This is quite a misleading call.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
It may be that we need a few additional flushes.
And checking the returned session before clearing busc.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
If we look for an existing session, do not create a new one.
Found a bug in the unset_userenv calls. For this moment
changing the calls in Auth here. Later fix goes to bug
29954.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
When a user is not logged in, a new session ID is generated every time a
new page is hit.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch updates the original fix to only set the template parameter
for opac sessions and updates all occurences in templats to check first
for logged_in_user.branchcode before falling back to default_branch
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch adds support for OPAC_BRANCH_DEFAULT as an environment option
that can be passed via apache with either SetEnv or as a header for
plack. It allows setting a default branch for the anonymous opac
session such that you can display the right opac content blocks prior to
login if you have set up per branch URI's.
To test (on top of bug 29691)
1 - Add to apache conf (/etc/apache2/sites-available/kohadev.conf)
SetEnv OPAC_BRANCH_DEFAULT "CPL"
RequestHeader add X-Koha-SetEnv "OPAC_BRANCH_DEFAULT CPL"
2 - Restart all
3 - Confirm that news for all and CPL show on opac mainpage
4 - Sign in as a different library
5 - Confirm users library news shows
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
and some more...
There are lot of inconsistencies in our ->search calls. We could
simplify some of them, but not in this patch. Here we want to prevent
regressions as much as possible and so don't add unecessary changes.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
JD amended patch: remove ref to line number
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
check_cookie_auth is assuming that the user is authenticated if a cookie exists
and that the login/username exists in the DB.
So basically if you hit the login page, fill the login input with a
valid username, click "login"
=> A cookie will be generated, and the sessions table will contain a
line with this session id.
On the second hit, if the username is in the DB, it will be enough to be
considered authenticated.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch makes the sandboxing of the selfcheckout more robust by
adding a "sco_user" session variable which is turned on when
logging into the self-checkout (either by AutoSelfCheckAllowed or manually).
If a user with this session variable turned on tries to access
other parts of the system (like the rest of the OPAC), it will
"kick out", so that the browser user will lose the authenticated session.
Test plan:
1) Apply the patch
2) koha-plack --restart kohadev
3) Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
4) Note that you are logged into the self-checkout
So you see the login screen specific to the self-checkout.
To log with the actual patron. It's a nested auth.
5) Go to http://localhost:8080/cgi-bin/koha/opac-main.pl
6) Note that you are not logged into the OPAC
7) Log into the staff interface and disable the
system preference AutoSelfCheckAllowed
8) Log out of the staff interface (this step is very important)
9) Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
10) Note that you are prompted to log into Koha
11) Login using the "koha" user (when using koha-testing-docker)
12) Note that you are logged into the self-checkout
13) Go to http://localhost:8080/cgi-bin/koha/opac-main.pl
14) Note that you are not logged into the OPAC
Without the patch you would still be logged as "koha"
15) Go back to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
16) Note that you will need to log in again as you've lost your
session cookie
Without the patch you will still be logged in the self-checkout
Voila!
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch builds on Bug 22318 to move the OpacNavBottom system
preference into the "Additional contents" system, making it possible to
have language- and library-specific content.
To test you should have some content in the OpacNavBottom system
preference. To make testing easier it's also a good idea to have content
in the OpacNav preference.
- Apply the patch and run the database update process.
- In the staff client, go to Tools -> HTML customizations and verify
that the content from OpacNavBottom is now stored there. When you
edit the entry you should see content from the OpacNavBottom system
preference under the "default" tab.
- The publication date for the entry should be today's date.
- Confirm that the previous contents of OpacNavBottom were added
correctly.
- Go to Administration -> System preferences -> OPAC and verify that
the OpacNavBottom preference has been removed.
- Update and reinstall active translations (for instance fr-FR):
- cd misc/translator/
- perl translate update fr-FR
- perl translate install fr-FR
- View the OPAC and confirm that the contents of the OpacNavBottom
system preference displays in the left-hand sidebar.
- Test as many pages as possible to confirm that wherever the
OpacNavBottom content is displayed, OpacNavBottom is also displayed.
- Test also using the updated translation.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch builds on Bug 22318 to move the OpacNav system
preference into the "Additional contents" system, making it possible to
have language- and library-specific content.
To test you should have some content in the OpacNav system
preference. To make testing easier it's also a good idea to have content
in the OpacNavBottom preference.
- Apply the patch and run the database update process.
- In the staff client, go to Tools -> HTML customizations and verify
that the content from OpacNav is now stored there. When you
edit the entry you should see content for each of the enabled
translations in your system under each tab.
- Confirm that the previous contents of OpacNav were added
correctly.
- Go to Administration -> System preferences -> OPAC and verify that
the OpacNav preference has been removed.
- Update and reinstall active translations (for instance fr-FR):
- cd misc/translator/
- perl translate update fr-FR
- perl translate install fr-FR
- View the OPAC and confirm that the contents of the OpacNav system
preference displays in the left-hand sidebar.
- Test as many pages as possible to confirm that wherever the
OpacNavBottom content is displayed, OpacNav is also displayed.
- Test also using the updated translation.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Bug 24223: (follow-up) Add date to OpacNav additional content entries
This follow-up modifies the atomic update so that it inserts today's
date as the "Published on" date. Without that information the system
considers the item unpublished and will not display the content.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Bug 24223: (follow-up) Make logged-in user's branchcode available to template
This patch makes a couple of corrections for problems I discovered
while working on Bug 24224: The variables required for correct display
of news items by branch and language were not consistently available to
the templates.
In opac-readingrecord.pl, the "lang" variable was being overwritten. On
this and other pages the logged-in patron's brachcode was not made
available. I've corrected instances of KohaNews.get() to use the
globally-available "logged_in_user.branchcode" instead.
To test, apply the patch and follow the original test plan, with the
addition of instances of the OpacNav additional contents item which
have a specific library selected.
Confirm that such items are correctly displayed according to the
logged-in user's home library. If there is no logged-in user the
library-specific OpacNav should not display.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Bug 24223: (follow-up) Updates to conform to new practices
- The patch now works with new "Additional contents" system
- The database update follows new skeleton.pl
- Add "OpacNav" option to the additional contents template
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Bug 24223: (follow-up) Add missing "return" to atomicupdate
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Bug 24223: (QA follow-up) Link OpacNav to HTML customizations now
In the pref description of OpacNavBottom. (Before obsoleting that
one too somewhere soon.)
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
It is a confusing name because we have 'Article Request' as a feature,
and this does not follow Koha terminology.
Test plan:
`updatedatabase` and confirm that the syspref has been renamed
`git grep RequestOnOpac` => No occurrence in the code
QA: The syspref's value is always retrieved using Koha.Preference from
.tt files, we don't need to send it from controllers or C4::Auth
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Note that without the use URI::QueryParam statement in C4::Auth we get:
Can't locate object method "query_param_delete" via package "URI::_generic" at /kohadevbox/koha/C4/Auth.pm line 1254
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
We should follow the same pattern as ldap and not use C4::Auth_with_cas
if the cas syspref is not turned on.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
It's not used.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
We could have this patch but we also could decide to skip it. The idea
is to avoid 2 checks of the version when we are coming from checkauth.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This code is duplicated in 3 different places, we must call
check_cookie_auth instead.
It makes check_cookie_auth returns a 'restricted' when
SessionRestrictionByIP is set and the IP changed.
It also returns a third parameters contained the old and new IP, to fill
the "info" hash in checkauth but apparently the oldip and newip
variables are not even used from the template. We may want to remove it
completely.
No change is expected with this patch, the different authentication
methods should still work as before.
Test plan:
Log in the staff and OPAC interfaces, logout.
Log in and call script that call the 3 different subroutines modified by
this patch. For instance you can list checkouts (that is using
check_cookie_auth) and display a patron's image (using check_api_auth).
QA with good knowledge of the C4::Auth module and the different
authentication methods is required.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The opac had 'branch_group_limit' parameters which can be simplified to more
closely match intranet code.
Adjust C4::Auth for chaneg above to ensure dropdowns correctly populate
Expand JS to prevent selection of single and multibranch limits
To test:
1 - Enable OpacAddMastheadLibraryPulldown system preference
2 - Ensure branches and groups show as before patch
3 - Ensure single and multibranch limits from masthead apply as expected
4 - Test advanced search page, ensure you cannot select both single and multibranch limit
5 - Follow test plan on 28845 - ensure multibranch limit still correctly pre-selected
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Works as expected.
The need for an additional check of pref WebBasedSelfCheck is
merely theoretical.
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
On bug 17591 we discovered that there was something weird going on with
the way we export and use subroutines/modules.
This patch tries to standardize our EXPORT to use EXPORT_OK only.
That way we will need to explicitely define the subroutine we want to
use from a module.
This patch is a squashed version of:
Bug 17600: After export.pl
Bug 17600: After perlimport
Bug 17600: Manual changes
Bug 17600: Other manual changes after second perlimports run
Bug 17600: Fix tests
And a lot of other manual changes.
export.pl is a dirty script that can be found on bug 17600.
"perlimport" is:
git clone https://github.com/oalders/App-perlimports.git
cd App-perlimports/
cpanm --installdeps .
export PERL5LIB="$PERL5LIB:/kohadevbox/koha/App-perlimports/lib"
find . \( -name "*.pl" -o -name "*.pm" \) -exec perl App-perlimports/script/perlimports --inplace-edit --no-preserve-unused --filename {} \;
The ideas of this patch are to:
* use EXPORT_OK instead of EXPORT
* perltidy the EXPORT_OK list
* remove '&' before the subroutine names
* remove some uneeded use statements
* explicitely import the subroutines we need within the controllers or
modules
Note that the private subroutines (starting with _) should not be
exported (and not used from outside of the module except from tests).
EXPORT vs EXPORT_OK (from
https://www.thegeekstuff.com/2010/06/perl-exporter-examples/)
"""
Export allows to export the functions and variables of modules to user’s namespace using the standard import method. This way, we don’t need to create the objects for the modules to access it’s members.
@EXPORT and @EXPORT_OK are the two main variables used during export operation.
@EXPORT contains list of symbols (subroutines and variables) of the module to be exported into the caller namespace.
@EXPORT_OK does export of symbols on demand basis.
"""
If this patch caused a conflict with a patch you wrote prior to its
push:
* Make sure you are not reintroducing a "use" statement that has been
removed
* "$subroutine" is not exported by the C4::$MODULE module
means that you need to add the subroutine to the @EXPORT_OK list
* Bareword "$subroutine" not allowed while "strict subs"
means that you didn't imported the subroutine from the module:
- use $MODULE qw( $subroutine list );
You can also use the fully qualified namespace: C4::$MODULE::$subroutine
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
[WARN] Use of uninitialized value in sprintf at /kohadevbox/koha/C4/Auth.pm line 887.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
It's not used and must be removed
Test plan:
% git grep _session_log
must not return any result.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
We should remove the debug statements or use Koha::Logger when we want
to keep it.
Test plan:
Confirm that occurrences of remaining occurrences of DEBUG need to be
kept (historical scripts for instance)
Confirm that the occurrences removed by this patch can be removed
Confirm that the occurrences replaced by Koha::Logger are correct
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Looks good to me, noting a few minor points on BZ.
JD amended patch: replace "warn #Finished" with "#warn Finished", and
put the statement on a single line
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
They are no longer used since bug 7310, now we are using
Koha::Virtualshelves->get_some_shelves
Test plan:
Create some lists, login at the OPAC and confirm that you see
the list in the navbar (top)
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies the way search sessions are preserved in the OPAC so
that viewing the "plain MARC" view will not cause the search context to
be lost.
To test, apply the patch and make sure OpacBrowseResults is enabled.
- Perform a search in the OPAC which will return multiple search
results.
- View the details of one of the search results.
- You should see a "Browse results" box in the right-hand sidebar.
- Click the "MARC view" link.
- If you click back to the "Normal view" now, the results browser
should still appear.
- From the MARC view, click the "view plain" link.
- Return to the "Normal view."
- Before the patch: The results browser is gone.
- After the patch: The results browser is still there.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds a "lib" directory to the source tree which gets
mapped to the same directory as "C4" and "Koha" for single and
standard installations.
CGI::Session::Serialize::yamlxs is put into this "lib" directory.
This patch also includes some changes so that dev/git installations
work as well.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
We remove YAML::Syck on bug 22824 and YAML on 27673, to use YAML::XS.
However we need one of them for CGI::Session::Serialize::yaml
It's preferable to change the serializer and use the default one instead
of writing one based on YAML::XS (or patch the existing ::yaml that does
not seem maintained).
There was an encoding bug reported on the default serializer (see commit
a858e8a8b8) but we fail to recreate it.
Test plan:
Create 3 libraries with branchcode=branchname: "CPL", "ÄÄÄ~ÄãÃ" and "✔️❤️ ★"
Use the 3 options of SessionStorage and switch from one logged in
library to another.
Confirm that everything is working correctly (ie. no ending issue in the
library name at the top-right corner)
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch permits authentication via userid/password only when the
HTTP method is POST when using C4::Auth::checkauth().
The goal is to stop people from supplying userid and password in querystrings
in order to log into web pages.
Test plan:
0. Do not apply patch yet
1. Open a new browser (ie we don't want any existing CGISESSID cookies
available - opening a new tab/window isn't enough. It must be a
new instance or you can clear your cookies)
2. Go to http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29&userid=koha&password=koha
3. Note the user has been logged in and is being asked to confirm hold.
4. Apply the patch
5. Go to http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29&userid=koha&password=koha
6. Note the user is not logged in and the user is presented with a login screen
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
It seems that we don't really need all this overhead.
YesNo must be a boolean and contain 1 or 0.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
As requested
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds two system preferences to Koha, opacShibOnly and
staffShibOnly, allowing users to restrict authentication to just
one method, Shibboleth.
We do however, allow for local fallback for the SCO/SCI logins.
A system preference was chosen over a configuration file update to
allow for local override at the virtualhost level. In this way a
hosting provider can setup a 'backdoor opac' for example to allow
fallback to local logins for support operations.
Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
It's tested with "defined" in C4::Context->preference
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
It would be *super* handy if intranetuserjs and/or opacuserjs could be
temporarily disabled via a check-box or syspref.
Right now, debugging issues in intranetuserjs usuaally starts with
copying the contents into a text file, blanking the syspref and re-testing.
This patch adds this feature by setting syspref via ENV
OVERRIDE_SYSPREF like override via Apache config.
Implemented only for preferences :
OPACUserCSS OPACUserJS IntranetUserCSS IntranetUserJS
=> replaced with ' '
intranetcolorstylesheet intranetstylesheet
=> replaced with 0
Test plan :
1) Set some CSS in IntranetUserCSS like : #breadcrumbs{color:red}
2) Go to staff interface home page like : /cgi-bin/koha/mainpage.pl
3) See CSS impact is visible
4) Edit URL : /cgi-bin/koha/mainpage.pl?DISABLE_SYSPREF_IntranetUserCSS=1
5) See CSS impact is not visible
6) Check with the other preferences
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch removes references to intranetbookbag from Auth.pm. Now that
the templates use Koha.Preference("intranetbookbag") everywhere it is
unnecessary.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
When a superlibrarian is logged in, C4::Auth::get_template_and_user pass the CAN_user_$flag to the template, but some are missing:
suggestions, lists, cash_management
So far they are not used in the template but it will avoid a developer to spend time on it if we fix it now.
Test plan:
Compare with installer/data/mysql/mandatory/userflags.sql
Note that we don't need selfcheck
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
If no branch is selected (i.e. 'My library') then we should default to
'branch default' if one is defined for the users library at login.
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This leads to one DB hit less per page load in the staff client when
cash registers are enabled.
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds the ability to set a register for the current session
from the 'set library' page.
Upon entering the page, the current selection will be displayed.
Changing the branch will trigger the register select list to update to
display only those registers associated with the updated branch and will
automatically select either 'no register' or the 'branch default'
register. The user can then override that selection to choose a
different register for the session.
Test plan
1/ Enable cash registers with the 'UseCashRegisters' system preference
2/ Select the 'Set library' option from the top right menu
3/ Note that you can now select a cash register from the subsequent page
4/ Change the branch and note that the cash register selection is
updated to reflect the change
5/ Note that the 'branch default' register is auto-selected upon branch
selection if one has been defined, otherwise '-- None --' is selected
6/ You can then alter the selection before submitting the form
7/ Once submitted note that you are returned to the page you were on
prior to attempting to change the library and register
8/ Note the present of the register name next to the library name at the
top of the screen.
9/ Signoff
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Our docs shouldn't suggest indirect object notation is accepted or
encouraged.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
If the timeout syspref did not contain an integer, or was not matching
integer.'d|D', then it "fallback" to 0
We can easily add support for hours and fallback to 600 if the value is
not correct.
It will prevent the session to timeout immediately
Test plan:
0. Do not apply the patches
1. Fill the timeout syspref with "5h"
2. Login
3. Click somewhere
=> Notice that the session timed out
4. Apply the patches, restart_all
5. Login
6. Click somewhere
=> You have 5 hours to enjoy Koha
7. Fill the pref with an incorrect value ("5x" for instance)
8. Logout, login
9. There is a warning in the log, and you have 10 minutes (600 secondes) to enjoy Koha
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This is a leftover from bug 22543.
Trivial move.
Test plan:
Do not apply this patch.
Pick a user that has not yet logged in today.
Only login via the opac and immediately check if borrowers.datelastseen did not change.
Apply this patch, restart, flush etc.
Only login via the opac and verify again rightaway (no further opac actions).
Now datelastseen should have been changed already.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The password recovery and self-registration features need to be
accessible at the OPAC even if not public.
Test plan:
Self register a new account, then ask for a new password with OpacPublic
turned off
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomás Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Prior to this patchset there were 3 different calls to
get_template_and_user (or checkauth) with the authnotrequired param:
* authnotrequired => 0
* authnotrequired => 1
* authnotrequired => ( C4::Context->preference("OpacPublic") ? 1 : 0 )
The first one says that an unauthenticated user can access the page, the
second that the user has to be authenticated, and the last one that it
depends on the OpacPublic syspref.
Actually we must replace the first one with the third one, if the OPAC
is not public, the authentication must be forced.
To do so we are going to remove the "authnotrequired => 0" occurrences,
and check the OpacPublic syspref's value in C4::Auth
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The FIXME is no longer valid since we fixed the X-Forwarded headers
for Plack. And since we do not even use using_https anymore in
the templates (see bug 21094).
Test plan:
Run Auth.t
Git grep for using_https
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds the secure flag to the CGISESSID cookie when using HTTPS.
This prevents the cookie being used again over a normal HTTP
request.
Bug 25360: [Follow-up] Test for "on" or "ON" value for HTTPS env var
This patch tests for HTTPS "on" or "ON" before setting the secure
cookie.
Bug 25360: [Follow-up] Fix typo in C4/InstallAuth.pm
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Amended number of tests in Context.t
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
One call to set_userenv had been implimented incorrectly with the
parameters out of order.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
You should be able to add desk choice when you are logging in or
changing library.
Test plan:
1. apply patch
2. have at least three libraries, one without desk, one with one and
one with a few.
3. At login, when choosing a library, it should enable all desks it
has. Pick one.
4. the desk id and name should be set in your session and appear in
the top right, next to the library name.
5. change library and desks from intranet (at the set-library.pl page)
6. you should have the same behaviours
7. if you have a library without a desk, it should prompt you a '---'
option and no desks will be attached to the session.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch updates the templates to use the new TT plugin instead of
adding additional variables to the already crouded get_template_and_user.
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
When Desks are defined, a librarian can attach a desk to its session.
Test plan:
1. apply 13881 and create some desks
2. you should see “NO DESK SET” in the intranet header
3. go to circulation > Set desk
4. you should see your desk name in the header, whatever the page
5. you can also set desk with the header menu
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch builds on Bug 22318 to move the opaccredits system
preference into the Koha news system, making it possible to have
language- and library-specific content.
To test you should have some content in the opaccredits system
preference. Apply the patch and run the database update process.
- Go to the OPAC and confirm that the content which was previously in
the opaccredits system preference now displays correctly where
it was before.
- In the staff client, go to Tools -> News and verify that the content
from opaccredits is now stored in news items. There should be
one entry for each of the enabled translations in your system, for
instance 'opaccredits_en', 'opaccredits_fr-FR',
'opaccredits_cs-CZ'
- Go to Administration -> System preferences and confirm that the
opaccredits preference has been removed.
Signed-off-by: Sally <sally.healey@cheshiresharedservices.gov.uk>
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The template plugin Branches contains a method GetLoggedInBranchcode that returns current branch code.
This patch adds GetLoggedInBranchname to get current branch name.
It is used to replace vars LoginBranchname and LoginBranchcode sent to all templates in C4/Auth.pm.
In labels and patrons cards modules, I choose to remove a unseless display of
current branch in a hint.
In acqui/acqui-home.tt, I choose to remove a useless display of current
branch and also because table of founds contains a filter on library.
Test plan:
Check pages source code to see branch code or name is correct.
list of the pages:
/cgi-bin/koha/acqui/acqui-home.pl
/cgi-bin/koha/catalogue/detail.pl?biblionumber=XXX
/cgi-bin/koha/circ/branchoverdues.pl
/cgi-bin/koha/circ/set-library.pl
/cgi-bin/koha/circ/offline.pl
/cgi-bin/koha/labels/label-edit-batch.pl?op=new
/cgi-bin/koha/labels/label-manage.pl
/cgi-bin/koha/patroncards/edit-batch.pl
/cgi-bin/koha/patroncards/manage.pl
OPAC:
/cgi-bin/koha/opac-detail.pl?biblionumber=XXX
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch builds on Bug 22318 to move the OpacMainUserBlock system
preference into the Koha news system, making it possible to have
language- and library-specific content.
To test you should have some content in the OpacMainUserBlock system
preference. Apply the patch and run the database update process.
- Go to the OPAC and confirm that the content which was previously in
the OpacMainUserBlock system preference now displays correctly where
it was before.
- In the staff client, go to Tools -> News and verify that the content
from OpacMainUserBlock is now stored in news items. There should be
one entry for each of the enabled translations in your system, for
instance 'opacmainuserblock_en', 'opacmainuserblock_fr-FR',
'opacmainuserblock_cs-CZ'
- Go to Administration -> System preferences and confirm that the
OpacMainUserBlock preference has been removed.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
The wrong password might belong to an existing user. If that is the case,
we have a $patron.
Note that logaction will save the object info but has no user in the
context environment for a failure.
Test plan:
Login with good user, bad pw and bad user, bad pw. Check logviewer.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Michal Denar <black23@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Add optional logging for successful and failing login attempts in
checkpw.
Test plan:
Enable the preferences
Perform a good login and a bad attempt
Check action_logs
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk>
Signed-off-by: Michal Denar <black23@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Owen Leonard 2018-03-16 10:47:47 UTC :
<<
I don't think the system preference adds any security. There are already multiple permissions required for working with plugins:
- Configure plugins
- Manage plugins ( install / uninstall )
- Use report plugins
- Use tool plugins
And even with those permissions your server must be configured to allow the use of plugins.
>>
Test plan :
1) Install kitchen sink plugin https://github.com/bywatersolutions/koha-plugin-kitchen-sink
2) Run misc/devel/install_plugins.pl
3) Set config enable_plugins=1
4) Check all parts of the plugin are working
5) Set config enable_plugins=0
6) Check all parts of the plugin are disabled
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Bug 14407 introduced a new system preference to allow limiting the
online self checkout system to an IP or IP Range. The function that
handles this is called in_ipset, which is the name of a linux tool. To
stop confusion, this patch renames the function to 'in_iprange', and the
variable 'ipset' within it to 'iprange'.
To test, follow the test plans outlined in Bug 14407 and confirm that
everything works as expected.
Sponsored-by: Catalyst IT
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
There is some quite old and unused code in Koha related
to printer configuration and network printing. These code
hasn't been functional in a long time and should be removed.
This patch:
- Removes printcirculationslips system preference
- Removes table printers
- Removes branchprinter column from branches
Check that:
- Go to administration
- Open any age there, but change the last bit to: printers.pl
- Apply patch, run the database update
- Verify the hidden page no longer exists
- Verify that logging in and out still works correctly
- Verify that checkout and returns work correctly
- Switch to another branch using the "Set library" option
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
To reproduce and test:
- Log into the OPAC, you are taken to /cgi-bin/koha/opac-user.pl
- Log out, you are taken to /cgi-bin/koha/opac-main.pl?logout.x=1
- Click "Back", you are taken to /cgi-bin/koha/opac-user.pl
- Reload the page, you see an error like "Confirm new submission
of form"
- Reload the page again and confirm the submission of the form
- You are now logged in to the OPAC again!
- Log out again
- Apply this patch
- Log in to the OPAC, you are taken to /cgi-bin/koha/opac-user.pl
- Log out, you are taken to /cgi-bin/koha/opac-main.pl?logout.x=1
- Click back, you are taken to /cgi-bin/koha/opac-user.pl
- No matter how many times you reload /cgi-bin/koha/opac-user.pl,
you should not see anything other than the login form.
- Check that Self Check Out still works as it should, by making
sure you have a user with self_check permissions, then setting
WebBasedSelfCheck, AutoSelfCheckAllowed, AutoSelfCheckID and
AutoSelfCheckPass appropriately. Then visit
/cgi-bin/koha/sco/sco-main.pl and verify everything works as
expected.
The messages and errors pages you see related to resubmitting the
form might differ from the ones described here, depending on what
browser you use. I tested in Chromium 76.0.x.
This fix was originally proposed by LMSCloud:
74a7fe0f0c
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Koha has a number of features that rely on knowing the IP address of the connecting client. If that server is behind a proxy these features do not work.
This patch adds a module to automatically convert the X-Forwarded-For header into the REMOTE_ADDR environment variable for both CGI and Plack processes.
TEST PLAN:
1) Apply this patch set
2) Install Plack::Middleware::RealIP via cpanm or your favorite utility
3) Update your plack.psgi with the changes you find in this patch set ( this process differs based on your testing environment )
4) Restart plack
5) Tail the plack error log for your instance
6) Use curl to access the OPAC, adding an X-Forwarded-For header: curl --header "X-Forwarded-For: 32.32.32.32" http://127.0.0.1:8080
7) Note the logs output this address if you are unproxied
8) If you are proxied, restart plack using a command like below, where the ip you see in the logs ("REAL IP) is what you put in the koha conf:
<koha_trusted_proxies>172.22.0.1 1.1.1.1</koha_trusted_proxies>
9) Restart all the things!
10) Repeat step 6
11) You should now see "REAL IP: 32.32.32.32" in the plack logs as the remote address in your plack-error.log logs!
12) Disable plack so you are running in cgi mode, repeat step 6 again
13) You should see "REAL IP: 32.32.32.32" as the remove address in your opac-error.log logs!
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Ed Veal <eveal@mckinneytexas.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
While the code requires external auth to test, the change is simple enough I
think a good read would suffice
To test:
1 - You either need Shib or CAS enabled and setup
2 - Add two users with blank.null cardnumbers
3 - Lock those user accounts
Set failedloginattempts to 1
Try a bad login with the userid
Or set via the DB
4 - Try a good login via the external auth
5 - Note it fails
6 - Apply patch
7 - Login now succeeds
Signed-off-by: Mike Somers - Bridgewater State University <msomers@bridgew.edu>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Just a find and replace on the changed system preference name.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
- Rename CircAutocompl system preference to PatronAutocompletion
- Take this system preference into consideration for patron search
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch makes Auth skip the GDPR policy check when get_template_and_user
is called for sci/sco (self checkin, checkout).
I do not really like the change in this form but the nature of self checkin
and checkout kind of dictate it (double hack).
I wanted to add a test but since that asks for mocking CGI, checkauth, etc.
the time needed for that is just too much for this simple change.
Test plan:
Enable GDPR_Policy and self checkin/checkout.
Verify that using patrons without consent is not blocking sci/sco.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
The code expects to display OpacNavRight content at the bottom of the
login form when a user just registered.
Test plan:
- Turn PatronSelfRegistrationVerifyByEmail on
- Register a patron
- Confirm by clicking on the link you received by email (or see the
message_queue table)
=> The OpacNavRight content should be displayed
QA Note: This code smells, the code in the pl should not be needed.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch takes care of some preference instances I missed in the self
checkout module's help page. It also removes some obsolete lines from
Auth.pm.
To test, apply the patch and re-test based on the previous test plan.
Also test in the self-checkout module by logging into self checkout and
clicking the "Help" link in the upper right of the screen.
The settings of the following preferences should be shown correctly:
- OpacFavicon
- OPACUserCSS
Signed-off-by: frederik chenier <frederik.chenier@inlibro.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch updates the OPAC's doc-head-close.inc so that it uses
'Koha.Preference' syntax to output system preference data. The patch
removes handling of two preferences from Auth.pm which which are covered
by this template change.
This patch also makes some minor changes to consolidate multiple
template checks for "bidi"
To test, apply the patch and test the affected OPAC system preferences:
- OpacFavicon
- opaclayoutstylesheet
- OPACUserCSS
- OPACBaseURL
Confirm that changes made to these preferences are reflected in the
OPAC.
Signed-off-by: frederik <frederik@inlibro.com>
Signed-off-by: Nadine Pierre <nadine.pierre@inLibro.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Comment #28 has a /36 which is invalid CIDR.
This triggers a crash and noise.
This cleans up the crash and noise, and adds
test cases to check for them.
prove t/Auth.t
-- before missing null case, and /36 case.
-- after null case, and /36 with/without warnings.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Hayley Mapley <hayleymapley@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Converted this to actual applicable patches.
I think the test plan is comment #28. -- Mark Tompsett
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
TO test:
1 - Set failed login attempts to 1
2 - Attempt a login with a userid and bad password, no success
3 - Attempt a login with userid and correct password, prevented because
locked
4 - Attempt a login with cardnumber and right password, you are logged
in
5 - Log out, try again with userid and correct password, prevented
because locked?
6 - Apply patch
7 - Repeat 1-3 to lock account
8 - Attempt logging in with cardnumber, you are prevented
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
The haspermission routine wrongly assumed that get_user_subpermissions
would return a list of all subpermissions if the user had the top level
permission, but instead if just returns 1.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
If an account has been locked, there is no use to keep increasing this
number. It is not true too; after the pref number has been reached,
we can not really speak of login attempts anymore. The credentials are
just ignored.
Adding a dbrev to put existing values in line. And a simple test in
Auth.t to confirm that login_attempts stop increasing.
Note: It feels safe to keep the '>=' condition in account_locked. But it
could obviously be changed to '=='. (Added a test for that.)
Note: Adding a mock_preference in Auth.t too for GDPR_Policy. Since not all
tests will pass when the pref is enabled (though disabled by default).
Test plan:
Run dbrev with updatedatabase.pl.
Run t/db_dependent/Koha/Patrons.t
Run t/db_dependent/Auth.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
To test:
1 - Enable AuthoSelfCheck prefs
2 - In opacuserjs or scouserjs add a fetch of an unreachable resources
3 - Visit the SCO
4 - Sign in as a patron then click 'finish'
5 - Say 'yes' to receipt
6 - Note you are directed to log in
7 - Apply patch
8 - Restart all the things
9 - Repeat 4 & 5
10 - Sucess, receipt prints
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch adds 'api' as a valid interface and sets it appropriately for
both the new REST api and previous /svc/ api's. Handling to keep the
interface of a logged in session is included such that if the OPAC or
Intranet use the API's internally via a Cookie we will maintain the
interface throughout the session.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Passing undef (or nothing) as $flagsrequired to haspermission simply
returned the return from fetchrow prior to this patch. Restoring that
behaviour.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Turns out that we rely heavily on the side effect that passing undef
to haspermission would always return true no matter what permissions
or lack of permissions you had.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
check_cookie_auth needs to allow for cases where we wish to check for
ANY permission and cases where we wish to skip the permissions check
entirely and just authenticate the session.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Before bug 22031 the haspermission subroutine signature allowed for
passing 'undef' to mean 'any permission' in $flagsrequired. This feels
like a mistake and was only in practical use in two places in the
codebase.
This patch explicitly forbids this practice (`*` may be used to the same
result and is more explicit in it's nature) and replaces the two
instances of it's use.
Test Plan
1. Before this patch, the API tests are all failing with authentication
errors
2. After this patch the API tests should now all pass.
3. t/db_dependent/Auth/haspermission.t should continue to pass (with one
addition subtest added herin)
3. /svc/members/search is not unit tested. Please check that patron
searching still yields results in the UI after this patch.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch adds an SQL::Abstract inspired query syntax to the
haspermission method in C4::Auth. One can now pass Arrayrefs to denote
an OR list of flags, a Hashref to denote a AND list of flags.
Structures can be nested at arbitrary depth.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
To test:
0 - Apply patch
1 - Create a library group enabled for opac search limits and add some
libraries
2 - Check the DB (or advanced search dropdown) to get the id of the
group (using 7 as example below)
3 - Add to apache configuration (OPAC virtualhost)
SetEnv OPAC_SEARCH_LIMIT branch:multibranchlimit-7
SetEnv OPAC_LIMIT_OVERRIDE 1
RequestHeader add X-Koha-SetEnv "OPAC_SEARCH_LIMIT
branch:multibranchlimit-7"
RequestHeader add X-Koha-SetEnv "OPAC_LIMIT_OVERRIDE 1"
4 - Ensure OpacAddMastheadLibraryPulldown is disabled
5 - Restart all the things
6 - Visit the opac
7 - Perform a search, confirm it is scoped to the branches in the group
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This is about $shib and $shib_login.
We move in the right direction by calling get_login_shib in
get_template_and_user and checkauth. In the same line we can do the
shib_ok check at that time (just checking cached values). This paves
the way for the third subroutine using the two package vars: checkpw.
Note that checkpw is also called outside Auth.pm. So I would be more
comfortable if we do the same calls like in checkauth and remove both
variables from the package level (especially under Plack of course).
The former changes actually justify a 'use C4::Auth_with_shibboleth'
instead of the current require and import.
Note: When calling checkpw from checkauth, we are calling get_login_shib
twice now. But the time involved for doing so is around zero (cache), so
not really an argument for extra parameters and complexer code.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
https://bugs.koha-community.org/show_bug.cgi?id=17776
Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
- This patch adds shibboleth authentication to the staff client.
- Depending upon how your url structure works, you may or may not need a
second native shibboleth service provider profile configured for this
to work.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Multi params are not handle correctly after login
Test plan:
[0] Use staff interface
[1] Use advance search and tick itemtype more than one checkbox
[2] Copy result url
[3] Logout
[4] Paste url in browser
[5] Type username and password
[6] In search result page, results limit description under breadcrumbs
will show all limits
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
If you choose to enforce GDPR policy, a user needs to give consent for
data processing before he does something else in the OPAC while being
logged in.
Test plan:
[1] Set GDPR_Policy to Disabled or Permissive. Usual behavior.
[2] Set to Enforced. Save a refusal on your consents. Notice that
you are logged out when saving. When you login again, all OPAC
requests are redirected to your consents tab.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
The bug is that $sessionID is declared twice in C4::Auth::checkauth().
At the moment, this doesn't actually create a problem, because no
one seems to be using the $sessionID which is returned by checkauth(),
except in the case of opac/external/overdrive/auth.pl which skips
the second declartion as it doesn't require auth.
This patch removes the redefining of the $sessionID variable.
In terms of testing, try logging in with a username and password
and see if it works. The only risk this patch would pose is breaking
auth I would think, since nothing is actually using the return value
from checkauth() for $sessionID.
NOTE:
It was initially defined near the top of the function (~line 791).
I believe the scoping would mean the correct version of $sessionID
would be used in the latter lines for the unset'ing.
I have skimmed code to see if the sessionID return value is used.
I did not test overdrive, as I do not know how. However, this is
the only area, I think this could possibly break. This change makes
sense to me.
QA: Please test overdrive.
opac/external/overdrive/auth.pl only checks if the value is set, so
this patch might fix/break something there?
opac/svc/overdrive same kind of check.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
This is a (tiny) code improvement. Now we consistently return the session
id that is also stored in the returned cookie. (Which can be an 'anon'
session.)
Fact is that Koha almost everywhere ignores the returned session id and
sometimes gets the session from the cookie (obviously). The session id is
also passed to the template by get_template_and_user but never used in
templates.
As mentioned, the two overdrive scripts are the exception. But since both
test on both $user && $sessionID, they will not choke on an anynonomous
session id without userid. So theoretically fine, but not tested.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>