openwebwork / webwork2

Course management front end for WeBWorK
http://webwork.maa.org/wiki/Main_Page

Add a session flash and use it to pass status messages for redirects. #2337

Closed drgrice1 closed 4 months ago

drgrice1 commented 5 months ago

The session flash method is similar to the session method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the flash method of Mojolicious::Plugin::DefaultHelpers if session_management_via is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request.

This is then used to save status_messages when redirects occur. This fixes issue #2336, since the status_message URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.

This builds on #2333, #2334, and #2335 and is part 4 of 3 of the authentication system revamp. So long, and thanks for all the fish!

Alex-Jordan commented 4 months ago

Can you suggest anything specific to test here? Or just switch to the branch and see that logging in with cookies works fine?

drgrice1 commented 4 months ago

That is of course something that should still work correctly. So that is something to test.

The main thing that this deals with is the status_message URL parameter. An easy way to test that is to use the PG problem editor and save a file using the Save As tab. With the develop branch when you do that, you will see the status_message in the URL with a long URL escaped HTML string. Those are all of those dismissible messages that are displayed after the file is saved. With this pull request, you won't see the URL parameter, but the messages will still be there. Instead they are in the session flash. Although, you won't really be able to see that. They are only in the session cookie (or database session when using $manage_session_via = 'key') for one request. So by the time the redirect finishes it has already been removed from the session.

Note that there is one message you won't see if you are saving a new problem from the PG problem editor opened from the site navigation menu. That is the message "No changes have been made to set". You will of course still see that if you are saving when editing a problem from a set (and not modifying the set), and then it will say "No changes have been made to set setID".

An important thing to test is what is stated in issue #2336. With the develop branch if you enter https://your.server.domain/webwork2/courseID?status_message=<script>console.log('hello')</script> into the address bar of the browser, then you will see 'hello' in the developer console. With this pull request you will not.
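The pattern discussed in this thread, as an added example that is not WeBWorK's code and not part of the pull request: a Mojolicious::Lite app that carries a status message across a redirect in the built-in session flash, with Test::Mojo checks for the behaviours described above. The routes `/save` and `/editor`, the `file` parameter, the template and the secret are hypothetical, and only the signed session cookie case is covered, not the database session imitation.

```perl
use Mojolicious::Lite -signatures;
use Test::More;
use Test::Mojo;

# Constructed secret for signing the session cookie in this example only.
app->secrets(['constructed-example-secret']);

# Hypothetical save action: put the message in the flash, then redirect.
post '/save' => sub ($c) {
    my $file = $c->param('file') // 'untitled.pg';
    $c->flash(status_message => "Saved to file $file");
    $c->redirect_to('/editor');
};

# Hypothetical landing page: the template reads the flash only.
get '/editor' => sub ($c) { $c->render(template => 'editor') };

my $t = Test::Mojo->new;
$t->ua->max_redirects(0);

# The redirect target carries no status_message parameter.
$t->post_ok('/save' => form => { file => 'new.pg' })
  ->status_is(302)
  ->header_like(Location => qr{/editor$})
  ->header_unlike(Location => qr/status_message/);

# The message is shown on the request after the redirect, then it is gone.
$t->get_ok('/editor')->content_like(qr/Saved to file new\.pg/);
$t->get_ok('/editor')->content_unlike(qr/Saved to file/);

# A status_message supplied in the URL never reaches the page.
$t->get_ok('/editor' => form => { status_message => "<script>console.log('hello')</script>" })
  ->content_unlike(qr/console\.log/);

# Request data placed in the flash is still HTML-escaped by <%= %>.
$t->post_ok('/save' => form => { file => '<b>x</b>' })->status_is(302);
$t->get_ok('/editor')->content_like(qr/&lt;b&gt;x&lt;\/b&gt;/);

done_testing;

__DATA__
@@ editor.html.ep
% if (my $msg = flash 'status_message') {
<div class="alert"><%= $msg %></div>
% }
<p>PG problem editor</p>
```

Run it with `perl` on a system with Mojolicious installed; the last check matters because anything derived from request data still needs escaping at render time, even when it arrives through the flash rather than the URL.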