Skip to content

Fix caching routes by users with an active session#56921

Merged
provokateurin merged 3 commits intomasterfrom
fix-caching-routes-by-users-with-an-active-session
Dec 15, 2025
Merged

Fix caching routes by users with an active session#56921
provokateurin merged 3 commits intomasterfrom
fix-caching-routes-by-users-with-an-active-session

Conversation

@danxuliu
Copy link
Member

@danxuliu danxuliu commented Dec 8, 2025
edited
Loading

Fixes #56789, which is a regression introduced in #52793

When a user has an active session only the apps that are enabled for the user are initially loaded*. In order to cache the routes the routes for all apps are loaded, but routes defined in routes.php are taken into account only if the app was already loaded. Therefore, when the routes were cached in a request by a user with an active session only the routes for apps enabled for that user were cached, and those routes were used by any other user, independently of which apps they had access to. To solve that now all the enabled apps are explicitly loaded before caching the routes.

Note that this did not affect routes defined using annotations on the controller files; in that case the loaded routes do not depend on the previously loaded apps, as it explicitly checks all the enabled apps.

*As soon as the session is initialized, which happens when loading base.php, the legacy OC_APP::getEnabledApps will return only the apps enabled for the user. That method is used by AppManager::loadApps, so once the session is initialized any load of (several) apps will be restricted to those enabled for the user (explicitly loading a single app still works as expected). Therefore, when $appManager->loadApps() is called from the OCS handler or from the index.php handler (through handleRequest in base.php) only the apps for the user are loaded.

Steps to reproduce

  • Use a development server and ensure that no other requests than the ones below are handled
  • Enable APCu cache (add 'memcache.local' => '\\OC\\Memcache\\APCu', to config.php) if not enabled already
  • Enable the weather_status app only for a specific group (for simplicity admin is used here)
occ app:enable --groups admin weather_status`
  • Adjust the variables below as needed for your setup and run the following Bash code:
export ADMIN_NAME=admin
export ADMIN_PASSWORD=admin
export USER_NAME=user0
export USER_PASSWORD=user0
export SERVER_URL=http://127.0.0.1:8000

function extractRequestToken() {
	echo $(echo $1 | grep --perl-regexp --only-matching 'data-requesttoken="\K([^"]*)')
}

function extractAuthenticationToken() {
	echo $(echo $1 | grep --perl-regexp --only-matching '"token":"\K([^"]*)')
}

# Open login page to get the request token
loginPage=$(curl --silent --cookie-jar "/tmp/cookie-jar-$USER_NAME" "$SERVER_URL/index.php/login")

requestToken=$(extractRequestToken "$loginPage")

# Perform actual login
loginPost=$(curl --silent --location --cookie "/tmp/cookie-jar-$USER_NAME" --cookie-jar "/tmp/cookie-jar-$USER_NAME" --header "Origin: $SERVER_URL" --data-urlencode "user=$USER_NAME" --data-urlencode "password=$USER_PASSWORD" --data-urlencode "requesttoken=$requestToken" "$SERVER_URL/index.php/login")

requestToken=$(extractRequestToken "$loginPost")

  • Clear the APCu cache (call apcu_clear_cache() somehow, for example using https://github.com/krakjoe/apcu/blob/master/apc.php or the helper apps/testing/clean_apcu_cache.php added in this pull request; restarting the web server would reset the APCu cache, but it might also kill the user session and make the test invalid)

  • In the same Bash terminal as before, do a request with the logged in user, for example:

curl --silent --location --cookie "/tmp/cookie-jar-$USER_NAME" --cookie-jar "/tmp/cookie-jar-$USER_NAME" --header "requesttoken: $requestToken" "$SERVER_URL/ocs/v1.php/cloud/user?format=json"
  • Now request an endpoint in the weather_status app by a user member of the group that it is enabled for (again for simplicity admin is used here):
curl --user "$ADMIN_NAME:$ADMIN_PASSWORD" --header "OCS-ApiRequest: true" "$SERVER_URL/ocs/v2.php/apps/weather_status/api/v1/location"

Result with this pull request

The query succeeded

Result without this pull request

Invalid query returned; if the APCu cache is cleared again and the request repeated then it will now succeed (as the routes will be regenerated by the admin, which has access to the app)

@danxuliu danxuliu added this to the Nextcloud 33 milestone Dec 8, 2025
@danxuliu danxuliu added bug 3. to review Waiting for reviews regression feature: caching Related to our caching system: scssCacher, jsCombiner... labels Dec 8, 2025
@danxuliu
Copy link
Member Author

danxuliu commented Dec 8, 2025

/backport to stable32

@danxuliu danxuliu force-pushed the fix-caching-routes-by-users-with-an-active-session branch 3 times, most recently from 74ea8f5 to 860bdfd Compare December 8, 2025 17:58
@danxuliu danxuliu marked this pull request as ready for review December 8, 2025 20:23
@danxuliu danxuliu requested a review from a team as a code owner December 8, 2025 20:23
@danxuliu danxuliu requested review from Altahrim, CarlSchwan, come-nc, icewind1991, provokateurin, salmart-dev and yemkareems and removed request for a team December 8, 2025 20:23
@solracsf
Copy link
Member

solracsf commented Dec 11, 2025

Is this still needed after #56926 ?

@provokateurin
Copy link
Member

provokateurin commented Dec 12, 2025

Yes the other PR was just a quick fix for the release. We still need to enable caching again and probably with this PR. @danxuliu can you rebase and revert my commit?

provokateurin
provokateurin requested changes Dec 12, 2025
View reviewed changes
Copy link
Member

@provokateurin provokateurin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM and also thanks for adding a test!

@danxuliu danxuliu force-pushed the fix-caching-routes-by-users-with-an-active-session branch from 860bdfd to a20a797 Compare December 12, 2025 14:07
@danxuliu
Revert "fix(CachingRouter): Disable cache for findMatchingRoute"
0ba2f5e 
This reverts commit 90948f5.

It temporary disabled cache for routes until an actual fix was added,
which is done in the following commits.

Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
@danxuliu
test: Fix recording app state when admin is not the current user
de7ddb6 
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
@danxuliu
fix: Fix caching routes by users with an active session
51ed61b 
When a user has an active session only the apps that are enabled for the
user are initially loaded. In order to cache the routes the routes for
all apps are loaded, but routes defined in routes.php are taken into
account only if the app was already loaded. Therefore, when the routes
were cached in a request by a user with an active session only the
routes for apps enabled for that user were cached, and those routes were
used by any other user, independently of which apps they had access to.
To solve that now all the enabled apps are explicitly loaded before
caching the routes.

Note that this did not affect routes defined using annotations on the
controller files; in that case the loaded routes do not depend on the
previously loaded apps, as it explicitly checks all the enabled apps.

Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
@danxuliu danxuliu force-pushed the fix-caching-routes-by-users-with-an-active-session branch from a20a797 to 51ed61b Compare December 12, 2025 15:10
@danxuliu
Copy link
Member Author

danxuliu commented Dec 12, 2025

Rebased again to fix the DCO in the revert commit.

@come-nc
Copy link
Contributor

come-nc commented Dec 15, 2025

I’m still wondering whether we should just load all enabled apps (for any user) even for users for which the application is not enabled.

The whole feature about enabling only for some users is a bit weird.

@provokateurin provokateurin merged commit db530d1 into master Dec 15, 2025
210 of 216 checks passed
@provokateurin provokateurin deleted the fix-caching-routes-by-users-with-an-active-session branch December 15, 2025 09:53
@backportbot backportbot bot mentioned this pull request Dec 15, 2025
Merged
nickvergessen
nickvergessen reviewed Dec 15, 2025
View reviewed changes
lib/private/Route/CachingRouter.php
}
parent::loadRoutes();
$cachedRoutes = $this->serializeRouteCollection($this->root);
$this->cache->set($key, $cachedRoutes, ($this->config->getSystemValueBool('debug') ? 3 : 3600));
Copy link
Member

@nickvergessen nickvergessen Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we sure debug is false in this test, otherwise the 3s can be ran over between the requests and the cache already expired

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nickvergessen nickvergessen nickvergessen left review comments

@provokateurin provokateurin provokateurin approved these changes

@come-nc come-nc come-nc approved these changes

@icewind1991 icewind1991 Awaiting requested review from icewind1991 icewind1991 is a code owner automatically assigned from nextcloud/server-backend

@salmart-dev salmart-dev Awaiting requested review from salmart-dev salmart-dev is a code owner automatically assigned from nextcloud/server-backend

@yemkareems yemkareems Awaiting requested review from yemkareems yemkareems is a code owner automatically assigned from nextcloud/server-backend

@CarlSchwan CarlSchwan Awaiting requested review from CarlSchwan CarlSchwan is a code owner automatically assigned from nextcloud/server-backend

@Altahrim Altahrim Awaiting requested review from Altahrim

Assignees

No one assigned

Labels

3. to review Waiting for reviews bug feature: caching Related to our caching system: scssCacher, jsCombiner... regression

Projects

None yet

Milestone

Nextcloud 33

Development

Successfully merging this pull request may close these issues.

[Bug]: memcache.local

5 participants

@danxuliu @solracsf @provokateurin @come-nc @nickvergessen