From 68cde441b325a8ceabe44355d616507e84d03783 Mon Sep 17 00:00:00 2001
From: Marcel de Rooy
Date: Tue, 8 Nov 2022 13:40:17 +0000
Subject: [PATCH] Bug 31908: Resolve second login with another userid

Somewhere the line undef $userid got removed. We need it to resolve the second login situation. Test plan: Login in staff with user missing privileges. On the login form login again with another staff user. Note that you do no longer crash. Run t/db../Auth.t Run t/db../Koha/Auth/TwoFactorAuth.t
Signed-off-by: Marcel de Rooy
Signed-off-by: Nick Clemens
Signed-off-by: David Cook
Signed-off-by: Martin Renvoize
Signed-off-by: Wainui Witika-Park
---
 C4/Auth.pm | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index a8ed6a7569..1e3db9d7d5 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -950,6 +950,35 @@ sub checkauth {
 if ($session) {
 $session->delete();
 $session->flush;
+ $cookie = $cookie_mgr->clear_unless( $query->cookie, @$cookie );
+ C4::Context::_unset_userenv($sessionID);
+ $sessionID = undef;
+ undef $userid; # IMPORTANT: this assures us a new session in code below
+ } elsif (!$logout) {
+
+ $cookie = $cookie_mgr->replace_in_list( $cookie, $query->cookie(
+ -name => 'CGISESSID',
+ -value => $session->id,
+ -HttpOnly => 1,
+ -secure => ( C4::Context->https_enabled() ? 1 : 0 ),
+ -sameSite => 'Lax',
+ ));
+
+ $flags = haspermission( $userid, $flagsrequired );
+ unless ( $flags ) {
+ $auth_state = 'failed';
+ $info{'nopermission'} = 1;
+ }
+ }
+ } elsif ( !$logout ) {
+ if ( $return eq 'expired' ) {
+ $info{timed_out} = 1;
+ } elsif ( $return eq 'restricted' ) {
+ $info{oldip} = $more_info->{old_ip};
+ $info{newip} = $more_info->{new_ip};
+ $info{different_ip} = 1;
+ } elsif ( $return eq 'password_expired' ) {
+ $info{password_has_expired} = 1;
 }
 C4::Context->_unset_userenv($sessionID);
-- 
2.20.1
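Review bot: As the hunk reads, the added `} elsif (!$logout) {` directly follows `undef $userid;` with no closing brace for `if ($session) {` in between, so the elsif binds to `if ($session)` and its body then calls `$session->id` on a false `$session`, which dies with "Can't call method" — unless the closing brace of the `if ($session)` block is among the lines lost in the collapsed layout, in which case the elsif belongs to the outer branch and this does not apply. If the former, the `if ($session)` block needs its own `}` before `} elsif (!$logout) {`, or the elsif body needs a `$session` guard before building the CGISESSID cookie. Minor, in the same hunk: the new line uses the function form `C4::Context::_unset_userenv($sessionID);` while the trailing context line uses the method form `C4::Context->_unset_userenv($sessionID);`; the new code should follow the form already used in the file. The enclosing `sub checkauth` begins and ends outside the hunk.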