[Koha-bugs] [Bug 27305] Use low privileged tokens to enable authenticated iCal feed

bugzilla-daemon at bugs.koha-community.org
Mon Apr 19 09:04:23 CEST 2021


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27305

--- Comment #16 from David Cook <dcook at prosentient.com.au> ---
Created attachment 119833 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=119833&action=edit
Bug 27305: Use low privilege tokens to enable authenticated iCal feed

With the push of Bug 21325, it is no longer possible to authenticate
via a GET request using username and password. While this is an
improvement in security, it does mean that calendars like
Google Calendar cannot consume private iCal feeds from Koha.

This patch allows the autogeneration of unique tokens for users
so that they can access their iCal feeds without their username/password.

These tokens are pre-authenticated in opac-ics.pl and then passed
to C4::Auth::checkauth() via get_template_and_user() for verification
thanks to two very small changes in C4::Auth.

Test plan:
1) Apply patch
2) Upgrade database (koha-upgrade-schema koha-dev)
3) Checkout item to patron (e.g. 39999000001310 to koha patron)
4) Log into /cgi-bin/koha/opac-user.pl
5) Right click iCal and copy link (e.g.
http://localhost:8080/cgi-bin/koha/opac-ics.pl?token=facb63f231ecba45bc70aadedfdd045b)
6) Log out of OPAC
7) Go to iCal link
http://localhost:8080/cgi-bin/koha/opac-ics.pl?token=facb63f231ecba45bc70aadedfdd045b
8) Observe that iCal download is performed
9) Go to OPAC home page (e.g. http://localhost:8080/cgi-bin/koha/opac-main.pl)
10) Note that you are not logged into the OPAC
(FYI this is because opac-ics.pl does not send back a cookie. If it did, then
you would be logged into the OPAC.)
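The scheme the comment describes (a per-patron random token that authorises only the iCal feed, verified on the server and never turned into an OPAC session) can be modelled in a few functions. The following is an added example written for this page; it is not Koha's code (Koha is Perl, this is Python) and not the attached patch. Every name in it (TokenStore, issue_feed_token, authenticate_feed_token, checkauth, handle_request) is hypothetical, and it assumes details the bug report does not state: a 128-bit token rendered as 32 hex characters, only the SHA-256 digest of the token stored server-side, and a token-authenticated request carrying a principal whose only scope is the feed endpoint.

```python
"""Low-privilege feed token, modelled in Python as an added example.

Not Koha's code; names are hypothetical.  Assumptions not stated in the bug
report: 128 random bits shown as 32 hex characters, only the SHA-256 digest
is stored, and a token yields a principal scoped to the iCal feed only.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

ICS_ENDPOINT = "opac-ics.pl"          # the only script that honours feed tokens
HEX = set("0123456789abcdef")


@dataclass
class TokenStore:
    # sha256(token) -> borrowernumber.  Keeping only the digest means a leaked
    # database row does not hand out a working feed URL.
    by_digest: Dict[str, int] = field(default_factory=dict)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def revoke_feed_tokens(store: TokenStore, borrowernumber: int) -> int:
    """Drop every token for a patron (password change, 'regenerate link'); returns the count."""
    stale = [d for d, b in store.by_digest.items() if b == borrowernumber]
    for d in stale:
        del store.by_digest[d]
    return len(stale)


def issue_feed_token(store: TokenStore, borrowernumber: int) -> str:
    """Mint a fresh token for a patron, replacing any older one, and return the
    secret that goes into the calendar client's subscription URL."""
    revoke_feed_tokens(store, borrowernumber)
    token = secrets.token_hex(16)           # 128 bits of CSPRNG output, 32 hex chars
    store.by_digest[_digest(token)] = borrowernumber
    return token


def feed_url(base: str, token: str) -> str:
    return f"{base}/cgi-bin/koha/{ICS_ENDPOINT}?token={token}"


@dataclass
class Principal:
    borrowernumber: int
    scope: str        # "ics" here; a cookie login would carry "session"


def authenticate_feed_token(store: TokenStore, token: Optional[str]) -> Optional[Principal]:
    """Pre-authentication step: map a token to a feed-only principal, or None."""
    if not token or len(token) != 32 or not set(token) <= HEX:
        return None                         # reject malformed input before hashing
    # Dict lookup by digest: even if timing leaked digest bytes, forging a token
    # would still require a SHA-256 preimage, so no constant-time scan is needed.
    borrowernumber = store.by_digest.get(_digest(token))
    if borrowernumber is None:
        return None
    return Principal(borrowernumber, scope="ics")


def checkauth(principal: Optional[Principal], endpoint: str) -> bool:
    """Verification step: an 'ics'-scoped principal is valid for opac-ics.pl only."""
    if principal is None:
        return False
    if principal.scope == "ics":
        return endpoint == ICS_ENDPOINT
    return True


def handle_request(store: TokenStore, endpoint: str, query: Dict[str, str]) -> dict:
    """Dispatch the way the test plan exercises it.  The feed response never sets
    a cookie, which is why step 10 still finds the browser logged out."""
    principal = authenticate_feed_token(store, query.get("token"))
    allowed = checkauth(principal, endpoint)
    if endpoint == ICS_ENDPOINT:
        if not allowed:
            return {"status": 403, "set_cookie": False}
        return {"status": 200, "borrowernumber": principal.borrowernumber, "set_cookie": False}
    # Any other OPAC page: a token in the query string never logs the visitor in.
    return {"status": 200, "logged_in": allowed, "set_cookie": False}
```

Two caveats a deployer should keep in mind with any scheme of this shape: the token travels in the URL, so it will show up in web server logs, proxies and possibly Referer headers, which is why the model stores only a digest and offers revoke_feed_tokens; and because the token is never exchanged for a session, a stolen feed URL exposes the feed only, not the patron account, provided nothing other than the feed script ever honours it.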
