Details
- Story
- Resolution: Fixed
- High
Description
Currently all setup of Repository needs to load a user to set it as current user, however:
- Security: As loading user by id does not check permissions on API to be able to allow exactly this, it does not provide any added security. With this need removed, we can consider adding permission checks on user loading again to fix this inconsistency.
- Performance: It leads to unnecessary loading on every request, and currently the whole User Content is serialized into session causing slow read/write/serialization of sessions.
For both repository and session we actually only need to know the id for authentication and authorization needs, so the way to fix this is to introduce a very simple UserReference interface that exposes just this, and for BC, change User to implement this as well.
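
A sketch of the design proposed above, added here as an illustration and not code from the eZ Publish code base: the method name `getUserId()`, the `SimpleUserReference` class, the `Repository` stub and the sample data are assumptions. It shows a full `User` still being accepted where a reference is expected, and compares the serialized size of the two as a session would store them.

```php
<?php
// Added illustration; every name below is hypothetical, not the project's code.

interface UserReference
{
    /** @return int id of the user, the only thing auth decisions need */
    public function getUserId();
}

// Lightweight implementation: carries the id and nothing else.
final class SimpleUserReference implements UserReference
{
    private $userId;
    public function __construct($userId) { $this->userId = (int)$userId; }
    public function getUserId() { return $this->userId; }
}

// The full user keeps working wherever a reference is expected (the BC path).
class User implements UserReference
{
    public $id;
    public $login;
    public $fields; // stands in for the full User Content
    public function __construct($id, $login, array $fields)
    {
        $this->id = (int)$id;
        $this->login = $login;
        $this->fields = $fields;
    }
    public function getUserId() { return $this->id; }
}

class Repository
{
    private $currentUser;
    // Accepts a full User or a bare reference; no user load is required.
    public function setCurrentUser(UserReference $user) { $this->currentUser = $user; }
    public function getCurrentUserId() { return $this->currentUser->getUserId(); }
}

// Constructed sample data.
$user = new User(14, 'admin', array_fill(0, 50, str_repeat('x', 100)));
$ref  = new SimpleUserReference($user->getUserId());

$repo = new Repository();
$repo->setCurrentUser($user);                        // existing callers still work
$repo->setCurrentUser(unserialize(serialize($ref))); // what a session would restore

printf("full user: %d bytes, reference: %d bytes, current id: %d\n",
    strlen(serialize($user)), strlen(serialize($ref)), $repo->getCurrentUserId());
```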
Issue Links
- relates to: EZP-24852 Add UserReference support in Authentication/User providers (Closed)