From 1460974627a7c094144fe4b834f07a5ee0c5b493 Mon Sep 17 00:00:00 2001
From: Nick Clemens
Date: Fri, 26 Jan 2024 14:10:01 +0000
Subject: [PATCH] Bug 35518: Check authentication and set userenv before fetching userenv variables
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently we get the userenv before we have set it correctly for the session

To test:
1 - Sign in as a user with fast cataloging permission
2 - Bring up a patron, type gibberish into barcode field to get a fast cataloging link
3 - Check the link, it should have your current signed in barcode
4 - Sign in to a different browser with a different user and at a different branch
5 - Bring up a aptron in circulation and type gibberish into barcode field to get a fast cataloging link
6 - It may have your branch, but it may also have the other user's branch from the other window
7 - Keep entering gibberish to get a link until one user has the correct branch
8 - Then switch to the other browser, and keep entering gibberish, watch the branchcode change
9 - Apply patch, restart all
10 - Test switching between browsers. generating fast cataloging links
11 - Users should now consistently have the correct branch

Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
(cherry picked from commit 90b6f68616e2ba5ca3fcbbd9698c97ef41a45593)
Signed-off-by: Fridolin Somers
(cherry picked from commit 26722f2a08af99b9e3cb4eb50398df896085f527)
Signed-off-by: Frédéric Demians
---
 circ/circulation.pl | 93 +++++++++++++++++++++++----------------------
 1 file changed, 48 insertions(+), 45 deletions(-)

diff --git a/circ/circulation.pl b/circ/circulation.pl
index f725bcaab0..de6e0373cd 100755
--- a/circ/circulation.pl
+++ b/circ/circulation.pl
@@ -63,6 +63,54 @@ use List::MoreUtils qw( uniq );
 #
 my $query = CGI->new;
+my $borrowernumber = $query->param('borrowernumber');
+my $barcodes = [];
+my $barcode = $query->param('barcode');
+
+ # Barcode given by user could be '0'
+if ( $barcode || ( defined($barcode) && $barcode eq '0' ) ) {
+ $barcodes = [ $barcode ];
+} else {
+ my $filefh = $query->upload('uploadfile');
+ if ( $filefh ) {
+ while ( my $content = <$filefh> ) {
+ $content =~ s/[\r\n]*$//g;
+ push @$barcodes, $content if $content;
+ }
+ } elsif ( my $list = $query->param('barcodelist') ) {
+ push @$barcodes, split( /\s\n/, $list );
+ $barcodes = [ map { $_ =~ /^\s*$/ ? () : $_ } @$barcodes ];
+ } else {
+ @$barcodes = $query->multi_param('barcodes');
+ }
+}
+$barcodes = [ uniq @$barcodes ];
+
+my $template_name = q|circ/circulation.tt|;
+my $patron = $borrowernumber ? Koha::Patrons->find( $borrowernumber ) : undef;
+my $batch = $query->param('batch');
+my $batch_allowed = 0;
+if ( $batch && C4::Context->preference('BatchCheckouts') ) {
+ $template_name = q|circ/circulation_batch_checkouts.tt|;
+ my @batch_category_codes = split ',', C4::Context->preference('BatchCheckoutsValidCategories');
+ my $categorycode = $patron->categorycode;
+ if ( $categorycode && grep { $_ eq $categorycode } @batch_category_codes ) {
+ $batch_allowed = 1;
+ } else {
+ $barcodes = [];
+ }
+}
+
+my ( $template, $loggedinuser, $cookie ) = get_template_and_user (
+ {
+ template_name => $template_name,
+ query => $query,
+ type => "intranet",
+ flagsrequired => { circulate => 'circulate_remaining_permissions' },
+ }
+);
+
 my $override_high_holds = $query->param('override_high_holds');
 my $override_high_holds_tmp = $query->param('override_high_holds_tmp');
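Review bot: Everything from `my $borrowernumber = $query->param('borrowernumber');` down to the `$batch_allowed` block still runs before `get_template_and_user`, so the request parameters, the `uploadfile` upload and the `Koha::Patrons->find` lookup are all processed for a request whose session has not yet been authenticated, although only `$template_name` has to be known at that point. This ordering predates the patch (the block was moved, not rewritten), but the move is the right moment to split it: decide the template name first, authenticate, then parse the barcodes and look up the patron. Within the same block, `my $categorycode = $patron->categorycode;` dies with an undefined-value error whenever `batch` is set but `borrowernumber` is absent or `Koha::Patrons->find` returns nothing; `my $categorycode = $patron ? $patron->categorycode : undef;` lets such a request fall through to the `$barcodes = [];` branch instead. The rest of the script that consumes `$patron`, `$barcodes` and `$batch_allowed` lies outside this hunk.
```perl
my $query = CGI->new;
my $batch = $query->param('batch');

# Only the template name must be known before authentication; everything
# else that reads request data waits until get_template_and_user has run.
my $template_name = ( $batch && C4::Context->preference('BatchCheckouts') )
    ? q|circ/circulation_batch_checkouts.tt|
    : q|circ/circulation.tt|;

my ( $template, $loggedinuser, $cookie ) = get_template_and_user (
    # … unchanged: template_name / query / type / flagsrequired hashref …
);

my $borrowernumber = $query->param('borrowernumber');
my $barcodes = [];
my $barcode = $query->param('barcode');
# … unchanged: barcode / uploadfile / barcodelist parsing and uniq …

my $patron = $borrowernumber ? Koha::Patrons->find( $borrowernumber ) : undef;
my $batch_allowed = 0;
if ( $batch && C4::Context->preference('BatchCheckouts') ) {
    my @batch_category_codes = split ',', C4::Context->preference('BatchCheckoutsValidCategories');
    # A missing or unknown patron disables batch checkout instead of dying.
    my $categorycode = $patron ? $patron->categorycode : undef;
    if ( $categorycode && grep { $_ eq $categorycode } @batch_category_codes ) {
        $batch_allowed = 1;
    } else {
        $barcodes = [];
    }
}
```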
@@ -73,11 +121,8 @@ my $userenv = C4::Context->userenv;
 my $branch = $userenv->{'branch'} // '';
 my $desk_id = $userenv->{"desk_id"} || '';
-my $barcodes = [];
-my $barcode = $query->param('barcode');
 my $findborrower;
 my $autoswitched;
-my $borrowernumber = $query->param('borrowernumber');
 if (C4::Context->preference("AutoSwitchPatron") && $barcode) {
 my $new_barcode = $barcode;
@@ -104,49 +149,7 @@ if ( $query->param('confirm_hold') ) {
 ModReserveAffect( $hold_itemnumber, $hold_borrowernumber, $diffBranchSend, $reserve_id, $desk_id );
 }
-# Barcode given by user could be '0'
-if ( $barcode || ( defined($barcode) && $barcode eq '0' ) ) {
- $barcodes = [ $barcode ];
-} else {
- my $filefh = $query->upload('uploadfile');
- if ( $filefh ) {
- while ( my $content = <$filefh> ) {
- $content =~ s/[\r\n]*$//g;
- push @$barcodes, $content if $content;
- }
- } elsif ( my $list = $query->param('barcodelist') ) {
- push @$barcodes, split( /\s\n/, $list );
- $barcodes = [ map { $_ =~ /^\s*$/ ? () : $_ } @$barcodes ];
- } else {
- @$barcodes = $query->multi_param('barcodes');
- }
-}
-$barcodes = [ uniq @$barcodes ];
-
-my $template_name = q|circ/circulation.tt|;
-my $patron = $borrowernumber ? Koha::Patrons->find( $borrowernumber ) : undef;
-my $batch = $query->param('batch');
-my $batch_allowed = 0;
-if ( $batch && C4::Context->preference('BatchCheckouts') ) {
- $template_name = q|circ/circulation_batch_checkouts.tt|;
- my @batch_category_codes = split ',', C4::Context->preference('BatchCheckoutsValidCategories');
- my $categorycode = $patron->categorycode;
- if ( $categorycode && grep { $_ eq $categorycode } @batch_category_codes ) {
- $batch_allowed = 1;
- } else {
- $barcodes = [];
- }
-}
-
-my ( $template, $loggedinuser, $cookie ) = get_template_and_user (
- {
- template_name => $template_name,
- query => $query,
- type => "intranet",
- flagsrequired => { circulate => 'circulate_remaining_permissions' },
- }
-);
 my $logged_in_user = Koha::Patrons->find( $loggedinuser );
 my $force_allow_issue = $query->param('forceallow') || 0;