Defect #17023
Status: Closed
The error flash message on session expiration is not in the language of the user but of the user of the previous request
Description
One of our customers at Planio noticed that after an expired session, the notification message is displayed in a wrong language. The i18n gem saves the current locale in Thread.current[:i18n_config], which on some app servers (i.e. most other than Webrick) is preserved between requests. That means, if the current locale is not updated for each request, the one from the previous request will be used.
Currently, the session_expiration before filter in ApplicationController does not set the locale, leading to the flash message with the expiration message being saved to the session in the language of the previous user.
The attached patch fixes this behaviour. It sets the language defined for the user_id of the session (if present) or the default language.
This bug is probably not a grave security issue as no further information besides the language of the previous request is leaked.
Updated by Jan from Planio www.plan.io over 10 years ago
- Category changed from Text formatting to I18n
- Target version set to Candidate for next minor release
Updated by Toshi MARUYAMA over 10 years ago
- Target version changed from Candidate for next minor release to 2.6.0
Updated by Etienne Massip over 10 years ago
- Target version changed from 2.6.0 to 2.5.3
Since it's a simply fixed issue.
I'm not fond of the assignment inside the if test, though.
Updated by Holger Just over 10 years ago
Another option would be to move the session_expiration filter after the user_setup. That way, we would have a proper User.current set and could just reuse the existing logic in set_localization. This could then look like this:

    def session_expiration
      if session[:user_id]
        if session_expired? && !try_to_autologin
          reset_session
          set_localization
          flash[:error] = l(:error_session_expired)
          redirect_to signin_url
        else
          session[:atime] = Time.now.utc.to_i
        end
      end
    end
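The thread-local locale leak described in the issue, and the effect of setting the locale before the flash is built as proposed above, as an added Ruby simulation that is not Redmine's code: FakeI18n, USERS, handle_request and reproduce are stand-ins constructed for this example, and the user languages are made up.

```ruby
# Added example, not Redmine's code: a stand-in for the i18n gem that keeps
# its locale in Thread.current plus a simplified filter chain, showing how a
# worker thread that served a German user hands that locale to the next one.
MESSAGES = {
  en: { error_session_expired: 'Your session has expired.' },
  de: { error_session_expired: 'Ihre Sitzung ist abgelaufen.' },
  fr: { error_session_expired: 'Votre session a expire.' }
}.freeze
DEFAULT_LANGUAGE = :en
USERS = { 1 => :de, 2 => :fr }.freeze # constructed: user_id => language
# Like I18n.locale: the value lives in a thread-local and survives between
# requests on any app server that reuses its threads.
module FakeI18n
  def self.locale=(loc)
    Thread.current[:fake_i18n_locale] = loc
  end
  def self.locale
    Thread.current[:fake_i18n_locale] || DEFAULT_LANGUAGE
  end
  def self.t(key)
    MESSAGES.fetch(locale).fetch(key)
  end
end

# One request through a simplified ApplicationController filter chain:
# fixed: false builds the flash before any locale is set (the reported bug),
# fixed: true first sets the session user's language, as the patch does.
def handle_request(session, expired, fixed:)
  language = USERS.fetch(session[:user_id], DEFAULT_LANGUAGE)
  if expired
    FakeI18n.locale = language if fixed
    flash_error = FakeI18n.t(:error_session_expired) # saved to the session
    session.clear                                     # reset_session
    return flash_error
  end
  FakeI18n.locale = language # user_setup + set_localization on a live session
  nil
end

# Two requests on the same worker thread: user 1 (German) logs in, then
# user 2 (French) arrives with an expired session.
def reproduce(fixed:)
  Thread.new do
    handle_request({ user_id: 1 }, false, fixed: fixed)
    handle_request({ user_id: 2 }, true, fixed: fixed)
  end.value
end

puts "buggy ordering: #{reproduce(fixed: false)}"
puts "fixed ordering: #{reproduce(fixed: true)}"
```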
Updated by Etienne Massip over 10 years ago
user_setup requires session, but why not simply call set_localization when session is expired?
Updated by Holger Just over 10 years ago
Because set_localization uses User.current to find the language selected in the user's preferences, however User.current is only set by user_setup. As such, we can run set_localization only after user_setup.
Updated by Jean-Philippe Lang over 10 years ago
- Status changed from New to Resolved
- Assignee set to Jean-Philippe Lang
- Resolution set to Fixed
Fixed in r13391.
Updated by Jean-Philippe Lang over 10 years ago
- Status changed from Resolved to Closed
- Target version changed from 2.5.3 to 2.6.0
Updated by Toshi MARUYAMA almost 10 years ago
- Has duplicate Defect #18747: Automatic log out error message is in another language. added
Updated by Josh Miller almost 10 years ago
Removed to start a new ticket, sorry for the noise.