From 11a853a1c194030c4f54acdd8e9574f845ab6c17 Mon Sep 17 00:00:00 2001
From: Marcel de Rooy
Date: Tue, 15 Nov 2022 13:53:17 +0000
Subject: [PATCH] Bug 32208: Extend Auth.t

Test plan:
Without follow-up patch, Auth.t should fail:
not ok 5 - No permission response
not ok 6 - checkauth returned failure

Signed-off-by: Marcel de Rooy
Signed-off-by: Nick Clemens
Signed-off-by: Chris Cormack
Signed-off-by: Martin Renvoize
Signed-off-by: Wainui Witika-Park
---
 t/db_dependent/Auth.t | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/t/db_dependent/Auth.t b/t/db_dependent/Auth.t
index 9e013bb1c4..68d7543d82 100755
--- a/t/db_dependent/Auth.t
+++ b/t/db_dependent/Auth.t
@@ -150,7 +150,8 @@ subtest 'checkauth() tests' => sub {
 };
 
 subtest 'While still logged in, relogin with another user' => sub {
- plan tests => 4;
+ plan tests => 6;
+
 my $patron = $builder->build_object({ class => 'Koha::Patrons', value => {} });
 my $patron2 = $builder->build_object({ class => 'Koha::Patrons', value => {} });
 # Create 'former' session
@@ -176,12 +177,11 @@ subtest 'checkauth() tests' => sub {
 $cgi->param( -name => 'userid', -value => $patron2->userid );
 $cgi->param( -name => 'password', -value => $password );
 $cgi->param( -name => 'koha_login_context', -value => 1 );
- my @return;
+ my ( @return, $stdout );
 {
 local *STDOUT;
 local %ENV;
 $ENV{REMOTE_ADDR} = '1.2.3.4';
- my $stdout;
 open STDOUT, '>', \$stdout;
 @return = C4::Auth::checkauth( $cgi, 0, {} );
 close STDOUT;
@@ -190,6 +190,29 @@ subtest 'checkauth() tests' => sub {
 is( $return[0], $patron2->userid, 'Login of patron2 approved' );
 isnt( $return[2], $sessionID, 'Did not return previous session ID' );
 ok( $return[2], 'New session ID not empty' );
+
+ # Similar situation: Relogin with former session of $patron, new user $patron2 has no permissions
+ $patron2->flags(undef)->store;
+ $session->param( 'number', $patron->id );
+ $session->param( 'id', $patron->userid );
+ $session->param( 'interface', 'intranet' );
+ $session->flush;
+ $sessionID = $session->id;
+ C4::Context->_new_userenv($sessionID);
+ $cgi->param( -name => 'userid', -value => $patron2->userid );
+ $cgi->param( -name => 'password', -value => $password );
+ $cgi->param( -name => 'koha_login_context', -value => 1 );
+ {
+ local *STDOUT;
+ local %ENV;
+ $ENV{REMOTE_ADDR} = '1.2.3.4';
+ $stdout = q{};
+ open STDOUT, '>', \$stdout;
+ @return = C4::Auth::checkauth( $cgi, 0, { catalogue => 1 }, 'intranet' ); # patron2 has no catalogue perm
+ close STDOUT;
+ }
+ like( $stdout, qr/You do not have permission to access this page/, 'No permission response' );
+ is( @return, 0, 'checkauth returned failure' );
 };
 
 subtest 'Two-factor authentication' => sub {
-- 
2.39.5
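Review bot: The denied relogin is verified only through the rendered text and the empty return list, so a regression that printed the permission page but quietly kept $patron's former session active would still pass; it may be worth adding, after `close STDOUT;`, an assertion that the userenv no longer identifies $patron, for example `isnt( ( C4::Context->userenv // {} )->{number}, $patron->id, 'Former session not retained' );`, though whether checkauth clears the userenv on this path needs confirming against C4::Auth since the hunk does not show it. `is( @return, 0, 'checkauth returned failure' );` works because `is` imposes scalar context on the array, but `is( scalar @return, 0, 'checkauth returned failure' );` states the intent outright. The copied `open STDOUT, '>', \$stdout;` is still unchecked; `open STDOUT, '>', \$stdout or die $!;` would report an open failure instead of leaving $stdout empty and making the `like` fail for an unrelated reason. The enclosing subtest begins in the earlier hunk, outside this one.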