Bug 32208: Adjust Auth.pm for relogin without perms
If a second login on top of a current session fails on
permissions, we should not grant access without context.
Test plan:
[1] Run t/db../Auth.t, it should pass now.
[2] Test interface with/without this patch:
Pick two users: A has perms, B has not.
Put two staff login forms in two tabs.
Login as A in tab1. Login as B in tab2.
Without this patch, B gets in and crashes.
With this patch, B does not get in ('no perms').
Bonus: Go to opac if on same domain. You are still
logged in as B.
NOTE: I added a FIXME here, since you could argue about filling
the session info or otoh deleting the session. We present an
authorization failure; people may not realize that they are
still logged in (see test plan - bonus).
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>