Koha/debian/templates/plack.psgi
Jonathan Druart 3dd1cdd74f Bug 36149: Unset userenv from middleware
The userenv (logged in user's info) are stored in
$C4::Context->context->{activeuser}, which persists in plack worker's
memory.
It's really bad in theory as we are not cleaning it before or after the
HTTP request, but only when set_userenv is called (what we are doing
commonly in C4::Auth::get_template_and_user).
If C4::Context->userenv is called before set_userenv we should get undef,
not the userenv from the previous request!
In practice this should not be a problem, but well... who really knows?

This patch suggests to have a middleware to deal with removing the
userenv at the beginning of each request (maybe it should be after, right? - FIXME).

To test:
1 - Edit /etc/koha/sites/kohadev/koha-conf.xml to set <plack_workers>1</plack_workers>
2 - Edit about.pl  and add a line after: CGI->new:
    warn Data::Dumper::Dumper( C4::Context->userenv() );
3 - tail -f /var/log/koha/kohadev/*.log
4 - View about.pl in staff interface, should get a "something's wrong" warning
5 - Reload, you get current user info
6 - Open an incognito tab, sign in as a different user and click some stuff
7 - Reload about.pl in other window
8 - You get the opac user info
9 - Apply patch
10 - Edit /etc/koha/sites/kohadev/plack.psgi and add the middleware after "RealIP":
     enable "+Koha::Middleware::UserEnv";
11 - Restart all
12 - Reload about.pl - you get a "Something's wrong" warning
13 - Click things in opac on incognito window
14 - Reload about.pl  - only "Something's wrong" - you no longer see any user info

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 576e7e09fdca703f76c0d10ae55eebf12ee1fdf4)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2024-04-24 07:36:20 +02:00


#!/usr/bin/perl
# This file is part of Koha.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
use Modern::Perl;
use Plack::Builder;
use Plack::App::CGIBin;
use Plack::App::Directory;
use Plack::App::URLMap;
use Plack::Request;
use Mojo::Server::PSGI;
# Pre-load libraries
use C4::Koha;
use C4::Languages;
use C4::Letters;
use C4::Members;
use C4::XSLT;
use Koha::Caches;
use Koha::Cache::Memory::Lite;
use Koha::Database;
use Koha::DateUtils;
use Koha::Logger;
use Log::Log4perl;
use CGI qw(-utf8 ); # we will loose -utf8 under plack, otherwise
# Wrap CGI->new for the lifetime of this worker.  Koha's CGI scripts build
# a CGI object when they start, so under Plack this runs on every request
# and gives each one a clean slate: the -utf8 flag that the `use CGI` line
# above cannot keep under Plack, and the two per-request caches, which would
# otherwise survive in the long-lived worker from one request to the next.
{
    no warnings 'redefine';
    my $orig_cgi_new = \&CGI::new;

    # State that must not leak between requests served by this worker.
    my $reset_request_state = sub {
        $CGI::PARAM_UTF8 = 1;
        Koha::Caches->flush_L1_caches();
        Koha::Cache::Memory::Lite->flush();
        return;
    };

    *CGI::new = sub {
        my $query = $orig_cgi_new->(@_);
        # Kept after the original constructor, as in the original ordering.
        $reset_request_state->();
        return $query;
    };
}
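# Root of the Koha install; every application below is located relative
# to it.  Fail at start-up if it is missing: an unset KOHA_HOME would
# otherwise only warn and then serve scripts from "/intranet/cgi-bin" (or,
# with DEV_INSTALL, from whatever root CGIBin falls back to).
my $home = $ENV{KOHA_HOME};
die "KOHA_HOME is not set; cannot locate the Koha CGI scripts"
    unless defined $home && length $home;

# DEV_INSTALL: run the scripts straight out of a source checkout instead of
# the packaged layout.
my $dev_install = $ENV{DEV_INSTALL};

my $intranet = Plack::App::CGIBin->new(
    root => $dev_install ? $home : "$home/intranet/cgi-bin",
)->to_app;

my $opac = Plack::App::CGIBin->new(
    root => $dev_install ? "$home/opac" : "$home/opac/cgi-bin/opac",
)->to_app;

# The REST API is a Mojolicious application; expose it as a PSGI app.
my $apiv1 = builder {
    my $server = Mojo::Server::PSGI->new;
    $server->load_app("$home/api/v1/app.pl");
    $server->to_psgi_app;
};

# Set up logging before the builder below queries Log::Log4perl for
# appenders (presumably _init loads Koha's log4perl config -- confirm).
Koha::Logger->_init;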
# Middleware shared by the two CGI-backed mounts (OPAC and staff interface):
# Koha-rendered error pages, capture of fatal errors, and -- only when the
# site's log4perl configuration has appenders for $category -- request and
# warning logging.  Calling enable() from a helper is fine: Plack::Builder
# binds enable() to whichever builder {} block is currently being evaluated.
my $enable_cgi_stack = sub {
    my ($category) = @_;

    #NOTE: it is important that these are relative links
    enable 'ErrorDocument',
        ( map { ( $_ => "errors/$_.pl" ) } qw(400 401 402 403 404 500) ),
        subrequest => 1;

    #NOTE: Without this middleware to catch fatal errors, ErrorDocument won't be able to render a 500 document
    #NOTE: This middleware must be closer to the PSGI app than ErrorDocument
    enable 'HTTPExceptions';

    if ( Log::Log4perl->get_logger($category)->has_appenders ) {
        enable 'Log4perl', category => $category;
        enable 'LogWarn';
    }
    return;
};

builder {
    # Recovers the client address/scheme/host from the X-Forwarded-* headers
    # set by the front-end proxy.  ReverseProxy trusts those headers
    # unconditionally, so the PSGI listener must only be reachable through a
    # proxy that overwrites them (see Plack::Middleware::ReverseProxy).
    enable 'ReverseProxy';

    # No path/root options are given, so as enabled here Static presumably
    # serves nothing until a packager configures it -- confirm.
    enable 'Plack::Middleware::Static';

    # + is required so Plack doesn't try to prefix Plack::Middleware::
    # Per the Bug 36149 commit message, UserEnv drops the C4::Context userenv
    # left in this worker by the previous request, so a script that reads
    # userenv before set_userenv sees undef rather than another user's data.
    # It is enabled ahead of SetEnv and RealIP, which makes it the outermost
    # of the three (the first enable() in a builder wraps the others).
    enable '+Koha::Middleware::UserEnv';
    enable '+Koha::Middleware::SetEnv';
    enable '+Koha::Middleware::RealIP';

    mount '/opac' => builder {
        $enable_cgi_stack->('plack-opac');
        $opac;
    };

    mount '/intranet' => builder {
        $enable_cgi_stack->('plack-intranet');
        $intranet;
    };

    # Logging only here: no ErrorDocument/HTTPExceptions, presumably because
    # the Mojolicious app renders its own error responses -- confirm.
    mount '/api/v1/app.pl' => builder {
        if ( Log::Log4perl->get_logger('plack-api')->has_appenders ) {
            enable 'Log4perl', category => 'plack-api';
            enable 'LogWarn';
        }
        $apiv1;
    };
};