@diosmosis opened this Pull Request on February 7th 2019 Member

Fixes #14075

@tsteur commented on February 7th 2019 Member

@diosmosis haven't tested but when doing the redirect, and then logging in, does the feature still work to load the same page as you loaded initially? Say you are logged out and open the users manager, then log in, is the users manager loaded after log in?

@diosmosis commented on February 7th 2019 Member

@tsteur It doesn't, but this doesn't work on 3.x-dev for me either. (To be clear that's: login, load users manager, logout, log back in, see dashboard not users manager.)

@tsteur commented on February 7th 2019 Member

What happens when you do load users manager, login? I think we added some feature to do that... but maybe it isn't merged yet or so

@diosmosis commented on February 7th 2019 Member

Would there need to be anonymous access to a site to do that? I'm not sure how I'd get past the login page w/o logging in.

@tsteur commented on February 7th 2019 Member

@diosmosis I might be understanding it wrong... it was implemented here: https://github.com/matomo-org/matomo/pull/13441

When you open e.g. https://example.com/index.php?module=UsersManager&action=userSettings&idSite=1&period=day&date=yesterday , then it should show the login form on that page... once you log in, it should show the same page again. Not sure if that URL would now redirect to login page?

@fdellwing commented on February 7th 2019 Contributor

It might be naive, but why is !$this->shouldHandleRememberMe() even called? Why not just take a look at $_POST['form_rememberme'] and if it is there set expires? Wouldn't that instantaneously solve #14075 and not touch any redirect logic that is present in Matomo?

@diosmosis commented on February 8th 2019 Member

@tsteur I see, it should remember the URL, was testing incorrectly.

@fdellwing it's only needed to perform that logic in a single controller action, and w/o that check, the logic could be triggered by a user by simply adding a query parameter. To protect against future bugs/exploits that could arise w/ new features written in completely different places by people who are not aware or have forgotten about this specific code path, we restrict the code's execution to exactly where it needs to be used.
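
The gating described in the comment above, as an added example that is not part of the original thread and is not Matomo's code: the remember-me logic runs only for a POST to one controller action, so the flag has no effect when appended to another URL. The helper names, the action name `login`, and the 14-day lifetime are assumptions for illustration.

```php
<?php
// Added sketch, not Matomo's code. The action name 'login', the helper names
// and the 14-day lifetime are assumptions made for illustration.

const REMEMBER_ME_LIFETIME = 14 * 24 * 3600; // assumed value, in seconds

function isRememberMeRequest(string $method, array $query, array $post): bool
{
    // Gate 1: only the login controller action may run this logic.
    if (($query['module'] ?? '') !== 'Login' || ($query['action'] ?? '') !== 'login') {
        return false;
    }
    // Gate 2: the flag must arrive in the POST body of the login form.
    // A merged GET+POST view would let ?form_rememberme=1 on a URL count too.
    if ($method !== 'POST') {
        return false;
    }
    return !empty($post['form_rememberme']);
}

function sessionCookieExpiry(string $method, array $query, array $post, int $now): int
{
    // 0 means "session cookie": it is dropped when the browser closes.
    return isRememberMeRequest($method, $query, $post) ? $now + REMEMBER_ME_LIFETIME : 0;
}

// Constructed requests: [label, method, query string parameters, POST body].
$login = ['module' => 'Login', 'action' => 'login'];
$other = ['module' => 'UsersManager', 'action' => 'userSettings'];
$cases = [
    ['login form, box ticked',         'POST', $login, ['form_rememberme' => '1']],
    ['login form, box unticked',       'POST', $login, []],
    ['flag added to another page URL', 'GET',  $other + ['form_rememberme' => '1'], []],
    ['flag posted to another action',  'POST', $other, ['form_rememberme' => '1']],
];

$now = 1549584000; // constructed fixed timestamp so the output is reproducible
foreach ($cases as [$label, $method, $query, $post]) {
    $expiry = sessionCookieExpiry($method, $query, $post, $now);
    $result = $expiry === 0 ? 'session cookie' : 'persistent until ' . gmdate('c', $expiry);
    printf("%-32s => %s\n", $label, $result);
}
```

Only the first constructed request yields a persistent cookie; the other three fall back to a session cookie.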

@diosmosis commented on February 8th 2019 Member

@tsteur interestingly enough, that feature still works, but remember me doesn't...

@diosmosis commented on February 8th 2019 Member

@tsteur updated the code and tweaked the URL retaining feature. Now it posts to module=Login and gets the referrer URL from a POST parameter. Can you check if this works for you?

@fdellwing commented on February 8th 2019 Contributor

Patch seems to work for me.

@tsteur commented on February 11th 2019 Member

@diosmosis I got redirected to this:

image

What I did was open https://apache.matomo/index.php?module=UsersManager&action=userSettings&idSite=1&period=day&date=yesterday and then logged in.

It was supposed to render userSettings but it is rendering users manager because of the wrong URL &

@diosmosis commented on February 11th 2019 Member

@tsteur should be fixed.

This Pull Request was closed on February 11th 2019