Details
- Type: Improvement
- Status: Done/Fixed
- Priority: Major
- Resolution: Won't Fix
- Affects Version/s: 2.0
- Fix Version/s: Unscheduled
- Component/s: Core CiviCRM
- Labels: None
Description
The problem is, once ContactID and ufID are set in the CRM_Core_Session, they are pretty much stuck.
However, the CMS might manipulate the ufID, in which case, CiviCRM should follow along. The prime example of this is Drupal's masquerade module, which allows developers to browse the site as another user.
As a solution, I would propose that the CiviCRM session identify the CMS user object and key where ufID (and perhaps other relevant information) can be verified.
So, as a quick and dirty example, CRM_Core_Session::singleton could become:
<pre>
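static function &singleton($key = 'CiviCRM') {
    // First call: create the session object.
    if (self::$_singleton === null) {
        self::$_singleton =& new CRM_Core_Session($key);
    } else {
        // Later calls: compare the CMS's current user id with the cached ufID.
        $session = self::$_singleton;
        $uf_user_object = $GLOBALS[$session->uf_user_object];
        $uf_user_key = $session->uf_user_key;
        if ($uf_user_object->$uf_user_key != $session->ufID) {
            // The CMS user changed (e.g. via masquerade); the session should follow along here.
        }
    }
    return self::$_singleton;
}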
</pre>
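The check proposed above, carried through to the point where a stale identity is dropped, as an added example that is not part of the original issue or CiviCRM's code. It assumes PHP 8.1 or later; `DemoSession`, `resync`, `lookupContact` and the uid-to-contact mapping are hypothetical, and the `user` global with a `uid` property follows Drupal's convention.

```php
<?php
// Added illustration. DemoSession is a hypothetical stand-in, not CRM_Core_Session.
final class DemoSession
{
    private static ?DemoSession $instance = null;
    public ?int $ufID = null;      // CMS user id cached in the session
    public ?int $contactID = null; // contact resolved for that CMS user

    private function __construct(
        private string $ufUserObject, // name of the CMS global holding the user
        private string $ufUserKey     // property on that object holding the id
    ) {}

    public static function singleton(string $obj = 'user', string $key = 'uid'): self
    {
        if (self::$instance === null) {
            self::$instance = new self($obj, $key);
        }
        self::$instance->resync(); // verify on every access, not only at creation
        return self::$instance;
    }

    // Drop the cached identity whenever the CMS reports a different user.
    private function resync(): void
    {
        $cmsUser = $GLOBALS[$this->ufUserObject] ?? null;
        $current = $cmsUser->{$this->ufUserKey} ?? null;
        $current = ($current === null) ? null : (int) $current;
        if ($current === $this->ufID) {
            return;
        }
        $this->ufID = $current;
        $this->contactID = ($current === null) ? null : self::lookupContact($current);
    }

    // Constructed mapping standing in for the CMS-user-to-contact lookup.
    private static function lookupContact(int $ufID): ?int
    {
        return [1 => 101, 7 => 202][$ufID] ?? null;
    }
}

// Constructed scenario: admin (uid 1) switches to uid 7, then to anonymous (uid 0).
foreach ([1, 7, 0] as $uid) {
    $GLOBALS['user'] = (object) ['uid' => $uid];
    $s = DemoSession::singleton();
    printf("cms uid=%d -> ufID=%d contactID=%s\n", $uid, $s->ufID, var_export($s->contactID, true));
}
```

Clearing `contactID` together with `ufID` is the part that matters: updating only the user id would leave later permission checks and record attribution tied to the previous contact.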