From cd809940b71b8555fa6d40fe38ff662e5384233e Mon Sep 17 00:00:00 2001 From: Kyle M Hall Date: Fri, 22 Sep 2023 14:20:59 -0400 Subject: [PATCH] Bug 34893: ILS-DI can return the wrong patron for AuthenticatePatron Imagine we have a set of users. Some of those users have a NULL userid. We then call AuthenticatePatron from ILS-DI for a patron with a NULL userid, but a valid cardnumber. We call checkpw, which returns the cardnumber and userid. We then call Koha::Patrons->find on the userid *which is null*, meaning the borrowernumber returned is not the correct one, but instead the earliest patron inserted into the database that has a NULL userid. Test Plan: 1) Give three patrons a userid and a password 2) From the database cli, set all patrons's userid to null Run this query: update borrowers set userid = null; 3) Call AuthenticatePatron with username being the 1st patron cardnumber, and password being the password you set for that patron http://localhost:8080/cgi-bin/koha/ilsdi.pl?service=AuthenticatePatron&username=kohacard&password=koha 4) Note you get back a borrowernumber for a different patron. Refresh the page and the number is correct. 5) Do the same with the 2nd patron. Same issue at 1st and correct number after. 6) Apply this patch 7) Restart all the things! 8) Do the same with the 3rd patron. 9) Note you get the correct borrowernumber! :D 10) prove t/Auth.t t/db_dependent/Auth_with_ldap.t t/Auth_with_shibboleth.t t/db_dependent/Auth_with_cas.t Signed-off-by: Victor Grousset/tuxayo Signed-off-by: Tomas Cohen Arazi Signed-off-by: Wainui Witika-Park --- C4/Auth.pm | 14 ++++++++------ C4/Auth_with_cas.pm | 17 +++++++---------- C4/Auth_with_ldap.pm | 7 ++++--- C4/Auth_with_shibboleth.pm | 2 +- C4/ILSDI/Services.pm | 6 ++---- 5 files changed, 22 insertions(+), 24 deletions(-) diff --git a/C4/Auth.pm b/C4/Auth.pm index 9143038ec5..1a6f157085 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -1917,9 +1917,10 @@ sub checkpw { if ( $patron and ( $patron->account_locked ) ) { # Nothing to check, account is locked } elsif ($ldap && defined($password)) { - my ( $retval, $retcard, $retuserid ) = checkpw_ldap(@_); # EXTERNAL AUTH + my ( $retval, $retcard, $retuserid ); + ( $retval, $retcard, $retuserid, $patron ) = checkpw_ldap(@_); # EXTERNAL AUTH if ( $retval == 1 ) { - @return = ( $retval, $retcard, $retuserid ); + @return = ( $retval, $retcard, $retuserid, $patron ); $passwd_ok = 1; } $check_internal_as_fallback = 1 if $retval == 0; @@ -1929,9 +1930,9 @@ sub checkpw { # In case of a CAS authentication, we use the ticket instead of the password my $ticket = $query->param('ticket'); $query->delete('ticket'); # remove ticket to come back to original URL - my ( $retval, $retcard, $retuserid, $cas_ticket ) = checkpw_cas( $dbh, $ticket, $query, $type ); # EXTERNAL AUTH + my ( $retval, $retcard, $retuserid, $cas_ticket, $patron ) = checkpw_cas( $ticket, $query, $type ); # EXTERNAL AUTH if ( $retval ) { - @return = ( $retval, $retcard, $retuserid, $cas_ticket ); + @return = ( $retval, $retcard, $retuserid, $patron, $cas_ticket ); } else { @return = (0); } @@ -1949,9 +1950,9 @@ sub checkpw { # Then, we check if it matches a valid koha user if ($shib_login) { - my ( $retval, $retcard, $retuserid ) = C4::Auth_with_shibboleth::checkpw_shib($shib_login); # EXTERNAL AUTH + my ( $retval, $retcard, $retuserid, $patron ) = C4::Auth_with_shibboleth::checkpw_shib($shib_login); # EXTERNAL AUTH if ( $retval ) { - @return = ( $retval, $retcard, $retuserid ); + @return = ( $retval, $retcard, $retuserid, $patron ); } $passwd_ok = $retval; } @@ -1962,6 +1963,7 @@ sub checkpw { # INTERNAL AUTH if ( $check_internal_as_fallback ) { @return = checkpw_internal( $dbh, $userid, $password, $no_set_userenv); + push(@return, $patron); $passwd_ok = 1 if $return[0] > 0; # 1 or 2 } diff --git a/C4/Auth_with_cas.pm b/C4/Auth_with_cas.pm index 3817a69d70..a3b1a5df88 100644 --- a/C4/Auth_with_cas.pm +++ b/C4/Auth_with_cas.pm @@ -117,17 +117,14 @@ sub checkpw_cas { # we should store the CAS ticekt too, we need this for single logout https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html#233-single-logout # Does it match one of our users ? - my $sth = $dbh->prepare("select cardnumber from borrowers where userid=?"); - $sth->execute($userid); - if ( $sth->rows ) { - $retnumber = $sth->fetchrow; - return ( 1, $retnumber, $userid, $ticket ); + my $dbh = C4::Context->dbh; + my $patron = Koha::Patrons->find({ userid => $userid }); + if ( $patron ) { + return ( 1, $patron->cardnumber, $patron->userid, $ticket, $patron ); } - $sth = $dbh->prepare("select userid from borrowers where cardnumber=?"); - $sth->execute($userid); - if ( $sth->rows ) { - $retnumber = $sth->fetchrow; - return ( 1, $retnumber, $userid, $ticket ); + $patron = Koha::Patrons->find({ cardnumber => $userid }); + if ( $patron ) { + return ( 1, $patron->cardnumber, $patron->userid, $ticket, $patron ); } # If we reach this point, then the user is a valid CAS user, but not a Koha user diff --git a/C4/Auth_with_ldap.pm b/C4/Auth_with_ldap.pm index 7f6c99a9a4..a7ffe5271b 100644 --- a/C4/Auth_with_ldap.pm +++ b/C4/Auth_with_ldap.pm @@ -202,6 +202,7 @@ sub checkpw_ldap { my (%borrower); my ($borrowernumber,$cardnumber,$local_userid,$savedpw) = exists_local($userid); + my $patron; if (( $borrowernumber and $config{update} ) or (!$borrowernumber and $config{replicate}) ) { %borrower = ldap_entry_2_hash($userldapentry,$userid); @@ -218,7 +219,7 @@ sub checkpw_ldap { } } elsif ($config{replicate}) { # A2, C2 my @columns = Koha::Patrons->columns; - my $patron = Koha::Patron->new( + $patron = Koha::Patron->new( { map { exists( $borrower{$_} ) ? ( $_ => $borrower{$_} ) : () } @columns } @@ -237,7 +238,7 @@ sub checkpw_ldap { unless (exists($borrower{$code}) && $borrower{$code} !~ m/^\s*$/ ) { next; } - my $patron = Koha::Patrons->find($borrowernumber); + $patron = Koha::Patrons->find($borrowernumber); if ( $patron ) { # Should not be needed, but we are in C4::Auth LDAP... eval { my $attribute = Koha::Patron::Attribute->new({code => $code, attribute => $borrower{$code}}); @@ -249,7 +250,7 @@ sub checkpw_ldap { } } } - return(1, $cardnumber, $userid); + return(1, $cardnumber, $userid, $patron); } # Pass LDAP entry object and local cardnumber (userid). diff --git a/C4/Auth_with_shibboleth.pm b/C4/Auth_with_shibboleth.pm index e214a5307c..862985267a 100644 --- a/C4/Auth_with_shibboleth.pm +++ b/C4/Auth_with_shibboleth.pm @@ -108,7 +108,7 @@ sub checkpw_shib { if ($config->{'sync'}) { _sync($borrower->borrowernumber, $config, $match); } - return ( 1, $borrower->get_column('cardnumber'), $borrower->get_column('userid') ); + return ( 1, $borrower->get_column('cardnumber'), $borrower->get_column('userid'), $borrower ); } if ( $config->{'autocreate'} ) { diff --git a/C4/ILSDI/Services.pm b/C4/ILSDI/Services.pm index b33d794650..eb5361ab84 100644 --- a/C4/ILSDI/Services.pm +++ b/C4/ILSDI/Services.pm @@ -398,12 +398,10 @@ sub AuthenticatePatron { my ($cgi) = @_; my $username = $cgi->param('username'); my $password = $cgi->param('password'); - my ($status, $cardnumber, $userid) = C4::Auth::checkpw( C4::Context->dbh, $username, $password ); + my ($status, $cardnumber, $userid, $patron) = C4::Auth::checkpw( C4::Context->dbh, $username, $password ); if ( $status == 1 ) { # Track the login - C4::Auth::track_login_daily( $userid ); - # Get the borrower - my $patron = Koha::Patrons->find( { userid => $userid } ); + $patron->update_lastseen('connection'); return { id => $patron->borrowernumber }; } elsif ( $status == -2 ){ -- 2.39.5