Bug
Rights insufficient on back
Developer comments
Related to fetching .main-menu (which is already in the page).
This goes deep. The reason for the rights insufficient message is indeed the request to .main-menu. It is also correct that the main menu is already in the page; the problem is that it is the main menu of a different user group. The index is taken from the browser cache, where it might be the one of the user logged in before. This bug needs a login/logout to take effect. In this case the access of .main-menu was blocked, but even if it is open. The main-menu is individualized, but .main-menu is a resource where only copies per language and user group are kept.
Either the index page must be prevented from being cached client side (which other resources?), or the main-menu must keep a copy per session in the server-side cache. In any case: not a quick fix.
This also has security implications: a user might access the main menu of a previously logged-in user (since it is embedded in the page and the page is in the client cache).
How to reproduce
* Go to ulti.info. Do not log in.
* Main menu > Players
* Click ongoing
* Click an entry to visit a player page
* Use the browser back button
* Rights insufficient message appears
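
The client-side caching problem described in the developer comments, as an added example that is not the project's own code: a constructed model of a URL-keyed browser cache in front of a hypothetical origin that embeds the group-specific main menu in the index page. The `/index` path, the group names and the `max-age` value are assumptions; `Cache-Control: no-store` is one way to keep the page out of the client cache.

```javascript
// Constructed model of a browser HTTP cache keyed by URL only, showing why a
// cached index page can expose the previous user's embedded main menu.
class BrowserCache {
  constructor() { this.entries = new Map(); }

  // Fetch through the cache; `server(url, session)` is a hypothetical origin.
  fetch(url, session, server) {
    const hit = this.entries.get(url);
    if (hit) return hit.body;            // served without contacting the origin
    const res = server(url, session);
    const directives = (res.headers['Cache-Control'] || '')
      .toLowerCase().split(',').map(s => s.trim());
    if (!directives.includes('no-store')) {
      this.entries.set(url, res);        // storable: survives login/logout
    }
    return res.body;
  }
}

// Origin that embeds the caller's group-specific main menu in the index page.
function makeServer(hardened) {
  return (url, session) => ({
    headers: hardened
      ? { 'Cache-Control': 'no-store' }        // never kept client side
      : { 'Cache-Control': 'max-age=3600' },   // weak: reusable for an hour
    body: `<nav class="main-menu" data-group="${session.group}"></nav>`,
  });
}

// Load the index as one user group, then load the same URL as another group
// in the same browser (the login/logout the bug needs to take effect).
function menuSeenAfterUserSwitch(hardened) {
  const cache = new BrowserCache();
  const server = makeServer(hardened);
  cache.fetch('/index', { group: 'admin' }, server);
  return cache.fetch('/index', { group: 'anonymous' }, server);
}
```

With the weak header the second load returns the menu of the first group; with `no-store` every load reaches the origin and gets the menu for the current session.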
Work sessions (2)

| Start | End | Participant |
| --- | --- | --- |
| 2017-07-31T19:14:43 | 2017-07-31T20:14:50 | Robert Cerny |
| 2017-08-01T09:39:16 | 2017-08-01T10:17:22 | Robert Cerny |