New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Do not initiate auth instance if a user is already logged in in FrontController::init() #15591
Conversation
…Controller::init().
core/FrontController.php
Outdated
// user may already be logged in when init() is called, eg, in a CLI command | ||
if (!Access::getInstance()->isUserLoggedIn()) { | ||
// try authenticating w/ session first... | ||
$sessionAuth = $this->makeSessionAuthenticator(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@diosmosis I'm not sure re possible side effects or so.
I wonder... if technically someone could do something like this
$_GET['token_auth'] = ...
FrontController::getInstance()->dispatch()
if that could be any issue. Or if the user may be temporarily logged in using doAsSuperUser
but then the Access::$login
is not reset or so.
It might be a great fix I'm just unable to tell re side effects etc it's so tricky! In generally it does sound good though cause there should be a need to authenticate again. Unless maybe for some random use case, not sure. I reckon we could do this only on CLI and maybe only skip the session auth? Or always skip session auth on CLI since there is no session? Might be more "secure" in terms of possible side effects?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess it makes sense to just skip sessionauth if in cli mode. Can't imagine how it would work when used in cli mode...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 Although I reckon you mean Common::isPhpClimode
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes :) don't know how that got past me :)
btw moving this into 3.13.4 for now. I reckon it's actually not needed in 3.13.3 |
5951663
to
f673f93
Compare
@tsteur ready for another review |
…Controller::init() (matomo-org#15591)
…Controller::init() (matomo-org#15591)
@tsteur think this will solve the problem for the wp-matomo command?
Fixes #15550