https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27305 --- Comment #16 from David Cook <dcook@prosentient.com.au> --- Created attachment 119833 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=119833&action=edit Bug 27305: Use low privilege tokens to enable authenticated iCal feed With the push of Bug 21325, it is no longer possible to authenticate via a GET request using username and password. While this is an improvement in security, it does mean that calendars like Google Calendar cannot consume private iCal feeds from Koha. This patch allows the autogeneration of unique tokens for users so that they can access their iCal feeds without their username/password. These tokens are pre-authenticated in opac-ics.pl and then passed to C4::Auth::checkauth() via get_template_and_user() for verification thanks to two very small changes in C4::Auth. Test plan: 1) Apply patch 2) Upgrade database (koha-upgrade-schema koha-dev) 3) Checkout item to patron (e.g. 39999000001310 to koha patron) 4) Log into /cgi-bin/koha/opac-user.pl 5) Right click iCal and copy link (e.g. http://localhost:8080/cgi-bin/koha/opac-ics.pl?token=facb63f231ecba45bc70aad...) 6) Log out of OPAC 7) Go to iCal link http://localhost:8080/cgi-bin/koha/opac-ics.pl?token=facb63f231ecba45bc70aad... 8) Observe that iCal download is performed 9) Go to OPAC home page (e.g. http://localhost:8080/cgi-bin/koha/opac-main.pl) 10) Note that you are not logged into the OPAC (FYI this is because opac-ics.pl does not send back a cookie. If it did, then you would be logged into the OPAC.) -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.