Google OpenID and RSS loop.

[mfrazier]

If you are logged into Trac using Google OpenID and go to "View Tickets" at the bottom of the page you'll see the ability to "Download in other formats" choosing Comma-delimited text or Tab-delimited text those features work fine, but if you choose RSS it does not work. This issue also occurs when going to "Roadmap" and at the bottom of the screen it has a similar option to download in iCalendar this also does not work and I believe it's because this may be a bug in the authopenid-plugin.

[dairiki]

The RSS and iCal feeds work for me (when I click on the links using my logged-in-via-openid browser). (Trac 0.12.)

Can you be more specific about exactly what "does not work" means?

[sleske]

I think I can confirm this. To reproduce:

• log into trac using OpenID
• click "View tickets"
• under "Download in other formats" (page bottom) click the link "RSS Feed"

Instead of the RSS feed, you get an error page with the message:
Error: Not Found
No handler matched request to /login

When logged out, the RSS feed works correctly.

Configuration:
Trac from Debian package V1.0.1-2, running on Debian Linux, with
authopen-plugin 4.7, no other plugins installed.

############################

Looking into this, it seems the problem is that the link to the RSS feed
tries to re-authenticate the user.

The RSS link is rendered by:

    add_link(req, 'alternate',
             auth_link(req, report_href(format='rss')),
             _('RSS Feed'), 'application/rss+xml', 'rss')

(from ticket/report.py)

When logged in, the link is apparently intended to go to /login first to
authenticate the user. However, when authentication happens with the
authopenid-plugin, /login does not exist, thus the error.

[dairiki]

Thanks for the report @sleske . So this is a trac >= 1.0 issue.

At first guess it seems the only real fix would be to implement our own replacement handler for /login — one which respects the referer query arg; and one whch does nothing but redirect if the user is already authenticated. (There is PR #10, but I don't think that’s sufficient, since I don't think it does the redirects.)

As a hack, it may be possible to mangle the link URLs from an appropriately constructed site template — along the lines of what I describe here. Though it will be trickier to extract the real URL from the referer query arg — I suspect it's possible, but don't know quite how to do it, atm.

[mfrazier]

Thank you Sebastian for reproducing and thank you Jeff for looking into this, currently I am trying to circumvent this by using Apache rewrite, but if anyone has a better idea I am all ears.

[sleske]

Well, you could just change the line I indicated, by removing the auth_link() call. Then the link may not work for people not logged in, but it should work otherwise. Still not nice, but might help...

[mfrazier]

Even after removing the auth_link from trac/ticket/report.py, removing report.pyc, and restarting apache, the RSS Feed link still shows up as https://mydomain.com/trac/login?referer=%2Ftrac%2Freport%2F7%3Fasc%3D1%26format%3Drss%26USER%3Dmyuser which when clicked causes my browser to go back to the openid login, it verifies my login then goes back to the page I was on without doing anything for RSS.

[mfrazier]

I spoke too soon, there was another place I needed to remove the auth_link() call, I went ahead and did this, but the results are not what I am wanting it yields the url: https://mydomain.com/trac/report/RSS%20Feed, which of course tries to call the handler /report/RSS Feed which does not exists. I want the url to be https://mydomain.com/trac/report?asc=1&format=rss