#3 Updated by Marek Hulán 7 months ago

  • Status changed from Ready For Testing to Closed