]> git.koha-community.org Git - koha.git/commit
Bug 24862: Handle annonymous sessions gracefuly
authorTomas Cohen Arazi <tomascohen@theke.io>
Fri, 13 Mar 2020 15:03:03 +0000 (12:03 -0300)
committerVictor Grousset/tuxayo <victor@tuxayo.net>
Tue, 30 Jun 2020 19:19:22 +0000 (21:19 +0200)
commitbc822009481b7ad38db06c2d55b64ec7e0c25ae9
tree6a224e15e26807900f7b43b4adecab2b13175bbc
parent9484adb366738ce82c877ddf4fb84afad2daf1b8
Bug 24862: Handle annonymous sessions gracefuly

This patch introduces code to detect (cookie) annonymous sessions and
act as expected.

Right now, as check_cookie_auth is not passed the required permissions
(because there aren't always required permissions, and the code to check
permissions is shared with other authentication mechanisms) it returns
'ok' and the session id. This use case was overlooked when this was
coded, and yeilds unexpected error codes (500) when the user logs out
and the annonymous session cookie is used to hit the API. The end result
doesn't pose any security issue (i.e. the resource access is rejected)
but the returned error code is not correct and should be fixed.

This patch verifies for an anonymous session (and avoids querying the
corresponding patron) and then verifies if there is an authorization
config on the route and if the patron object is defined.

To test:
1. Apply the tests patch
2. Run:
   $ kshell
  k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t
=> FAIL: Tests fail, 500 instead of the expected 401
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass!
5. Repeat the original 'steps to reproduce' from the bug report using
   the browser
=> SUCCESS: Problem solved!
6. Sign off :-D

Sponsored-by: ByWater Solutions
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit de07356028d5b98af3a7cd7cbae02a7ad6402a43)

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit 99a3d1193ebfcb1ae5046bf36d60b1e53f8c2e93)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Koha/REST/V1/Auth.pm