Bug 29543: Enforce authentication for self-checkout
author     Jonathan Druart <jonathan.druart@bugs.koha-community.org>
           Wed, 5 Jan 2022 11:47:10 +0000 (12:47 +0100)
committer  Andrew Fuerste-Henry <andrew@bywatersolutions.com>
           Tue, 25 Jan 2022 21:00:05 +0000 (21:00 +0000)
commit     84f79b52723265957f09642a4c67184f988bc428
tree       004027bbb035f3d01dcc6e85f775238068e08c1e
parent     4008d7261a472fb6d0e484c1d2309ae0e7e2c8ff
Bug 29543: Enforce authentication for self-checkout

The self-checkout feature is assuming a patron is logged in if patronid
is passed. It also assumes that "We're in a controlled environment; we
trust the user", which is terribly wrong!

This patch is suggesting to generate a JSON Web Token (JWT) to store in
a cookie and only allow actions (renew, check in/out) if the token is
valid. The token is only generated once the user has been authenticated
and is removed when the user finishes the session/logs out.

Test plan:
You must know exactly how the self-checkout feature works to test this patch.
The 4 following sysprefs must be tested:
 SelfCheckoutByLogin, AutoSelfCheckAllowed, AutoSelfCheckID, AutoSelfCheckPass
Confirm that you can renew, check in the items you own, and check out new items.
Confirm that you are not allowed to access other accounts' info.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 77e21f30062dc23edb2c79f609d854d553e67f7c)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit f57465ad024e461bb00b2c0aeebff4adb1a651b5)

Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
opac/sco/sco-main.pl
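The mechanism the commit message describes (a signed token minted only after authentication, checked before every renew/check-in/checkout, and dropped at logout), as an added stand-alone example. This is not the Koha patch's code, and Koha itself is written in Perl; the hand-rolled HS256 JWT helpers, the cookie name `JWT`, the 600-second lifetime, the `PATRONS` table and the `login`/`logout`/`handle_action` functions are all constructed here for illustration. The security-relevant point it shows is that the patron acted upon is derived from the verified token, while the `patronid` request parameter is at most cross-checked against it, never trusted on its own.

```python
"""Gating self-checkout actions behind a signed session token.

Added example, not the Koha patch's code. All names and values are
constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumption: a server-side secret; a real deployment loads it from config.
SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL = 600          # seconds; assumption
COOKIE_NAME = "JWT"      # assumption; cookie holding the token

# Constructed patron table (patron id -> password). Not real data.
PATRONS = {"P100": "correct horse", "P200": "battery staple"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(patronid: str, now=None, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT binding the session to one patron id."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                                separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": patronid, "iat": now,
                                  "exp": now + TOKEN_TTL},
                                 separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, now=None, secret: bytes = SECRET):
    """Return the patron id bound to a valid, unexpired token, else None."""
    now = int(time.time()) if now is None else now
    if not token:
        return None
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":   # refuse "none" / algorithm swaps
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
        if int(payload["exp"]) <= now:
            return None
        return payload["sub"]
    except (ValueError, KeyError, TypeError):
        return None


def login(cookies: dict, patronid: str, password: str, now=None) -> bool:
    """Set the token cookie only after the credentials check out."""
    stored = PATRONS.get(patronid)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return False
    cookies[COOKIE_NAME] = issue_token(patronid, now=now)
    return True


def logout(cookies: dict) -> None:
    """End the session: the token is discarded, so no further action verifies."""
    cookies.pop(COOKIE_NAME, None)


def handle_action(cookies: dict, params: dict, now=None):
    """Authorise a renew/checkin/checkout request.

    The acting patron comes from the verified token. A patronid parameter,
    if present, is only cross-checked against it; it is never the source of
    identity (the assumption the commit message calls out as wrong).
    """
    if params.get("op") not in {"renew", "checkin", "checkout"}:
        return (False, "unknown op")
    patron = verify_token(cookies.get(COOKIE_NAME), now=now)
    if patron is None:
        return (False, "not authenticated")
    if params.get("patronid") not in (None, patron):
        return (False, "forbidden: token is for another patron")
    return (True, f"{params['op']} as {patron}")
```

Note the three rejection paths a reviewer would want exercised against such a change: a request with no cookie, a request whose `patronid` parameter names a different patron than the token's subject, and a token whose payload was edited after issue (the signature no longer matches, so the forged subject is never read).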