One more thing: I discovered that there needs to be a change to the SOAP API to make this scenario and any client access to attachments work.

At the moment, the SOAP API returns a URL that looks as follows:
http://www.example.com/mantisbt/file_download.php?file_id=123&type=bug

Though the first thing that happens in the execution of this page is to attempt to authenticate the user.  When a client app is accessing such a URL, there is no authentication cookie.

Scenario 1: a client that wants to download a file
The client will get the download_url but will fail to download the file  (or returns invalid data) since it is not authenticated.

Scenario 2: MantisTouch wants to download the file
When the client attempts to access the download URL from MantisTouch and Mobile Browser, the authentication detects that the user needs to be authenticated and directs them to the login page, which directs them to MantisTouch, hence causing the download to fail.

The fix to the above scenarios is to have the SOAP API return a pre-authenticated URL.  The URL will look similar to the one above with a suffix like: &hash=<md5hash>.  The md5 hash can be constructed from a secret plus info specific to the file.  For example, in master it can be md5( <salt> . <file_id> . <file_size> ).  In 1.2.x, we can replace the salt with the db password.  Note that the contract can be that the URL is expected to be downloaded soon after it is retrieved, so changing this over time should not be an issue.

Now if we want to enforce that the URL is short lived, we can also include a time stamp in it, and allow the URL to be used within 5 minutes from the time the url was created.

The change is pretty simple.  I already have it implemented without the timestamp.

Let me know your thoughts.
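
The pre-authenticated URL with the 5-minute timestamp described in the message above, as an added example that is not part of the original e-mail or MantisBT's code. It assumes HMAC-SHA256 in place of the md5 concatenation; the function names, the `expires` parameter and the sample secret, file size and timestamps are hypothetical.

```php
<?php
// Added example, not MantisBT code. All names and sample values are constructed.
const URL_TTL_SECONDS = 300; // the 5-minute window suggested in the message

// Keyed hash over the file-specific fields plus the expiry time.
function attachment_token(string $secret, int $fileId, int $fileSize, int $expires): string
{
    // Fields are delimited so that (12, 3) and (1, 23) give different inputs.
    return hash_hmac('sha256', implode('|', [$fileId, $fileSize, $expires]), $secret);
}

// What the SOAP side would hand to the client instead of the bare URL.
function presigned_download_url(string $base, string $secret, int $fileId, int $fileSize, int $now): string
{
    $expires = $now + URL_TTL_SECONDS;
    return $base . '?' . http_build_query([
        'file_id' => $fileId,
        'type'    => 'bug',
        'expires' => $expires,
        'hash'    => attachment_token($secret, $fileId, $fileSize, $expires),
    ]);
}

// What the download page would check before serving the file without a cookie.
// $fileSize comes from the server's own record of the file, never from the URL.
function verify_download_request(array $params, string $secret, int $fileSize, int $now): bool
{
    foreach (['file_id', 'expires', 'hash'] as $key) {
        if (!isset($params[$key]) || !is_string($params[$key])) {
            return false; // missing or array-valued parameter
        }
    }
    if (!ctype_digit($params['file_id']) || !ctype_digit($params['expires'])) {
        return false;
    }
    $expires = (int) $params['expires'];
    if ($now > $expires) {
        return false; // link is past its validity window
    }
    $expected = attachment_token($secret, (int) $params['file_id'], $fileSize, $expires);
    return hash_equals($expected, $params['hash']); // constant-time comparison
}

$secret = 'constructed-sample-secret';
$url = presigned_download_url('http://www.example.com/mantisbt/file_download.php', $secret, 123, 4096, 1397200000);
parse_str(parse_url($url, PHP_URL_QUERY), $params);
var_dump(verify_download_request($params, $secret, 4096, 1397200060)); // one minute after issue
var_dump(verify_download_request($params, $secret, 4096, 1397200400)); // past the window
$params['file_id'] = '124';
var_dump(verify_download_request($params, $secret, 4096, 1397200060)); // file_id altered
```

Because the expiry is part of the signed input, a client cannot extend the window by editing `expires` in the URL.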



From: vboctor@outlook.com
To: mantisbt-dev@lists.sourceforge.net
Date: Thu, 10 Apr 2014 23:52:50 -0700
Subject: [mantisbt-dev] Redirecting to MantisTouch via a Plugin

Hi all,

I'm thinking of replacing MantisBT to MantisTouch redirection logic with a plugin.  The plugin implementation can be found at [1].

The following code will be removed from master:
- mobile_api.php
- $g_mantistouch_url
- code in core.php that does the redirection.

This will fix the following bugs:
- #15346: Unable to view attachments on mobile when g_mantistouch_url is set
- Part of the fix for #17144: Need a way for new users to create an account.

The plugin utilizes the EVENT_CORE_READY event and does a redirect when appropriate.

Have a look at the code / approach and let me know your thoughts.  If it makes sense, then I will submit a pull request for the changes to master to apply the changes listed above before we release.

[1] https://github.com/vboctor/MantisTouchRedirect

Thanks,
-Victor
