Closed drgrice1 closed 4 months ago
Can you suggest anything specific to test here? Or just switch to the branch and see that logging in with cookies works fine?
That is of course something that should still work correctly. So that is something to test.
The main thing that this deals with is the `status_message` URL parameter. An easy way to test that is to use the PG problem editor and save a file using the Save As tab. With the develop branch when you do that, you will see the `status_message` in the URL with a long URL escaped html string. Those are all of those dismiss-able messages that are displayed after the file is saved. With this pull request, you won't see the URL parameter, but the messages will still be there. Instead they are in the session flash. Although, you won't really be able to see that. They are only in the session cookie (or database session when using `$manage_session_via = 'key'`) for one request. So by the time the redirect finishes it has already been removed from the session.
Note that there is one message you won't see if you are saving a new problem from the PG problem editor opened from the site navigation menu. That is the message "No changes have been made to set". You will of course still see that if you are saving when editing a problem from a set (and not modifying the set), and then it will say "No changes have been made to set setID".
An important thing to test is what is stated in issue #2336. With the develop branch if you enter `https://your.server.domain/webwork2/courseID?status_message=<script>console.log('hello')</script>` into the address bar of the browser, then you will see 'hello' in the developer console. With this pull request you will not.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request.

This is then used to save `status_messages` when redirects occur. This fixes issue #2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.

This builds on #2333, #2334, and #2335 and is part 4 of 3 of the authentication system revamp. So long, and thanks for all the fish!
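
The flash-on-redirect pattern described above, as an added example that is not code from this pull request or from WeBWorK. The `/save` and `/editor` routes, the template and the secret are hypothetical; the probe string is the one quoted in the thread for issue #2336.

```perl
#!/usr/bin/env perl
# Added example, not WeBWorK code: routes, template and secret are hypothetical.
use Mojolicious::Lite -signatures;
use Test::More;
use Test::Mojo;

app->secrets(['constructed-secret-for-this-example-only']);

# Save handler: the message goes into the session flash, not into the redirect URL.
post '/save' => sub ($c) {
    $c->flash(status_message => 'File saved.');
    $c->redirect_to('/editor');
};

# The page only reads the flash; a status_message query parameter is never consulted.
get '/editor' => sub ($c) { $c->render(template => 'editor') };

my $t = Test::Mojo->new;

# 1. The redirect carries no message in its URL.
$t->post_ok('/save')->status_is(302)->header_unlike(Location => qr/status_message/);

# 2. The request that follows the redirect shows the message ...
$t->get_ok('/editor')->status_is(200)->content_like(qr/File saved\./);

# 3. ... and the request after that no longer has it (flash lives for one request).
$t->get_ok('/editor')->status_is(200)->content_unlike(qr/File saved\./);

# 4. The probe from issue #2336, sent as a query parameter, is not reflected.
my $probe = q{<script>console.log('hello')</script>};
$t->get_ok('/editor' => form => {status_message => $probe})
    ->status_is(200)
    ->content_unlike(qr/<script>/)
    ->content_unlike(qr/console\.log/);

done_testing;

__DATA__

@@ editor.html.ep
% if (my $msg = flash 'status_message') {
<div class="alert"><%= $msg %></div>
% }
<p>Editor page</p>
```

Run it with `perl` on a system that has Mojolicious installed; every check should report `ok`.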