When you are logged out, the URL gets lost when you log in #13441

Merged
merged 1 commit into from Dec 6, 2018

@tsteur tsteur commented Sep 17, 2018

It won't remember any hash as the hash won't be visible in the referrer etc but it would work for most other pages.

To make it work for hash it would get likely way more complicated like we would need to persist it through JS, temporarily store it somewhere and redirect accordingly. It fixes the case mentioned in the issue.

fix #13328

@tsteur tsteur added not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. Needs Review PRs that need a code review labels Sep 17, 2018
@tsteur tsteur added this to the 3.7.0 milestone Sep 17, 2018
if ($module !== 'Login' && $module !== Piwik::getLoginPluginName() && $referrer) {
$host = Url::getHostFromUrl($referrer);
// we only redirect to a trusted host
if ($host && Url::isValidHost($host)) {
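
Review bot: at `if ($host && Url::isValidHost($host))`, only the host of `$referrer` is checked before the referrer is accepted as the redirect target; nothing in these lines constrains its scheme, and the comment does not say what happens when `Url::getHostFromUrl($referrer)` returns an empty or untrusted host. Suggest also requiring an http or https scheme on `$referrer` and extending the comment to state that any other referrer falls through to the default page.
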
Member Author

To increase security we could maybe do even if ($host && Url::isValidHost($host) && $host === Url::getCurrentHost()) { but this could be maybe tricky with proxies etc.

Member

isValidHost does $host === Url::getCurrentHost() basically, so should be ok IMO

@diosmosis
Member

Works for me, though I think a simple solution to support the hash would be to store in the session when redirecting to login. Think it's doable @tsteur ?

@tsteur
Member Author

tsteur commented Dec 6, 2018

You'd just need to send the hash through JS which may be a problem or bit difficult...

@diosmosis
Member

Of course, wasn't thinking...

I guess it could be sent through a custom query param when logging in, but that might be too much work, and maybe a security risk.
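
The two points raised in this thread, that the hash never reaches the server in the referrer and that a client-supplied return parameter could be a security risk, shown as an added example (not Matomo code and not part of the PR). `TRUSTED_ORIGIN`, `asReferrer`, `safeReturnTarget`, the `module` query parameter name and all URLs are assumptions constructed for illustration.

```javascript
// Added example, not Matomo code. All names and URLs here are constructed.
const TRUSTED_ORIGIN = 'https://analytics.example';

// What a browser would send as Referer for a page URL: the fragment (and
// any userinfo) is stripped, so the server never sees the hash.
function asReferrer(pageUrl) {
  const u = new URL(pageUrl);
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.href;
}

// Validate a return target supplied by the client (for example a query
// parameter filled in by JS so the hash survives the login round trip).
// Returns a same-origin relative URL, or the fallback if anything is off.
function safeReturnTarget(candidate, trustedOrigin = TRUSTED_ORIGIN, fallback = '/') {
  if (typeof candidate !== 'string' || candidate === '') return fallback;
  // Backslashes and control characters are normalised differently by
  // browsers and servers; refuse them instead of guessing.
  if (/[\u0000-\u001f\u007f\\]/.test(candidate)) return fallback;
  let url;
  try {
    url = new URL(candidate, trustedOrigin);
  } catch (err) {
    return fallback;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return fallback;
  if (url.origin !== new URL(trustedOrigin).origin) return fallback;
  if (url.username !== '' || url.password !== '') return fallback;
  // Mirror the PR's `$module !== 'Login'` check: never bounce back to login.
  // Assumes the module is carried in a `module` query parameter.
  if (url.searchParams.get('module') === 'Login') return fallback;
  // Re-emit only path, query and fragment so the host cannot be swapped.
  return url.pathname + url.search + url.hash;
}

// Constructed sample page URL with a hash-based report state.
const page = TRUSTED_ORIGIN + '/index.php?module=CoreHome&action=index#?idSite=1&period=day';
console.log(asReferrer(page));                              // hash is gone
console.log(safeReturnTarget(page));                        // hash kept, host dropped
console.log(safeReturnTarget('//evil.example/index.php'));  // falls back
```

Returning only the path, query and fragment means the redirect is always issued relative to the current origin, whatever host the client supplied.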

@diosmosis diosmosis merged commit 3db76a6 into 3.x-dev Dec 6, 2018
@diosmosis diosmosis deleted the 13328 branch December 6, 2018 00:52
@chris-morgan

I shall be blunt: not handling the hash makes this a non-fix. The pages that I believe people spend almost all their time on depend fundamentally on the hash, and you’re effectively not on the same page at all if the hash is lost.

The correct fix is to stop using the hash, and put everything in the query string (using history.pushState to manage it all from the client).

@tsteur
Member Author

tsteur commented Dec 6, 2018

@chris-morgan we will maybe in Matomo 4 or at some point stop using the hash but we can't easily do it as it requires changing quite a bit of code through our big codebase and couple plugins.

sgiehl pushed a commit that referenced this pull request Dec 6, 2018
diosmosis pushed a commit that referenced this pull request Dec 8, 2018
* Add reports dimensions to metadata of report and rows

* translate dimension columns

* updates test files

* fix possible error when no report is available

* update tests

* Improve subdimension detection

* Adjust tests for labelX logic

* Makes flattener compatible with 3 dimensions

* Adds new method getThirdLeveltableDimension to report class

* Do not ask for 2fa authentication code when CoreUpdater is being requested (#13796)

Could fix an edge case where user is logged in, but hasn't confirmed the auth code (so the user is not actually logged in), and then an update appears.

* Added Fallback Method for Alexa in SEO Plugin (#13552)

* added fallback method for Alexa, fixes issue #13427

* do not use short array syntax for consistency with other methods

* use mini link for Alexa, use DomXPath to filter out the global ranking instead of regex

* Use db sessions by default, deprecate file session handler (#13540)

* use db sessions by default, deprecate file session handler

* trying to fix tests

* Prevent trigger errors on demand for instances that are opened to anonymous (#13535)

fix #13513

* Remove the previous exception in base validator so the same error is not printed twice (#13801)

* Fixing build (#13802)

* update submodule

* Update screenshots and try to get test to pass.

* Get SingleMetricView to pass. (#13803)

* Quickform2 throws warnings with PHP7.2 (#13463)

fixes #13272

Haven't actually tested it but should fix the issue. If tests pass, the logic would be still the same. I don't have a PHP 7.2 running here otherwise at the moment

* Send bulk requests in chunks when needed (#13444)

* send bulk requests in chunks

* send requests correctly

* Make log and report data screen less technical (#13464)

* When you are logged out, the URL gets lost when you log in (#13441)

It won't remember any hash as the hash won't be visible in the referrer etc but it would work for most other pages.

To make it work for hash it would get likely way more complicated like we would need to persist it through JS, temporarily store it somewhere and redirect accordingly. It fixes the case mentioned in the issue.

fix #13328

* show full information of URL only on extra click (#13585)

* Add option to opt in to use send beacon (#13451)

* Add option to opt in to use send beacon

* Fix JS tracker test.

* do not overwrite existing subrow metadata

* update test files