Bug #18287

closed

2FA subdomain login takes me to home page from arbitrary page

Added by Raffi Khatchadourian 10 months ago. Updated 9 months ago.

Status: Resolved
Priority name: Normal
Assignee:
Category name: Authentication
Target version:
Start date: 2023-05-30
Due date:
% Done: 0%
Estimated time:
Deployment actions:

Description

Steps
  1. As an unauthenticated user, visit https://khatchad.commons.gc.cuny.edu/teaching/
  2. Click on the login box on the top right.
  3. Enter credentials.
  4. Enter 2FA code.

Expected Result
After successfully entering the 2FA code, I should be redirected to https://khatchad.commons.gc.cuny.edu/teaching/.

Actual Results
I am taken to https://khatchad.commons.gc.cuny.edu/.

Related to https://redmine.gc.cuny.edu/issues/17965.

Actions #1

Updated by Raymond Hoh 10 months ago

  • Category name set to Authentication
  • Status changed from New to Staged for Production Release
  • Assignee set to Raymond Hoh
  • Target version set to 2.1.8

Thanks for the report and the steps to duplicate, Raffi.

This is related to a fix done for #3376: https://github.com/cuny-academic-commons/cac/commit/888ad2eaf2b38cdd4dcfe86f32f7ba1b895ba275. That fix disregards the login redirect URL and would force the redirect URL to be either the site's home URL or the site's admin dashboard depending on the user's role.

I've added a fix to allow the redirect URL through if not accessing the admin dashboard. (Code reference: https://github.com/cuny-academic-commons/cac/commit/238277ac45b5e5f2670ab2a4bb5137382cb94f47.) This is scheduled to be part of the next maintenance release on June 13th.

Boone, the code also fixes some issues with checking the redirect URL after successful login. Since we force logins to the main site if not using the admin bar login, the older code to bypass the main site would not do checks against the redirect URL. In the fix, we're now checking the redirect URL to see if the redirect URL is for the admin dashboard and if the user has the correct capabilities for the site in question. We were previously using the 'edit_posts' capability for the permission check, but I've decided to go one step lower and allow the 'publish_posts' capability as well. This should make things easier for users accustomed to going directly to SUBDOMAIN.commons.gc.cuny.edu/wp-admin/, especially users with the 'author' role.
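The redirect decision described above, written out as an added illustration that is not code from the cac repository: the function name `cac_resolve_login_redirect`, the capability list and the array-based capability lookup (standing in for WordPress's `user_can()`) are assumptions for the example, and only absolute URLs are handled.

```php
<?php
// Added example modelled on the fix described in comment #1; not the project's code.
// Capabilities are simulated with a plain array instead of WordPress's user_can().

declare(strict_types=1);

// Capabilities that permit landing on a site's admin dashboard after login
// ('publish_posts' added so that authors can go straight to wp-admin).
const CAC_DASHBOARD_CAPS = ['edit_posts', 'publish_posts'];

/**
 * Decide where to send a user after a successful (2FA) login.
 *
 * @param string   $redirect_to Requested redirect URL (e.g. from ?redirect_to=).
 * @param string   $site_home   Home URL of the site the user logged in on.
 * @param string[] $user_caps   Capabilities the user holds on that site (simulated).
 */
function cac_resolve_login_redirect(string $redirect_to, string $site_home, array $user_caps): string
{
    $home  = parse_url($site_home);
    $parts = parse_url($redirect_to);

    // Only honour redirects that stay on the site the user logged in on, over https;
    // another host, a malformed URL or a downgrade falls back to the site home.
    if ($parts === false || empty($parts['host']) || strcasecmp($parts['host'], $home['host']) !== 0) {
        return $site_home;
    }
    if (isset($parts['scheme']) && strtolower($parts['scheme']) !== 'https') {
        return $site_home;
    }

    $path = $parts['path'] ?? '/';
    $is_dashboard = (bool) preg_match('#^/wp-admin(/|$)#', $path);

    // Non-admin page on the same site (the /teaching/ case in this report): allow through.
    if (!$is_dashboard) {
        return $redirect_to;
    }

    // Admin dashboard requested: require one of the permitted capabilities on this site.
    foreach (CAC_DASHBOARD_CAPS as $cap) {
        if (in_array($cap, $user_caps, true)) {
            return $redirect_to;
        }
    }
    return $site_home;
}

// Constructed sample cases mirroring the report.
$home = 'https://khatchad.commons.gc.cuny.edu/';
var_dump(cac_resolve_login_redirect($home . 'teaching/', $home, ['read']));          // stays on /teaching/
var_dump(cac_resolve_login_redirect($home . 'wp-admin/', $home, ['read']));          // no dashboard cap: site home
var_dump(cac_resolve_login_redirect($home . 'wp-admin/', $home, ['publish_posts'])); // author lands on wp-admin
var_dump(cac_resolve_login_redirect('https://other.example/', $home, ['edit_posts'])); // off-site: site home
```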

Actions #2

Updated by Boone Gorges 10 months ago

Thanks, Ray!

Actions #3

Updated by Boone Gorges 9 months ago

  • Status changed from Staged for Production Release to Resolved