event.buildLink bug in ColdBox SEEK 3.8.1.00076?

I just cut a site over to 3.8.1 and it seems that event.buildLink always uses an SSL parameter of True even when setting it to false. I have the below in my SSL interceptor. When I dump toURL in the else if it always returns https://www.foo.com. This code worked fine until I upgraded.

    private void function checkSSL(event)
    {
        var isSSL = event.isSSL();

        // check if SSL request and SSL Required
        if( !isSSL && isSSLRequired(event) ){
            flash.keep();
            var toURL = event.buildLink( linkTo=reReplace( cgi.path_info, "^/", "" ), queryString=cgi.query_string, ssl=true );
            setNextEvent(url=toURL, statusCode=302);
        }
        // Check if in SSL and NO SSL Required
        else if( isSSL && !isSSLRequired(event) ){
            flash.keep();
            var toURL = event.buildLink( linkTo=reReplace( cgi.path_info, "^/", "" ), queryString=cgi.query_string, ssl=false );
            setNextEvent(url=toURL, statusCode=302);
        }
    }

Looks like in the old version I was using, the request context is completely different.

I don’t see where it uses the isSSL function.

    function buildLink(required linkTo, boolean ssl=false, baseURL="", queryString=""){
        var frontController = "index.cfm";

        // Base URL Override
        if( len( trim( arguments.baseURL ) ) neq 0 ){
            frontController = arguments.baseURL;
        }

        // Check if sending in Query String
        if( len( trim( arguments.queryString ) ) eq 0 ){
            return "#frontController#?#getEventName()#=#arguments.linkto#";
        }
        else{
            return "#frontController#?#getEventName()#=#arguments.linkto#&#arguments.queryString#";
        }
    }

    boolean function isSSL(){
        if (isBoolean(cgi.server_port_secure) AND cgi.server_port_secure) { return true; }
        return false;
    }

I fixed my interceptor, but this is a bug.

    // Check if in SSL and NO SSL Required
    else if( isSSL && !isSSLRequired(event) ){
        flash.keep();
        var toURL = event.buildLink( linkTo=reReplace( cgi.path_info, "^/", "" ), queryString=cgi.query_string, ssl=false );
        toURL = replacenocase(toURL,"https:","http:"); //added this to my interceptor
        setNextEvent(url=toURL, statusCode=302);
    }

Jonathan,

The SSL is built and stored into the baseURL, you will find that it is used in security service.

I have another interceptor named domain that has a preprocess function that does

    arguments.event.setSESBaseURL("http://" & cgi.http_host)

Not sure, I would be hesitant to say that, that forgebox module or interceptor is old and pre ColdBox 3.0 at a guess. Is that checkSSL() yours or does it belong to the forgebox interceptor that you are using?

checkSSL is part of the SSL interceptor that I got during a consult with Luis. No matter what I do in 3.8.1, if I do an event.buildLink(linkto='event.function', ssl=false) the result is https. buildLink works fine when I go from http to http or if I go http to https. Just not https to http using the false flag.

That change was made as part of this ticket in 3.6
https://ortussolutions.atlassian.net/browse/COLDBOX-100

I would agree it’s definitely a bug. Defaulting to SSL might be handy if you’re already in it, but just because the current page is SSL by no means should override that EVERY link ever made has to also be SSL especially if you’re trying to override it to not be.

Honestly, I’m not a huge fan of this approach anyway-- especially since it isn’t clear from the API docs! The default value to the “SSL” parameter is false so it stands to reason that all links will be HTTP unless otherwise specified. If it were me, I would make that more clear, and perhaps change the name of the parameter to be “overrideSSL” or something. I actually prefer to create an SSLService that will tell me what events need to be SSL and what doesn’t. Then I just ask it every time I build a link. In the past I used a request context decorator to do this for me. Then I don’t need it to try and “guess” what the links should be.

Nonetheless, the SSL param should have final say and the isSSL check should only kick in if the user didn’t pass a value which means we need to remove the default value and explicitly check to see if it was passed. Can you put in a ticket for this please?

http://blog.coldbox.org/blog/how-to-create-a-jira-account-and-enter-coldbox-tickets

Thanks!

~Brad

ColdBox Platform Evangelist
Ortus Solutions, Corp

E-mail: brad@coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com
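
The precedence described in the last reply (an explicit ssl argument has the final say, and the current request's scheme is only a fallback when no value was passed), as an added example. This is not ColdBox source and not code from any poster in this thread; `resolveLinkBase`, its parameters and the sample URLs are hypothetical.

```cfml
<cfscript>
// Hypothetical helper, not ColdBox source.
// "ssl" deliberately has NO default value, so an omitted argument can be
// told apart from an explicit ssl=false.
string function resolveLinkBase(
    required string baseURL,
    required boolean requestIsSSL,
    boolean ssl
){
    var useSSL = arguments.requestIsSSL;

    // The caller's explicit choice always wins over the request's scheme.
    if( structKeyExists( arguments, "ssl" ) ){
        useSSL = arguments.ssl;
    }

    // Rewrite only the leading scheme; an "https:" that appears later in
    // the URL (for example inside a query string value) is left untouched.
    var hostAndPath = reReplaceNoCase( arguments.baseURL, "^https?://", "" );

    return ( useSSL ? "https://" : "http://" ) & hostAndPath;
}

// Constructed sample values for the four cases discussed in the thread.
secureBase = "https://www.foo.com/index.cfm";
plainBase  = "http://www.foo.com/index.cfm";

cases = [
    // https request, caller asks for ssl=false: must come back as http
    resolveLinkBase( baseURL=secureBase, requestIsSSL=true, ssl=false ),
    // https request, ssl omitted: inherits https from the request
    resolveLinkBase( baseURL=secureBase, requestIsSSL=true ),
    // http request, caller asks for ssl=true: upgraded to https
    resolveLinkBase( baseURL=plainBase, requestIsSSL=false, ssl=true ),
    // http request, ssl omitted: stays http
    resolveLinkBase( baseURL=plainBase, requestIsSSL=false )
];

for( link in cases ){
    writeOutput( link & "<br>" );
}
</cfscript>
```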