Page MenuHomePhabricator
Create Task
Maniphest T257667

access denied for coordinator on applications/list
Closed, ResolvedPublic
Actions

Description

A coordinator (who isn't a superuser) got the following server error today on /applications/list:

Traceback: 

File "/venv/lib/python3.8/site-packages/django/core/handlers/exception.py" in inner
  41.             response = get_response(request)

File "/venv/lib/python3.8/site-packages/django/core/handlers/base.py" in _legacy_get_response
  249.             response = self._get_response(request)

File "/venv/lib/python3.8/site-packages/django/core/handlers/base.py" in _get_response
  187.                 response = self.process_exception_by_middleware(e, request)

File "/venv/lib/python3.8/site-packages/django/core/handlers/base.py" in _get_response
  185.                 response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/venv/lib/python3.8/site-packages/django/contrib/auth/decorators.py" in _wrapped_view
  23.                 return view_func(request, *args, **kwargs)

File "/venv/lib/python3.8/site-packages/django/views/generic/base.py" in view
  68.             return self.dispatch(request, *args, **kwargs)

File "/app/TWLight/view_mixins.py" in dispatch
  109.         if not self.test_func_coordinators_only(request.user):

File "/app/TWLight/view_mixins.py" in test_func_coordinators_only
  106.         return user.is_superuser or user in coordinators.user_set.all()

Exception Type: AttributeError at /applications/list/
Exception Value: 'NoneType' object has no attribute 'user_set'

Navigating to this page as a superuser doesn't seem to cause a server error. I was able to open the page without issue on an account in the Coordinator group (and not a superuser). Unclear how to reproduce.

Related Objects

Event Timeline

Samwalton9-WMF created this task.Jul 10 2020, 11:46 AM
Restricted Application added subscribers: Sadads, Aklapper. · View Herald TranscriptJul 10 2020, 11:46 AM
Samwalton9-WMF edited projects, added The-Wikipedia-Library; removed The-Wikipedia-Library (Kanban).Jul 10 2020, 11:46 AM
Samwalton9-WMF moved this task from Backlog to To be discussed on the The-Wikipedia-Library board.
Samwalton9-WMF added a comment.Jul 10 2020, 1:41 PM

The user in question was simply navigating to the page from the homepage.

Samwalton9-WMF triaged this task as High priority.Jul 10 2020, 1:41 PM
Samwalton9-WMF moved this task from To be discussed to Kanban on the The-Wikipedia-Library board.
Samwalton9-WMF edited projects, added The-Wikipedia-Library (Kanban); removed The-Wikipedia-Library.
Samwalton9-WMF mentioned this in T257794: Server error on /users/my_library/.Jul 13 2020, 9:00 AM
jsn.sherman claimed this task.Jul 15 2020, 1:00 PM
jsn.sherman moved this task from Ready to In Progress on the The-Wikipedia-Library (Kanban) board.
jsn.sherman added a comment.Jul 15 2020, 6:41 PM

This is was a caused by an edge case that we had mitigated in some of the mixins but not others. The views_mixins module was super not-DRY, and had some confusingly named classes and methods. I factored one of the repetitive bits out into a base class and moved most of the auth check methods out to reusable static functions (They could've gone in the base class, but static functions allow for more test design options).

Hotfix awating deployment. Once it's live, let's have our impacted coordinator verify the fix. It's possible they'll get an erroneous 403 now instead of a 500. If so, that means there's another underlying bug I need to ID and fix as well.

jsn.sherman added a comment.Jul 15 2020, 6:59 PM

Hotfix deployed.

Samwalton9-WMF moved this task from In Progress to Review on the The-Wikipedia-Library (Kanban) board.Jul 16 2020, 10:41 AM

I've requested that a coordinator check this.

Samwalton9-WMF moved this task from Review to Done on the The-Wikipedia-Library (Kanban) board.Jul 16 2020, 2:36 PM

Coordinator confirms this is now working as expected.

Samwalton9-WMF closed this task as Resolved.Jul 17 2020, 9:05 AM
Samwalton9-WMF mentioned this in T238754: Upgrade project to Django 3.0.Jul 17 2020, 9:25 AM
jsn.sherman reopened this task as Open.Jul 28 2020, 12:33 PM
jsn.sherman added a subscriber: SoWhy.

It looks like @SoWhy has been encountering the erroneous 403 situation that I thought might still happen. Investigating.

jsn.sherman renamed this task from Server error on applications/list to access denied for coordinator on applications/list.Jul 28 2020, 2:29 PM
jsn.sherman moved this task from Done to In Progress on the The-Wikipedia-Library (Kanban) board.
jsn.sherman added a comment.Aug 3 2020, 5:23 PM

Hotfix deployed. @SoWhy can you let us know if the issue is resolved?

SoWhy added a comment.Aug 3 2020, 6:20 PM

@jsn.sherman Actually, it started working again on Thursday, not sure why. I assumed it had been fixed already.

jsn.sherman added a comment.Aug 3 2020, 6:59 PM

The nature of this bug meant that it wouldn't happen all the time. I'm going to mark this as done, but if it does come up again, please let us know.

jsn.sherman moved this task from In Progress to Done on the The-Wikipedia-Library (Kanban) board.Aug 3 2020, 6:59 PM
Samwalton9-WMF closed this task as Resolved.Aug 7 2020, 8:14 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL