From 16ce9086e3c34f381d6d53c96e07145f19bf3ee9 Mon Sep 17 00:00:00 2001
From: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Date: Tue, 15 Nov 2022 13:55:18 +0000
Subject: [PATCH] Bug 32208: Adjust Auth.pm for relogin without perms

If a second login on top of a current session fails on
permissions, we should not grant access without context.

Test plan:
[1] Run t/db../Auth.t, it should pass now.
[2] Test interface with/without this patch:
    Pick two users: A has perms, B has not.
    Put two staff login forms in two tabs.
    Login as A in tab1. Login as B in tab2.
    Without this patch, B gets in and crashes.
    With this patch, B does not get in ('no perms').
    Bonus: Go to opac if on same domain. You are still
    logged in as B.

NOTE: I added a FIXME here, since you could argue about filling
the session info or otoh deleting the session. We present an
authorization failure; people may not realize that they are
still logged in (see test plan - bonus).

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
---
 C4/Auth.pm | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index b70afa9988..8e5b5f6e54 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -1119,6 +1119,11 @@ sub checkauth {
                     $auth_state = "logged_in";
                 }
                 else {
+                    $auth_state = 'failed';
+                    # FIXME We could add $return = 0; or even delete the session?
+                    # Currently return == 1 and we will fill session info later on,
+                    # although we do present an authorization failure. (Yes, the
+                    # authentication was actually correct.)
                     $info{'nopermission'} = 1;
                     C4::Context::_unset_userenv($sessionID);
                 }
-- 
2.39.2