Ticket #2471 (closed defect: duplicate)

Opened 9 years ago

Last modified 9 years ago

Default templates in tg.devtools generate invalid redirects.

Reported by: Clicky
Owned by:
Priority: normal
Milestone: 2.0.* bugfix
Component: unassigned
Version: 2.0.3
Severity: normal
Keywords:


While deploying a Turbogears application, we noticed users sometimes had issues going through the login form and got 404 error pages as a result. In our environment, the app is served using Apache from a sub-directory of the DocumentRoot, but I also managed to reproduce this with Paste and a composite application setup.

Steps to reproduce :

  1. Quickstart a new project with auth enabled.
  2. Change the settings in development.ini so that the application is NOT mounted at the root.

eg. replace [app:main] with :

use = egg:Paste#urlmap
/yourapp = yourapp

  3. Start the webserver.
  4. In your browser, go to a page which requires authentication (e.g. http://localhost:8080/yourapp/manage_permission_only).
  5. Enter a bad username/password.
  6. At this point, your browser may indicate that a circular redirection is taking place, or the login form may show up again, or you may be presented with a 404 error page (see notes below).
  7. If the login form showed up, try authenticating with a valid username/password (in my case, I used manager/managepass); you should end up on a 404 error page.

I noticed some variations of the problem:

  • when the application is served with Paste, my browser either detected a circular redirect (step #6) or ended up on a non-existing page (/yourapp/yourapp/login)
  • when the application is served with Apache, the redirect works correctly, but after the first authentication attempt (with an invalid username/password), the came_from parameter is incorrect (/yourapp/yourapp/manage_permission_only), so that when you successfully authenticate, your browser is redirected to a non-existing page (step #7).

This seems to be the result of a few extraneous url() in tg.devtools' default templates. AFAICT, redirect() already applies url() to its input. Therefore, the URL gets rewritten twice (which gives a double "/yourapp" prefix in my case) at the time the redirect occurs.

Getting rid of a few url() in http://svn.turbogears.org/projects/tg.devtools/trunk/devtools/templates/turbogears/+package+/controllers/root.py_tmpl seems to do the trick. I'll try to attach a patch sometime this week.
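
The double rewrite described in the ticket, as an added example that is not part of the original report and is not TurboGears code: a minimal WSGI model in which url() prefixes SCRIPT_NAME and redirect() applies url() again. The simplified url()/redirect() signatures and the helpers location_for and has_doubled_mount are assumptions made for the illustration.

```python
from wsgiref.util import setup_testing_defaults


def url(environ, path):
    """Prefix an application-relative path with SCRIPT_NAME (the mount point)."""
    return environ.get("SCRIPT_NAME", "") + path


def redirect(environ, start_response, path):
    """Send a 302; as the ticket says of redirect(), it applies url() itself."""
    start_response("302 Found", [("Location", url(environ, path))])
    return [b""]


def buggy_app(environ, start_response):
    # Pattern the ticket blames: url() in the caller, then url() again in redirect().
    return redirect(environ, start_response, url(environ, "/login"))


def fixed_app(environ, start_response):
    # Pass the application-relative path and let redirect() prefix it once.
    return redirect(environ, start_response, "/login")


def location_for(app, script_name):
    """Call a WSGI app as if mounted at script_name; return its Location header."""
    environ = {"SCRIPT_NAME": script_name, "PATH_INFO": "/manage_permission_only"}
    setup_testing_defaults(environ)  # fills in the remaining required WSGI keys
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    app(environ, start_response)
    return captured["Location"]


def has_doubled_mount(location, script_name):
    """Regression check: does the path start with the mount point twice?"""
    return bool(script_name) and location.startswith(script_name * 2 + "/")


if __name__ == "__main__":
    for mount in ("", "/yourapp"):  # constructed mount points
        for app in (buggy_app, fixed_app):
            loc = location_for(app, mount)
            print(f"{app.__name__:9} mount={mount!r:10} -> {loc:24} "
                  f"doubled={has_doubled_mount(loc, mount)}")
```

With an empty SCRIPT_NAME both variants produce the same Location, which is why the problem only shows up when the application is not mounted at the root.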

Change History

comment:1 Changed 9 years ago by chrisz

I think this is a duplicate of #2371.

comment:2 Changed 9 years ago by Clicky

Oops, looks like a dup of the ticket you mentioned above. Though, even if #2371 says it's been fixed, I can still see this in the latest version of tg.devtools' trunk (see link at the end of the original post). Am I overlooking something here, or has the ticket been closed before the patch was actually applied?

Also, I am not sure this particular url() call is the only one which should be removed. It is my understanding that the url received as input for post_login() will usually be the same as that obtained from the dict returned by login(), which also applies url() to its default parameter value. If so, the same should hold true for post_login()/post_logout() that also have a default value for the came_from parameter, pointing to url('/').

comment:3 Changed 9 years ago by chrisz

Clicky, the trunk is not in SVN any more, it is now here: http://bitbucket.org/turbogears/tgdevtools-dev/

comment:4 Changed 9 years ago by Clicky

  • Status changed from new to closed
  • Resolution set to duplicate

Hmm, so I guess this bug can be closed as a duplicate of #2371 then. Thanks for the heads up on the repository's new location. Please keep up the good work.

comment:5 Changed 9 years ago by chrisz

  • Milestone changed from __unclassified__ to 2.0.* bugfix