Commit graph

670 commits

Author SHA1 Message Date
Katrin Fischer
bd75309933
Bug 33197: Rename GDPR_Policy system preference
GDPR is a European Union (and, at time of writing, UK) law.
The GDPR_Policy system preference is about a patron
giving consent to their personal data being processed in
line with the library's privacy policy.

The name of the preference is vague: there could be
many policies implemented by libraries to comply with
GDPR. It also makes the preference look irrelevant for
libraries outside the areas where GDPR applies, while
it may be useful for libraries anywhere.

This renames GDPR_Policy to PrivacyPolicyConsent and
adjusts the system preference descriptions.

To test:
* Apply the patch
* Run database update
* Search for GDPR_Policy in the system preference
  - you should not find anything.
* Search for DataPrivacyConsent in the system preferences
  - you should find it and be able to activate it
* Verify the feature works as expected
  - If the preference is set to "enforced", you will be
    asked to give consent to the data privacy agreement
    in the OPAC when you log in
* Verify the page is now phrased neutrally using 'privacy policy'

Bonus: Consent date is now formatted according to DateFormat
       system preference.
Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-05-05 10:18:54 -03:00
e6c49d642f
Bug 30624: Add loggedinlibrary permission and DB update
To test:
1. Apply patch, updatedatabase, restart_all
2. Have a user with superlibrarian privileges ( User1 )
3. Have a user who has staff access and circulate privileges but is not a super librarian. ( User2 ) Make note of this users home library
4. Turn on the system preference 'CircSidebar'.

-MAIN log in ( auth.tt )
5. As User1, go to the main login screen and try logging in. You should be able to log in AND you should be able to properly chnage your branch BEFORE logging in.
6. As User2, to to the main login screnn amd try logging in. You should be able to but if you try and switch your libraray to anything beside the user's home branch it will not work. You will be logged in at your home branch.
7. For User2, set the new top level permission 'Allow staff to change logged in library (loggedinlibrary).
8. Now you should be able to successfully switch libraries before log in.
9. Turn the 'loggedinlibrary' permission back off for User2.

-AFTER log in-
10. With User1, click on your name/branch in the top right, you should see the the link 'Set library' at the top. If you turn on 'UseCirculationDesks' the link will be 'Set library and desk'.
11. With User2, click on your name/branch in the top right. If you have 'UseCirculationDesks' on, you should see 'Set desk', otherwise you should see nothing.
12. Repeat step 7.
13. NOw if you click on your name/branch in the top right, you should see the the link 'Set library' at the top. If you turn on 'UseCirculationDesks' the link will be 'Set library and desk'.
14. Repeat Step 9.

-CircSideBar-
15. With 'CircSideBar' turned on, go to any ciculation page (Holds queue, Holds to pull, Holds awaiting pickup) with User1. You will see the 'Set library' link. If 'UseCirculationDesks' is on you will see a 'Set library and desk'.
16. Try with User2 and you will not see a 'Set library' link. If 'UseCirculationDesks' is on you will see a 'Set desk' link.
17. Repeat step 7.
18. For with User2 you go to any ciculation page (Holds queue, Holds to pull, Holds awaiting pickup). You will see the 'Set library' link. If 'UseCirculationDesks' is on you will see a 'Set library and desk'.
19. Repeat step 9.

-Set library page-
20. Go to the set library page (http://localhost:8081/cgi-bin/koha/circ/set-library.pl) with User1. You will see a dropdown for 'Set library'. Make sure you can change your library successfully.
21. Go to the set library page (http://localhost:8081/cgi-bin/koha/circ/set-library.pl) with User2. You should NOT see see a dropdown for 'Set library'.
22. Repeat step 7.
23. Go to the set library page (http://localhost:8081/cgi-bin/koha/circ/set-library.pl) with User2. Now you should see a dropdown for 'Set library'.

Signed-off by: Bob Bennhoff/AspenCat Team

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-03-13 15:22:59 -03:00
60e7c99165
Bug 32205: Remove unnecessary syspref template params for failed OPAC auth
This patch removes some unnecessary syspref template params for
failed OPAC auth. The templates handle these syspref using the
Koha.Preference() TT plugin function, so they're completely redundant
and just make checkauth() longer than it needs to be.

Test plan:
1) Apply patch
2) Enable OpacCloud, OpacBrowser, and OpacTopissue sysprefs
3) koha-plack --restart kohadev
4) Log out of Koha if you're logged in
5) Go to http://localhost:8080/cgi-bin/koha/opac-user.pl
6) Note that you can see the Cart as well as links for the following:
Browse by hierarchy, Authority search, Tag cloud, Subject cloud,
Most popular

Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Solene Ngamga <solene.ngamga@inLibro.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-02-27 11:38:33 -03:00
16ce9086e3
Bug 32208: Adjust Auth.pm for relogin without perms
If a second login on top of a current session fails on
permissions, we should not grant access without context.

Test plan:
[1] Run t/db../Auth.t, it should pass now.
[2] Test interface with/without this patch:
    Pick two users: A has perms, B has not.
    Put two staff login forms in two tabs.
    Login as A in tab1. Login as B in tab2.
    Without this patch, B gets in and crashes.
    With this patch, B does not get in ('no perms').
    Bonus: Go to opac if on same domain. You are still
    logged in as B.

NOTE: I added a FIXME here, since you could argue about filling
the session info or otoh deleting the session. We present an
authorization failure; people may not realize that they are
still logged in (see test plan - bonus).

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-01-10 18:19:55 -03:00
43c7607fa1
Bug 31908: Resolve second login with another userid
Somewhere the line undef $userid got removed.
We need it to resolve the second login situation.

Test plan:
Login in staff with user missing privileges.
On the login form login again with another staff user.
Note that you do no longer crash.

Run t/db../Auth.t
Run t/db../Koha/Auth/TwoFactorAuth.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-01-10 18:19:01 -03:00
c70977f5fe
Bug 31908: Replace an exit by a safe_exit in Auth.pm L1314
No change in user experience. But since we can mock safe_exit,
we can enhance test results.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-01-10 18:18:56 -03:00
Agustin Moyano
937b7114d0
Bug 32178: (follow-up) Transform 'staff' interface to 'intranet'
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-11-15 18:43:50 -03:00
Agustin Moyano
ca57674700
Bug 32178: Remove security breach introduced in bug 31378
This patch removes a security breach in C4::Auth::check_api_auth introduced by bug 31378, where when someone called an api with the parameters userid and auth_client_login, check_api_auth would automatically asume the user calling was that userid.

This patch also introduces C4::Auth::create_basic_session(), a function that creates a session and adds the minimum basic parameters.

Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-11-15 18:43:45 -03:00
Agustin Moyano
208b9b5ba7
Bug 31378: Add the API-based auth mechanism to C4::Auth::check_api_auth
Signed-off-by: Lukasz Koszyk <lukasz.koszyk@kit.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-11-08 14:30:46 -03:00
68d5b50c62
Bug 32066: Check 2FA pref in check_cookie_auth
Test plan:

Without this patch:
1. Set the syspref TwoFactorAuthentication (enforce or enabled)
2. Configure 2FA for a patron
3. Logout
4. Authenticate but don't enter the 2FA code
5. Switch off the syspref (disabled) [via another browser or so]
6. Patron is stuck on the [original] login screen. [Only removing
   the session cookie would resolve it.]

With this patch:
1. Follow the steps above again. But note that you can refresh
   your browser window to get in now.
2. Verify that Auth.t passes now too.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-11-04 19:02:38 -03:00
54d7f8b174
Bug 31495: Allow opac-page when enforcing GDPR policy
Test plan:
Add some page under Additional contents.
Enforce GDPR policy.
Test with user that has no consent (yet or anymore).
Check if you can reach additional contents with opac-page.pl.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-10-24 17:29:45 -03:00
ad6530b914
Bug 30588: (QA follow-up) Clear waiting-for-2FA-setup in session
If we do not clear this session, the first login directly after setup
does not really enhances user experience ;)

Test plan:
Make sure 2FA is enforced.
Test the above. Disable your 2FA, logout and login.
Verify that you can access pages with this patch now. Without this
patch you could not.
Run these tests to provide more confidence:
t/db_dependent/Auth.t
t/db_dependent/api/v1/two_factor_auth.t
t/db_dependent/Koha/Auth/TwoFactorAuth.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-10-21 11:37:02 -03:00
316355e8d5
Bug 30588: (QA follow-up) Auth - remove two warns and second logout
Resolves:
Use of uninitialized value $request_method in string eq at /usr/share/koha/C4/Auth.pm line 1122.
Use of uninitialized value $return in numeric gt (>) at /usr/share/koha/C4/Auth.pm line 1155.

We also remove the double logout from Auth.t

Test plan:
Run t/db_dependent/Auth.t
Check if you do not see the warns anymore.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-10-21 11:37:00 -03:00
b93e15c235
Bug 30588: Add the option to require 2FA setup on first staff login
Bug 28786 added the ability to turn on a two-factor authentication,
using a One Time Password (OTP).
Once enabled on the system, librarian had the choice to enable or
disable it for themselves.
For security reason an administrator could decide to force the
librarians to use this second authentication step.

This patch adds a third option to the existing syspref, 'Enforced', for
that purpose.

QA notes: the code we had in the members/two_factor_auth.pl controller
has been moved to REST API controller methods (with their tests and
swagger specs), for reusability reason. Code from template has been
moved to an include file for the same reason.

Test plan:
A. Regression tests
As we modified the code we need first to confirm the existing features
are still working as expected.
1. Turn off TwoFactorAuthentication (disabled) and confirm that you are not able to
enable and access the second authentication step
2. Turn it on (enabled) and confirm that you are able to enable it in your account
3. Logout and confirm then that you are able to login into Koha

B. The new option
1. Set the pref to "enforced"
2. You are not logged out, logged in users stay logged in
3. Pick a user that does not have 2FA setup, login
4. Notice the new screen (UI is a bit ugly, suggestions welcomed)
5. Try to access Koha without enabling 2FA, you shouldn't be able to
access any pages
6. Setup 2FA and confirm that you are redirected to the login screen
7. Login, send the correct pin code
=> You are fully logged in!

Note that at 6 we could redirect to the mainpage, without the need to
login again, but I think it's preferable to reduce the change to
C4::Auth. If it's considered mandatory by QA I could have a look on
another bug report.

Sponsored-by: Rijksmuseum, Netherlands

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-10-21 11:36:57 -03:00
8511750de9
Bug 30588: Adjust existing occurrences of TwoFactorAuthentication
We need to replace 0 with 'disabled', and 1 with 'enabled'

Sponsored-by: Rijksmuseum, Netherlands

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-10-21 11:36:56 -03:00
9c999293ef
Bug 31333: (follow-up) Handle anonymous patrons making suggestions
Test plan:
1. Enable suggestion & AnonSuggestions sysprefs and set AnonymousPatron = 1
2. Visit the OPAC without logging in
3. Confirm you can successfully create a suggestion from:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
4. Disable the AnonSuggestions syspref
5. Confirm you cannot see links to make purchase suggestions on the
following pages:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
6. Confirm if you try visiting /cgi-bin/koha/opac-suggestions.pl page
you are re-directed to a login page
7. Select the category of your user in the suggestionPatronCategoryExceptions syspref
8. Log into the OPAC
9. Confirm you cannot see links to make purchase suggestions on the
following pages:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
- opac-user.pl ('Your summary') page
10. Confirm if you try visiting /cgi-bin/koha/opac-suggestions.pl page
you are re-directed to a 404 error page
11. Enable AnonSuggestions syspref
12. Confirm you can successfully create a suggestion from:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
- opac-user.pl ('Your summary') page
13. Disable AnonSuggestions syspref and un-check your category from
suggestionPatronCategoryExeptions syspref
14. Confirm you can create a suggestion from:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
- opac-user.pl ('Your summary') page

Sponsored-by: Catalyst IT, New Zealand

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-10-04 08:44:26 -03:00
146a897731 Bug 31333: Add ability to make purchase suggestions by borrower type
Introduce a suggestionPatronCategoryExceptions system preference.

If the suggestion syspref is enabled then libraries can stop specific
borrower types from making suggestions by ticking the type in the
suggestionPatronCategoryExceptions syspref.

Test plan:
1. Apply patches, update database, re-start services

2. Set 'suggestion' syspref = 'Allow'

3. Confirm you can view the purchase suggestion links on OPAC biblio detail
page & 'your summary' page. As well as successfully submit a suggestion.

4. Select the patron category you're logged in as in
suggestionPatronCategoryExceptions syspref

5. Confirm the purchase suggestion links are hidden in the OPAC biblio
detail page & 'your summary' page

6. In your browser enter the link: <OPAC base URL>/cgi-bin/koha/opac-suggestions.pl
e.g. http://localhost:8080/cgi-bin/koha/opac-suggestions.pl

7. Confirm a 404 page loads

8. Confirm you can view/moderate suggestions in the staff
client - even though your patron is selected in the
suggestionPatronCategoryExceptions syspref

9. Untick your patron category in the suggestionPatronCategoryExceptions syspref

10. Confirm you can view the purchase suggestion links on the OPAC, as
well as successfully submit a suggestion.

11. Set 'suggestion' syspref = "Don't allow"

12. Confirm the purchase suggestion links are hidden in the OPAC

13. Select all patron categories in suggestPatronCategoryExceptions
syspref. View the OPAC without logging in and confirm you can perform
searches and view OPAC biblio detail pages.

Sponsored-by: Catalyst IT, New Zealand

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-10-04 08:44:16 -03:00
897fe20683
Bug 31389: Calculate user permissions in separate function
This patch refactors the setting of user permissions for templates into
a new function, which can be easily unit tested and reduces the amount
of code in C4::Auth::get_template_and_user(). It also aids in the
re-usability of permission checking code.

Test plan:
0) Apply patch and koha-plack --restart kohadev
1) prove t/Koha/Auth/Permissions.t
2) As koha superlibrarian, go to
http://localhost:8081/cgi-bin/koha/tools/tools-home.pl
3) Go to http://localhost:8081/cgi-bin/koha/members/members-home.pl
4) Create new test user with "Staff access..." and "Remaining circulation permissions"
5) Logout of koha superlibrarian
6) Login as test user
7) Note you can only see a limited view of the staff interface
(i.e. no administration, no tools, no reports, etc.)

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-09-22 08:39:21 -03:00
97b1bd1dae
Bug 29744: Remove unnecessary condition in C4::Auth::safe_exit
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Adding David's comments from Bugzilla to safe_exit here.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-09-22 08:11:57 -03:00
0b80172a49
Bug 29744: Harmonize psgi/plack detection methods
This patch updates and moves the existing psgi_env method out of Auth
and into Context and then replaces any manual references of the same
code to use the new method.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-09-22 08:11:57 -03:00
Katrin Fischer
aa90b60ea2
Bug 31401: Update administration sidebar to match entries on administration start page
This makes sure that all entries on the administration start page
have a matching entry in the administration sidebar that shows
on the left side if you are on any of the administration sub pages.

Changes made:
* Rename 'Classification sources' to 'Classification configuration'
* Make Plugins entry show and appear in correct spot
  This relied on the variable plugins_enabled that wasn't available
  in all the different templates. I therefore moved it to Auth.pm
  and cleaned up the code for the admin start page.
* Move 'MARC overlay rules' and rename to 'Record overlay rules'

To test:
* Make sure plugins are enabled and visible on admin start page
* Compare admin start page and sidebar
  * Sequence should be the same
  * All entries should appear on both pages
  * Naming should be the same

Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-09-07 13:55:32 -07:00
218419ce2c
Bug 31382: Pass password_has_expired param to templte
This patch restores the param, while still leaving the check against invalid
login credentials to ensure we don't leak information.

To test:
 1 - enable  EnableExpiredPasswordReset
 2 - Edit a patron to set password to expire in the past
 3 - Attempt opac login as patron
 4 - It fails, but you are redirected to login screen with no info
 5 - Apply patch
 6 - Attempt login
 7 - You are notified password expired and given reset link
 8 - Go back to login screen
 9 - Login with correct username,, wrong password
10 - You are notified of incorrect credentials, not password expiration

Signed-off-by: Andrew Fuerste-Henry <andrewfh@dubcolib.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-08-17 15:52:07 -03:00
1b92fd78fd
Bug 27342: Remove dbh from C4::Auth
We must not pass $dbh but retrieve it when needed instead

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-08-16 10:45:41 -03:00
4c44dd5eb4
Bug 27342: Improve test for OPAC
We don't need to build allowed_scripts_for_private_opac for staff

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-08-16 10:45:41 -03:00
c52eb53c69
Bug 28787: Don't request a token if no email address defined
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Sponsored-by: Rijksmuseum, Netherlands

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-08-09 13:38:44 -03:00
e7bb0d2a5e
Bug 31247: Fix OPAC authentication when 2FA is enabled
Silly mistake from bug 28786, the $type should be compared to "opac"
instead of "OPAC", erk!

Test plan:
Turn 2FA on
Set it up for an user
Login at the OPAC
=> Without this patch you keep being redirected to the auth form screen
=> With this patch applied you are able to successfully login

Signed-off-by: Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-07-29 15:41:10 -03:00
1ae5454b01
Bug 31244: Fix 500 if logout and not logged in
Can't use an undefined value as a HASH reference at /kohadevbox/koha/C4/Auth.pm line 985
        C4::Auth::checkauth('CGI=HASH(0x5603b7dc4300)', 0, 'HASH(0x5603b2633238)', 'intranet', undef, 'intranet-main.tt') called at /kohadevbox/koha/C4/Auth.pm line 186
        C4::Auth::get_template_and_user('HASH(0x5603b7b83d08)') called at /kohadevbox/koha/mainpage.pl line 40

Test plan:
Open a private window
Hit /cgi-bin/koha/mainpage.pl?logout.x=1

Signed-off-by: Sally <sally.healey@cheshiresharedservices.gov.uk>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-07-28 10:13:54 -03:00
f6110ce417
Bug 30842: 2FA - Allow at least one old TOTP
We allow one old token when we are setting the two-factor auth, we
should reuse the same settings when validation the authentication
itself.

Test plan:
Setup 2FA for your logged-in user
Logout/Login
Have a look at the code and wait for 30 sec before using it (< 1min
however)

Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-06-01 16:14:42 -03:00
c7d37248a6 Bug 29925: (follow-up) Allow password reset when OpacPublic not set
Signed-off-by: Bob Bennhoff <bbennhoff@clicweb.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-05-06 10:33:09 -10:00
6fba85d23b Bug 29924: Avoid leaking information on wrong credentials
If the passed credentials are wrong, we shouldn't expose things like the
password is expired.

This patch takes care of that.

To test:
1. Have a known patron with password_expiration_date set so its
   password is expired. Can be done like:
   $ koha-mysql kohadev
   > UPDATE borrowers \
     SET password_expiration_date='2022-04-25' \
     WHERE borrowernumber=132;
   Note: change the borrowernumber
2. Attempt to login to the OPAC with wrong credentials
=> SUCCESS: You are rejected, with a message telling credentials are
            wrong
=> FAIL: You are told the password is expired.
3. Apply this patch and restart Plack
4. Repeat 2
=> SUCCESS: You are rejected, credentials are wrong and no mention to
            password being expired.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-05-06 10:33:09 -10:00
9047dfce55 Bug 29924: Update ILSDI to be aware of expired passwords
To test:
1 - Enable ILSDI
2 - Set a patron password with expired password
3 - http://localhost:8080/cgi-bin/koha/ilsdi.pl?service=AuthenticatePatron&username=usernam&password=password
4 - Confirm 'PasswordExpired' returned

Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-05-06 10:33:09 -10:00
a732138d9d Bug 29924: Add password expiration feature
This patch adds the ability to define password_expiry_days for a patron
category.

When defined a patron's password will expire after X days and they will
be required to reset their password. If OPAC resets are enabled for the
catgeory they may do so on their own, otherwise they will need to
contact the library

To test:
 1 - Apply patch, updatedatabase
 2 - Set 'Password expiration' for a patron category
     Home-> Administration-> Patron categories-> Edit
 3 - Create a new patron in this category with a userid/password set,
     and an email
 4 - Confirm their password_expiration_date field is set
     SELECT password_expiration_date FROM borrowers WHERE borrowernumber=51;
 5 - Create a new patron, do not set a password
 6 - Confirm their password_expiration_date field is NULL
 7 - Update the patron with an expiration to be expired
     UPDATE borrowers SET password_expiration_date='2022-01-01' WHERE borrowernumber=51;
 8 - Give the borrower catalogue permission
 9 - Attempt to log in to Straff interface
10 - Confirm you are signed out and notified that password must be
     reset
11 - Attempt to sign in to OPAC
12 - Confirm you are signed out and notified password must be reset
13 - Enable password reset for the patron's category and perform a
     password reset
     Note: you will have to find the link in the message_queue unless
     you have emails setup on your test environment
     SELECT * FROM message_queue WHERE borrowernumber=51;
14 - Confirm that you can now sign in and password_expiration_date field
     is set 10 days in the future
15 - Expire the patron's password again
16 - Change the patron's password via the staff interface
17 - Confirm they can sign in and the expiration is updated

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Bob Bennhoff <bbennhoff@clicweb.org>

Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-05-06 10:33:09 -10:00
d827ee310a Bug 28786: Correctly inherit from Auth::GoogleAuth
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-20 20:43:15 -10:00
2c2c366234 Bug 28786: Improve readability in C4::Auth::checkauth
Sponsored-by: Orex Digital

Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-20 20:43:15 -10:00
6eeb9bc1b3 Bug 28786: Two-factor authentication for staff client - TOTP
This patchset introduces the Two-factor authentication (2FA) idea in
Koha.

It is far for complete, and only implement one way of doing it, but at
least it's a first step.
The idea here is to offer the librarian user the ability to
enable/disable 2FA when logging in to Koha.

It will use time-based, one-time passwords (TOTP) as the second factor,
an application to handle that will be required.

https://en.wikipedia.org/wiki/Time-based_One-Time_Password

More developements are possible on top of this:
* Send a notice (sms or email) with the code
* Force 2FA for librarians
* Implementation for OPAC
* WebAuthn, FIDO2, etc. - https://fidoalliance.org/category/intro-fido/

Test plan:
 0.
  a. % apt install -y libauth-googleauth-perl && updatedatabase && restart_all
  b. To test this you will need an app to generate the TOTP token, you can
 use FreeOTP that is open source and easy to use.
 1. Turn on TwoFactorAuthentication
 2. Go to your account, click 'More' > 'Manage Two-Factor authentication'
 3. Click Enable, scan the QR code with the app, insert the pin code and
 register
 4. Your account now requires 2FA to login!
 5. Notice that you can browse until you logout
 6. Logout
 7. Enter the credential and the pincode provided by the app
 8. Logout
 9. Enter the credential, no pincode
10. Confirm that you are stuck on the second auth form (ie. you cannot
access other Koha pages)
11. Click logout => First login form
12. Enter the credential and the pincode provided by the app

Sponsored-by: Orex Digital

Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-20 20:43:15 -10:00
59ff962caa Bug 26019: Koha should set SameSite attribute on cookies
This patch modifies the way Koha sets cookies so that the "sameSite"
attribute is explicitly set to "Lax." This option is chosen because it
is the value which is currently assumed by browsers when the sameSite
attribute is not set.

To test, apply the patch and restart services.

- Log in to the staff interface and open your browser's developer tools.
  - In Firefox, look for a "Storage" tab.
  - In Chrome, look for an "Application" tab.
- Under "Cookies," click the URL of the staff interface.
- You should see all the cookies which are set for that domain.
- The CGISESSID cookie should have sameSite set to "Lax."

- Go to Cataloging -> New record.
  - Check the "marcdocs" and "marctags" cookies.
- Switch to the Advanced MARC editor (you may need to enable
  theEnableAdvancedCatalogingEditor preference).
  - Check the "catalogue_editor" cookie.
- Add a new item to an existing bibliographic record.
  - Check the "LastCreatedItem" cookie which is set after you save the
    new item.
- Go to Authorities -> Authority search.
  - In authority search results, click "Merge" from the "Actions" menu
    next to one of the results..
    - Check the "auth_to_merge" cookie.
- Go to Administration -> MARC bibliographic framework
  - Choose "MARC structure" from the menu corresponding to one of the
    frameworks.
  - Check the "Display only used tags/subfields" checkbox.
    - Check the "marctagstructure_selectdisplay" cookie.
- Go to Circulation -> Check out to a patron with checkouts.
  - Check the "Always show checkouts immediately" checkbox.
    - Check the "issues-table-load-immediately-circulation" cookie.
- Go to Tools -> Patron clubs. You will need at least one active club
  with one or more patrons enrolled.
  - From the list of clubs, click Actions -> Search to hold.
    - Check the "holdforclub" cookie.
- Go to Tools -> Batch item modification and submit a batch of items.
  - Uncheck one or more checkboxes in the "Show/hide columns" area.
    - Check the "showColumns" cookie.
- View a patron -> Search to hold.
  - Check the 'holdfor' cookie.
- With WebBasedSelfCheck enabled, log in to the self-checkout page.
  - Check the "JWT" cookie.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-13 15:55:38 +02:00
62f8702206 Bug 29957: Let check_api_auth return created cookie
The cookie created on L1496 is useless, since it is not returned.
We could either remove the cookie creation (unchanged behavior).
But since check_api_auth is expected to return a cookie when it is ok,
I opt for returning the cookie here (corrected behavior).

Test plan:
Logout in staff.
Check on staff: /cgi-bin/koha/svc/localization?id=1
You should have a 400 response.
Login with staff credentials (incl. manage_itemtypes)
Revisit same URL.
You should see a JSON response.
Check if you can hit other staff pages.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-12 11:40:17 +02:00
832756a184 Bug 29957: Adjust push @$cookie statements in Auth
We can now use $cookie_mgr->replace_in_list instead. This
effectively removes duplicates and keeps the newest cookie.

Note: In the test plan below we are just verifying if
this patch did not change behavior. The replace_in_list
routine has been tested already in a unit test.

Test plan:
Run t/db_dependent/Auth.t
Login at OPAC.
Hit some opac and staff pages.
Perform an Advanced search on OPAC.
Check cookies in browser.
Logout.
Check cookies again. Verify with your do_not_remove_cookie lines
in koha-conf.xml.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-12 11:40:17 +02:00
a13b004db8 Bug 29957: Replace clear_all_cookies in Auth.pm
Test plan:
Enable language selection and have two languages.
Change language.
Check cookie value in browser for KohaOpacLanguage.
Logout.
Verify that cookie has been cleared in browser.

Add do_not_remove_cookie line for KohaOpacLanguage in koha-conf.
Restart, flush.
Login again.
Change language.
Check cookie value in browser for KohaOpacLanguage.
Logout.
Verify that cookie still contains the language.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-12 11:40:17 +02:00
ed8a9cff24 Bug 29957: Clear cookies on logout
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amended: Reverted the change to $cookies to minimize changes.
Fixed Auth.t where checkauth is being mocked.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-12 11:40:17 +02:00
051dd6bf0b Bug 29609: Centralized code to build the link to a biblio detail page
There are 2 prefs that control the default view of biblio detail pages:
IntranetBiblioDefaultView for staff and BiblioDefaultView for OPAC.
There are as well viewISBD, viewLabeledMARC and viewMARC to allow/don't
allow access to those page for staff members.

This code need to be in a single place to avoid discrepancy.

Test plan:
Play with BiblioDefaultView and IntranetBiblioDefaultView and confirm
that the links of biblio point to the correct view.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-08 15:49:16 +02:00
0b71d861eb Bug 29915: Prevent bad cookie from corrupted session
If there is deleted session info but no session->id, a wrong cookie
with empty name could be generated containing expired session id.

Test plan:
Run t/db_dependent/Auth.t
Login. Check cookies in browser.
Logout. Check cookies in browser.
Without this patch, you should see an invalid cookie.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-03-24 14:22:09 -10:00
3eb3739c6b Bug 29915: (QA follow-up) Add a comment in checkauth on $flags
This is quite a misleading call.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-03-22 10:17:33 -10:00
66a9eca571 Bug 29915: (QA follow-up) Fix POD typo
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-03-22 10:17:33 -10:00
5d1daf20ea Bug 29915: Tiny session adjustments
It may be that we need a few additional flushes.
And checking the returned session before clearing busc.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-03-22 10:17:33 -10:00
89b9c441fa Bug 29915: Changes for get_session and check_cookie_auth
If we look for an existing session, do not create a new one.
Found a bug in the unset_userenv calls. For this moment
changing the calls in Auth here. Later fix goes to bug
29954.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-03-22 10:17:33 -10:00
6300c6023f Bug 29915: Don't generate a new session ID for anonymous navigation
When a user is not logged in, a new session ID is generated every time a
new page is hit.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-03-22 10:17:33 -10:00
Aleisha Amohia
53aa7b523b Bug 19532: Database and installer stuff
- Add recalls table
- Add recalls circulation rules - recalls allowed, recalls per record, on shelf recalls, recall due date interval, recall overdue fine, recall shelf time
- Add system preferences - useRecalls, RecallsMaxPickUpDelay, RecallsLog
- Add email notices (RETURN_RECALLED_ITEM, PICKUP_RECALLED_ITEM)
- Add print notice (RECALL_REQUESTER_DET)
- Add user permission - recalls, manage_recalls
- Add Recall and CancelRecall enum options for branchtransfers reason

Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-03-14 22:45:50 -10:00
d43eea51dd Bug 28955: (follow-up) Set to fall back
This patch updates the original fix to only set the template parameter
for opac sessions and updates all occurences in templats to check first
for logged_in_user.branchcode before falling back to default_branch

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-02-24 14:35:36 -10:00
e940c8ab02 Bug 28955: Add OPAC_BRANCH_DEFAULT
This patch adds support for OPAC_BRANCH_DEFAULT as an environment option
that can be passed via apache with either SetEnv or as a header for
plack.  It allows setting a default branch for the anonymous opac
session such that you can display the right opac content blocks prior to
login if you have set up per branch URI's.

To test (on top of bug 29691)
1 - Add to apache conf (/etc/apache2/sites-available/kohadev.conf)
    SetEnv OPAC_BRANCH_DEFAULT "CPL"
    RequestHeader add X-Koha-SetEnv "OPAC_BRANCH_DEFAULT CPL"
2 - Restart all
3 - Confirm that news for all and CPL show on opac mainpage
4 - Sign in as a different library
5 - Confirm users library news shows

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-02-24 14:35:36 -10:00