Before we jump the gun, we have no _real_ idea how the attack was accomplished. The core team is poring over the log files to find more information. I agree that the class-variable thing is kind of bad practice, but it's set at the beginning of every request (and Rails only handles one at a time), so there will be no issue with a race condition.
Sean Andreas Schwarz wrote:
> Andrea Franz wrote:
>
>> I've not been victim of an attack...but I think it could be better
>> setting the current_user in a thread variable instead of using a
>> class variable.
>>
>> I usually use something like this:
>>
>> def set_current_user
>>   Thread.current['current_user'] = current_user
>> end
>>
>
> That would only work if each request had its own thread. But Rails
> doesn't even use threads at all.
>
> http://worsethanfailure.com/Articles/The_Cost_of_Static.aspx

_______________________________________________
Radiant mailing list
Post: [email protected]
Search: http://radiantcms.org/mailing-list/search/
Site: http://lists.radiantcms.org/mailman/listinfo/radiant
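The thread turns on one question: is a class variable holding `current_user` safe? It is only as long as requests are strictly serialized, as the reply above says. The following is an added example, not code from the Radiant thread or from Radiant itself, that makes the difference concrete: it simulates several requests running as concurrent threads, each storing "its" user either in a class variable or in `Thread.current`, and counts how many requests later read back somebody else's user. The holder classes `ClassVarUser` and `ThreadLocalUser` and the helper `leaked_requests` are hypothetical names invented for this demonstration.

```ruby
# Added example (not from the Radiant thread). Shows why a class variable
# that holds the current user leaks between requests as soon as requests
# are served concurrently, while a Thread.current slot stays per-thread.

# Hypothetical holder mirroring the "class variable" approach discussed.
class ClassVarUser
  @@current_user = nil

  def self.set(user)
    @@current_user = user
  end

  def self.get
    @@current_user
  end
end

# Hypothetical holder mirroring the Thread.current suggestion.
class ThreadLocalUser
  def self.set(user)
    Thread.current[:current_user] = user
  end

  def self.get
    Thread.current[:current_user]
  end
end

# Simulate +n+ concurrent requests. Each thread stores its own user, then
# waits until every other "request" has also stored one (standing in for
# the time a real request spends on I/O), then reads the user back.
# Returns how many requests observed a user other than the one they set.
def leaked_requests(holder, n = 20)
  ready      = Queue.new  # each thread signals once it has called set
  go         = Queue.new  # main thread releases all threads at once
  mismatches = Queue.new  # thread-safe collector for leaked request ids

  threads = (1..n).map do |i|
    Thread.new do
      expected = "user#{i}"
      holder.set(expected)
      ready << i
      go.pop # block until all n requests have set their user
      mismatches << i unless holder.get == expected
    end
  end

  n.times { ready.pop } # wait for every request to finish its set
  n.times { go << true } # release them all to read
  threads.each(&:join)
  mismatches.size
end

if __FILE__ == $PROGRAM_NAME
  puts "class variable leaks in #{leaked_requests(ClassVarUser)} of 20 requests"
  puts "Thread.current leaks in #{leaked_requests(ThreadLocalUser)} of 20 requests"
end
```

With the class variable, the last request to call `set` wins and every other request reads that user back, so 19 of 20 requests see the wrong identity; with `Thread.current` none do. Under a server that handles one request at a time the class-variable version never reaches this state, which is exactly the condition the reply above relies on; the example shows what changes the moment that assumption stops holding. Note also that a `Thread.current` slot is tied to the thread, not the request: if a server reuses threads across requests, the slot must be reset at the start (or cleared at the end) of each request, as the quoted `set_current_user` does by assigning it every time.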
