[Bug 18442] New: Permission error when logging into staff interface as db user


[Bug 18442] New: Permission error when logging into staff interface as db user

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

            Bug ID: 18442
           Summary: Permission error when logging into staff interface as
                    db user
 Change sponsored?: ---
           Product: Koha
           Version: 17.05
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P5 - low
         Component: Authentication
          Assignee: [hidden email]
          Reporter: [hidden email]
        QA Contact: [hidden email]
                CC: [hidden email]

After a user has gone through the installer and is logging in for the first
time, when they enter the db user credentials it throws an error saying 'Error:
You do not have permission to access this page'.

If you try entering the db user's credentials a second time, you can
log in successfully and the staff interface will appear.

Similarly, if once in the staff interface you log out and then try logging back in
again with the db user, you get the 'Error: You do not have permission to
access this page' error no matter how many times you try to log in.
However, if you open the URL in a new tab the staff interface appears.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

[Bug 18442] Permission error when logging into staff interface as db user

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

Chris Cormack <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]
            Version|17.05                       |16.11

--- Comment #1 from Chris Cormack <[hidden email]> ---
I've had this occur on 16.11 also.


[Bug 18442] Permission error when logging into staff interface as db user

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

Alex Buckley <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED


[Bug 18442] Permission error when logging into staff interface as db user

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

--- Comment #2 from Alex Buckley <[hidden email]> ---
Created attachment 62423
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62423&action=edit
Bug 18442 - Implemented assignment of the $userid variable before the
haspermission call so that a defined $userid with a value is being passed to
the haspermission() method.

Previously the $userid variable was undefined when it was handed to the
haspermission() method, and this was causing 'Error: You do not have
permission to access this page' errors when logging into the staff
interface as the database user. However, if you viewed the URL in a new tab
you could view the staff interface.

Test plan:
1. Drop and recreate your db

2. Clear memcached

3. Go through the installer (to speed up this test plan, install all
sample data so you don't have to create libraries, patron categories etc. later)

4. On the installer page log in as the database user and notice that it
does not work on the first attempt (you get 'Error: You do not have
permission to access this page')

5. Try logging in as the database user a second time and notice you are
logged in successfully this time

6. In the staff interface create a patron account with superlibrarian permissions

7. Log out of the staff interface

8. Log in as the database user

9. Notice you can't log in. You get the 'Error: You do not have permission to
access this page' error

10. Try a second attempt and notice you get the same error

11. Open the URL in a new tab and notice the staff interface appears,
showing that you are logged in

12. Log out and log back in as the superlibrarian user you created and
notice it works on the first login attempt

13. Apply patch

14. Log out and try logging back in as the database user and notice that you
can log in successfully on the first attempt

15. Repeat steps 1, 2, 3 and log in as the database user and notice the login
works on the first attempt


[Bug 18442] Permission error when logging into staff interface as db user

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

Alex Buckley <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |Needs Signoff


[Bug 18442] Permission error when logging into staff interface as db user

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

--- Comment #3 from Alex Buckley <[hidden email]> ---
This patch does not undo the security bug fixes of bug 18275
(opac-memberentry.pl security vulnerabilities) because all tests in the unit
test t/db_dependent/Auth.t run successfully with this patch applied.

See test output below:

kohadev-koha@kohadevbox:/home/vagrant/kohaclone/t/db_dependent$ prove Auth.t
Auth.t .. ok    
All tests successful.
Files=1, Tests=21,  3 wallclock secs ( 0.03 usr  0.00 sys +  2.12 cusr  0.08
csys =  2.23 CPU)
Result: PASS
kohadev-koha@kohadevbox:/home/vagrant/kohaclone/t/db_dependent$


[Bug 18442] Permission error when logging into staff interface as db user

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

Marc Véron <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #62423|0                           |1
        is obsolete|                            |

--- Comment #4 from Marc Véron <[hidden email]> ---
Created attachment 62448
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62448&action=edit
Bug 18442 - Implemented assignment of the $userid variable before the
haspermission call so that a defined $userid with a value is being passed to
the haspermission() method.

Previously the $userid variable was undefined when it was handed to the
haspermission() method, and this was causing 'Error: You do not have
permission to access this page' errors when logging into the staff
interface as the database user. However, if you viewed the URL in a new tab
you could view the staff interface.

Test plan:
1. Drop and recreate your db

2. Clear memcached

3. Go through the installer (to speed up this test plan, install all
sample data so you don't have to create libraries, patron categories etc. later)

4. On the installer page log in as the database user and notice that it
does not work on the first attempt (you get 'Error: You do not have
permission to access this page')

5. Try logging in as the database user a second time and notice you are
logged in successfully this time

6. In the staff interface create a patron account with superlibrarian permissions

7. Log out of the staff interface

8. Log in as the database user

9. Notice you can't log in. You get the 'Error: You do not have permission to
access this page' error

10. Try a second attempt and notice you get the same error

11. Open the URL in a new tab and notice the staff interface appears,
showing that you are logged in

12. Log out and log back in as the superlibrarian user you created and
notice it works on the first login attempt

13. Apply patch

14. Log out and try logging back in as the database user and notice that you
can log in successfully on the first attempt

15. Repeat steps 1, 2, 3 and log in as the database user and notice the login
works on the first attempt

Followed test plan, works as expected.
Signed-off-by: Marc Véron <[hidden email]>


[Bug 18442] Permission error when logging into staff interface as db user

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

Marc Véron <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Signoff               |Signed Off
                 CC|                            |[hidden email]


[Bug 18442] Permission error when logging into staff interface as db user

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

Jonathan Druart <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|[hidden email]          |[hidden email]
                 CC|                            |[hidden email]-c
                   |                            |ommunity.org


[Bug 18442] Permission error when logging into staff interface as db user

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

Jonathan Druart <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |18275

--- Comment #5 from Jonathan Druart <[hidden email]> ---
Introduced by bug 18275.


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18275
[Bug 18275] opac-memberentry.pl security vulnerabilities

[Bug 18442] Permission error when logging into staff interface as db user

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

Marcel de Rooy <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #6 from Marcel de Rooy <[hidden email]> ---
Version should be master?


[Bug 18442] Permission error when logging into staff interface as db user

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

Jonathan Druart <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|major                       |critical
            Version|16.11                       |unspecified
                 CC|                            |[hidden email],
                   |                            |martin.renvoize@ptfs-europe
                   |                            |.com, [hidden email]

--- Comment #7 from Jonathan Druart <[hidden email]> ---
I had more or less the same fix, but it was:

  $userid ||= $q_userid if $return == 2;

It makes things safer, I *think*, because it will only affect behaviour for the DB
user ($return == 2).
On the other hand it does not really make sense, because if $return == 2,
$userid should not be set.
So maybe just
  $userid ||= $q_userid;
could be enough.
And especially it will not erase $userid if one of the checkpw calls returns a
userid different than the one we passed (possible??).

Martin? Tomas? Kyle?


[Bug 18442] Permission error when logging into staff interface as db user

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

Jonathan Druart <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|[hidden email]     |[hidden email]


[Bug 18442] Permission error when logging into staff interface as db user

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

--- Comment #8 from Alex Buckley <[hidden email]> ---
Ah yup, would you like me to implement:  $userid ||= $q_userid;


[Bug 18442] Permission error when logging into staff interface as db user

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

--- Comment #9 from Jonathan Druart <[hidden email]> ---
(In reply to Alex Buckley from comment #8)
> Ah yup would you like me to implement:  $userid ||= $q_userid;

I'd love only 1 patch and avoid follow-up, not to make git log (more)
complicated.


[Bug 18442] Permission error when logging into staff interface as db user

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

Alex Buckley <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #62448|0                           |1
        is obsolete|                            |


[Bug 18442] Permission error when logging into staff interface as db user

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

--- Comment #10 from Alex Buckley <[hidden email]> ---
Created attachment 62567
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62567&action=edit
Bug 18442 - Implemented assignment of the $userid variable before the
haspermission call so that a defined $userid with a value is being passed to
the haspermission() method.

Previously the $userid variable was undefined when it was handed to the
haspermission() method, and this was causing 'Error: You do not have
permission to access this page' errors when logging into the staff
interface as the database user. However, if you viewed the URL in a new tab
you could view the staff interface.

Test plan:
1. Drop and recreate your db

2. Clear memcached

3. Go through the installer (to speed up this test plan, install all
sample data so you don't have to create libraries, patron categories etc. later)

4. On the installer page log in as the database user and notice that it
does not work on the first attempt (you get 'Error: You do not have
permission to access this page')

5. Try logging in as the database user a second time and notice you are
logged in successfully this time

6. In the staff interface create a patron account with superlibrarian permissions

7. Log out of the staff interface

8. Log in as the database user

9. Notice you can't log in. You get the 'Error: You do not have permission to
access this page' error

10. Try a second attempt and notice you get the same error

11. Open the URL in a new tab and notice the staff interface appears,
showing that you are logged in

12. Log out and log back in as the superlibrarian user you created and
notice it works on the first login attempt

13. Apply patch

14. Log out and try logging back in as the database user and notice that you
can log in successfully on the first attempt

15. Repeat steps 1, 2, 3 and log in as the database user and notice the login
works on the first attempt

Followed test plan, works as expected.
Signed-off-by: Marc Véron <[hidden email]>


[Bug 18442] Permission error when logging into staff interface as db user

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

--- Comment #11 from Alex Buckley <[hidden email]> ---
(In reply to Jonathan Druart in comment 9)

Hi Jonathan

I have added your suggested alteration in my patch so now we just have a single
patch attached to this bug report rather than a followup patch.

I have run Auth.t again and all tests run successfully as this test output
shows:

kohadev-koha@kohadevbox:/home/vagrant/kohaclone/t/db_dependent$ prove Auth.t
Auth.t .. ok    
All tests successful.
Files=1, Tests=21,  3 wallclock secs ( 0.03 usr  0.00 sys +  2.33 cusr  0.11
csys =  2.47 CPU)
Result: PASS
kohadev-koha@kohadevbox:/home/vagrant/kohaclone/t/db_dependent$ exit
exit


[Bug 18442] Permission error when logging into staff interface as db user

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18442

--- Comment #12 from Jonathan Druart <[hidden email]> ---
The patch is ok to me.
I'd like an opinion about

    $userid ||= $q_userid;

vs

  $userid ||= $q_userid if $return == 2;

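The two variants compared in comments #7 and #12 differ only in the `$return == 2` guard. The following Perl script is an added example, not Koha's code and not the attached patch: it models checkpw() and haspermission() with constructed stand-ins (the borrower 'jsmith', the database user name 'koha_db_user' and the case-folding lookup are all invented for the demonstration; passwords are not checked) and runs the login path under four resolvers. It shows why an undefined $userid produced the permission error for the database user, that both proposed `||=` fixes repair it, and that, because `||=` only assigns when $userid is empty, neither overwrites a userid that checkpw returned, which a plain `$userid = $q_userid` would do.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed data for the demonstration (not Koha's real configuration).
my $db_user   = 'koha_db_user';
my %borrowers = (
    jsmith => { cardnumber => '23529000035676', userid => 'jsmith',
                flags => { superlibrarian => 1 } },
);

# Stand-in for C4::Auth::checkpw, returning ($return, $cardnumber, $userid).
# Return code 2 models the database user, for which no cardnumber or userid
# comes back; code 1 models a borrower whose canonical userid is read from the
# borrowers table (here via a case-folding lookup, so 'JSmith' yields 'jsmith').
sub checkpw {
    my ($q_userid) = @_;
    return ( 2, undef, undef ) if $q_userid eq $db_user;
    if ( my $b = $borrowers{ lc $q_userid } ) {
        return ( 1, $b->{cardnumber}, $b->{userid} );
    }
    return ( 0, undef, undef );
}

# Stand-in for C4::Auth::haspermission: an undefined userid never satisfies a
# flag check, which is what surfaced as the "You do not have permission" error.
sub haspermission {
    my ( $userid, $flagsrequired ) = @_;
    return 0 unless defined $userid;
    return 1 if $userid eq $db_user;      # DB user bypasses flag checks in this model
    my $b = $borrowers{$userid} or return 0;
    for my $flag ( keys %$flagsrequired ) {
        return 0 unless $b->{flags}{$flag};
    }
    return 1;
}

# Ways of filling in $userid after checkpw; each receives ($return, $userid, $q_userid).
my %resolvers = (
    'no fix'      => sub { $_[1] },                                    # behaviour before the patch
    'guarded fix' => sub { my ( $r, $u, $q ) = @_; $u ||= $q if $r == 2; $u },
    'plain fix'   => sub { my ( $r, $u, $q ) = @_; $u ||= $q; $u },
    'overwrite'   => sub { $_[2] },                                    # $userid = $q_userid, not proposed
);

# Drive the login path for one typed userid and report what the staff
# interface would show.
sub login_outcome {
    my ( $q_userid, $resolver ) = @_;
    my ( $return, $cardnumber, $userid ) = checkpw($q_userid);
    return 'bad credentials' unless $return;
    $userid = $resolver->( $return, $userid, $q_userid );
    return haspermission( $userid, { superlibrarian => 1 } )
        ? "logged in as $userid"
        : 'Error: You do not have permission to access this page';
}

for my $name ( 'no fix', 'guarded fix', 'plain fix', 'overwrite' ) {
    for my $typed ( $db_user, 'jsmith', 'JSmith' ) {
        printf "%-12s %-13s -> %s\n", $name, $typed,
            login_outcome( $typed, $resolvers{$name} );
    }
}
```

Run as `perl bug18442_demo.pl` (file name assumed). The 'no fix' row for the database user reproduces the error from the report, both `||=` rows log every case in, and the 'overwrite' row fails for 'JSmith' because the userid checkpw canonicalised to 'jsmith' has been replaced by what was typed, which is the clobbering concern raised in comment #7.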