Fix dont save timeout path to session#8142
Conversation
| class TimeoutsController < Decidim::ApplicationController | ||
| prepend_before_action :skip_timeout, only: :seconds_until_timeout | ||
| # Skip these methods because they can call Devise's store_location_for, which can save timeouts path to session. | ||
| skip_before_action :store_current_location, :ensure_authenticated! |
There was a problem hiding this comment.
💬 Mmm, should we add :ensure_authenticated! to all lines calling skip_before_action :store_current_location?
We could even create a ShouldNotStorePath concern to be more DRY. What do you think? (it's not needed to merge this, of course)
There was a problem hiding this comment.
speech_balloon Mmm, should we add
:ensure_authenticated!to all lines callingskip_before_action :store_current_location?
We could even create a ShouldNotStorePath concern to be more DRY. What do you think? (it's not needed to merge this, of course)
Hmmm.. Could we just remove store_location_for , from ensure_authenticated! method? It seems to me that we are saving location twice if "Force users to authenticate before access organization" is set.
There was a problem hiding this comment.
I think you are right. It seems that that call was added in #6300 because the redirect was done before storing the current location, but I'd say that after #8036 it should work properly without the store_location_for call. Can you remove it and the skip_before_action for ensure_authenticated! and check if it works? Thanks!
* develop: (47 commits) New Crowdin updates (#8150) Move the webpacker config override to @decidim/webpacker (#8158) Fix admin stylesheet dynamic imports (#8154) Fix session timeout conflicting with remember me (#7467) Allow to create online meetings without an URL (#8152) Fix verification route issues (#8146) Fix dont save timeout path to session (#8142) Fix access to import CSV results in accountability (#8132) Fix user report notification reported user name (#8130) Allow users to comment and delete their own comments (#8072) New Crowdin updates (#8124) Fix webpacker issues (#8136) Add comments in participatory space presentation page stats block (#8034) Split NPM dependencies to more granular packages (#8121) Metric is not shown when value is zero for blocked and reported users (#8117) Add missing templates translations (#8133) Add missing translation for authorization_modals (#8129) Polls in meetings (#8065) Fix flaky test on initiatives (#8128) Filter participants admin (#8104) ...
🎩 What? Why?
When "Force users to authenticate before access organization" is set from system panel, automatic session timeout isn't working as expected: it's not always singing out in all tabs and stores /timeouts/seconds_until_timeout location (as redirect path) to user's session. This is because ensure_authenticated! method calls store_location_for which stores /timeouts/seconds_until_timeout location to session.
Testing
📋 Checklist
🚨 Please review the guidelines for contributing to this repository.
docs/.📷 Screenshots