Memcache bypasses access restrictions (Trac #3018) #3018
Comments
trac user mrclay wrote on 41254359-03-28 For persistent key-value stores like Memcache, the entity and some information about its access should be stored separately. E.g.: Add a function:
Each time an entity is stored in Memcached, this key/value must be stored separately:
When get_entity() finds an entity in Memcached, it must also check this "sees" key for the current user. If missing, it must call elgg_user_can_access_entity(), populating the "sees" key if it returns true. I don't suggest saving false because it's probably not a common case.
ewinslow wrote on 41254796-07-05 You mean like this: http://reference.elgg.org/engine_2lib_2access_8php.html#af5f7246dfad0743a6568820d19858188?
trac user mrclay wrote on 41256114-07-05 evan, yep! The remaining problem is that, when an entity's access changes, I see no way to invalidate the per-user visibility caches. Perhaps a better design would store the access info more like the DB:
...as well as caching the ACL member lists:
Now you still have a straightforward way to see if user 643 can see entity 12, and better, when either entities or ACLs change, we can immediately reflect this in the key/value store without managing tons of keys or waiting for values to expire.
cash wrote on 41258144-08-12 I prefer the latter solution (storing access information in memcache).
trac user ebogdanov wrote on 41996978-06-15 We are using Elgg, and have the same issues,
trac user coldtrick wrote on 42760735-04-19 Pull request by Steve please apply!!!!!!!!!!!!!!!
…tity (suggested by Jerôme Bakker)
Fixes Elgg#3018: Checks DB for access before using memcache-stored entity
Original ticket http://trac.elgg.org/ticket/3018 on 41162597-06-28 by trac user miguel, assigned to unknown.
Elgg version: 1.7
With memcache active, the function get_entity($guid) can return objects not viewable by the current user, as long as the entity is found in memcache.
If it is not found, usual access restrictions work, because they are checked inside get_entity_as_row. This is with Elgg 1.7.7.
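
The cache-hit behaviour reported in this ticket, next to the layout proposed in the comments (access info stored with the entity, plus cached ACL member lists), shown as an added example. This is not Elgg's code: an array stands in for Memcache, and the key formats, access levels and function names are assumptions.

```php
<?php
// Added illustration, not Elgg code. An array stands in for Memcache;
// key formats, access levels and function names are hypothetical.
const LEVEL_PRIVATE = 0;  // owner only
const LEVEL_PUBLIC  = 2;  // everyone
// Any other access_id names an ACL whose member list is cached under its own key.

// Constructed sample data: entity 12 is shared through ACL 55, entity 13 is private.
$cache = [
    'entity:12'      => ['guid' => 12, 'owner' => 7, 'access_id' => 55],
    'entity:13'      => ['guid' => 13, 'owner' => 7, 'access_id' => LEVEL_PRIVATE],
    'acl_members:55' => [7, 643],
];

// Reported behaviour: a cache hit is handed back with no access check at all.
function get_entity_unchecked(array $cache, int $guid): ?array {
    return $cache["entity:$guid"] ?? null;
}

// Decide visibility from the cached access data only.
function user_can_see(array $cache, array $entity, int $user): bool {
    if ($entity['owner'] === $user) {
        return true;
    }
    if ($entity['access_id'] === LEVEL_PUBLIC) {
        return true;
    }
    if ($entity['access_id'] === LEVEL_PRIVATE) {
        return false;
    }
    // ACL-restricted: a missing member list (evicted, never cached) denies.
    $members = $cache['acl_members:' . $entity['access_id']] ?? null;
    return $members !== null && in_array($user, $members, true);
}

// Checked lookup: a miss or a denial both return null, so the caller
// falls through to the database query that enforces access itself.
function get_entity_checked(array $cache, int $guid, int $user): ?array {
    $entity = $cache["entity:$guid"] ?? null;
    return ($entity !== null && user_can_see($cache, $entity, $user)) ? $entity : null;
}

// User 643 requests private entity 13 through each path, then shared entity 12.
var_dump(get_entity_unchecked($cache, 13) !== null);
var_dump(get_entity_checked($cache, 13, 643) !== null);
var_dump(get_entity_checked($cache, 12, 643) !== null);

// ACL 55 drops user 643: one key is rewritten, no per-user keys to invalidate.
$cache['acl_members:55'] = [7];
var_dump(get_entity_checked($cache, 12, 643) !== null);
```

Returning null on a denied hit keeps the cache from becoming a second authorization source: anything it cannot positively allow goes back to the access-checked database path.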