Cached WAC-allow headers and 403 and 401 responses must be ignored after login #441
Comments
|
I guess they should be ignored after logout too. |
|
401 errors also should be ignored if the predate a login status change. |
|
Suggest: Add a date to the fetcher when the login state changes. Like |
|
This issue may be the underlying issue to SolidOS/solidos#29 |
|
From gitter: @jeff-zucker You made a good point in the meeting that, with the Wac-Allow header, we have to be wary of even responses like 200 and 404 which are not to do with authentication errors, as the WAC-Allow status my have changed for 200 (or 404) responses. Its not just 403 and 401 which need to be disregarded. |
|
Repopen, since the PR was only about the editable check |
|
With #512 merged the editable check now is working fine. But the fetcher still caches the 401 and 403 responses and will not re-fetch a resource after login unless it is forced. I guess the fetcher should consider the new outOfDate flag when deciding wether to fetch a resource or take it from cache. |
Currently the quad store in the Fetcher keeps copies of the HTTP headers of each response, and uses that to test whether something is forbidden (403), and is if modifiable by the current user (WAC-Alllow). The problem is that if the app accesses a resource, gets those headers, and then the user logs in, the cached values will be wrong: the operation should be retried to get a value appropriate to the now-logged-in user.
So these functions need some way of testing the date-time of the user's last login status change.
An example problem causes by this is: SolidOS/chat-pane#48
The text was updated successfully, but these errors were encountered: