git.koha-community.org Git - koha.git/commit
Bug 18275: Do not rely on CGI param userid to log a user in if auth is not required
author Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Wed, 15 Mar 2017 17:52:49 +0000 (14:52 -0300)
committer Julian Maurice <julian.maurice@biblibre.com>
Thu, 16 Mar 2017 14:53:49 +0000 (15:53 +0100)
commit f1c9d2e2653912343c07d08bccf0f7f72616f0bb
tree 87ae2b804e49a6e852acf012241ffaccb3723afe
parent 5690d6bc540dcb9d3f2597065c737e2e7df1f121

From opac/opac-memberentry.pl, authnotrequired is set.
That means a patron can access the page without being logged in. It is
used on this page for the self registration feature.

From C4::Auth::get_template_and_user, we have
  $userid = $q_userid;
$q_userid is previously set to the 'userid' CGI param.

We end up here if authnotrequired is set AND CGISESSID does not exist.

Test plan:
- Run:
  $ prove t/db_dependent/Auth.t
=> FAIL: Regression test for checkauth fails
- Apply this patch
- Run:
  $ prove t/db_dependent/Auth.t
=> SUCCESS: Tests pass.
- Sign off :-D

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
C4/Auth.pm
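
A simplified model of the pattern the commit message describes, as an added example that is not Koha's code and not part of this commit. The function names, request layout and session table are hypothetical, and the hardened variant only illustrates the commit title: identity comes from the session, never from the `userid` parameter.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed session store (hypothetical): session id => authenticated userid.
my %SESSIONS = ( 'sess-abc123' => 'alice' );

# Flawed pattern: with authnotrequired set and no CGISESSID cookie, the
# client-supplied 'userid' parameter is adopted as the user's identity.
sub resolve_user_flawed {
    my (%req) = @_;
    my $sid = $req{cookies}{CGISESSID};
    return $SESSIONS{$sid} if defined $sid && exists $SESSIONS{$sid};
    return $req{params}{userid} if $req{authnotrequired};    # trusts client input
    return;
}

# Hardened pattern: only a server-side session can establish identity.
# Without one, a page that does not require auth is served anonymously.
sub resolve_user_fixed {
    my (%req) = @_;
    my $sid = $req{cookies}{CGISESSID};
    return $SESSIONS{$sid} if defined $sid && exists $SESSIONS{$sid};
    return;
}

# Constructed requests to a page that sets authnotrequired.
my @requests = (
    { name => 'anonymous visitor',        authnotrequired => 1,
      cookies => {},                          params => {} },
    { name => 'userid param, no session', authnotrequired => 1,
      cookies => {},                          params => { userid => 'alice' } },
    { name => 'valid session',            authnotrequired => 1,
      cookies => { CGISESSID => 'sess-abc123' }, params => {} },
);

for my $r (@requests) {
    my $flawed = resolve_user_flawed(%$r) // '(anonymous)';
    my $fixed  = resolve_user_fixed(%$r)  // '(anonymous)';
    printf "%-26s flawed=%-12s fixed=%-12s%s\n", $r->{name}, $flawed, $fixed,
        $flawed ne $fixed ? ' <-- identity taken from request parameter' : '';
}
```

A regression test for this class of bug asserts that the second request resolves to no user.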