Commit graph

555 commits

Author SHA1 Message Date
3640130d1f
Bug 22929: Allow SCI/SCO logins independent of GDPR_Policy
This patch makes Auth skip the GDPR policy check when get_template_and_user
is called for sci/sco (self checkin, checkout).
I do not really like the change in this form but the nature of self checkin
and checkout kind of dictate it (double hack).
I wanted to add a test but since that asks for mocking CGI, checkauth, etc.
the time needed for that is just too much for this simple change.

Test plan:
Enable GDPR_Policy and self checkin/checkout.
Verify that using patrons without consent is not blocking sci/sco.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-09-09 11:15:11 +01:00
f9572dd1ac
Bug 23253: Fix OpacNavRight for self reg by email
The code expects to display OpacNavRight content at the bottom of the
login form when a user just registered.

Test plan:
- Turn PatronSelfRegistrationVerifyByEmail on
- Register a patron
- Confirm by clicking on the link you received by email (or see the
message_queue table)
=> The OpacNavRight content should be displayed

QA Note: This code smells, the code in the pl should not be needed.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-08-15 09:19:28 +01:00
b558895898
Bug 23078: (follow-up) Update self checkout help page
This patch takes care of some preference instances I missed in the self
checkout module's help page. It also removes some obsolete lines from
Auth.pm.

To test, apply the patch and re-test based on the previous test plan.
Also test in the self-checkout module by logging into self checkout and
clicking the "Help" link in the upper right of the screen.

The settings of the following preferences should be shown correctly:

 - OpacFavicon
 - OPACUserCSS

Signed-off-by: frederik chenier <frederik.chenier@inlibro.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-07-19 15:58:48 +01:00
6a222fa2af
Bug 23078: Use Koha.Preference in OPAC global header include
This patch updates the OPAC's doc-head-close.inc so that it uses
'Koha.Preference' syntax to output system preference data. The patch
removes handling of two preferences from Auth.pm which are covered
by this template change.

This patch also makes some minor changes to consolidate multiple
template checks for "bidi"

To test, apply the patch and test the affected OPAC system preferences:

 - OpacFavicon
 - opaclayoutstylesheet
 - OPACUserCSS
 - OPACBaseURL

Confirm that changes made to these preferences are reflected in the
OPAC.

Signed-off-by: frederik <frederik@inlibro.com>
Signed-off-by: Nadine Pierre <nadine.pierre@inLibro.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-07-19 15:58:26 +01:00
Mark Tompsett
a4f5cc4d66 Bug 14407: Follow up to add test case and clean noise
Comment #28 has a /36 which is invalid CIDR.
This triggers a crash and noise.
This cleans up the crash and noise, and adds
test cases to check for them.

prove t/Auth.t
-- before missing null case, and /36 case.
-- after null case, and /36 with/without warnings.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Hayley Mapley <hayleymapley@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-05-10 11:39:50 +00:00
Nicholas can Oudtshoorn
30f0e7fec9 Bug 14407: Allow restricting SCO to IP or IP range
Converted this to actual applicable patches.
I think the test plan is comment #28. -- Mark Tompsett

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-05-10 11:39:50 +00:00
456a7ae6d4 Bug 22692: Check for patron using cardnumber and userid
To test:
1 - Set failed login attempts to 1
2 - Attempt a login with a userid and bad password, no success
3 - Attempt a login with userid and correct password, prevented because
locked
4 - Attempt a login with cardnumber and right password, you are logged
in
5 - Log out, try again with userid and correct password, prevented
because locked?
6 - Apply patch
7 - Repeat 1-3 to lock account
8 - Attempt logging in with cardnumber, you are prevented

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-05-02 13:39:06 +00:00
4c01891613 Bug 20128: (QA follow-up) Corrections to haspermission
The haspermission routine wrongly assumed that get_user_subpermissions
would return a list of all subpermissions if the user had the top level
permission, but instead it just returns 1.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-04-17 12:25:26 +00:00
71f17b35ee Bug 21336: Do not increase login_attempts after locking
If an account has been locked, there is no use to keep increasing this
number. It is not true too; after the pref number has been reached,
we can not really speak of login attempts anymore. The credentials are
just ignored.

Adding a dbrev to put existing values in line. And a simple test in
Auth.t to confirm that login_attempts stop increasing.

Note: It feels safe to keep the '>=' condition in account_locked. But it
could obviously be changed to '=='. (Added a test for that.)

Note: Adding a mock_preference in Auth.t too for GDPR_Policy. Since not all
tests will pass when the pref is enabled (though disabled by default).

Test plan:
Run dbrev with updatedatabase.pl.
Run t/db_dependent/Koha/Patrons.t
Run t/db_dependent/Auth.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-04-17 12:25:23 +00:00
Liz Rea
8c038b9eab Bug 18387: (QA Follow up) adding specificity to error template.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-04-12 01:47:23 +00:00
2ecca43004 Bug 18387: Allow sco-user to access errors templates
To test:
 1 - Enable AuthoSelfCheck prefs
 2 - In opacuserjs or scouserjs add a fetch of an unreachable resource
 3 - Visit the SCO
 4 - Sign in as a patron then click 'finish'
 5 - Say 'yes' to receipt
 6 - Note you are directed to log in
 7 - Apply patch
 8 - Restart all the things
 9 - Repeat 4 & 5
10 - Success, receipt prints

Signed-off-by: Liz Rea <wizzyrea@gmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-04-12 01:47:21 +00:00
c5bc2563a8 Bug 22600: Add 'api' to interface types and set appropriately
This patch adds 'api' as a valid interface and sets it appropriately for
both the new REST api and previous /svc/ api's.  Handling to keep the
interface of a logged in session is included such that if the OPAC or
Intranet use the API's internally via a Cookie we will maintain the
interface throughout the session.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-04-10 19:43:11 +00:00
4cffd7e267 Bug 22483: Restore exact behaviour of undef
Passing undef (or nothing) as $flagsrequired to haspermission simply
returned the return from fetchrow prior to this patch. Restoring that
behaviour.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2019-03-09 05:16:40 -03:00
088e0243bf Bug 22483: Restore undef behaviour
Turns out that we rely heavily on the side effect that passing undef
to haspermission would always return true no matter what permissions
or lack of permissions you had.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2019-03-08 15:53:10 -03:00
6b457885cd Bug 22483: (QA follow-up) Corrections to logic in check_cookie_auth
check_cookie_auth needs to allow for cases where we wish to check for
ANY permission and cases where we wish to skip the permissions check
entirely and just authenticate the session.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2019-03-08 15:26:05 -03:00
32551fffdb Bug 22483: (follow-up) Improve POD as requested in bug 22031
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2019-03-08 15:26:04 -03:00
cc67ff26aa Bug 22483: Explicitly ban 'undef' as a valid $flagsrequired
Before bug 22031 the haspermission subroutine signature allowed for
passing 'undef' to mean 'any permission' in $flagsrequired.  This feels
like a mistake and was only in practical use in two places in the
codebase.

This patch explicitly forbids this practice (`*` may be used to the same
result and is more explicit in its nature) and replaces the two
instances of its use.

Test Plan
1. Before this patch, the API tests are all failing with authentication
errors
2. After this patch the API tests should now all pass.
3. t/db_dependent/Auth/haspermission.t should continue to pass (with one
additional subtest added herein)
4. /svc/members/search is not unit tested. Please check that patron
searching still yields results in the UI after this patch.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2019-03-08 15:26:04 -03:00
a8be1966f3 Bug 22031: Add SQL::Abstract like syntax to haspermission
This patch adds an SQL::Abstract inspired query syntax to the
haspermission method in C4::Auth.  One can now pass Arrayrefs to denote
an OR list of flags, a Hashref to denote an AND list of flags.

Structures can be nested at arbitrary depth.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-03-07 20:50:26 +00:00
4c0682f559 Bug 21911: Fix OPAC scoping to work with new group system
To test:

0 - Apply patch
1 - Create a library group enabled for opac search limits and add some
libraries
2 - Check the DB (or advanced search dropdown) to get the id of the
group (using 7 as example below)
3 - Add to apache configuration (OPAC virtualhost)
   SetEnv OPAC_SEARCH_LIMIT branch:multibranchlimit-7
   SetEnv OPAC_LIMIT_OVERRIDE 1
   RequestHeader add X-Koha-SetEnv "OPAC_SEARCH_LIMIT branch:multibranchlimit-7"
   RequestHeader add X-Koha-SetEnv "OPAC_LIMIT_OVERRIDE 1"
4 - Ensure OpacAddMastheadLibraryPulldown is disabled
5 - Restart all the things
6 - Visit the opac
7 - Perform a search, confirm it is scoped to the branches in the group

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-12-11 19:12:39 +00:00
b2ff7223b7 Bug 11897: 'superlibrarian' has 'stockrotation' perms
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-09 15:46:07 +00:00
4febf0656c Bug 17776: (QA follow-up) Remove shibboleth package variables
This is about $shib and $shib_login.
We move in the right direction by calling get_login_shib in
get_template_and_user and checkauth. In the same line we can do the
shib_ok check at that time (just checking cached values). This paves
the way for the third subroutine using the two package vars: checkpw.
Note that checkpw is also called outside Auth.pm. So I would be more
comfortable if we do the same calls like in checkauth and remove both
variables from the package level (especially under Plack of course).

The former changes actually justify a 'use C4::Auth_with_shibboleth'
instead of the current require and import.

Note: When calling checkpw from checkauth, we are calling get_login_shib
twice now. But the time involved for doing so is around zero (cache), so
not really an argument for extra parameters and more complex code.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-09 15:02:50 +00:00
ea74ed5766 Bug 17776: Enable Shibboleth for Plack
https://bugs.koha-community.org/show_bug.cgi?id=17776

Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-09 15:02:48 +00:00
Julian Maurice
cee35f3a78 Bug 12027: (QA follow-up) Fix spelling and tab characters
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-01 13:56:31 +00:00
9df099dc11 Bug 12027: Added shibboleth authentication to the staff client
- This patch adds shibboleth authentication to the staff client.
- Depending upon how your url structure works, you may or may not need a
  second native shibboleth service provider profile configured for this
  to work.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-01 13:56:30 +00:00
c6a26d2c9e Bug 21323: Handle multi params in redirect after login
Multi params are not handled correctly after login

Test plan:
[0] Use staff interface
[1] Use advanced search and tick itemtype more than one checkbox
[2] Copy result url
[3] Logout
[4] Paste url in browser
[5] Type username and password
[6] In search result page, results limit description under breadcrumbs
will show all limits

Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-09-26 15:43:58 +00:00
6f2a0acc2d Bug 20819: Add check in get_template_and_user to enforce GDPR
If you choose to enforce GDPR policy, a user needs to give consent for
data processing before he does something else in the OPAC while being
logged in.

Test plan:
[1] Set GDPR_Policy to Disabled or Permissive. Usual behavior.
[2] Set to Enforced. Save a refusal on your consents. Notice that
    you are logged out when saving. When you login again, all OPAC
    requests are redirected to your consents tab.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-09-20 13:45:26 +00:00
331af8521b Bug 13779: sessionID declared twice in C4::Auth::checkauth()
The bug is that $sessionID is declared twice in C4::Auth::checkauth().
At the moment, this doesn't actually create a problem, because no
one seems to be using the $sessionID which is returned by checkauth(),
except in the case of opac/external/overdrive/auth.pl which skips
the second declaration as it doesn't require auth.

This patch removes the redefining of the $sessionID variable.

In terms of testing, try logging in with a username and password
and see if it works. The only risk this patch would pose is breaking
auth I would think, since nothing is actually using the return value
from checkauth() for $sessionID.

NOTE:
It was initially defined near the top of the function (~line 791).
I believe the scoping would mean the correct version of $sessionID
would be used in the latter lines for the unset'ing.
I have skimmed code to see if the sessionID return value is used.
I did not test overdrive, as I do not know how. However, this is
the only area, I think this could possibly break. This change makes
sense to me.

QA: Please test overdrive.
opac/external/overdrive/auth.pl only checks if the value is set, so
   this patch might fix/break something there?
opac/svc/overdrive same kind of check.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
This is a (tiny) code improvement. Now we consistently return the session
id that is also stored in the returned cookie. (Which can be an 'anon'
session.)
Fact is that Koha almost everywhere ignores the returned session id and
sometimes gets the session from the cookie (obviously). The session id is
also passed to the template by get_template_and_user but never used in
templates.
As mentioned, the two overdrive scripts are the exception. But since both
test on both $user && $sessionID, they will not choke on an anonymous
session id without userid. So theoretically fine, but not tested.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-09-14 17:27:28 +00:00
be691d86e3 Bug 21096: Do not display loggedinusername in template
This patch is a little fix for a much bigger hidden issue.

The original issue:
1. Set the firstname and surname values of a patron to utf-8 characters
("wide characters"), for instance 月月
2. Use this patron to login at the staff interface
=> In the header the logged in patron's info (concat of firstname and
surname) are displayed correctly
3. Hit whatever link
=> In the header the info are now displayed incorrectly
("ææ")

What happens?
After the user logs in, loggedinusername is set with the value from
the DB (borrowers.userid)
On next hits it is picked from the session (which contains the decoded
utf8 value, see first lines of C4::Context->set_userenv)
From C4::Auth::checkauth:
834             $s_userid = $session->param('id') // ''

The quick fix is to use the logged_in_user variable in the template, but
it seems that issues may occur if external authentication is used
(ldap, shib, cas). Could someone test this?

Test plan:
Make sure the original issue is fixed

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-30 13:40:31 +00:00
889f148e4e Bug 21137: Replace USER_INFO with logged_in_user
This patch set does several things:
- it removes USER_INFO and BORROWER_INFO
These 2 variables contained logged-in patron's info. They must be
accessed from logged_in_user
- Use patron-title.inc for the breadcrumb at the OPAC, for consistency

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-14 12:43:10 +00:00
d90ff21454 Bug 17698: Do not send pending_checkout_notes from all circ scripts
It's safer to send what we need from C4::Auth it's needed from a whole
module.
The SELECT COUNT(*) query will only be done when needed (so not made
from scripts outside of circ)

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-07-23 15:23:44 +00:00
6965c58308 Bug 20879: Fix regression in shibboleth when ldap enabled
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-22 20:13:13 +00:00
05812dbbba Bug 20727: (QA follow-up) Remove a few use statements again
We do no longer need "use Koha::UploadedFile" in a few places.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-22 16:10:10 +00:00
Kyle M Hall
3ff7c27d98 Bug 20727: Move temporary_directory() to C4::Context
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-22 16:10:09 +00:00
Kyle M Hall
c2b0c92800 Bug 20727: Replace usage of File::Spec->tmpdir with Koha::UploadedFile->temporary_directory
As explained in bug 20428 use tmpdir can cause issues and it just makes sense to standardize our temp directory in a universal way.

Test Plan:
1) Apply this patch
2) Verify you can still log in and use Koha
3) Verify the web installer still works
4) Verify EDI module can still download files via FTP
5) Verify fines.pl still runs with -o option
6) prove t/db_dependent/Plugins.t
7) prove t/db_dependent/Sitemapper.t
8) prove t/db_dependent/Templates.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-22 16:10:08 +00:00
Katrin Fischer
870913b3c3 Bug 2426: Remove deprecated management permission
After review of the code it turns out that the management permission
that has been marked as deprecated a long time ago, does not have
any function.

The patch removes all remaining code related to it.

To test:
- Make sure you have a patron with the management permission
- Apply patch
- Run database update
- Check everything still works as expected

Bonus:
borrowers.flags is recalculated for patrons with management
permission.

To check:
- Create some 'permission twins' with and without management
  permission
- Note the value in borrowers.flags
- Apply patch, don't run database update
- Save permissions from GUI for one of the twins
- Note the newly calculated value
- Run database update
- Now both twins should have the same borrowers.flags value

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-08 12:17:25 +00:00
421746dd63 Bug 20877: Do not consider DB user has permissions
Test plan:
0/ Do not apply the patch
1/ Confirm the new test fails
2/ Apply the patch
3/ Confirm the new test passes
4/ Test the installation process

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-08 10:43:37 +00:00
3d68ab447e Bug 18821: (QA follow-up) Last tweaks for performance
[1] passing unsafe has no use since it is a scalar, removed it to unconfuse
[2] remove caching when pref is disabled
[3] caching userid removes the need for calling Patron->find each time
[4] subsequent changes in unit test
[5] cosmetic renames to move from session to daily basis (changed dev angle)

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
First call going thru Koha::Patron takes about 0.0150 sec.
Subsequent calls only use caching and take about 0.0006 sec.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-08 10:30:17 +00:00
495512f6ea Bug 18821: Convert to using cache with date checking
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-08 10:30:16 +00:00
6491ba0233 Bug 18821: TrackLastPatronActivity is a performance killer
Test Plan:
1) Apply this patch
2) Start a new session ( a private browser window works well )
3) Note the lastseen column in the borrowers table is updated
4) Browse a few pages, note the lastseen column is not updated again
5) Close the browser window and repeat steps 2-4
6) prove t/db_dependent/Auth.t

Signed-off-by: Charles Farmer <charles.farmer@inLibro.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-08 10:30:16 +00:00
046f1f3401 Bug 20284: (QA follow-up) superlibrarian has ill permissions
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-05-07 11:55:01 -03:00
Katrin Fischer
9c0d403586 Bug 20400: (follow-up) Several fixes from RM review
- "your routing lists" tab is now highlighted when active
- get_routinglists was renamed to get_routing_lists
- Koha::Patron->get_routing_lists returns the ->search result
  directly
- Koha::Subscription::RoutingList->subscription uses DBIC
  relationship
- Undo changes to C4/Auth.pm

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-20 17:59:06 -03:00
Katrin Fischer
9af0b9de7d Bug 20400: Add routing list tab in OPAC
This patch adds the base for the new feature:
Show a list of the serial titles a patron is on routing
lists for in the OPAC.

Test plan applies to the complete patch set:

To test:
- Apply all patches
- Make sure RoutingSerials is not activated
- Check patron account in OPAC - no tab should appear
- Activate RoutingSerials
- Create subscriptions and different routing lists, test with:
  - Patron with no routing list entries = no tab
  - Patron with one or more routing list entries = tab appears

Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Bug 20400: Rewrite using Koha::Objects

Adds
- Koha::Subscription::Routinglist
- Koha::Subscription::Routinglists

Adds 2 methods
- Koha::Patron::get_routinglists
- Koha::Routinglist::subscription

Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Bug 20400: Add unit tests

prove t/db_dependent/Koha/Subscription/Routinglists.t
prove t/db_dependent/Koha/Patrons.t

Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Bug 20400: Display new tab in OPAC only for patrons with routing lists

The visibility of the routing list tab in the OPAC depends
on the system preference RoutingSerials and the existence
of routing list entries for the patron.

Some libraries only offer routing lists to certain user groups and
would not want it generally visible. As there are currently no
actions you can perform from the list, this appears to be a
reasonable behaviour.

See test plan in first patch.

Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Bug 20400: (follow-up) Use Asset TT plugin on opac-routing-lists.tt

Patch applies and functions as described.
Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Bug 20400: (QA follow-up) Redirect to 404 if routing is disabled

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-20 13:34:41 -03:00
d68fe07bf8 Bug 20489: Prevent DB user login
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-20 12:24:00 -03:00
7aac30428f Bug 20479: Ease readability - do not enter the block if not logged in
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-27 13:39:21 -03:00
24f25369a5 Bug 20479: Use $flag instead of fetching patron
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-27 13:39:21 -03:00
d8b3497368 Bug 20479: (follow-up) Don't try to get flags for database user
Login will still break in opac-user.pl, but that seems a bigger problem
not from SCI module

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-27 13:39:21 -03:00
51d7a02726 Bug 20479: Don't kick superlibrarians out of the opac
To test:
1 - Try to log in to opac with a superlibrarian
2 - Everything goes wrong
3 - Apply patch
4 - Try to log in with superlibrarian
5 - You can sign in

Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-27 13:39:21 -03:00
b03ce512c4 Bug 20480: Make KOHA_VERSION available to all templates in all circumstances
This patch makes C4::Templates::gettemplate set the KOHA_VERSION param
for the template. This way this template parameter, which is required by
(probably) all pages that include CSS/JS content is available in all
circumstances.

A noticeable problem with the current approach is when using the SCO and
SCI modules with wrong/forbidden users: C4::Auth short-circuits and
redirects to the login page, without setting the KOHA_VERSION param.
This patch solves it for good.

To test:
- Enable the SCI module
- Open the browser at
  http://localhost:8080/cgi-bin/koha/sci/sci-main.pl
- Login with the db user (koha_kohadev / password)
=> FAIL: Login failure, but styling is broken
- Apply this patch
- Retry
=> SUCCESS: Everything looks as it should!
- Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-27 13:38:57 -03:00
d6e8e88249 Bug 15492: Make existing code aware of new self_check* permissions
This patch makes the existing code for SCO use the new permissions schema
for self check modules. Specifically addresses this change:

  circulate  => self_checkout
becomes
  self_check => self_checkout_module

about.pl checks are adjusted too.

get_template_and_user gets refactored to avoid code duplication and the
conditions are adjusted for the new permissions.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-26 17:31:18 -03:00
9bf68c8c3e Bug 15492: Add SCI module
This patch adds the SCI module, and adapts C4::Auth to know about it.

The current behaviour is:
- Requires admin user initialization/login
- Uses the logged users' library
- A form allows to scan multiple barcodes
- A button sends the barcode list to the controller
  to batch perform the checkins
- Successful and failed checkins are sent to the template
- Results are displayed
- Logout link

To test:
- Apply these patches
- Make sure you upgrade:
  $ kshell
 k$ perl installer/data/mysql/updatedatabase.pl
- Have 'SelfCheckInModule' disabled
- Go to http://kohadev.myDNSname.org:8080/cgi-bin/koha/sci/sci-main.pl [1]
=> SUCCESS: You are rejected because the feature is disabled
- Enable 'SelfCheckInModule'
- Go to the previous URL
=> SUCCESS: You are required to login
- Login with a user WITHOUT self_checkout permissions
=> SUCCESS: You are not allowed to log into the Self check-in module.
- Login with a user WITH self_checkout permissions
=> SUCCESS: You gain access, and are presented the UI
- Go through the several options
=> SUCCESS: All works as it should
- Click the 'Help' link
=> SUCCESS: A help text is displayed on a modal
- Sign off :-D

- Bonus points:
  $ kshell
 k$ qa -c 2 -v 2
=> SUCCESS: All tests green

[1] Adjust to your dev's OPAC setup

Signed-off-by: David Bourgault <david.bourgault@inlibro.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-26 17:31:18 -03:00