OFBiz / OFBIZ-4256

After session timeout, Ajax popup dialog box shows OFBiz login screen

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: SVN trunk
    • Fix Version/s: SVN trunk
    • Component/s: ALL APPLICATIONS
    • Labels:
      None

      Description

      Take the following page (for example) https://localhost/content/control/findContent

      The field "Data Resource Id" has an icon beside it that creates an Ajax dialog pop-up. If the session has already timed out, the dialog box would show the login screen.

      I suspect that all pages containing this functionality would exhibit the same symptom.

          Activity

          Sascha Rodekamp added a comment -

          The Patch is in Rev: 1102615

          Have a good day
          Sascha

          Sascha Rodekamp added a comment -

          The information comes from the request header: if X-Requested-With contains XMLHttpRequest, we have an Ajax request.

          You're right, but you are working with permissions and without the auth option.
          That is of course an alternative, but my intention was not to add permission checks to each lookup; in my opinion it's more generic to differentiate in the request handler. Then a developer doesn't have to think about whether an Ajax or another request is being used.

          Adrian Crum added a comment -

          How does the request handler know that a request is an "ajax request"? If you look at the example I gave, there is nothing special about the request.

          Using the Find Fixed Assets example, instead of the FixedAssetSearchResults screen doing nothing if the user isn't logged in, it would return some text like "Unable to complete request - user is not logged in."

          Sascha Rodekamp added a comment -

          Hi Adrian,
          I created a patch for this issue. It would be great if you could have a quick look before I commit it.

          The solution is simple.
          If the session has timed out, I check in the request handler whether it is an Ajax request or not.
          If it is an Ajax request, I don't return the normal "checkLogin" request; I return a special ajaxCheckLogin request. This request can point to a site which shows the "Please Login Hint".

          What do you think?
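
The dispatch rule described in the comment above, as an added Java sketch that is not the patch from Rev 1102615 and not OFBiz code: the class and method names are hypothetical, and only `checkLogin`, `ajaxCheckLogin`, `LookupGeoName` and the `X-Requested-With` header come from the thread. Because the client sets that header, the sketch uses it only to choose which login-required response is returned, never to decide whether authentication is enforced.

```java
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;

/** Added sketch: models the dispatch decision only, not OFBiz's request handler. */
public class LoginDispatchSketch {

    /** True when the client marked the request as Ajax via X-Requested-With. */
    static boolean isAjax(Map<String, String> headers) {
        String value = headers.get("X-Requested-With");
        return value != null && value.toLowerCase(Locale.ROOT).contains("xmlhttprequest");
    }

    /**
     * Returns the request to dispatch. Whether login is demanded depends only on
     * the request-map's auth setting and the session; the header merely selects
     * how "login required" is presented to the caller.
     */
    static String nextRequest(String requested, boolean authRequired,
                              boolean loggedIn, Map<String, String> headers) {
        if (!authRequired || loggedIn) {
            return requested;
        }
        // Client-controlled header: fine for presentation, never for access control.
        return isAjax(headers) ? "ajaxCheckLogin" : "checkLogin";
    }

    /** HTTP header names are case-insensitive, so store them in such a map. */
    static Map<String, String> headers(String... kv) {
        Map<String, String> m = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (int i = 0; i + 1 < kv.length; i += 2) {
            m.put(kv[i], kv[i + 1]);
        }
        return m;
    }

    public static void main(String[] args) {
        // Constructed requests for the lookup URI mentioned in the thread.
        String uri = "LookupGeoName";
        Map<String, String> ajax = headers("x-requested-with", "XMLHttpRequest");
        Map<String, String> plain = headers("Accept", "text/html");

        System.out.println(nextRequest(uri, true, true, ajax));    // live session
        System.out.println(nextRequest(uri, true, false, ajax));   // expired, Ajax
        System.out.println(nextRequest(uri, true, false, plain));  // expired, direct
        System.out.println(nextRequest(uri, false, false, plain)); // auth="false" map
    }
}
```

The last call shows the trade-off raised elsewhere in the thread: with auth set to false the handler passes the request through, so any protection has to come from the screen's own permission check.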

          Sascha Rodekamp added a comment -

          Yep, that sounds good. Login screens in lookup windows are not a problem, but they don't look nice.
          OK, I'll look for a good generic solution.

          Adrian Crum added a comment -

          Personally, I don't see a problem with having the login prompt appear in a lookup screen. I believe that has been the lookup screen behavior all along. An alternative would be to have some kind of standard Ajax request response text like "Unable to complete request - session has timed out" or "Unable to complete request - user is not logged in" instead of an empty response.

          Sascha Rodekamp added a comment -

          Ah yep, got your point. But therefore I have to make a few changes in the lookup screens/decorator. I think I will follow this way (thanks for the hint).

          Nevertheless, if a session has expired I would like to direct the user to the login page; opening a white lookup might not be the best for usability (the user doesn't know what's going on...). Just a thought.

          Adrian Crum added a comment -

          Sascha,

          I just edited my previous comment to include an example.

          To summarize:

          A screen that uses Ajax should separate its Ajax sections from the regular request sections. The Ajax sections are their own screens that perform permission checking and do nothing if the permission check fails (or the user isn't logged in). Those Ajax screens are then mapped to requests that have auth set to false.

          Sascha Rodekamp added a comment -

          Yep, that's right, but that doesn't work for lookups, because when you call the direct request to the lookup page (https://localhost:8443/example/control/LookupGeoName), the direct request doesn't use AJAX itself.
          Only the lookup code (in lookup.js) calls the lookup content via an Ajax request. The direct request only returns the HTML for the lookup window, and for that request we have to check whether a user is logged in or not, don't we?

          Adrian Crum added a comment - edited

          Sascha,

          The approach I described is used in a number of Ajax requests already - just take a look at some of the current Ajax requests. If the user isn't logged in, the Ajax request will return an empty response.

          Take a look at Find Fixed Assets: FixedAssetScreens.xml#ListFixedAssets and FixedAssetScreens.xml#FixedAssetSearchResults.

          Sascha Rodekamp added a comment -

          Hey Adrian, when setting auth to false every user (logged in or not) can directly call the lookup (i.e. https://localhost:8443/example/control/LookupGeoName) and can see the data which are presented in the lookup. I would not recommend that.

          Some months ago I implemented a redirect if the session is timed out. The user will be directed to the "normal" login page. That works in my local copy.
          So it's interesting which version you use @Wai.
          Maybe there is an improvement for my first solution, I'll check that.

          Adrian Crum added a comment -

          Look for the request URI that the popup calls to populate its window. Find that request's request-map entry in controller.xml and make sure the security element has auth set to false.

          Jacques Le Roux added a comment -

          Wai,

          Which Release.revision? Maybe, as Sascha said, it's already fixed and you use an older version...

          Sascha Rodekamp added a comment -

          Hi Wai,
          We fixed this once, but maybe something broke it. I'll follow up on this.
          Thanks for reporting!

          Have a good day
          Sascha


            People

            • Assignee:
              Sascha Rodekamp
              Reporter:
              Wai