From 7d4598a3874536c365934f6f3e9745636415d642 Mon Sep 17 00:00:00 2001
From: Bill Erickson <berick@esilibrary.com>
Date: Mon, 14 Nov 2011 16:27:05 -0500
Subject: [PATCH] tpac; improve ssl and authentication redirection

Create a better separation between pages the require SSL and those that also require authentication. This change has a number of beneficial side effects: 1. If a user is already logged in and is somehow redirected to the non-SSL version of a page requiring SSL (via, for example, some external link), they are simply taken to the SSL equivlent of the page first. If they are found to be logged in, we're done. If not, they are directed to the login page like usual. 2. password_reset page now requires SSL (but not auth, obviously) 3. Removed the unnecessary warning about logging out on a non-SSL connection. We now redirect the user to the SSL version of logout so, if they are in fact logged in, they can be successfully logged out.

Signed-off-by: Bill Erickson <berick@esilibrary.com>
Signed-off-by: Mike Rylander <mrylander@gmail.com>
---
 .../src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm | 21 +++++++-------------
 1 file changed, 7 insertions(+), 14 deletions(-)

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm
index e934a398dc..3c10db76f5 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm
@@ -108,10 +108,13 @@ sub load {
 return $self->load_cache_clear if $path =~ m|opac/cache/clear|;
 
 # ----------------------------------------------------------------
- # Logout and login require SSL
+ # Everything below here requires SSL
 # ----------------------------------------------------------------
+ return $self->redirect_ssl unless $self->cgi->https;
+ return $self->load_password_reset if $path =~ m|opac/password_reset|;
+ return $self->load_logout if $path =~ m|opac/logout|;
+
 if($path =~ m|opac/login|) {
- return $self->redirect_ssl unless $self->cgi->https;
 return $self->load_login unless $self->editor->requestor; # already logged in?
 
 # This will be less confusing to users than to be shown a login form
@@ -124,20 +127,10 @@ sub load {
 );
 }
 
- if($path =~ m|opac/logout|) {
- #return Apache2::Const::FORBIDDEN unless $self->cgi->https;
- $self->apache->log->warn("catloader: logout called in non-secure context from " .
- ($self->ctx->{referer} || '<no referer>')) unless $self->cgi->https;
- return $self->load_logout;
- }
-
- return $self->load_password_reset if $path =~ m|opac/password_reset|;
-
 # ----------------------------------------------------------------
- # Everything below here requires SSL + authentication
+ # Everything below here requires authentication
 # ----------------------------------------------------------------
- return $self->redirect_auth
- unless $self->cgi->https and $self->editor->requestor;
+ return $self->redirect_auth unless $self->editor->requestor;
 
 return $self->load_place_hold if $path =~ m|opac/place_hold|;
 return $self->load_myopac_holds if $path =~ m|opac/myopac/holds|;
-- 
2.11.0
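Review bot: The new gate `return $self->redirect_ssl unless $self->cgi->https;` now fronts password_reset, logout and login, but it decides from whatever the CGI object reports for the request's own transport; if TLS were terminated in front of this server that would presumably be false on every request and each of those paths would bounce to redirect_ssl again, which is a deployment assumption the code should state. I would add above the line `# assumes cgi->https reflects the client connection, i.e. TLS terminates at this server` so the next maintainer knows the gate does not consult any forwarded-proto header. The same comment could note that a form posted over plain HTTP to password_reset or login is redirected rather than processed, so its body is discarded by design. The body of load continues before and after this hunk.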
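Review bot: The authentication gate `return $self->redirect_auth unless $self->editor->requestor;` no longer verifies https itself, so its correctness now rests on the redirect_ssl return earlier in load (in the first hunk) staying ahead of it; a route inserted between the two, or a later reordering, would silently serve an authenticated page over plain HTTP without any check failing. That ordering dependency is invisible at this point in the file, so I would pin it in the comment block, e.g. `# SSL is enforced by the redirect_ssl return above; keep that check ahead of this gate`. load continues past the end of the hunk.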