Current session removed after sending bulk emails

Hi there folks. I need a bit of help. What happens if you try this in your tutor dev environment (nightly):

  1. Turn on the bulk email flags for all courses:

  2. Ensure CELERY_ALWAYS_EAGER = True

  3. Now, try sending an email to All learners. Ensure there’s more than one learner enrolled in the course

This is what we’ve been experiencing:

With and without the MFE. These are some useful logs:

2023-09-04 14:25:34,972 WARNING 1047 [openedx.core.djangoapps.safe_sessions.middleware] [user None] [ip None] - SafeCookieData user at initial request '6' does not match user at response time: '10' for request path '/courses/course-v1:edX+DemoX+Demo_Course/instructor/api/send_email'.
Session did not change.
Hash of session ID from various sources: parsed_cookie=67c5f60d; at_request=67c5f60d; at_response=67c5f60d
2023-09-04 14:25:34,974 WARNING 1047 [openedx.core.djangoapps.safe_sessions.middleware] [user None] [ip None] - SafeCookieData deleted session cookie for session None

Is that supposed to happen? This is sending me into a rabbit hole, not sure what’s wrong :sweat_smile: .

I think this may be releated to a change in the default value of ENFORCE_SAFE_SESSIONS back in nutmeg.

I don’t know very well how that middleware work, but it probably has to do with the celery tasks running locally and messing up the request users.

Setting ENFORCE_SAFE_SESSIONS = False makes sense for a dev environment. Thanks!

The point of Safe Sessions is to help ensure that the user associated with a session doesn’t change. There are some exceptions to this, like masquerading as another user, and it is possible for code to register itself as an exception.

It seems odd to me that bulk email send needs to change the authenticated user associated with the session. It sounds like you have a workaround, but if anyone ever looks into this, it may be to determine how we can avoid changing the user associated with the session, if that is in fact what is happening. Or, if we can explain why the user needs to change, the code could mark this as an exceptional case.