ActionController::RespondToMismatchError in wiki controller
https://sentry.gitlab.net/gitlab/gitlabcom/issues/1726282/?referrer=gitlab_plugin
ActionController::RespondToMismatchError: respond_to was called multiple times and matched with conflicting formats in this action. Please note that you may only call respond_to and match on a single format per action.
(144 additional frame(s) were not displayed)
...
active_support/callbacks.rb:428:in `block in make_lambda'
target.send(method, *arguments, &block)
projects/application_controller.rb:61:in `method_missing'
authorize_action!($1.to_sym)
projects/application_controller.rb:45:in `authorize_action!'
access_denied!
application_controller.rb:215:in `access_denied!'
respond_to do |format|
action_controller/metal/mime_responds.rb:209:in `respond_to'
raise ActionController::RespondToMismatchError
ActionController::RespondToMismatchError: respond_to was called multiple times and matched with conflicting formats in this action. Please note that you may only call respond_to and match on a single format per action.
Issue was refined in #237798 (closed).
Permissions and Security
None.
Documentation
None.
Availability & Testing
Controller tests.
Recommended MR Breakdown
1 MR.
Proposed solution
See the upstream issue where two workarounds were proposed: https://github.com/rails/rails/issues/40023#issuecomment-673675138
- Swap the order in access_denied! so format.html comes first.
  - This means we'd return a HTML response for a client sending Accept: */*.
- Explicitly check for request.formats.include?(Mime::ALL) in access_denied!.
  - This means we'd return a header-only response for a client sending Accept: */*.
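
The failure and the two workarounds above, as an added example that is not part of the original issue and is neither GitLab nor Rails code. It is a simplified model that assumes negotiation picks the first declared handler when the client sends Accept: */*; ModelAction, denied_response and the strategy names are hypothetical.

```ruby
# Simplified model of respond_to format negotiation; an assumption, not Rails source.
class RespondToMismatch < StandardError; end

ALL  = '*/*'        # what format.any registers in this model
HTML = 'text/html'

# Hypothetical stand-in for one controller action handling one request.
class ModelAction
  attr_reader :content_type, :body

  def initialize(accept)
    @accept = accept # media types from the Accept header, most preferred first
  end

  # handlers: Hash in declaration order, media type => body (nil = header-only).
  def respond_to(handlers)
    chosen = negotiate(handlers.keys)
    return if chosen.nil?
    # A later call that settles on a different type than an earlier one conflicts.
    raise RespondToMismatch if @content_type && @content_type != chosen

    @content_type = chosen
    @body = handlers[chosen]
  end

  private

  # A client sending */* gets whichever handler was declared first.
  def negotiate(order)
    @accept.each do |wanted|
      return order.first if wanted == ALL
      return wanted if order.include?(wanted)
    end
    nil
  end
end

# strategy: :any_first (as reported), :html_first or :check_all (the two workarounds).
def denied_response(accept, strategy)
  action = ModelAction.new(accept)
  action.respond_to(HTML => nil) # models before_action { respond_to :html }
  return :header_only if strategy == :check_all && accept.include?(ALL)

  pairs = [[ALL, nil], [HTML, 'not found page']] # constructed body text
  pairs.reverse! if strategy == :html_first
  action.respond_to(pairs.to_h)
  action.body ? :html_page : :header_only
rescue RespondToMismatch
  :mismatch_error
end
```

In this model a request with Accept: text/html never hits the conflict, which is consistent with the error only appearing for clients that send Accept: */*.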
Activity
- Markus Koller added Category:Wiki backend devopscreate + 1 deleted label
- Contributor
@ddash2 this is a new bug introduced by !37466 (merged), apparently Rails doesn't like repeated calls to respond_to

I wasn't able to reproduce this yet, I tried accessing show on a private wiki and edit on a public wiki without write permission, with different format parameters, but in all cases I got the expected 404 response. So I'll give this a tentative ~P4 / ~S4, also because it only happens when a user doesn't have permission in the first place.

I'm also not really sure what Rails wants us to do here, so I opened an upstream issue: https://github.com/rails/rails/issues/40023
- Contributor
Was able to reproduce now with an Accept: */* header, e.g. curl --header 'Accept: */*' -I 'https://gitlab.com/gitlab-com/create-knowledge-load-performance-tests/-/wikis/home/edit' triggers a 500 error.

It does look like a bug with the :any format in Rails (see my comment here), but in the meantime I think we could also work around this by moving our before_action { respond_to :html } call after the before_action :authorize_* calls.

@ddash2 the workaround should be a small fix if you have some time left to work on this!
- Maintainer
- Contributor
@.luke I was wondering about that as well when working on the original fix, but that only controls the (.:format) segment in the path, and still allows requesting other formats with a ?format= query parameter or an Accept: header.

Upstream has also proposed two workarounds now at https://github.com/rails/rails/issues/40023#issuecomment-673675138, and I saw it also works if we simply swap the order so format.any comes last. I think that solution would make the most sense, WDYT?

@ddash2 do you want to take this on, if you have time? We need to swap the order in access_denied! and render_403, and add some specs in spec/controllers/application_controller_spec.rb and spec/support/shared_examples/controllers/wiki_actions_shared_examples.rb.

You should be able to request the any format with something like headers: { 'Accept' => '*/*' } (same as params: in the get/post etc. methods in controller specs).
Hey @toupeira, unfortunately I don't think I will have enough time for this issue, since I am still working on the service response MR, and I am nearing the end of my internship.
- Contributor
@ddash2 ok no worries!
- Maintainer
@toupeira Oh interesting. I could swear I've previously fixed this same problem a few years ago in another Rails app by setting format in the routes, but now that I test this idea out, it doesn't work!
- Markus Koller added priority4 severity4 labels
- Markus Koller added workflowplanning breakdown label
- Darva Satcher added Backlog RefinementKnowledge label
- 🤖 GitLab Bot 🤖 mentioned in issue #237798 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue #237812 (closed)
- Luke Duncalfe changed the description
- Luke Duncalfe added workflowready for development label and removed workflowplanning breakdown label
- Luke Duncalfe set weight to 1
- Luke Duncalfe removed Backlog RefinementKnowledge label
- 🤖 GitLab Bot 🤖 mentioned in issue #240843 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue #243456 (closed)
- Markus Koller changed the description
- 🤖 GitLab Bot 🤖 added sectiondev label
- 🤖 GitLab Bot 🤖 mentioned in issue #246447 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue #249049 (closed)
- Markus Koller changed the description
- Markus Koller added workflowscheduling label and removed workflowready for development label
- 🤖 GitLab Bot 🤖 mentioned in issue #254150 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue #257776 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue #261983 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue gitlab-org/quality/triage-reports#477 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue gitlab-org/quality/triage-reports#536 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue gitlab-org/quality/triage-reports#612 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue gitlab-org/quality/triage-reports#677 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue gitlab-org/quality/triage-reports#710 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue gitlab-org/quality/triage-reports#800 (closed)
- Eric Schurter added groupeditor [DEPRECATED] label and removed 1 deleted label
- 🤖 GitLab Bot 🤖 mentioned in issue gitlab-org/quality/triage-reports#1021 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue gitlab-org/quality/triage-reports#1098 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue gitlab-org/quality/triage-reports#1170 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue gitlab-org/quality/triage-reports#1255 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue gitlab-org/quality/triage-reports#1360 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue gitlab-org/quality/triage-reports#1440 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue gitlab-org/quality/triage-reports#1507 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue gitlab-org/quality/triage-reports#1569 (closed)
- Francisco Javier López changed milestone to %Backlog
- 🤖 GitLab Bot 🤖 added [deprecated] Accepting merge requests label
- Contributor
- Roman Kuba changed milestone to %13.10
- Roman Kuba added Deliverable workflowready for development labels and removed workflowscheduling label
- Roman Kuba assigned to @athar and @fjsanpedro
- 🤖 GitLab Bot 🤖 removed [deprecated] Accepting merge requests label
- Athar Hameed added workflowin dev label and removed workflowready for development label
- Ghost User created merge request !56288 (merged) to address this issue
- Ghost User mentioned in merge request !56288 (merged)
- 🤖 GitLab Bot 🤖 changed milestone to %13.11
- 🤖 GitLab Bot 🤖 added missed-deliverable missed:13.10 labels
- Ghost User mentioned in issue create-stage#12819 (closed)
- Francisco Javier López changed milestone to %13.12
- Athar Hameed added workflowin review label and removed workflowin dev label
- Athar Hameed removed workflowin review label
- Athar Hameed closed
- John Hope mentioned in issue create-stage#12852 (closed)