Project

General

Profile

Actions

Defect #17023

closed

The error flash message on session expiration is not in the language of the user but of the user of the previous request

Added by Holger Just over 10 years ago. Updated almost 10 years ago.

Status:
Closed
Priority:
Normal
Category:
I18n
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

One of our customers at Planio noticed that after an expired session, the notification message is displayed in a wrong language. The i18n gem saves the current locale in Thread.current[:i18n_config], which on some app servers (i.e. most other than Webrick) is preserved between requests. That means, if the current locale is not updated for each request, the one from the previous request will be used.

Currently, the session_expiration before filter in ApplicationController does not set the locale, leading to the flash message with the expiration message to be saved to the session in the language of the previous user.

The attached patch fixes this behaviour. It sets the language defined for the user_id of the session (if present) or the default language.

This bug is probably not a grave security issue as no further information besides the language of the previous request is leaked.


Files


Related issues

Has duplicate Redmine - Defect #18747: Automatic log out error message is in another language.Closed

Actions
Actions #1

Updated by Jan from Planio www.plan.io over 10 years ago

  • Category changed from Text formatting to I18n
  • Target version set to Candidate for next minor release
Actions #2

Updated by Toshi MARUYAMA over 10 years ago

  • Target version changed from Candidate for next minor release to 2.6.0
Actions #3

Updated by Etienne Massip over 10 years ago

  • Target version changed from 2.6.0 to 2.5.3

Since it's a simply fixed issue.

I'm not fond of the assignment inside the if test, though.

Actions #4

Updated by Holger Just over 10 years ago

Another option would be to move the session_expiration filter after the user_setup. That way, we would have a proper User.current set and could just reuse the existing logic in set_localization. This could then look like this:

  def session_expiration
    if session[:user_id]
      if session_expired? && !try_to_autologin
        reset_session
        set_localization
        flash[:error] = l(:error_session_expired)
        redirect_to signin_url
      else
        session[:atime] = Time.now.utc.to_i
      end
    end
  end
Actions #5

Updated by Etienne Massip over 10 years ago

user_setup requires session, but why not simply call set_localization when session is expired?

Actions #6

Updated by Holger Just over 10 years ago

Because set_localization uses User.current to find the language selected in the user's preferences, however User.current is only set by user_setup. As such, we can run set_localozation only after user_setup.

Actions #7

Updated by Jean-Philippe Lang over 10 years ago

  • Status changed from New to Resolved
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed

Fixed in r13391.

Actions #8

Updated by Jean-Philippe Lang over 10 years ago

  • Status changed from Resolved to Closed
  • Target version changed from 2.5.3 to 2.6.0
Actions #9

Updated by Toshi MARUYAMA almost 10 years ago

  • Has duplicate Defect #18747: Automatic log out error message is in another language. added
Actions #10

Updated by Josh Miller almost 10 years ago

Removed to start a new ticket, sorry for the noise.

Actions

Also available in: Atom PDF