[Koha-bugs] [Bug 33815] Crash when librarian changes their own username in the staff interface

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu May 25 02:44:37 CEST 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815

--- Comment #12 from David Cook <dcook at prosentient.com.au> ---
(In reply to David Cook from comment #11)
> But... the $session will still contain the wrong details. In theory, this
> same problem applies beyond just userid/id. If the user's details are
> changed and the session details are used anywhere else, they'll be wrong
> until they log out and log back in. (Of course, that's not uncommon among
> many systems.)

As I suspected, at line 559 of ./members/memberentry.pl there is a
C4::Auth::haspermission check that uses C4::Context->userenv->{id} which is
populated from the database session which is the wrong value, and that triggers
a permission/authorization failure (if you use borrowernumber to find the
patron to get through check_cookie_auth).

--

This is tricky. 

I suppose we could update/refresh the session, if we stored "updated_on" in the
$session as well, and then checked that against the database at authentication
time.

That said, for an authentication-related change like userid perhaps it is best to
expire the session, as a critical aspect of the user account has been changed.

If we stored "updated_on" in the $session, we could also notify users if their
user id has been changed. This would probably be easier on the staff interface
than the OPAC.

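The "store updated_on in the session and check it at authentication time" idea from the comment above, written out as an added illustration. This is not Koha's code: the `%borrowers` hash is a constructed in-memory stand-in for the borrowers table, the patron row, timestamps and the `login`, `check_session` and `update_borrower` subroutines are all hypothetical, and the policy (refresh the session copy for ordinary detail edits, expire it when the userid changes) is the one the comment proposes rather than anything Koha currently does.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the borrowers table, keyed by borrowernumber.
# Hypothetical data; not Koha's schema or API.
my %borrowers = (
    42 => { userid => 'librarian1', surname => 'Smith',
            updated_on => '2023-05-25 02:00:00' },
);

# Monotonic fake clock so every update gets a distinct updated_on.
my $tick = 0;
sub now { return sprintf '2023-05-25 02:%02d:00', 10 + ++$tick }

# Build the session at login: identity fields plus a snapshot of
# updated_on, so later requests can tell whether the row has changed.
sub login {
    my ($borrowernumber) = @_;
    my $row = $borrowers{$borrowernumber} or return;
    return {
        number     => $borrowernumber,
        id         => $row->{userid},
        surname    => $row->{surname},
        updated_on => $row->{updated_on},
    };
}

# Re-validate an existing session against the database.
# Returns (1, $reason) when the session may continue (possibly refreshed)
# and (0, $reason) when it must be expired.
sub check_session {
    my ($session) = @_;
    my $row = $borrowers{ $session->{number} }
        or return (0, 'patron no longer exists');

    # Cheap path: the row has not changed since the snapshot was taken.
    return (1, 'unchanged') if $row->{updated_on} eq $session->{updated_on};

    # A changed userid is a credential change: expire rather than refresh,
    # as the comment suggests for authentication-related edits.
    return (0, 'userid changed since login')
        if $row->{userid} ne $session->{id};

    # Any other detail changed (e.g. surname): refresh the session copies
    # so code reading userenv no longer sees stale values.
    $session->{surname}    = $row->{surname};
    $session->{updated_on} = $row->{updated_on};
    return (1, 'refreshed');
}

# Simulate the edit that the patron form performs on the row.
sub update_borrower {
    my ($borrowernumber, %changes) = @_;
    my $row = $borrowers{$borrowernumber} or return;
    $row->{$_} = $changes{$_} for keys %changes;
    $row->{updated_on} = now();
    return $row;
}

# Walk-through of the three cases.
my $session = login(42);
printf "after login:        ok=%d (%s)\n", check_session($session);

update_borrower(42, surname => 'Jones');
printf "after surname edit: ok=%d (%s)\n", check_session($session);

update_borrower(42, userid => 'librarian1_new');
printf "after userid edit:  ok=%d (%s)\n", check_session($session);
```

The comparison is an exact string equality on `updated_on` rather than a "newer than" test, so any change to the row (including one that sets an earlier timestamp) forces re-validation; the cost on the common path is one indexed lookup per request, which is what the database-backed session already pays.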