
Bug 28735: Self-checkout users can access opac-user.pl for sco user when not using AutoSelfCheckID

This patch makes the sandboxing of the self-checkout more robust by
adding a "sco_user" session variable which is turned on when
logging into the self-checkout (either by AutoSelfCheckAllowed or manually).

If a user with this session variable turned on tries to access
other parts of the system (like the rest of the OPAC), it will
"kick out", so that the browser user will lose the authenticated session.

Test plan:
1) Apply the patch
2) koha-plack --restart kohadev
3) Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
4) Note that you are logged into the self-checkout
     So you see the login screen specific to the self-checkout,
     to log in as the actual patron. It's a nested auth.
5) Go to http://localhost:8080/cgi-bin/koha/opac-main.pl
6) Note that you are not logged into the OPAC
7) Log into the staff interface and disable the
system preference AutoSelfCheckAllowed
8) Log out of the staff interface (this step is very important)
9) Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
10) Note that you are prompted to log into Koha
11) Login using the "koha" user (when using koha-testing-docker)
12) Note that you are logged into the self-checkout
13) Go to http://localhost:8080/cgi-bin/koha/opac-main.pl
14) Note that you are not logged into the OPAC
      Without the patch you would still be logged in as "koha"
15) Go back to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
16) Note that you will need to log in again as you've lost your
session cookie
      Without the patch you will still be logged in to the self-checkout
Voila!

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
22.05.x
David Cook, 3 years ago, committed by Fridolin Somers
commit 2e5d59d902
1 file changed: C4/Auth.pm, 23 lines changed

@ -198,14 +198,26 @@ sub get_template_and_user {
}
if ( $in->{type} eq 'opac' && $user ) {
my $is_sco_user;
if ($sessionID){
my $session = get_session($sessionID);
if ($session){
$is_sco_user = $session->param('sco_user');
}
}
my $kick_out;
if (
# If the user logged in is the SCO user and they try to go out of the SCO module,
# log the user out removing the CGISESSID cookie
$in->{template_name} !~ m|sco/| && $in->{template_name} !~ m|errors/errorpage.tt|
&& C4::Context->preference('AutoSelfCheckID')
&& $user eq C4::Context->preference('AutoSelfCheckID')
&& (
$is_sco_user ||
(
C4::Context->preference('AutoSelfCheckID')
&& $user eq C4::Context->preference('AutoSelfCheckID')
)
)
)
{
$kick_out = 1;
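Review bot: the kick-out condition in this hunk is redundant, and as rendered here it may leave the new `$is_sco_user` branch dead: the outer `&& C4::Context->preference('AutoSelfCheckID') && $user eq C4::Context->preference('AutoSelfCheckID')` pair already restricts the kick-out to the AutoSelfCheckID account, and the identical pair is repeated inside the `( $is_sco_user || ( ... ) )` alternative. If the outer pair is the old code being removed, fine, but this page shows no `-`/`+` markers, so please confirm. If both remain, a patron who logs into the self-checkout manually with AutoSelfCheckAllowed disabled (the case the commit message and test plan steps 9-16 describe) is not necessarily the AutoSelfCheckID user, `$user eq ...` fails, and `$kick_out` is never set, so the session flag adds nothing. The intended shape is `template not under sco/ and not errors/errorpage.tt && ( $is_sco_user || ( AutoSelfCheckID set && $user eq AutoSelfCheckID ) )` with the outer pair dropped. Minor: `get_session($sessionID)` is fetched a second time here after checkauth has already handled the session; returning the flag from checkauth would avoid the extra session-store read.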
@ -1173,6 +1185,12 @@ sub checkauth {
$branchname = $branches->{$br}->{'branchname'};
}
}
my $is_sco_user = 0;
if ( $query->param('sco_user_login') && ( $query->param('sco_user_login') eq '1' ) ){
$is_sco_user = 1;
}
$session->param( 'number', $borrowernumber );
$session->param( 'id', $userid );
$session->param( 'cardnumber', $cardnumber );
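Review bot: `$is_sco_user` is derived solely from a client-supplied request parameter, `sco_user_login=1`, with nothing server-side (for example the requesting script living under sco/) corroborating it. That is the safe direction for an attacker, who can only make their own session more restricted, but it also means the sandbox silently does nothing when the login form omits the field: this commit touches only C4/Auth.pm, so the SCO login template that must post `sco_user_login=1` is either already in place or belongs to another patch. Please confirm which, or derive the flag from the script path as a fallback so a missing form field cannot downgrade the protection. Style: the two-line test collapses to `my $is_sco_user = ( ( $query->param('sco_user_login') // '' ) eq '1' ) ? 1 : 0;`.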
@ -1190,6 +1208,7 @@ sub checkauth {
$session->param( 'shibboleth', $shibSuccess );
$session->param( 'register_id', $register_id );
$session->param( 'register_name', $register_name );
$session->param( 'sco_user', $is_sco_user );
}
$session->param('cas_ticket', $cas_ticket) if $cas_ticket;
C4::Context->set_userenv(
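Review bot: the new `sco_user` key is stored with no documentation of its meaning next to the other session keys set here (`shibboleth`, `register_id`, `register_name`), and it is only ever written on this login path, inside the block that closes with the `}` right after it. Storing `0` for non-SCO logins is good, since the reader in get_template_and_user then always sees a defined value after a fresh login; please add a short comment beside this assignment (or in the checkauth POD) stating that a truthy `sco_user` marks the session as sandboxed to sco/ and that the first request outside sco/ deletes the session cookie, so later maintainers do not treat it as an ordinary informational field.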
