CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017.

Author Topic: Authentication using PHP API  (Read 3493 times)

totten

Re: Authentication using PHP API
April 25, 2012, 07:35:28 pm
FWIW, that looks like it could work sometimes, but it's still likely to be brittle/racy. Consider these two examples:

 * http://api.drupal.org/api/function/user_access/6
 * http://svn.civicrm.org/civicrm/trunk/CRM/Core/Permission/Drupal.php

In both cases, there's core code which uses a static variable to cache the current user's permissions for the duration of one request. I can't see how that snippet would flush static-variable caches (or global-variable caches). And the problem isn't about these two files -- the problem is that the technique is commonly used in both core code and contrib modules, so the list of static/global variables is open-ended.

I was a little surprised that user_access() checks worked in that example. However, it turns out that user_access() has a special case with uid=1 -- it always returns TRUE and totally bypasses the cache, neither writing nor reading from it. But if you tried a different uid, then the cache would be corruptible.

Chris Burgess

Re: Authentication using PHP API
April 25, 2012, 08:51:22 pm
Definitely - discovered when I went from my clean CiviCRM sandbox to the customer's dev site that having any other module fire civicrm_initialize() before the user swap will prevent auth working.

At a glance of your above code references - the Drupal implementation caches per-user by keying the static cache of perms checks by UID (note the static is $perm but it stores to $perm[$user->uid]). So yes, it caches the current user's perms, but if the current user changes, it will cache the new user's perms as well.

It doesn't seem that CiviCRM keys cached results the same way, so the UID swap works in Drupal space, but doesn't work in CiviCRM *unless* you beat everything else to set the perms cache in CiviCRM (which may introduce its own problems).

Looking at REST now ;)

PS. You're right, uid=1 is bad to use in examples for that reason - as well as because blind copypasting can be ruinous, but I am too lazy to add caveats to example pasted code. My bad!
« Last Edit: April 25, 2012, 09:10:36 pm by grobot »
@xurizaemon ● www.fuzion.co.nz
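
Added example (not part of the original posts, and not Drupal or CiviCRM code): a minimal PHP sketch of the two caching patterns compared above, showing why a mid-request user swap survives a static cache keyed by UID but not an unkeyed one. The function names, UIDs and permission table are hypothetical and constructed for illustration.

```php
<?php
// Constructed sample data: uid => granted permissions.
const GRANTS = [
    2 => ['access CiviCRM', 'view all contacts'],
    3 => [],
];

// Hypothetical stand-in for the real (slow) permission lookup.
function lookup_grants(int $uid): array {
    return GRANTS[$uid] ?? [];
}

// Pattern A: static cache keyed by uid, like the $perm[$user->uid] noted above.
function check_keyed(int $uid, string $perm): bool {
    static $cache = [];
    if (!isset($cache[$uid])) {
        $cache[$uid] = lookup_grants($uid);
    }
    return in_array($perm, $cache[$uid], true);
}

// Pattern B: static cache with no uid key. Whoever triggers the first
// check fills the cache for the rest of the request.
function check_unkeyed(int $uid, string $perm): bool {
    static $cache = null;
    if ($cache === null) {
        $cache = lookup_grants($uid);
    }
    return in_array($perm, $cache, true);
}

// Simulate one request: some other code checks permissions as uid 3
// first, then the script swaps the current user to uid 2.
$perm = 'view all contacts';
foreach ([3, 2] as $uid) {
    printf(
        "uid=%d keyed=%s unkeyed=%s\n",
        $uid,
        var_export(check_keyed($uid, $perm), true),
        var_export(check_unkeyed($uid, $perm), true)
    );
}
```

After the swap, the keyed check reflects uid 2's grants while the unkeyed check still answers from the result cached for uid 3. With the order reversed, the unkeyed cache would keep reporting the earlier user's grants for a user who has none, which is the case to test for when reviewing code that swaps users mid-request.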

totten

Re: Authentication using PHP API
April 26, 2012, 12:08:40 pm
Quote from: grobot on April 25, 2012, 08:51:22 pm
At a glance of your above code references - the Drupal implementation caches per-user by keying the static cache of perms checks by UID (note the static is $perm but it stores to $perm[$user->uid]). So yes, it caches the current user's perms, but if the current user changes, it will cache the new user's perms as well.

Oh, good call!


This forum was archived on 2017-11-26.