fix: Creating a session can delete another user's session#10582
Conversation
|
🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review. Tip
Note Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect. Caution Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughSession deduplication now skips deletion when an earlier response exists. A new test verifies that creating a session for another user with a shared installation ID preserves the original session record and authentication token. ChangesSession deduplication
Estimated code review effort: 2 (Simple) | ~10 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 7✅ Passed checks (7 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## alpha #10582 +/- ##
==========================================
- Coverage 92.70% 92.69% -0.01%
==========================================
Files 193 193
Lines 17025 17027 +2
Branches 248 248
==========================================
+ Hits 15783 15784 +1
- Misses 1221 1222 +1
Partials 21 21 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
@coderabbitai full review |
✅ Action performedFull review finished. |
## [9.10.1-alpha.2](9.10.1-alpha.1...9.10.1-alpha.2) (2026-07-14) ### Bug Fixes * Creating a session can delete another user's session ([#10582](#10582)) ([0df8779](0df8779))
|
🎉 This change has been released in version 9.10.1-alpha.2 |
Issue
RestWrite.destroyDuplicatedSessions()runs the_Sessiondeduplication delete without theif (this.response) return;guard that the other write-pipeline steps (runDatabaseOperation,runAfterSaveTrigger) use. On a non-masterPOST /classes/_Sessioncreate,handleSession()has already created the caller's own session and setthis.response, but the dedup then issues a master-privileged delete keyed on the client-supplieduserandinstallationIdfrom the request body instead of the server-generated session data. As a result, creating a session can delete another user's_Sessionrecord for the suppliedinstallationId.Tasks
Summary by CodeRabbit