28 February 2013, 13:40

When editing a portfolio page, if anyone clicks the "Done" button at the bottom of the page, it sends you to mahara.domain.edu/mahara/view/. Notice the missing http:// or https://. Instead of this being your actual portfolio "view" page, like it should be, it's instead the default mahara login page that asks for your username and password.

If I add https://mahara.domain.edu/mahara/view/ to the front of the URL, it directs me to the correct Portfolio view page.

So this bug, if it is one, doesn't actually log you out. Clicking the Done button simply doesn't append an https:// (in our case) at the begining of the URL. This can be frustrating to our students who think they've been logged out (even though they haven't!) after clicking that done button.

I couldn't find anyone else who'd experienced this problem after a search in the bug tracker and the mahara site. Does anyone know what might be going on?

28 February 2013, 15:16

Hi Tony,

I think the lack of "http://" in the URL may be a red herring. Recent versions of Firefox and Chrome don't show the protocol when you're visiting an "http://" URL. But if you copy the URL out of the address bar and paste it back in again, you should see the "http://", if the URL actually has one. So, please try that and see if it shows up.

Assuming that is the case, it sounds like you've got something going on with your web server such that users are getting a different session if they access the site via http versus https (and since the session stores whether you're logged in or not, this causes them to see the site as logged out when they access it via http).

In your config.php file, I suggest changing your $cfg->wwwroot value to start with "https://" rather than "http://", and see if that resolves the issue.

Cheers,

Aaron

01 March 2013, 6:38

Hi Aaron,

Thanks for the reply. Our site should be running HTTPS and the config.php is configured as such with the wwwroot being set to $cfg->wwwroot = 'https://mahara.domain.edu/mahara/';

All of the other pages on the site do have https:// at the begining of the URL. The only time it sends you to an HTTP page is if you click the Done button when editing a page. You're probably right about the different sessions being the issue, but why would it send people to an HTTP page with just that one button?

Might it have something to do with the authentication plugins I'm using?

I actually just remembered that when we first began using Mahara, we were on version 1.4 which didn't have reverse proxy SSL support, and so we were stuck using HTTP. When I upgraded to 1.5, the option for SSLproxy was added so we began using HTTPS. Maybe there is something in the database that still thinks our site is running HTTP and was never updated?

-Tony

01 March 2013, 7:38

Where can I find the code for that Done button? I was trying to locate it so I could take a look at what it's doing. I wonder if maybe it never got support for the sslproxy = true setting...

01 March 2013, 14:24

Hi Tony,

It's sort of split across two files. :)

• The PHP script for the page with the Done button on it, is /view/blocks.php.
• The content of the page is laid out by a dwoo template file "view/blocks.tpl" (you can see that on the last line of blocks.php). In the standard theme this template will actually be located at /theme/raw/templates/view/blocks.tpl

The "Done" button in question is on line 72 of blocks.tpl. Normally in HTML the URL you go to after clicking a button comes from the "action" parameter of the form the button is part of. In blocks.tpl on line 62 you'll see the action for that form is {$WWWROOT}. That's a dwoo template variable, which is set to the value of $cfg->wwwroot from your config.php file (it's set in /lib/dwoo/mahara/Dwoo_Mahara.php, line 71)

I'm not yet familiar with mahara's SSL proxy feature, but perhaps this can get you started to see whether this bit is missing support for it.

Cheers,

Aaron

05 March 2013, 12:50

Aaron, thanks a bunch for the info!

It seems like it's probably not an SSL proxy issue since it's just geting the $WWWROOT which is set to https://

After looking at the /theme/raw/templates/view/blocks.tpl (lines 61-74) file, I wonder if it has to do with these IF and ELSE statements:

<div id="view-wizard-controls" class="center">
        <form action="{$WWWROOT}{if $groupid}{if $viewtype == 'grouphomepage'}{$groupurl}{else}view/groupviews.php{/if}{elseif $institution}view/institutionviews.php{else}view{/if}" method="GET">
        {if $groupid}
            {if $viewtype == 'grouphomepage'}
            <input type="hidden" name="id" value="{$groupid}">
            {else}
            <input type="hidden" name="group" value="{$groupid}">
            {/if}
        {elseif $institution}
            <input type="hidden" name="institution" value="{$institution}">
        {/if}
            <input class="submit" type="submit" value="{str tag='done'}">
        </form>
    </div>

Are those IF and ELSE statements changing the tail-end of the URL based on which page you're on when you click the done button? Do you have to satisfy one of the IF or an ELSE statements for the whole link to even work? Because there isn't an IF $viewtype == 'userpage' (the 'userpage' being a user created page that's not a group or institution page... not sure what the actual $viewtype for that is called).

Or am I barking up the wrong tree here?

It's really odd that just this ONE button is not going to HTTPS :(

Tony

07 March 2013, 11:15

Well, if none of the conditions on any of those if's match, it'll fall through to the last else in the chain, which is just "view".

The one oddity I really notice there, is that it should be "view/" with a slash on the end. Going to "http://example.com/view", if "view" is a directory and not a file, will cause most web servers to redirect you to "http://example.com/view/".

Perhaps that redirect is causing you problems? Try changing it from "{else}view{/if}" to "{else}view/{if}"

Cheers,

Aaron

07 March 2013, 12:43

Woop! It worked! Thanks so much.

I guess this should be made into a bug ticket so that it's fixed in future versions? Should I go ahead and do that?

07 March 2013, 13:50

Awesome!

I've already created a bug for this issue: https://bugs.launchpad.net/mahara/+bug/1150831 . It may be too late to get it into the next release, 1.7, since the release candidate is supposed to go out this week, but it's a small fix so at least it should be able to get into 1.8.

By the way, what web server are you using? I'm curious about whether this problem handling the missing trailing slash is specific to a particular web server.

Cheers,
Aaron

08 March 2013, 7:36

Our servers are currently running Apache 2.2.15. It looks like the DirectorySlash option should default to On, but for some reason it's not. There's nothing overriding it in any of our .conf files... weird. Maybe it's interacting with some other rewrite rule that's being used either on our load balancer or on the server.

I have a feeling it could be related to our load balancer...

Thanks for making the ticket and for the help!