Details
-
Type:
Bug
-
Status: Open
-
Priority:
Major
-
Resolution: Unresolved
-
Affects Version/s: None
-
Fix Version/s: None
-
Component/s: None
-
Labels:None
Description
This issue needs to be duplicated first.
Activity
I think maintenance mode only restricts client access to their account.
Tyson Phillips (Inactive)
added a comment - I think maintenance mode only restricts client access to their account. After testing this issue, I see that it does not matter whether maintenance mode is enabled or not. If a page is loaded that makes an AJAX request in which a 401 response is received, the page will refresh, causing a loop of the page refreshing.
This occurs in the admin and client JS, buttom of the files:
// Attempt reload due to 401 unauthorized response, let the system
// handle the approrpriate redirect.
if (request.status == 401) {
window.location = window.location.href;
}
Tyson Phillips (Inactive)
added a comment - After testing this issue, I see that it does not matter whether maintenance mode is enabled or not. If a page is loaded that makes an AJAX request in which a 401 response is received, the page will refresh, causing a loop of the page refreshing.
This occurs in the admin and client JS, buttom of the files:
// Attempt reload due to 401 unauthorized response, let the system
// handle the approrpriate redirect.
if (request.status == 401) {
window.location = window.location.href;
}
We should investigate whether or not we can/should remove the redirect. If I recall correctly, it's there to redirect users if they encountered a AJAX request they don't have access to (due to permissions).
Cody Phillips (Inactive)
added a comment - We should investigate whether or not we can/should remove the redirect. If I recall correctly, it's there to redirect users if they encountered a AJAX request they don't have access to (due to permissions). Users without permission to a page encounter a '403 Forbidden' response, such as when removing permission to view a widget on the client dashboard.
If an AJAX request is made to a resource when a user is not logged in, and they are required to be, a 401 response is generated.
Most every other AJAX request in the system that is deemed invalid sends a 401 response back.
Is there any other reason 401 should redirect in the JS?
Tyson Phillips (Inactive)
added a comment - Users without permission to a page encounter a '403 Forbidden' response, such as when removing permission to view a widget on the client dashboard.
If an AJAX request is made to a resource when a user is not logged in, and they are required to be, a 401 response is generated.
Most every other AJAX request in the system that is deemed invalid sends a 401 response back.
Is there any other reason 401 should redirect in the JS? What's an example flow of encountering a 401 where JavaScript redirects the user so we can look at how that affects the UI with and without the redirect?
Cody Phillips (Inactive)
added a comment - What's an example flow of encountering a 401 where JavaScript redirects the user so we can look at how that affects the UI with and without the redirect? A less-practical example would require editing an existing AJAX request.
Consider the edit service page in the admin UI. This page makes an AJAX request to display the totals in a box.
If the GET parameters for this request do not include both a valid client and service ID, or the service does not match the client, a 401 response is encountered.
Currently, a 401 response will cause the edit-service page to refresh continuously because it will continuously make the same invalid AJAX request.
If a 401 response did not perform a redirect, the UI would not be updated to include the totals box.
On a side note, the JS also performs an identical redirect for status code 406.
// If an ajax request was attempted, but the resource does not support it, reload
if (request.status == 406) {
window.location = window.location.href;
}
Tyson Phillips (Inactive)
added a comment - A less-practical example would require editing an existing AJAX request.
Consider the edit service page in the admin UI. This page makes an AJAX request to display the totals in a box.
If the GET parameters for this request do not include both a valid client and service ID, or the service does not match the client, a 401 response is encountered.
Currently, a 401 response will cause the edit-service page to refresh continuously because it will continuously make the same invalid AJAX request.
If a 401 response did not perform a redirect, the UI would not be updated to include the totals box.
On a side note, the JS also performs an identical redirect for status code 406.
// If an ajax request was attempted, but the resource does not support it, reload
if (request.status == 406) {
window.location = window.location.href;
}
Appears to be related to the fact that the event is triggered on all requests, for that particular use case (attempting to load a URL that can't be accessed in maintenance mode).
Maybe maintenance mode should disable all events? What else do we disable in maintenance mode, or not disable in maintenance mode that should be disabled?