Thread unsafe current_user usage in Auth::DefaultCurrentUserProvider

bjfish · April 29, 2022, 2:26pm

I believe there is a thread unsafe usage of a model instance where it appears to be sent to another thread here and later accessed concurrently:

github.com

discourse/discourse/blob/c88ca23e8f657de747a5ad864978970f1bd3fa56/lib/auth/default_current_user_provider.rb#L223-L226

      
        
            Scheduler::Defer.later "Updating Last Seen" do
              u.update_last_seen!
              u.update_ip_address!(ip)
            end

Please review this thread which discusses the issue and a possible fix:

github.com/rails/rails

Update ActiveModel::AttributeSet::Builder to use Concurrent::Map

rails:main ← bjfish:attribute-set-builder-thread-safe

opened 07:28PM - 28 Apr 22 UTC

bjfish

+2 -1

### Summary While using rails in a multi-threaded Ruby implementation and se…rver (TruffleRuby/Puma), errors are produced by the unsafe hash usage in `AttributeSet::Builder`. This resolves the issue by using `Concurrent::Map` for `@casted_values`.

sam · May 2, 2022, 7:28am

I see …

Something like this I guess:

@daniel / @david / @tgxworld ?

It adds a new “find” query once a minute, but I guess this is acceptable since it will not happen every single request. I kept the old interface in place.

Can not easily be tuned further without breaking the plugin interface which would be a bit of a nightmare.

Topic		Replies	Views
Thread unsafe hash usage in Logster Bug	6	692	May 1, 2022
Changes Requested to Support Discourse on TruffleRuby Dev	5	910	May 4, 2022
Thread unsafe lazy initialization in PostActionType Bug	7	598	May 27, 2022
API Error: You are not permitted to view the requested resource Dev rest-api	13	10091	June 19, 2020
Discourse REST API Documentation Developer Guides rest-api , reference	0	125466	December 1, 2014

Thread unsafe current_user usage in Auth::DefaultCurrentUserProvider

Related topics