From 44d991b0c492271b20d55e1e84918d70cb448c54 Mon Sep 17 00:00:00 2001 From: Marcel de Rooy Date: Tue, 15 Nov 2022 13:55:18 +0000 Subject: [PATCH] Bug 32208: Adjust Auth.pm for relogin without perms If a second login on top of a current session fails on permissions, we should not grant access without context. Test plan: [1] Run t/db../Auth.t, it should pass now. [2] Test interface with/without this patch: Pick two users: A has perms, B has not. Put two staff login forms in two tabs. Login as A in tab1. Login as B in tab2. Without this patch, B gets in and crashes. With this patch, B does not get in ('no perms'). Bonus: Go to opac if on same domain. You are still logged in as B. NOTE: I added a FIXME here, since you could argue about filling the session info or otoh deleting the session. We present an authorization failure; people may not realize that they are still logged in (see test plan - bonus). Signed-off-by: Marcel de Rooy Signed-off-by: Nick Clemens Signed-off-by: Chris Cormack Signed-off-by: Lucas Gass Signed-off-by: Lucas Gass (cherry picked from commit 0cc7c4991c6d09492c4389be5bee9cc92b7694da) --- C4/Auth.pm | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/C4/Auth.pm b/C4/Auth.pm index e0b73e8729..241babde46 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -1109,6 +1109,11 @@ sub checkauth { $loggedin = 1; } else { + $auth_state = 'failed'; + # FIXME We could add $return = 0; or even delete the session? + # Currently return == 1 and we will fill session info later on, + # although we do present an authorization failure. (Yes, the + # authentication was actually correct.) $info{'nopermission'} = 1; C4::Context::_unset_userenv($sessionID); } -- 2.39.5