
Group Attendance Reminder Link Does Not Redirect Properly After Authentication #5615

Closed
2 tasks done
dataCollegechurch opened this issue Sep 28, 2023 · 5 comments
Labels
Fixed in v16.1 Status: Confirmed It's clear what the subject of the issue is about, and what the resolution should be. Topic: Rock Internals Related to internal core stuff. Type: Bug Confirmed bugs or reports that are very likely to be bugs.

Comments


dataCollegechurch commented Sep 28, 2023

Description

The Group Attendance Reminder Email uses this lava to generate a link for leaders to quickly review and enter attendance.

{% capture attendanceLink %}{{ 'Global' | Attribute:'PublicApplicationRoot' }}page/368?{{ Person.ImpersonationParameter }}&GroupId={{ Group.Id }}&Occurrence={{ Occurrence | Date:'yyyy-MM-ddTHH:mm:ss' | EscapeDataString }}{% endcapture %}

Users with elevated privileges may have impersonation blocked, and the system will end up generating a link that looks something like this.

http://www.rocksolidchurchdemo.com/page/368?rckipid=TokenProhibited&GroupId=117&Occurrence=2023-09-28T09%3A00%3A00

After the user navigates to this link they will be redirected to the login page and the url will look like this: https://www.rocksolidchurchdemo.com/page/207?returnurl=%252fpage%252f368%253fGroupId%253d117%2526Occurrence%253d2023-09-28T09%25253a00%25253a00

After the user logs in they will not be redirected back to http://www.rocksolidchurchdemo.com/page/368?rckipid=TokenProhibited&GroupId=117&Occurrence=2023-09-28T09%3A00%3A00 as desired. Instead they are redirected back to https://www.rocksolidchurchdemo.com/

Actual Behavior

Users are redirected to the homepage instead of the page specified in redirecturl

Expected Behavior

The user is always redirected to the redirecturl parameter's value after logging in if the Redirect Page block setting is not set

Steps to Reproduce

  1. Find or Setup a Small Group whose leader cannot be impersonated.
  2. Generate a Small Group Reminder Email that uses the Core Group Attendance Reminder Email Template
  3. Click on the Enter Attendance Button after receiving the email
  4. Login
  5. See Issue

Issue Confirmation

  • Perform a search on the Github Issues to see if your bug or enhancement is already reported.
  • Try to reproduce the problem on a fresh install or on the demo site.

Rock Version

15.1

Client Culture Setting

en-US


dataCollegechurch commented Sep 28, 2023

Note: This issue appears to be present in both the Legacy Login Block and the Obsidian Login Block.


rutledgek commented Sep 28, 2023

Yup, if in your email you remove the EscapeDataString from the date, you should get redirected fine. The problem is that the data string is escaped here and then escaped again in the redirect-to-login steps. So when you try to log in, the redirect URL is unescaped once but again.

To fix the impersonation I also did this:

{% capture occurrenceDate %}{{ Occurrence | Date:'yyyyMMdd' }}{% endcapture %}
{% assign personToken = Person.ImpersonationParameter %}
{% capture link %}page/757?GroupId={{ Group.Id }}&Occurrence={{ Occurrence | Date:'yyyy-MM-dd' }}{% endcapture %}
{% capture attendanceLink %}
{% if personToken contains 'TokenProhibited' %}
    {{ 'Global' | Attribute:'PublicApplicationRoot' }}{{ link }}
{% else %}
    {{ 'Global' | Attribute:'PublicApplicationRoot' }}{{ link }}&{{ Person.ImpersonationParameter }}
{% endif %}
{% endcapture %}

Then use {{ attendanceLink }} in the email on the links.

I agree that the token creator should fail more gracefully when the person cannot be impersonated, but there is a workaround.


dataCollegechurch commented Sep 28, 2023

Is there any reason an occurrence parameter needs to have the time included?

@dataCollegechurch

My typical fix for the TokenProhibited issue looks like this:
{% assign attendanceLink = attendanceLink | RegExReplace:'rckipid=TokenProhibited&','','i' %}

@sparkdevnetwork-service sparkdevnetwork-service added Type: Bug Confirmed bugs or reports that are very likely to be bugs. Status: Confirmed It's clear what the subject of the issue is about, and what the resolution should be. labels Sep 28, 2023
@sparkdevnetwork-service sparkdevnetwork-service added the Status: In Dev Queue This issue is being worked on, and has someone assigned. label Oct 6, 2023
@sparkdevnetwork-service sparkdevnetwork-service removed the Status: In Dev Queue This issue is being worked on, and has someone assigned. label Oct 24, 2023
@sparkdevnetwork-service sparkdevnetwork-service added the Status: In Dev Queue This issue is being worked on, and has someone assigned. label Nov 9, 2023
shauncummings added a commit that referenced this issue Nov 28, 2023
…sed through the login page URL redirection. (Fixes #5615)
@shauncummings

@dataCollegechurch and @rutledgek Thank you both for your work on this issue. There were two somewhat unrelated problems happening here:

  1. The "TokenProhibited" value was causing a null reference error because the code attempted to decrypt this value as if it were a token. That was corrected in 23e4981.
  2. Additionally, certain (slightly overzealous) security precautions were preventing your attendance reminder links from working if you accessed them without already being logged in from your current device/browser. The actual problem was not the URL escaping, but the fact that the default URL template included the time portion of the date, which is why @rutledgek's modified version works (because it omits the time). This was resolved in d090d7a.

These updates will be in the v16.1 release of Rock.
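Added example, not Rock's code: a short Python script that reproduces the nested returnurl encoding visible in the URLs quoted earlier in this issue (two percent-encoding passes over the attendance path) and shows a same-site check of the kind a login page can apply that still accepts the attendance path with its encoded colons; the function names, the observed-URL constants and the decode-round limit are assumptions built from the issue text.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed from the URLs quoted in this issue; none of this is Rock's own code.
# The path the reminder link targets (rckipid already dropped, as in the issue's returnurl).
ATTENDANCE_PATH = "/page/368?GroupId=117&Occurrence=2023-09-28T09%3A00%3A00"
# The returnurl value observed in the issue after the redirect to the login page.
OBSERVED_RETURNURL = ("%252fpage%252f368%253fGroupId%253d117%2526Occurrence"
                      "%253d2023-09-28T09%25253a00%25253a00")


def encode_rounds(value: str, rounds: int) -> str:
    """Percent-encode every reserved character `rounds` times (nested encoding)."""
    for _ in range(rounds):
        value = quote(value, safe="")
    return value


def decode_rounds(value: str, rounds: int) -> str:
    """Undo `rounds` levels of percent-encoding."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def reproduces_observed_returnurl() -> bool:
    """Two encoding rounds over the attendance path give the issue's returnurl.
    Python emits upper-case hex while .NET emitted lower-case, so compare case-insensitively."""
    return encode_rounds(ATTENDANCE_PATH, 2).lower() == OBSERVED_RETURNURL.lower()


def is_local_redirect(raw: str, max_rounds: int = 4) -> bool:
    """Accept a post-login target only if, after unwrapping any nested encoding,
    it is a site-relative path: no scheme, no host, no protocol-relative '//' and
    no backslash (which browsers treat as '/'). The round limit is an assumption."""
    target = raw
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    if not target.startswith("/") or target.startswith("//") or "\\" in target:
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""
```

Decoding the observed value once still leaves `%2f`/`%253a` in place, which is why a single unescape does not yield a usable path; only after all rounds are unwrapped can the target be judged, and the colons in the Occurrence time are harmless to the same-site check.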

@shauncummings shauncummings added Topic: Rock Internals Related to internal core stuff. Fixed in v16.1 and removed Status: In Dev Queue This issue is being worked on, and has someone assigned. labels Nov 28, 2023