relax force ssl if assuming secure protocol #13374 #17861
Conversation
|
Do we need to add documentation for this? |
sgiehl
added
Needs Review
| @@ -47,7 +47,7 @@ public function execute() | |||
|
|
|||
| $forceSSLEnabled = (Config::getInstance()->General['force_ssl'] == 1); | |||
|
|
|||
| if ($forceSSLEnabled) { | |||
| if ($forceSSLEnabled || @Config::getInstance()->General['assume_secure_protocol']) { | |||
There was a problem hiding this comment.
we should in general try to avoid using error suppression (@). In this case it shouldn't be needed at all, as assume_secure_protocol is defined in global.ini.php and therefor the key should always be available.
Also I guess in most cases we are checking such boolish config values with == 1
There was a problem hiding this comment.
Nice! Thanks @sgiehl for looking into this.
I agree with the error suppression and have corrected it. It was in another place also, which I had copied from previously and now also corrected.
However, I don't quite agree with the second point unless it is an accepted convention for this project for historical reasons.
Reasons being: PHP has the concept of falsy and truthy and I think we should be OK to take advantage of that language feature. Comparing with double equals (==) is the same check as checking 'is this variable "onesy"', so true == 1 is true while true === 1 is false. If we were checking for strict equality, we would need to check with triple equals (===).
For example to check if something is strictly false or strictly not false, one would do
<?php
false === $someVariableOrExpression
// or
false !== $someVariableOrExpression
if ($expression) echo 'prints'; // outputs 'prints' if $expression is truthySome functions in PHP return false or a mixed value for similar reasons.
There was a problem hiding this comment.
@geekdenz In general I would agree that using === should be prefered. But when using === we need to cast the value, as the config value could be a string or integer. So something like (int) Config::getInstance()->General['assume_secure_protocol'] === 1 would work.
There was a problem hiding this comment.
Btw. the reason for doing a comparison here at all was to prevent that a "invalid" config value like a random string would be counted as enabled
There was a problem hiding this comment.
I actually didn't know that. We're actually not doing it everywhere currently and maybe eventually might rather want to change it to trigger an exception then if it's not 0 or 1 as otherwise people won't actually realise they misconfigured it. @sgiehl can you document that we're currently checking == 1 for 0/1 configs in https://developer.matomo.org/guides/piwiks-ini-configuration ?
There was a problem hiding this comment.
Actually @geekdenz for this we have a method in Url::isPiwikConfiguredToAssumeSecureConnection() (which btw converts to bool so we shouldn't regress behaviour there now and generally reuse that method)
|
Thanks. Makes sense. I hadn't considered the case where any string could be truthy unless some special cases. Should we change it in the other place too then? |
|
Actually, to make this less of a problem or discussion topic in the future we could have a method in the configuration class that checks if a configuration value is 1. |
|
@geekdenz Have you seen my post in #13374 (comment)? I'm not entirely sure if this is a change we should do. After all if Matomo is behind a reverse proxy that adds SSL, then Matomo should still act as if it was using HTTPS (so e.g. create links in E-Mail with https://, etc.) and therefore these people also will need to add |
|
@Findus23 maybe, when assume secure protocol is enabled we could apply additionally same behavior as if Maybe let's not merge this then and rather find a solution in the FAQ to suggest to also set |
Description:
See commit message.
Review