haspermission signature had changed
[wip/koha-chris_n.git] / C4 / Auth.pm
1 package C4::Auth;
2
3 # Copyright 2000-2002 Katipo Communications
4 #
5 # This file is part of Koha.
6 #
7 # Koha is free software; you can redistribute it and/or modify it under the
8 # terms of the GNU General Public License as published by the Free Software
9 # Foundation; either version 2 of the License, or (at your option) any later
10 # version.
11 #
12 # Koha is distributed in the hope that it will be useful, but WITHOUT ANY
13 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
14 # A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
15 #
16 # You should have received a copy of the GNU General Public License along with
17 # Koha; if not, write to the Free Software Foundation, Inc., 59 Temple Place,
18 # Suite 330, Boston, MA  02111-1307 USA
19
20 use strict;
21 use Digest::MD5 qw(md5_base64);
22 use Storable qw(thaw freeze);
23 use URI::Escape;
24 use CGI::Session;
25
26 require Exporter;
27 use C4::Context;
28 use C4::Output;    # to get the template
29 use C4::Members;
30 use C4::Koha;
31 use C4::Branch; # GetBranches
32 use C4::VirtualShelves;
33 use POSIX qw/strftime/;
34
35 # use utf8;
36 use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas $caslogout);
37
38 BEGIN {
39     $VERSION = 3.02;        # set version for version checking
40     $debug = $ENV{DEBUG};
41     @ISA   = qw(Exporter);
42     @EXPORT    = qw(&checkauth &get_template_and_user &haspermission &get_user_subpermissions);
43     @EXPORT_OK = qw(&check_api_auth &get_session &check_cookie_auth &checkpw &get_all_subpermissions &get_user_subpermissions);
44     %EXPORT_TAGS = (EditPermissions => [qw(get_all_subpermissions get_user_subpermissions)]);
45     $ldap = C4::Context->config('useldapserver') || 0;
46     $cas = C4::Context->preference('casAuthentication');
47     $caslogout = C4::Context->preference('casLogout');
48     if ($ldap) {
49         require C4::Auth_with_ldap;             # no import
50         import  C4::Auth_with_ldap qw(checkpw_ldap);
51     }
52     if ($cas) {
53         require C4::Auth_with_cas;             # no import
54         import  C4::Auth_with_cas qw(checkpw_cas login_cas logout_cas login_cas_url);
55     }
56
57 }
58
59 =head1 NAME
60
61 C4::Auth - Authenticates Koha users
62
63 =head1 SYNOPSIS
64
65   use CGI;
66   use C4::Auth;
67   use C4::Output;
68
69   my $query = new CGI;
70
71   my ($template, $borrowernumber, $cookie)
72     = get_template_and_user(
73         {
74             template_name   => "opac-main.tmpl",
75             query           => $query,
76       type            => "opac",
77       authnotrequired => 1,
78       flagsrequired   => {borrow => 1, catalogue => '*', tools => 'import_patrons' },
79   }
80     );
81
82   output_html_with_http_headers $query, $cookie, $template->output;
83
84 =head1 DESCRIPTION
85
86     The main function of this module is to provide
87     authentification. However the get_template_and_user function has
88     been provided so that a users login information is passed along
89     automatically. This gets loaded into the template.
90
91 =head1 FUNCTIONS
92
93 =over 2
94
95 =item get_template_and_user
96
97     my ($template, $borrowernumber, $cookie)
98         = get_template_and_user(
99           {
100             template_name   => "opac-main.tmpl",
101             query           => $query,
102             type            => "opac",
103             authnotrequired => 1,
104             flagsrequired   => {borrow => 1, catalogue => '*', tools => 'import_patrons' },
105           }
106         );
107
108     This call passes the C<query>, C<flagsrequired> and C<authnotrequired>
109     to C<&checkauth> (in this module) to perform authentification.
110     See C<&checkauth> for an explanation of these parameters.
111
112     The C<template_name> is then used to find the correct template for
113     the page. The authenticated users details are loaded onto the
114     template in the HTML::Template LOOP variable C<USER_INFO>. Also the
115     C<sessionID> is passed to the template. This can be used in templates
116     if cookies are disabled. It needs to be put as and input to every
117     authenticated page.
118
119     More information on the C<gettemplate> sub can be found in the
120     Output.pm module.
121
122 =cut
123
124 sub get_template_and_user {
125     my $in       = shift;
126     my $template =
127       gettemplate( $in->{'template_name'}, $in->{'type'}, $in->{'query'} );
128     my ( $user, $cookie, $sessionID, $flags ) = checkauth(
129         $in->{'query'},
130         $in->{'authnotrequired'},
131         $in->{'flagsrequired'},
132         $in->{'type'}
133     ) unless ($in->{'template_name'}=~/maintenance/);
134
135     my $borrowernumber;
136     my $insecure = C4::Context->preference('insecure');
137     if ($user or $insecure) {
138
139         # load the template variables for stylesheets and JavaScript
140         $template->param( css_libs => $in->{'css_libs'} );
141         $template->param( css_module => $in->{'css_module'} );
142         $template->param( css_page => $in->{'css_page'} );
143         $template->param( css_widgets => $in->{'css_widgets'} );
144
145         $template->param( js_libs => $in->{'js_libs'} );
146         $template->param( js_module => $in->{'js_module'} );
147         $template->param( js_page => $in->{'js_page'} );
148         $template->param( js_widgets => $in->{'js_widgets'} );
149
150         # user info
151         $template->param( loggedinusername => $user );
152         $template->param( sessionID        => $sessionID );
153
154                 my ($total, $pubshelves, $barshelves) = C4::Context->get_shelves_userenv();
155                 if (defined($pubshelves)) {
156                 $template->param(       pubshelves      => scalar (@$pubshelves),
157                                                         pubshelvesloop  => $pubshelves,
158                                                         );
159                         $template->param(       pubtotal                => $total->{'pubtotal'}, ) if ($total->{'pubtotal'} > scalar (@$pubshelves));
160                 }
161                 if (defined($barshelves)) {
162                 $template->param(       barshelves      => scalar (@$barshelves),
163                                                         barshelvesloop  => $barshelves,
164                                                         );
165                         $template->param(       bartotal                => $total->{'bartotal'}, ) if ($total->{'bartotal'} > scalar (@$barshelves));
166                 }
167
168         $borrowernumber = getborrowernumber($user);
169         my ( $borr ) = GetMemberDetails( $borrowernumber );
170         my @bordat;
171         $bordat[0] = $borr;
172         $template->param( "USER_INFO" => \@bordat );
173
174         my $all_perms = get_all_subpermissions();
175
176         my @flagroots = qw(circulate catalogue parameters borrowers permissions reserveforothers borrow
177                             editcatalogue updatecharges management tools editauthorities serials reports acquisition);
178         # We are going to use the $flags returned by checkauth
179         # to create the template's parameters that will indicate
180         # which menus the user can access.
181         if (( $flags && $flags->{superlibrarian}==1) or $insecure==1) {
182             $template->param( CAN_user_circulate        => 1 );
183             $template->param( CAN_user_catalogue        => 1 );
184             $template->param( CAN_user_parameters       => 1 );
185             $template->param( CAN_user_borrowers        => 1 );
186             $template->param( CAN_user_permissions      => 1 );
187             $template->param( CAN_user_reserveforothers => 1 );
188             $template->param( CAN_user_borrow           => 1 );
189             $template->param( CAN_user_editcatalogue    => 1 );
190             $template->param( CAN_user_updatecharges     => 1 );
191             $template->param( CAN_user_acquisition      => 1 );
192             $template->param( CAN_user_management       => 1 );
193             $template->param( CAN_user_tools            => 1 );
194             $template->param( CAN_user_editauthorities  => 1 );
195             $template->param( CAN_user_serials          => 1 );
196             $template->param( CAN_user_reports          => 1 );
197             $template->param( CAN_user_staffaccess      => 1 );
198             foreach my $module (keys %$all_perms) {
199                 foreach my $subperm (keys %{ $all_perms->{$module} }) {
200                     $template->param( "CAN_user_${module}_${subperm}" => 1 );
201                 }
202             }
203         }
204
205         if (C4::Context->preference('GranularPermissions')) {
206             if ( $flags ) {
207                 foreach my $module (keys %$all_perms) {
208                     if ( $flags->{$module} == 1) {
209                         foreach my $subperm (keys %{ $all_perms->{$module} }) {
210                             $template->param( "CAN_user_${module}_${subperm}" => 1 );
211                         }
212                     } elsif ( ref($flags->{$module}) ) {
213                         foreach my $subperm (keys %{ $flags->{$module} } ) {
214                             $template->param( "CAN_user_${module}_${subperm}" => 1 );
215                         }
216                     }
217                 }
218             }
219         } else {
220             foreach my $module (keys %$all_perms) {
221                 foreach my $subperm (keys %{ $all_perms->{$module} }) {
222                     $template->param( "CAN_user_${module}_${subperm}" => 1 );
223                 }
224             }
225         }
226
227         if ($flags) {
228             foreach my $module (keys %$flags) {
229                 if ( $flags->{$module} == 1 or ref($flags->{$module}) ) {
230                     $template->param( "CAN_user_$module" => 1 );
231                     if ($module eq "parameters") {
232                         $template->param( CAN_user_management => 1 );
233                     }
234                 }
235             }
236         }
237                 # Logged-in opac search history
238                 # If the requested template is an opac one and opac search history is enabled
239                 if ($in->{'type'} == "opac" && C4::Context->preference('EnableOpacSearchHistory')) {
240                         my $dbh = C4::Context->dbh;
241                         my $query = "SELECT COUNT(*) FROM search_history WHERE userid=?";
242                         my $sth = $dbh->prepare($query);
243                         $sth->execute($borrowernumber);
244                         
245                         # If at least one search has already been performed
246                         if ($sth->fetchrow_array > 0) { 
247                         # We show the link in opac
248                         $template->param(ShowOpacRecentSearchLink => 1);
249                         }
250
251                         # And if there's a cookie with searches performed when the user was not logged in, 
252                         # we add them to the logged-in search history
253                         my @recentSearches;
254                         my $searchcookie = $in->{'query'}->cookie('KohaOpacRecentSearches');
255                         if ($searchcookie){
256                                 $searchcookie = uri_unescape($searchcookie);
257                                 if (thaw($searchcookie)) {
258                                         @recentSearches = @{thaw($searchcookie)};
259                                 }
260
261                                 if (@recentSearches > 0) {
262                                         my $query = "INSERT INTO search_history(userid, sessionid, query_desc, query_cgi, total, time) VALUES";
263                                         my $icount = 1;
264                                         foreach my $asearch (@recentSearches) {
265                                                 $query .= "(";
266                                                 $query .= $borrowernumber . ", ";
267                                                 $query .= '"' . $in->{'query'}->cookie("CGISESSID") . "\", ";
268                                                 $query .= '"' . $asearch->{'query_desc'} . "\", ";
269                                                 $query .= '"' . $asearch->{'query_cgi'} . "\", ";
270                                                 $query .=       $asearch->{'total'} . ", ";
271                                                 $query .= 'FROM_UNIXTIME(' . $asearch->{'time'} . "))";
272                                                 if ($icount < @recentSearches) { $query .= ", ";}
273                                                 $icount++;
274                                         }
275
276                                         my $sth = $dbh->prepare($query);
277                                         $sth->execute;
278
279                                         # And then, delete the cookie's content
280                                         my $newsearchcookie = $in->{'query'}->cookie(
281                                                                                                 -name => 'KohaOpacRecentSearches',
282                                                                                                 -value => freeze([]),
283                                                                                                 -expires => ''
284                                                                                          );
285                                         $cookie = [$cookie, $newsearchcookie];
286                                 }
287                         }
288                 }
289     }
290         else {  # if this is an anonymous session, setup to display public lists...
291
292         # load the template variables for stylesheets and JavaScript
293         $template->param( css_libs => $in->{'css_libs'} );
294         $template->param( css_module => $in->{'css_module'} );
295         $template->param( css_page => $in->{'css_page'} );
296         $template->param( css_widgets => $in->{'css_widgets'} );
297
298         $template->param( js_libs => $in->{'js_libs'} );
299         $template->param( js_module => $in->{'js_module'} );
300         $template->param( js_page => $in->{'js_page'} );
301         $template->param( js_widgets => $in->{'js_widgets'} );
302
303         $template->param( sessionID        => $sessionID );
304         
305         my ($total, $pubshelves) = C4::Context->get_shelves_userenv();  # an anonymous user has no 'barshelves'...
306         if (defined(($pubshelves))) {
307             $template->param(   pubshelves      => scalar (@$pubshelves),
308                                 pubshelvesloop  => $pubshelves,
309                             );
310             $template->param(   pubtotal        => $total->{'pubtotal'}, ) if ($total->{'pubtotal'} > scalar (@$pubshelves));
311         }
312
313     }
314         # Anonymous opac search history
315         # If opac search history is enabled and at least one search has already been performed
316         if (C4::Context->preference('EnableOpacSearchHistory') && $in->{'query'}->cookie('KohaOpacRecentSearches')) {
317             # We show the link in opac
318             if (thaw(uri_unescape($in->{'query'}->cookie('KohaOpacRecentSearches')))) {
319                         my @recentSearches = @{thaw(uri_unescape($in->{'query'}->cookie('KohaOpacRecentSearches')))};
320                         if (@recentSearches > 0) {
321                                 $template->param(ShowOpacRecentSearchLink => 1);
322                         }
323             }
324         }
325
326     # these template parameters are set the same regardless of $in->{'type'}
327     $template->param(
328             "BiblioDefaultView".C4::Context->preference("BiblioDefaultView")         => 1,
329             EnhancedMessagingPreferences => C4::Context->preference('EnhancedMessagingPreferences'),
330             GoogleJackets                => C4::Context->preference("GoogleJackets"),
331             KohaAdminEmailAddress        => "" . C4::Context->preference("KohaAdminEmailAddress"),
332             LoginBranchcode              => (C4::Context->userenv?C4::Context->userenv->{"branch"}:"insecure"),
333             LoginFirstname               => (C4::Context->userenv?C4::Context->userenv->{"firstname"}:"Bel"),
334             LoginSurname                 => C4::Context->userenv?C4::Context->userenv->{"surname"}:"Inconnu",
335             TagsEnabled                  => C4::Context->preference("TagsEnabled"),
336             hide_marc                    => C4::Context->preference("hide_marc"),
337             'item-level_itypes'          => C4::Context->preference('item-level_itypes'),
338             patronimages                 => C4::Context->preference("patronimages"),
339             singleBranchMode             => C4::Context->preference("singleBranchMode"),
340             XSLTDetailsDisplay        => C4::Context->preference("XSLTDetailsDisplay"),
341             XSLTResultsDisplay        => C4::Context->preference("XSLTResultsDisplay"),
342                  );
343
344     if ( $in->{'type'} eq "intranet" ) {
345         $template->param(
346             AmazonContent               => C4::Context->preference("AmazonContent"),
347             AmazonSimilarItems          => C4::Context->preference("AmazonSimilarItems"),
348             AutoLocation                => C4::Context->preference("AutoLocation"),
349             "BiblioDefaultView".C4::Context->preference("IntranetBiblioDefaultView") => 1,
350             CircAutocompl               => C4::Context->preference("CircAutocompl"),
351             FRBRizeEditions             => C4::Context->preference("FRBRizeEditions"),
352             IndependantBranches         => C4::Context->preference("IndependantBranches"),
353             IntranetNav                 => C4::Context->preference("IntranetNav"),
354             IntranetmainUserblock       => C4::Context->preference("IntranetmainUserblock"),
355             LibraryName                 => C4::Context->preference("LibraryName"),
356             LoginBranchname             => (C4::Context->userenv?C4::Context->userenv->{"branchname"}:"insecure"),
357             TemplateEncoding            => C4::Context->preference("TemplateEncoding"),
358             advancedMARCEditor          => C4::Context->preference("advancedMARCEditor"),
359             canreservefromotherbranches => C4::Context->preference('canreservefromotherbranches'),
360             intranetcolorstylesheet     => C4::Context->preference("intranetcolorstylesheet"),
361             intranetreadinghistory      => C4::Context->preference("intranetreadinghistory"),
362             intranetstylesheet          => C4::Context->preference("intranetstylesheet"),
363             intranetuserjs              => C4::Context->preference("intranetuserjs"),
364             intranetbookbag             => C4::Context->preference("intranetbookbag"),
365             noItemTypeImages            => C4::Context->preference("noItemTypeImages"),
366             suggestion                  => C4::Context->preference("suggestion"),
367             virtualshelves              => C4::Context->preference("virtualshelves"),
368             StaffSerialIssueDisplayCount => C4::Context->preference("StaffSerialIssueDisplayCount"),
369             NoZebra                     => C4::Context->preference('NoZebra'),
370         );
371     }
372     else {
373         warn "template type should be OPAC, here it is=[" . $in->{'type'} . "]" unless ( $in->{'type'} eq 'opac' );
374         #TODO : replace LibraryName syspref with 'system name', and remove this html processing
375         my $LibraryNameTitle = C4::Context->preference("LibraryName");
376         $LibraryNameTitle =~ s/<(?:\/?)(?:br|p)\s*(?:\/?)>/ /sgi;
377         $LibraryNameTitle =~ s/<(?:[^<>'"]|'(?:[^']*)'|"(?:[^"]*)")*>//sg;
378         # variables passed from CGI: opac_css_override and opac_search_limits.
379         my $opac_search_limit = $ENV{'OPAC_SEARCH_LIMIT'};
380         my $opac_limit_override = $ENV{'OPAC_LIMIT_OVERRIDE'};
381         my $mylibraryfirst = C4::Context->preference("SearchMyLibraryFirst");
382         my $opac_name;
383         if($opac_limit_override && ($opac_search_limit =~ /branch:(\w+)/) ){
384              $opac_name = C4::Branch::GetBranchName($1)   # opac_search_limit is a branch, so we use it.
385         } elsif($mylibraryfirst){
386             $opac_name = C4::Branch::GetBranchName($mylibraryfirst);
387         }
388         $template->param(
389             AmazonContent             => "" . C4::Context->preference("AmazonContent"),
390             AnonSuggestions           => "" . C4::Context->preference("AnonSuggestions"),
391             AuthorisedValueImages     => C4::Context->preference("AuthorisedValueImages"),
392             LibraryName               => "" . C4::Context->preference("LibraryName"),
393             LibraryNameTitle          => "" . $LibraryNameTitle,
394             LoginBranchname           => C4::Context->userenv?C4::Context->userenv->{"branchname"}:"",
395             OPACAmazonSimilarItems    => "" . C4::Context->preference("OPACAmazonSimilarItems"),
396             OPACFRBRizeEditions       => C4::Context->preference("OPACFRBRizeEditions"),
397             OPACItemHolds             => C4::Context->preference("OPACItemHolds"),
398             OPACShelfBrowser          => "". C4::Context->preference("OPACShelfBrowser"),
399             OPACURLOpenInNewWindow    => "" . C4::Context->preference("OPACURLOpenInNewWindow"),
400             OPACUserCSS               => "". C4::Context->preference("OPACUserCSS"),
401             OPACViewOthersSuggestions => "" . C4::Context->preference("OPACViewOthersSuggestions"),
402             OpacAuthorities           => C4::Context->preference("OpacAuthorities"),
403             OPACBaseURL               => ($in->{'query'}->https() ? "https://" : "http://") . $ENV{'SERVER_NAME'} .
404                    ($ENV{'SERVER_PORT'} eq ($in->{'query'}->https() ? "443" : "80") ? '' : ":$ENV{'SERVER_PORT'}"),
405             opac_name             => $opac_name,
406             opac_css_override           => $ENV{'OPAC_CSS_OVERRIDE'},
407             opac_search_limit         => $opac_search_limit,
408             opac_limit_override       => $opac_limit_override,
409             OpacBrowser               => C4::Context->preference("OpacBrowser"),
410             OpacCloud                 => C4::Context->preference("OpacCloud"),
411             OpacMainUserBlock         => "" . C4::Context->preference("OpacMainUserBlock"),
412             OpacNav                   => "" . C4::Context->preference("OpacNav"),
413             OpacPasswordChange        => C4::Context->preference("OpacPasswordChange"),
414             OPACPatronDetails        => C4::Context->preference("OPACPatronDetails"),
415             OPACFinesTab              => C4::Context->preference("OPACFinesTab"),
416             OpacTopissue              => C4::Context->preference("OpacTopissue"),
417             RequestOnOpac             => C4::Context->preference("RequestOnOpac"),
418             TemplateEncoding          => "". C4::Context->preference("TemplateEncoding"),
419             'Version'                 => C4::Context->preference('Version'),
420             hidelostitems             => C4::Context->preference("hidelostitems"),
421             mylibraryfirst            => (C4::Context->preference("SearchMyLibraryFirst") && C4::Context->userenv) ? C4::Context->userenv->{'branch'} : '',
422             opaclayoutstylesheet      => "" . C4::Context->preference("opaclayoutstylesheet"),
423             opaccolorstylesheet       => "" . C4::Context->preference("opaccolorstylesheet"),
424             opacstylesheet            => "" . C4::Context->preference("opacstylesheet"),
425             opacbookbag               => "" . C4::Context->preference("opacbookbag"),
426             opaccredits               => "" . C4::Context->preference("opaccredits"),
427             opacheader                => "" . C4::Context->preference("opacheader"),
428             opaclanguagesdisplay      => "" . C4::Context->preference("opaclanguagesdisplay"),
429             opacreadinghistory        => C4::Context->preference("opacreadinghistory"),
430             opacsmallimage            => "" . C4::Context->preference("opacsmallimage"),
431             opacuserjs                => C4::Context->preference("opacuserjs"),
432             opacuserlogin             => "" . C4::Context->preference("opacuserlogin"),
433             reviewson                 => C4::Context->preference("reviewson"),
434             suggestion                => "" . C4::Context->preference("suggestion"),
435             virtualshelves            => "" . C4::Context->preference("virtualshelves"),
436                         OPACSerialIssueDisplayCount => C4::Context->preference("OPACSerialIssueDisplayCount"),
437         );
438     }
439         $template->param(listloop=>[{shelfname=>"Freelist", shelfnumber=>110}]);
440     return ( $template, $borrowernumber, $cookie, $flags);
441 }
442
443 =item checkauth
444
445   ($userid, $cookie, $sessionID) = &checkauth($query, $noauth, $flagsrequired, $type);
446
447 Verifies that the user is authorized to run this script.  If
448 the user is authorized, a (userid, cookie, session-id, flags)
449 quadruple is returned.  If the user is not authorized but does
450 not have the required privilege (see $flagsrequired below), it
451 displays an error page and exits.  Otherwise, it displays the
452 login page and exits.
453
454 Note that C<&checkauth> will return if and only if the user
455 is authorized, so it should be called early on, before any
456 unfinished operations (e.g., if you've opened a file, then
457 C<&checkauth> won't close it for you).
458
459 C<$query> is the CGI object for the script calling C<&checkauth>.
460
461 The C<$noauth> argument is optional. If it is set, then no
462 authorization is required for the script.
463
464 C<&checkauth> fetches user and session information from C<$query> and
465 ensures that the user is authorized to run scripts that require
466 authorization.
467
468 The C<$flagsrequired> argument specifies the required privileges
469 the user must have if the username and password are correct.
470 It should be specified as a reference-to-hash; keys in the hash
471 should be the "flags" for the user, as specified in the Members
472 intranet module. Any key specified must correspond to a "flag"
473 in the userflags table. E.g., { circulate => 1 } would specify
474 that the user must have the "circulate" privilege in order to
475 proceed. To make sure that access control is correct, the
476 C<$flagsrequired> parameter must be specified correctly.
477
478 If the GranularPermissions system preference is ON, the
479 value of each key in the C<flagsrequired> hash takes on an additional
480 meaning, e.g.,
481
482 =item 1
483
484 The user must have access to all subfunctions of the module
485 specified by the hash key.
486
487 =item *
488
489 The user must have access to at least one subfunction of the module
490 specified by the hash key.
491
492 =item specific permission, e.g., 'export_catalog'
493
494 The user must have access to the specific subfunction list, which
495 must correspond to a row in the permissions table.
496
497 The C<$type> argument specifies whether the template should be
498 retrieved from the opac or intranet directory tree.  "opac" is
499 assumed if it is not specified; however, if C<$type> is specified,
500 "intranet" is assumed if it is not "opac".
501
502 If C<$query> does not have a valid session ID associated with it
503 (i.e., the user has not logged in) or if the session has expired,
504 C<&checkauth> presents the user with a login page (from the point of
505 view of the original script, C<&checkauth> does not return). Once the
506 user has authenticated, C<&checkauth> restarts the original script
507 (this time, C<&checkauth> returns).
508
509 The login page is provided using a HTML::Template, which is set in the
510 systempreferences table or at the top of this file. The variable C<$type>
511 selects which template to use, either the opac or the intranet
512 authentification template.
513
514 C<&checkauth> returns a user ID, a cookie, and a session ID. The
515 cookie should be sent back to the browser; it verifies that the user
516 has authenticated.
517
518 =cut
519
520 sub _version_check ($$) {
521     my $type = shift;
522     my $query = shift;
523     my $version;
524     # If Version syspref is unavailable, it means Koha is beeing installed,
525     # and so we must redirect to OPAC maintenance page or to the WebInstaller
526         # also, if OpacMaintenance is ON, OPAC should redirect to maintenance
527         if (C4::Context->preference('OpacMaintenance') && $type eq 'opac') {
528                 warn "OPAC Install required, redirecting to maintenance";
529                 print $query->redirect("/cgi-bin/koha/maintenance.pl");
530         }
531     unless ($version = C4::Context->preference('Version')) {    # assignment, not comparison
532       if ($type ne 'opac') {
533         warn "Install required, redirecting to Installer";
534         print $query->redirect("/cgi-bin/koha/installer/install.pl");
535       }
536       else {
537         warn "OPAC Install required, redirecting to maintenance";
538         print $query->redirect("/cgi-bin/koha/maintenance.pl");
539       }
540       exit;
541     }
542
543     # check that database and koha version are the same
544     # there is no DB version, it's a fresh install,
545     # go to web installer
546     # there is a DB version, compare it to the code version
547     my $kohaversion=C4::Context::KOHAVERSION;
548     # remove the 3 last . to have a Perl number
549     $kohaversion =~ s/(.*\..*)\.(.*)\.(.*)/$1$2$3/;
550     $debug and print STDERR "kohaversion : $kohaversion\n";
551     if ($version < $kohaversion){
552         my $warning = "Database update needed, redirecting to %s. Database is $version and Koha is $kohaversion";
553         if ($type ne 'opac'){
554             warn sprintf($warning, 'Installer');
555             print $query->redirect("/cgi-bin/koha/installer/install.pl?step=3");
556         } else {
557             warn sprintf("OPAC: " . $warning, 'maintenance');
558             print $query->redirect("/cgi-bin/koha/maintenance.pl");
559         }
560         exit;
561     }
562 }
563
564 sub _session_log {
565     (@_) or return 0;
566     open L, ">>/tmp/sessionlog" or warn "ERROR: Cannot append to /tmp/sessionlog";
567     printf L join("\n",@_);
568     close L;
569 }
570
571 sub checkauth {
572     my $query = shift;
573         $debug and warn "Checking Auth";
574     # $authnotrequired will be set for scripts which will run without authentication
575     my $authnotrequired = shift;
576     my $flagsrequired   = shift;
577     my $type            = shift;
578     $type = 'opac' unless $type;
579
580     my $dbh     = C4::Context->dbh;
581     my $timeout = C4::Context->preference('timeout');
582     # days
583     if ($timeout =~ /(\d+)[dD]/) {
584         $timeout = $1 * 86400;
585     };
586     $timeout = 600 unless $timeout;
587
588     _version_check($type,$query);
589     # state variables
590     my $loggedin = 0;
591     my %info;
592     my ( $userid, $cookie, $sessionID, $flags, $barshelves, $pubshelves );
593     my $logout = $query->param('logout.x');
594
595     if ( $userid = $ENV{'REMOTE_USER'} ) {
596         # Using Basic Authentication, no cookies required
597         $cookie = $query->cookie(
598             -name    => 'CGISESSID',
599             -value   => '',
600             -expires => ''
601         );
602         $loggedin = 1;
603     }
604     elsif ( $sessionID = $query->cookie("CGISESSID")) {     # assignment, not comparison
605         my $session = get_session($sessionID);
606         C4::Context->_new_userenv($sessionID);
607         my ($ip, $lasttime, $sessiontype);
608         if ($session){
609             C4::Context::set_userenv(
610                 $session->param('number'),       $session->param('id'),
611                 $session->param('cardnumber'),   $session->param('firstname'),
612                 $session->param('surname'),      $session->param('branch'),
613                 $session->param('branchname'),   $session->param('flags'),
614                 $session->param('emailaddress'), $session->param('branchprinter')
615             );
616             C4::Context::set_shelves_userenv('bar',$session->param('barshelves'));
617             C4::Context::set_shelves_userenv('pub',$session->param('pubshelves'));
618             C4::Context::set_shelves_userenv('tot',$session->param('totshelves'));
619             $debug and printf STDERR "AUTH_SESSION: (%s)\t%s %s - %s\n", map {$session->param($_)} qw(cardnumber firstname surname branch) ;
620             $ip       = $session->param('ip');
621             $lasttime = $session->param('lasttime');
622             $userid   = $session->param('id');
623                         $sessiontype = $session->param('sessiontype');
624         }
625         if ( ($query->param('koha_login_context')) && ($query->param('userid') ne $session->param('id')) ) {
626             #if a user enters an id ne to the id in the current session, we need to log them in...
627             #first we need to clear the anonymous session...
628             $debug and warn "query id = " . $query->param('userid') . " but session id = " . $session->param('id');
629             $session->flush;      
630             $session->delete();
631             C4::Context->_unset_userenv($sessionID);
632                         $sessionID = undef;
633                         $userid = undef;
634                 }
635         elsif ($logout) {
636             # voluntary logout the user
637             $session->flush;
638             $session->delete();
639             C4::Context->_unset_userenv($sessionID);
640             _session_log(sprintf "%20s from %16s logged out at %30s (manually).\n", $userid,$ip,(strftime "%c",localtime));
641             $sessionID = undef;
642             $userid    = undef;
643
644             if ($cas and $caslogout) {
645                 logout_cas($query);
646             }
647         }
648         elsif ( $lasttime < time() - $timeout ) {
649             # timed logout
650             $info{'timed_out'} = 1;
651             $session->delete();
652             C4::Context->_unset_userenv($sessionID);
653             _session_log(sprintf "%20s from %16s logged out at %30s (inactivity).\n", $userid,$ip,(strftime "%c",localtime));
654             $userid    = undef;
655             $sessionID = undef;
656         }
657         elsif ( $ip ne $ENV{'REMOTE_ADDR'} ) {
658             # Different ip than originally logged in from
659             $info{'oldip'}        = $ip;
660             $info{'newip'}        = $ENV{'REMOTE_ADDR'};
661             $info{'different_ip'} = 1;
662             $session->delete();
663             C4::Context->_unset_userenv($sessionID);
664             _session_log(sprintf "%20s from %16s logged out at %30s (ip changed to %16s).\n", $userid,$ip,(strftime "%c",localtime), $info{'newip'});
665             $sessionID = undef;
666             $userid    = undef;
667         }
668         else {
669             $cookie = $query->cookie( CGISESSID => $session->id );
670             $session->param('lasttime',time());
671             unless ( $sessiontype eq 'anon' ) { #if this is an anonymous session, we want to update the session, but not behave as if they are logged in...
672                 $flags = haspermission($userid, $flagsrequired);
673                 if ($flags) {
674                     $loggedin = 1;
675                 } else {
676                     $info{'nopermission'} = 1;
677                 }
678             }
679         }
680     }
681     unless ($userid || $sessionID) {
682         #we initiate a session prior to checking for a username to allow for anonymous sessions...
683                 my $session = get_session("") or die "Auth ERROR: Cannot get_session()";
684         my $sessionID = $session->id;
685         C4::Context->_new_userenv($sessionID);
686         $cookie = $query->cookie(CGISESSID => $sessionID);
687             $userid    = $query->param('userid');
688             if ($cas || $userid) {
689                 my $password = $query->param('password');
690                 my ($return, $cardnumber);
691                 if ($cas && $query->param('ticket')) {
692                     my $retuserid;
693                     ( $return, $cardnumber, $retuserid ) = checkpw( $dbh, $userid, $password, $query );
694                     $userid = $retuserid;
695                     $info{'invalidCasLogin'} = 1 unless ($return);
696                 } else {
697                     ( $return, $cardnumber ) = checkpw( $dbh, $userid, $password, $query );
698                 }
699                 if ($return) {
700                 _session_log(sprintf "%20s from %16s logged in  at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},localtime);
701                 if ( $flags = haspermission(  $userid, $flagsrequired ) ) {
702                                         $loggedin = 1;
703                 }
704                         else {
705                         $info{'nopermission'} = 1;
706                         C4::Context->_unset_userenv($sessionID);
707                 }
708
709                                 my ($borrowernumber, $firstname, $surname, $userflags,
710                                         $branchcode, $branchname, $branchprinter, $emailaddress);
711
712                 if ( $return == 1 ) {
713                         my $select = "
714                         SELECT borrowernumber, firstname, surname, flags, borrowers.branchcode, 
715                             branches.branchname    as branchname, 
716                                 branches.branchprinter as branchprinter, 
717                                 email 
718                         FROM borrowers 
719                         LEFT JOIN branches on borrowers.branchcode=branches.branchcode
720                         ";
721                         my $sth = $dbh->prepare("$select where userid=?");
722                         $sth->execute($userid);
723                                         unless ($sth->rows) {
724                                 $debug and print STDERR "AUTH_1: no rows for userid='$userid'\n";
725                                                 $sth = $dbh->prepare("$select where cardnumber=?");
726                                 $sth->execute($cardnumber);
727                                                 unless ($sth->rows) {
728                                         $debug and print STDERR "AUTH_2a: no rows for cardnumber='$cardnumber'\n";
729                                 $sth->execute($userid);
730                                                         unless ($sth->rows) {
731                                                 $debug and print STDERR "AUTH_2b: no rows for userid='$userid' AS cardnumber\n";
732                                                         }
733                                                 }
734                                         }
735                         if ($sth->rows) {
736                         ($borrowernumber, $firstname, $surname, $userflags,
737                                 $branchcode, $branchname, $branchprinter, $emailaddress) = $sth->fetchrow;
738                                                 $debug and print STDERR "AUTH_3 results: " .
739                                                         "$cardnumber,$borrowernumber,$userid,$firstname,$surname,$userflags,$branchcode,$emailaddress\n";
740                                         } else {
741                                                 print STDERR "AUTH_3: no results for userid='$userid', cardnumber='$cardnumber'.\n";
742                                         }
743
744 # launch a sequence to check if we have a ip for the branch, i
745 # if we have one we replace the branchcode of the userenv by the branch bound in the ip.
746
747                                         my $ip       = $ENV{'REMOTE_ADDR'};
748                                         # if they specify at login, use that
749                                         if ($query->param('branch')) {
750                                                 $branchcode  = $query->param('branch');
751                                                 $branchname = GetBranchName($branchcode);
752                                         }
753                                         my $branches = GetBranches();
754                                         if (C4::Context->boolean_preference('IndependantBranches') && C4::Context->boolean_preference('Autolocation')){
755                                                 # we have to check they are coming from the right ip range
756                                                 my $domain = $branches->{$branchcode}->{'branchip'};
757                                                 if ($ip !~ /^$domain/){
758                                                         $loggedin=0;
759                                                         $info{'wrongip'} = 1;
760                                                 }
761                                         }
762
763                                         my @branchesloop;
764                                         foreach my $br ( keys %$branches ) {
765                                                 #     now we work with the treatment of ip
766                                                 my $domain = $branches->{$br}->{'branchip'};
767                                                 if ( $domain && $ip =~ /^$domain/ ) {
768                                                         $branchcode = $branches->{$br}->{'branchcode'};
769
770                                                         # new op dev : add the branchprinter and branchname in the cookie
771                                                         $branchprinter = $branches->{$br}->{'branchprinter'};
772                                                         $branchname    = $branches->{$br}->{'branchname'};
773                                                 }
774                                         }
775                                         $session->param('number',$borrowernumber);
776                                         $session->param('id',$userid);
777                                         $session->param('cardnumber',$cardnumber);
778                                         $session->param('firstname',$firstname);
779                                         $session->param('surname',$surname);
780                                         $session->param('branch',$branchcode);
781                                         $session->param('branchname',$branchname);
782                                         $session->param('flags',$userflags);
783                                         $session->param('emailaddress',$emailaddress);
784                                         $session->param('ip',$session->remote_addr());
785                                         $session->param('lasttime',time());
786                                         $debug and printf STDERR "AUTH_4: (%s)\t%s %s - %s\n", map {$session->param($_)} qw(cardnumber firstname surname branch) ;
787                                 }
788                                 elsif ( $return == 2 ) {
789                                         #We suppose the user is the superlibrarian
790                                         $borrowernumber = 0;
791                                         $session->param('number',0);
792                                         $session->param('id',C4::Context->config('user'));
793                                         $session->param('cardnumber',C4::Context->config('user'));
794                                         $session->param('firstname',C4::Context->config('user'));
795                                         $session->param('surname',C4::Context->config('user'));
796                                         $session->param('branch','NO_LIBRARY_SET');
797                                         $session->param('branchname','NO_LIBRARY_SET');
798                                         $session->param('flags',1);
799                                         $session->param('emailaddress', C4::Context->preference('KohaAdminEmailAddress'));
800                                         $session->param('ip',$session->remote_addr());
801                                         $session->param('lasttime',time());
802                                 }
803                                 C4::Context::set_userenv(
804                                         $session->param('number'),       $session->param('id'),
805                                         $session->param('cardnumber'),   $session->param('firstname'),
806                                         $session->param('surname'),      $session->param('branch'),
807                                         $session->param('branchname'),   $session->param('flags'),
808                                         $session->param('emailaddress'), $session->param('branchprinter')
809                                 );
810
811                                 # Grab borrower's shelves and public shelves and add them to the session
812                                 # $row_count determines how many records are returned from the db query
813                                 # and the number of lists to be displayed of each type in the 'Lists' button drop down
814                                 my $row_count = 10; # FIXME:This probably should be a syspref
815                                 my ($total, $totshelves, $barshelves, $pubshelves);
816                                 ($barshelves, $totshelves) = C4::VirtualShelves::GetRecentShelves(1, $row_count, $borrowernumber);
817                                 $total->{'bartotal'} = $totshelves;
818                                 ($pubshelves, $totshelves) = C4::VirtualShelves::GetRecentShelves(2, $row_count, undef);
819                                 $total->{'pubtotal'} = $totshelves;
820                                 $session->param('barshelves', $barshelves->[0]);
821                                 $session->param('pubshelves', $pubshelves->[0]);
822                                 $session->param('totshelves', $total);
823
824                                 C4::Context::set_shelves_userenv('bar',$barshelves->[0]);
825                                 C4::Context::set_shelves_userenv('pub',$pubshelves->[0]);
826                                 C4::Context::set_shelves_userenv('tot',$total);
827                         }
828                 else {
829                 if ($userid) {
830                         $info{'invalid_username_or_password'} = 1;
831                         C4::Context->_unset_userenv($sessionID);
832                 }
833                         }
834         }       # END if ( $userid    = $query->param('userid') )
835                 elsif ($type eq "opac") {
836             # if we are here this is an anonymous session; add public lists to it and a few other items...
837             # anonymous sessions are created only for the OPAC
838                         $debug and warn "Initiating an anonymous session...";
839
840                         # Grab the public shelves and add to the session...
841                         my $row_count = 20; # FIXME:This probably should be a syspref
842                         my ($total, $totshelves, $pubshelves);
843                         ($pubshelves, $totshelves) = C4::VirtualShelves::GetRecentShelves(2, $row_count, undef);
844                         $total->{'pubtotal'} = $totshelves;
845                         $session->param('pubshelves', $pubshelves->[0]);
846                         $session->param('totshelves', $total);
847                         C4::Context::set_shelves_userenv('pub',$pubshelves->[0]);
848                         C4::Context::set_shelves_userenv('tot',$total);
849
850                         # setting a couple of other session vars...
851                         $session->param('ip',$session->remote_addr());
852                         $session->param('lasttime',time());
853                         $session->param('sessiontype','anon');
854                 }
855     }   # END unless ($userid)
856     my $insecure = C4::Context->boolean_preference('insecure');
857
858     # finished authentification, now respond
859     if ( $loggedin || $authnotrequired || ( defined($insecure) && $insecure ) )
860     {
861         # successful login
862         unless ($cookie) {
863             $cookie = $query->cookie( CGISESSID => '' );
864         }
865         return ( $userid, $cookie, $sessionID, $flags );
866     }
867
868 #
869 #
870 # AUTH rejected, show the login/password template, after checking the DB.
871 #
872 #
873
874     # get the inputs from the incoming query
875     my @inputs = ();
876     foreach my $name ( param $query) {
877         (next) if ( $name eq 'userid' || $name eq 'password' || $name eq 'ticket' );
878         my $value = $query->param($name);
879         push @inputs, { name => $name, value => $value };
880     }
881     # get the branchloop, which we need for authentication
882     my $branches = GetBranches();
883     my @branch_loop;
884     for my $branch_hash (sort keys %$branches) {
885                 push @branch_loop, {branchcode => "$branch_hash", branchname => $branches->{$branch_hash}->{'branchname'}, };
886     }
887
888     my $template_name = ( $type eq 'opac' ) ? 'opac-auth.tmpl' : 'auth.tmpl';
889     my $template = gettemplate( $template_name, $type, $query );
890     $template->param(branchloop => \@branch_loop,);
891     $template->param(
892     login        => 1,
893         INPUTS               => \@inputs,
894         casAuthentication    => C4::Context->preference("casAuthentication"),
895         suggestion           => C4::Context->preference("suggestion"),
896         virtualshelves       => C4::Context->preference("virtualshelves"),
897         LibraryName          => C4::Context->preference("LibraryName"),
898         opacuserlogin        => C4::Context->preference("opacuserlogin"),
899         OpacNav              => C4::Context->preference("OpacNav"),
900         opaccredits          => C4::Context->preference("opaccredits"),
901         opacreadinghistory   => C4::Context->preference("opacreadinghistory"),
902         opacsmallimage       => C4::Context->preference("opacsmallimage"),
903         opaclayoutstylesheet => C4::Context->preference("opaclayoutstylesheet"),
904         opaccolorstylesheet  => C4::Context->preference("opaccolorstylesheet"),
905         opaclanguagesdisplay => C4::Context->preference("opaclanguagesdisplay"),
906         opacuserjs           => C4::Context->preference("opacuserjs"),
907         opacbookbag          => "" . C4::Context->preference("opacbookbag"),
908         OpacCloud            => C4::Context->preference("OpacCloud"),
909         OpacTopissue         => C4::Context->preference("OpacTopissue"),
910         OpacAuthorities      => C4::Context->preference("OpacAuthorities"),
911         OpacBrowser          => C4::Context->preference("OpacBrowser"),
912         opacheader           => C4::Context->preference("opacheader"),
913         TagsEnabled                  => C4::Context->preference("TagsEnabled"),
914         OPACUserCSS           => C4::Context->preference("OPACUserCSS"),
915         intranetcolorstylesheet =>
916                                                                 C4::Context->preference("intranetcolorstylesheet"),
917         intranetstylesheet => C4::Context->preference("intranetstylesheet"),
918         intranetbookbag    => C4::Context->preference("intranetbookbag"),
919         IntranetNav        => C4::Context->preference("IntranetNav"),
920         intranetuserjs     => C4::Context->preference("intranetuserjs"),
921         TemplateEncoding   => C4::Context->preference("TemplateEncoding"),
922         IndependantBranches=> C4::Context->preference("IndependantBranches"),
923         AutoLocation       => C4::Context->preference("AutoLocation"),
924                 wrongip            => $info{'wrongip'}
925     );
926     $template->param( loginprompt => 1 ) unless $info{'nopermission'};
927
928     if ($cas) { 
929         $template->param(
930             casServerUrl    => login_cas_url(),
931             invalidCasLogin => $info{'invalidCasLogin'}
932         );
933     }
934
935     my $self_url = $query->url( -absolute => 1 );
936     $template->param(
937         url         => $self_url,
938         LibraryName => C4::Context->preference("LibraryName"),
939     );
940     $template->param( \%info );
941 #    $cookie = $query->cookie(CGISESSID => $session->id
942 #   );
943     print $query->header(
944         -type   => 'text/html',
945         -charset => 'utf-8',
946         -cookie => $cookie
947       ),
948       $template->output;
949     exit;
950 }
951
952 =item check_api_auth
953
954   ($status, $cookie, $sessionId) = check_api_auth($query, $userflags);
955
956 Given a CGI query containing the parameters 'userid' and 'password' and/or a session
957 cookie, determine if the user has the privileges specified by C<$userflags>.
958
959 C<check_api_auth> is is meant for authenticating users of web services, and
960 consequently will always return and will not attempt to redirect the user
961 agent.
962
963 If a valid session cookie is already present, check_api_auth will return a status
964 of "ok", the cookie, and the Koha session ID.
965
966 If no session cookie is present, check_api_auth will check the 'userid' and 'password
967 parameters and create a session cookie and Koha session if the supplied credentials
968 are OK.
969
970 Possible return values in C<$status> are:
971
972 =over 4
973
974 =item "ok" -- user authenticated; C<$cookie> and C<$sessionid> have valid values.
975
976 =item "failed" -- credentials are not correct; C<$cookie> and C<$sessionid> are undef
977
978 =item "maintenance" -- DB is in maintenance mode; no login possible at the moment
979
980 =item "expired -- session cookie has expired; API user should resubmit userid and password
981
982 =back
983
984 =cut
985
986 sub check_api_auth {
987     my $query = shift;
988     my $flagsrequired = shift;
989
990     my $dbh     = C4::Context->dbh;
991     my $timeout = C4::Context->preference('timeout');
992     $timeout = 600 unless $timeout;
993
994     unless (C4::Context->preference('Version')) {
995         # database has not been installed yet
996         return ("maintenance", undef, undef);
997     }
998     my $kohaversion=C4::Context::KOHAVERSION;
999     $kohaversion =~ s/(.*\..*)\.(.*)\.(.*)/$1$2$3/;
1000     if (C4::Context->preference('Version') < $kohaversion) {
1001         # database in need of version update; assume that
1002         # no API should be called while databsae is in
1003         # this condition.
1004         return ("maintenance", undef, undef);
1005     }
1006
1007     # FIXME -- most of what follows is a copy-and-paste
1008     # of code from checkauth.  There is an obvious need
1009     # for refactoring to separate the various parts of
1010     # the authentication code, but as of 2007-11-19 this
1011     # is deferred so as to not introduce bugs into the
1012     # regular authentication code for Koha 3.0.
1013
1014     # see if we have a valid session cookie already
1015     # however, if a userid parameter is present (i.e., from
1016     # a form submission, assume that any current cookie
1017     # is to be ignored
1018     my $sessionID = undef;
1019     unless ($query->param('userid')) {
1020         $sessionID = $query->cookie("CGISESSID");
1021     }
1022     if ($sessionID) {
1023         my $session = get_session($sessionID);
1024         C4::Context->_new_userenv($sessionID);
1025         if ($session) {
1026             C4::Context::set_userenv(
1027                 $session->param('number'),       $session->param('id'),
1028                 $session->param('cardnumber'),   $session->param('firstname'),
1029                 $session->param('surname'),      $session->param('branch'),
1030                 $session->param('branchname'),   $session->param('flags'),
1031                 $session->param('emailaddress'), $session->param('branchprinter')
1032             );
1033
1034             my $ip = $session->param('ip');
1035             my $lasttime = $session->param('lasttime');
1036             my $userid = $session->param('id');
1037             if ( $lasttime < time() - $timeout ) {
1038                 # time out
1039                 $session->delete();
1040                 C4::Context->_unset_userenv($sessionID);
1041                 $userid    = undef;
1042                 $sessionID = undef;
1043                 return ("expired", undef, undef);
1044             } elsif ( $ip ne $ENV{'REMOTE_ADDR'} ) {
1045                 # IP address changed
1046                 $session->delete();
1047                 C4::Context->_unset_userenv($sessionID);
1048                 $userid    = undef;
1049                 $sessionID = undef;
1050                 return ("expired", undef, undef);
1051             } else {
1052                 my $cookie = $query->cookie( CGISESSID => $session->id );
1053                 $session->param('lasttime',time());
1054                 my $flags = haspermission($userid, $flagsrequired);
1055                 if ($flags) {
1056                     return ("ok", $cookie, $sessionID);
1057                 } else {
1058                     $session->delete();
1059                     C4::Context->_unset_userenv($sessionID);
1060                     $userid    = undef;
1061                     $sessionID = undef;
1062                     return ("failed", undef, undef);
1063                 }
1064             }
1065         } else {
1066             return ("expired", undef, undef);
1067         }
1068     } else {
1069         # new login
1070         my $userid = $query->param('userid');
1071         my $password = $query->param('password');
1072         unless ($userid and $password) {
1073             # caller did something wrong, fail the authenticateion
1074             return ("failed", undef, undef);
1075         }
1076         my ($return, $cardnumber);
1077         if ($cas && $query->param('ticket')) {
1078             my $retuserid;
1079             ( $return, $cardnumber, $retuserid ) = checkpw( $dbh, $userid, $password, $query );
1080             $userid = $retuserid;
1081         } else {
1082             ( $return, $cardnumber ) = checkpw( $dbh, $userid, $password, $query );
1083         }
1084         if ($return and haspermission(  $userid, $flagsrequired)) {
1085             my $session = get_session("");
1086             return ("failed", undef, undef) unless $session;
1087
1088             my $sessionID = $session->id;
1089             C4::Context->_new_userenv($sessionID);
1090             my $cookie = $query->cookie(CGISESSID => $sessionID);
1091             if ( $return == 1 ) {
1092                 my (
1093                     $borrowernumber, $firstname,  $surname,
1094                     $userflags,      $branchcode, $branchname,
1095                     $branchprinter,  $emailaddress
1096                 );
1097                 my $sth =
1098                   $dbh->prepare(
1099 "select borrowernumber, firstname, surname, flags, borrowers.branchcode, branches.branchname as branchname,branches.branchprinter as branchprinter, email from borrowers left join branches on borrowers.branchcode=branches.branchcode where userid=?"
1100                   );
1101                 $sth->execute($userid);
1102                 (
1103                     $borrowernumber, $firstname,  $surname,
1104                     $userflags,      $branchcode, $branchname,
1105                     $branchprinter,  $emailaddress
1106                 ) = $sth->fetchrow if ( $sth->rows );
1107
1108                 unless ($sth->rows ) {
1109                     my $sth = $dbh->prepare(
1110 "select borrowernumber, firstname, surname, flags, borrowers.branchcode, branches.branchname as branchname, branches.branchprinter as branchprinter, email from borrowers left join branches on borrowers.branchcode=branches.branchcode where cardnumber=?"
1111                       );
1112                     $sth->execute($cardnumber);
1113                     (
1114                         $borrowernumber, $firstname,  $surname,
1115                         $userflags,      $branchcode, $branchname,
1116                         $branchprinter,  $emailaddress
1117                     ) = $sth->fetchrow if ( $sth->rows );
1118
1119                     unless ( $sth->rows ) {
1120                         $sth->execute($userid);
1121                         (
1122                             $borrowernumber, $firstname, $surname, $userflags,
1123                             $branchcode, $branchname, $branchprinter, $emailaddress
1124                         ) = $sth->fetchrow if ( $sth->rows );
1125                     }
1126                 }
1127
1128                 my $ip       = $ENV{'REMOTE_ADDR'};
1129                 # if they specify at login, use that
1130                 if ($query->param('branch')) {
1131                     $branchcode  = $query->param('branch');
1132                     $branchname = GetBranchName($branchcode);
1133                 }
1134                 my $branches = GetBranches();
1135                 my @branchesloop;
1136                 foreach my $br ( keys %$branches ) {
1137                     #     now we work with the treatment of ip
1138                     my $domain = $branches->{$br}->{'branchip'};
1139                     if ( $domain && $ip =~ /^$domain/ ) {
1140                         $branchcode = $branches->{$br}->{'branchcode'};
1141
1142                         # new op dev : add the branchprinter and branchname in the cookie
1143                         $branchprinter = $branches->{$br}->{'branchprinter'};
1144                         $branchname    = $branches->{$br}->{'branchname'};
1145                     }
1146                 }
1147                 $session->param('number',$borrowernumber);
1148                 $session->param('id',$userid);
1149                 $session->param('cardnumber',$cardnumber);
1150                 $session->param('firstname',$firstname);
1151                 $session->param('surname',$surname);
1152                 $session->param('branch',$branchcode);
1153                 $session->param('branchname',$branchname);
1154                 $session->param('flags',$userflags);
1155                 $session->param('emailaddress',$emailaddress);
1156                 $session->param('ip',$session->remote_addr());
1157                 $session->param('lasttime',time());
1158             } elsif ( $return == 2 ) {
1159                 #We suppose the user is the superlibrarian
1160                 $session->param('number',0);
1161                 $session->param('id',C4::Context->config('user'));
1162                 $session->param('cardnumber',C4::Context->config('user'));
1163                 $session->param('firstname',C4::Context->config('user'));
1164                 $session->param('surname',C4::Context->config('user'));
1165                 $session->param('branch','NO_LIBRARY_SET');
1166                 $session->param('branchname','NO_LIBRARY_SET');
1167                 $session->param('flags',1);
1168                 $session->param('emailaddress', C4::Context->preference('KohaAdminEmailAddress'));
1169                 $session->param('ip',$session->remote_addr());
1170                 $session->param('lasttime',time());
1171             }
1172             C4::Context::set_userenv(
1173                 $session->param('number'),       $session->param('id'),
1174                 $session->param('cardnumber'),   $session->param('firstname'),
1175                 $session->param('surname'),      $session->param('branch'),
1176                 $session->param('branchname'),   $session->param('flags'),
1177                 $session->param('emailaddress'), $session->param('branchprinter')
1178             );
1179             return ("ok", $cookie, $sessionID);
1180         } else {
1181             return ("failed", undef, undef);
1182         }
1183     }
1184 }
1185
1186 =item check_cookie_auth
1187
1188   ($status, $sessionId) = check_api_auth($cookie, $userflags);
1189
1190 Given a CGISESSID cookie set during a previous login to Koha, determine
1191 if the user has the privileges specified by C<$userflags>.
1192
1193 C<check_cookie_auth> is meant for authenticating special services
1194 such as tools/upload-file.pl that are invoked by other pages that
1195 have been authenticated in the usual way.
1196
1197 Possible return values in C<$status> are:
1198
1199 =over 4
1200
1201 =item "ok" -- user authenticated; C<$sessionID> have valid values.
1202
1203 =item "failed" -- credentials are not correct; C<$sessionid> are undef
1204
1205 =item "maintenance" -- DB is in maintenance mode; no login possible at the moment
1206
1207 =item "expired -- session cookie has expired; API user should resubmit userid and password
1208
1209 =back
1210
1211 =cut
1212
1213 sub check_cookie_auth {
1214     my $cookie = shift;
1215     my $flagsrequired = shift;
1216
1217     my $dbh     = C4::Context->dbh;
1218     my $timeout = C4::Context->preference('timeout');
1219     $timeout = 600 unless $timeout;
1220
1221     unless (C4::Context->preference('Version')) {
1222         # database has not been installed yet
1223         return ("maintenance", undef);
1224     }
1225     my $kohaversion=C4::Context::KOHAVERSION;
1226     $kohaversion =~ s/(.*\..*)\.(.*)\.(.*)/$1$2$3/;
1227     if (C4::Context->preference('Version') < $kohaversion) {
1228         # database in need of version update; assume that
1229         # no API should be called while databsae is in
1230         # this condition.
1231         return ("maintenance", undef);
1232     }
1233
1234     # FIXME -- most of what follows is a copy-and-paste
1235     # of code from checkauth.  There is an obvious need
1236     # for refactoring to separate the various parts of
1237     # the authentication code, but as of 2007-11-23 this
1238     # is deferred so as to not introduce bugs into the
1239     # regular authentication code for Koha 3.0.
1240
1241     # see if we have a valid session cookie already
1242     # however, if a userid parameter is present (i.e., from
1243     # a form submission, assume that any current cookie
1244     # is to be ignored
1245     unless (defined $cookie and $cookie) {
1246         return ("failed", undef);
1247     }
1248     my $sessionID = $cookie;
1249     my $session = get_session($sessionID);
1250     C4::Context->_new_userenv($sessionID);
1251     if ($session) {
1252         C4::Context::set_userenv(
1253             $session->param('number'),       $session->param('id'),
1254             $session->param('cardnumber'),   $session->param('firstname'),
1255             $session->param('surname'),      $session->param('branch'),
1256             $session->param('branchname'),   $session->param('flags'),
1257             $session->param('emailaddress'), $session->param('branchprinter')
1258         );
1259
1260         my $ip = $session->param('ip');
1261         my $lasttime = $session->param('lasttime');
1262         my $userid = $session->param('id');
1263         if ( $lasttime < time() - $timeout ) {
1264             # time out
1265             $session->delete();
1266             C4::Context->_unset_userenv($sessionID);
1267             $userid    = undef;
1268             $sessionID = undef;
1269             return ("expired", undef);
1270         } elsif ( $ip ne $ENV{'REMOTE_ADDR'} ) {
1271             # IP address changed
1272             $session->delete();
1273             C4::Context->_unset_userenv($sessionID);
1274             $userid    = undef;
1275             $sessionID = undef;
1276             return ("expired", undef);
1277         } else {
1278             $session->param('lasttime',time());
1279             my $flags = haspermission($userid, $flagsrequired);
1280             if ($flags) {
1281                 return ("ok", $sessionID);
1282             } else {
1283                 $session->delete();
1284                 C4::Context->_unset_userenv($sessionID);
1285                 $userid    = undef;
1286                 $sessionID = undef;
1287                 return ("failed", undef);
1288             }
1289         }
1290     } else {
1291         return ("expired", undef);
1292     }
1293 }
1294
1295 =item get_session
1296
1297   use CGI::Session;
1298   my $session = get_session($sessionID);
1299
1300 Given a session ID, retrieve the CGI::Session object used to store
1301 the session's state.  The session object can be used to store
1302 data that needs to be accessed by different scripts during a
1303 user's session.
1304
1305 If the C<$sessionID> parameter is an empty string, a new session
1306 will be created.
1307
1308 =cut
1309
1310 sub get_session {
1311     my $sessionID = shift;
1312     my $storage_method = C4::Context->preference('SessionStorage');
1313     my $dbh = C4::Context->dbh;
1314     my $session;
1315     if ($storage_method eq 'mysql'){
1316         $session = new CGI::Session("driver:MySQL;serializer:yaml;id:md5", $sessionID, {Handle=>$dbh});
1317     }
1318     elsif ($storage_method eq 'Pg') {
1319         $session = new CGI::Session("driver:PostgreSQL;serializer:yaml;id:md5", $sessionID, {Handle=>$dbh});
1320     }
1321     else {
1322         # catch all defaults to tmp should work on all systems
1323         $session = new CGI::Session("driver:File;serializer:yaml;id:md5", $sessionID, {Directory=>'/tmp'});
1324     }
1325     return $session;
1326 }
1327
1328 sub checkpw {
1329
1330     my ( $dbh, $userid, $password, $query ) = @_;
1331     if ($ldap) {
1332         $debug and print "## checkpw - checking LDAP\n";
1333         my ($retval,$retcard) = checkpw_ldap(@_);    # EXTERNAL AUTH
1334         ($retval) and return ($retval,$retcard);
1335     }
1336
1337     if ($cas && $query->param('ticket')) {
1338         $debug and print STDERR "## checkpw - checking CAS\n";
1339         # In case of a CAS authentication, we use the ticket instead of the password
1340         my $ticket = $query->param('ticket');
1341         my ($retval,$retcard,$retuserid) = checkpw_cas($dbh, $ticket, $query);    # EXTERNAL AUTH
1342         ($retval) and return ($retval,$retcard,$retuserid);
1343         return 0;
1344     }
1345
1346     # INTERNAL AUTH
1347     my $sth =
1348       $dbh->prepare(
1349 "select password,cardnumber,borrowernumber,userid,firstname,surname,branchcode,flags from borrowers where userid=?"
1350       );
1351     $sth->execute($userid);
1352     if ( $sth->rows ) {
1353         my ( $md5password, $cardnumber, $borrowernumber, $userid, $firstname,
1354             $surname, $branchcode, $flags )
1355           = $sth->fetchrow;
1356         if ( md5_base64($password) eq $md5password and $md5password ne "!") {
1357
1358             C4::Context->set_userenv( "$borrowernumber", $userid, $cardnumber,
1359                 $firstname, $surname, $branchcode, $flags );
1360             return 1, $cardnumber;
1361         }
1362     }
1363     $sth =
1364       $dbh->prepare(
1365 "select password,cardnumber,borrowernumber,userid, firstname,surname,branchcode,flags from borrowers where cardnumber=?"
1366       );
1367     $sth->execute($userid);
1368     if ( $sth->rows ) {
1369         my ( $md5password, $cardnumber, $borrowernumber, $userid, $firstname,
1370             $surname, $branchcode, $flags )
1371           = $sth->fetchrow;
1372         if ( md5_base64($password) eq $md5password ) {
1373
1374             C4::Context->set_userenv( $borrowernumber, $userid, $cardnumber,
1375                 $firstname, $surname, $branchcode, $flags );
1376             return 1, $userid;
1377         }
1378     }
1379     if (   $userid && $userid eq C4::Context->config('user')
1380         && "$password" eq C4::Context->config('pass') )
1381     {
1382
1383 # Koha superuser account
1384 #     C4::Context->set_userenv(0,0,C4::Context->config('user'),C4::Context->config('user'),C4::Context->config('user'),"",1);
1385         return 2;
1386     }
1387     if (   $userid && $userid eq 'demo'
1388         && "$password" eq 'demo'
1389         && C4::Context->config('demo') )
1390     {
1391
1392 # DEMO => the demo user is allowed to do everything (if demo set to 1 in koha.conf
1393 # some features won't be effective : modify systempref, modify MARC structure,
1394         return 2;
1395     }
1396     return 0;
1397 }
1398
1399 =item getuserflags
1400
1401     my $authflags = getuserflags($flags, $userid, [$dbh]);
1402
1403 Translates integer flags into permissions strings hash.
1404
1405 C<$flags> is the integer userflags value ( borrowers.userflags )
1406 C<$userid> is the members.userid, used for building subpermissions
1407 C<$authflags> is a hashref of permissions
1408
1409 =cut
1410
1411 sub getuserflags {
1412     my $flags   = shift;
1413     my $userid  = shift;
1414     my $dbh     = @_ ? shift : C4::Context->dbh;
1415     my $userflags;
1416     $flags = 0 unless $flags;
1417     my $sth = $dbh->prepare("SELECT bit, flag, defaulton FROM userflags");
1418     $sth->execute;
1419
1420     while ( my ( $bit, $flag, $defaulton ) = $sth->fetchrow ) {
1421         if ( ( $flags & ( 2**$bit ) ) || $defaulton ) {
1422             $userflags->{$flag} = 1;
1423         }
1424         else {
1425             $userflags->{$flag} = 0;
1426         }
1427     }
1428
1429     # get subpermissions and merge with top-level permissions
1430     my $user_subperms = get_user_subpermissions($userid);
1431     foreach my $module (keys %$user_subperms) {
1432         next if $userflags->{$module} == 1; # user already has permission for everything in this module
1433         $userflags->{$module} = $user_subperms->{$module};
1434     }
1435
1436     return $userflags;
1437 }
1438
1439 =item get_user_subpermissions
1440
1441 =over 4
1442
1443 my $user_perm_hashref = get_user_subpermissions($userid);
1444
1445 =back
1446
1447 Given the userid (note, not the borrowernumber) of a staff user,
1448 return a hashref of hashrefs of the specific subpermissions
1449 accorded to the user.  An example return is
1450
1451 {
1452     tools => {
1453         export_catalog => 1,
1454         import_patrons => 1,
1455     }
1456 }
1457
1458 The top-level hash-key is a module or function code from
1459 userflags.flag, while the second-level key is a code
1460 from permissions.
1461
1462 The results of this function do not give a complete picture
1463 of the functions that a staff user can access; it is also
1464 necessary to check borrowers.flags.
1465
1466 =cut
1467
1468 sub get_user_subpermissions {
1469     my $userid = shift;
1470
1471     my $dbh = C4::Context->dbh;
1472     my $sth = $dbh->prepare("SELECT flag, user_permissions.code
1473                              FROM user_permissions
1474                              JOIN permissions USING (module_bit, code)
1475                              JOIN userflags ON (module_bit = bit)
1476                              JOIN borrowers USING (borrowernumber)
1477                              WHERE userid = ?");
1478     $sth->execute($userid);
1479
1480     my $user_perms = {};
1481     while (my $perm = $sth->fetchrow_hashref) {
1482         $user_perms->{$perm->{'flag'}}->{$perm->{'code'}} = 1;
1483     }
1484     return $user_perms;
1485 }
1486
1487 =item get_all_subpermissions
1488
1489 =over 4
1490
1491 my $perm_hashref = get_all_subpermissions();
1492
1493 =back
1494
1495 Returns a hashref of hashrefs defining all specific
1496 permissions currently defined.  The return value
1497 has the same structure as that of C<get_user_subpermissions>,
1498 except that the innermost hash value is the description
1499 of the subpermission.
1500
1501 =cut
1502
1503 sub get_all_subpermissions {
1504     my $dbh = C4::Context->dbh;
1505     my $sth = $dbh->prepare("SELECT flag, code, description
1506                              FROM permissions
1507                              JOIN userflags ON (module_bit = bit)");
1508     $sth->execute();
1509
1510     my $all_perms = {};
1511     while (my $perm = $sth->fetchrow_hashref) {
1512         $all_perms->{$perm->{'flag'}}->{$perm->{'code'}} = $perm->{'description'};
1513     }
1514     return $all_perms;
1515 }
1516
1517 =item haspermission
1518
1519   $flags = ($userid, $flagsrequired);
1520
1521 C<$userid> the userid of the member
1522 C<$flags> is a hashref of required flags like C<$borrower-&lt;{authflags}> 
1523
1524 Returns member's flags or 0 if a permission is not met.
1525
1526 =cut
1527
1528 sub haspermission {
1529     my ($userid, $flagsrequired) = @_;
1530     my $sth = C4::Context->dbh->prepare("SELECT flags FROM borrowers WHERE userid=?");
1531     $sth->execute($userid);
1532     my $flags = getuserflags( $sth->fetchrow(), $userid );
1533     if ( $userid eq C4::Context->config('user') ) {
1534         # Super User Account from /etc/koha.conf
1535         $flags->{'superlibrarian'} = 1;
1536     }
1537     elsif ( $userid eq 'demo' && C4::Context->config('demo') ) {
1538         # Demo user that can do "anything" (demo=1 in /etc/koha.conf)
1539         $flags->{'superlibrarian'} = 1;
1540     }
1541     return $flags if $flags->{superlibrarian};
1542     foreach my $module ( keys %$flagsrequired ) {
1543         if (C4::Context->preference('GranularPermissions')) {
1544             my $subperm = $flagsrequired->{$module};
1545             if ($subperm eq '*') {
1546                 return 0 unless ( $flags->{$module} == 1 or ref($flags->{$module}) );
1547             } else {
1548                 return 0 unless ( $flags->{$module} == 1 or
1549                                     ( ref($flags->{$module}) and
1550                                       exists $flags->{$module}->{$subperm} and
1551                                       $flags->{$module}->{$subperm} == 1
1552                                     )
1553                                 );
1554             }
1555         } else {
1556             return 0 unless ( $flags->{$module} );
1557         }
1558     }
1559     return $flags;
1560     #FIXME - This fcn should return the failed permission so a suitable error msg can be delivered.
1561 }
1562
1563
1564 sub getborrowernumber {
1565     my ($userid) = @_;
1566     my $userenv = C4::Context->userenv;
1567     if ( defined( $userenv ) && ref( $userenv ) eq 'HASH' && $userenv->{number} ) {
1568         return $userenv->{number};
1569     }
1570     my $dbh = C4::Context->dbh;
1571     for my $field ( 'userid', 'cardnumber' ) {
1572         my $sth =
1573           $dbh->prepare("select borrowernumber from borrowers where $field=?");
1574         $sth->execute($userid);
1575         if ( $sth->rows ) {
1576             my ($bnumber) = $sth->fetchrow;
1577             return $bnumber;
1578         }
1579     }
1580     return 0;
1581 }
1582
1583 END { }    # module clean-up code here (global destructor)
1584 1;
1585 __END__
1586
1587 =back
1588
1589 =head1 SEE ALSO
1590
1591 CGI(3)
1592
1593 C4::Output(3)
1594
1595 Digest::MD5(3)
1596
1597 =cut