From 6b457885cd325da444d39b031eac567eb0f46351 Mon Sep 17 00:00:00 2001
From: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Date: Fri, 8 Mar 2019 14:20:41 +0000
Subject: [PATCH] Bug 22483: (QA follow-up) Corrections to logic in
 check_cookie_auth

check_cookie_auth needs to allow for cases where we wish to check for
ANY permission and cases where we wish to skip the permissions check
entirely and just authenticate the session.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
---
 C4/Auth.pm           | 8 ++++++--
 Koha/REST/V1/Auth.pm | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index 963584a185..2a3c492011 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -1606,7 +1606,11 @@ sub check_api_auth {
   ($status, $sessionId) = check_api_auth($cookie, $userflags);
 
 Given a CGISESSID cookie set during a previous login to Koha, determine
-if the user has the privileges specified by C<$userflags>.
+if the user has the privileges specified by C<$userflags>. C<$userflags>
+is passed unaltered into C<haspermission> and as such accepts all options
+avaiable to that routine with the one caveat that C<check_api_auth> will
+also allow 'undef' to be passed and in such a case the permissions check
+will be skipped altogether.
 
 C<check_cookie_auth> is meant for authenticating special services
 such as tools/upload-file.pl that are invoked by other pages that
@@ -1701,7 +1705,7 @@ sub check_cookie_auth {
             return ( "expired", undef );
         } else {
             $session->param( 'lasttime', time() );
-            my $flags = haspermission( $userid, $flagsrequired );
+            my $flags = defined($flagsrequired) ? haspermission( $userid, $flagsrequired ) : 1;
             if ($flags) {
                 return ( "ok", $sessionID );
             } else {
diff --git a/Koha/REST/V1/Auth.pm b/Koha/REST/V1/Auth.pm
index 71ef60a277..92cafc22f2 100644
--- a/Koha/REST/V1/Auth.pm
+++ b/Koha/REST/V1/Auth.pm
@@ -189,7 +189,7 @@ sub authenticate_api_request {
         # Manually pass the remote_address to check_auth_cookie
         my $remote_addr = $c->tx->remote_address;
         my ($status, $sessionID) = check_cookie_auth(
-                                                $cookie, '*',
+                                                $cookie, undef,
                                                 { remote_addr => $remote_addr });
         if ($status eq "ok") {
             my $session = get_session($sessionID);
-- 
2.39.2