search

UTRS2 / utrs

Unblock Ticket Request System (v2) used on Wikimedia projects
https://en.wikipedia.org/wiki/Wikipedia:Unblock_Ticket_Request_System
GNU Affero General Public License v3.0
25 stars 26 forks source link

Cannot view appeal (403) #738

Closed BlueberryFoxtrot closed 2 months ago

BlueberryFoxtrot commented 11 months ago

If I enter my appeal key on https://utrs-beta.wmflabs.org/ and click View my appeal, it says

403 Forbidden: You do not have access to view this page or perform this action."

Salvidrim commented 11 months ago

Clicking the "view my appeal" button on the home page loads https://utrs-beta.wmflabs.org/public/appeal/view with the message "your appeal key appeals to be wrong"

Clicking "view my appeal" on https://utrs-beta.wmflabs.org/public/appeal/view loads https://utrs-beta.wmflabs.org/public/appeal/view?hash=foobar123 and returns a 405 Method Not Allowed error

Unless this is some new server-side issue, might be related to the latest commit on Oct.2nd which was to address https://en.wikipedia.org/w/index.php?title=Wikipedia_talk:Unblock_Ticket_Request_System&diff=prev&oldid=1178203228

dqwiki commented 11 months ago

To address the originally reported issue of 403 Forbidden - My assumption is the appeal has been oversighted for whatever reason. I can't check that without knowing who the appeal was for, the appeal number or the key. That DOES NOT MEAN YOU SHARE THE APPEAL KEY HERE. Please send it to the developer email and I can investigate.

The 405s were the solutions to GHSA-p247-r7fj-jmm5 - and that is considered working as intended. Oct 2nd's change only affected the onwiki chart of appeals, it didn't touch any code in the application. If there is an actual issue, there would be no recent code change to affect it, as I've solely been working on #722

BlueberryFoxtrot commented 11 months ago

What is the developer email or where can the developer email be found?

BlueberryFoxtrot commented 11 months ago

Just to update, I'm starting to strongly suspect the bug is browser-dependent, and that the particular way the form is coded (new syntax?) causes the appeal key to not actually get submitted when using certain browsers, but that it works in others. I do note that the error I'm seeing is exactly the same as the server response I see when not entering any appeal key at all. I hope I can figure out more and provide additional information.

dqwiki commented 11 months ago

I doubt it's browser dependent. It's utrs-developers at-sign googlegroups.com (obviously replaced at-sign with @, just trying to prevent spam)

dqwiki commented 2 months ago

I found the source of the 403 I think was causing this. I've fixed it for now. Please advise if it comes back.