Though the first thing that happens in the execution of this page is to attempt to authenticate the user. When a client app is accessing such url, there is no authentication cookie.
Scenario 1: a client that wants to download a file
The client will get the download_url but will fail to download the file (or returns invalid data) since it is not authenticated.
Scenario 2: MantisTouch wants to download the file
When the client attempts to access the download URL from MantisTouch and Mobile Browser, the authentication detects that user needs to be authenticated and directs them to login page, which directs them to MantisTouch. Hence, causing the download to fail.
The fix to the above scenarios is to have the SOAP API return a pre-authenticated url. The URL will look similar to the one above with a suffix like: &hash=<md5hash>. The md5 hash can be constructed from a secret plus info specific to the file. For example, in master it can be md5( <salt> . <file_id> . <file_size> ). In 1.2.x, it we can replace the salt with the db password. Note that the contract can be that the url is expected to be download soon after it is retrieved, so changing this over time should not be an issue.
Now if we want to enforce that the URL is short lived, we can also include a time stamp in it, and allow the URL to be used within 5 minutes from the time the url was created.
The change is pretty simple. I already have it implemented without the timestamp.
Let me know your thoughts.
From: firstname.lastname@example.org To: email@example.com Date: Thu, 10 Apr 2014 23:52:50 -0700 Subject: [mantisbt-dev] Redirecting to MantisTouch via a Plugin
I'm thinking of replacing MantisBT to MantisTouch redirection logic with a plugin. The plugin implementation can be found at .
The following code will be removed from master:
- code in core.php that does the redirection.
This will fix the following bugs:
- #15346: Unable to view attachments on mobile when g_mantistouch_url is set#
- Part of the fix for #17144: Need a way for new users to create an account.
The plugin utilizes the EVENT_CORE_READY event and does a redirect when appropriate.
Have a look at the code / approach and let me know your thoughts. If it makes sense, then I will submit a pull request for the changes to master to apply the changes listed above before we release.
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
mantisbt-dev mailing list