Resolve UserProfile Loading Errors From Unsecure pages #2494

Merged

Conversation

mean2me
Contributor

@mean2me mean2me commented Nov 30, 2018

When we have SSL enabled on single pages we get same-origin errors on loading AdminExperience -> Users -> UserProfile, since it's loaded into an iframe from an unsecure source.
This change will detect this specific case and will force iframe (or popup) source to be loaded as a secure page.

Steps to reproduce

  1. Install DNN under HTTPS
  2. Activate SSL Enabled and SSL Enforced in Settings > Security > More
  3. Create a blank page.
  4. Make sure Secure Connection for the page is enabled in Page Settings > Advanced > More
  5. Browse to the page (should navigate under HTTPS)
  6. Open PersonaBar > Manage > Users
  7. Click on Profile Settings icon of any user

Current Behavior:
The user profile is not displayed and the browser shows the following error in the console:

```
Mixed Content: The page at 'https://platform-930.dnndev.me/Secure' was loaded over HTTPS, but requested an insecure resource 'http://platform-930.dnndev.me/Host/Superuser-Accounts/ctl/Edit/mid/353/UserId/1/editprofile/true/portalid/0?popUp=true'.
This request has been blocked; the content must be served over HTTPS.
```
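
The case described above, an HTTPS page requesting an `http://` frame on its own host, can be detected and corrected before the URL is assigned to the iframe or popup. The following is an added client-side sketch, not code from this pull request or from DNN; the function names `isMixedFrame`, `secureFrameUrl` and `classify` are hypothetical, and the sample URLs are the ones from the console error.

```javascript
'use strict';
// Added illustration, not DNN's implementation. All function names are hypothetical.

// True when an HTTPS page would load `targetUrl` as an insecure frame,
// which browsers block as active mixed content.
function isMixedFrame(pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl, page); // relative URLs inherit the page scheme
  return page.protocol === 'https:' && target.protocol === 'http:';
}

// Returns the URL to assign to the iframe or popup. Only same-host http:
// targets on the default port are upgraded; everything else is returned
// unchanged so the caller can decide what to do with it.
function secureFrameUrl(pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl, page);
  if (!isMixedFrame(pageUrl, targetUrl)) return target.href;
  if (target.hostname !== page.hostname) return target.href; // other site: do not guess
  if (target.port !== '') return target.href; // explicit HTTP port: HTTPS port unknown
  target.protocol = 'https:';
  return target.href;
}

// Reports what happens to a frame request once the upgrade rule is applied.
function classify(pageUrl, targetUrl) {
  const original = new URL(targetUrl, pageUrl).href;
  const url = secureFrameUrl(pageUrl, targetUrl);
  if (isMixedFrame(pageUrl, url)) return { action: 'blocked-by-browser', url };
  return { action: url === original ? 'unchanged' : 'upgraded', url };
}

// URLs taken from the console error in the description above.
const PAGE = 'https://platform-930.dnndev.me/Secure';
const PROFILE = 'http://platform-930.dnndev.me/Host/Superuser-Accounts/ctl/Edit/mid/353/UserId/1/editprofile/true/portalid/0?popUp=true';

console.log(classify(PAGE, PROFILE));
```

Targets on another host or on an explicit HTTP port are left alone and reported as `blocked-by-browser`, because rewriting their scheme would only guess that an HTTPS endpoint exists there.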

zyhfish and others added 15 commits July 12, 2018 11:10
@mitchelsellers
Contributor

@mean2me for all future Pull Requests can we please get detailed titles that are helpful to all reviewing requests. References to internal ESW tickets that we do not have exposure to make management of the PRs as well as release notes complicated. I've updated the title on this one for you.

@ashishpd @daguiler can you communicate this to the rest of the team?

@mitchelsellers mitchelsellers added the esw Issues reported by ESW team or Evoq customers label Nov 30, 2018
@mitchelsellers mitchelsellers changed the title Customer defect/dnn 26576 Resolve UserProfile Loading Errors From Unsecure pages Nov 30, 2018
@mean2me
Contributor Author

mean2me commented Nov 30, 2018

@mitchelsellers You're right. Actually I forgot to adjust PR title. 🙇 👍

@daguiler
Contributor

This works as expected now @mean2me. Approving.

@daguiler
Contributor

@mitchelsellers I added repro steps to the PR's description.

@mitchelsellers mitchelsellers merged commit 102d49d into dnnsoftware:development Dec 31, 2018
@ohine ohine added this to the 9.3.0 milestone Jan 13, 2019
zyhfish pushed a commit to zyhfish/Dnn.Platform that referenced this pull request Mar 29, 2019

* NOJIRA: mark as stable.

* DNN-21637: add config key.

* DNN-26576: prevent same-origin errors when loading popup and iframes from a secure page.

* code review

* Code review
mitchelsellers pushed a commit that referenced this pull request May 14, 2019
* DNN-27517: force user logout after password changed in other place.

* DNN-27517: update code by review.

* DNN-27517: add host settings to control whether force logout after password changed.

* NOJIRA: mark as stable.

* Fixed bugs on add/remove user permissions for modules

* Change algorithm to SHA1CryptoServiceProvider

* Updated Issue Templates to include new RFC template and to support submissions for 9.3.0 release

* Corrected structure to avoid issue linking

* code review

* User registration: end the response after redirect (#2511)

* Initial New User Email Not Sending At Time of Creation (#2492)

This is an alternative way to fix the above issue, proposed in dnnsoftware/Dnn.AdminExperience#174

As per @sleupold, we need to move email notifications from the UI to the core part.
Once this is approved and merged, we can remove email notifications from the UI and replace them with the updated controller method to let notifications be sent to their recipients.

fixes #2424

* Fix for missing SQL change (#2522)

Fixes #2521 by rebuilding the PortalsDefaultLanguage view

* Resolve UserProfile Loading Errors From Unsecure pages (#2494)

* NOJIRA: mark as stable.

* DNN-21637: add config key.

* DNN-26576: prevent same-origin errors when loading popup and iframes from a secure page.

* code review

* Code review

* (DNN-10795) - All pages except home page return 404 (#2032)

* DNN-10795 - All pages except home page return 404

I have witnessed that occasionally on app pool recycle all, except the home page, will return 404 until the application pool is recycled a second time.

I've reviewed the code & believe that the root cause of the issue is due to the fact that the code that builds the tab index, portalDepths dictionary & tabPaths dictionary is not thread safe. I can see code in the method TabIndexController.FetchTabDictionary is using SharedDictionary classes to store the tab dictionaries, however the code is not thread safe when adding the dictionaries to the cache. Therefore when multiple threads are executing the FetchTabDictionary method it's possible for an empty dictionary to be added to the cache.

To resolve this issue the code has been updated so that only one thread can add the dictionaries to cache at a time.

* Updated comment to trigger Code Licence workflow.

* Added compiled DLLs that include the fix for bug DNN-10795 (All pages except home page return 404) for DNN versions 8.0.4 through 9.2.2

* Recursive read lock acquisitions not allowed (#2423)

* DNN-23293 Recursive read lock acquisitions not allowed in this mode.

* DNN-23293 Recursive read lock acquisitions not allowed in this mode.

* Performance problems when huge number of portal aliases is in use (#2514)

* DNN-27498 Performance Issues

* DNN-27498 Performance Issues

* minor formatting

* Fixed case sensitivity issue

* Added mixed cased alias support to unit tests

* Fixed VanityUrl unit tests

* Fixed broken LockStrategy unit tests (#2531)

* Delete Fixed-DLLs folder that was added as part of PR for bug DNN-10795. (#2535)

* Modules > ModuleCreator > fixed path error (#2527)

* Fixed issue in ModuleCreator > Web > template.ascx

* Update DNN Platform/Admin Modules/Dnn.Modules.ModuleCreator/Templates/Web/Module - HTML/template.ascx

Co-Authored-By: mean2me <emanuele.colonnelli@gmail.com>

* All languages are highlighted along with current
- add css for languages

* Log name of package when uninstalling extensions (#2557)

* remove spaces

* DNN-20856 After export with Content Localization site language flags disappears from pages (#2578)

* Fixed parallel build (#2562)

* Set active Nuget package source to All

* Fixed parallel build

* Inclusion of NDepend logo on the readme. (#2598)

* Fix for missing SQL change

Fixes #2521 by rebuilding the PortalsDefaultLanguage view

* Added attribution to NDepend for the usage of their ADO tooling

* Fix image/link markdown

* Get language from transferred parameter (#2607)

* switch encrypt method. (#2616)

* DNN-29484: switch encrypt method.

* NuGet Package Improvements

Changes to modernize the NuGet packages published by the DNN Platform, fixes #2586.  The below-submitted changes in structure have been validated by consultation with the DNN Platform Community, Microsoft Representatives, as well as validation of documentation per the published .nuspec file definition (https://docs.microsoft.com/en-us/nuget/reference/nuspec)

In detail, the following items have been changed:

* Migration of license information to the suggested <license> node rather than the deprecated <licenseurl> node.
* Inclusion of target framework for all included .dll files, this prevents installation of the package to pre-4.5 projects protecting downstream users.
* Improved package descriptions based on discussions held in the RFC regarding these improvements
* Added Package-to-Package dependencies to ensure quick usage and inclusion
* Updated the WebAPI and MVC packages to be holistic packages, including references to ALL needed items to develop using those patterns.

All changes are current for DNN Platform version 9.3.0 or later.  Packages have been built & tested locally with success.

## Suggested Usage

With these improved packages, development & references should be easier.

### MVC Modules

`Install-Package DotNetNuke.Web.Mvc`

Should be the only needed package installation.  It will install all needed dependencies, including the items necessary for WebAPI

### Modules Needing WebAPI (Not MVC)

`Install-Package DotNetNuke.WebApi`

Should be the only needed package for extensions not using MVC, however, needing to use WebApi for services.  This will work well for WebForms or Library projects, etc. that don't need the extra references for MVC/Razor

### WebForms/Limited Modules

`Install-Package DotNetNuke.Core`

The most simple modules, still using the WebForms pattern can use this package for the smallest footprint

For #2600

* Adjust the Source package to include changes from GitVersion (#2609)

* remove old ckeditor packaging steps

* Remove version to allow GitVersion to set it at build time (#2639)

* Adding 09.03.01.SqlDataProvider file

* Upgrade DNN to .NET Framework 4.7.2 (#2644)

* Upgraded app projects to .NET Framework 4.7.2; Added missing dependency to DotNetNuke.Tests.Core as it was missing DotNetNuke.Web.Client

* Removed targetframework web.config reference from Dnn.Modules.Console

* Reverted unintended changes