User access control does not work well when different computers/browsers are used #556
Comments
|
Maybe I've been to fast is filing an issue, i eventually found #107 but supposed to be fixed... |
Do not die a horrible death if the key you are attempting to remove from the session upon logout doesn't exist. Attempt at fixing #556
|
@AmedeeBulle I'm sorry, I can't for the life of me reproduce this (tried the exact steps outlined above with the exact same module versions), but given the stack trace I've whipped up a quick possible workaround, see commit e77efde Could you test if that helps/what it changes? |
|
Thank you, I'll test that early next week when back home... |
|
@foosel I tried to be systematic in my testing:
What happens is consistent with the fix:
I don't speak very well Python and don't know much about Flask, so I can't easily debug myself... elif "passive" in request.values.keys():
user = current_user
if user is not None and not user.is_anonymous():
identity_changed.send(current_app._get_current_object(), identity=Identity(user.get_id()))
return jsonify(user.asDict())So if I understand correctly, the 'passive' login method is called from the LoginStateViewModel 'class' when we have a user in the environment (cookie). (This is a shot in the dark, maybe I am saying something stupid -- as I said I have very limited knowledge in this area) |
So far when logging in from two different browsers, then logging out in one of them the user was logged out across all browsers. This should now be changed in so far as that each individual browser session is tracked and only that session is ended by a logout that belongs to the browser where the logout button was clicked. Should fix #556
|
@AmedeeBulle it took me a while to get to the ground of this, and once I understood what was causing this, I immediately could reproduce it. Yes, I know, it's supposed to go the other way around, I don't know why I couldn't reproduce it earlier. Thanks for the thorough report and the patience. I just pushed a patch (see above) that enables proper session tracking across multiple browsers (that not being there was the core reason here) and should fix this issue (and also allow for some interesting things in the future, like "how many users are logged in right now" which could also contribute to #527). Could you please test if this is indeed the case for you? It would also be great if you could give the whole logging in/out etc stuff a critical but quick test -- I did my best to check through various scenarios, but I've looked on that code now for so long that I might have missed some obvious things (not seeing the forest due to all those trees as we say in .de). |
foosel
added
needs information
So far when logging in from two different browsers, then logging out in one of them the user was logged out across all browsers. This should now be changed in so far as that each individual browser session is tracked and only that session is ended by a logout that belongs to the browser where the logout button was clicked. Should fix OctoPrint#556
|
Considering this solved due to not getting any reply from OP and my tests so far looked good. |
|
Apologies for no answer... |
It took me some time to understand what was happening...
Here is the scenario:
Environement:
OS: raspbian on rasberry pi (no OctoPi)
Octoprint:: Version: 1.2.0-dev-118-gfbd9440
Logs:
Attempt to logout generates a stack trace: https://gist.github.com/AmedeeBulle/f2a02d86aee4f8c8dea0
No other error.
It is a 'fresh' install form a couple of days ago, so all libraries should be current. As it seems related to Flask, i have:
My python skill are somewhat limited, can't drill down much more on this...
The text was updated successfully, but these errors were encountered: