From 6b457885cd325da444d39b031eac567eb0f46351 Mon Sep 17 00:00:00 2001 From: Martin Renvoize Date: Fri, 8 Mar 2019 14:20:41 +0000 Subject: [PATCH] Bug 22483: (QA follow-up) Corrections to logic in check_cookie_auth check_cookie_auth needs to allow for cases where we wish to check for ANY permission and cases where we wish to skip the permissions check entirely and just authenticate the session. Signed-off-by: Martin Renvoize Signed-off-by: Kyle M Hall Signed-off-by: Tomas Cohen Arazi --- C4/Auth.pm | 8 ++++++-- Koha/REST/V1/Auth.pm | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/C4/Auth.pm b/C4/Auth.pm
index 963584a185..2a3c492011 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -1606,7 +1606,11 @@ sub check_api_auth {
 ($status, $sessionId) = check_api_auth($cookie, $userflags);
 
 Given a CGISESSID cookie set during a previous login to Koha, determine
-if the user has the privileges specified by C<$userflags>.
+if the user has the privileges specified by C<$userflags>. C<$userflags>
+is passed unaltered into C and as such accepts all options
+avaiable to that routine with the one caveat that C will
+also allow 'undef' to be passed and in such a case the permissions check
+will be skipped altogether.
 
 C is meant for authenticating special services such as
 tools/upload-file.pl that are invoked by other pages that
@@ -1701,7 +1705,7 @@ sub check_cookie_auth {
 return ( "expired", undef );
 } else {
 $session->param( 'lasttime', time() );
- my $flags = haspermission( $userid, $flagsrequired );
+ my $flags = defined($flagsrequired) ? haspermission( $userid, $flagsrequired ) : 1;
 if ($flags) {
 return ( "ok", $sessionID );
 } else {
diff --git a/Koha/REST/V1/Auth.pm b/Koha/REST/V1/Auth.pm
index 71ef60a277..92cafc22f2 100644
--- a/Koha/REST/V1/Auth.pm
+++ b/Koha/REST/V1/Auth.pm
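Review bot: The added POD has a typo on the third `+` line, `avaiable` → `available`. The wording also understates what the new code does: passing `undef` does not merely skip a check, it makes `check_cookie_auth` return `"ok"` for every valid session regardless of the patron's flags, so I would append `Passing undef disables authorization entirely and must only be done by callers that enforce permissions themselves.` after `will be skipped altogether.` Three places read as a bare `C` (`into C`, `that C will`, `C is meant`), which looks like `C<...>` contents lost in extraction rather than in the source, but it is worth confirming the rendered POD actually names `haspermission` and `check_cookie_auth` there.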
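Review bot: The new ternary on the `+` line makes `check_cookie_auth` fail open: any caller whose `$flagsrequired` is undefined by accident (a missing hash key, an uninitialised scalar) now gets `"ok"` without `haspermission` ever being called, and nothing in the code distinguishes that from the deliberate opt-out the commit message describes. Since `undef` is now a security-relevant sentinel, the line needs a why-comment, e.g. `# undef is a deliberate opt-out: the caller (e.g. the REST API) only wants the session authenticated and does its own authorization; any other value is passed unaltered to haspermission()`. Consider whether an explicit key in the trailing options hash (the Koha/REST/V1/Auth.pm hunk shows `{ remote_addr => ... }` is already passed) would be a safer way to request the skip than a bare `undef`, since a hash key cannot arise from an uninitialised variable. The enclosing `sub check_cookie_auth` begins and ends outside this hunk, so I cannot see how `$flagsrequired` is unpacked or whether an empty string or 0 already behaves differently inside `haspermission`.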
@@ -189,7 +189,7 @@ sub authenticate_api_request {
 # Manually pass the remote_address to check_auth_cookie
 my $remote_addr = $c->tx->remote_address;
 my ($status, $sessionID) = check_cookie_auth(
- $cookie, '*',
+ $cookie, undef,
 { remote_addr => $remote_addr });
 if ($status eq "ok") {
 my $session = get_session($sessionID);
-- 2.39.5
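Review bot: With `undef` replacing `'*'` on the `+` line, a cookie session whose patron holds no permission flags at all now passes this stage, where before it needed at least one (per the commit message's description of `'*'` as "ANY permission"); that is only safe if route-level authorization later in `authenticate_api_request` enforces the required permissions for every endpoint, which this hunk does not show — the sub continues past its last line. A bare positional `undef` also tells a reader nothing about that intent, so I would add `# undef: authenticate the session only; permissions are enforced per route below` above the call, adjusted to what the code that follows actually does. As a side note, the pre-existing context comment names `check_auth_cookie`, but the call is to `check_cookie_auth`.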