Bug 37056: Mount a new intranet_svc api to avoid redirects

When an unauthorized call to svc is made, we use the ErrorDocument middleware to respond with an HTML page. The API doens't do this, it simply returns its status. We should mount the svc as its own app to avoid the redirect to HTML for unauthorized responses To test: 1 - Create a report 2 - Add to IntranetUserJs: $(document).ready(function() { // Your report ID var reportId = '492'; // Fetch the report $.get('/cgi-bin/koha/svc/report?id=' + reportId, function(data) { console.log('Kaboom'); }); }); 3 - Log out 4 - Attempt to login 5 - KO 6 - Apply patch 7 - Reset all (or copy the necessary changes to your plack/apache files) 8 - Generate report and update user js again 8 - Logout, login 9 - Success! Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-06-07 16:59:58 +00:00 · 2024-06-07 16:59:58 +00:00 · edc5caf976
commit edc5caf976
parent aeb2a50a0b
3 changed files with 23 additions and 10 deletions
--- a/debian/templates/apache-shared-intranet-plack.conf
+++ b/debian/templates/apache-shared-intranet-plack.conf
@ -22,6 +22,9 @@
        # Point the intranet site to Plack
        ProxyPass /index.html "unix:/var/run/koha/${instance}/plack.sock|http://localhost/intranet/mainpage.pl"
        ProxyPassReverse /index.html "unix:/var/run/koha/${instance}/plack.sock|http://localhost/intranet/mainpage.pl"
+        ProxyPass /cgi-bin/koha/svc "unix:/var/run/koha/${instance}/plack.sock|http://localhost/intranet_svc"
+        ProxyPassReverse /cgi-bin/koha/svc "unix:/var/run/koha/${instance}/plack.sock|http://localhost/intranet_svc"
+
        ProxyPass /cgi-bin/koha "unix:/var/run/koha/${instance}/plack.sock|http://localhost/intranet"
        ProxyPassReverse /cgi-bin/koha "unix:/var/run/koha/${instance}/plack.sock|http://localhost/intranet"

--- a/debian/templates/plack.psgi
+++ b/debian/templates/plack.psgi
@ -56,6 +56,10 @@ my $intranet = Plack::App::CGIBin->new(
    root => $ENV{DEV_INSTALL}? $home: "$home/intranet/cgi-bin"
 )->to_app;

+my $intranet_svc = Plack::App::CGIBin->new(
+    root => $ENV{DEV_INSTALL}? "$home/svc": "$home/intranet/cgi-bin/svc"
+)->to_app;
+
 my $opac = Plack::App::CGIBin->new(
    root => $ENV{DEV_INSTALL}? "$home/opac": "$home/opac/cgi-bin/opac"
 )->to_app;
@ -117,6 +121,14 @@ builder {
        enable "+Koha::Middleware::CSRF";
        $intranet;
    };
+    mount '/intranet_svc'      => builder {
+        if ( Log::Log4perl->get_logger('plack-intranet')->has_appenders ){
+            enable 'Log4perl', category => 'plack-intranet';
+            enable 'LogWarn';
+        }
+        enable "+Koha::Middleware::CSRF";
+        $intranet_svc;
+    };
    mount '/api/v1/app.pl' => builder {
        if ( Log::Log4perl->get_logger('plack-api')->has_appenders ){
            enable 'Log4perl', category => 'plack-api';
--- a/svc/report
+++ b/svc/report
@ -20,10 +20,10 @@

 use Modern::Perl;

-use C4::Auth qw( get_template_and_user );
+use C4::Auth qw( check_api_auth );
 use C4::Reports::Guided qw( execute_query );
 use Koha::Reports;
-use JSON qw( encode_json decode_json );
+use JSON qw( encode_json decode_json to_json );
 use CGI qw ( -utf8 );

 use Koha::Caches;
@ -44,14 +44,12 @@ $report_id = $report_rec->id;
 my @sql_params  = $query->multi_param('sql_params');
 my @param_names  = $query->multi_param('param_names');

-my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
-    {
-        template_name   => "intranet-main.tt",
-        query           => $query,
-        type            => "intranet",
-        flagsrequired   => { catalogue => 1, },
-    }
-);
+my ($status, $cookie, $sessionID) = check_api_auth($query, { catalogue => '1'} );
+unless ($status eq "ok") {
+    print $query->header(-type => 'application/json', -status => '401 Unauthorized');
+    print to_json({ auth_status => $status });
+    exit 0;
+}

 my $cache = Koha::Caches->get_instance();
 my $cache_active = $cache->is_cache_active;