};
subtest 'While still logged in, relogin with another user' => sub {
- plan tests => 4;
+ plan tests => 6;
+
my $patron = $builder->build_object({ class => 'Koha::Patrons', value => {} });
my $patron2 = $builder->build_object({ class => 'Koha::Patrons', value => {} });
# Create 'former' session
$cgi->param( -name => 'userid', -value => $patron2->userid );
$cgi->param( -name => 'password', -value => $password );
$cgi->param( -name => 'koha_login_context', -value => 1 );
- my @return;
+ my ( @return, $stdout );
{
local *STDOUT;
local %ENV;
$ENV{REMOTE_ADDR} = '1.2.3.4';
- my $stdout;
open STDOUT, '>', \$stdout;
@return = C4::Auth::checkauth( $cgi, 0, {} );
close STDOUT;
is( $return[0], $patron2->userid, 'Login of patron2 approved' );
isnt( $return[2], $sessionID, 'Did not return previous session ID' );
ok( $return[2], 'New session ID not empty' );
+
+ # Similar situation: Relogin with former session of $patron, new user $patron2 has no permissions
+ $patron2->flags(undef)->store;
+ $session->param( 'number', $patron->id );
+ $session->param( 'id', $patron->userid );
+ $session->param( 'interface', 'intranet' );
+ $session->flush;
+ $sessionID = $session->id;
+ C4::Context->_new_userenv($sessionID);
+ $cgi->param( -name => 'userid', -value => $patron2->userid );
+ $cgi->param( -name => 'password', -value => $password );
+ $cgi->param( -name => 'koha_login_context', -value => 1 );
+ {
+ local *STDOUT;
+ local %ENV;
+ $ENV{REMOTE_ADDR} = '1.2.3.4';
+ $stdout = q{};
+ open STDOUT, '>', \$stdout;
+ @return = C4::Auth::checkauth( $cgi, 0, { catalogue => 1 }, 'intranet' ); # patron2 has no catalogue perm
+ close STDOUT;
+ }
+ like( $stdout, qr/You do not have permission to access this page/, 'No permission response' );
+ is( @return, 0, 'checkauth returned failure' );
};
subtest 'Two-factor authentication' => sub {