[SOLVED] Impossible to logout

In 2 of my 4 KANBOARD installations I cannot log out.

STR:

  1. Log in to KANBOARD with Plugin “Group_assign” installed (if not already done)
  2. In Profile Image Dropdown (top right area of screen): Click “My Dashboard” (but does not matter from where you try)
  3. In Profile Image Dropdown (top right area of screen) click last item “Logout”
    » expected: logout, login page appears
    actual: Message “Access Forbidden” right from KANBOARD project Icon :disappointed_relieved:
    and identical message with red background below. This message will disappear after several seconds.

Additional Info:

a) I tried with all other Plugins removed from installation. Reason is Plugin “Group_assign”
a1) but in 2 other installations with that plugin installed logout works fine.
b) More research: next year :wink:

My Configuration

  • Application version: 1.2.43 , installed at hoster All-Inkl

  • PHP version: 8.3.14-nmm1

  • PHP SAPI: fpm-fcgi

  • HTTP Client: cURL

  • OS Version: Linux 6.8.0-51-generic

  • Database driver: mysql

  • Database version: 10.11.8-MariaDB-0ubuntu0.24.04.1-log

  • Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:117.0a) Gecko/20100101 SeaMonkey/2.53.20B1, Build 20241213223615; Same with FF Trunk 135.0a1 (2024-12-31) (64-Bit),

  • Profile Language: German - DU

  • Plugins:

    • Broadcast 1.1.1
    • Calendar 1.5.0
    • Customizer 1.14.2
    • Group_assign 1.8.2
    • KanboardSearchPlugin 1.1.0
    • MarkdownPlus 1.1.5
    • PasteImageToMarkdown 1.1.0
    • PluginManager 4.7.0
    • Self-Registration 1.0.8
    • SubtaskDescription 1.1.1
    • TagManager 1.6.0
    • Task2pdf 1.8.0
    • Wiki 0.3.8 dev

Welcome to plugin hell!

This we already had earlier, in case you don’t remember. :wink:

Happy new year to everybody!

1 Like

Hi Alfred,

thx, the comment out trick does the job. The patched version of Customizer-1.14.2 does not help for the tested installation, because the reason is plugin Group_assign 1.8.2.

I remembered “Kanboard 1.2.41 …”, but only for “Customizer”; and to be honest, I did not test, which of both plugins is the reason for my problem in the other installation. I will test that immediately.

And for the other KANBOARD installation the patched Customizer-1.14.2 solved the problem.

Thx!

What’s wrong with Group_assign? Logout works on my testing instance with both plugins installed.

  • Customizer 1.14.2
  • Group_assign 1.8.2

Commenting worked fine for me, but the patched version did not fix my issue to logout.

Note: the only other plugin I’m using is Moon, which does not prevent logout when alone.

I assume you took the Customizer-1.14.2.zip from the GitHub repo, which indeed doesn’t work, as it doesn’t contain my modifications.

If you download and install my patched Customizer-1.14.2.zip, logout will work as expected.

Just verified with:

  • Kanboard 1.2.43
  • Customizer 1.14.2 (patched)
  • Moon 1.4.6

I was pretty confident that I did use the zip file hosted on Owncloud. I’ll try again before I give my definitive answer :slight_smile:

Ok my bad, your zip does the job. Thanks!

1 Like

Hi, this just hit me out of the blue… I’d swear the logout worked until this week. The effect does not disturb anyone but me on this instance because nobody really logs out… why should they. I was hit while trying to switch into an admin account to juggle some stuff.
I don’t have the Customizer installed, just the Group_assign. And I’m not sure which line in which script I would have to comment out… Any new insights?

Michael

1 Like

Really? Isn’t there any other plugin besides Group_assign?
I cannot reproduce this with Kanboard 1.2.43 and Group_assign 1.8.2.

Ahhh, you got me there… I was fixed on the two mentioned in the thread… sorry for being so unspecific and thank you for a really quick reply.

We used a less advanced approach to solve this. What actually happened was that we upgraded from 1.2.39 to 1.2.43 this morning. I wasn’t aware of this, and yes, we need to use a QA system! So we rolled back to 1.2.40, which solved the issue, but not the problem. That is a task for another day.

Anybody tried the logs for some additional information yet?

Thanks again and a good weekend

With regards

Michael

In Kanboard 1.2.41, the function AuthController::logout was changed:

  • fix: add CSRF check to the logout endpoint

See the details here.

As a consequence, each plugin that overrides the file Template/header/user_dropdown.php needs to be updated.

You could still continue using the latest Kanboard (recommended), if you

  • update all your affected plugins, where available, or
  • patch all your affected plugins by hand, or
  • apply my proposal below.

1 Like

Bonus hint

To locate affected plugins & lines, you can run this command from your Kanboard directory.

$ find plugins/ -type f -name user_dropdown.php | xargs grep -n AuthController 

to get affected lines

plugins/Group_assign/Template/header/user_dropdown.php:42:                <?= $this->url->icon('sign-out', t('Logout'), 'AuthController', 'logout') ?>
plugins/Customizer/Template/header/user_dropdown.php:37:                <?= $this->url->icon('sign-out', t('Logout'), 'AuthController', 'logout', [], true) ?>

As you can see, the Group_assign plugin isn’t patched, but the Customizer is.

2 Likes
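
The command above lists every logout link in a plugin override; as an added example (not part of the original posts and not Kanboard's or any plugin's own code), the script below narrows that output to the links still missing the CSRF flag. It assumes the patched form is the one quoted for Customizer (`[], true` after `'logout'`), matches text on a single line only, and the function names `scan_logout_links` and `make_sample_tree` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report plugin logout links that were
# not updated for the CSRF check added to the logout endpoint in Kanboard 1.2.41.

# scan_logout_links DIR  (hypothetical helper name)
# Prints file:line:content for each AuthController/logout link in a
# user_dropdown.php override that does not pass `true` after the params array.
# The final grep drops links already in the patched form: 'logout', [], true
scan_logout_links() {
    find "$1" -type f -name user_dropdown.php \
        -exec grep -n "'AuthController', *'logout'" {} /dev/null \; |
    sort |
    grep -Ev "'logout', *(\[\]|array\(\)), *true" || :
}

# make_sample_tree  (hypothetical helper name)
# Builds a constructed plugins/ tree holding the two lines quoted in the
# thread and prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    for p in Group_assign Customizer; do
        mkdir -p "$root/$p/Template/header"
    done
    cat > "$root/Group_assign/Template/header/user_dropdown.php" <<'EOF'
<li>
    <?= $this->url->icon('sign-out', t('Logout'), 'AuthController', 'logout') ?>
</li>
EOF
    cat > "$root/Customizer/Template/header/user_dropdown.php" <<'EOF'
<li>
    <?= $this->url->icon('sign-out', t('Logout'), 'AuthController', 'logout', [], true) ?>
</li>
EOF
    printf '%s\n' "$root"
}

# Scan a real installation when a plugins directory is given as argument.
if [ "$#" -gt 0 ]; then
    scan_logout_links "$1"
fi
```

Run it as `sh scan.sh plugins/` from the Kanboard directory; an empty result means every override found already carries the flag.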