Defect #17023
closed
The error flash message on session expiration is not in the language of the user but of the user of the previous request
0%
Description
One of our customers at Planio noticed that after an expired session, the notification message is displayed in a wrong language. The i18n gem saves the current locale in Thread.current[:i18n_config], which on some app servers (i.e. most other than Webrick) is preserved between requests. That means, if the current locale is not updated for each request, the one from the previous request will be used.
Currently, the session_expiration before filter in ApplicationController does not set the locale, leading to the flash message with the expiration message to be saved to the session in the language of the previous user.
The attached patch fixes this behaviour. It sets the language defined for the user_id of the session (if present) or the default language.
This bug is probably not a grave security issue as no further information besides the language of the previous request is leaked.
Files
Related issues
Updated by Jan from Planio www.plan.io over 10 years ago
- Category changed from Text formatting to I18n
- Target version set to Candidate for next minor release
Updated by Toshi MARUYAMA over 10 years ago
- Target version changed from Candidate for next minor release to 2.6.0
Updated by Etienne Massip over 10 years ago
- Target version changed from 2.6.0 to 2.5.3
Since it's a simply fixed issue.
I'm not fond of the assignment inside the if test, though.
Updated by Holger Just about 10 years ago
Another option would be to move the session_expiration filter after the user_setup. That way, we would have a proper User.current set and could just reuse the existing logic in set_localization. This could then look like this:
def session_expiration
if session[:user_id]
if session_expired? && !try_to_autologin
reset_session
set_localization
flash[:error] = l(:error_session_expired)
redirect_to signin_url
else
session[:atime] = Time.now.utc.to_i
end
end
end
Updated by Etienne Massip about 10 years ago
user_setup requires session, but why not simply call set_localization when session is expired?
Updated by Holger Just about 10 years ago
Because set_localization uses User.current to find the language selected in the user's preferences, however User.current is only set by user_setup. As such, we can run set_localozation only after user_setup.
Updated by Jean-Philippe Lang about 10 years ago
- Status changed from New to Resolved
- Assignee set to Jean-Philippe Lang
- Resolution set to Fixed
Fixed in r13391.
Updated by Jean-Philippe Lang about 10 years ago
- Status changed from Resolved to Closed
- Target version changed from 2.5.3 to 2.6.0
Updated by Toshi MARUYAMA almost 10 years ago
- Has duplicate Defect #18747: Automatic log out error message is in another language. added
Updated by Josh Miller almost 10 years ago
Removed to start a new ticket, sorry for the noise.