CONFSERVER-29144 (Confluence Data Center)

Directly being linked to an attachment before logging in will redirect to an 'action not permitted' message

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      If a user receives a direct link to a file on Confluence, they used to be asked to log in, and were then redirected to the file.

      However, since 5.1-OD-5, the redirect instead sends the user to a 'This action is not permitted' page once they have logged in.

      The login screen now links to login.action?os_destination=%2Fnotpermitted.action%3Fversion%3D1%26modificationDate%3D1366730801169%26api%3Dv2 instead of login?dest-url=%2Fwiki%2Fdownload%2Fattachments%2F622598%2Ffilename%3Fapi%3Dv2

      This prevents users from opening files easily from their email notifications.

      Steps to reproduce
      In a default Confluence instance.

      • Create a new Space and File list
      • Upload a file
      • Once uploaded, copy the link URL to the file.
      • Log out
      • Paste the link in your browser
        • You will be asked to log in
      • Log in, and you will see 'Action not permitted'

      Note:
      Able to replicate with 'user logged in initially' in Confluence version 5.3.4.


            childnode added a comment -

            This fix also opened another regression: CONF-35884 "great job" guys


            Steve Haffenden (Inactive) added a comment -

            Hi qian

            Thanks for getting in touch. CONF-30930 is being used to track the regression of this issue as it seems as though not all paths that lead to this issue have been dealt with.

            Regards
            Steve Haffenden
            Confluence Bugmaster
            Atlassian

            Qian Zhao added a comment -

            Do we have this issue fixed? The top of this page says fixed in 5.5 but at the end of the comment list it says "This issue is duplicated by CONF-30930" and CONF-30930 remains open.


            François Nonnenmacher added a comment -

            He! I ended up using a RewriteMap indeed, though with a Perl script that does the escaping. Many thanks for your solution, it's more elegant (and I learned something).

            mreissmann added a comment - - edited

            You can do that via RewriteMap

            This is our current ruleset:

            	# Workaround bug: https://jira.atlassian.com/browse/CONF-29144
            	AllowEncodedSlashes On
            	RewriteEngine On
            	RewriteMap escapeblanks int:escape
            	RewriteRule ^/download/attachments/(.*) - [CO=CONF29144:${escapeblanks:$1}:%{HTTP_HOST}:1,L]
            	RewriteCond %{QUERY_STRING} notpermitted
            	RewriteCond %{HTTP_COOKIE} CONF29144=([^;]+)
            	RewriteRule ^/login.action /login.action?os_destination=/download/attachments/%1 [B,P]
            


            François Nonnenmacher added a comment - - edited

            Here's my set of rules for Apache:

            # Workaround bug: https://jira.atlassian.com/browse/CONF-29144
            AllowEncodedSlashes On
            RewriteEngine On
            RewriteRule ^/download/attachments/.* - [CO=CONF29144:%{REQUEST_URI}:%{HTTP_HOST},L]
            RewriteCond %{QUERY_STRING} notpermitted
            RewriteCond %{HTTP_COOKIE} CONF29144=([^;]+)
            RewriteRule ^/login.action /login.action?os_destination=%1 [B,P]
            

            What this does is set a cookie (aptly named against this bug) to memorize the attachment reference. Then if the notpermitted action is triggered AND this cookie is set, change the os_destination parameter to something that will work after login.

            Notes:

            • the P in the last line will proxy the redirection straight through Confluence, saving one round-trip, but the URL in the browser won't change (it will still display the "not permitted.action"). Download should start right after login. If you prefer to send the redirection to the browser instead, replace P by R (adds an extra round-trip but shows the final URL in the browser)
            • AllowEncodedSlashes works only since Apache 2.2.18
            • in the example above, the cookie is a session cookie. Ideally it should be deleted after the download to avoid a potential side-effect (a real "not permitted" action). You might want to set a short duration in minutes after the domain like this (2 min here): [CO=CONF29144:$1:example.com:2,L]

            P.S. well, this doesn't seem to work with files that have spaces in their name. Confluence is happy to serve a URL like "/download/attachements/12345678/My File.txt" but if you use it as a parameter to "?os_destination" then you'll get the following error in the logs:

            “Redirect request to '/download/attachements/12345678/My File.txt' is not allowed. Will send user to the context root instead.”

            Any Apache expert around to tell me if it's possible to get a URI like "My File.txt" transferred as "My%20File.txt" in a cookie (instead of being turned into "My File.txt")?


            Cédric Dubourg added a comment -

            Maybe a similar solution under Linux - Apache?

            A timing would be very much appreciated to fix this issue because users keep complaining about this very frequently.

            Gareth White added a comment -

            This is the IIS rewrite rule I ended up using on our server to work around the problem. The regex is a little complicated because the URL is slightly different depending on whether you already have a session cookie - if you don't, Confluence will add ";jsessionid=..." to the "notpermitted" URL.

            Place this under configuration/system.webServer/rewrite/outboundRules in your web config file (web.config or applicationHost.config).

                            <rule name="Fix attachment links when not logged in" preCondition="DownloadAttachmentsRequest" enabled="true" patternSyntax="ECMAScript">
                                <match serverVariable="RESPONSE_LOCATION" pattern="(.*)/login\.action(;jsessionid=.*?)?\?os_destination=%2Fnotpermitted\.action.*" />
                                <action type="Rewrite" value="{R:1}/login.action{R:2}?os_destination={UrlEncode:{HTTP_URL}}" />
                            </rule>
                            <preConditions>
                                <preCondition name="DownloadAttachmentsRequest" patternSyntax="Wildcard">
                                    <add input="{REQUEST_URI}" pattern="/download/attachments/*" />
                                </preCondition>
                            </preConditions>
            

            This of course assumes you're already running Confluence behind an IIS reverse proxy and you have the URL Rewrite module installed.
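Added example, not code from the issue or from any commenter: a Python model of the Location-header fix-up that the Apache rulesets and the IIS rule above perform at the reverse proxy. It handles the optional ;jsessionid segment, restricts the rewrite to attachment downloads, keeps os_destination site-relative, and percent-encodes the destination so filenames with spaces survive (which is where the bare cookie value fails). The function name fix_location and the host wiki.example.com are my own choices.

```python
"""Model of the reverse-proxy fix-up from this thread (added example, not the
issue's or any commenter's code).  Given the Location header Confluence sends
for an unauthenticated attachment request and the path the browser asked for,
rewrite os_destination so the post-login redirect lands on the attachment
instead of /notpermitted.action."""
import re
from urllib.parse import quote, urlsplit

# Same shape as the ECMAScript pattern in the IIS rule above: an optional
# ;jsessionid=... segment before the query, and an os_destination that points
# at notpermitted.action.
BROKEN_LOGIN = re.compile(
    r"^(?P<base>.*)/login\.action(?P<jsid>;jsessionid=[^?]*)?"
    r"\?os_destination=%2Fnotpermitted\.action.*$"
)
# Only attachment downloads are touched, like the preCondition in the IIS rule.
ATTACHMENT_PATH = re.compile(r"^/download/attachments/\d+/[^?]+")


def fix_location(location: str, request_uri: str) -> str:
    """Return the corrected Location header, or the original when the rule does not apply."""
    m = BROKEN_LOGIN.match(location)
    if not m:
        return location
    parts = urlsplit(request_uri)
    if not ATTACHMENT_PATH.match(parts.path):
        return location
    # Keep os_destination site-relative (path + query only) rather than an
    # absolute URL, so the post-login redirect can only land on this Confluence.
    dest = parts.path + (f"?{parts.query}" if parts.query else "")
    # Percent-encode the whole value.  A raw space becomes %20; a %20 that was
    # already in the request path becomes %2520, the double-encoded form the
    # thread mentions for filenames with spaces.
    encoded = quote(dest, safe="")
    return f"{m.group('base')}/login.action{m.group('jsid') or ''}?os_destination={encoded}"
```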

            LL added a comment - - edited

            After looking over Gareth's solution, i figured out that you really just need to add this to the start of any link:
            http://[servername]/login.action?os_destination=

            Original Link:
            http://[servername]/download/attachments/[12345678]/[filename]?api=v2

            Modified Link:
            http://[servername]/login.action?os_destination=http://[servername]/download/attachments/[12345678]/[filename]?api=v2

            Also, I believe you still have to use the %2520 modification for attachments with spaces in the filename.


            David Rizzuto added a comment -

            cedric3,

            Depending on your browser, you may also need to clear your cache; some browsers, as mentioned by janusz.janowski above, will cache the "not permitted" page even though you are logged in.

            I'm aware that this is quite annoying, and as I said, this bug is on our backlog.

            Thanks
            David Rizzuto
            Atlassian

              gvotruong Giang Vo
              imaduro Ivan Maduro (Inactive)