https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815
--- Comment #12 from David Cook <[email protected]> ---
(In reply to David Cook from comment #11)
> But... the $session will still contain the wrong details. In theory, this
> same problem applies beyond just userid/id. If the user's details are
> changed and the session details are used anywhere else, they'll be wrong
> until they log out and log back in. (Of course, that's not uncommon among
> many systems.)

As I suspected, at line 559 of ./members/memberentry.pl there is a C4::Auth::haspermission check that uses C4::Context->userenv->{id}, which is populated from the database session, which is the wrong value, and that triggers a permission/authorization failure (if you use borrowernumber to find the patron to get through check_cookie_auth).

--

This is tricky. I suppose we could update/refresh the session, if we stored "updated_on" in the $session as well, and then checked that against the database at authentication time.

That said, for an authentication-related change like userid perhaps it is best to expire the session, as a critical aspect of the user account has been changed.

If we stored "updated_on" in the $session, we could also notify users if their user id has been changed. This would probably be easier on the staff interface than the OPAC.
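The session check proposed in the comment above, as an added Perl sketch that is not Koha code and not part of the original message: the session keeps a copy of the patron's "updated_on" and compares it with the database on each request. The `%patrons` hash stands in for the patron table, and `new_session`, `validate_session` and the session keys `number`, `id` and `updated_on` are hypothetical names chosen for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the patron table (sample data, not Koha's schema).
my %patrons = (
    51 => { userid => 'jsmith', updated_on => '2023-05-24 10:00:00' },
);

# At login, snapshot the identity fields together with updated_on.
sub new_session {
    my ($borrowernumber) = @_;
    my $p = $patrons{$borrowernumber} or return;
    return { number => $borrowernumber, id => $p->{userid},
             updated_on => $p->{updated_on} };
}

# On every request: returns (status, session), status is ok|refreshed|expired.
sub validate_session {
    my ($session) = @_;
    my $p = $patrons{ $session->{number} };
    return ( 'expired', undef ) unless $p;    # patron no longer exists
    return ( 'ok', $session ) if $p->{updated_on} eq $session->{updated_on};

    # The record changed after login. A changed userid is an
    # authentication-related change, so the session is expired outright
    # instead of being patched up.
    return ( 'expired', undef ) if $p->{userid} ne $session->{id};

    # Any other change: refresh the snapshot so later checks see current data.
    $session->{updated_on} = $p->{updated_on};
    return ( 'refreshed', $session );
}

my $session = new_session(51);
my ($status) = validate_session($session);
print "unchanged record: $status\n";          # ok

# A non-identity detail is edited; only updated_on moves.
$patrons{51}{updated_on} = '2023-05-24 11:00:00';
($status) = validate_session($session);
print "other detail changed: $status\n";      # refreshed

# The userid is changed while the session is still live.
$patrons{51}{userid}     = 'john.smith';
$patrons{51}{updated_on} = '2023-05-24 12:00:00';
($status) = validate_session($session);
print "userid changed: $status\n";            # expired
```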
