RequestGuard::setRequest() should reset $this->user #56822
drunken-monkey asked this question in Ideas. Unanswered; replies: 0 comments.
Laravel Version
9.52.16
PHP Version
8.2.13
Database Driver & Version
No response
Description
RequestGuard::user() uses $this->user as a cache to avoid computing the current user again for a given request. However, when rebinding the current request, $this->user is not reset so the previous request’s value will still be used, even though different requests can of course come from different users.
I’ve stumbled onto this in the context of PHPUnit tests, where there can of course easily be several requests with different authentication inside a single PHP process. This caused my tests to fail, but I think this is an underlying logical problem in this package, not something I should just work around in my testing code.
Sorry if I got this completely wrong, I haven’t worked with the Laravel/Lumen internals much yet. However, this does seem to violate a pretty basic principle of caching: if a cached value ($this->user) depends on something ($this->request), you have to invalidate the cache when the dependency changes.
Note that this code has been the same since the RequestGuard class was initially added in 2015, the bug is still present in the latest 12.x version even though I personally used an older version.
System: illuminate/auth 9.52.16
Steps To Reproduce
I’ve only been able to reproduce this problem in tests, not “in the wild”. Basically, if you have a single test with multiple requests, and the requests should map to different users, then the user from the first request will also be applied to all the subsequent requests.
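A minimal model of the stale-cache behaviour described in the post above, added here as an illustration; it is not code from the post or from Laravel. `FakeRequest`, `CachingGuard`, `ResettingGuard` and the `X-User` header are hypothetical names, and the second guard shows the cache being invalidated when the request is rebound.

```php
<?php
// Simplified stand-in for a guard that caches the resolved user; not Laravel's source.
// Class names and the X-User header are assumptions made for this example.

final class FakeRequest
{
    public function __construct(public readonly array $headers) {}
}

class CachingGuard
{
    protected ?string $user = null;

    public function __construct(protected $callback, protected FakeRequest $request) {}

    // Resolves the user once from the current request, then serves the cached value.
    public function user(): ?string
    {
        return $this->user ??= ($this->callback)($this->request);
    }

    // Behaviour described in the post: the request is swapped, the cached user is kept.
    public function setRequest(FakeRequest $request): static
    {
        $this->request = $request;
        return $this;
    }
}

class ResettingGuard extends CachingGuard
{
    // Proposed behaviour: drop the cached user whenever its dependency changes.
    public function setRequest(FakeRequest $request): static
    {
        $this->user = null;
        return parent::setRequest($request);
    }
}

$resolve = fn (FakeRequest $r): ?string => $r->headers['X-User'] ?? null;
$alice = new FakeRequest(['X-User' => 'alice']); // constructed sample requests
$bob   = new FakeRequest(['X-User' => 'bob']);

foreach ([CachingGuard::class, ResettingGuard::class] as $class) {
    $guard  = new $class($resolve, $alice);
    $first  = $guard->user();
    $second = $guard->setRequest($bob)->user();
    printf("%-15s first=%s second=%s\n", $class, $first, $second);
}
```

Run with PHP 8.1 or later; the `CachingGuard` line reports the first request's user for both calls, while `ResettingGuard` resolves the second request's user.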