  1. Blesta Core
  2. CORE-1821

Structure event may lead to infinite loop when maintenance mode is enabled

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Activity

      cody Cody Phillips (Inactive) added a comment -

      Appears to be related to the fact that the event is triggered on all requests, for that particular use case (attempting to load a URL that can't be accessed in maintenance mode).

      Maybe maintenance mode should disable all events? What else do we disable in maintenance mode, or not disable in maintenance mode that should be disabled?

      tyson Tyson Phillips (Inactive) added a comment -

      I think maintenance mode only restricts client access to their account.

      tyson Tyson Phillips (Inactive) added a comment -

      After testing this issue, I see that it does not matter whether maintenance mode is enabled or not. If a page is loaded that makes an AJAX request in which a 401 response is received, the page will refresh, causing a loop of the page refreshing.

      This occurs in the admin and client JS, bottom of the files:

      // Attempt reload due to 401 unauthorized response, let the system
      // handle the appropriate redirect.
      if (request.status == 401) {
      	window.location = window.location.href;
      }
      
      cody Cody Phillips (Inactive) added a comment -

      We should investigate whether or not we can/should remove the redirect. If I recall correctly, it's there to redirect users if they encountered an AJAX request they don't have access to (due to permissions).

      tyson Tyson Phillips (Inactive) added a comment -

      Users without permission to a page encounter a '403 Forbidden' response, such as when removing permission to view a widget on the client dashboard.

      If an AJAX request is made to a resource when a user is not logged in, and they are required to be, a 401 response is generated.

      Most every other AJAX request in the system that is deemed invalid sends a 401 response back.

      Is there any other reason 401 should redirect in the JS?

      cody Cody Phillips (Inactive) added a comment -

      What's an example flow of encountering a 401 where JavaScript redirects the user so we can look at how that affects the UI with and without the redirect?

      tyson Tyson Phillips (Inactive) added a comment -

      A less-practical example would require editing an existing AJAX request.

      Consider the edit service page in the admin UI. This page makes an AJAX request to display the totals in a box.
      If the GET parameters for this request do not include both a valid client and service ID, or the service does not match the client, a 401 response is encountered.

      Currently, a 401 response will cause the edit-service page to refresh continuously because it will continuously make the same invalid AJAX request.
      If a 401 response did not perform a redirect, the UI would not be updated to include the totals box.

      On a side note, the JS also performs an identical redirect for status code 406.

      // If an ajax request was attempted, but the resource does not support it, reload
      if (request.status == 406) {
          window.location = window.location.href;
      }
      
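One way to keep a single recovery reload on 401/406 while breaking the refresh loop described in the comments above, as an added example that is not Blesta's code and not written by any commenter. The names `makeAjaxErrorHandler` and `simulateRepeated401`, the storage key prefix, the one-reload budget, the 10-second window and the sample URL are all assumptions made for illustration.

```javascript
// Added example (not Blesta code). storage and location are injected so the
// same logic runs against sessionStorage/window.location in a browser or
// against the constructed fakes below.
function makeAjaxErrorHandler({ storage, location, now = Date.now,
                                maxReloads = 1, windowMs = 10000 }) {
  return function onAjaxError(status) {
    // Only the two statuses the thread says trigger a reload are handled.
    if (status !== 401 && status !== 406) return 'ignore';

    const key = 'ajax-reload:' + location.href;
    let rec = null;
    try { rec = JSON.parse(storage.getItem(key)); } catch (e) { rec = null; }
    // Start a fresh budget when there is no record or the old one expired.
    if (!rec || typeof rec.count !== 'number' || now() - rec.first > windowMs) {
      rec = { first: now(), count: 0 };
    }
    if (rec.count >= maxReloads) {
      // The page was already reloaded and the same request failed again:
      // another reload cannot fix it, so stop and let the caller show an error.
      return 'show-error';
    }
    rec.count += 1;
    storage.setItem(key, JSON.stringify(rec));
    location.assign(location.href);
    return 'reload';
  };
}

// Constructed fakes standing in for sessionStorage and window.location.
function simulateRepeated401(statuses, stepMs = 1000) {
  const data = new Map();
  const storage = {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
  const location = { href: 'https://billing.example/admin/service/edit',
                     reloads: 0, assign() { this.reloads += 1; } };
  let clock = 0;
  const handle = makeAjaxErrorHandler({ storage, location, now: () => clock });
  const decisions = statuses.map((s) => { clock += stepMs; return handle(s); });
  return { decisions, reloads: location.reloads };
}
```

In a browser the handler would be built with `sessionStorage` and `window.location`, and a `'show-error'` result would render a message in place of the missing widget instead of navigating.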

        People

        • Assignee:
          cody Cody Phillips (Inactive)
          Reporter:
          tyson Tyson Phillips (Inactive)
        • Votes:
          0
          Watchers:
          2

          Dates

          • Created:
            Updated:

            Time Tracking

            Estimated:
            Not Specified
            Remaining:
            0m
            Logged:
            2w 2d 1h 48m