Accessing admin views causes HTTP redirection loop in self-hosted environment #2101

Closed
1 task done
leor-gh opened this issue May 7, 2024 · 2 comments · Fixed by #2103

Comments

@leor-gh

leor-gh commented May 7, 2024

Please note that this is only for bug report.

For help on your account, please reach out to us at hi[at]simplelogin.io. Please make sure to check out our FAQ that contains frequently asked questions.

For feature request, you can use our forum.

For self-hosted question/issue, please ask in self-hosted forum

Prerequisites

  • I have searched open and closed issues to make sure that the bug has not yet been reported.

Bug report

Describe the bug
In a hosted environment, when a user who is logged in without admin privilege accesses the Flask-Admin views, it causes an HTTP redirection loop (too many redirections).

Expected behavior
A user without necessary privilege accessing protected areas should get a 403 HTTP response.

Screenshots
If applicable, add screenshots to help explain your problem.

Environment (If applicable):

  • OS: Linux, Mac, Windows
  • Browser: Firefox, Chrome, Brave, Safari
  • Version [e.g. 78]

Additional context
The problem is caused by the admin index view. If the user is not logged in, or if the user is not an admin, the app redirects to the login page. However, if the user is logged in, there is no further login and it brings them straight back to this line of code, thus causing an infinite redirection loop.

If the user accesses individual views in the admin area, checking for accessibility results in the same behavior. The check returns false, and the same logic in the callback just loops back to the login page.

The problem can be easily simplified and fixed. One approach is:

  • Remove the check in the admin index view, since all it does is redirect to the admin user view, where the accessibility check will be applied again.
  • In the view's inaccessible callback, if the user is not logged in, redirect to the login page; otherwise return 403 Forbidden. (There are only two cases where the request will fall to the callback: user not logged in or user is not an admin.)
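The loop and the proposed fix, modelled as an added example (this is not SimpleLogin's or Flask-Admin's code). The views are plain Python functions that return either a redirect or a final response, and a small client follows redirects with a hop limit the way a browser does before giving up. The route names `/admin/`, `/admin/user/` and `/auth/login`, the `next` query parameter, and the hop limit of 20 are assumptions for illustration only:

```python
"""Model of the admin redirect loop and of the two-case inaccessible callback.

Added illustration, not project code. Route names, the `next` parameter and
MAX_REDIRECTS are assumptions chosen to mirror the behaviour described in
the issue, not values taken from the application.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlsplit

MAX_REDIRECTS = 20  # assumption: roughly where browsers report "too many redirections"


@dataclass
class User:
    is_authenticated: bool
    is_admin: bool = False


ANONYMOUS = User(is_authenticated=False)


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # set only on 302


View = Callable[[User, Dict[str, List[str]]], Response]
Callback = Callable[[User, str], Response]


def is_accessible(user: User) -> bool:
    """Flask-Admin style accessibility check: must be logged in AND admin."""
    return user.is_authenticated and user.is_admin


def redirect_to_login(next_path: str) -> Response:
    return Response(302, "/auth/login?next=" + quote(next_path, safe=""))


def login_view(user: User, query: Dict[str, List[str]]) -> Response:
    # An already-authenticated user has nothing to do here, so the login
    # page sends them straight back to the page they asked for.
    if user.is_authenticated:
        return Response(302, query.get("next", ["/"])[0])
    return Response(200)


def buggy_callback(user: User, requested: str) -> Response:
    # Behaviour from the report: every inaccessible request goes to login,
    # even for a logged-in non-admin, who is then bounced straight back.
    return redirect_to_login(requested)


def fixed_callback(user: User, requested: str) -> Response:
    # Only two cases reach the callback: not logged in, or logged in but not admin.
    if not user.is_authenticated:
        return redirect_to_login(requested)
    return Response(403)


def build_app(callback: Callback) -> Dict[str, View]:
    def admin_index(user: User, query: Dict[str, List[str]]) -> Response:
        if not is_accessible(user):
            return callback(user, "/admin/")
        return Response(302, "/admin/user/")  # index only forwards to the user view

    def admin_user(user: User, query: Dict[str, List[str]]) -> Response:
        if not is_accessible(user):
            return callback(user, "/admin/user/")
        return Response(200)

    return {"/admin/": admin_index, "/admin/user/": admin_user, "/auth/login": login_view}


def fetch(app: Dict[str, View], url: str, user: User,
          max_redirects: int = MAX_REDIRECTS) -> Tuple[object, List[Tuple[str, int]]]:
    """Follow redirects like a browser. Returns (final status, [(path, status), ...]).

    The final status is the string "loop" when the hop limit is exhausted.
    """
    hops: List[Tuple[str, int]] = []
    for _ in range(max_redirects + 1):
        parts = urlsplit(url)
        resp = app[parts.path](user, parse_qs(parts.query))
        hops.append((parts.path, resp.status))
        if resp.status != 302:
            return resp.status, hops
        url = resp.location
    return "loop", hops


if __name__ == "__main__":
    non_admin = User(is_authenticated=True, is_admin=False)
    print("buggy:", fetch(build_app(buggy_callback), "/admin/", non_admin)[0])
    print("fixed:", fetch(build_app(fixed_callback), "/admin/", non_admin)[0])
```

With the buggy callback a logged-in non-admin bounces between `/admin/` and `/auth/login` until the hop limit is hit; with the two-case callback the same user gets a 403 on the first hop, an anonymous user still lands on the login page, and an admin reaches `/admin/user/` through the index redirect.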
@nguyenkims
Contributor

Thanks, it'd be fixed in https://github.com/simple-login/app/pull/2103/files

@leor-gh
Author

leor-gh commented May 7, 2024

Great. But there is another redirection loop at around line 92 of admin_model.py

acasajus pushed a commit that referenced this issue May 10, 2024
* mailbox page requires sudo

* fix the loop when non-admin user visits an admin URL

#2101

---------

Co-authored-by: Son NK <son@simplelogin.io>