Closed drcrack closed 4 years ago
Indeed, that could benefit installations which may be serving more than one creator, or initiating more than one instance of the class for whatever reason.
I'll take a note of this. It'll likely be included in the next update.
@drcrack As I posted in the other thread: the branch below adds the access token to cache hashes, as well as implementing a 'skip_read_from_cache' argument to skip reading from cache altogether.
https://github.com/codebard/patreon-php/tree/add_access_token_to_cache_hash
Tested, works. Please check it out and let me know if it works with your setup and resolves your issue.
I’m using this lib, and discovering this “feature” after noticing weird stuff happening in my application.
What in the hell did the devs of this lib have in mind when making this? You're allowing creation of multiple instances of \Patreon\Api
with a different auth token (so different users), but then you're caching results only based on the URL of the query, so it returns the same result for every user?
Big security flaw, because since it's not documented, people use this lib without noticing, and this can lead to leaks of personal data.
@ThibaultVlacich This shouldn't cause security concerns on a given page load that is exposed to a given user. In a page load all info cached should be related to the given user in any case. However it is indeed true that if you do mass processing of users in the backend it may cause inconsistencies. This will be addressed.
In the meantime, please check this new branch and let me know if it solves your problems:
https://github.com/codebard/patreon-php/tree/add_access_token_to_cache_hash
Hey, y'all, can you take me off the Patreon Github. I haven't worked at Patreon for 6 years or so.
On Wed, Jul 29, 2020 at 11:13 AM Oz (CodeBard) notifications@github.com wrote:
Closed #71 https://github.com/Patreon/patreon-php/issues/71.
`src/API.php:12`
should be non-static, to prevent using the same cache for requests made from different instances with different access tokens, OR the access token should be part of the md5 input.
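The following is an added example, not code from patreon-php or from anyone in this thread, that models the two defects the issue names (a cache in a static property shared by every instance, and a cache key derived from the URL alone) next to the fix the maintainer's branch describes (token folded into the key, plus a skip-read argument). Class, method and property names are hypothetical, the API responses are constructed stand-ins, and the fetch callback replaces the real HTTP call; it assumes PHP 8.0 or later.

```php
<?php
// Added example (not patreon-php code). A cache stored in a static property and
// keyed only on the request URL is shared by every \Patreon\API-style instance in
// the process, so a second instance holding another user's access token is handed
// the first user's response. The hardened variant keys on (access token, URL) and
// keeps the store per instance. All names here are hypothetical.

class SharedUrlCache
{
    // static: one store for the whole process, visible to every instance
    private static array $store = [];

    public function __construct(private string $accessToken) {}

    // Vulnerable: the key does not record which token the request was made with.
    public function get(string $url, callable $fetch): array
    {
        $key = md5($url);
        if (isset(self::$store[$key])) {
            return self::$store[$key];
        }
        return self::$store[$key] = $fetch($this->accessToken, $url);
    }
}

class TokenScopedCache
{
    // per-instance store: nothing is shared between instances
    private array $store = [];

    public function __construct(private string $accessToken) {}

    // Hardened: the key binds the token to the URL (a NUL separator keeps
    // "tokenA"+"/x" and "token"+"A/x" distinct), and $skipReadFromCache lets a
    // caller bypass the read for requests that must always hit the API.
    public function get(string $url, callable $fetch, bool $skipReadFromCache = false): array
    {
        $key = hash('sha256', $this->accessToken . "\0" . $url);
        if (!$skipReadFromCache && isset($this->store[$key])) {
            return $this->store[$key];
        }
        return $this->store[$key] = $fetch($this->accessToken, $url);
    }
}

// Constructed stand-in for the HTTP call: the response belongs to the token's user.
$fakeApi = function (string $token, string $url): array {
    static $users = [
        'token-alice' => ['id' => '1', 'email' => 'alice@example.test'],
        'token-bob'   => ['id' => '2', 'email' => 'bob@example.test'],
    ];
    return ['url' => $url, 'data' => $users[$token]];
};

$url = 'https://www.patreon.com/api/oauth2/v2/identity';

// Two users served by one process: the static URL-only cache returns Alice's
// identity to the instance that carries Bob's token.
$a = new SharedUrlCache('token-alice');
$b = new SharedUrlCache('token-bob');
$a->get($url, $fakeApi);
$leaked = $b->get($url, $fakeApi);
echo 'URL-only key, Bob\'s instance sees: ' . $leaked['data']['email'] . PHP_EOL;

// Token-scoped key: each instance only ever returns its own user's data, and a
// skip-read call refreshes from the API while still populating the cache.
$a2 = new TokenScopedCache('token-alice');
$b2 = new TokenScopedCache('token-bob');
$a2->get($url, $fakeApi);
$own = $b2->get($url, $fakeApi);
$fresh = $b2->get($url, $fakeApi, skipReadFromCache: true);
echo 'Token-scoped key, Bob\'s instance sees: ' . $own['data']['email'] . PHP_EOL;
echo 'Skip-read returns the same user: ' . $fresh['data']['email'] . PHP_EOL;
```

Running it prints Alice's address from Bob's instance in the first case and Bob's own address in the second two. The token is hashed into the key rather than stored in clear, so a cache that is later moved from memory to disk or a shared store does not end up persisting bearer tokens as part of its key space; the maintainer's branch describes the same idea with md5, and the choice of hash does not change the isolation property.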