Don't trigger ColdBox's invalid event looping protection #14
This is the same fix that @elpete implemented in cbGuard for an issue I reported where introducing cbSecurity or cbGuard to an app would break the `invalidEventHandler` Coldbox setting. See here for details: coldbox-modules/cbguard#15
It looks like some of the unit tests are causing the checks to fail. I'm not exactly sure how to address these. My guess is that the tests themselves need to be updated to account for the new
So @homestar9 before I left on holiday, I had resolved an issue with this, where the invalid event handler was creating this loop. I added a fix for it. ColdBox/coldbox-platform@39ebe21 So, can you try again WITHOUT this change. Because I tested it with it and it was working without it.
Just make sure you are using the BE
Thanks, @lmajano. I do see the change in Coldbox 6, and it appears to work. However, I'm having an issue with an app that still uses Coldbox 5.6.2. Will the fix you applied to Coldbox 6 also work on Coldbox 5?
Well, no. It will only work for ColdBox 6. So maybe, we can pivot this fix to ONLY work with ColdBox 5
Checks the version of Coldbox and only applies the fix for Coldbox 5.
Okay, I have updated the pull request. I know in Coldbox 6 I could use something like This does create a reliance on future versions of Coldbox supporting
Perfect!!!
That's perfect as that is the getter for the entire struct and that will probably never go away
Great job! Needs some more optimizations!
interceptors/Security.cfc
Outdated
} | ||
|
||
private boolean function isInvalidEventHandlerBean( required handlerBean ) { | ||
if ( isNull( variables.onInvalidEventHandlerBean ) ) { |
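Review bot: `isInvalidEventHandlerBean( required handlerBean )` takes an untyped argument and, in the lines shown, has no doc comment saying what counts as a match. Typing the argument and adding a one-line hint would make it clear which object the `isNull( variables.onInvalidEventHandlerBean )` branch is guarding the comparison against.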
I think this check belongs outside of the declared function. In reality, this function should never be called if the set invalid event handler bean is never set. This way we can shortcut it on line 232 as well.
interceptors/Security.cfc
Outdated
var handlerBean = variables.handlerService.getHandlerBean( arguments.event.getCurrentEvent() ); | ||
|
||
if ( | ||
listGetAt( controller.getColdboxSettings().version, 1, "." ) == 5 && |
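Review bot: in the `if` condition, `listGetAt( controller.getColdboxSettings().version, 1, "." ) == 5` matches major version 5 only, so the workaround is skipped on any other major version that does not carry the ColdBox 6 fix. If the intent is "anything before ColdBox 6", compare with `< 6` rather than `== 5`.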
The 3 conditions are
- is this coldbox < 6
- do we have an `onInvalidEventHandlerBean` that is not null
- is this the invalid event handler bean.

This way the shortcuts will work and the code will be fast.
interceptors/Security.cfc
Outdated
var handlerBean = variables.handlerService.getHandlerBean( arguments.event.getCurrentEvent() ); | ||
|
||
if ( | ||
listGetAt( controller.getColdboxSettings().version, 1, "." ) == 5 && |
Since this executes in every annotation check, this code needs to be extra fast. Therefore, evaluating the version into a list and comparing it takes time. Do this once no prob. 50 times in a request and it adds up.
I suggest you move the ColdBox version detection to the `configure()` method and set a boolean feature flag.

```
variables.invalidHandlerCleanupEnabled = getToken( controller.getColdboxSettings().version, 1, "." ) < 6;
```

Then in your if statement, you can just do a boolean evaluation:

```
if( variables.invalidHandlerCleanupEnabled && .... )
```
I'm so glad you made the comment about performance and moving the check to `configure()`. That was an excellent suggestion! I'll get to work on it and update the thread once complete.
Moved Coldbox version and the invalidEventHandlerBean null checks to the `configure()` method. Refactored the `isInvalidEventHandlerBean()` so it only checks whether the passed handlerBean is a match (removed the null check). Simplified the `if` statement in `processAnnotationRules()` for performance and legibility.
All set. I also moved the My comments tend to be a bit verbose, so let me know if you'd like me to amend them.
@homestar9 perfection. Now the issue is the tests :(
Once the tests pass, I can merge, but you need to update them due to the changes in the source.
I'm a little stumped with how to address the test changes. The error message I'm seeing is: Is this a symptom that Wirebox isn't injecting the Or is something else trying to treat Here's an example of a unit test that fails:
Another thought I had is that since this is a unit test, we may need to mock the Any tips you could provide would be very helpful!
Yep, you need to inject the mocks since they don't exist. Since you have defined it as a setter, you can just call it:
I had to go back to section 3 on mocking from my trusty course lecture printout from CBOX-205 for this one. The I also added 2 new unit tests that ensure the extra invalid event handler processing only occurs when the Coldbox version used is less than 6. If you see anything that could be improved, please do let me know. :)
WOW! @homestar9 You have made me proud! I can guarantee you that your coding will become faster and more solid now! KUDOS!! 🎆 🍾 🍻
Thank you Luis! I hope you have a great start to your week. :)