Bug 794125 (JBEPP-1191)

Summary: Unauthorized access to Site Editor raises an unexpected JS error alert
Product: [JBoss] JBoss Enterprise Portal Platform 5
Reporter: Miroslav Cupák <mcupak>
Component: unspecified
Assignee: Matt Wringe <mwringe>
Status: CLOSED NEXTRELEASE
Severity: high
Priority: high
Version: 5.2.0.ER01
CC: epp-bugs, mwringe, tkyjovsk
Target Release: 5.2.0.ER06
Hardware: Unspecified
OS: Unspecified
URL: http://jira.jboss.org/jira/browse/JBEPP-1191
Doc Type: Bug Fix
Environment: EPP 5.2.0.ER01
Last Closed: 2011-10-26 15:49:21 UTC
Type: Bug
Attachments: blockid.png

Description Miroslav Cupák 2011-09-19 12:30:16 UTC
Steps to Reproduce:
1. Navigate to portal home page, sign in as root.
2. Let the session expire (or e.g. sign out in another tab in your browser).
3. Go to _Site Editor_ > _Add New Page_ (or any other item). JS alert appears.
project_key: JBEPP

Unauthorized use of Site Editor, e.g. clicking the _Add New Page_ link from the menu after session expiration, raises an unexpected JavaScript alert saying something like "_The target blockId to update is not found : _5371970_". It's only after you click _OK_ that the expected EPP info message saying you have no right to perform that particular action appears.

Comment 1 Miroslav Cupák 2011-09-19 12:34:02 UTC
Screenshot attached.

Comment 2 Miroslav Cupák 2011-09-19 12:34:02 UTC
Attachment: Added: blockid.png


Comment 3 Miroslav Cupák 2011-09-19 12:35:13 UTC
Link: Added: This issue is related to JBQA-5399


Comment 4 Matt Wringe 2011-10-21 20:14:31 UTC
Link: Added: This issue depends GTNPORTAL-2230


Comment 5 Matt Wringe 2011-10-21 20:21:49 UTC
Ok, so there are a couple of issues here:
- when clicking on the link it gets the div id for the popup based on the unauthenticated user, so it's not the same as the popup div id for the current document (since the current document is based on the now stale authenticated user).
- the ajax request tries to set the popup using the wrong div, which is what causes the BlockNotFound error message to pop up
- an infinite loop occurs and the page finally gets refreshed due to a timeout
- on the new refreshed page, it's the unauthenticated user, so the div id is now valid and the error message about not having permission to edit the page gets displayed

This situation is not limited to just the session expiration situation, it can also occur if a component on the page gets modified.

Solution applied to GateIn trunk to fix GTNPORTAL-2230 basically causes an alert to be displayed about the component not existing and the ajax request failing. It recommends refreshing the browser, but does not automatically perform this action.
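
One way a client-side handler could deal with the mismatch described in Comment 5, as an added example that is not part of the bug thread and is not GateIn or EPP code: it checks every target block before applying an AJAX response, reports once, and neither retries nor refreshes automatically. The page model, `createUpdater`, `applyUpdates` and every block id other than `_5371970` are assumptions made for illustration.

```javascript
// Added illustration with hypothetical names; not GateIn or EPP code.
// The page is modelled as a Map of block id -> markup, and an AJAX response
// as a list of { blockId, html } updates rendered by the server.
function createUpdater(page, notify) {
  let stale = false; // set once the response and the page disagree

  return function applyUpdates(updates) {
    if (stale) {
      // Already reported: drop further responses, no second alert, no retry.
      return { ok: false, applied: 0, missing: [] };
    }
    // Validate every target before touching the page (no partial update).
    const missing = updates
      .map((u) => u.blockId)
      .filter((id) => !page.has(id));
    if (missing.length > 0) {
      stale = true;
      notify("The target blockId to update is not found: " + missing.join(", ") +
        ". Please refresh your browser.");
      return { ok: false, applied: 0, missing };
    }
    updates.forEach((u) => page.set(u.blockId, u.html));
    return { ok: true, applied: updates.length, missing: [] };
  };
}

// Constructed sample: the page was rendered for the signed-in session; the
// response was rendered after the session expired, so the popup id differs.
function demo() {
  const page = new Map([
    ["_1111111", "<div>popup</div>"],
    ["_2222222", "<div>toolbar</div>"],
  ]);
  const alerts = [];
  const applyUpdates = createUpdater(page, (msg) => alerts.push(msg));

  const fresh = applyUpdates([{ blockId: "_1111111", html: "<div>popup v2</div>" }]);
  const staleResponse = applyUpdates([
    { blockId: "_2222222", html: "<div>toolbar (anonymous)</div>" },
    { blockId: "_5371970", html: "<div>no permission</div>" },
  ]);
  const later = applyUpdates([{ blockId: "_2222222", html: "<div>x</div>" }]);
  return { fresh, staleResponse, later, alerts, toolbar: page.get("_2222222") };
}
```

The same check covers the other case the comment mentions, where a component on the page was modified after the document was rendered.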

Comment 7 Jared MORGAN 2011-11-22 23:24:41 UTC
Release Notes Docs Status: Added: Not Required