Do not initiate auth instance if a user is already logged in in FrontController::init() #15591
Conversation
…Controller::init().
diosmosis
added
not-in-changelog
core/FrontController.php
Outdated
| // user may already be logged in when init() is called, eg, in a CLI command | ||
| if (!Access::getInstance()->isUserLoggedIn()) { | ||
| // try authenticating w/ session first... | ||
| $sessionAuth = $this->makeSessionAuthenticator(); |
There was a problem hiding this comment.
@diosmosis I'm not sure re possible side effects or so.
I wonder... if technically someone could do something like this
$_GET['token_auth'] = ...
FrontController::getInstance()->dispatch()
if that could be any issue. Or if the user may be temporarily logged in using doAsSuperUser but then the Access::$login is not reset or so.
It might be a great fix I'm just unable to tell re side effects etc it's so tricky! In generally it does sound good though cause there should be a need to authenticate again. Unless maybe for some random use case, not sure. I reckon we could do this only on CLI and maybe only skip the session auth? Or always skip session auth on CLI since there is no session? Might be more "secure" in terms of possible side effects?
There was a problem hiding this comment.
I guess it makes sense to just skip sessionauth if in cli mode. Can't imagine how it would work when used in cli mode...
There was a problem hiding this comment.
There was a problem hiding this comment.
👍 Although I reckon you mean Common::isPhpClimode?
There was a problem hiding this comment.
Yes :) don't know how that got past me :)
|
btw moving this into 3.13.4 for now. I reckon it's actually not needed in 3.13.3 |
diosmosis
force-pushed
the
15550-no-session-auth
branch
from
5951663
to
f673f93
Compare
|
@tsteur ready for another review |
…Controller::init() (matomo-org#15591)
…Controller::init() (matomo-org#15591)
@tsteur think this will solve the problem for the wp-matomo command?
Fixes #15550