From 95097d1cc2752715fea099940face25949d3b204 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Thu, 20 Jan 2022 10:10:05 +0100 Subject: [PATCH] Bug 29914: Make check_cookie_auth compare the userid check_cookie_auth is assuming that the user is authenticated if a cookie exists and that the login/username exists in the DB. So basically if you hit the login page, fill the login input with a valid username, click "login" => A cookie will be generated, and the sessions table will contain a line with this session id. On the second hit, if the username is in the DB, it will be enough to be considered authenticated. Signed-off-by: Marcel de Rooy Signed-off-by: Nick Clemens Signed-off-by: Fridolin Somers --- C4/Auth.pm | 15 +++++++++------ Koha/REST/V1/Auth.pm | 7 ++++--- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/C4/Auth.pm b/C4/Auth.pm index 3ed770bb81..6ea03887ca 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -1641,6 +1641,8 @@ Possible return values in C<$status> are: =item "ok" -- user authenticated; C<$sessionID> have valid values. +=item "anon" -- user not authenticated but valid for anonymous session. + =item "failed" -- credentials are not correct; C<$sessionid> are undef =item "maintenance" -- DB is in maintenance mode; no login possible at the moment @@ -1719,18 +1721,19 @@ sub check_cookie_auth { $session->flush; C4::Context->_unset_userenv($sessionID); return ( "restricted", undef, { old_ip => $ip, new_ip => $remote_addr}); - } else { + } elsif ( $userid ) { $session->param( 'lasttime', time() ); my $flags = defined($flagsrequired) ? haspermission( $userid, $flagsrequired ) : 1; if ($flags) { return ( "ok", $session ); - } else { - $session->delete(); - $session->flush; - C4::Context->_unset_userenv($sessionID); - return ( "failed", undef ); } + } else { + return ( "anon", $session ); } + $session->delete(); + $session->flush; + C4::Context->_unset_userenv($sessionID); + return ( "failed", undef ); } else { return ( "expired", undef ); } diff --git a/Koha/REST/V1/Auth.pm b/Koha/REST/V1/Auth.pm index 01eef3375e..7bbf97fc05 100644 --- a/Koha/REST/V1/Auth.pm +++ b/Koha/REST/V1/Auth.pm @@ -223,9 +223,10 @@ sub authenticate_api_request { $cookie, undef, { remote_addr => $remote_addr }); if ($status eq "ok") { - $user = Koha::Patrons->find( $session->param('number') ) - unless $session->param('sessiontype') - and $session->param('sessiontype') eq 'anon'; + $user = Koha::Patrons->find( $session->param('number') ); + $cookie_auth = 1; + } + elsif ($status eq "anon") { $cookie_auth = 1; } elsif ($status eq "maintenance") { -- 2.39.5