From 15535f9fd5290eaeea852008e3f1badc552316c6 Mon Sep 17 00:00:00 2001 From: David Cook Date: Thu, 22 Jul 2021 06:34:20 +0000 Subject: [PATCH] Bug 28735: Self-checkout users can access opac-user.pl for sco user when not using AutoSelfCheckID This patch makes the sandboxing of the selfcheckout more robust by adding a "sco_user" session variable which is turned on when logging into the self-checkout (either by AutoSelfCheckAllowed or manually). If a user with this session variable turned on tries to access other parts of the system (like the rest of the OPAC), it will "kick out", so that the browser user will lose the authenticated session. Test plan: 1) Apply the patch 2) koha-plack --restart kohadev 3) Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl 4) Note that you are logged into the self-checkout So you see the login screen specific to the self-checkout. To log with the actual patron. It's a nested auth. 5) Go to http://localhost:8080/cgi-bin/koha/opac-main.pl 6) Note that you are not logged into the OPAC 7) Log into the staff interface and disable the system preference AutoSelfCheckAllowed 8) Log out of the staff interface (this step is very important) 9) Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl 10) Note that you are prompted to log into Koha 11) Login using the "koha" user (when using koha-testing-docker) 12) Note that you are logged into the self-checkout 13) Go to http://localhost:8080/cgi-bin/koha/opac-main.pl 14) Note that you are not logged into the OPAC Without the patch you would still be logged as "koha" 15) Go back to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl 16) Note that you will need to log in again as you've lost your session cookie Without the patch you will still be logged in the self-checkout Voila! Signed-off-by: Victor Grousset/tuxayo Signed-off-by: Katrin Fischer Signed-off-by: Kyle M Hall (cherry picked from commit 6d022889a2fac79c9148dd5f20c36f926d66065c) 
Signed-off-by: Victor Grousset/tuxayo
---
 C4/Auth.pm | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/C4/Auth.pm b/C4/Auth.pm
index 1b63514cee..d389628c9b 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -196,14 +196,26 @@ sub get_template_and_user {
 }
 if ( $in->{type} eq 'opac' && $user ) {
+ my $is_sco_user;
+ if ($sessionID){
+ my $session = get_session($sessionID);
+ if ($session){
+ $is_sco_user = $session->param('sco_user');
+ }
+ }
 my $kick_out;
 if (
 # If the user logged in is the SCO user and they try to go out of the SCO module,
 # log the user out removing the CGISESSID cookie
 $in->{template_name} !~ m|sco/|
 && $in->{template_name} !~ m|errors/errorpage.tt|
- && C4::Context->preference('AutoSelfCheckID')
- && $user eq C4::Context->preference('AutoSelfCheckID')
+ && (
+ $is_sco_user ||
+ (
+ C4::Context->preference('AutoSelfCheckID')
+ && $user eq C4::Context->preference('AutoSelfCheckID')
+ )
+ )
 ) {
 $kick_out = 1;
@@ -1220,6 +1232,12 @@ sub checkauth {
 $branchname = $branches->{$br}->{'branchname'};
 }
 }
+
+ my $is_sco_user = 0;
+ if ( $query->param('sco_user_login') && ( $query->param('sco_user_login') eq '1' ) ){
+ $is_sco_user = 1;
+ }
+
 $session->param( 'number', $borrowernumber );
 $session->param( 'id', $userid );
 $session->param( 'cardnumber', $cardnumber );
@@ -1237,6 +1255,7 @@ sub checkauth {
 $session->param( 'shibboleth', $shibSuccess );
 $session->param( 'register_id', $register_id );
 $session->param( 'register_name', $register_name );
+ $session->param( 'sco_user', $is_sco_user );
 $debug and printf STDERR "AUTH_4: (%s)\t%s %s - %s\n", map { $session->param($_) } qw(cardnumber firstname surname branch);
 }
 $session->param('cas_ticket', $cas_ticket) if $cas_ticket;
--
2.39.5
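Review bot: The kick-out condition in get_template_and_user now rests on two distinct signals, but the comment above the `if` still describes only the AutoSelfCheckID case, so the new `$is_sco_user ||` branch reads as unexplained; extend it to `# Kick the user out if this session was opened through the self-checkout login (session flag sco_user), or, for sessions that predate that flag, if the user is the AutoSelfCheckID patron`. A short note next to the `if ($session)` guard would also help: when the id does not resolve to a session, `$is_sco_user` stays undef and the check deliberately falls through to the preference comparison, so that is the intended fallback rather than an error path. The enclosing `if ( $in->{type} eq 'opac' && $user )` block and get_template_and_user itself continue outside the hunk.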
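Review bot: In checkauth the `sco_user` flag is derived only from the client-supplied `sco_user_login` parameter, so the sandbox is exactly as reliable as the form that sends it: a self-checkout login whose request does not carry the parameter (the SCO template is not in this diff, so I cannot confirm it always does) produces a session that is not flagged and is therefore back to the pre-patch AutoSelfCheckID-only behaviour. Consider also deriving the flag server-side from what is being authenticated for — the same `sco/` script or template test that get_template_and_user already applies — and treating the parameter as a hint rather than the sole source of truth. Separately, the condition looks the parameter up twice; `my $is_sco_user = ( ( $query->param('sco_user_login') // '' ) eq '1' ) ? 1 : 0;` expresses the same test in one line. The value is persisted by the later hunk at `$session->param( 'sco_user', $is_sco_user );`, and checkauth begins and ends outside this hunk.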