]> git.koha-community.org Git - koha.git/commit
Bug 18275: Do not rely on CGI param userid to log a user in if auth is not required
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Wed, 15 Mar 2017 17:52:49 +0000 (14:52 -0300)
committerKyle M Hall <kyle@bywatersolutions.com>
Mon, 20 Mar 2017 13:00:02 +0000 (13:00 +0000)
commit2470e225d8791d1b87daaebde2591caab6427d49
tree369f2b09b73a57b3205045ef67a024b2288d04b5
parent3844d6f36bcee2b0e2102c2df1323cdd86940303
Bug 18275: Do not rely on CGI param userid to log a user in if auth is not required

From opac/opac-memberentry.pl, authnotrequired is set.
That means a patron can access the page without being logged in. It is
used on this page for the self registration feature.

From C4::Auth::get_template_and_user, we have
  $userid = $q_userid;
$q_userid is previously set to the 'userid' CGI param.

We end up here if authonotrequired is set AND CGISESSID does not exist.

Test plan:
- Run:
  $ prove t/db_dependent/Auth.t
=> FAIL: Regression test for checkauth fails
- Apply this patch
- Run:
  $ prove t/db_dependent/Auth.t
=> SUCCESS: Tests pass.
- Sign off :-D

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
C4/Auth.pm