[Koha-bugs] [Bug 11824] New: Login to OPAC user from apache http authentication popup
bugzilla-daemon at bugs.koha-community.org
Fri Feb 21 23:37:09 CET 2014
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11824
Bug ID: 11824
Summary: Login to OPAC user from apache http authentication popup
Change sponsored?: ---
Product: Koha
Version: 3.14
Hardware: All
OS: All
Status: NEW
Severity: trivial
Priority: P5 - low
Component: Architecture, internals, and plumbing
Assignee: gmcharlt at gmail.com
Reporter: homer.richardson at yahoo.com
QA Contact: testopia at bugs.koha-community.org
Created attachment 25555 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=25555&action=edit
OPAC user sees this when unexpectedly logged into koha from http login
If an OPAC user, that is a user with no administrative permissions, exists with
the same username and password as an http user, authenticating for http somehow
logs in the OPAC user on both the OPAC and the intranet sites. Note that this
has not been tested with a user who has any administrative permissions.
Environment
3.14.03.000
OS version ('uname -a'): Linux ID13723.example.com 3.8.0-29-generic
#42~precise1-Ubuntu SMP Wed Aug 14 16:19:23 UTC 2013 x86_64 x86_64 x86_64
GNU/Linux
Perl interpreter: /usr/bin/perl
Perl version: 5.014002
Perl @INC: /usr/share/koha/lib
/etc/perl
/usr/local/lib/perl/5.14.2
/usr/local/share/perl/5.14.2
/usr/lib/perl5
/usr/share/perl5
/usr/lib/perl/5.14
/usr/share/perl/5.14
/usr/local/lib/site_perl
.
MySQL version: mysql Ver 14.14 Distrib 5.5.35, for debian-linux-gnu
(x86_64) using readline 6.2
Apache version: Server version: Apache/2.2.22 (Ubuntu)
Zebra version: Zebra 2.0.44
To reproduce this bug
- Set up apache http authentication for both the OPAC and the intranet using
.htaccess as follows (maybe I did it wrong and that is the reason for the
bug?):
The .htaccess file is in /usr/share/koha/opac/htdocs
and also in /usr/share/koha/intranet/htdocs
The contents of the .htaccess file are as follows:
    AuthUserFile /usr/share/koha/.htpasswd
    AuthName "Password Protected Area"
    AuthType Basic
    <limit GET POST>
        require valid-user
    </limit>
    <files .htaccess>
        Order allow,deny
        Deny from all
    </files>
    <files .htpasswd>
        Order allow,deny
        Deny from all
    </files>
- Set up an OPAC user with the same username and password as the apache http
user.
- Enter into the home page of the OPAC site and when the http login screen pops
up, enter the username and password. When the OPAC home page loads you will be
logged into the koha account with the same information.
- Enter into the home page of the intranet site and when the http login screen
pops up, enter the username and password. When the page loads you will be
logged into the OPAC koha account. You won't be able to do anything that your
OPAC user doesn't have permissions for but you will see Lists, Authorities, and
About Koha. If you click on any of them, you will be asked to log in. An
attached screenshot shows what a non-administrator OPAC user sees.
- Until you log in as a different user, the intranet will continue to show you
logged in as the OPAC user even if you log out. That is, if you log out and
then return to the home page, it will show you logged in as the user whose
credentials match the http user.
It's important that this is done on the home page of each site. If you are on
another page and logged in as a different user, it initially looks as though
you are still logged in as that user. But if you then go to the home page, you
will see that you are logged in as the OPAC user as mentioned above.
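Added example, not part of the original report or of Koha's own code: a Python check an administrator could run to list usernames that appear both in the .htpasswd file and among Koha userids, since the report ties the behaviour to an HTTP user and an OPAC user sharing credentials. The sample entries and userids are constructed, the function names are hypothetical, and having the Koha userids exported to a list beforehand is an assumption.

```python
# Added example: find usernames shared between an Apache htpasswd file and a
# list of Koha userids. Stored passwords are hashed, so only usernames can be
# compared; a match marks an account to review, not proof of a shared password.

def hash_scheme(hashed):
    """Classify an htpasswd password field by its well-known prefix."""
    if hashed.startswith("$apr1$"):
        return "apr1-md5"
    if hashed.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if hashed.startswith("{SHA}"):
        return "sha1"
    return "crypt-or-plain"

def parse_htpasswd(text):
    """Return {username: hash_scheme}; skips blanks, comments, malformed lines."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, hashed = line.split(":", 1)
        users[name] = hash_scheme(hashed)
    return users

def shared_accounts(htpasswd_text, koha_userids):
    """Sorted (username, scheme) pairs present in both sources (exact match)."""
    http_users = parse_htpasswd(htpasswd_text)
    koha = {u.strip() for u in koha_userids if u and u.strip()}
    return sorted((n, s) for n, s in http_users.items() if n in koha)

# Constructed sample input: these are not real hashes or real accounts.
SAMPLE_HTPASSWD = """\
# constructed entries for illustration
gatekeeper:$apr1$constructed$notARealHashValue00000
jsmith:{SHA}constructedNotARealDigest=
"""
SAMPLE_KOHA_USERIDS = ["jsmith", "mlopez", "koha_admin"]

if __name__ == "__main__":
    for name, scheme in shared_accounts(SAMPLE_HTPASSWD, SAMPLE_KOHA_USERIDS):
        print(f"review: '{name}' exists in both htpasswd ({scheme}) and Koha")
```

Using distinct names for the HTTP gate account and for Koha accounts removes the precondition the report describes.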