Bug 18275: Do not rely on CGI param userid to log a user in if auth is not required
From opac/opac-memberentry.pl, authnotrequired is set.
That means a patron can access the page without being logged in. It is
used on this page for the self registration feature.
From C4::Auth::get_template_and_user, we have
$userid = $q_userid;
$q_userid is previously set to the 'userid' CGI param.
We end up here if authonotrequired is set AND CGISESSID does not exist.
Test plan:
- Run:
$ prove t/db_dependent/Auth.t
=> FAIL: Regression test for checkauth fails
- Apply this patch
- Run:
$ prove t/db_dependent/Auth.t
=> SUCCESS: Tests pass.
- Sign off :-D
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>