https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40943 Andrii Nugged <nugged@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |nugged@gmail.com --- Comment #32 from Andrii Nugged <nugged@gmail.com> --- Koha::BackgroundJob::enqueue mutates live C4::Context->userenv when sanitizing job context - - - Houston, we have a problem. In Koha::BackgroundJob::enqueue we currently do: my $job_context = $params->{job_context} // C4::Context->userenv; This does not create a copy. It keeps an alias to the live request C4::Context->userenv hashref when no explicit job_context is passed. A few lines later we sanitize the job context with: # session_id must not be logged delete $job_context->{session_id}; Because $job_context may alias C4::Context->userenv, this also removes session_id from the live request context for the rest of the same Plack request. I traced this while debugging a 403 during item save from: POST .../cgi-bin/koha/cataloguing/additem.pl?biblionumber=... The visible failure happened in a value_builder plugin that does: my ($auth_status) = check_cookie_auth( C4::Context->userenv->{session_id}, { catalogue => 1 } ); After BackgroundJob::enqueue has deleted session_id from the live userenv, that auth call fails. In my case dateaccessioned.pl then printed a 403 header, and the request ended up as: PAGE GENERATED 403 So the plugin is not the root cause here. The root cause is that enqueue mutates the live request userenv while preparing background job context. A safer fix would be to decouple the job context from the live request context first, for example: my $job_context = { %{ $params->{job_context} // C4::Context->userenv // {} } }; Then: delete $job_context->{session_id}; $job_context->{interface} = C4::Context->interface; For a temporary local workaround I used: delete local $job_context->{session_id}; local $job_context->{interface} = C4::Context->interface; but I think copying the hashref is the better upstream fix because it avoids mutating the live request context at all. I only found one related production occurrence: Koha/BackgroundJob.pm delete $job_context->{session_id}; and one test occurrence: t/db_dependent/Koha/BackgroundJob.t delete $expected_context->{session_id}; It would be good to add a regression test to ensure enqueue does not mutate the live userenv, something along the lines of: my $original_session_id = C4::Context->userenv->{session_id}; ... is( C4::Context->userenv->{session_id}, $original_session_id, 'enqueue must not mutate live userenv session_id' ); -- You are receiving this mail because: You are watching all bug changes.