[Bug 31908] New: Context accessed but not always set on mainpage.pl
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 Bug ID: 31908 Summary: Context accessed but not always set on mainpage.pl Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Authentication Assignee: koha-bugs@lists.koha-community.org Reporter: nick@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org To recreate: 1 - Sign in to staff interface as a user without 'catalogue' permission 2 - Get a message that you don't have access 3 - From that page, sign in as an authorised user 4 - Error: Can't use an undefined value as a HASH reference at /kohadevbox/koha/mainpage.pl line 88 I have also seen this error in production when using SSO and signing out of the staff client -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart+koha@gmail. | |com, tomascohen@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 --- Comment #1 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 142361 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=142361&action=edit Bug 31908: Only count local suggestions if there is a userenv -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 --- Comment #2 from Nick Clemens <nick@bywatersolutions.com> --- Hmm..I though maybe we could just fix the front end, but it gets weird Apply patch Sign in as unauthorised user You are not allowed Sign in as authorised user Note username refers to unauthorised user -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |major --- Comment #3 from Nick Clemens <nick@bywatersolutions.com> --- Not moving to security - you must have a vlid users authentication to get in - and accessing any page immediately logs you out again, but this is weird and bad, upping severity -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |nick@bywatersolutions.com |ity.org | Status|NEW |Needs Signoff -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |In Discussion -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=32123 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=30109, | |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=31042 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=32075 CC| |m.de.rooy@rijksmuseum.nl --- Comment #4 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- - my $local_pendingsuggestions_count = $pendingsuggestions->search({ 'me.branchcode' => C4::Context->userenv()->{'branch'} })->count(); + if( C4::Context->userenv() && C4::Context->userenv()->{branch} ){ In this case there should be a userenv. Why it isnt? Reported this too on bug 32075. Weird. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 --- Comment #5 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Nick Clemens from comment #2)
Hmm..I though maybe we could just fix the front end, but it gets weird
Apply patch Sign in as unauthorised user You are not allowed Sign in as authorised user Note username refers to unauthorised user
Without your patch, this triggers: Can't use an undefined value as a HASH reference at /usr/share/koha/mainpage.pl line 88 This brings us closer to finding the cause ! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |32124 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32124 [Bug 32124] [OMNIBUS] Problems with C4::Context->userenv -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 --- Comment #6 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- *** Bug 32075 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 --- Comment #7 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Digging a bit further. With your test plan in mind I tend to not trust these lines in Auth: else { $info{'nopermission'} = 1; C4::Context::_unset_userenv($sessionID); } -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 --- Comment #8 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Apparently not the above. But this seems to work: #if a user enters an id ne to the id in the current session, we need to log them in... #first we need to clear the anonymous session... $anon_search_history = $session->param('search_history'); $session->delete(); $session->flush; $cookie = $cookie_mgr->clear_unless( $query->cookie, @$cookie ); C4::Context::_unset_userenv($sessionID); $sessionID = undef; undef $userid; If we clear $userid here, it will go into the unless($userid) block and get a new session. Note that $userid and $q_userid are not equal here ! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 --- Comment #9 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> ---
From 20.11.x:
#if a user enters an id ne to the id in the current session, we need to log them in... #first we need to clear the anonymous session... $debug and warn "query id = $q_userid but session id = $s_userid"; $anon_search_history = $session->param('search_history'); $session->delete(); $session->flush; C4::Context->_unset_userenv($sessionID); $sessionID = undef; $userid = undef; See former comment too. Note that probably in the 2FA changes, this $userid line got "lost" somewhere. So I propose to reinsert it here. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Small patch Status|In Discussion |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 --- Comment #10 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 143392 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=143392&action=edit Bug 31908: Resolve second login with another userid Somewhere the line undef $userid got removed. We need it to resolve the second login situation. Test plan: Login in staff with user missing privileges. On the login form login again with another staff user. Note that you do no longer crash. Run t/db../Auth.t Run t/db../Koha/Auth/TwoFactorAuth.t Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|nick@bywatersolutions.com |m.de.rooy@rijksmuseum.nl -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #142361|0 |1 is obsolete| | --- Comment #11 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Comment on attachment 142361 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=142361 Bug 31908: Only count local suggestions if there is a userenv This patch should no longer be needed -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Context accessed but not |New login fails while |always set on mainpage.pl |having cookie from previous | |session -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 --- Comment #12 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- You can recreate the problem too by logging into the OPAC with user A, and on another tab login with user B on staff. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 --- Comment #13 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Marcel de Rooy from comment #12)
You can recreate the problem too by logging into the OPAC with user A, and on another tab login with user B on staff.
And if you try to replicate with two OPAC tabs, the second tab will not login but it will logout the first one too. Nice. Resolved with the patch. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |rel_22_11_candidate -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31908 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Group|Koha security | Product|Koha security |Koha Component|Koha |Authentication -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org