Merged r13110 and r13112 from trunk to 2.4-stable (#16685)

introduce request_store to ensure that the current user doesn't leak across request boundaries.

Contributed by Holger Just.

git-svn-id: http://svn.redmine.org/redmine/branches/2.4-stable@13114 e93f8b46-1217-0410-a6f0-8f06a7374b81
Toshi MARUYAMA
2014-05-01 01:55:03 +00:00
parent 70bc3fd601
commit 11f5a159a7
2 changed files with 3 additions and 2 deletions


@@ -6,6 +6,7 @@ gem "jquery-rails", "~> 2.0.2"
gem "coderay", "~> 1.1.0"
gem "fastercsv", "~> 1.5.0", :platforms => [:mri_18, :mingw_18, :jruby]
gem "builder", "3.0.0"
gem "request_store"
# Optional gem for LDAP authentication
group :ldap do
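Review bot: the added `gem "request_store"` line carries no version constraint, unlike the entries around it (`"~> 1.1.0"`, `"3.0.0"`). On a stable branch an unconstrained dependency lets dependency resolution pick up any later release of the gem, including one that changes how the store is scoped, which is the property this fix relies on. Add a pessimistic (`~>`) constraint matching the release the fix was tested against.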


@@ -607,11 +607,11 @@ class User < Principal
end
def self.current=(user)
Thread.current[:current_user] = user
RequestStore.store[:current_user] = user
end
def self.current
Thread.current[:current_user] ||= User.anonymous
RequestStore.store[:current_user] ||= User.anonymous
end
# Returns the anonymous user. If the anonymous user does not exist, it is created. There can be only
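Review bot: in `User.current=` and `User.current`, the switch from `Thread.current[:current_user]` to `RequestStore.store[:current_user]` has no comment explaining why, and the commit touches only two files, so no test covers the behaviour the commit message promises. A short comment above `self.current=` stating that the value must not outlive the request, plus a test asserting that `User.current` is `User.anonymous` again at the start of a request that follows an authenticated one, would keep a later refactor from quietly going back to thread-local storage and reintroducing the cross-request leak.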