-
Improvement
-
Resolution: Unresolved
-
Minor
-
None
-
Future Dev
After we added readonly sessions, the biggest remaining candidate that could / should not need a session lock is the pluginfile. Right now it's ambigous if this is safe, there is possibly pluginfile handler functions who mutate the session and so we can't just blindly change the contract.
So we have two approaches:
1) we do change the contract and make pluginfile lockless and any plugin which attempts to mutate the session should get a strong exception / debugging
2) we introduce some way of each pluginfile specifying that is needs a lock in a similar way to the ajax webservice endpoint does. I'm not a huge fan of this because it would mean another lib.php function, if this approach is preferred then it might be better tackled as part of the new api in MDL-69708