avatar joeforjoomla
joeforjoomla
22 Jun 2016

Steps to reproduce the issue

Once a login is performed and a session is started, all user information is stored in serialized format in the #__session 'data' field. This implies that the user information held in the #__users table is not required to continue the session.

Expected result

Until Joomla 3.5 this worked; indeed, the application worked fine without depending on the user record in the #__users table.

Actual result

Starting from Joomla 3.6, if the user belonging to the currently logged-in session is deleted from the #__users table, the application and session throw an exception and fail to start:

Error displaying the error page: Application Instantiation Error: Application Instantiation Error

System information (as much as possible)

This means that a started session now has a dependency on the corresponding #__users table record. It could also be a B/C break, because apps that created guest users on the fly to perform a temporary login no longer work, and can no longer delete the #__users record that was not needed anymore, as was possible until Joomla 3.5.

Additional comments

avatar joeforjoomla joeforjoomla - open - 22 Jun 2016
avatar joeforjoomla joeforjoomla - change - 22 Jun 2016
The description was changed
Title: Application fails if user record is deleted from #__users table → Application fails in Joomla 3.6 if user record is deleted from #__users table
avatar joeforjoomla
joeforjoomla - comment - 22 Jun 2016

It looks like the issue has been introduced by the following __wakeup magic method, called when the session data is unserialized, in the file libraries/joomla/user/user.php:

/**
 * Method to recover the full object on unserialize.
 *
 * @return  void
 *
 * @since   3.6.0
 */
public function __wakeup()
{
    // Initialise some variables
    $this->userHelper = new JUserWrapperHelper;
    $this->_params    = new Registry;

    // Load the user if it exists
    if (!empty($this->id))
    {
        $this->load($this->id);
    }
    else
    {
        // Initialise
        $this->id = 0;
        $this->sendEmail = 0;
        $this->aid = 0;
        $this->guest = 1;
    }
}
avatar mbabker
mbabker - comment - 22 Jun 2016

It's a needed change. There are security issues with how the user data was persisted to the session in previous releases. Not sure what can be done with the potential B/C arguments but this isn't something that can/should be easily reverted.

avatar joeforjoomla
joeforjoomla - comment - 22 Jun 2016

Thanks Michael, but take care that this is a potential issue.
If an admin deletes a user record that is currently logged in, he will face this issue. Joomla! will fail to load and he would get the error: Error displaying the error page: Application Instantiation Error: Application Instantiation Error
That's not really acceptable.

I found that the error is thrown because, in the file /libraries/joomla/log/logger/messagequeue.php, the line
JFactory::getApplication()->enqueueMessage($entry->message, 'warning');
requires an empty application object with a missing $id parameter.

avatar brianteeman
brianteeman - comment - 22 Jun 2016

Far better than a security issue

avatar mbabker
mbabker - comment - 22 Jun 2016

When a user is deleted, unless you've disabled the Joomla User plugin, their sessions should be immediately deleted as well.

I'm not going to detail the possible security issues with this here, but the manner in which the user data was previously serialized is indeed one that needed addressing.

The "Application Instantiation Error" is happening because the line you pointed out is trying to reference the application object before it has been set to JFactory::$application; since sessions are started in the application constructor instead of lazy started this creates an issue in an error condition on session start. It probably needs cleaning up now, but a variation of staging...mbabker:refactor-session-metadata-coupling would help massively in dealing with session startup and potential issues in it causing a fatal error.
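As an added illustration of the coupling described in this thread (it is not Joomla's code nor any commenter's): a user object revived from the serialized session reloads its account data from the user table on __wakeup, and deleting the account also purges the sessions bound to it, as the Joomla User plugin is said to do above. The class names, the in-memory UserStore standing in for #__users and #__session, and the sample rows are constructed assumptions; it goes beyond the 3.6.0 code in one respect, in that a missing row degrades the session to guest instead of raising an error. Assumes PHP 7.4 or later.

```php
<?php
// Added illustration, not Joomla code. UserStore stands in for the #__users
// and #__session tables; the rows are constructed sample data.
final class UserStore
{
    public static array $rows = [42 => ['name' => 'alice', 'groups' => [2]]];
    public static array $sessions = ['s1' => 42, 's2' => 42, 's3' => 0]; // sid => uid

    public static function find(int $id): ?array { return self::$rows[$id] ?? null; }

    // What the Joomla User plugin does on delete, per the thread: remove the
    // row and every session bound to it, so no serialized copy can be revived.
    public static function deleteUser(int $id): void
    {
        unset(self::$rows[$id]);
        self::$sessions = array_filter(self::$sessions, fn(int $uid) => $uid !== $id);
    }
}

final class SessionUser
{
    public int $id = 0;
    public string $name = '';
    public array $groups = [];
    public bool $guest = true;

    public function __construct(int $id) { $this->id = $id; $this->refresh(); }

    // Same idea as JUser::__wakeup in 3.6: the serialized copy of the account
    // is never trusted; the row is reloaded on unserialize. Here a missing row
    // degrades to guest instead of raising an application error.
    public function __wakeup(): void { $this->refresh(); }

    private function refresh(): void
    {
        $row = $this->id > 0 ? UserStore::find($this->id) : null;
        if ($row === null) {
            $this->id = 0; $this->name = ''; $this->groups = []; $this->guest = true;
            return;
        }
        $this->name = $row['name']; $this->groups = $row['groups']; $this->guest = false;
    }
}

$blob = serialize(new SessionUser(42)); // what #__session.data would carry
UserStore::deleteUser(42);             // admin removes the account mid-session
$revived = unserialize($blob);         // __wakeup runs: row is gone, so guest
printf("guest=%d sessions_left=%d\n", $revived->guest, count(UserStore::$sessions));
```

Reloading on wakeup keeps a live session from carrying stale account data, and purging sessions on delete means a deleted user's serialized copy is never revived at all.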

avatar brianteeman brianteeman - change - 22 Jun 2016
Category Authentication
avatar brianteeman brianteeman - change - 22 Jun 2016
Labels Added: ?
avatar joeforjoomla
joeforjoomla - comment - 22 Jun 2016

As always I had to change the code of my extension to follow Joomla changes, which as always are not documented and have an impact on all extensions that until now relied on Joomla picking up user data from the serialized session field; now it is always picked up from the #__users table instead.

avatar brianteeman
brianteeman - comment - 22 Jun 2016

Taken you a long time to notice

avatar brianteeman
brianteeman - comment - 22 Jun 2016

Closed

avatar brianteeman brianteeman - change - 22 Jun 2016
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2016-06-22 17:28:00
Closed_By: brianteeman
avatar brianteeman brianteeman - close - 22 Jun 2016
avatar RaimisErvit
RaimisErvit - comment - 4 Aug 2016

Update 3.6.1, same session errors...

avatar brianteeman
brianteeman - comment - 4 Aug 2016

@RaimisErvit commenting on a closed issue will not be seen
