Closed
Bug 895439
Opened 8 years ago
Closed 7 years ago
Students using same computers but with different accounts are finding each others' Makes in each others separate accounts
Categories
(Webmaker Graveyard :: Thimble, defect)
Webmaker Graveyard
Thimble
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: kevinmillerjr, Assigned: michiel)
References
Details
(Whiteboard: crossteambugs)
Attachments
(5 files)
Jenny is logged in but she can also see Nhi's makes from another class.
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0 (Beta/Release) Build ID: 20130618035212 Steps to reproduce: After signing into Thimble, students from two different classes using the same computer are finding each others Makes in their accounts. In other words, a middle school student will log into their account and will see the high school students makes in their account. Their makes may be missing. When the high school student signs into their account, their makes may be missing but they will see the middle students makes. This problem occurs even if the middle school just uses Chrome while the high school uses Firefox. Students are all using separate user accounts for Thimble and have separate email accounts. Actual results: Same as above. A couple students could not see any of their makes at all. One student eventually saw her 5 makes after she published a new webpage. I am assuming that the school proxy may be the culprit but when I switched browsers between the two classes, the error replicated itself. In short, all students are using the same IP address from the school to access Thimble. Expected results: Students sign into Thimble, check their Makes and have all of their makes. They should not see other student's makes.
|
Reporter | |
Comment 1•8 years ago
|
||
|
|
Reporter | |
Comment 2•8 years ago
|
||
|
|
Reporter | |
Comment 3•8 years ago
|
||
|
||
Comment 4•8 years ago
|
||
I can recreate the "x makes appear in y makes" bug by logging in as "jon", logging out, and then logging in as "jonatmozilla". Looks like we need to refresh the iframe we use for displaying makes.
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
||
Comment 5•8 years ago
|
||
Pomax, is there an easy way to refresh the "My Makes" iframe when login/logout happens? or maybe even whenever they click to open it?
Assignee: nobody → pomax
Status: NEW → ASSIGNED
That shouldn't matter, since the makes pane is an iframe wrapping the "webmaker.org/me" link. Logging out and in keeps the URL the same. The only thing we do is clear it when you log out and then set it again when you login"https://github.com/mozilla/thimble.webmaker.org/blob/master/views/ssooverride.html#L19 Might be SSO not propagating to webmaker.org?
|
||
Comment 7•8 years ago
|
||
I can confirm - I've seen this when i switch accounts
|
|
||
Comment 8•8 years ago
|
||
SSO is very much propagating to webmaker.org, but if you sign out the content of https://webmaker.org/me doesn't change. Try visiting it, sign in, refresh, then sign out. Your content doesn't go away.
moving to webmaker.org component, let's find out what that /me route is serving, and why.
Component: Thimble → webmaker.org
|
Assignee | |
Comment 10•8 years ago
|
||
Attachment #787751 -
Flags: review?(scott)
|
||
Comment 11•8 years ago
|
||
Comment on attachment 787751 [details] [review] https://github.com/mozilla/thimble.webmaker.org/pull/196 Seems to not be working. I still have to refresh.
Attachment #787751 -
Flags: review?(scott) → review-
|
||
Updated•8 years ago
|
Whiteboard: crossteambugs
|
|
Assignee | |
Comment 13•8 years ago
|
||
is this on Thimble only, or is this also happening on popcorn?
Flags: needinfo?(brett)
|
|
Assignee | |
Comment 15•8 years ago
|
||
Debugging this, the problem is annoying on several levels. When logging out, webmaker.org is not informed of the logout, only the tool-local persona settings are changed. The first call to /me?app=thimble after a new user has logged in goes to webmaker.org with webmaker.org still thinking the old session in in effect, and servers the previous user's makes. A second request, *after the first resolves* will have webmaker.org going "wait, this is a different user" and serve up the list of makes for the new user instead. Right now, there is no codepath or REST route we can hit to force a logout on webmaker.org. I tried a solution where the userBar.updateMakes() sets an onload listener on the makes iframe so that it can be called a second time to ensure correct data, but this causes annoying wait periods as well as iframe wiping while you're looking at that iframe. Second, if we're doing check-before-show, then we should also make sure that the makes are updated after a publication. However, if we want to update the "my makes" list every time a page is published, we need to do that after webmaker.org knows about this new make, or the iframe src update will simply get the old information back, and still not show the new make. How does popcorn deal with the "my makes" bar between logout-logins and after publications?
Flags: needinfo?(jon)
|
||
Comment 16•8 years ago
|
||
Adding Matt in case he has thoughts based on what PM does.
|
||
Comment 17•8 years ago
|
||
Popcorn Maker uses our relic "/dashboard" endpoint that hit's up our own server before redirecting to the /me page. https://github.com/mozilla/popcorn.webmaker.org/blob/master/server.js#L163-L165
|
|
Assignee | |
Comment 18•8 years ago
|
||
Additional testing reveals that it takes several seconds, even on localhost, between "logging in in thimble" and "loginapi informing webmaker.org of this new login". I count at least 6 seconds on a really fast machine. During that period, webmaker.org will still think the old session is valid, and will server content based on its credentials.
|
|
Assignee | |
Comment 19•8 years ago
|
||
would it make sense to update the loginapi here so that it can signal applications that it has finished notifying webmaker.org of account changes? That way apps can know not to take actions that depend on webmaker.org having the correct session knowledge until loginapi gives them the all-clear
|
||
Updated•8 years ago
|
Attachment mime type: text/plain → text/x-github-pull-request
|
|
Assignee | |
Comment 20•7 years ago
|
||
we're switching over to a new auth system, and we've redesigned how the "my makes" link works, always opening as a new window/tab now. invalidating because other changes to the code made this issue disappear
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•