[Koha-bugs] [Bug 36349] Login for SCO/SCI broken by CSRF
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36349

Katrin Fischer changed:

  What        |Removed       |Added
  ------------+--------------+------
  Keywords    |RM_priority   |

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

Fridolin Somers changed:

  What        |Removed            |Added
  ------------+-------------------+------------------------------
  Status      |Pushed to master   |RESOLVED
  CC          |                   |fridolin.som...@biblibre.com
  Resolution  |---                |FIXED

--- Comment #33 from Fridolin Somers ---
Depends on Bug 34478, not in 23.11.x

Bug 36349 depends on bug 36102, which changed state.

Bug 36102 Summary: Protect login forms from CSRF attacks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36102

  What        |Removed            |Added
  ------------+-------------------+----------
  Status      |Pushed to master   |RESOLVED
  Resolution  |---                |FIXED

--- Comment #32 from Katrin Fischer ---
Pushed for 24.05!

Well done everyone, thank you!

Katrin Fischer changed:

  What                    |Removed      |Added
  ------------------------+-------------+-------------------
  Version(s) released in  |             |24.05.00
  Status                  |Passed QA    |Pushed to master

David Cook changed:

  What        |Removed                           |Added
  ------------+----------------------------------+---------------------------
  QA Contact  |testo...@bugs.koha-community.org  |dc...@prosentient.com.au

David Cook changed:

  What        |Removed      |Added
  ------------+-------------+-----------
  Status      |Signed Off   |Passed QA

--- Comment #31 from David Cook ---
I think this was only in Failed QA because of the missing test, so with it added I think we can skip back to Signed Off, and I'll add Passed QA.

It might not be the most elegant solution, but it's the most workable one, and I think workable is what we need right now.

David Cook changed:

  What        |Removed         |Added
  ------------+----------------+------------
  Status      |Needs Signoff   |Signed Off

David Cook changed:

  What                            |Removed   |Added
  --------------------------------+----------+------
  Attachment #164412 is obsolete  |0         |1

--- Comment #30 from David Cook ---
Created attachment 164447
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=164447&action=edit
Bug 36349: Add tests

Signed-off-by: David Cook

David Cook changed:

  What                            |Removed   |Added
  --------------------------------+----------+------
  Attachment #164411 is obsolete  |0         |1

--- Comment #29 from David Cook ---
Created attachment 164446
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=164446&action=edit
Bug 36349: Remove passing CGI params from sco/printslip.pl

Signed-off-by: David Cook

David Cook changed:

  What                            |Removed   |Added
  --------------------------------+----------+------
  Attachment #163553 is obsolete  |0         |1

--- Comment #28 from David Cook ---
Created attachment 164445
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=164445&action=edit
Bug 36349: Fix AutoSelfCheckAllowed

Move the check to C4::Auth.

Yes, it's not nice, I didn't expect to add an exception to this code, and it's adding more ugly code to get_template_and_user, but...

Suggestions welcome!

Signed-off-by: Owen Leonard
Signed-off-by: David Cook

David Cook changed:

  What                            |Removed   |Added
  --------------------------------+----------+------
  Attachment #163552 is obsolete  |0         |1

--- Comment #27 from David Cook ---
Created attachment 16
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=16&action=edit
Bug 36349: Make sure CSRF token is included for all login scenarios

To test:
1 - In KTD visit: http://localhost:8080/cgi-bin/koha/sci/sci-main.pl
2 - Everything should be set for auto self check user etc, just login as a patron
    If not (or not using KTD) setup a self check user, enable SCO and SCI, set self check patron system preferences, then login with patron
3 - 403 Error
4 - Repeat with sco: http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
5 - Apply patch, restart all
6 - Try again, both should be successful

Signed-off-by: Owen Leonard
Signed-off-by: David Cook

--- Comment #26 from Jonathan Druart ---
Good to go now if nothing better is found.

--- Comment #25 from Jonathan Druart ---
Created attachment 164412
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=164412&action=edit
Bug 36349: Add tests

--- Comment #24 from Jonathan Druart ---
Created attachment 164411
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=164411&action=edit
Bug 36349: Remove passing CGI params from sco/printslip.pl

--- Comment #23 from David Cook ---
I need to switch tasks, but let me know what you think. Otherwise, I can QA stamp this tomorrow...

--- Comment #22 from David Cook ---
For completeness, we should remove the AutoSelfCheck stuff from opac/sco/printslip.pl as well, since it's covered by the second patch.

--- Comment #21 from David Cook ---
With the 1st patch, we've got manual log in fixed for /cgi-bin/koha/sco/sco-main.pl

If it's the first session, I can manually log into /cgi-bin/koha/sci/sci-main.pl

(However, if I log into /cgi-bin/koha/sco/sco-main.pl and then log into /cgi-bin/koha/sci/sci-main.pl it doesn't work, as I'm presented with the message "Access denied. Sorry, the system doesn't think you have permission to access this page." It looks like it's because it's doing the "kick_out" since we have $is_sco_user. That's a current system thing so nothing to worry about.)

--

The 2nd patch fixes AutoSelfCheckAllowed, but I can see what Jonathan means about it being ugly.

Something to keep in mind is that we're re-authenticating on every SCO page load, but my bug 34478 commit 8b69d0b4d3e72171d9f2d51234f345405a433c4f actually makes the AutoSelfCheck session persistent, so once we have that authenticated session, we don't really need to re-authenticate.

One option could be to move the AutoSelfCheck auth process into "checkauth".

Another option could be to allow sco-main.pl to do a sort of "preauth" and create its own authenticated session before get_template_and_user() if necessary. (At the moment, this is sort of what we're trying to do by force stuffing the AutoSelfCheck credentials on every load of sco-main.pl.) However, this option would need some tweaks to things like get_template_and_user() and checkauth() to be able to accept a sessionID passed in (instead of just looking at the incoming session cookie).

So I think we could do something a bit smarter when handling our sessions.

--

But... both of those options would take more work. Jonathan has provided something that already appears to work, and we're getting closer to our May release deadline, so I think perhaps we shouldn't make the perfect the enemy of the good.

--- Comment #20 from David Cook ---
Sorry for neglecting this one so long. I'm taking a deeper look at the issue today...

Andrew Fuerste-Henry changed:

  What        |Removed   |Added
  ------------+----------+-------
  Blocks      |          |32256

Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32256
[Bug 32256] Self checkout batch mode

--- Comment #19 from Victor Grousset/tuxayo ---
(In reply to Jonathan Druart from comment #18)
> What you describe is "expected". At least other login forms are affected by
> this and should be reported on its own bug (ie. not only sci/sco).

Ok, no deeper issue, great.

What is the next step? Calling for help on koha-devel to find a cleaner approach? Or going with the current one? In that case I can sign off.

Found nothing else weird after messing around with the forms.

Jonathan Druart changed:

  What        |Removed     |Added
  ------------+------------+---------------
  Status      |Failed QA   |Needs Signoff

--- Comment #18 from Jonathan Druart ---
What you describe is "expected". At least other login forms are affected by this and should be reported on its own bug (ie. not only sci/sco).

--- Comment #17 from Victor Grousset/tuxayo ---
Oops, I thought the confusion was about whether or not both SCI and SCO were affected by the bug. Turns out the patches indeed address both, even if touching opac/sci/sci-main.pl wasn't needed.

---

Anyway, found this while testing:

1. Open both http://localhost:8080/cgi-bin/koha/sci/sci-main.pl and http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
2. Log in and log out from SCI
3. Go back to the SCO tab and try to log in
4. "The form submission failed (Wrong CSRF token). Try to come back, refresh the page, then try again."

That would likely only affect testing scenarios, depending on detailed testing habits about when opening stuff. So not much impact likely. I don't know if the cause of that could still have a wider relevance.

--- Comment #16 from Jonathan Druart ---
(In reply to Victor Grousset/tuxayo from comment #14)
> (In reply to Jonathan Druart from comment #12)
> > (In reply to Nick Clemens from comment #10)
> > > This works, but it doesn't cover the SCI too - separate bug or want to
> > > update the patch?
> >
> > What's broken with SCI?
>
> Login fails too with
> No CSRF token passed for POST http://localhost:8080/opac/sci/sci-main.pl

With the patches?

Victor Grousset/tuxayo changed:

  What        |Removed   |Added
  ------------+----------+-------
  Depends on  |          |36195

Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36195
[Bug 36195] CSRF - testing reports

--- Comment #15 from Victor Grousset/tuxayo ---
I see what is confusing: when logged in the OPAC already (or in staff if it's the same domain), SCI seems to have no issue because it uses the current session.

Victor Grousset/tuxayo changed:

  What        |Removed   |Added
  ------------+----------+-------------------
  CC          |          |vic...@tuxayo.net

--- Comment #14 from Victor Grousset/tuxayo ---
(In reply to Jonathan Druart from comment #12)
> (In reply to Nick Clemens from comment #10)
> > This works, but it doesn't cover the SCI too - separate bug or want to
> > update the patch?
>
> What's broken with SCI?

Login fails too with

No CSRF token passed for POST http://localhost:8080/opac/sci/sci-main.pl

--- Comment #13 from Jonathan Druart ---
(In reply to Marcel de Rooy from comment #11)
> Changes to Auth need tests.

Yes, but first I would like to make sure there is not a better solution, because it smells!

--- Comment #12 from Jonathan Druart ---
(In reply to Nick Clemens from comment #10)
> This works, but it doesn't cover the SCI too - separate bug or want to
> update the patch?

What's broken with SCI?

Marcel de Rooy changed:

  What        |Removed      |Added
  ------------+-------------+----------------------------
  Status      |Signed Off   |Failed QA
  CC          |             |m.de.r...@rijksmuseum.nl

--- Comment #11 from Marcel de Rooy ---
Changes to Auth need tests.

--- Comment #10 from Nick Clemens ---
This works, but it doesn't cover the SCI too - separate bug or want to update the patch?

--- Comment #9 from Owen Leonard ---
Created attachment 163553
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=163553&action=edit
Bug 36349: Fix AutoSelfCheckAllowed

Move the check to C4::Auth.

Yes, it's not nice, I didn't expect to add an exception to this code, and it's adding more ugly code to get_template_and_user, but...

Suggestions welcome!

Signed-off-by: Owen Leonard

Owen Leonard changed:

  What                            |Removed   |Added
  --------------------------------+----------+------
  Attachment #163356 is obsolete  |0         |1
  Attachment #163514 is obsolete  |0         |1

--- Comment #8 from Owen Leonard ---
Created attachment 163552
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=163552&action=edit
Bug 36349: Make sure CSRF token is included for all login scenarios

To test:
1 - In KTD visit: http://localhost:8080/cgi-bin/koha/sci/sci-main.pl
2 - Everything should be set for auto self check user etc, just login as a patron
    If not (or not using KTD) setup a self check user, enable SCO and SCI, set self check patron system preferences, then login with patron
3 - 403 Error
4 - Repeat with sco: http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
5 - Apply patch, restart all
6 - Try again, both should be successful

Signed-off-by: Owen Leonard

Owen Leonard changed:

  What              |Removed         |Added
  ------------------+----------------+--------------
  Status            |Needs Signoff   |Signed Off
  Patch complexity  |---             |Small patch

Jonathan Druart changed:

  What        |Removed                             |Added
  ------------+------------------------------------+----------------------------
  Assignee    |koha-b...@lists.koha-community.org  |jonathan.dru...@gmail.com
  Keywords    |                                    |RM_priority
  Severity    |normal                              |major

--- Comment #7 from Jonathan Druart ---
Still not happy with this new patch, but it seems to restore the feature.

Jonathan Druart changed:

  What                            |Removed   |Added
  --------------------------------+----------+------
  Attachment #163386 is obsolete  |0         |1

--- Comment #6 from Jonathan Druart ---
Created attachment 163514
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=163514&action=edit
Bug 36349: Fix AutoSelfCheckAllowed

Move the check to C4::Auth.

Yes, it's not nice, I didn't expect to add an exception to this code, and it's adding more ugly code to get_template_and_user, but...

Suggestions welcome!

Jonathan Druart changed:

  What        |Removed     |Added
  ------------+------------+---------------
  Status      |Failed QA   |Needs Signoff

--- Comment #5 from Jonathan Druart ---
And logout is broken as well, you cannot finish the user session.

--- Comment #4 from Jonathan Druart ---
Created attachment 163386
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=163386&action=edit
Bug 36349: Fix AutoSelfCheckAllowed

This feels terribly wrong...

Jonathan Druart changed:

  What        |Removed   |Added
  ------------+----------+----------------------------
  CC          |          |jonathan.dru...@gmail.com

--- Comment #3 from Jonathan Druart ---
We have a problem here.

We are removing the credentials (login_userid and login_password from CGI) in get_template_and_user if not a POST (and not op ne 'cud-login').

I am failing at finding a correct fix. Should we actually fix the AutoSelfCheckAllowed behavior in sco-main.pl and deal with the credentials retrieved from the prefs in the controller?
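The rule comment #3 describes (credentials carried in the request are honoured only for a POST whose op is cud-login and whose CSRF token checks out; on any other request they are dropped before authentication) and the exception the patches on this bug then add (auto self-check credentials that come from server-side configuration rather than from the form) can be shown in a few lines. The block below is an added example written for this page; it is not Koha's code and does not reproduce C4::Auth. The HMAC token bound to the session id, SECRET_KEY, the USERS table and the make_request / authenticate / logout helpers are all constructed for the example. It also shows the effect reported in comment #17: a form rendered for one session fails with a wrong-token error once that session has been replaced by a logout in another tab.

```python
"""Added example (not Koha code): CSRF-gated login with a server-side auto-login
exception. Names below (SECRET_KEY, USERS, make_request, authenticate, logout)
are hypothetical and constructed for this example."""
import hashlib
import hmac
import secrets

SECRET_KEY = b"constructed-example-secret"            # per-install secret in real use
USERS = {"koha": "koha", "self_check": "sc-secret"}   # constructed user table


def new_session() -> str:
    """Issue a fresh session id (what the session cookie would carry)."""
    return secrets.token_hex(16)


def csrf_token(session_id: str) -> str:
    """Token bound to one session: HMAC(secret, session_id). A token minted for a
    session that has since been logged out does not verify against the new one."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id: str, token) -> bool:
    return token is not None and hmac.compare_digest(csrf_token(session_id), token)


def make_request(method: str, session_id: str, **params) -> dict:
    """Constructed stand-in for a CGI request: method, session cookie, form params."""
    return {"method": method, "session_id": session_id, "params": params}


def credentials_from_request(request):
    """Returns ('ok', (userid, password)) for a CSRF-valid login POST,
    ('none', None) when the request carries no login attempt, or
    ('csrf_error', None) when a login POST has a missing or wrong token."""
    params = request["params"]
    if request["method"] != "POST" or params.get("op") != "cud-login":
        # GET requests, and POSTs that are not the login op, never authenticate
        # from login_userid / login_password even if those params are present.
        return "none", None
    if not csrf_valid(request["session_id"], params.get("csrf_token")):
        return "csrf_error", None
    return "ok", (params.get("login_userid"), params.get("login_password"))


def authenticate(request, auto_self_check=None):
    """Returns ('logged_in', userid), ('anonymous', None), ('csrf_error', None)
    or ('bad_credentials', None). auto_self_check is an optional (userid, password)
    pair taken from server configuration; it is applied only when the request
    itself carries no login attempt, and it never travels in the request, so the
    stripping above cannot remove it."""
    status, creds = credentials_from_request(request)
    if status == "csrf_error":
        return "csrf_error", None
    if creds is None:
        creds = auto_self_check
    if creds is None:
        return "anonymous", None
    userid, password = creds
    if USERS.get(userid) == password:
        return "logged_in", userid
    return "bad_credentials", None


def logout(session_id: str) -> str:
    """Ending a session issues a new id; tokens minted for the old id are stale."""
    return new_session()


if __name__ == "__main__":
    sid = new_session()
    print(authenticate(make_request("GET", sid, login_userid="koha", login_password="koha")))
    print(authenticate(make_request("POST", sid, op="cud-login", csrf_token=csrf_token(sid),
                                    login_userid="koha", login_password="koha")))
    print(authenticate(make_request("GET", sid), auto_self_check=("self_check", "sc-secret")))
```

The split into credentials_from_request and authenticate is the point of the example: the request-derived path is the only one subject to the method, op and token checks, while the configured auto self-check pair enters after that gate and therefore survives a plain GET of the page. Stuffing those configured credentials into the request parameters, as the thread describes the old code doing, would put them on the wrong side of the gate and get them dropped.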

David Nind changed:

  What        |Removed         |Added
  ------------+----------------+----------------------
  CC          |                |da...@davidnind.com
  Status      |Needs Signoff   |Failed QA

--- Comment #2 from David Nind ---
For the SCO log in (step 3), I have to log in three times - I'm assuming this is not what is expected:

1. Normal log in
2. SCO log in
3. Normal log on --> Then get to check out items

In addition, when using KTD I needed to enable the SelfCheckInModule system preference for step 1.

Tested using both Firefox and Chromium.

David Cook changed:

  What        |Removed   |Added
  ------------+----------+---------------------------
  CC          |          |dc...@prosentient.com.au

Nick Clemens changed:

  What        |Removed   |Added
  ------------+----------+---------------
  Depends on  |          |34478, 36102

Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34478
[Bug 34478] Full CSRF protection
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36102
[Bug 36102] Protect login forms from CSRF attacks

--- Comment #1 from Nick Clemens ---
Created attachment 163356
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=163356&action=edit
Bug 36349: Make sure CSRF token is included for all login scenarios

To test:
1 - In KTD visit: http://localhost:8080/cgi-bin/koha/sci/sci-main.pl
2 - Everything should be set for auto self check user etc, just login as a patron
    If not (or not using KTD) setup a self check user, enable SCO and SCI, set self check patron system preferences, then login with patron
3 - 403 Error
4 - Repeat with sco: http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
5 - Apply patch, restart all
6 - Try again, both should be successful

Nick Clemens changed:

  What        |Removed   |Added
  ------------+----------+---------------
  Status      |NEW       |Needs Signoff