Bug 36149: Unset userenv from middleware

The userenv (logged in user's info) are stored in $C4::Context->context->{activeuser}, which persists in plack worker's memory. It's really bad in theory as we are not cleaning it before or after the HTTP request, but only when set_userenv is called (what we are doing commonly in C4::Auth::get_template_and_user). If C4::Context->userenv is called before set_userenv we should get undef, not the userenv from the previous request! In practice this should not be a problem, but well... who really knows? This patch suggests to have a middleware to deal with removing the userenv at the beginning of each request (maybe it should be after, right? - FIXME). To test: 1 - Edit /etc/koha/sites/kohadev/koha-conf.xml to set <plack_workers>1</plack_workers> 2 - Edit about.pl and add a line after: CGI->new: warn Data::Dumper::Dumper( C4::Cointext->userenv() ); 3 - tail -f /var/log/koha/kohadev/*.log 4 - View about.pl in staff interface, should get a "somethign's wrong" warning 5 - Reload, you get current user info 6 - Open an incognito tab, sign in as a different user and click some stuff 7 - Reload about.pl in other window 8 - You get the opac user info 9 - Apply patch 10 - Edit /etc/koha/sites/kohadev/plack.psgi and add the middleware after "RealIP": enable "+Koha::Middleware::UserEnv"; 11 - Restart all 12 - Reload about.pl - you get a "Something's wrong" warning 13 - Click things in opac on incognito window 14 - Reload about.pl - only "Something's wrong" - you no longer see any user info Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> (cherry picked from commit 576e7e09fdca703f76c0d10ae55eebf12ee1fdf4) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com> (cherry picked from commit 3dd1cdd74f) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
2024-03-08 16:06:11 +01:00 · 2024-03-08 16:06:11 +01:00 · c97d9db239
commit c97d9db239
parent 9ae16e10ae
3 changed files with 20 additions and 2 deletions
--- a/C4/Context.pm
+++ b/C4/Context.pm
@ -837,8 +837,7 @@ Destroys the hash for activeuser user environment variables.

 sub _unset_userenv
 {
-    my ($sessionID)= @_;
-    undef $context->{activeuser} if $sessionID && $context->{activeuser} && $context->{activeuser} eq $sessionID;
+    delete $context->{activeuser};
 }


--- a/Koha/Middleware/UserEnv.pm
+++ b/Koha/Middleware/UserEnv.pm
@ -0,0 +1,18 @@
+package Koha::Middleware::UserEnv;
+use Modern::Perl;
+
+use parent qw(Plack::Middleware);
+
+use C4::Context;
+
+sub call {
+    my ( $self, $env ) =@_;
+
+    my $req = Plack::Request->new($env);
+
+    C4::Context->_unset_userenv;
+
+    return $self->app->($env);
+}
+
+1;
--- a/debian/templates/plack.psgi
+++ b/debian/templates/plack.psgi
@ -73,6 +73,7 @@ builder {
    enable "Plack::Middleware::Static";

    # + is required so Plack doesn't try to prefix Plack::Middleware::
+    enable "+Koha::Middleware::UserEnv";
    enable "+Koha::Middleware::SetEnv";
    enable "+Koha::Middleware::RealIP";