This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, 19.11.x has been updated
via 99a3d1193ebfcb1ae5046bf36d60b1e53f8c2e93 (commit)
via 8d2255bddcdfad75d8b40daf47bb24c0fd13a9ed (commit)
from 3a86cc90816f27c9041fe051a870c0f14276a6fe (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 99a3d1193ebfcb1ae5046bf36d60b1e53f8c2e93
Author: Tomas Cohen Arazi <[email protected]>
Date: Fri Mar 13 12:03:03 2020 -0300
Bug 24862: Handle annonymous sessions gracefuly
This patch introduces code to detect (cookie) annonymous sessions and
act as expected.
Right now, as check_cookie_auth is not passed the required permissions
(because there aren't always required permissions, and the code to check
permissions is shared with other authentication mechanisms) it returns
'ok' and the session id. This use case was overlooked when this was
coded, and yeilds unexpected error codes (500) when the user logs out
and the annonymous session cookie is used to hit the API. The end result
doesn't pose any security issue (i.e. the resource access is rejected)
but the returned error code is not correct and should be fixed.
This patch verifies for an anonymous session (and avoids querying the
corresponding patron) and then verifies if there is an authorization
config on the route and if the patron object is defined.
To test:
1. Apply the tests patch
2. Run:
$ kshell
k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t
=> FAIL: Tests fail, 500 instead of the expected 401
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass!
5. Repeat the original 'steps to reproduce' from the bug report using
the browser
=> SUCCESS: Problem solved!
6. Sign off :-D
Sponsored-by: ByWater Solutions
Signed-off-by: Tomas Cohen Arazi <[email protected]>
Signed-off-by: David Nind <[email protected]>
Signed-off-by: Nick Clemens <[email protected]>
Signed-off-by: Martin Renvoize <[email protected]>
(cherry picked from commit de07356028d5b98af3a7cd7cbae02a7ad6402a43)
Signed-off-by: Aleisha Amohia <[email protected]>
commit 8d2255bddcdfad75d8b40daf47bb24c0fd13a9ed
Author: Tomas Cohen Arazi <[email protected]>
Date: Fri Mar 13 11:44:03 2020 -0300
Bug 24862: Regression tests
This patch introduces tests for the expected behaviour on API routes
that expect a logged in user, but the request is made with an anonymous
session cookie.
To test:
1. Apply this patch
2. Run:
$ kshell
k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t
=> FAIL: Tests fail because the situation is not handled correctly in
the code
Signed-off-by: Tomas Cohen Arazi <[email protected]>
Signed-off-by: David Nind <[email protected]>
Signed-off-by: Martin Renvoize <[email protected]>
(cherry picked from commit 0547ad34dfe01ca7d7660df59e29bc30fdf3cf1d)
Signed-off-by: Aleisha Amohia <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
Koha/REST/V1/Auth.pm | 16 +++++++++++++---
.../api/v1/auth_authenticate_api_request.t | 21 ++++++++++++++++++++-
2 files changed, 33 insertions(+), 4 deletions(-)
hooks/post-receive
--
main Koha release repository
_______________________________________________
koha-commits mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-commits
