blog/utils.html somehow accesses a cached user object

Issue #465 resolved
Roger Haase
created an issue

Log in and create a blog with a couple of entries. Change the ACLs for one entry such that you may update the entry but an anonymous user cannot update the entry.

Log out, restart the server, and access the blog. Note the anonymous user can update one entry but not the other per the modify icon and link at the right of the entries.

Log in and access the blog with an id that should be able to update both entries per the ACLs. Note the modify icon and link have not changed.

The problem is made clearer if the start of /blog/utils.html is modified with the addition of {{ }} after the </h1> as shown below:

{% import "forms.html" as forms %}
{% import "utils.html" as utils %}

{% macro show_blog_entry(entry_item) %}
    {% set summary = entry_item.meta['summary'] %}
    <div class="bg-info moin-blog-entry">
        <h1><a href="{{ url_for('frontend.show_item', }}"
            title="{{ summary }}" class="moin-blog-entry-link">{{ summary }}</a></h1>

        {{ }}

        {% if user.may.write(entry_item.fqname) %}
            <div class="moin-blog-entry-modify">
                <span class="moin-blog-icon">&#x2710;</span>
                <a href="{{ url_for('frontend.modify_item', item_name=entry_item.fqname) }}">{{ _("Modify") }}</a>
        {% endif %}

Make the above change, restart the server, access the blog, log in or out, and access the blog again. Note the user name displayed is the first user to access the blog, not necessarily the current user.

Tried to reproduce this with tickets and other templates. The problem appears to only affect blog entries.
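As an added illustration (not MoinMoin code, and not a confirmed root cause of this ticket), the script below reproduces the symptom described in the title with plain Jinja2: a macro file imported without `with context` is built into a module that Jinja creates once and caches on the template, together with a snapshot of the environment globals, so if a concrete user object is visible there the ACL check in the macro keeps answering for the first user. The `Entry`, `May` and `User` classes, the template names and the two sample entries are constructed stand-ins for the wiki's objects; the second function shows the check following the current request once the user is passed into the macro explicitly.

```python
# Added illustration, not MoinMoin code: a Jinja2 macro imported without
# `with context` lives in a module that Jinja builds once and caches on the
# template, together with a snapshot of the environment globals. If a concrete
# user object is visible there, every later request sees that first user.
import re
from dataclasses import dataclass

from jinja2 import DictLoader, Environment


@dataclass
class Entry:
    fqname: str
    meta: dict


class May:
    """Minimal stand-in for moin's user.may: write() consults a fixed set."""

    def __init__(self, writable):
        self._writable = set(writable)

    def write(self, fqname):
        return fqname in self._writable


@dataclass
class User:
    name: str
    may: May


# Constructed sample data mirroring the repro: one entry anonymous may edit, one not.
ENTRIES = [
    Entry("blog/public", {"summary": "Public entry"}),
    Entry("blog/private", {"summary": "Private entry"}),
]
ALICE = User("alice", May({"blog/public", "blog/private"}))
ANON = User("anonymous", May({"blog/public"}))

TEMPLATES = {
    # Buggy shape: the macro reads `user` from its own (cached) module scope.
    "blog/utils_buggy.html": (
        "{% macro show_blog_entry(entry_item) %}"
        "<h1>{{ entry_item.meta['summary'] }}</h1>"
        "{% if user.may.write(entry_item.fqname) %}"
        '<a class="modify" data-entry="{{ entry_item.fqname }}">Modify</a>'
        "{% endif %}{% endmacro %}"
    ),
    "blog/show_buggy.html": (
        "{% import 'blog/utils_buggy.html' as blog_utils %}"
        "{% for e in entries %}{{ blog_utils.show_blog_entry(e) }}{% endfor %}"
    ),
    # Fixed shape: the caller hands the current user to the macro explicitly.
    "blog/utils_fixed.html": (
        "{% macro show_blog_entry(entry_item, user) %}"
        "<h1>{{ entry_item.meta['summary'] }}</h1>"
        "{% if user.may.write(entry_item.fqname) %}"
        '<a class="modify" data-entry="{{ entry_item.fqname }}">Modify</a>'
        "{% endif %}{% endmacro %}"
    ),
    "blog/show_fixed.html": (
        "{% import 'blog/utils_fixed.html' as blog_utils %}"
        "{% for e in entries %}{{ blog_utils.show_blog_entry(e, user) }}{% endfor %}"
    ),
}

MODIFY_LINK = re.compile(r'<a class="modify" data-entry="([^"]+)">')


def modify_links(html):
    """Return the fqnames for which the rendered page offers a Modify link."""
    return MODIFY_LINK.findall(html)


def run_buggy():
    """Two requests against one environment. The user object is placed in the
    globals per request (a stand-in for however the real user got cached); the
    second request still renders with the first user's permissions."""
    env = Environment(loader=DictLoader(TEMPLATES), autoescape=True)
    seen = {}
    for user in (ALICE, ANON):
        env.globals["user"] = user
        html = env.get_template("blog/show_buggy.html").render(entries=ENTRIES)
        seen[user.name] = modify_links(html)
    return seen  # anonymous is offered Modify on both entries


def run_fixed():
    """Same two requests; the user is a render variable passed into the macro,
    so the ACL check follows the current request."""
    env = Environment(loader=DictLoader(TEMPLATES), autoescape=True)
    seen = {}
    for user in (ALICE, ANON):
        html = env.get_template("blog/show_fixed.html").render(entries=ENTRIES, user=user)
        seen[user.name] = modify_links(html)
    return seen  # anonymous is offered Modify only on blog/public


if __name__ == "__main__":
    print("buggy:", run_buggy())
    print("fixed:", run_fixed())
```

Importing the macro file `with context` would also expose the render context to the macro and makes Jinja skip the module cache for that import, but passing the user as a macro argument keeps the dependency on the current request visible in the template and gives a check a regression test can render for two users, which is exactly what the reproduction steps above do by hand.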

Comments (3)