User access control does not work well when different computers/browsers are used #556
It took me some time to understand what was happening...
Here is the scenario:
It is a 'fresh' install from a couple of days ago, so all libraries should be current. As it seems related to Flask, I have:
My Python skills are somewhat limited, can't drill down much more on this...
@foosel I tried to be systematic in my testing:
What happens is consistent with the fix:
I don't speak Python very well and don't know much about Flask, so I can't easily debug this myself...
```python
elif "passive" in request.values.keys():
    user = current_user
    if user is not None and not user.is_anonymous():
        identity_changed.send(current_app._get_current_object(), identity=Identity(user.get_id()))
        return jsonify(user.asDict())
```
So if I understand correctly, the 'passive' login method is called from the LoginStateViewModel 'class' when we have a user in the environment (cookie).
(This is a shot in the dark, maybe I am saying something stupid -- as I said I have very limited knowledge in this area)
@AmedeeBulle it took me a while to get to the ground of this, and once I understood what was causing this, I immediately could reproduce it. Yes, I know, it's supposed to go the other way around, I don't know why I couldn't reproduce it earlier. Thanks for the thorough report and the patience.
I just pushed a patch (see above) that enables proper session tracking across multiple browsers (that not being there was the core reason here) and should fix this issue (and also allow for some interesting things in the future, like "how many users are logged in right now" which could also contribute to #527). Could you please test if this is indeed the case for you? It would also be great if you could give the whole logging in/out etc stuff a critical but quick test -- I did my best to check through various scenarios, but I've looked on that code now for so long that I might have missed some obvious things (not seeing the forest due to all those trees as we say in .de).