[Koha-bugs] [Bug 24862] REST API throws 500 errors for browser after logout
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Fri Mar 13 16:14:00 CET 2020
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862
--- Comment #3 from Tomás Cohen Arazi <tomascohen at gmail.com> ---
Created attachment 100684
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=100684&action=edit
Bug 24862: Handle annonymous sessions gracefuly
This patch introduces code to detect (cookie) annonymous sessions and
act as expected.
Right now, as check_cookie_auth is not passed the required permissions
(because there aren't always required permissions, and the code to check
permissions is shared with other authentication mechanisms) it returns
'ok' and the session id. This use case was overlooked when this was
coded, and yeilds unexpected error codes (500) when the user logs out
and the annonymous session cookie is used to hit the API. The end result
doesn't pose any security issue (i.e. the resource access is rejected)
but the returned error code is not correct and should be fixed.
This patch verifies for an anonymous session (and avoids querying the
corresponding patron) and then verifies if there is an authorization
config on the route and if the patron object is defined.
To test:
1. Apply the tests patch
2. Run:
$ kshell
k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t
=> FAIL: Tests fail, 500 instead of the expected 401
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass!
5. Repeat the original 'steps to reproduce' from the bug report using
the browser
=> SUCCESS: Problem solved!
6. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
Sponsored-by: ByWater Solutions
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list