PUBLIC project visibility does not support anonymous access — unauthenticated users redirected to login (SZ-135)
rk@tigase.net opened 17 hours ago

Summary

PUBLIC project visibility does not support anonymous access. Unauthenticated users are redirected to the login page instead of seeing PUBLIC projects.

Steps to Reproduce

  1. Create a PUBLIC project (e.g. test-public)
  2. Log out completely
  3. Navigate to http://localhost/app/projects

Expected Behavior

PUBLIC projects should be visible to unauthenticated users without requiring login. This is the standard semantics of PUBLIC visibility in any project management platform.

Actual Behavior

Frontend calls GET /api/users/me on load. Receives 403 Forbidden. Redirects to /login. No project content is shown.

  • rk@tigase.net commented 17 hours ago

    Root Cause

    Two separate gaps:

    1. Frontend: unconditionally calls /api/users/me on application load and redirects to /login on 403, with no anonymous browsing path.
    2. Backend: /api/projects is protected by session authentication with no carve-out for unauthenticated access to PUBLIC projects.

    Current Effective Semantics

    PUBLIC visibility currently means "visible to all authenticated users" rather than "visible to everyone including anonymous." This is an incomplete implementation of the visibility contract.

    Known Limitation for 1.10.0

    Anonymous access to PUBLIC projects is out of scope for this release. The limitation is accepted and documented here.

    Proposed Fix (backlog)

    Frontend:

    • On 403 from /api/users/me, do not redirect to login — instead render in anonymous mode showing only PUBLIC content
    • Protect write actions and non-PUBLIC routes with login redirect

    Backend:

    • Permit unauthenticated GET /api/projects in SecurityConfig, returning only PUBLIC projects when no session is present
    • Permit unauthenticated GET /api/projects/{id} for PUBLIC projects only

    Affected Components

    • Frontend app bootstrap / auth guard
    • SessionAuthSecurityConfig (permitAll rules)
    • ProjectController (anonymous project list)
    • ProjectServiceImpl (anonymous project query)

    Severity

    Medium — PUBLIC visibility is partially implemented. Authenticated external users are also affected (separate defect logged). Anonymous access is a known gap.

    Time Estimate

    3–5 days (frontend anonymous mode + backend permitAll + testing)
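The backend half of the proposed fix, written out as an added example rather than code from the SZ-135 tracker or the project itself. It assumes Spring Security 6 and Spring MVC (consistent with the SecurityConfig/permitAll wording in the comment) and invents ProjectDto, ProjectVisibility, ProjectRepository and its query methods purely for illustration. The point it makes beyond the bullet list: permitAll only lets the request reach the controller, so the PUBLIC filter has to live in the query, and the by-id endpoint has to answer identically for "no such project" and "not PUBLIC" so that anonymous callers cannot enumerate private project ids.

```java
// Added example, not the project's own code: a sketch of the backend half of the
// proposed fix on Spring Security 6 / Spring MVC. ProjectDto, ProjectVisibility,
// ProjectRepository and its query methods are assumed names, not SZ-135 identifiers.
import java.util.List;
import java.util.Optional;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

enum ProjectVisibility { PRIVATE, INTERNAL, PUBLIC }

record ProjectDto(long id, String name, ProjectVisibility visibility) {}

// Assumed Spring Data style repository; the derived query method names are assumptions.
interface ProjectRepository {
    List<ProjectDto> findByVisibility(ProjectVisibility visibility);
    Optional<ProjectDto> findByIdAndVisibility(long id, ProjectVisibility visibility);
    List<ProjectDto> findVisibleTo(String username);                 // existing authenticated path
    Optional<ProjectDto> findByIdVisibleTo(long id, String username); // existing authenticated path
}

@Configuration
class SessionAuthSecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                // The carve-out is deliberately narrow: GET only, these two paths only.
                // POST/PUT/DELETE on /api/projects and every other /api route still need a session.
                // Ant "*" matches a single segment, so /api/projects/1/members is NOT opened up.
                .requestMatchers(HttpMethod.GET, "/api/projects", "/api/projects/*").permitAll()
                .anyRequest().authenticated());
        // Session/login configuration omitted; only the permitAll rule is shown here.
        return http.build();
    }
}

@Service
class ProjectServiceImpl {
    private final ProjectRepository repo;
    ProjectServiceImpl(ProjectRepository repo) { this.repo = repo; }

    // Anonymous queries filter on visibility inside the query itself, so a PRIVATE or
    // INTERNAL project is never loaded and then accidentally serialised.
    List<ProjectDto> listForAnonymous() {
        return repo.findByVisibility(ProjectVisibility.PUBLIC);
    }
    Optional<ProjectDto> findForAnonymous(long id) {
        return repo.findByIdAndVisibility(id, ProjectVisibility.PUBLIC);
    }
    List<ProjectDto> listForUser(String username) { return repo.findVisibleTo(username); }
    Optional<ProjectDto> findForUser(long id, String username) { return repo.findByIdVisibleTo(id, username); }
}

@RestController
class ProjectController {
    private final ProjectServiceImpl projects;
    ProjectController(ProjectServiceImpl projects) { this.projects = projects; }

    // permitAll only lets the request reach this method; the visibility decision is made here.
    @GetMapping("/api/projects")
    List<ProjectDto> list(Authentication auth) {
        return isAnonymous(auth) ? projects.listForAnonymous() : projects.listForUser(auth.getName());
    }

    @GetMapping("/api/projects/{id}")
    ResponseEntity<ProjectDto> get(@PathVariable long id, Authentication auth) {
        Optional<ProjectDto> p = isAnonymous(auth)
                ? projects.findForAnonymous(id)
                : projects.findForUser(id, auth.getName());
        // 404 for both "no such id" and "not PUBLIC": an anonymous caller must not be able
        // to tell the two apart and use the difference to enumerate private project ids.
        return p.map(ResponseEntity::ok).orElseGet(() -> ResponseEntity.notFound().build());
    }

    // With permitAll and no session, Spring Security still injects an
    // AnonymousAuthenticationToken (or null); both must count as "no user".
    static boolean isAnonymous(Authentication auth) {
        return auth == null || auth instanceof AnonymousAuthenticationToken || !auth.isAuthenticated();
    }
}
```

The frontend anonymous mode from the proposed fix is only a convenience on top of this; the backend filter is what actually enforces the contract. A useful manual check once the change lands: with no session cookie, GET /api/projects should list only PUBLIC projects, GET /api/projects/{id} for a PRIVATE project should return 404 (not 403, which would confirm the id exists), and any POST/PUT/DELETE under /api/projects should still be rejected exactly as it is today.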

Type: Bug
Priority: Normal
Assignee:
Version: none
Sprints: n/a
Customer: n/a
Issue Votes: 0
Watchers: 3
Reference: SZ-135