Traveling and security

I’m traveling and am logged out of the forum. When I log in again, I receive a simple page with a message:

“You are not permitted to view the requested resource.”

So I’m thrown out of my own forum. How to clear that bit? I have SSH access.

You just need to log in to the forum. You don’t need SSH.

If you’re getting a “you are not permitted” error, then my best guess is that you have multiple accounts and you have logged in to the wrong one.

I used “login with email” (successfully) and tried to change the password with my current password: Discourse tells me my password is the same as my current password.

So I think this is a new issue with changing IP addresses (I’ve been receiving security emails from Discourse telling me I have logged in from various places, which is totally OK in my case.)

But this getting logged out and forbidden to log in is quite unusual.

Maybe there’s a behavioral thing: I logged in and went straight to user preferences to check whether there’s a Basque translation (there’s not yet), and bam, the next thing I know is the error message.

Note that logging in by email seems to have reset the behavior somehow. It’s not a solution, but may point at something in the security process.

I am not following this at all? What are the repro steps?

It’s difficult to say. Today I received a notice from a user who was logged out as well and could not reset password or something – it may or may not be related.

I guess there were existing sessions that somehow staled through the latest upgrade (06c2e28bbb) causing this weirdness. I did not review the commits in detail so I really don’t know what could interfere and how to reproduce the steps.

So far I’m left on this specific instance (the master of a multisite) with this bug and the Reordering Categories Produces Error 422 bug which do not appear on other instances in the same pool.

I’m thinking of regenerating this instance from a backup and seeing if that solves both bugs. What do you think? Is there a specific process to follow in order to ensure a migration was not missed or run incompletely?

Steps to Reproduce

  1. Have a logged-in session
  2. Be logged out (“You have been logged out”)
  3. Log in again
    1. Either you get “You are not permitted to view the requested resource.”
    2. Or you go to step 2.

It’s difficult to say what is playing here, as I rebuilt the instances (multisite, multicontainer, but only this instance is showing wrong behavior), the behavior is not consistent, and a first load of the page shows a number of Ember.js deprecation notices and a warning about potential memory leaks:

[Warning] `decorateCooked` should be supplied with an `id` option to avoid memory leaks. (application-99518d64d00e736aef6d781a381fc85d8f31113c37f3ea1abca6c5b580c5dab9.js, line 1)
[Warning] [DEPRECATION] `ember-addons/ember-computed-decorators` is deprecated. Please use `discourse-common/utils/decorators` instead. (ember_jquery-c2cca4a19fd4c70eabc95b010a6d7643955ec2a2251aeb1d70f625773eebea21.js, line 1)

I had a bizarre issue last week which seemed to be resolved by a backup and restore. I restored to a different machine and never managed to test whether doing it in place would have fixed it.

Tried backup/restore in-place: the 422 bug remains. I’m waiting to see the “auto-logout” feature :wink:

I’ll try to explore this and the other bug more in-depth by the end of the year.

Can you repro this @jomaxro?

Based on the steps in post 7, no, I cannot repro this. Tested on try (not a multisite) as well as on a random hosted site which is part of a multisite.