From a726a702725a8f6774354a557755a936855f8bfe Mon Sep 17 00:00:00 2001
From: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Date: Tue, 15 Nov 2022 13:53:17 +0000
Subject: [PATCH] Bug 32208: Extend Auth.t

Test plan:
Without follow-up patch, Auth.t should fail:
    not ok 5 - No permission response
    not ok 6 - checkauth returned failure

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
---
 t/db_dependent/Auth.t | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/t/db_dependent/Auth.t b/t/db_dependent/Auth.t
index d26a927cad..d0ef2a60a2 100755
--- a/t/db_dependent/Auth.t
+++ b/t/db_dependent/Auth.t
@@ -153,7 +153,8 @@ subtest 'checkauth() tests' => sub {
     };
 
     subtest 'While still logged in, relogin with another user' => sub {
-        plan tests => 4;
+        plan tests => 6;
+
         my $patron = $builder->build_object({ class => 'Koha::Patrons', value => {} });
         my $patron2 = $builder->build_object({ class => 'Koha::Patrons', value => {} });
         # Create 'former' session
@@ -179,12 +180,11 @@ subtest 'checkauth() tests' => sub {
         $cgi->param( -name => 'userid',             -value => $patron2->userid );
         $cgi->param( -name => 'password',           -value => $password );
         $cgi->param( -name => 'koha_login_context', -value => 1 );
-        my @return;
+        my ( @return, $stdout );
         {
             local *STDOUT;
             local %ENV;
             $ENV{REMOTE_ADDR} = '1.2.3.4';
-            my $stdout;
             open STDOUT, '>', \$stdout;
             @return = C4::Auth::checkauth( $cgi, 0, {} );
             close STDOUT;
@@ -193,6 +193,29 @@ subtest 'checkauth() tests' => sub {
         is( $return[0], $patron2->userid, 'Login of patron2 approved' );
         isnt( $return[2], $sessionID, 'Did not return previous session ID' );
         ok( $return[2], 'New session ID not empty' );
+
+        # Similar situation: Relogin with former session of $patron, new user $patron2 has no permissions
+        $patron2->flags(undef)->store;
+        $session->param( 'number',       $patron->id );
+        $session->param( 'id',           $patron->userid );
+        $session->param( 'interface',    'intranet' );
+        $session->flush;
+        $sessionID = $session->id;
+        C4::Context->_new_userenv($sessionID);
+        $cgi->param( -name => 'userid',             -value => $patron2->userid );
+        $cgi->param( -name => 'password',           -value => $password );
+        $cgi->param( -name => 'koha_login_context', -value => 1 );
+        {
+            local *STDOUT;
+            local %ENV;
+            $ENV{REMOTE_ADDR} = '1.2.3.4';
+            $stdout = q{};
+            open STDOUT, '>', \$stdout;
+            @return = C4::Auth::checkauth( $cgi, 0, { catalogue => 1 }, 'intranet' ); # patron2 has no catalogue perm
+            close STDOUT;
+        }
+        like( $stdout, qr/You do not have permission to access this page/, 'No permission response' );
+        is( @return, 0, 'checkauth returned failure' );
     };
 
     subtest 'Two-factor authentication' => sub {
-- 
2.39.5