I can confirm that this is an issue. I'll try to find some time to create a pull request for this.
I would agree that the expected behaviour is to logout the user and will check if your code results in this behaviour.
Encountering this issue in the context of using Apache Superset (v4.1.1) as reported here:
apache/superset#28188 (comment)
When, for some reason, a user is deleted while they have an active session in FAB, then this results in the following exception:
I think the core issue is that FAB assumes that a user provided by Flask Login will always be able to be found in the DB here:
Flask-AppBuilder/flask_appbuilder/security/manager.py
Line 2165 in 418ab8a
This assumption is problematic since users may be deleted while they are logged in. The expected behavior, for me, would be to immediately logout the user.
In fact, Flask Login will simply check for existence of any user in (still valid) cookie here:
https://github.com/maxcountryman/flask-login/blob/019dbe3ae0fb95966682e769280722afb0a6b904/src/flask_login/login_manager.py#L375
For me, this happened during an update of a Superset instance in which users are auto-created on first login via OAuth. In this case, we may simply drop and re-create the Superset/FAB database and the users should be re-created on their next login. But I assume the same would happen if someone simply deletes a user that is logged in.
Probably the fix is as easy as checking for user to be not None before calling is_active on it.
Environment
Flask-Appbuilder version: flask-appbuilder==4.5.0
pip freeze output:
Describe the expected results
When deleting a user with an active session in FAB, there should not be an exception but a clean logout/destruction of that session.
Describe the actual results
The behavior I described above. Not sure how I would reproduce this in code as it concerns the whole system and authentication via cookies.
Steps to reproduce
(1) Start a Superset instance using FAB (but I guess basic FAB would also be affected)
(2) Login as a user A
(3) Remove that user A
(4) Refresh any page as user A while the session is still active
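The check proposed in the issue above, as an added example that is not part of the original report or of Flask-AppBuilder's code: a stdlib-only model of a session whose user row disappears mid-session. The loader names, the request hook and the users table are hypothetical, and the data is constructed.

```python
import sqlite3

def make_db():
    """Constructed sample data: one active user with id 1."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, active INTEGER)")
    db.execute("INSERT INTO users VALUES (1, 'user_a', 1)")
    return db

class User:
    def __init__(self, row):
        self.id, self.username, active = row
        self.is_active = bool(active)

def get_user_by_id(db, user_id):
    row = db.execute("SELECT id, username, active FROM users WHERE id = ?", (user_id,)).fetchone()
    return User(row) if row else None

def load_user_naive(db, user_id):
    # Assumes the id stored in the session always maps to a row.
    user = get_user_by_id(db, user_id)
    return user if user.is_active else None  # AttributeError when user is None

def load_user_checked(db, user_id):
    # Missing and deactivated accounts are treated alike: no user is loaded.
    user = get_user_by_id(db, user_id)
    if user is None or not user.is_active:
        return None
    return user

def handle_request(db, session, loader):
    """Hypothetical request hook: resolve the session to a user or end it."""
    user = loader(db, session.get("user_id"))
    if user is None:
        session.clear()  # destroy the stale session; the next request is anonymous
        return "redirect:/login"
    return f"200:{user.username}"

def demo():
    db = make_db()
    session = {"user_id": 1}  # constructed: state after user A logged in
    before = handle_request(db, session, load_user_checked)
    db.execute("DELETE FROM users WHERE id = 1")  # user A removed while logged in
    try:
        naive = handle_request(db, dict(session), load_user_naive)
    except AttributeError:
        naive = "AttributeError"
    after = handle_request(db, session, load_user_checked)
    return before, naive, after, session

if __name__ == "__main__":
    print(demo())
```

Treating a deactivated account the same way as a deleted one means a still-valid cookie stops granting access as soon as the account is disabled, not only when the row is gone.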