Fix EZP-23176: Sessions are always started for anonymous user #1033
Conversation
@@ -988,7 +988,9 @@ static function setCurrentlyLoggedInUser( $user, $userID, $flags = 0 ) | |||
if ( !( $flags & self::NO_SESSION_REGENERATE) ) | |||
eZSession::regenerate(); | |||
|
|||
eZSession::set( 'eZUserLoggedInID', $userID ); | |||
if ( $userID != self::anonymousId() || eZSession::hasStarted() ) | |||
eZSession::set( 'eZUserLoggedInID', $userID ); |
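Review bot: the new guard only wraps the `eZSession::set( 'eZUserLoggedInID', $userID )` call; the `eZSession::regenerate()` call at the top of the hunk still runs for an anonymous user whenever NO_SESSION_REGENERATE is not set, so confirm that regenerate() cannot itself start a session, otherwise anonymous requests will still get one. The condition also uses a loose `!=` against `self::anonymousId()`; if the user ID and the anonymous ID can arrive as different types (string from config vs. int), a strict comparison avoids a silent mismatch that would fall back to the old always-set behaviour. Finally, the `|| eZSession::hasStarted()` branch means a session that was already started for any other reason will keep being written to for anonymous users, which matches the description ("a session should already exist, so it will still update the user ID") but is worth a one-line code comment so the intent survives.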
cs here? (more white spaces needed)
edit: don't know if we should worry about cs things for legacy code though. feel free to discard this comment if so.
oops, CS indeed. updating
Scary, but might be good!
Updated, cleanup() will try to remove session variables which actually starts a session...
hmm, I think I might prefer the other one, this one looks a bit risky..
Alternative: ezsystems/ezpublish-kernel#936
Closing
> https://jira.ez.no/browse/EZP-23176 Alternative of #932 and ezsystems/ezpublish-legacy#1033 by @joaoinacio . In security mapper, user was injected in legacy even if the current user wasn't authenticated. Problem is that `eZUser::setLoggedInUser()` always sets a session variable… This patch ensures user is authenticated in security context before injecting the user. Tests have been updated and improved.
JIRA: https://jira.ez.no/browse/EZP-23176
`eZUser::setCurrentlyLoggedInUser()` always starts a session, even for anonymous. Replaces ezsystems/ezpublish-kernel#932
Essentially this will not start a new session if the (new) current user is anonymous.
If a user was previously set, and setCurrentlyLoggedInUser() is called for anonymous, a session should already exist, so it will still update the user ID.