  1. Moodle
  2. MDL-79350

setup_lang_from_browser should not write to session when readonly sessions is declared

Details

    • MOODLE_401_STABLE, MOODLE_402_STABLE, MOODLE_403_STABLE
    • MOODLE_401_STABLE, MOODLE_402_STABLE
    • MDL-79350-401
    • MDL-79350-402
    • MDL-79350-master
      1. Install the "French / Français ‎(fr)" language pack.
      2. Set $CFG->enable_read_only_sessions = true;
      3. Set $CFG->enable_read_only_sessions_debug = true;
      4. Set the debugging level to NORMAL.
      5. Run the following request using curl, setting the hostname appropriately:

        curl -s 'https://moodle.example.com/lib/ajax/service.php?sesskey=123456789&info=core_calendar_get_action_events_by_timesort' -X OPTIONS -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: content-type" -H "Accept-Language: fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5"
        

      6. Confirm that the error string is correctly translated:

        {"error":"Erreur de programmation d\u00e9tect\u00e9e. Ceci doit \u00eatre corrig\u00e9 par un programmeur\u00a0: Invalid json in request: Syntax error","errorcode":"codingerror","stacktrace":"* line 65 of \/lib\/ajax\/service.php: coding_exception thrown\n","debuginfo":"\nError code: codingerror","reproductionlink":"http:\/\/moodle.localhost\/"} 
        

      7. Confirm that in error.log in the server (usually in /var/log/apache2/error.log) there is no READ_ONLY_SESSION warning indicating that the session has been written to:

        "NOTICE: PHP message: Script /lib/ajax/service.php?sesskey=123456789&info=core_calendar_get_action_events_by_timesort defined READ_ONLY_SESSION but the following SESSION attributes were changed: $SESSION->lang"


    Description

      This writes to the session as a side effect:

      https://github.com/moodle/moodle/blob/master/lib/moodlelib.php#L10325

      If read only sessions is on then the language in the Accept-Language header should be honoured for this request, but it should not attempt to persist it into the session.

      This was found from a CORS preflight request which doesn't have a session, so it is making a fresh session because, even though the user is logged in, the preflight request never sends cookies. Then the script sets the lang, which breaks, all for an OPTIONS request that doesn't actually work:

      curl -s 'https://moodle.example.com/lib/ajax/service.php?sesskey=123456789&info=core_calendar_get_action_events_by_timesort' -X OPTIONS -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: content-type"  -H "Accept-Language: fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5"

      {"error":"Erreur de programmation d\u00e9tect\u00e9e. Ceci doit \u00eatre corrig\u00e9 par un programmeur\u00a0: Invalid json in request: Syntax error","errorcode":"codingerror","stacktrace":null,"debuginfo":null,"reproductionlink":null}

      There are a few other things failing here which will be tackled in other trackers (e.g. proper CORS support).

      To reproduce you need to have other lang packs enabled.
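Step 7 of the testing instructions above can be scripted. The following is an added example, not code from the issue or from Moodle: the function names and the `[constructed]` sample lines are assumptions, and only the NOTICE wording is taken from the log line quoted in the issue.

```shell
#!/usr/bin/env bash
# Added example: report read-only-session violations found in a PHP error log.
# Real use (path as given in the testing instructions):
#   readonly_session_violations < /var/log/apache2/error.log

# Constructed sample input; the NOTICE text follows the line quoted in the issue.
sample_log() {
cat <<'EOF'
[constructed] NOTICE: PHP message: Script /lib/ajax/service.php?sesskey=123456789&info=core_calendar_get_action_events_by_timesort defined READ_ONLY_SESSION but the following SESSION attributes were changed: $SESSION->lang
[constructed] NOTICE: PHP message: Some unrelated debugging notice
[constructed] NOTICE: PHP message: Script /lib/ajax/service.php?sesskey=123456789&info=core_calendar_get_action_events_by_timesort defined READ_ONLY_SESSION but the following SESSION attributes were changed: $SESSION->lang
EOF
}

# Read log lines on stdin and print "<count> <script> <changed attributes>"
# for each distinct violation. The query string is dropped so that the
# sesskey is not copied from the log into reports or tickets.
readonly_session_violations() {
    sed -n 's/.*Script \([^ ?]*\)[^ ]* defined READ_ONLY_SESSION but the following SESSION attributes were changed: \(.*\)$/\1 \2/p' \
        | sed 's/"[[:space:]]*$//' \
        | sort | uniq -c | awk '{ $1 = $1; print }'
}

# Step 7 as a pass/fail check: succeeds only when the log on stdin contains
# no violation; any violations found are written to stderr.
assert_no_session_writes() {
    if readonly_session_violations | grep . >&2; then
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample.
sample_log | readonly_session_violations
```

Run the curl request from step 5 first, then feed the error log to `assert_no_session_writes`; a non-zero exit status means the request still wrote to the session.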

            People

              daviesdale Dale Davies
              brendanheywood Brendan Heywood
              Brendan Heywood Brendan Heywood
              Sara Arjona (@sarjona) Sara Arjona (@sarjona)
              Kim Jared Lucas Kim Jared Lucas