Skip to content

Validate user login capability on each request.#2883

Merged
somiaj merged 1 commit into
openwebwork:developfrom
drgrice1:validate-user-login-each-request
Feb 1, 2026
Merged

Validate user login capability on each request.#2883
somiaj merged 1 commit into
openwebwork:developfrom
drgrice1:validate-user-login-each-request

Conversation

@drgrice1

@drgrice1 drgrice1 commented Jan 9, 2026

Copy link
Copy Markdown
Member

Currently the login capability of a user is only ever checked on initial sign in, and never again. So if a user logs in, and then the status or permission level of the user is changed so that the user no longer has the allow_course_access behavior or login permission level, then the user's current session remains valid, and the user may continue to work in the course (including submitting answers).

This changes that so that those things are checked on each request. So, for example, if a user is dropped (status changed to "D"), then the next thing the user tries to do in the course that involves a request to the server will result in the user being logged out.

This was reported for the Shibboleth authentication module in issue #2827, but really is an issue for all authentication modules. So this more generally fixes issue #2827 for all authentication modules.

This has been tested for all functional authentication modules (i.e., for all but the CAS and Moodle authentication modules. If the CAS module is fixed this should work for that as well. I plan to remove the Moodle authentication module in another pull request.

Note that this is done in such a way that no new database queries are needed. To make this happen the user record is cached in the check_user call, and then can be used any time after that. Future plans are to take this much further. There are many times in the code that the database record for the current user is fetched from the database, and now this cached user record from the current authentication module could directly be used instead.

Currently the login capability of a user is only ever checked on initial
sign in, and never again.  So if a user logs in, and then the status or
permission level of the user is changed so that the user no longer has
the `allow_course_access` behavior or `login` permission level, then the
user's current session remains valid, and the user may continue to work
in the course (including submitting answers).

This changes that so that those things are checked on each request.  So,
for example, if a user is dropped (status changed to "D"), then the next
thing the user tries to do in the course that involves a request to the
server will result in the user being logged out.

This was reported for the Shibboleth authentication module in issue openwebwork#2827,
but really is an issue for all authentication modules. So this more
generally fixes issue openwebwork#2827 for all authentication modules.

This has been tested for all functional authentication modules (i.e.,
for all but the `CAS` and `Moodle` authentication modules. If the `CAS`
module is fixed this should work for that as well.  I plan to remove the
`Moodle` authentication module in another pull request.

Note that this is done in such a way that no new database queries are
needed.  To make this happen the user record is cached in the
`check_user` call, and then can be used any time after that.  Future
plans are to take this much further.  There are many times in the code
that the database record for the current user is fetched from the
database, and now this cached user record from the current
authentication module could directly be used instead.
@drgrice1 drgrice1 force-pushed the validate-user-login-each-request branch from 22eddd9 to 326890f Compare January 13, 2026 21:53

@pstaabp pstaabp left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Checked for the basic authentication method.

@somiaj somiaj left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed it fixed the issue raised.

@somiaj somiaj merged commit 9d60716 into openwebwork:develop Feb 1, 2026
2 checks passed
@drgrice1 drgrice1 deleted the validate-user-login-each-request branch February 1, 2026 12:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants