Diffstat (limited to 'perllib')
-rw-r--r--perllib/Catalyst/Plugin/FixMyStreet/Session/RotateSession.pm26
-rw-r--r--perllib/FixMyStreet/App.pm1
-rw-r--r--perllib/FixMyStreet/App/Controller/Report/New.pm8
3 files changed, 32 insertions, 3 deletions
diff --git a/perllib/Catalyst/Plugin/FixMyStreet/Session/RotateSession.pm b/perllib/Catalyst/Plugin/FixMyStreet/Session/RotateSession.pm
new file mode 100644
index 000000000..8da88721f
--- /dev/null
+++ b/perllib/Catalyst/Plugin/FixMyStreet/Session/RotateSession.pm
@@ -0,0 +1,26 @@
+package Catalyst::Plugin::FixMyStreet::Session::RotateSession;
+use Moose::Role;
+use namespace::autoclean;
+
+# After successful authentication, rotate the session ID
+after set_authenticated => sub {
+ my $c = shift;
+ $c->change_session_id;
+};
+
+# The below is necessary otherwise the rotation fails due to the delegate
+# holding on to the now-deleted old session. See
+# https://rt.cpan.org/Public/Bug/Display.html?id=112679
+
+after delete_session_data => sub {
+ my ($c, $key) = @_;
+
+ my ($field) = split(':', $key);
+ if ($field eq 'session') {
+ $c->_session_store_delegate->_session_row(undef);
+ } elsif ($field eq 'flash') {
+ $c->_session_store_delegate->_flash_row(undef);
+ }
+};
+
+1;
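Review bot: The `after delete_session_data` modifier at the end of the hunk reaches into `_session_row` and `_flash_row` on `_session_store_delegate`, which are private attributes of the session store (presumably Catalyst::Plugin::Session::Store::DBIC, given the linked RT ticket), so an upgrade of that store could silently break the rotation this workaround exists for; a comment naming the dependency, e.g. `# Relies on private attributes of the DBIC session store; re-check when upgrading it`, would help the next maintainer. The header comment on the `set_authenticated` hook could also state why it exists, e.g. `# Rotating the session ID on login stops a session ID issued before authentication from carrying over (session fixation)`. `split(':', $key)` warns if `$key` is ever undef; `my ($field) = split ':', $key // '';` keeps the hook quiet in that case, though I cannot tell from here whether the store can call it without a key.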
diff --git a/perllib/FixMyStreet/App.pm b/perllib/FixMyStreet/App.pm
index 1173523bc..3e8c07fb0 100644
--- a/perllib/FixMyStreet/App.pm
+++ b/perllib/FixMyStreet/App.pm
@@ -27,6 +27,7 @@ use Catalyst (
'Session::State::Cookie', # FIXME - we're using our own override atm
'Authentication',
'SmartURI',
+ 'FixMyStreet::Session::RotateSession',
'FixMyStreet::Session::StoreSessions',
);
diff --git a/perllib/FixMyStreet/App/Controller/Report/New.pm b/perllib/FixMyStreet/App/Controller/Report/New.pm
index 585337d8b..b748a34e0 100644
--- a/perllib/FixMyStreet/App/Controller/Report/New.pm
+++ b/perllib/FixMyStreet/App/Controller/Report/New.pm
@@ -514,9 +514,11 @@ sub initialize_report : Private {
->first;
if ($report) {
- # log the problem creation user in to the site
- $c->authenticate( { email => $report->user->email, email_verified => 1 },
- 'no_password' );
+ # log the problem creation user in to the site, if not already logged in
+ if (!$c->user_exists || $c->user->email ne $report->user->email) {
+ $c->authenticate( { email => $report->user->email, email_verified => 1 },
+ 'no_password' );
+ }
# save the token to delete at the end
$c->stash->{partial_token} = $token if $report;