XWIKI-22430: Logging out does not unlock pages that were being edited #3380
Conversation
| for (String wikiId : this.wikiDescriptorManager.getAllIds()) { | ||
| if (!currentWiki.equals(wikiId)) { | ||
| context.setWikiReference(new WikiReference(wikiId)); | ||
| this.releaseAllLocksForUser(userDoc, context); |
There was a problem hiding this comment.
If this fail, the context wiki will be broken. Would be better to restore the context wiki only once in a try/finally around the whole for (there is no need to restore it after each releaseAllLocksForUser anyway).
| this.releaseAllLocksForCurrentUser(ctx); | ||
| } finally { | ||
| ctx.setWikiId(cdb); | ||
| String currentWiki = context.getWikiId(); |
There was a problem hiding this comment.
Would probably make more sense to use getWikiReference here, it avoids creating a new WikiReference just to restore it.
| String currentWiki = context.getWikiId(); | ||
| for (String wikiId : this.wikiDescriptorManager.getAllIds()) { | ||
| if (!currentWiki.equals(wikiId)) { | ||
| context.setWikiReference(new WikiReference(wikiId)); |
There was a problem hiding this comment.
Feels simpler to use setWikiId here.
There was a problem hiding this comment.
I thought setWikiId was deprecated. Will check.
...tform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/store/XWikiHibernateStore.java
Show resolved
Hide resolved
| @@ -292,7 +292,8 @@ public boolean processLogout(SecurityRequestWrapper securityRequestWrapper, | |||
| HttpServletResponse httpServletResponse, URLPatternMatcher urlPatternMatcher) throws Exception | |||
| { | |||
| boolean result = super.processLogout(securityRequestWrapper, httpServletResponse, urlPatternMatcher); | |||
| if (result == true) { | |||
| if (result) { | |||
| this.getUserAuthenticatedEventNotifier().notifyUserUnauthenticated(securityRequestWrapper.getRemoteUser()); | |||
There was a problem hiding this comment.
Hmm, this should probably be called after the forgetLogin.
There was a problem hiding this comment.
I'll add a comment about that one: I thought the same at first but then what I'm doing doesn't work anymore because forgetLogin reset the wrapped request user to null.
There was a problem hiding this comment.
forgetLogin reset the wrapped request user to null.
Yes, that's why the event should be sent after. You just need to remember the user reference before it's reseted.
| } finally { | ||
| ctx.setWikiId(cdb); | ||
| String currentWiki = context.getWikiId(); | ||
| for (String wikiId : this.wikiDescriptorManager.getAllIds()) { |
There was a problem hiding this comment.
This feels too big a change for a LTS (I'm afraid logout on myxwiki.org is going to be quite long now, for example).
There was a problem hiding this comment.
Honestly I wasn't really sure about this loop: it feels a bit overkill but on the other side that's the only way to guarantee that a user properly has release all locks to my knowledge.
There was a problem hiding this comment.
It's not overkill, the user could have lock anywhere in the farm (there are many use cases where you have only main wiki users and various subwikis, xwiki.org for example). It's just very expensive in a farm like myxwiki.org (I guess we might want to move the locks to Solr eventually, or just stop with the locks since that's another thing we talked about).
There was a problem hiding this comment.
Ok, so it will impact perf, you think it's enough to prevent backporting?
I guess we might want to move the locks to Solr eventually
Interesting idea.
There was a problem hiding this comment.
Ok, so it will impact perf, you think it's enough to prevent backporting?
I updated the description to not backport.
| * @since 15.10.13 | ||
| */ | ||
| @Unstable | ||
| public class UserUnauthenticatedEvent implements Event |
There was a problem hiding this comment.
Maybe UserUnauthenticatedEvent and UserAuthenticatedEvent should share a common abstract class since their content is mostly the same.
There was a problem hiding this comment.
Yeah, I hesitated about doing that but was lazy :)
| @Override | ||
| public boolean matches(Object other) | ||
| { | ||
| return other instanceof UserUnauthenticatedEvent; |
There was a problem hiding this comment.
It would worth improving this to take into account this.userReference as otherwise it's quite missleading to have two different constructors from the point of view of a listener.
There was a problem hiding this comment.
Honestly I'm surprised that the code for UserAuthenticatedEvent doesn't use it, since the javadoc says otherwise, see: https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-api/src/main/java/org/xwiki/security/authentication/UserAuthenticatedEvent.java#L39
I'd preferably have same behaviour for both events, but changing this implem in UserAuthenticatedEvent is a breaking change behaviour...
There was a problem hiding this comment.
I'd preferably have same behaviour for both events, but changing this implem in UserAuthenticatedEvent is a breaking change behaviour...
IMO it's fixing a bug and that's typically something that should go in the abstract.
There was a problem hiding this comment.
IMO it's fixing a bug
Would need to check usage first but I tend to agree that we should use it.
that's typically something that should go in the abstract.
+1
There was a problem hiding this comment.
Can't find any usage in xwiki-contrib, except to trigger the event: https://github.com/search?q=org%3Axwiki-contrib%20UserAuthenticatedEvent&type=code
| if (userUnauthenticatedEvent.getUserReference() != null) { | ||
| DocumentReference userDoc = XWikiHibernateStore.this.userReferenceSerializer.serialize( | ||
| userUnauthenticatedEvent.getUserReference()); | ||
| releaseAllLocksForUser(userDoc, (XWikiContext) data); |
There was a problem hiding this comment.
Why does this release all locks? Shouldn't this only release locks of the current session of the user? I mean when I log out on my phone, this shouldn't release locks that I'm holding on my desktop browser, should it?
There was a problem hiding this comment.
We don't really have the concept of session right now in the locks, but yes ideally they should.
There was a problem hiding this comment.
That would be an improvment to add in the future I think, the expectation of current mechanism is that it does release all locks
There was a problem hiding this comment.
Could be done at the same time as moving the locks to solr for better perf as Thomas suggested.
There was a problem hiding this comment.
Storing a reference to all active locks of the user in the session would solve both the session and the performance problem.
There was a problem hiding this comment.
Storing a reference to all active locks of the user in the session would solve both the session and the performance problem.
It would probably be enough for the performance problem, yes (there is very little chance that the user has locks on many wikis at the same time in practice).
There was a problem hiding this comment.
I'd do that as part of another improvment ticket: IMO it's out of the scope of current PR.
There was a problem hiding this comment.
It's kind of the same scope as the for you added, the session references was another way to fix this problem (but yes, it's more complex than adding a for :)). It would also make the new event useless for this need, as the trigger would be more the session invalidation (which is also triggered by the logout) and not the logout (as a bonus this would work with all authenticators right away).
* Provide a new UserUnauthenticatedEvent to detect whenever a user
logged out, the same way that we have UserAuthenticatedEvent
* Trigger that new event when processing a logout in
MyFormAuthenticator
* Refactor the code in XWikiHibernateStore to listen for
UserUnauthenticatedEvent for cleaning the locks of a user, instead
of listening to an action event
* Rename UserAuthenticatedEventNotifier and use it for both
authenticated and unauthenticated events
* Fix test
* Provide an abstract event for authentication
Jira URL
https://jira.xwiki.org/browse/XWIKI-22430
Changes
Description
Clarifications
Screenshots & Video
N/A
Executed Tests
mvn clean install -Pqualityon:Expected merging strategy