From 3ae3b6a1864c75cea498cee8dfb5501adf798c29 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Thu, 20 Jan 2022 10:10:05 +0100
Subject: [PATCH] Bug 29914: Make check_cookie_auth compare the userid

check_cookie_auth is assuming that the user is authenticated if a cookie exists and that the login/username exists in the DB. So basically if you hit the login page, fill the login input with a valid username, click "login" => A cookie will be generated, and the sessions table will contain a line with this session id. On the second hit, if the username is in the DB, it will be enough to be considered authenticated.
Signed-off-by: Kyle M Hall
(cherry picked from commit 7114dc2fb1a1440dd031ee771efee6e50bb86540)
Signed-off-by: Victor Grousset/tuxayo
(cherry picked from commit be18dc19b8e84919416eab5cd43f4ed345fc280a)
Signed-off-by: Andrew Fuerste-Henry
---
 C4/Auth.pm | 19 +++++++++++--------
 Koha/REST/V1/Auth.pm | 7 ++++---
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index b6d934eaa0..274e801ecf 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -1744,6 +1744,8 @@ Possible return values in C<$status> are:
 
 =item "ok" -- user authenticated; C<$sessionID> have valid values.
 
+=item "anon" -- user not authenticated but valid for anonymous session.
+
 =item "failed" -- credentials are not correct; C<$sessionid> are undef
 
 =item "maintenance" -- DB is in maintenance mode; no login possible at the moment
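Review bot: The new `=item "anon"` entry does not say what the second return value holds, while the neighbouring "ok" and "failed" entries do, and the code in the second hunk of this file returns the session object (`return ( "anon", $session );`) where the "ok" branch returns `$sessionID`. A caller unpacking `my ( $status, $sessionID ) = check_cookie_auth(...)` therefore receives an object in the "anon" case. If that is intentional the POD should state it, e.g. `=item "anon" -- user not authenticated but valid for anonymous session; the second return value is the session object, not C<$sessionID>.`; if not, the code should return `$sessionID` so the documented shape holds for every status.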
@@ -1828,20 +1830,21 @@ sub check_cookie_auth {
 $userid = undef;
 $sessionID = undef;
 return ( "expired", undef );
- } else {
+ } elsif ( $userid ) {
 $session->param( 'lasttime', time() );
 my $flags = defined($flagsrequired) ? haspermission( $userid, $flagsrequired ) : 1;
 if ($flags) {
 return ( "ok", $sessionID );
- } else {
- $session->delete();
- $session->flush;
- C4::Context->_unset_userenv($sessionID);
- $userid = undef;
- $sessionID = undef;
- return ( "failed", undef );
 }
+ } else {
+ return ( "anon", $session );
 }
+ $session->delete();
+ $session->flush;
+ C4::Context->_unset_userenv($sessionID);
+ $userid = undef;
+ $sessionID = undef;
+ return ( "failed", undef );
 } else {
 return ( "expired", undef );
 }
diff --git a/Koha/REST/V1/Auth.pm b/Koha/REST/V1/Auth.pm
index ea29bd6929..cbe5c4d739 100644
--- a/Koha/REST/V1/Auth.pm
+++ b/Koha/REST/V1/Auth.pm
@@ -221,9 +221,10 @@ sub authenticate_api_request {
 { remote_addr => $remote_addr });
 if ($status eq "ok") {
 my $session = get_session($sessionID);
- $user = Koha::Patrons->find( $session->param('number') )
- unless $session->param('sessiontype')
- and $session->param('sessiontype') eq 'anon';
+ $user = Koha::Patrons->find( $session->param('number') );
+ $cookie_auth = 1;
+ }
+ elsif ($status eq "anon") {
 $cookie_auth = 1;
 } elsif ($status eq "maintenance") {
 
-- 
2.39.5
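Review bot: Anonymous sessions no longer get their idle timer refreshed: `$session->param( 'lasttime', time() );` now sits inside the `elsif ( $userid )` branch, whereas the removed `else` ran it for every non-expired session, so a session without a userid keeps its old `lasttime` and will be reported "expired" on a later request even while in active use. If anonymous sessions are meant to stay alive, add `$session->param( 'lasttime', time() );` before `return ( "anon", $session );`. The branch condition is a plain truthiness test, so a `$userid` of `0` or `''` (set above the hunk) is classified as anonymous rather than failed; presumably harmless, but a one-line comment such as `# no userid in the session: anonymous, not a failed login` would make the intent explicit. The fall-through from a set userid with insufficient flags into the delete/flush/"failed" block is correct as written. check_cookie_auth starts and ends outside this hunk.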
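Review bot: The new `elsif ($status eq "anon")` is uncuddled (`}` on one line, `elsif` on the next) while the rest of the chain in this sub writes `} elsif ($status eq "maintenance") {`; either form is fine, but keep one within the chain. Dropping the `sessiontype eq 'anon'` guard assumes that a session check_cookie_auth reports as "ok" never carries an anonymous `sessiontype` together with a `number`; if it can, the "ok" path now resolves `$user` to that patron and marks it cookie-authenticated, so the assumption deserves a comment: `# "ok" implies a userid in the session; anonymous sessions come back as "anon" and never reach this lookup`. `Koha::Patrons->find` may also return undef for a stale `number` while `$cookie_auth` is still set to 1; whether later code tolerates that is outside the hunk. authenticate_api_request starts and ends outside this hunk.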