Bug 10799: Limit the SCO user to the SCO module

The SCO user should only be allowed to access to the SCO module.

This patch make the session ends if the user tries to access another
page after the SCO module.

Test plan:
0/ Configure the SCO module correctly
1/ Go on the sco main page (sco/sco-main.pl)
2/ Try to go somewhere else: you should not be logged in

Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

diff --git a/C4/Auth.pm b/C4/Auth.pm
index d18ad29..b8ee9a5 100644 (file)
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -178,6 +178,29 @@ sub get_template_and_user {
         );
     }
 
+
+    # If the user logged in is the SCO user and he tries to go out the SCO module, log the user out removing the CGISESSID cookie
+    if ( $in->{type} eq 'opac' and $in->{template_name} !~ m|sco/| ) {
+        if (  C4::Context->preference('AutoSelfCheckID') && $user eq C4::Context->preference('AutoSelfCheckID') ) {
+            $template = C4::Templates::gettemplate( 'opac-auth.tt', 'opac', $in->{query} );
+            my $cookie = $in->{query}->cookie(
+                -name     => 'CGISESSID',
+                -value    => '',
+                -expires  => '',
+                -HttpOnly => 1,
+            );
+
+            $template->param( loginprompt => 1 );
+            print $in->{query}->header(
+                -type    => 'text/html',
+                -charset => 'utf-8',
+                -cookie  => $cookie,
+              ),
+            $template->output;
+            safe_exit;
+        }
+    }
+
     my $borrowernumber;
     if ($user) {
         require C4::Members;