Users who are not logged in cannot attach file to ticket

[trainor1]

Hi All,

I installed version 1.0 last week. I believe that the new version has different behavior with respect to allowing users who are not logged in to attach files to tickets. I will include files below to help explain the circumstances.

Meanwhile, here is my use case. Users are students taking a Python programming course. We are using PyCharm. When they need coding help, I have told them to zip up their PyCharm project and upload it to a ticket. Despite the fact that django-heldesk to accept .zip files attached to emails, this workflow is not possible for my students because the university removes .zip files from outbound emails. So, the workaround has been for students to open a ticket with an email. Then, when they get the confirmation email from the server, they are to click on the ticket link to bring up the ticket page. Then, they are to navigate to the bottom of the page and attach the .zip file.

I believe that this was working fine before I installed version 1.0. Presently, whenever a user who is not logged in tries to attach a file to a ticket they receive a "500 Server Error" page. In the server log, I see the following message: "There are no public queues defined - public ticket creation is impossible". I can confirm that none of my queues allow public ticket creation. Yet, previously, this did not prevent users from attaching files.

I am going to attach my server log file and sanitized settings files below in case you they might help you understand the problem. Thanks for your help.

Kevin

django_02-error.log
base.py.settings.txt
production.py.settings.txt

[uhurusurfa]

It appears as if the link sent in the email is invalid.
Can you confirm the structure is something like this:
https://helpdesk.yourdomain.com/view/?ticket=[TICKET_ID HERE]&email=[SUBMITTER EMAIL HERE]&key=[SOME RANDOM STRING]

However, I have followed the logic in the code base and the only option for updating a ticket as an unauthorised user is to close the ticket.
Any other update to the ticket will require the user to be logged in and this logic has not been changed in well over 2 years as far as I can see.

NOTE: Allowing public users to add attachments to tickets opens up your site to DOS attacks where the attacker simply writes a script to submit attachments till your server storage fills up and this app is highly unlikely to support that behaviour by allowing public uploads of attachments.

[timthelion]

I'm pretty sure I wrotelogic to allow anyone with the ticket key (that thing in the URL) to update the ticket.

[trainor1]

I always assumed that we were relying on the ticket keys for security. So, I wasn't concerned that users could comment and attach files while not logged in.

In the last version, my users were able to click on the link in their confirmation email to bring up their ticket. Then, they were able to make comments and attach files.

In version 1.0, users can make comments. But, when they try to attach a file, they get a 500 server error.

Did we change this behavior intentionally or is it a side-effect of some other feature?

[timthelion]

This is either a bug or a configuration error.

[trainor1]

This is the ticket url from my most recent test ticket:

https://trainorhelpdesk.ligent.net/view/?ticket=test-course-172&email=ktrainor@ligent.net&key=93927c23-1f77-4a2e-8c06-f43b76e01a56

[timthelion]

What we need is a stack trace, you may need to configure stack trace loggibg to console. Chat gpt can tell you how to do that 😉

[trainor1]

I don't think that stack traces are currently included in my logging setup. So, I will figure that out and post back with a stack trace.

[trainor1]

I spoke too soon. Here is a copy of the stderr log:

django_02-error.log

[timthelion]

There were some changes to file perms in the latest version, but maybe a chown -r would fix this?

[trainor1]

I appreciate your work on this. I have been distracted by my day job and unable to follow up on my end. But, I hope to get back to it soon. It occurs to me that I should make sure that I have the most up-to-date copy of the software installed and that I should try to reproduce the symptoms using that software. Here are a few questions related to making sure that I have the up-to-date software:

1. I have been getting my django-helpdesk from PyPI. Is that sufficient?
2. I have not been doing anything special to make sure that I am running a current version of the get_mail command. Is that updated when I update the django-helpdesk package that is imported into my project? Or, do I need to do something further to apply updates to that function?

Thanks again for your help.

Best,

Kevin

[trainor1]

Hi All,

I have finally found some time to work on this issue and resolve the problem. Before I resolved it, I discovered that I had a more general problem uploading files to tickets -- even when logged in. I believe that these problems were all related to file permissions in the /media folder. My final solution was to make sure that the media folder was owned by the user who runs the Django Web app. Also, I made sure that the Django Web app and the cron job that does manage.py get_email were both run by the same user. These fixes appear to have resolved my various problems in this area.

Thanks everyone for your suggestions.

Best,

Kevin