Jonathan Druart
c97d9db239
The userenv (logged in user's info) are stored in
$C4::Context->context->{activeuser}, which persists in plack worker's
memory.
It's really bad in theory as we are not cleaning it before or after the
HTTP request, but only when set_userenv is called (what we are doing
commonly in C4::Auth::get_template_and_user).
If C4::Context->userenv is called before set_userenv we should get undef,
not the userenv from the previous request!
In practice this should not be a problem, but well... who really knows?
This patch suggests to have a middleware to deal with removing the
userenv at the beginning of each request (maybe it should be after, right? - FIXME).
To test:
1 - Edit /etc/koha/sites/kohadev/koha-conf.xml to set <plack_workers>1</plack_workers>
2 - Edit about.pl and add a line after: CGI->new:
warn Data::Dumper::Dumper( C4::Context->userenv() );
3 - tail -f /var/log/koha/kohadev/*.log
4 - View about.pl in staff interface, should get a "something's wrong" warning
5 - Reload, you get current user info
6 - Open an incognito tab, sign in as a different user and click some stuff
7 - Reload about.pl in other window
8 - You get the opac user info
9 - Apply patch
10 - Edit /etc/koha/sites/kohadev/plack.psgi and add the middleware after "RealIP":
enable "+Koha::Middleware::UserEnv";
11 - Restart all
12 - Reload about.pl - you get a "Something's wrong" warning
13 - Click things in opac on incognito window
14 - Reload about.pl - only "Something's wrong" - you no longer see any user info
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 576e7e09fdca703f76c0d10ae55eebf12ee1fdf4)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 3dd1cdd74f
)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
#!/usr/bin/perl
# This file is part of Koha.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
use Modern::Perl;
use Plack::Builder;
use Plack::App::CGIBin;
use Plack::App::Directory;
use Plack::App::URLMap;
use Plack::Request;
use Mojo::Server::PSGI;
# Pre-load libraries
use C4::Koha;
use C4::Languages;
use C4::Letters;
use C4::Members;
use C4::XSLT;
use Koha::Caches;
use Koha::Cache::Memory::Lite;
use Koha::Database;
use Koha::DateUtils;
use Koha::Logger;
use Log::Log4perl;
use CGI qw(-utf8 ); # we will loose -utf8 under plack, otherwise
# Wrap CGI->new so that every CGI object starts from clean per-request state.
# The -utf8 import flag does not survive under Plack, so UTF-8 parameter
# decoding is switched back on for each new query object, and the in-process
# L1 / Memory::Lite caches are emptied so that values cached while serving one
# request are not handed to the next request served by the same worker.
{
    no warnings 'redefine';
    my $orig_ctor = \&CGI::new;

    my $wrapped_ctor = sub {
        # @_ is passed through untouched so the original constructor sees
        # exactly what the caller supplied.
        my $query = $orig_ctor->(@_);
        $CGI::PARAM_UTF8 = 1;
        Koha::Caches->flush_L1_caches();
        Koha::Cache::Memory::Lite->flush();
        return $query;
    };

    *CGI::new = $wrapped_ctor;
}
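# Root of the Koha installation. Every application below is resolved relative
# to it, so an unset or empty KOHA_HOME would not fail here but would silently
# point the CGI roots at "/intranet/cgi-bin" and "/opac/cgi-bin/opac" under the
# filesystem root. Refuse to start instead of serving from an unexpected tree.
my $home = $ENV{KOHA_HOME};
die "KOHA_HOME is not set; cannot locate the Koha installation\n"
    unless defined $home && length $home;

# DEV_INSTALL selects the in-tree checkout layout (scripts directly under
# $home) instead of the packaged layout.
my $dev_install = $ENV{DEV_INSTALL};

my $intranet = Plack::App::CGIBin->new(
    root => $dev_install ? $home : "$home/intranet/cgi-bin",
)->to_app;

my $opac = Plack::App::CGIBin->new(
    root => $dev_install ? "$home/opac" : "$home/opac/cgi-bin/opac",
)->to_app;

# The REST API is served by Mojo::Server::PSGI: the Mojolicious app is loaded
# once at startup and exposed as a plain PSGI app so it can be mounted next to
# the CGI applications.
my $apiv1 = builder {
    my $server = Mojo::Server::PSGI->new;
    $server->load_app("$home/api/v1/app.pl");
    $server->to_psgi_app;
};

Koha::Logger->_init;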
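# Enable Log4perl request logging plus warning capture for one log category,
# but only when that category actually has appenders configured.
# Must be called from inside a builder block (enable() is scoped to it).
my $enable_logging = sub {
    my ($log_category) = @_;
    if ( Log::Log4perl->get_logger($log_category)->has_appenders ) {
        enable 'Log4perl', category => $log_category;
        enable 'LogWarn';
    }
    return;
};

# Wrapper shared by the OPAC and the staff interface: maps HTTP error statuses
# to the interface's own error pages, makes fatal errors surface as a 500 so
# ErrorDocument can render them, and attaches logging for $log_category.
# Returns the wrapped PSGI app.
my $wrap_cgi_app = sub {
    my ( $app, $log_category ) = @_;
    return builder {
        #NOTE: it is important that these are relative links
        enable 'ErrorDocument',
            400 => 'errors/400.pl',
            401 => 'errors/401.pl',
            402 => 'errors/402.pl',
            403 => 'errors/403.pl',
            404 => 'errors/404.pl',
            500 => 'errors/500.pl',
            subrequest => 1;
        #NOTE: Without this middleware to catch fatal errors, ErrorDocument won't be able to render a 500 document
        #NOTE: This middleware must be closer to the PSGI app than ErrorDocument
        enable "HTTPExceptions";
        $enable_logging->($log_category);
        $app;
    };
};

builder {
    # Middleware enabled here wraps every mount below, outermost first.
    enable "ReverseProxy";
    enable "Plack::Middleware::Static";

    # + is required so Plack doesn't try to prefix Plack::Middleware::
    #
    # UserEnv runs before any application code on every request: it removes
    # the logged-in user data that C4::Context keeps in the worker process,
    # which otherwise persists from one request to the next and is only
    # replaced when set_userenv is called. Without it, code that calls
    # C4::Context->userenv before set_userenv could see the previous
    # request's user.
    # FIXME: whether the userenv should also be cleared at the end of the
    # request is still an open question.
    enable "+Koha::Middleware::UserEnv";
    enable "+Koha::Middleware::SetEnv";
    enable "+Koha::Middleware::RealIP";

    mount '/opac'     => $wrap_cgi_app->( $opac,     'plack-opac' );
    mount '/intranet' => $wrap_cgi_app->( $intranet, 'plack-intranet' );

    # The API has its own error handling; it only gets the logging layer.
    # This mount must stay the last statement so builder picks up the URL map.
    mount '/api/v1/app.pl' => builder {
        $enable_logging->('plack-api');
        $apiv1;
    };
};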