Commit graph

578 commits

Author SHA1 Message Date
5efc27ea53 Bug 24663: Handle special cases for recovery password and selfreg
The password recovery and self-registration features need to be
accessible at the OPAC even if not public.

Test plan:
Self register a new account, then ask for a new password with OpacPublic
turned off

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Tomás Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
4b9475346e Bug 24663: Test OpacPublic for all OPAC scripts
Prior to this patchset there were 3 different calls to
get_template_and_user (or checkauth) with the authnotrequired param:
 * authnotrequired => 0
 * authnotrequired => 1
 * authnotrequired => ( C4::Context->preference("OpacPublic") ? 1 : 0 )

The first one says that an unauthenticated user can access the page, the
second that the user has to be authenticated, and the last one that it
depends on the OpacPublic syspref.
Actually we must replace the first one with the third one, if the OPAC
is not public, the authentication must be forced.

To do so we are going to remove the "authnotrequired => 0" occurrences,
and check the OpacPublic syspref's value in C4::Auth

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
db55279886 Bug 25360: (follow-up) Remove the https FIXME in Auth.pm
The FIXME is no longer valid since we fixed the X-Forwarded headers
for Plack. And since we do not even use using_https anymore in
the templates (see bug 21094).

Test plan:
Run Auth.t
Git grep for using_https

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
b42d57984b Bug 25360: Use secure flag for CGISESSID cookie when using HTTPS
This patch adds the secure flag to the CGISESSID cookie when using HTTPS.
This prevents the cookie being used again over a normal HTTP
request.

Bug 25360: [Follow-up] Test for "on" or "ON" value for HTTPS env var

This patch tests for HTTPS "on" or "ON" before setting the secure
cookie.

Bug 25360: [Follow-up] Fix typo in C4/InstallAuth.pm

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Amended number of tests in Context.t
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
e9b051baf7 Bug 24201: (QA follow-up) Correct call to set_userenv
One call to set_userenv had been implimented incorrectly with the
parameters out of order.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-08-07 16:54:40 +02:00
Nicolas Legrand
4163f24014 Bug 24201: (follow-up) add desk choice with library choice
You should be able to add desk choice when you are logging in or
changing library.

Test plan:

1. apply patch
2. have at least three libraries, one without desk, one with one and
one with a few.
3. At login, when choosing a library, it should enable all desks it
has. Pick one.
4. the desk id and name should be set in your session and appear in
the top right, next to the library name.
5. change library and desks from intranet (at the set-library.pl page)
6. you should have the same behaviours
7. if you have a library without a desk, it should prompt you a '---'
option and no desks will be attached to the session.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-08-07 16:54:40 +02:00
876d95285e Bug 24201: (follow-up) Use GetLoggedInDeskName
This patch updates the templates to use the new TT plugin instead of
adding additional variables to the already crouded get_template_and_user.

Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-08-07 16:54:40 +02:00
Nicolas Legrand
3fc961b7c2 Bug 24201: Attach desk to intranet session
When Desks are defined, a librarian can attach a desk to its session.

Test plan:

1. apply 13881 and create some desks
2. you should see “NO DESK SET” in the intranet header
3. go to circulation > Set desk
4. you should see your desk name in the header, whatever the page
5. you can also set desk with the header menu

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-08-07 16:54:40 +02:00
c9eb2be381 Bug 23795: Convert opaccredits system preference to news block
This patch builds on Bug 22318 to move the opaccredits system
preference into the Koha news system, making it possible to have
language- and library-specific content.

To test you should have some content in the opaccredits system
preference. Apply the patch and run the database update process.

 - Go to the OPAC and confirm that the content which was previously in
   the opaccredits system preference now displays correctly where
   it was before.
 - In the staff client, go to Tools -> News and verify that the content
   from opaccredits is now stored in news items. There should be
   one entry for each of the enabled translations in your system, for
   instance 'opaccredits_en', 'opaccredits_fr-FR',
   'opaccredits_cs-CZ'
 - Go to Administration -> System preferences and confirm that the
   opaccredits preference has been removed.

Signed-off-by: Sally <sally.healey@cheshiresharedservices.gov.uk>
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-07-23 11:17:27 +02:00
cbd8655157 Bug 25765: Replace LoginBranchname and LoginBranchcode with use of Branches template plugin
The template plugin Branches contains a method GetLoggedInBranchcode that returns current branch code.
This patch adds GetLoggedInBranchname to get current branch name.
It is used to replace vars LoginBranchname and LoginBranchcode sent to all templates in C4/Auth.pm.

In labels and patrons cards modules, I choose to remove a unseless display of
current branch in a hint.

In acqui/acqui-home.tt, I choose to remove a useless display of current
branch and also because table of founds contains a filter on library.

Test plan:
Check pages source code to see branch code or name is correct.
list of the pages:
/cgi-bin/koha/acqui/acqui-home.pl
/cgi-bin/koha/catalogue/detail.pl?biblionumber=XXX
/cgi-bin/koha/circ/branchoverdues.pl
/cgi-bin/koha/circ/set-library.pl
/cgi-bin/koha/circ/offline.pl
/cgi-bin/koha/labels/label-edit-batch.pl?op=new
/cgi-bin/koha/labels/label-manage.pl
/cgi-bin/koha/patroncards/edit-batch.pl
/cgi-bin/koha/patroncards/manage.pl
OPAC:
/cgi-bin/koha/opac-detail.pl?biblionumber=XXX

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-07-23 11:17:27 +02:00
4689777ba9
Bug 23794: Convert OpacMainUserBlock system preference to news block
This patch builds on Bug 22318 to move the OpacMainUserBlock system
preference into the Koha news system, making it possible to have
language- and library-specific content.

To test you should have some content in the OpacMainUserBlock system
preference. Apply the patch and run the database update process.

 - Go to the OPAC and confirm that the content which was previously in
   the OpacMainUserBlock system preference now displays correctly where
   it was before.
 - In the staff client, go to Tools -> News and verify that the content
   from OpacMainUserBlock is now stored in news items. There should be
   one entry for each of the enabled translations in your system, for
   instance 'opacmainuserblock_en', 'opacmainuserblock_fr-FR',
   'opacmainuserblock_cs-CZ'
 - Go to Administration -> System preferences and confirm that the
   OpacMainUserBlock preference has been removed.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-05-01 08:17:23 +01:00
73fd85fd02
Bug 21190: (follow-up) Save patron id in failure when available
The wrong password might belong to an existing user. If that is the case,
we have a $patron.
Note that logaction will save the object info but has no user in the
context environment for a failure.

Test plan:
Login with good user, bad pw and bad user, bad pw. Check logviewer.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Michal Denar <black23@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-04-14 16:13:39 +01:00
8a04980366
Bug 21190: Add authentication logging to checkpw
Add optional logging for successful and failing login attempts in
checkpw.

Test plan:
Enable the preferences
Perform a good login and a bad attempt
Check action_logs

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk>
Signed-off-by: Michal Denar <black23@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-04-14 16:13:39 +01:00
Aleisha Amohia
c95ae98d60
Bug 4461: Adding user flags for managing OPAC problem reports
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-04-06 11:18:13 +01:00
21c9b685bf
Bug 20415: Remove UseKohaPlugins system preference
Owen Leonard 2018-03-16 10:47:47 UTC :
<<
I don't think the system preference adds any security. There are already multiple permissions required for working with plugins:

- Configure plugins
- Manage plugins ( install / uninstall )
- Use report plugins
- Use tool plugins

And even with those permissions your server must be configured to allow the use of plugins.
>>

Test plan :
1) Install kitchen sink plugin https://github.com/bywatersolutions/koha-plugin-kitchen-sink
2) Run misc/devel/install_plugins.pl
3) Set config enable_plugins=1
4) Check all parts of the plugin are working
5) Set config enable_plugins=0
6) Check all parts of the plugin are disabled

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-03-26 11:42:02 +00:00
Hayley Mapley
619d6362ce
Bug 22943: Renames the in_ipset function to in_iprange in C4::Auth
Bug 14407 introduced a new system preference to allow limiting the
online self checkout system to an IP or IP Range. The function that
handles this is called in_ipset, which is the name of a linux tool. To
stop confusion, this patch renames the function to 'in_iprange', and the
variable 'ipset' within it to 'iprange'.

To test, follow the test plans outlined in Bug 14407 and confirm that
everything works as expected.

Sponsored-by: Catalyst IT
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-03-16 11:00:21 +00:00
9b86077aae
Bug 17845: Remove unused code related to printers
There is some quite old and unused code in Koha related
to printer configuration and network printing. These code
hasn't been functional in a long time and should be removed.

This patch:

- Removes printcirculationslips system preference
- Removes table printers
- Removes branchprinter column from branches

Check that:
- Go to administration
- Open any age there, but change the last bit to: printers.pl
- Apply patch, run the database update
- Verify the hidden page no longer exists
- Verify that logging in and out still works correctly
- Verify that checkout and returns work correctly
- Switch to another branch using the "Set library" option

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-03-10 15:18:27 +00:00
18f3b83b6e
Bug 22880: (QA follow-up) Remove opacheader from C4::Auth
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-02-24 13:24:55 +00:00
Magnus Enger
d20c9ff588
Bug 22543: Prevent "back and refresh attack"
To reproduce and test:
- Log into the OPAC, you are taken to /cgi-bin/koha/opac-user.pl
- Log out, you are taken to /cgi-bin/koha/opac-main.pl?logout.x=1
- Click "Back", you are taken to /cgi-bin/koha/opac-user.pl
- Reload the page, you see an error like "Confirm new submission
  of form"
- Reload the page again and confirm the submission of the form
- You are now logged in to the OPAC again!
- Log out again
- Apply this patch
- Log in to the OPAC, you are taken to /cgi-bin/koha/opac-user.pl
- Log out, you are taken to /cgi-bin/koha/opac-main.pl?logout.x=1
- Click back, you are taken to /cgi-bin/koha/opac-user.pl
- No matter how many times you reload /cgi-bin/koha/opac-user.pl,
  you should not see anything other than the login form.
- Check that Self Check Out still works as it should, by making
  sure you have a user with self_check permissions, then setting
  WebBasedSelfCheck, AutoSelfCheckAllowed, AutoSelfCheckID and
  AutoSelfCheckPass appropriately. Then visit
  /cgi-bin/koha/sco/sco-main.pl and verify everything works as
  expected.

The messages and errors pages you see related to resubmitting the
form might differ from the ones described here, depending on what
browser you use. I tested in Chromium 76.0.x.

This fix was originally proposed by LMSCloud:
74a7fe0f0c

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-11-27 11:30:18 +00:00
a6838a3e35
Bug 23068: Add ability for Koha to handle X-Forwarded-For headers so REMOTE_ADDR features work behind a proxy
Koha has a number of features that rely on knowing the IP address of the connecting client. If that server is behind a proxy these features do not work.
This patch adds a module to automatically convert the X-Forwarded-For header into the REMOTE_ADDR environment variable for both CGI and Plack processes.

TEST PLAN:
1) Apply this patch set
2) Install Plack::Middleware::RealIP via cpanm or your favorite utility
3) Update your plack.psgi with the changes you find in this patch set ( this process differs based on your testing environment )
4) Restart plack
5) Tail the plack error log for your instance
6) Use curl to access the OPAC, adding an X-Forwarded-For header: curl --header "X-Forwarded-For: 32.32.32.32" http://127.0.0.1:8080
7) Note the logs output this address if you are unproxied
8) If you are proxied, restart plack using a command like below, where the ip you see in the logs ("REAL IP) is what you put in the koha conf:
    <koha_trusted_proxies>172.22.0.1 1.1.1.1</koha_trusted_proxies>
9) Restart all the things!
10) Repeat step 6
11) You should now see "REAL IP: 32.32.32.32" in the plack logs as the remote address in your plack-error.log logs!
12) Disable plack so you are running in cgi mode, repeat step 6 again
13) You should see "REAL IP: 32.32.32.32" as the remove address in your opac-error.log logs!

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Ed Veal <eveal@mckinneytexas.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-10-31 16:10:17 +00:00
c9c6dd1016
Bug 23771: Don't look for patrons if we don't have a userid
While the code requires external auth to test, the change is simple enough I
think a good read would suffice

To test:
1 - You either need Shib or CAS enabled and setup
2 - Add two users with blank.null cardnumbers
3 - Lock those user accounts
    Set failedloginattempts to 1
    Try a bad login with the userid
    Or set via the DB
4 - Try a good login via the external auth
5 - Note it fails
6 - Apply patch
7 - Login now succeeds

Signed-off-by: Mike Somers - Bridgewater State University <msomers@bridgew.edu>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-10-11 14:34:10 +01:00
Katrin Fischer
30627be138
Bug 23697: (QA follow-up) Rename PatronAutocompletion to PatronAutoComplete
Just a find and replace on the changed system preference name.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-10-08 14:51:12 +01:00
Matthias Meusburger
e5bf671357
Bug 23697: (follow-up) Add autocompletion search in patron module
- Rename CircAutocompl system preference to PatronAutocompletion
 - Take this system preference into consideration for patron search

Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-10-08 14:51:04 +01:00
3640130d1f
Bug 22929: Allow SCI/SCO logins independent of GDPR_Policy
This patch makes Auth skip the GDPR policy check when get_template_and_user
is called for sci/sco (self checkin, checkout).
I do not really like the change in this form but the nature of self checkin
and checkout kind of dictate it (double hack).
I wanted to add a test but since that asks for mocking CGI, checkauth, etc.
the time needed for that is just too much for this simple change.

Test plan:
Enable GDPR_Policy and self checkin/checkout.
Verify that using patrons without consent is not blocking sci/sco.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-09-09 11:15:11 +01:00
f9572dd1ac
Bug 23253: Fix OpacNavRight for self reg by email
The code expects to display OpacNavRight content at the bottom of the
login form when a user just registered.

Test plan:
- Turn PatronSelfRegistrationVerifyByEmail on
- Register a patron
- Confirm by clicking on the link you received by email (or see the
message_queue table)
=> The OpacNavRight content should be displayed

QA Note: This code smells, the code in the pl should not be needed.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-08-15 09:19:28 +01:00
b558895898
Bug 23078: (follow-up) Update self checkout help page
This patch takes care of some preference instances I missed in the self
checkout module's help page. It also removes some obsolete lines from
Auth.pm.

To test, apply the patch and re-test based on the previous test plan.
Also test in the self-checkout module by logging into self checkout and
clicking the "Help" link in the upper right of the screen.

The settings of the following preferences should be shown correctly:

 - OpacFavicon
 - OPACUserCSS

Signed-off-by: frederik chenier <frederik.chenier@inlibro.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-07-19 15:58:48 +01:00
6a222fa2af
Bug 23078: Use Koha.Preference in OPAC global header include
This patch updates the OPAC's doc-head-close.inc so that it uses
'Koha.Preference' syntax to output system preference data. The patch
removes handling of two preferences from Auth.pm which which are covered
by this template change.

This patch also makes some minor changes to consolidate multiple
template checks for "bidi"

To test, apply the patch and test the affected OPAC system preferences:

 - OpacFavicon
 - opaclayoutstylesheet
 - OPACUserCSS
 - OPACBaseURL

Confirm that changes made to these preferences are reflected in the
OPAC.

Signed-off-by: frederik <frederik@inlibro.com>
Signed-off-by: Nadine Pierre <nadine.pierre@inLibro.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-07-19 15:58:26 +01:00
Mark Tompsett
a4f5cc4d66 Bug 14407: Follow up to add test case and clean noise
Comment #28 has a /36 which is invalid CIDR.
This triggers a crash and noise.
This cleans up the crash and noise, and adds
test cases to check for them.

prove t/Auth.t
-- before missing null case, and /36 case.
-- after null case, and /36 with/without warnings.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Hayley Mapley <hayleymapley@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-05-10 11:39:50 +00:00
Nicholas can Oudtshoorn
30f0e7fec9 Bug 14407: Allow restricting SCO to IP or IP range
Converted this to actual applicable patches.
I think the test plan is comment #28. -- Mark Tompsett

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-05-10 11:39:50 +00:00
456a7ae6d4 Bug 22692: Check for patron using cardnumber and userid
TO test:
1 - Set failed login attempts to 1
2 - Attempt a login with a userid and bad password, no success
3 - Attempt a login with userid and correct password, prevented because
locked
4 - Attempt a login with cardnumber and right password, you are logged
in
5 - Log out, try again with userid and correct password, prevented
because locked?
6 - Apply patch
7 - Repeat 1-3 to lock account
8 - Attempt logging in with cardnumber, you are prevented

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-05-02 13:39:06 +00:00
4c01891613 Bug 20128: (QA follow-up) Corrections to haspermission
The haspermission routine wrongly assumed that get_user_subpermissions
would return a list of all subpermissions if the user had the top level
permission, but instead if just returns 1.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-04-17 12:25:26 +00:00
71f17b35ee Bug 21336: Do not increase login_attempts after locking
If an account has been locked, there is no use to keep increasing this
number. It is not true too; after the pref number has been reached,
we can not really speak of login attempts anymore. The credentials are
just ignored.

Adding a dbrev to put existing values in line. And a simple test in
Auth.t to confirm that login_attempts stop increasing.

Note: It feels safe to keep the '>=' condition in account_locked. But it
could obviously be changed to '=='. (Added a test for that.)

Note: Adding a mock_preference in Auth.t too for GDPR_Policy. Since not all
tests will pass when the pref is enabled (though disabled by default).

Test plan:
Run dbrev with updatedatabase.pl.
Run t/db_dependent/Koha/Patrons.t
Run t/db_dependent/Auth.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-04-17 12:25:23 +00:00
Liz Rea
8c038b9eab Bug 18387: (QA Follow up) adding specificity to error template.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-04-12 01:47:23 +00:00
2ecca43004 Bug 18387: Allow sco-user to access errors templates
To test:
 1 - Enable AuthoSelfCheck prefs
 2 - In opacuserjs or scouserjs add a fetch of an unreachable resources
 3 - Visit the SCO
 4 - Sign in as a patron then click 'finish'
 5 - Say 'yes' to receipt
 6 - Note you are directed to log in
 7 - Apply patch
 8 - Restart all the things
 9 - Repeat 4 & 5
10 - Sucess, receipt prints

Signed-off-by: Liz Rea <wizzyrea@gmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-04-12 01:47:21 +00:00
c5bc2563a8 Bug 22600: Add 'api' to interface types and set appropriately
This patch adds 'api' as a valid interface and sets it appropriately for
both the new REST api and previous /svc/ api's.  Handling to keep the
interface of a logged in session is included such that if the OPAC or
Intranet use the API's internally via a Cookie we will maintain the
interface throughout the session.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-04-10 19:43:11 +00:00
4cffd7e267 Bug 22483: Restore exact behaviour of undef
Passing undef (or nothing) as $flagsrequired to haspermission simply
returned the return from fetchrow prior to this patch. Restoring that
behaviour.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2019-03-09 05:16:40 -03:00
088e0243bf Bug 22483: Restore undef behaviour
Turns out that we rely heavily on the side effect that passing undef
to haspermission would always return true no matter what permissions
or lack of permissions you had.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2019-03-08 15:53:10 -03:00
6b457885cd Bug 22483: (QA follow-up) Corrections to logic in check_cookie_auth
check_cookie_auth needs to allow for cases where we wish to check for
ANY permission and cases where we wish to skip the permissions check
entirely and just authenticate the session.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2019-03-08 15:26:05 -03:00
32551fffdb Bug 22483: (follow-up) Improve POD as requested in bug 22031
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2019-03-08 15:26:04 -03:00
cc67ff26aa Bug 22483: Explicitly ban 'undef' as a valid $flagsrequired
Before bug 22031 the haspermission subroutine signature allowed for
passing 'undef' to mean 'any permission' in $flagsrequired.  This feels
like a mistake and was only in practical use in two places in the
codebase.

This patch explicitly forbids this practice (`*` may be used to the same
result and is more explicit in it's nature) and replaces the two
instances of it's use.

Test Plan
1. Before this patch, the API tests are all failing with authentication
errors
2. After this patch the API tests should now all pass.
3. t/db_dependent/Auth/haspermission.t should continue to pass (with one
addition subtest added herin)
3. /svc/members/search is not unit tested. Please check that patron
searching still yields results in the UI after this patch.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2019-03-08 15:26:04 -03:00
a8be1966f3 Bug 22031: Add SQL::Abstract like syntax to haspermission
This patch adds an SQL::Abstract inspired query syntax to the
haspermission method in C4::Auth.  One can now pass Arrayrefs to denote
an OR list of flags, a Hashref to denote a AND list of flags.

Structures can be nested at arbitrary depth.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-03-07 20:50:26 +00:00
4c0682f559 Bug 21911: Fix OPAC scoping to work with new group system
To test:

0 - Apply patch
1 - Create a library group enabled for opac search limits and add some
libraries
2 - Check the DB (or advanced search dropdown) to get the id of the
group (using 7 as example below)
3 - Add to apache configuration (OPAC virtualhost)
   SetEnv OPAC_SEARCH_LIMIT branch:multibranchlimit-7
   SetEnv OPAC_LIMIT_OVERRIDE 1
   RequestHeader add X-Koha-SetEnv "OPAC_SEARCH_LIMIT
   branch:multibranchlimit-7"
   RequestHeader add X-Koha-SetEnv "OPAC_LIMIT_OVERRIDE 1"
4 - Ensure OpacAddMastheadLibraryPulldown is disabled
5 - Restart all the things
6 - Visit the opac
7 - Perform a search, confirm it is scoped to the branches in the group

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-12-11 19:12:39 +00:00
b2ff7223b7 Bug 11897: 'superlibrarian' has 'stockrotation' perms
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-09 15:46:07 +00:00
4febf0656c Bug 17776: (QA follow-up) Remove shibboleth package variables
This is about $shib and $shib_login.
We move in the right direction by calling get_login_shib in
get_template_and_user and checkauth. In the same line we can do the
shib_ok check at that time (just checking cached values). This paves
the way for the third subroutine using the two package vars: checkpw.
Note that checkpw is also called outside Auth.pm. So I would be more
comfortable if we do the same calls like in checkauth and remove both
variables from the package level (especially under Plack of course).

The former changes actually justify a 'use C4::Auth_with_shibboleth'
instead of the current require and import.

Note: When calling checkpw from checkauth, we are calling get_login_shib
twice now. But the time involved for doing so is around zero (cache), so
not really an argument for extra parameters and complexer code.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-09 15:02:50 +00:00
ea74ed5766 Bug 17776: Enable Shibboleth for Plack
https://bugs.koha-community.org/show_bug.cgi?id=17776

Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-09 15:02:48 +00:00
Julian Maurice
cee35f3a78 Bug 12027: (QA follow-up) Fix spelling and tab characters
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-01 13:56:31 +00:00
9df099dc11 Bug 12027: Added shibboleth authentication to the staff client
- This patch adds shibboleth authentication to the staff client.
- Depending upon how your url structure works, you may or may not need a
  second native shibboleth service provider profile configured for this
  to work.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-01 13:56:30 +00:00
c6a26d2c9e Bug 21323: Handle multi params in redirect after login
Multi params are not handle correctly after login

Test plan:
[0] Use staff interface
[1] Use advance search and tick itemtype more than one checkbox
[2] Copy result url
[3] Logout
[4] Paste url in browser
[5] Type username and password
[6] In search result page, results limit description under breadcrumbs
will show all limits

Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-09-26 15:43:58 +00:00
6f2a0acc2d Bug 20819: Add check in get_template_and_user to enforce GDPR
If you choose to enforce GDPR policy, a user needs to give consent for
data processing before he does something else in the OPAC while being
logged in.

Test plan:
[1] Set GDPR_Policy to Disabled or Permissive. Usual behavior.
[2] Set to Enforced. Save a refusal on your consents. Notice that
    you are logged out when saving. When you login again, all OPAC
    requests are redirected to your consents tab.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-09-20 13:45:26 +00:00
331af8521b Bug 13779: sessionID declared twice in C4::Auth::checkauth()
The bug is that $sessionID is declared twice in C4::Auth::checkauth().
At the moment, this doesn't actually create a problem, because no
one seems to be using the $sessionID which is returned by checkauth(),
except in the case of opac/external/overdrive/auth.pl which skips
the second declartion as it doesn't require auth.

This patch removes the redefining of the $sessionID variable.

In terms of testing, try logging in with a username and password
and see if it works. The only risk this patch would pose is breaking
auth I would think, since nothing is actually using the return value
from checkauth() for $sessionID.

NOTE:
It was initially defined near the top of the function (~line 791).
I believe the scoping would mean the correct version of $sessionID
would be used in the latter lines for the unset'ing.
I have skimmed code to see if the sessionID return value is used.
I did not test overdrive, as I do not know how. However, this is
the only area, I think this could possibly break. This change makes
sense to me.

QA: Please test overdrive.
opac/external/overdrive/auth.pl only checks if the value is set, so
   this patch might fix/break something there?
opac/svc/overdrive same kind of check.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
This is a (tiny) code improvement. Now we consistently return the session
id that is also stored in the returned cookie. (Which can be an 'anon'
session.)
Fact is that Koha almost everywhere ignores the returned session id and
sometimes gets the session from the cookie (obviously). The session id is
also passed to the template by get_template_and_user but never used in
templates.
As mentioned, the two overdrive scripts are the exception. But since both
test on both $user && $sessionID, they will not choke on an anynonomous
session id without userid. So theoretically fine, but not tested.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-09-14 17:27:28 +00:00