]> git.koha-community.org Git - koha.git/commit
Bug 18275: Do not rely on CGI param userid to log a user in if auth is not required
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Wed, 15 Mar 2017 17:52:49 +0000 (14:52 -0300)
committerKatrin Fischer <katrin.fischer.83@web.de>
Thu, 16 Mar 2017 22:35:07 +0000 (23:35 +0100)
commitcf837a537682c769908043ff6a93613967dd6334
tree87bf3c8f13a9e55d3c7a646b33469a3cadec6f0e
parent1a703faf6376a216a8ded37a50bd8c08613a8e9d
Bug 18275: Do not rely on CGI param userid to log a user in if auth is not required

From opac/opac-memberentry.pl, authnotrequired is set.
That means a patron can access the page without being logged in. It is
used on this page for the self registration feature.

From C4::Auth::get_template_and_user, we have
  $userid = $q_userid;
$q_userid is previously set to the 'userid' CGI param.

We end up here if authonotrequired is set AND CGISESSID does not exist.

Test plan:
- Run:
  $ prove t/db_dependent/Auth.t
=> FAIL: Regression test for checkauth fails
- Apply this patch
- Run:
  $ prove t/db_dependent/Auth.t
=> SUCCESS: Tests pass.
- Sign off :-D

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
C4/Auth.pm