salt method missing in card-mod-account 0.16.0 #1077

Closed · localhost opened this issue Jun 11, 2024 · 13 comments

localhost (Author):

I have a problem with a fresh Decko 0.16.0 installation.

Upon setting up the very first account, I get the following error when submitting the signup form:

exception = Card::Error::ServerError: undefined method `salt' for #<Card:0x00007efc9e821cd8>

I found that the error is raised in set/right/password.rb line 21 from the Decko dependency gem card-mod-account (0.16.0). If I temporarily assign an empty string to salt, it works. But the password wouldn't be salted then?

--- set/right/password.rb.orig
+++ set/right/password.rb
@@ -18,7 +18,7 @@
 end

 event :encrypt_password, :store, on: :save, changed: :content do
-  salt = left&.salt
+  salt = '' # left&.salt
   self.content = Auth.encrypt content, salt

   # errors.add :password, 'need a valid salt'
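Review bot: the `+  salt = '' # left&.salt` line trades the crash for silently storing a digest computed with an empty salt, so `Auth.encrypt content, salt` then depends on the password alone and every account sharing a password gets the same stored value. Since the error is `undefined method `salt'` rather than a nil `left`, the left card is loaded without its account set, and the commented-out `errors.add :password, 'need a valid salt'` is the safer direction: fail the save when no salt is available instead of persisting an unsalted hash.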
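As an added illustration of the concern raised above (why a password hashed with an empty salt is a problem, and what a fail-closed check looks like); this is example code, not Decko's `Auth.encrypt`, and the digest construction, `encrypt_password!` and `new_salt` are assumptions:

```ruby
require "digest"
require "securerandom"

# Constructed stand-in for a salted password digest (not Decko's Auth.encrypt):
# the stored value is a hash over the per-account salt and the password.
def encrypt_password(content, salt)
  Digest::SHA256.hexdigest("#{salt}--#{content}")
end

# Fail-closed variant: refuse to produce a digest when the salt is missing or
# empty, mirroring the commented-out "need a valid salt" error in the thread.
def encrypt_password!(content, salt)
  raise ArgumentError, "need a valid salt" if salt.nil? || salt.empty?
  encrypt_password(content, salt)
end

# Hypothetical per-account salt: 16 random bytes, hex encoded.
def new_salt
  SecureRandom.hex(16)
end

# With an empty salt, two accounts that chose the same password store the
# same digest; with distinct per-account salts the digests differ.
def same_password_collides?(password, salt_a, salt_b)
  encrypt_password(password, salt_a) == encrypt_password(password, salt_b)
end

# What an empty salt enables: one precomputed table of digests for a short
# list of common passwords matches every unsalted account at once.
# Returns the passwords recovered from the stored digests.
def unsalted_lookup_hits(stored_digests, candidate_passwords)
  table = candidate_passwords.to_h { |p| [encrypt_password(p, ""), p] }
  stored_digests.filter_map { |digest| table[digest] }
end
```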
ethn (Member) commented Jun 12, 2024

Thanks for the report! I just pushed out Decko 0.17.0, which I believe should fix this problem.

localhost (Author):

Hey @ethn, thank you very much!

Unfortunately, with the latest 0.17.0 installed and bundle exec decko update run, I get:

Processing by CardController#read as HTML
exception = Card::Error::ServerError: undefined method `read_rules_hash' for #<Card:0x00007f112e274bb0>
exception = NoMethodError: undefined method `read_rules_hash' for #<Card:0x00007f112e274bb0>
Completed 500 Internal Server Error in 43ms (ActiveRecord: 0.0ms | Allocations: 18866)

undefined_read_rules_hash.txt

localhost (Author):

I also have added quite a bit of content to my installation.

Would I need to involve the event to finalize registering somehow manually?

localhost (Author) commented Jun 12, 2024

Ok, I managed to render the login page (although without stylesheets) and then could reset my password with these safeguards:

diff -u card-mod-permissions-0.17.0/set/all/permissions.rb.orig card-mod-permissions-0.17.0/set/all/permissions.rb
--- card-mod-permissions-0.17.0/set/all/permissions.rb.orig
+++ card-mod-permissions-0.17.0/set/all/permissions.rb
@@ -97,7 +97,7 @@
   return false if Card.config.read_only # :read does not call #permit
   return true if Auth.always_ok?

-  Auth.as_card.among? who_can(action)
+  Auth.as_card.respond_to?(:among?) && Auth.as_card.among?(who_can(action))
 end

 def permit action, verb=nil
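Review bot: `Auth.as_card.respond_to?(:among?) && Auth.as_card.among?(who_can(action))` fails closed (a card without the account methods is denied), which is the right default, but it also hides the root cause; when the `respond_to?` branch is false, log the card's name and type so the misconfigured card can be found. Note also that a nil `Auth.as_card` still raises on this line, whereas the second hunk uses `Auth.as_card&.respond_to?`, so the two guards are inconsistent.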
@@ -136,7 +136,7 @@
   return true if Auth.always_ok?

   self.read_rule_id ||= permission_rule_id :read
-  return true if Auth.as_card.read_rules_hash[read_rule_id]
+  return true if Auth.as_card&.respond_to?(:read_rules_hash) && Auth.as_card.read_rules_hash&.[](read_rule_id)

   deny_because you_cant "read this"
 end
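Review bot: the `Auth.as_card&.respond_to?(:read_rules_hash) && Auth.as_card.read_rules_hash&.[](read_rule_id)` guard denies every read for a card lacking the account set, and the unchanged `deny_because you_cant "read this"` then gives no hint that the denial came from a missing method rather than a missing permission; use a distinct deny reason or a log line for the `respond_to?` false case so an admin debugging this can tell the two apart, and treat the guard as a temporary workaround rather than a fix.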

Now I can logout and login again with my password, without having to do a password reset to be logged in.

The signin page source shows 3 of these:

<span class="denied"><!-- Sorry, you don't have permission (read) --></span>

But the users table is still empty. Is this normal?

ethn (Member) commented Jun 12, 2024

It's normal that the users table is empty. That table is legacy and will be deleted at Decko 1.0. All the user handling was long ago moved into cards.

The problem is that you are somehow authenticated with a card that is not an account holder. Can you figure out what kind of card it is? For example, you could add debugging like:

puts Card::Auth.as_card.name
puts Card::Auth.as_card.codename
puts Card::Auth.as_card.type_name

My guess is that this card would be "Decko Bot" (with the codename wagn_bot). If so it's very strange that this card would not have the account holder methods.

If we can resolve the authentication issue, decko update should run. If we are able to get decko update to run, the stylesheet problems will likely get resolved.

Sorry for the nuisance.

ethn (Member) commented Jun 12, 2024

Come to think of it, this is probably related to the "salt" thing. Somehow the account methods are not being reached.

If you find a card that is supposed to be a user card that doesn't have the type "user", you can consider changing its type by going to bundle exec decko console and doing something like:

Card::Auth.as_bot { cardmark.card.update! type_id: :user.card_id }

... where cardmark is an id (Integer), name (String), or codename (Symbol).

If the problem is the DeckoBot card, we may have to correct the data in the database directly.

localhost (Author) commented Jun 13, 2024

Thanks for your help, I really appreciate it!

Unregistered, index:

Started GET "/" for 10.42.0.11 at 2024-06-13 10:14:59 +0200
Processing by CardController#read as HTML
ok_to_read?
Anonymous
anonymous
RichText
permitted?
Anonymous
anonymous
RichText
ok_to_read?
Anonymous
anonymous
RichText
ok_to_read?
Anonymous
anonymous
RichText
ok_to_read?
Anonymous
anonymous
RichText
  Rendered text template (Duration: 0.0ms | Allocations: 1)
Completed 403 Forbidden in 25ms (Views: 0.3ms | Allocations: 9873)
Started GET "/favicon.ico" for 10.42.0.11 at 2024-06-13 10:14:59 +0200
Processing by CardController#read as */*
  Parameters: {"mark"=>"favicon"}
  Rendered text template (Duration: 0.1ms | Allocations: 1)
Completed 404 Not Found in 16ms (Views: 1.0ms | Allocations: 1880)

"Sign In"

Started GET "/favicon.ico" for 10.42.0.11 at 2024-06-13 10:14:59 +0200
Processing by CardController#read as */*
  Parameters: {"mark"=>"favicon"}
  Rendered text template (Duration: 0.1ms | Allocations: 1)
Completed 404 Not Found in 16ms (Views: 1.0ms | Allocations: 1880)
Started GET "/*signin/titled" for 10.42.0.11 at 2024-06-13 10:16:50 +0200
Processing by CardController#read as HTML
  Parameters: {"mark"=>"*signin", "view"=>"titled"}
ok_to_read?
Anonymous
anonymous
RichText
ok_to_read?
Anonymous
anonymous
RichText
ok_to_read?
Anonymous
anonymous
RichText
  Rendered text template (Duration: 0.0ms | Allocations: 1)
Completed 200 OK in 44ms (Views: 0.3ms | Allocations: 22812)

Successful login:

Started PATCH "/update/*signin" for 10.42.0.11 at 2024-06-13 10:17:29 +0200
Processing by CardController#update as HTML
  Parameters: {"utf8"=>"_", "success"=>{"redirect"=>"true", "mark"=>"/"}, "card"=>{"subcards"=>{"+*email"=>{"content"=>"[email protected]", "type_id"=>"43"}, "+*password"=>"[FILTERED]"}}, "button"=>"", "mark"=>"*signin"}
permitted?
Anonymous
anonymous
RichText
Redirected to http://decko.example.com:3000/
Completed 303 See Other in 79ms (ActiveRecord: 24.6ms | Allocations: 18653)
Started GET "/" for 10.42.0.11 at 2024-06-13 10:17:29 +0200
Processing by CardController#read as HTML
  Rendered text template (Duration: 0.0ms | Allocations: 1)
Completed 200 OK in 219ms (Views: 0.3ms | ActiveRecord: 0.5ms | Allocations: 102341)
Started GET "/files/~445/1718130022.css" for 10.42.0.11 at 2024-06-13 10:17:30 +0200
Processing by CardController#read as CSS
  Parameters: {"explicit_file"=>true, "mark"=>"~445", "rev_id"=>"1718130022"}
Sent file /home/admin/plants/files/445/1718130022.css (0.2ms)
Completed 200 OK in 14ms (ActiveRecord: 0.0ms | Allocations: 3781)
Started GET "/files/~539/1718130012.js" for 10.42.0.11 at 2024-06-13 10:17:30 +0200
Processing by CardController#read as JS
  Parameters: {"explicit_file"=>true, "mark"=>"~539", "rev_id"=>"1718130012"}
Sent file /home/admin/plants/files/539/1718130012.js (0.1ms)
Completed 200 OK in 13ms (ActiveRecord: 0.0ms | Allocations: 3685)
Started GET "/files/~543/list.js" for 10.42.0.11 at 2024-06-13 10:17:30 +0200
Processing by CardController#read as JS
  Parameters: {"explicit_file"=>true, "mark"=>"~543", "rev_id"=>"list"}
Sent file /home/admin/plants/files/543/list.js (0.1ms)
Completed 200 OK in 9ms (ActiveRecord: 0.0ms | Allocations: 3682)
Started GET "/files/~552/search.js" for 10.42.0.11 at 2024-06-13 10:17:30 +0200
Processing by CardController#read as JS

...

Started GET "/files/:favicon/carrierwave-small.png" for 10.42.0.11 at 2024-06-13 10:17:30 +0200
Processing by CardController#read as PNG
  Parameters: {"explicit_file"=>true, "mark"=>":favicon", "rev_id"=>"carrierwave", "size"=>"small"}
Sent file /home/admin/.gem/ruby/3.3.2/gems/card-mod-carrierwave-0.17.0/data/files/favicon/image-small.png (0.4ms)
Completed 200 OK in 28ms (ActiveRecord: 0.0ms | Allocations: 3540)

When logged in, it doesn't seem to hit my puts. I'll try to gather a bit more information.

Addendum:

I just put it in ok? and my user's card name is alex, codename is empty, type is User.

localhost (Author):

Something different: I just got bitten by this: rubyworks/facets/issues/307, when I tried to add an image to a card using the menu option in the visual editor.

If I rename the method call in facets-3.1.0/lib/standard/facets/ostruct/initialize.rb from new_ostruct_member to new_ostruct_member!, it works. :)

localhost (Author) commented Jun 13, 2024

Ok, this is strange. The CSS error seems to be gone since I fixed the ostruct thing. 🍀

ethn (Member) commented Jun 13, 2024

Can you now run bundle exec decko update without error?

localhost (Author):

Yep, but that also worked previously, it just had no effect on the problems.

ethn (Member) commented Jun 13, 2024

Ah, I think I misread an early comment.

I'm still a bit curious about that initial authentication error. Do you still have the #read_rules_hash error if you drop your respond_to? clause? I'm trying to figure out whether "Anonymous" or your own user card is the problem.

It's probably fine that you're not seeing the debugging after signed in if at that point you have an admin user and are probably bypassing the one-off permission checks with always_ok?.

But I'm now noticing that the permissions.rb code snippet you included doesn't look like 0.17 code. It should look like https://github.com/decko-commons/decko/blob/main/mod/permissions/set/all/permissions.rb (see #permit).

It's also surprising to me that this facets gem would cause problems for decko because it's not a gem that decko uses. Are you adding that (or something that depends on it) to your Gemfile?

localhost (Author) commented Jun 13, 2024

Got it! It's the JS interpreter ducktape (used via execjs, which itself is required by coffee-script coming from activesupport), that imports facets/ostruct.

I just removed card-mod-permission and reinstalled it via gem install card-mod-permissions --version 0.17.0. It produces exactly the same diff output.

Also my local 0.17.0 is exactly the same as the refs/heads/main you linked.

I'm now using the unpatched permissions.rb from v0.17.0 and I also see the CSS when not logged in. Everything else works fine, too.

So it seems this was all related to the fact that Ruby 3.3.2 triggers the new_ostruct_member missing method exception from facets, which is used with the ducktape JS interpreter.

Well, it could be that originally the admin account wasn't set up completely, because the registration didn't go through. But this seems to have been fixed with your account event change from 0.17.0.

Maybe the constellation of the stars was also involved somehow. 😁
