http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11824 Bug ID: 11824 Summary: Login to OPAC user from apache http authentication popup Change sponsored?: --- Product: Koha Version: 3.14 Hardware: All OS: All Status: NEW Severity: trivial Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: gmcharlt@gmail.com Reporter: homer.richardson@yahoo.com QA Contact: testopia@bugs.koha-community.org Created attachment 25555 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=25555&action=edit OPAC user sees this when unexpectedly logged into koha from http login If an OPAC user, that is a user with no administrative permissions, exists with the same username and password as an http user, authenticating for http somehow logs in the OPAC user on both the OPAC and the intranet sites. Note that this has not been tested with a user who has any administrative permissions. Environment 3.14.03.000 OS version ('uname -a'): Linux ID13723.example.com 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed Aug 14 16:19:23 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux Perl interpreter: /usr/bin/perl Perl version: 5.014002 Perl @INC: /usr/share/koha/lib /etc/perl /usr/local/lib/perl/5.14.2 /usr/local/share/perl/5.14.2 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.14 /usr/share/perl/5.14 /usr/local/lib/site_perl . MySQL version: mysql Ver 14.14 Distrib 5.5.35, for debian-linux-gnu (x86_64) using readline 6.2 Apache version: Server version: Apache/2.2.22 (Ubuntu) Zebra version: Zebra 2.0.44 To reproduce this bug - Set up apache http authentication for both the OPAC and the intranet using .htaccess as follows (maybe i did it wrong and that is the reason for the bug?): The .htaccess file is in /usr/share/koha/opac/htdocs and also in /usr/share/koha/intranet/htdocs The contents of the .htaccess file are as follows: AuthUserFile /usr/share/koha/.htpasswd AuthName "Password Protected Area" AuthType Basic <limit GET POST> require valid-user </limit> <files .htaccess> Order allow,deny Deny from all </files> <files .htpasswd> Order allow,deny Deny from all </files> - Set up an OPAC user with the same username and password as the apache http user. - Enter into the home page of the OPAC site and when the http login screen pops up, enter the username and password. When the OPAC home page loads you will be logged into the koha account with the same information. - Enter into the home page of the intranet site and when the http login screen pops up, enter the username and password. When the page loads you will be logged into the OPAC koha account. You won't be able to do anything that your OPAC user doesn't have permissions for but you will see Lists, Authorities, and About Koha. If you click on any of them, you will be asked to log in. An attached screenshot shows what a non-administrator OPAC user sees. - Until you log in as a different user, the intranet will continue to show you logged in as the OPAC user even if you log out. That is, if you log out and the return to the home page, it will show you logged in as the user whose credentials match the http user. It's important that this is done on the home page of each site. If you are on another page and logged in as a different user, it initially looks as though you are still logged in as that user. But if you then go to the home page, you will see that you are logged in as the OPAC user as mentioned above. -- You are receiving this mail because: You are watching all bug changes.