From fbfd534ba033771bb8296e39a2ff940159714d9f Mon Sep 17 00:00:00 2001
From: srosse <none@none>
Date: Tue, 13 Jan 2015 09:30:50 +0100
Subject: [PATCH] OO-1383: hardened against user without session

---
 .../java/org/olat/basesecurity/AuthHelper.java     | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/main/java/org/olat/basesecurity/AuthHelper.java b/src/main/java/org/olat/basesecurity/AuthHelper.java
index 3aaa608f680..d3f368e8ea9 100644
--- a/src/main/java/org/olat/basesecurity/AuthHelper.java
+++ b/src/main/java/org/olat/basesecurity/AuthHelper.java
@@ -394,14 +394,16 @@ public class AuthHelper {
 	 * @param ureq
 	 */
 	public static void doLogout(UserRequest ureq) {
-		//clear session settings of replayable urls / load performance mode 
-		//XX:GUIInterna.setLoadPerformanceMode(null);
-		Boolean wasGuest = ureq.getUserSession().getRoles().isGuestOnly();
+		if(ureq == null) return;
+
+		boolean wasGuest = false;
+		UserSession usess = ureq.getUserSession();
+		if(usess != null && usess.getRoles() != null) {
+			wasGuest = ureq.getUserSession().getRoles().isGuestOnly();
+		}
+		
 		String lang = I18nManager.getInstance().getLocaleKey(ureq.getLocale());
 		HttpSession session = ureq.getHttpReq().getSession(false);
-		//session.removeAttribute(SessionListener.SESSIONLISTENER_KEY);
-		//TODO: i assume tomcat, after s.invalidate(), lets the GC do the work
-		// if not, then do a s.removeAttribute....
 		// next line fires a valueunbound event to UserSession, which does some
 		// stuff on logout
 		if (session != null) {
-- 
GitLab