Uploaded image for project: 'Bitbucket Data Center'
  1. Bitbucket Data Center
  2. BSERV-4788

Redirect loop going to /plugins/servlet URL that you don't have permission to access

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Tracked Elsewhere
    • Icon: Low Low
    • 2.0.0
    • 3.0.1
    • Crowd

      Go to a /plugins/servlet URL that you don't have permission to access.

      https://stash/plugins/servlet/embedded-crowd/directories/list
      http://stash/plugins/servlet/upm/purchases

      You get a redirect loop. Should get 401.

        1. Screen Shot 2014-05-28 at 2.44.35 pm.png
          Screen Shot 2014-05-28 at 2.44.35 pm.png
          28 kB

            [BSERV-4788] Redirect loop going to /plugins/servlet URL that you don't have permission to access

            bain added a comment - - edited

            Stash made the decision to redirect from the login if you are logged in. We still want this to happen. Stash is fundamentally of the opinion that you render a 401 (probably should be a 403) when you can't see a page rather than redirecting you a the login page. JIRA and Connie redirect to the login page and this is what the shared plugins do. This means we are at a fundamental disagreement.

            We could implement a mechanism to allow plugins to do the application specific correct behaviour on authorisation failure, however, for such a small bug I don't think it warrants the extra work.

            The smallest fix is to just make the plugin pass the right permission to the login screen. I have fixed EMBCWD-996 which should be coming into bitbucket as part of the platform 3 work (STASHDEV-10350). The other plugins (AO) is not linked (aka not worth fixing) in the UI and UPM is much too complicated for me to fix. I will close the issue awaiting fixes by those other teams.

            bain added a comment - - edited Stash made the decision to redirect from the login if you are logged in. We still want this to happen. Stash is fundamentally of the opinion that you render a 401 (probably should be a 403) when you can't see a page rather than redirecting you a the login page. JIRA and Connie redirect to the login page and this is what the shared plugins do. This means we are at a fundamental disagreement. We could implement a mechanism to allow plugins to do the application specific correct behaviour on authorisation failure, however, for such a small bug I don't think it warrants the extra work. The smallest fix is to just make the plugin pass the right permission to the login screen. I have fixed EMBCWD-996 which should be coming into bitbucket as part of the platform 3 work (STASHDEV-10350). The other plugins (AO) is not linked (aka not worth fixing) in the UI and UPM is much too complicated for me to fix. I will close the issue awaiting fixes by those other teams.

            bain added a comment -

            This was introduced in 3.4.0 with STASH-3118. Stash used to show the login form even when there was a currently logged in user. The behaviour in stash 3.4.0 change to redirect the user into the app if the user is already logged in.

            bain added a comment - This was introduced in 3.4.0 with STASH-3118 . Stash used to show the login form even when there was a currently logged in user. The behaviour in stash 3.4.0 change to redirect the user into the app if the user is already logged in.

            bain added a comment -

            I have raised https://ecosystem.atlassian.net/browse/EMBCWD-996 and https://ecosystem.atlassian.net/browse/UPM-5079 for these two problems.

            bain added a comment - I have raised https://ecosystem.atlassian.net/browse/EMBCWD-996 and https://ecosystem.atlassian.net/browse/UPM-5079 for these two problems.

            bain added a comment -

            This is basically happening when a user does not have access to a URL but is logged in.

            1. User hits a resource at URL that requires ADMIN/SYSADMIN.
            2. Resource detects the error and calls loginUriProvider.getLoginUri. This is redirects the user to http://stash/login?next=URL
            3. Login detects that there is a current user. No specific permission is given so it just re-directs to URL. Repeat.

            The redirect to the login page needs to indicate which permissions the current user must have. The LoginUriProvider.getLoginUriForRole provides a method to do this. When called correctly the login URL will be http://stash/login?next=URL&permission=(sys_)?admin

            The com.atlassian.upm.core.servlet.UpmServletHandler and com.atlassian.plugin.web.springmvc.interceptor.AuthorisationInterceptor classes probably need to be updated to call LoginUriProvider.getLoginUriForRole. I think it is safe to do so because both require at least ADMIN access in all the apps.

            bain added a comment - This is basically happening when a user does not have access to a URL but is logged in. User hits a resource at URL that requires ADMIN/SYSADMIN. Resource detects the error and calls loginUriProvider.getLoginUri . This is redirects the user to http://stash/login?next=URL Login detects that there is a current user. No specific permission is given so it just re-directs to URL. Repeat. The redirect to the login page needs to indicate which permissions the current user must have. The LoginUriProvider.getLoginUriForRole provides a method to do this. When called correctly the login URL will be http://stash/login?next=URL&permission=(sys_)?admin The com.atlassian.upm.core.servlet.UpmServletHandler and com.atlassian.plugin.web.springmvc.interceptor.AuthorisationInterceptor classes probably need to be updated to call LoginUriProvider.getLoginUriForRole . I think it is safe to do so because both require at least ADMIN access in all the apps.

              Unassigned Unassigned
              cszmajda Cristan Szmajda (Inactive)
              Affected customers:
              0 This affects my team
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: