Bug #58446 if R/O user saves settings tab, no error message but broken HTML appears
Submitted: 24 Nov 2010 8:46
Modified: 13 Jan 2011 18:44
Reporter: Mario Beck
Status: Can't repeat
Category: MySQL Enterprise Monitor: Server
Severity: S3 (Non-critical)
Version: 2.3.0.2036
OS: Solaris (10, SPARC 64 bit)
Assigned to: Josh Sled
CPU Architecture: Any
Tags: read only, save, settings

[24 Nov 2010 8:46] Mario Beck
Description:
When I access the "Settings" tab in MEM with a read-only user and modify options,
there is not the usual error message box but plain HTML displayed in my browser.

On all other tests to save information I get a wonderful error box.
Only the settings tab produces broken HTML.

How to repeat:
Log in to MEM 2.3 with a read only user.
Go to tab "Settings", enable SNMP or something else.
Click on the "save" button. You will see:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
	<head>
		<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
		<link rel="stylesheet" type="text/css" href="/web/resources/css/default.css?B=2.3.0.2036" />
		<link rel="stylesheet" type="text/css" href="/web/resources/css/tree.css?B=2.3.0.2036" />
        <link rel="stylesheet" type="text/css" href="/web/resources/css/jqueryui-mem/jquery-ui-1.7.1.custom.css"/>
		<link rel="shortcut icon" href="/web/favicon.ico" />
		<script type="text/javascript" src="/web/resources/js/jquery-1.3.2.min.js"></script>
        <script type="text/javascript" src="/web/resources/js/jquery-ui-1.7.1.custom.min.js"></script>
        <script type="text/javascript" src="/web/resources/js/jquery-ui-i18n.js"></script>
        <script type="text/javascript" src="/web/resources/js/pxToEm.js"></script>
		<script type="text/javascript" language="javascript" src="/Constants.js?B=2.3.0.2036&amp;L=en_US"></script>
		<script type="text/javascript" language="javascript" src="/web/resources/js/render/full.js?B=2.3.0.2036"></script>
		<script type="text/javascript" language="javascript">
		/* <![CDATA[ */
			var GLOBAL_noticeFader = new noticeFade();
			GLOBAL_noticeFader.setObject('fader');
			GLOBAL_noticeFader.setMessageContainer('noticeMessages');
			GLOBAL_noticeFader.registerClose('noticeClose');
			
			GLOBAL_noticeFader.init();
		/* ]]> */
		</script>
		
		<title>User Not Authorized : MySQL Enterprise Dashboard</title>
	</head>
	<body>
		
		<table cellpadding="0" cellspacing="0" width="100%" style="margin-top: 10px;">
			<tr>
				<td id="bodyTop">
					<table cellpadding="0" cellspacing="0" width="100%">
						<tr class="secondaryHeaderBG">
							<td><img src="/web/resources/images/secondaryTL.gif" width="8" height="7" alt=""/></td>
							<td class="right"><img src="/web/resources/images/secondaryTR.gif" width="8" height="7" alt=""/></td>
						</tr>
					</table>
				</td>
			</tr>
			<tr>
				<td id="bodyContentsWrapper">
					<div id="bodyContents">
						

<div class="titleBar">Access Denied</div>
<div class="basicBox">
    <p>You do not have permissions to access this resource.</p>
</div>

					</div>
				</td>
			</tr>
			<tr>
				<td id="bodyBottom">
					<table cellpadding="0" cellspacing="0" width="100%">
						<tr class="secondaryFooterBG">
							<td><img src="/web/resources/images/secondaryBL.gif" width="8" height="7" alt=""/></td>
							<td class="right"><img src="/web/resources/images/secondaryBR.gif" width="8" height="7" alt=""/></td>
						</tr>
					</table>
				</td>
			</tr>
		</table>

		<table id="fader">
			<tr>
				<td>
					<table cellpadding="0" cellspacing="0" width="100%">
						<tr>
							<td><img src="/web/resources/images/secondaryTL.png" width="8" height="7" alt="" /></td>
							<td class="secondaryHeaderSpacer"><img src="/web/resources/images/spacer.gif" width="1" height="1" alt="" /></td>
							<td><img src="/web/resources/images/secondaryTR.png" width="8" height="7" alt="" /></td>
						</tr>
					</table>
					<table cellpadding="0" cellspacing="0" width="100%">
						<tr>
							<td class="noticeBody">
								<table cellpadding="0" cellspacing="0" width="100%">
									<tr>
										<td>Notice:</td>
										<td class="right"><img src="/web/resources/images/deleteIcon11.gif" id="noticeClose" width="11" height="11" alt="close" style="cursor: pointer;" /></td>
									</tr>
								</table>
								<ul id="noticeMessages">
								</ul>
							</td>
						</tr>
					</table>
					<table cellpadding="0" cellspacing="0" width="100%">
						<tr>
							<td><img src="/web/resources/images/secondaryBL.png" width="8" height="7" alt="" /></td>
							<td class="secondaryFooterSpacer"><img src="/web/resources/images/spacer.gif" width="1" height="1" alt="" /></td>
							<td><img src="/web/resources/images/secondaryBR.png" width="8" height="7" alt="" /></td>
						</tr>
					</table>
				</td>
			</tr>
		</table>
		<table id="popupError" style="display: none">
			<tr>
				<td>
					<table cellpadding="0" cellspacing="0" width="100%">
						<tr>
							<td><img src="/web/resources/images/errorTL.gif" width="8" height="7" alt="" /></td>
							<td class="errorHeaderSpacer"><img src="/web/resources/images/spacer.gif" width="1" height="1" alt="" /></td>
							<td><img src="/web/resources/images/errorTR.gif" width="8" height="7" alt="" /></td>
						</tr>
					</table>
					<table cellpadding="0" cellspacing="0" width="100%">
						<tr>
							<td id="popupErrorBody">
								<table cellpadding="0" cellspacing="0" width="100%">
									<tr>
										<td>An Error Occurred</td>
										<td class="right"><img src="/web/resources/images/deleteIcon11.png" id="errorClose" width="11" height="11" alt="close" style="cursor: pointer;" /></td>
									</tr>
								</table>
								<div id="popupErrorListWrapper">
									<ul id="popupErrorList">
									</ul>
								</div>
							</td>
						</tr>
					</table>
					<table cellpadding="0" cellspacing="0" width="100%">
						<tr>
							<td><img src="/web/resources/images/errorBL.gif" width="8" height="7" alt="" /></td>
							<td class="errorFooterSpacer"><img src="/web/resources/images/spacer.gif" width="1" height="1" alt="" /></td>
							<td><img src="/web/resources/images/errorBR.gif" width="8" height="7" alt="" /></td>
						</tr>
					</table>
				</td>
			</tr>
		</table>
	</body>
</html>

Suggested fix:
The HTML looks good.
Maybe wrong MIME type so that it is displayed as text only?
[24 Nov 2010 9:49] Carsten Segieth
Checked with current development build 2.3.1.2040; I could not reproduce the problem:
- logged in with R/O user
- change to Settings tab
- any attempt to use a 'save' on this page results in a correct message 'Access Denied: You do not have permissions to access this resource.'
[24 Nov 2010 10:13] Enterprise Tools JIRA Robot
Carsten Segieth writes: 
Also with 2.3.0.2036 I could not reproduce this problem. I always get the correct message. Can you please give more hints and then perhaps re-open this bug.
I created a R/O user, logged out and logged in with this new user. Then all attempts to use 'save' on the 'Settings' page resulted in a correct message.
[26 Nov 2010 9:19] Mario Beck
I tested some combinations:

Firefox on MacOS (two machines) does not work
Firefox in XP does not work
Safari on MacOS (two machines) does not work
IE on XP (two machines) works fine.

I still suspect the mime type to be wrong or missing.
In Firefox I checked the content. FF goes into quirks mode because of document type "text/plain".
All other pages that are displayed correctly are "text/html".

Probably the appserver does not send a mime type in its response. So the browser is forced to do
mime sniffing by inspecting the first bytes.
IE is quite good at mime sniffing (which creates some security vulnerabilities).
FF probably is more cautious and stays on the safe side of "text/plain".
Interestingly the first bytes of the page are newlines. Does this confuse the sniffer?
Anyway: Not sending a mime type in the http response would not be good style for the application.
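
An added example, not part of the bug thread or of MEM's code: a check for the condition suspected in the comment above, run over raw HTTP responses. It flags a response with no Content-Type header, HTML markup declared as a non-HTML type, and a missing `X-Content-Type-Options: nosniff`. The sample responses, the 403 status line and the `audit_response` and `build` names are constructed for illustration.

```python
from email.parser import BytesParser

HTML_TYPES = {"text/html", "application/xhtml+xml"}
HTML_MARKERS = (b"<!doctype html", b"<html")

def audit_response(raw: bytes) -> list[str]:
    """Return findings for one raw HTTP response (status line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    _status, _, header_block = head.partition(b"\r\n")
    headers = BytesParser().parsebytes(header_block, headersonly=True)

    # Leading newlines (as in the reported page) are skipped before looking for markup.
    looks_like_html = body.lstrip()[:64].lower().startswith(HTML_MARKERS)

    findings = []
    if headers["Content-Type"] is None:
        # With no declared type the browser has to guess from the body bytes.
        findings.append("missing-content-type")
    elif looks_like_html and headers.get_content_type() not in HTML_TYPES:
        findings.append("html-declared-as-" + headers.get_content_type())

    nosniff = (headers["X-Content-Type-Options"] or "").strip().lower()
    if nosniff != "nosniff":
        # Without nosniff, browsers may override the declared type by sniffing.
        findings.append("missing-nosniff")
    return findings

# Constructed sample responses; the body imitates the start of the reported page.
BODY = (b'\n\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">\n'
        b"<html><body>Access Denied</body></html>")

def build(*header_lines: bytes) -> bytes:
    head = b"\r\n".join((b"HTTP/1.1 403 Forbidden",) + header_lines)
    return head + b"\r\n\r\n" + BODY

NO_TYPE = build(b"Content-Length: %d" % len(BODY))
PLAIN = build(b"Content-Type: text/plain")
GOOD = build(b"Content-Type: text/html; charset=utf-8",
             b"X-Content-Type-Options: nosniff")

if __name__ == "__main__":
    for name, raw in (("no type", NO_TYPE), ("text/plain", PLAIN), ("text/html", GOOD)):
        print(name, audit_response(raw))
```
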
[13 Jan 2011 18:43] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Now checked with current development build 2.3.2.2050 and I could not reproduce the problem:
* logged in with R/O user
* change to Settings tab
* any attempt to use a 'save' on this page results in the correct message:
'Access Denied
You do not have permissions to access this resource.'

I tested these combinations:
Firefox 3.6 on Mac OS X: works fine
Safari 5.0 on Mac OS X: works fine
Firefox 3.6 in Windows XP: works fine
IE 8 on Windows XP: works fine