Problem/Motivation
Private tempstore should store a value that persists with the user's session.
However, if the user is anonymous, then this is broken, because saving to tempstore doesn't start a session.
You can see the problem by running this code (e.g. in Devel's exec PHP form). Each execution causes a new row in key_value_expire:
\Drupal::service('user.private_tempstore')->get('test')->set('test', 'test value!');
State of key_value_expire after sending 2 requests as an anonymous user, each triggering the above setter:
collection | name | value | expire
tempstore.private.test | DV4-7TPy5J2nr7V52f_ypSi-N4mauGQ0naxdx-5vL1s:test | O:8:"stdClass":3:{s:5:"owner";s:43:"DV4-7TPy5J2nr7V52f_ypSi-N4mauGQ0naxdx-5vL1s";s:4:"data";s:11:"test value!";s:7:"updated";i:1519653510;} | 1520258310
tempstore.private.test | TB0zFUl0FZbZwa02NMe6wovD3D5o1pE4KfOQ-Ap8hrA:test | O:8:"stdClass":3:{s:5:"owner";s:43:"TB0zFUl0FZbZwa02NMe6wovD3D5o1pE4KfOQ-Ap8hrA";s:4:"data";s:11:"test value!";s:7:"updated";i:1519653539;} | 1520258339
The expected behaviour is that after the first row is inserted, subsequent executions just update it.
Further symptoms
All of these features rely on private tempstore, so they are all broken for anonymous users:
- #2703247: Previewing a node as an anonymous user results in a page not found error
- Quick edit
- Delete multiple nodes (from admin/content)
- Cancel multiple user accounts (from admin/people)
Proposed resolution
Ensure that an anonymous user has a session created.
There is currently no way to initialise a session other than storing something in it, so the best option is:
if ($this->currentUser->isAnonymous()) {
  $this->requestStack->getCurrentRequest()->getSession()->set('forced', TRUE);
}
This snippet will be placed first in \Drupal\Core\TempStore\PrivateTempStore::set(), so that when getOwner() is called by createKey(), a session always exists and its ID is returned and used.
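A stand-alone model of the behaviour described above, added here as an illustration and not Drupal core code. It assumes an anonymous visitor's session ID is only kept across requests once the session holds data; all class and function names (ModelSession, ModelPrivateTempStore, handle_request) are hypothetical.

```php
<?php
// Stand-alone model, not Drupal code: every class and function name is hypothetical.

// Assumption of the model: a session is only persisted (and its ID sent back
// as a cookie) once it holds data, as the issue describes for anonymous users.
final class ModelSession {
  public array $data = [];
  public function __construct(public string $id) {}
}

final class ModelPrivateTempStore {
  /** Rows of the modelled key_value_expire table, keyed by "owner:key". */
  public static array $rows = [];

  public function __construct(private ModelSession $session, private bool $forceSession) {}

  public function set(string $key, string $value): void {
    if ($this->forceSession) {
      // The proposed fix: store something so the session gets persisted.
      $this->session->data['forced'] = TRUE;
    }
    // For an anonymous user the owner part of the row name is the session ID.
    self::$rows[$this->session->id . ':' . $key] = $value;
  }
}

// One anonymous request: reuse the session ID from the cookie if there is one,
// otherwise generate a new ID. Returns the cookie the client holds afterwards.
function handle_request(?string $cookie, bool $forceSession): ?string {
  $session = new ModelSession($cookie ?? bin2hex(random_bytes(16)));
  (new ModelPrivateTempStore($session, $forceSession))->set('test', 'test value!');
  // An empty session is not saved, so the client receives no new cookie.
  return $session->data ? $session->id : $cookie;
}

foreach ([FALSE, TRUE] as $forceSession) {
  ModelPrivateTempStore::$rows = [];
  $cookie = NULL;
  for ($i = 0; $i < 3; $i++) {
    $cookie = handle_request($cookie, $forceSession);
  }
  printf("forced session: %s, rows after 3 requests: %d\n",
    $forceSession ? 'yes' : 'no', count(ModelPrivateTempStore::$rows));
}
```

Without the forced session value every request writes a row under a new owner; with it, the second and third requests update the row created by the first.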
Remaining tasks
- Prove the bug exists with a valid failing test (#41)
- Work on a fix (#45)
- Understand if the session enforcement needs to happen on creating the tempstore instance (#65)
- Understand if we need Browser tests too (#64)
- Review && RTBC
User interface changes
No.
API changes
No. Setting a private tempstore value now forces a session to be opened. However, this should be the expected behaviour, so that is not technically a change?
Data model changes
No.