[Bug 33815] New: Crash when librarian changes their own username in the staff interface
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 Bug ID: 33815 Summary: Crash when librarian changes their own username in the staff interface Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: major Priority: P5 - low Component: Authentication Assignee: koha-bugs@lists.koha-community.org Reporter: oleonard@myacpl.org QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org, tomascohen@gmail.com I tried in our production system (22.05.11) to change the username on my own account (an account with superlibrarian privileges) and it let to a white page blank except for the text "Internal Server Error." I wasn't able to access any page in Koha until I cleared my browser's cookies. When I test in master I see this error: Can't call method "password_expired" on an undefined value at /kohadevbox/koha/C4/Auth.pm line 1780 I think the problem happens only when you change the username field but you enter your existing password. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 --- Comment #1 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- Created attachment 151609 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=151609&action=edit Bug 33815: Do not explode if logged in user modify their own userid If the logged in librarian modifies their own userid they will get the following error when submitting the form: Can't call method "password_expired" on an undefined value at /kohadevbox/koha/C4/Auth.pm line 1780 We could handle this situation and flag the session as expired. Better would be to deal with this specific user case and update the cookie (?) -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 --- Comment #2 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- Created attachment 151610 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=151610&action=edit Bug 33815: Add a hint on the patron edit form -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 Jonathan Druart <jonathan.druart+koha@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart+koha@gmail. | |com --- Comment #3 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- Is a logout acceptable? -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 --- Comment #4 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- We need tests for the first patch. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Small patch Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #151609|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #151610|0 |1 is obsolete| | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |jonathan.druart+koha@gmail. |ity.org |com -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 --- Comment #5 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 151633 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=151633&action=edit Bug 33815: Regression tests Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 --- Comment #6 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 151634 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=151634&action=edit Bug 33815: Do not explode if logged in user modify their own userid If the logged in librarian modifies their own userid they will get the following error when submitting the form: Can't call method "password_expired" on an undefined value at /kohadevbox/koha/C4/Auth.pm line 1780 We could handle this situation and flag the session as expired. Better would be to deal with this specific user case and update the cookie (?) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 --- Comment #7 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 151635 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=151635&action=edit Bug 33815: Add a hint on the patron edit form -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |rel_23_05_candidate -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |33820 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33820 [Bug 33820] Add hints to warn the librarian that they will be logged out if they change their username -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #151635|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #151633|0 |1 is obsolete| | Attachment #151634|0 |1 is obsolete| | --- Comment #8 from Owen Leonard <oleonard@myacpl.org> --- Created attachment 151642 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=151642&action=edit Bug 33815: Regression tests Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Owen Leonard <oleonard@myacpl.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 --- Comment #9 from Owen Leonard <oleonard@myacpl.org> --- Created attachment 151643 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=151643&action=edit Bug 33815: Do not explode if logged in user modify their own userid If the logged in librarian modifies their own userid they will get the following error when submitting the form: Can't call method "password_expired" on an undefined value at /kohadevbox/koha/C4/Auth.pm line 1780 We could handle this situation and flag the session as expired. Better would be to deal with this specific user case and update the cookie (?) Signed-off-by: Owen Leonard <oleonard@myacpl.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #10 from David Cook <dcook@prosentient.com.au> --- I might have an idea for this one... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 --- Comment #11 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #10)
I might have an idea for this one...
The ID that can't be changed is borrowernumber, so in check_cookie_auth() we should get $patron using $session->param('number') instead of userid/cardnumber; But... the $session will still contain the wrong details. In theory, this same problem applies beyond just userid/id. If the user's details are changed and the session details are used anywhere else, they'll be wrong until they log out and log back in. (Of course, that's not uncommon among many systems.) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 --- Comment #12 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #11)
But... the $session will still contain the wrong details. In theory, this same problem applies beyond just userid/id. If the user's details are changed and the session details are used anywhere else, they'll be wrong until they log out and log back in. (Of course, that's not uncommon among many systems.)
As I suspected, at line 559 of ./members/memberentry.pl there is a C4::Auth::haspermission check that uses C4::Context->userenv->{id} which is populated from the database session which is the wrong value, and that triggers a permission/authorization failure (if you use borrowernumber to find the patron to get through check_cookie_auth). -- This is tricky. I suppose we could update/refresh the session, if we stored "updated_on" in the $session as well, and then checked that against the database at authentication time. That said, for an authenticate related change like userid perhaps it is best to expire the session, as a critical aspect of the user account has been changed. If we stored "updated_on" in the $session, we could also notify users if their user id has been changed. This would probably be easier on the staff interface than the OPAC. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off --- Comment #13 from Owen Leonard <oleonard@myacpl.org> --- I would be in favor of a perfect solution being a later follow-up to a good solution! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 --- Comment #14 from David Cook <dcook@prosentient.com.au> --- (In reply to Owen Leonard from comment #13)
I would be in favor of a perfect solution being a later follow-up to a good solution!
Agreed although I don't know if there is a perfect solution for this one! I'll look at QAing this shortly... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #151642|0 |1 is obsolete| | --- Comment #15 from David Cook <dcook@prosentient.com.au> --- Created attachment 151715 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=151715&action=edit Bug 33815: Regression tests Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: David Cook <dcook@prosentient.com.au> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #151643|0 |1 is obsolete| | --- Comment #16 from David Cook <dcook@prosentient.com.au> --- Created attachment 151716 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=151716&action=edit Bug 33815: Do not explode if logged in user modify their own userid If the logged in librarian modifies their own userid they will get the following error when submitting the form: Can't call method "password_expired" on an undefined value at /kohadevbox/koha/C4/Auth.pm line 1780 We could handle this situation and flag the session as expired. Better would be to deal with this specific user case and update the cookie (?) Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: David Cook <dcook@prosentient.com.au> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)| |23.05.00 released in| | Status|Passed QA |Pushed to master -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 --- Comment #17 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Pushed to master for 23.05. Nice work everyone, thanks! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 Jonathan Druart <jonathan.druart+koha@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|rel_23_05_candidate | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 Laura Escamilla <Laura.escamilla@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |Laura.escamilla@bywatersolu | |tions.com --- Comment #18 from Laura Escamilla <Laura.escamilla@bywatersolutions.com> --- Will this be backported to 22.11.xx? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|23.05.00 |23.05.00,22.11.07 released in| | Status|Pushed to master |Pushed to stable -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 --- Comment #19 from Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> --- Nice work everyone! Pushed to stable for 22.11.x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33815 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |joonas.kylmala@iki.fi --- Comment #20 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- *** Bug 31431 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org