fix optimisation with super session that may lead to integrity loss
at some point I've decided to stop ensuring ?1 cardinality was respected
when adding a new relation using a super session, to avoid the cost of
the delete query. That was yet discussable because it introduced unexpected
difference between execute and unsafe_execute, which is imo not worth it.
Also, now that rql() in migration script default to unsafe_execute, we
definitly don't want that implicit behaviour change (which already cause
bug when for instance adding another default workflow for an entity type:
without that fix we end up with *two* default workflows while the schema
tells we can have only one.
IMO we should go to the direction that super session skip all security
check, but nothing else, unless explicitly asked.
"""web session component: by dfault the session is actually the db connection
object :/
:organization: Logilab
:copyright: 2001-2010 LOGILAB S.A. (Paris, FRANCE), license is LGPL v2.
:contact: http://www.logilab.fr/ -- mailto:contact@logilab.fr
:license: GNU Lesser General Public License, v2.1 - http://www.gnu.org/licenses
"""
__docformat__ = "restructuredtext en"
from cubicweb.web import InvalidSession
from cubicweb.web.application import AbstractSessionManager
class InMemoryRepositorySessionManager(AbstractSessionManager):
"""manage session data associated to a session identifier"""
def __init__(self, *args, **kwargs):
AbstractSessionManager.__init__(self, *args, **kwargs)
# XXX require a RepositoryAuthenticationManager which violates
# authenticate interface by returning a session instead of a user
#assert isinstance(self.authmanager, RepositoryAuthenticationManager)
self._sessions = {}
def dump_data(self):
return self._sessions
def restore_data(self, data):
self._sessions = data
def current_sessions(self):
return self._sessions.values()
def get_session(self, req, sessionid):
"""return existing session for the given session identifier"""
if not sessionid in self._sessions:
raise InvalidSession()
session = self._sessions[sessionid]
if self.has_expired(session):
self.close_session(session)
raise InvalidSession()
# give an opportunity to auth manager to hijack the session
# (necessary with the RepositoryAuthenticationManager in case
# the connection to the repository has expired)
try:
session = self.authmanager.validate_session(req, session)
# necessary in case session has been hijacked
self._sessions[session.sessionid] = session
except InvalidSession:
# invalid session
del self._sessions[sessionid]
raise
return session
def open_session(self, req):
"""open and return a new session for the given request
:raise ExplicitLogin: if authentication is required
"""
session = self.authmanager.authenticate(req)
self._sessions[session.sessionid] = session
return session
def close_session(self, session):
"""close session on logout or on invalid session detected (expired out,
corrupted...)
"""
self.info('closing http session %s' % session)
del self._sessions[session.sessionid]
try:
session.close()
except:
# already closed, may occurs if the repository session expired but
# not the web session
pass