authx - Support Joomla users+sessions - Prevent leaks among stateless requests
authorTim Otten <totten@civicrm.org>
Sat, 20 Feb 2021 02:30:13 +0000 (18:30 -0800)
committerTim Otten <totten@civicrm.org>
Tue, 2 Mar 2021 19:37:53 +0000 (11:37 -0800)
ext/authx/Civi/Authx/Joomla.php

index b36376b19c1cecd42d5f9f1e7037db1093fd0e4b..51b9f4d1bc91362fc8bc1f268fc9a5f002289c1d 100644 (file)
@@ -70,6 +70,17 @@ class Joomla implements AuthxInterface {
    * @inheritDoc
    */
   public function loginStateless($userId) {
+    // Joomla CMSApplication always starts a session. It is impossible for any extension/plugin/component to influence this.
+    // See eg https://github.com/joomla/joomla-cms/issues/8772
+    // Our implementation here uses a simple (if ugly) mitigation to ensure that
+    // (1) all data is thread-local and (2) nothing is persisted from the request.
+
+    // I'm not aware of a more canonical solution. Since this tied-up with the `AbstractApplication` class
+    // hierarchy, perhaps one is supposed to make a new entry-point (`[cms.root]/components/com_civicrm/myapp.php`)?
+
+    // In any event, this work-around passes `AllFlowsTest::testMultipleStateless`.
+
+    \JFactory::getSession()->destroy();
     \JFactory::getSession()->setHandler(new \CRM_Utils_FakeJoomlaSession('CIVISCRIPT'));
     $user = new \JUser($userId);
     $session = \JFactory::getSession();
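Review bot: The added `destroy()` call at the top of loginStateless discards server-side session data, but nothing here shows that the response stops carrying a Joomla session cookie, so the comment's claim that "nothing is persisted from the request" is only established for the data side; whether Joomla still emits a `Set-Cookie` for the session name after destroy/setHandler is not visible in this hunk and is worth pinning in `AllFlowsTest::testMultipleStateless` with an assertion that a stateless response sets no session cookie. As a matter of style, `\JFactory::getSession()` is now fetched three times for the same object within a few lines; hoisting the existing `$session = \JFactory::getSession();` above the new `destroy()` call and writing `$session->destroy();` and `$session->setHandler(new \CRM_Utils_FakeJoomlaSession('CIVISCRIPT'));` makes the ordering of destroy-then-rehandle read as one deliberate sequence. The long first-person commentary would read better as a short why-comment, e.g. `// Joomla's CMSApplication unconditionally starts a session; destroy it and swap in a non-persisting handler so stateless requests cannot leak state into each other.`, with the upstream issue link kept. The body of loginStateless continues outside this hunk.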