
Item900: FormPlugin breaks authentication system

Priority: Normal
Current State: Closed
Released In:
Target Release:
Applies To: Extension
Component: FormPlugin
Branches:
Reported By: EugenMayer
Waiting For: Main.EugenMayer
Last Change By: EugenMayer

Problem

When a login is done and the login form is displayed by the FormPlugin (which I think is not a bad idea), we get an extra redirect. The LoginManager, e.g. TemplateLogin, checks the user data and decides it is all wrong, so it writes the login form again, using a 403.

The login form includes %STARTFORM% etc. and triggers the FormPlugin again, which itself recognises: hey, there is some form data I need to process (FormPlugin.pm 395 comes into play, as the form got submitted). So what it actually does is redirect the user to the /bin/login form again.

  1. this is useless and extra load, as the login form is shown / fetched already
  2. the 403 gets lost and e.g. AJAX stuff gets broken

Possible Fix

Sol 1 (I don't like this one)

The LoginManager could delete the form data once it has processed it and decided on a 403. FormPlugin would not get triggered.

Sol 2

Form plugin only fires the form-data transmission if we have a 403 response right now

Sol 3

We include some special cases where FormPlugin skips its own redirects.

As part of the porting to Foswiki, I think we should change the FormPlugin redirects to work like the Foswiki oops - all internally handled. FormPlugin should throw the appropriate exception (yes, it needs docco) and thus should not care / know how the redirect is actuated.

-- SvenDowideit - 29 Jan 2009

We got a way to restrict redirects now ( Task:Item985 )

-- EugenMayer - 05 Feb 2009

Can this item be closed then?

-- ArthurClemens - 05 Feb 2009

I don't think this addresses this issue directly. It's just a possibility to do it on your own, but actually FormPlugin should not redirect at all. It should rather load the corresponding template and show it, or run the UI::handleRequest handler with the requested action and parameters. We must get rid of this invisible "status 200" on error redirects.

-- EugenMayer - 05 Feb 2009
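The status loss discussed in this item, modelled as a small simulation (an added example, not code from Foswiki or FormPlugin). The function names, the 302 status code, the `skip_on_error` switch and the sample credentials are assumptions made for illustration; the switch corresponds to the "special cases where FormPlugin skips its own redirects" idea.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

LOGIN_FORM = "%STARTFORM% ... %ENDFORM%"   # constructed stand-in for the login template


@dataclass
class Response:
    status: int = 200
    body: str = ""
    location: Optional[str] = None


def login_manager(form: Dict[str, str]) -> Response:
    """Stand-in for TemplateLogin: bad credentials give 403 plus the login form."""
    if form.get("password") == "correct":   # constructed credential check
        return Response(200, "welcome")
    return Response(403, LOGIN_FORM)


def form_plugin(resp: Response, form: Dict[str, str], skip_on_error: bool) -> Response:
    """Stand-in for the plugin hook: submitted form data on a form page triggers a redirect."""
    if "%STARTFORM%" not in resp.body or not form:
        return resp
    if skip_on_error and resp.status >= 400:
        return resp                          # keep the login manager's error status
    return Response(302, "", "/bin/login")   # assumed redirect status


def client_sees(form: Dict[str, str], skip_on_error: bool) -> List[int]:
    """Statuses along the chain for a client that follows redirects (e.g. an AJAX call)."""
    statuses: List[int] = []
    submitted = dict(form)
    for _ in range(5):
        # First hop is the POST with credentials; later hops are plain GETs of the form.
        resp = login_manager(submitted) if submitted else Response(200, LOGIN_FORM)
        resp = form_plugin(resp, submitted, skip_on_error)
        statuses.append(resp.status)
        if resp.location is None:
            return statuses
        submitted = {}                       # the redirect is followed as a GET, no form data
    raise RuntimeError("redirect loop")


bad = {"username": "alice", "password": "wrong"}   # constructed sample input
print("plugin redirects:", client_sees(bad, skip_on_error=False))  # 403 never reaches the client
print("plugin skips    :", client_sees(bad, skip_on_error=True))   # 403 preserved, no extra hop
```
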

ItemTemplate

Summary FormPlugin breaks authentication system
ReportedBy EugenMayer
Codebase 1.0.0, trunk
SVN Range Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
AppliesTo Extension
Component FormPlugin
Priority Normal
CurrentState Closed
WaitingFor EugenMayer
Checkins
ReleasedIn
Topic revision: r7 - 16 Mar 2009, EugenMayer