Merged r13110 from trunk to 2.5-stable (#16685)

introduce request_store to ensure that the current user doesn't leak across request boundaries.

Contributed by Holger Just.

git-svn-id: http://svn.redmine.org/redmine/branches/2.5-stable@13111 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/Gemfile b/Gemfile
index 13915c6e8edde4d713a0bd4a73c0249707f4940f..ac0083ce8b82dabb6096662770d810faccf45763 100644 (file)
--- a/Gemfile
+++ b/Gemfile
@@ -6,6 +6,7 @@ gem "jquery-rails", "~> 2.0.2"
 gem "coderay", "~> 1.1.0"
 gem "fastercsv", "~> 1.5.0", :platforms => [:mri_18, :mingw_18, :jruby]
 gem "builder", "3.0.0"
+gem 'request_store'
 gem "mime-types"
 gem "awesome_nested_set", "2.1.6"
 

diff --git a/app/models/user.rb b/app/models/user.rb
index 4a33590f7048b6bbb1c4cac843e80184d9f88cf5..fd245c3e8c83c2a3bfb8235a50d748b08808eadf 100644 (file)
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -626,11 +626,11 @@ class User < Principal
   end
 
   def self.current=(user)
-    Thread.current[:current_user] = user
+    RequestStore.store[:current_user] = user
   end
 
   def self.current
-    Thread.current[:current_user] ||= User.anonymous
+    RequestStore.store[:current_user] ||= User.anonymous
   end
 
   # Returns the anonymous user.  If the anonymous user does not exist, it is created.  There can be only