[Koha-bugs] [Bug 24862] Wrong behaviour on anonymous sessions

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862

Victor Grousset/tuxayo changed:

                   What    |Removed                    |Added
----------------------------------------------------------------------------
                     Status|Pushed to oldstable        |Pushed to oldoldstable
                         CC|                           |vic...@tuxayo.net
     Version(s) released in|20.05.00, 19.11.07         |20.05.00, 19.11.07,
                           |                           |19.05.13

--- Comment #10 from Victor Grousset/tuxayo ---
Backported to 19.05.x branch for 19.05.13

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 24862] Wrong behaviour on anonymous sessions

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862

Aleisha Amohia changed:

                   What    |Removed                    |Added
----------------------------------------------------------------------------
     Version(s) released in|20.05.00                   |20.05.00, 19.11.07
                     Status|Pushed to stable           |Pushed to oldstable

--- Comment #9 from Aleisha Amohia ---
backported to 19.11.x for 19.11.07
[Koha-bugs] [Bug 24862] Wrong behaviour on anonymous sessions

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862

Aleisha Amohia changed:

                   What    |Removed                    |Added
----------------------------------------------------------------------------
                     Status|Pushed to master           |Pushed to stable
                         CC|                           |alei...@catalyst.net.nz
[Koha-bugs] [Bug 24862] Wrong behaviour on anonymous sessions

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862

Tomás Cohen Arazi changed:

                   What    |Removed                    |Added
----------------------------------------------------------------------------
                 QA Contact|                           |n...@bywatersolutions.com
[Koha-bugs] [Bug 24862] Wrong behaviour on anonymous sessions

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862

Tomás Cohen Arazi changed:

                   What    |Removed                    |Added
----------------------------------------------------------------------------
                     Blocks|                           |25045

Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25045
[Bug 25045] Add a way to restrict anonymous access to public routes (OpacPublic behaviour)
[Koha-bugs] [Bug 24862] Wrong behaviour on anonymous sessions

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862

Tomás Cohen Arazi changed:

                   What    |Removed                    |Added
----------------------------------------------------------------------------
                   See Also|                           |https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24861
[Koha-bugs] [Bug 24862] Wrong behaviour on anonymous sessions

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862

Martin Renvoize changed:

                   What    |Removed                    |Added
----------------------------------------------------------------------------
                     Status|Passed QA                  |Pushed to master
     Version(s) released in|                           |20.05.00
[Koha-bugs] [Bug 24862] Wrong behaviour on anonymous sessions

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862

--- Comment #8 from Martin Renvoize ---
Nice work everyone!

Pushed to master for 20.05
[Koha-bugs] [Bug 24862] Wrong behaviour on anonymous sessions

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862

Nick Clemens changed:

                   What    |Removed                    |Added
----------------------------------------------------------------------------
  Attachment #100693 is obsolete|0                     |1

--- Comment #7 from Nick Clemens ---
Created attachment 100735
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=100735&action=edit
Bug 24862: Handle anonymous sessions gracefully

This patch introduces code to detect (cookie) anonymous sessions and
act as expected.

Right now, as check_cookie_auth is not passed the required permissions
(because there aren't always required permissions, and the code to
check permissions is shared with other authentication mechanisms) it
returns 'ok' and the session id. This use case was overlooked when this
was coded, and yields unexpected error codes (500) when the user logs
out and the anonymous session cookie is used to hit the API.

The end result doesn't pose any security issue (i.e. the resource
access is rejected) but the returned error code is not correct and
should be fixed.

This patch verifies for an anonymous session (and avoids querying the
corresponding patron) and then verifies if there is an authorization
config on the route and if the patron object is defined.

To test:
1. Apply the tests patch
2. Run:
   $ kshell
  k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t
=> FAIL: Tests fail, 500 instead of the expected 401
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass!
5. Repeat the original 'steps to reproduce' from the bug report using
   the browser
=> SUCCESS: Problem solved!
6. Sign off :-D

Signed-off-by: Tomas Cohen Arazi
Sponsored-by: ByWater Solutions
Signed-off-by: David Nind
Signed-off-by: Nick Clemens
[Koha-bugs] [Bug 24862] Wrong behaviour on anonymous sessions

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862

Nick Clemens changed:

                   What    |Removed                    |Added
----------------------------------------------------------------------------
  Attachment #100692 is obsolete|0                     |1

--- Comment #6 from Nick Clemens ---
Created attachment 100734
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=100734&action=edit
Bug 24862: Regression tests

This patch introduces tests for the expected behaviour on API routes
that expect a logged in user, but the request is made with an anonymous
session cookie.

To test:
1. Apply this patch
2. Run:
   $ kshell
  k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t
=> FAIL: Tests fail because the situation is not handled correctly in
   the code

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
[Koha-bugs] [Bug 24862] Wrong behaviour on anonymous sessions

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862

Nick Clemens changed:

                   What    |Removed                    |Added
----------------------------------------------------------------------------
                     Status|Signed Off                 |Passed QA
[Koha-bugs] [Bug 24862] Wrong behaviour on anonymous sessions

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862

David Nind changed:

                   What    |Removed                    |Added
----------------------------------------------------------------------------
  Attachment #100684 is obsolete|0                     |1

--- Comment #5 from David Nind ---
Created attachment 100693
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=100693&action=edit
Bug 24862: Handle anonymous sessions gracefully

This patch introduces code to detect (cookie) anonymous sessions and
act as expected.

Right now, as check_cookie_auth is not passed the required permissions
(because there aren't always required permissions, and the code to
check permissions is shared with other authentication mechanisms) it
returns 'ok' and the session id. This use case was overlooked when this
was coded, and yields unexpected error codes (500) when the user logs
out and the anonymous session cookie is used to hit the API.

The end result doesn't pose any security issue (i.e. the resource
access is rejected) but the returned error code is not correct and
should be fixed.

This patch verifies for an anonymous session (and avoids querying the
corresponding patron) and then verifies if there is an authorization
config on the route and if the patron object is defined.

To test:
1. Apply the tests patch
2. Run:
   $ kshell
  k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t
=> FAIL: Tests fail, 500 instead of the expected 401
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass!
5. Repeat the original 'steps to reproduce' from the bug report using
   the browser
=> SUCCESS: Problem solved!
6. Sign off :-D

Signed-off-by: Tomas Cohen Arazi
Sponsored-by: ByWater Solutions
Signed-off-by: David Nind
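The decision flow described in the "Handle anonymous sessions gracefully" commit message (comments #5 and #7) is modelled below as an added example. This is not Koha's code: Koha's implementation is Perl (the REST authentication helper and C4::Auth's check_cookie_auth), and the session store, patron table, `Route` class and the two `authenticate_*` functions here are hypothetical stand-ins. The bug report does not say which exception produced the 500, so the "before" version models it as dereferencing an undefined patron object; the "after" version applies the three checks the commit names: anonymous session detected without a patron lookup, route has an authorization config, patron object defined.

```python
"""Model of Bug 24862: anonymous-session cookie hitting an API route.

Added example, not Koha's code. Names are hypothetical stand-ins.
"""
from dataclasses import dataclass

# Constructed sample session store (sid -> session data). In Koha an
# anonymous OPAC session carries no patron id; modelled here by an
# explicit 'anonymous' flag and a 'number' of 0.
SESSIONS = {
    "sid-logged-in": {"number": 42, "anonymous": False},
    "sid-anonymous": {"number": 0, "anonymous": True},
}

# Constructed sample patron table (borrowernumber -> patron record).
PATRONS = {42: {"borrowernumber": 42, "userid": "alice"}}


@dataclass(frozen=True)
class Route:
    path: str
    requires_auth: bool  # True when the route carries an authorization config


def check_cookie_auth(session_id):
    """Stand-in for check_cookie_auth called WITHOUT required permissions.

    As the commit message explains, in that mode it answers 'ok' plus the
    session id for any valid session, anonymous ones included.
    """
    if session_id in SESSIONS:
        return "ok", session_id
    return "failed", None


def authenticate_before_fix(route, session_id):
    """Buggy flow: trusts 'ok', looks the patron up, and assumes it exists."""
    status, sid = check_cookie_auth(session_id)
    if status != "ok":
        return 401
    patron = PATRONS.get(SESSIONS[sid]["number"])  # None for anonymous
    if route.requires_auth:
        try:
            patron["borrowernumber"]  # undefined patron -> uncaught error
        except TypeError:
            return 500  # the framework turns the exception into a 500
    return 200


def authenticate_after_fix(route, session_id):
    """Fixed flow: detect the anonymous session first, then decide."""
    status, sid = check_cookie_auth(session_id)
    if status != "ok":
        return 401
    session = SESSIONS[sid]
    # Anonymous session: skip the patron query entirely.
    patron = None if session["anonymous"] else PATRONS.get(session["number"])
    # Route needs authorization but no patron is defined: 401, not 500.
    if route.requires_auth and patron is None:
        return 401
    return 200


def status_matrix():
    """Run both flows over the constructed cases; returns {(case): (before, after)}."""
    protected = Route("/api/v1/patrons/42", requires_auth=True)
    public = Route("/api/v1/public/libraries", requires_auth=False)
    cases = {
        ("protected", "sid-anonymous"): (protected, "sid-anonymous"),
        ("protected", "sid-logged-in"): (protected, "sid-logged-in"),
        ("protected", "sid-unknown"): (protected, "sid-unknown"),
        ("public", "sid-anonymous"): (public, "sid-anonymous"),
    }
    return {
        key: (authenticate_before_fix(r, s), authenticate_after_fix(r, s))
        for key, (r, s) in cases.items()
    }


if __name__ == "__main__":
    for (kind, sid), (before, after) in status_matrix().items():
        print(f"{kind:10} {sid:14} before={before} after={after}")
```

Only the anonymous-cookie-on-protected-route case changes (500 before, 401 after); a logged-in session, an unknown session and an anonymous session on a public route return the same status in both flows, which is the regression the accompanying test patch pins down.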
[Koha-bugs] [Bug 24862] Wrong behaviour on anonymous sessions

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862

David Nind changed:

                   What    |Removed                    |Added
----------------------------------------------------------------------------
                     Status|Needs Signoff              |Signed Off
[Koha-bugs] [Bug 24862] Wrong behaviour on anonymous sessions

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862

David Nind changed:

                   What    |Removed                    |Added
----------------------------------------------------------------------------
  Attachment #100683 is obsolete|0                     |1

--- Comment #4 from David Nind ---
Created attachment 100692
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=100692&action=edit
Bug 24862: Regression tests

This patch introduces tests for the expected behaviour on API routes
that expect a logged in user, but the request is made with an anonymous
session cookie.

To test:
1. Apply this patch
2. Run:
   $ kshell
  k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t
=> FAIL: Tests fail because the situation is not handled correctly in
   the code

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
[Koha-bugs] [Bug 24862] Wrong behaviour on anonymous sessions

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862

Tomás Cohen Arazi changed:

                   What    |Removed                    |Added
----------------------------------------------------------------------------
                    Summary|API throws 500 errors for  |Wrong behaviour on
                           |browser after logout       |anonymous sessions
                         CC|                           |agustinmoy...@theke.io