Defect #17023

The error flash message on session expiration is not in the language of the user but of the user of the previous request

Added by Holger Just over 4 years ago. Updated over 3 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Jean-Philippe Lang
% Done: 0%
Category: I18n
Target version: 2.6.0
Resolution: Fixed
Affected version: 2.5.1

Description

One of our customers at Planio noticed that after an expired session, the notification message is displayed in a wrong language. The i18n gem saves the current locale in Thread.current[:i18n_config], which on some app servers (i.e. most other than Webrick) is preserved between requests. That means, if the current locale is not updated for each request, the one from the previous request will be used.

Currently, the session_expiration before filter in ApplicationController does not set the locale, leading to the flash message with the expiration message to be saved to the session in the language of the previous user.

The attached patch fixes this behaviour. It sets the language defined for the user_id of the session (if present) or the default language.

This bug is probably not a grave security issue as no further information besides the language of the previous request is leaked.

0001-Set-I18n-language-on-the-request-even-if-the-session.patch (1.03 KB) Holger Just, 2014-05-28 17:11
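
The leak described in this report, reproduced as an added Ruby example (not Redmine's code and not the attached patch): one reused worker thread serves a German user and then an expired session belonging to an English user. `Locale`, `MESSAGES`, `USER_LANGUAGE` and the `:demo_locale` key are constructed stand-ins for the i18n gem and Redmine's user preferences.

```ruby
# Constructed stand-ins: not Redmine's code and not the i18n gem.
MESSAGES = {
  "en" => "Your session has expired. Please login again.",
  "de" => "Ihre Sitzung ist abgelaufen. Bitte melden Sie sich erneut an."
}.freeze
DEFAULT_LANGUAGE = "en"
USER_LANGUAGE = { 1 => "de", 2 => "en" }.freeze # user_id => preferred language

# Like the i18n gem, keep the current locale under Thread.current,
# so it survives for as long as the worker thread is reused.
module Locale
  def self.current
    Thread.current[:demo_locale] || DEFAULT_LANGUAGE
  end

  def self.current=(lang)
    Thread.current[:demo_locale] = lang
  end
end

# A normal request: the locale is set from the logged-in user's preference.
def normal_request(user_id)
  Locale.current = USER_LANGUAGE.fetch(user_id, DEFAULT_LANGUAGE)
  :ok
end

# An expired-session request. With fix_locale false, the flash is rendered
# with whatever locale the worker thread still holds from the last request.
# With fix_locale true, the locale is first set from the session's user_id
# (if present) or the default language, as the report proposes.
def expired_session_request(session, fix_locale:)
  if fix_locale
    Locale.current = USER_LANGUAGE.fetch(session[:user_id], DEFAULT_LANGUAGE)
  end
  flash = MESSAGES.fetch(Locale.current)
  session.clear
  flash
end

# One worker thread serving two requests back to back, as a pooled server does.
def serve_on_one_worker(fix_locale:)
  Thread.new do
    normal_request(1) # German user
    expired_session_request({ user_id: 2 }, fix_locale: fix_locale) # English user
  end.value
end
```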


Related issues

Duplicated by Redmine - Defect #18747: Automatic log out error message is in another language. Closed

Associated revisions

Revision 13391
Added by Jean-Philippe Lang about 4 years ago

Fixed: The error flash message on session expiration is not in the language of the user but of the user of the previous request (#17023).

History

#1 Updated by Jan from Planio www.plan.io over 4 years ago

  • Category changed from Text formatting to I18n
  • Target version set to Candidate for next minor release

#2 Updated by Toshi MARUYAMA over 4 years ago

  • Target version changed from Candidate for next minor release to 2.6.0

#3 Updated by Etienne Massip about 4 years ago

  • Target version changed from 2.6.0 to 2.5.3

Since it's a simply fixed issue.

I'm not fond of the assignment inside the if test, though.

#4 Updated by Holger Just about 4 years ago

Another option would be to move the session_expiration filter after the user_setup. That way, we would have a proper User.current set and could just reuse the existing logic in set_localization. This could then look like this:

  def session_expiration
    if session[:user_id]
      if session_expired? && !try_to_autologin
        reset_session
        set_localization
        flash[:error] = l(:error_session_expired)
        redirect_to signin_url
      else
        session[:atime] = Time.now.utc.to_i
      end
    end
  end

#5 Updated by Etienne Massip about 4 years ago

user_setup requires session, but why not simply call set_localization when session is expired?

#6 Updated by Holger Just about 4 years ago

Because set_localization uses User.current to find the language selected in the user's preferences; however, User.current is only set by user_setup. As such, we can run set_localization only after user_setup.

#7 Updated by Jean-Philippe Lang about 4 years ago

  • Status changed from New to Resolved
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed

Fixed in r13391.

#8 Updated by Jean-Philippe Lang about 4 years ago

  • Status changed from Resolved to Closed
  • Target version changed from 2.5.3 to 2.6.0

#9 Updated by Toshi MARUYAMA almost 4 years ago

  • Duplicated by Defect #18747: Automatic log out error message is in another language. added

#10 Updated by Josh Miller over 3 years ago

Removed to start a new ticket, sorry for the noise.
