Context Navigation

Modify ↓

#12929 closed defect (fixed)

Known users cache may not be invalidated when creating a session

Reported by:	Ryan J Ollos	Owned by:	Ryan J Ollos
Priority:	normal	Milestone:	1.2.3
Component:	general	Version:
Severity:	normal	Keywords:
Cc:		Branch:
Release Notes:
API Changes:	Authenticated session without any session attributes is persisted when the session is saved. Previously the session would only be persisted if one or more session attributes were set.
Internal Changes:

Description

The case was missed in #11868. The known users cache will not be invalidated when creating a session without setting the name and email.

session = DetachedSession(self.env, sid)
session['authenticated'] = True
session.save()

Attachments (0)

Change History (3)

comment:1 by Ryan J Ollos, 7 years ago

Proposed changes: [54236d4d1/rjollos.git].

comment:2 by Jun Omae, 7 years ago

The authenticated is an attribute of session object, not an item of the object.

-session['authenticated'] = True
+session.authenticated = True

>>> from trac.test import EnvironmentStub, MockRequest
>>> from trac.web.session import Session
>>> env = EnvironmentStub()
>>> req = MockRequest(env, authname='user')
>>> req.authname
'user'
>>> sess = Session(env, req)
>>> sess.authenticated
True
>>> list(env.get_known_users())
[]
>>> sess.save()
>>> list(env.get_known_users())
[]  # should be 1 entry

Currently, new session without associated data is not be persisted, even if authenticated/anonymous session.

    def save(self):
        items = self.items()
        if not self._old and not items:
            # The session doesn't have associated data, so there's no need to
            # persist it
            return

If we should persist new authenticated session without associated data:

trac/web/session.py

diff --git a/trac/web/session.py b/trac/web/session.py
index 2b43535e5..d1ef6fd40 100644

                class DetachedSession(SessionDict):
                 self._old = {}
     def save(self):
-        items = self.items()
-        if not self._old and not items:
-            # The session doesn't have associated data, so there's no need to
-            # persist it
-            return
         authenticated = int(self.authenticated)
         now = int(time_now())
+        items = self.items()
+        if not authenticated and not self._old and not items:
+            # The session for anonymous doesn't have associated data,
+            # so there's no need to persist it
+            return
         # We can't do the session management in one big transaction,
         # as the intertwined changes to both the session and
-…
+               class DetachedSession(SessionDict):
                     db.rollback()
                     return
+            if authenticated and \
+                    (new or self._old.get('name') != self.get('name') or \
+                     self._old.get('email') != self.get('email')):
+                self.env.invalidate_known_users_cache()
             # Remove former values for session_attribute and save the
             # new ones. The last concurrent request to do so "wins".
             if self._old != self:
-                if new or self._old.get('name') != self.get('name') or \
-                        self._old.get('email') != self.get('email'):
-                    self.env.invalidate_known_users_cache()
                 if not items and not authenticated:
                     # No need to keep around empty unauthenticated sessions
                     db("DELETE FROM session WHERE sid=%s AND authenticated=0",

trac/web/tests/session.py

diff --git a/trac/web/tests/session.py b/trac/web/tests/session.py
index 6f0b01b91..f20984e21 100644

                class SessionTestCase(unittest.TestCase):
         """Setting attribute on a new session invalidates known_users cache."""
         sid = 'user'
         session = DetachedSession(self.env, sid)
         session['authenticated'] = True
+        session.authenticated = True
         self.assertEqual([], list(self.env.get_known_users()))
         session.save()
-…
+               class SessionTestCase(unittest.TestCase):
         self.assertIsNone(known_users[0][1])
         self.assertIsNone(known_users[0][2])
+    def test_create_new_anonymous_session(self):
+        """Setting attribute on a new anonymous session doesn't invalidate
+        known_users cache."""
+        sid = 'anonymous'
+        session = DetachedSession(self.env, sid)
+        session.authenticated = False
+        self.assertEqual([], list(self.env.get_known_users()))
+        # insert a session record without invalidating cache
+        self.env.insert_users([('user', 'Name' 'user@example.com', 1)])
+        session.save()
+        self.assertEqual([], list(self.env.get_known_users()))
+        self.env.invalidate_known_users_cache()
+        self.assertEqual(1, len(list(self.env.get_known_users())))
     def test_session_set_email(self):
         """Setting session email invalidates known_users cache."""
         sid = 'user'

comment:3 by Ryan J Ollos, 7 years ago

API Changes:	modified (diff)
Resolution:	→ fixed
Status:	assigned → closed

Committed with comment:2 changes in r16364, merged to trunk in r16365.

Modify Ticket

Change Properties

Summary:
Description:	The case was missed in #11868. The known users cache will not be invalidated when creating a session without setting the name and email. {{{#!python session = DetachedSession(self.env, sid) session['authenticated'] = True session.save() }}} You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:	Authenticated session without any session attributes is persisted when the session is saved. Previously the session would only be persisted if one or more session attributes were set.
Internal Changes:

Action

leave as closed The owner will remain Ryan J Ollos.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from Ryan J Ollos to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: