From edc5caf976d2fe3348c890c90e980e296f6ac92c Mon Sep 17 00:00:00 2001
From: Nick Clemens
Date: Fri, 7 Jun 2024 16:59:58 +0000
Subject: [PATCH] Bug 37056: Mount a new intranet_svc api to avoid redirects

When an unauthorized call to svc is made, we use the ErrorDocument middleware to respond with an HTML page. The API doens't do this, it simply returns its status. We should mount the svc as its own app to avoid the redirect to HTML for unauthorized responses To test: 1 - Create a report 2 - Add to IntranetUserJs: $(document).ready(function() { // Your report ID var reportId = '492'; // Fetch the report $.get('/cgi-bin/koha/svc/report?id=' + reportId, function(data) { console.log('Kaboom'); }); }); 3 - Log out 4 - Attempt to login 5 - KO 6 - Apply patch 7 - Reset all (or copy the necessary changes to your plack/apache files) 8 - Generate report and update user js again 8 - Logout, login 9 - Success!

Signed-off-by: Brendan Lawlor
Signed-off-by: Martin Renvoize
Signed-off-by: Katrin Fischer
---
 .../apache-shared-intranet-plack.conf | 3 +++
 debian/templates/plack.psgi | 12 ++++++++++++
 svc/report | 18 ++++++++----------
 3 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/debian/templates/apache-shared-intranet-plack.conf b/debian/templates/apache-shared-intranet-plack.conf
index 7f9f47e1e1..bcee399443 100644
--- a/debian/templates/apache-shared-intranet-plack.conf
+++ b/debian/templates/apache-shared-intranet-plack.conf
@@ -22,6 +22,9 @@
     # Point the intranet site to Plack
     ProxyPass /index.html "unix:/var/run/koha/${instance}/plack.sock|http://localhost/intranet/mainpage.pl"
     ProxyPassReverse /index.html "unix:/var/run/koha/${instance}/plack.sock|http://localhost/intranet/mainpage.pl"
+    ProxyPass /cgi-bin/koha/svc "unix:/var/run/koha/${instance}/plack.sock|http://localhost/intranet_svc"
+    ProxyPassReverse /cgi-bin/koha/svc "unix:/var/run/koha/${instance}/plack.sock|http://localhost/intranet_svc"
+
 
     ProxyPass /cgi-bin/koha "unix:/var/run/koha/${instance}/plack.sock|http://localhost/intranet"
     ProxyPassReverse /cgi-bin/koha "unix:/var/run/koha/${instance}/plack.sock|http://localhost/intranet"
diff --git a/debian/templates/plack.psgi b/debian/templates/plack.psgi
index bf31ecf152..7dd49f3ae5 100644
--- a/debian/templates/plack.psgi
+++ b/debian/templates/plack.psgi
@@ -56,6 +56,10 @@ my $intranet = Plack::App::CGIBin->new(
     root => $ENV{DEV_INSTALL}? $home: "$home/intranet/cgi-bin"
 )->to_app;
 
+my $intranet_svc = Plack::App::CGIBin->new(
+    root => $ENV{DEV_INSTALL}? "$home/svc": "$home/intranet/cgi-bin/svc"
+)->to_app;
+
 my $opac = Plack::App::CGIBin->new(
     root => $ENV{DEV_INSTALL}? "$home/opac": "$home/opac/cgi-bin/opac"
 )->to_app;
@@ -117,6 +121,14 @@ builder {
         enable "+Koha::Middleware::CSRF";
         $intranet;
     };
+    mount '/intranet_svc' => builder {
+        if ( Log::Log4perl->get_logger('plack-intranet')->has_appenders ){
+            enable 'Log4perl', category => 'plack-intranet';
+            enable 'LogWarn';
+        }
+        enable "+Koha::Middleware::CSRF";
+        $intranet_svc;
+    };
     mount '/api/v1/app.pl' => builder {
         if ( Log::Log4perl->get_logger('plack-api')->has_appenders ){
             enable 'Log4perl', category => 'plack-api';
diff --git a/svc/report b/svc/report
index 5d91494f93..e36e913280 100755
--- a/svc/report
+++ b/svc/report
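Review bot: The added `/cgi-bin/koha/svc` ProxyPass pair only takes effect because it is placed above the broader `/cgi-bin/koha` rules — Apache checks ProxyPass directives in configuration order and the first match wins, so a later reordering would silently route svc back through the `/intranet` app and bring the HTML error page back for unauthenticated XHR calls. Nothing in the file states that dependency. A one-line comment above the new lines would protect it: `# Keep above the /cgi-bin/koha rules: ProxyPass matches by order, and /svc must reach the intranet_svc app`. The stray `ProxyPassReverse` for `/cgi-bin/koha/svc` mirrors the existing pairs, which is fine.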
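Review bot: The `/intranet_svc` builder repeats the `/intranet` builder's Log4perl, LogWarn and CSRF setup line for line, and the only thing that is supposed to differ — no ErrorDocument middleware, according to the commit message — is not visible in the file, so someone syncing the two blocks later could re-add it without noticing. A comment on the new mount would make the intent durable: `# Deliberately no ErrorDocument here: svc callers are JSON/XHR clients and must see the raw status (e.g. 401), not an HTML login page`. Consider also hoisting the shared `if ( Log::Log4perl->get_logger('plack-intranet')->has_appenders ){ ... }` / `enable "+Koha::Middleware::CSRF";` lines into a small helper used by both mounts, so the two stay consistent by construction; keeping CSRF on the svc mount is the right choice. The `/intranet` builder begins outside the hunk, and the ErrorDocument difference is inferred from the commit message rather than from visible lines.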
@@ -20,10 +20,10 @@
 
 use Modern::Perl;
 
-use C4::Auth qw( get_template_and_user );
+use C4::Auth qw( check_api_auth );
 use C4::Reports::Guided qw( execute_query );
 use Koha::Reports;
-use JSON qw( encode_json decode_json );
+use JSON qw( encode_json decode_json to_json );
 use CGI qw ( -utf8 );
 
 use Koha::Caches;
@@ -44,14 +44,12 @@ $report_id = $report_rec->id;
 my @sql_params = $query->multi_param('sql_params');
 my @param_names = $query->multi_param('param_names');
 
-my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
-    {
-        template_name => "intranet-main.tt",
-        query => $query,
-        type => "intranet",
-        flagsrequired => { catalogue => 1, },
-    }
-);
+my ($status, $cookie, $sessionID) = check_api_auth($query, { catalogue => '1'} );
+unless ($status eq "ok") {
+    print $query->header(-type => 'application/json', -status => '401 Unauthorized');
+    print to_json({ auth_status => $status });
+    exit 0;
+}
 
 my $cache = Koha::Caches->get_instance();
 my $cache_active = $cache->is_cache_active;
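Review bot: `$cookie` and `$sessionID` from `my ($status, $cookie, $sessionID) = check_api_auth(...)` are never used in the hunk; the success path's header is printed later in the script, outside the hunk, and if it does not pass `-cookie => $cookie` a session that check_api_auth refreshed is dropped, which get_template_and_user used to handle — worth confirming, and `$sessionID` can simply be left out of the list assignment. The `unless ($status eq "ok")` branch folds every non-`ok` status into a 401 and echoes the raw `$status` string back in `auth_status`; that is reasonable for a JSON endpoint but the reason for bypassing the login redirect should be stated in code, e.g. `# No redirect to the login page: XHR callers need the bare status code, not HTML`. `catalogue => '1'` uses a string where the removed `flagsrequired => { catalogue => 1, }` used the number; the numeric form keeps the flags hash consistent. If check_api_auth also accepts `userid`/`password` request parameters as a fallback to the session cookie, this script now has an authentication path get_template_and_user did not expose, which should be a deliberate choice for svc/report rather than a side effect. The first hunk of this file is only the matching import change and needs nothing further.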