Commit graph

526 commits

Author SHA1 Message Date
d90ff21454 Bug 17698: Do not send pending_checkout_notes from all circ scripts
It's safer to send what we need from C4::Auth it's needed from a whole
module.
The SELECT COUNT(*) query will only be done when needed (so not made
from scripts outside of circ)

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-07-23 15:23:44 +00:00
6965c58308 Bug 20879: Fix regression in shibboleth when ldap enabled
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-22 20:13:13 +00:00
05812dbbba Bug 20727: (QA follow-up) Remove a few use statements again
We do no longer need "use Koha::UploadedFile" in a few places.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-22 16:10:10 +00:00
Kyle M Hall
3ff7c27d98 Bug 20727: Move temporary_directory() to C4::Context
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-22 16:10:09 +00:00
Kyle M Hall
c2b0c92800 Bug 20727: Replace usage of File::Spec->tmpdir with Koha::UploadedFile->temporary_directory
As explained in bug 20428 use tmpdir can cause issues and it just makes sense to standardize our temp directory in a universal way.

Test Plan:
1) Apply this patch
2) Verify you can still log in and use Koha
3) Verify the web installer still works
4) Verify EDI module can still download files via FTP
5) Verify fines.pl still runs with -o option
6) prove t/db_dependent/Plugins.t
7) prove t/db_dependent/Sitemapper.t
8) prove t/db_dependent/Templates.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-22 16:10:08 +00:00
Katrin Fischer
870913b3c3 Bug 2426: Remove deprecated management permission
After review of the code it turns out that the management permission
that has been marked as deprecated a long time ago, does not have
any function.

The patch removes all remaining code related to it.

To test:
- Make sure you have a patron with the management permission
- Apply patch
- Run database update
- Check everything still works as expected

Bonus:
borrowers.flags is recalculated for patrons with management
permission.

To check:
- Create some 'permission twins' with and without management
  permission
- Note the value in borrowers.flags
- Apply patch, don't run database update
- Save permissions from GUI for one of the twins
- Note the newly calculated value
- Run database update
- Now both twins should have the same borrowers.flags value

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-08 12:17:25 +00:00
421746dd63 Bug 20877: Do not consider DB user has permissions
Test plan:
0/ Do not apply the patch
1/ Confirm the new test fails
2/ Apply the patch
3/ Confirm the new test passes
4/ Test the installation process

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-08 10:43:37 +00:00
3d68ab447e Bug 18821: (QA follow-up) Last tweaks for performance
[1] passing unsafe has no use since it is a scalar, removed it to unconfuse
[2] remove caching when pref is disabled
[3] caching userid removes the need for calling Patron->find each time
[4] subsequent changes in unit test
[5] cosmetic renames to move from session to daily basis (changed dev angle)

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
First call going thru Koha::Patron takes about 0.0150 sec.
Subsequent calls only use caching and take about 0.0006 sec.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-08 10:30:17 +00:00
495512f6ea Bug 18821: Convert to using cache with date checking
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-08 10:30:16 +00:00
6491ba0233 Bug 18821: TrackLastPatronActivity is a performance killer
Test Plan:
1) Apply this patch
2) Start a new session ( a private browser window works well )
3) Note the lastseen column in the borrowers table is updated
4) Browse a few pages, not the lastseen column is not updated again
5) Close the browser window and repeat steps 2-4
6) prove t/db_dependent/Auth.t

Signed-off-by: Charles Farmer <charles.farmer@inLibro.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-08 10:30:16 +00:00
046f1f3401 Bug 20284: (QA follow-up) superlibrarian has ill permissions
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-05-07 11:55:01 -03:00
Katrin Fischer
9c0d403586 Bug 20400: (follow-up) Several fixes from RM review
- "your routing lists" tab is now highlighted when active
- get_routinglists was renamed to get_routing_lists
- Koha::Patron->get_routing_lists returns the ->search result
  directly
- Koha::Subscription::RoutingList->subscription uses DBIC
  relationship
- Undo changes to C4/Auth.pm

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-20 17:59:06 -03:00
Katrin Fischer
9af0b9de7d Bug 20400: Add routing list tab in OPAC
This patch adds the base for the new feature:
Show a list of the serial titles a patron is on routing
lists for in the OPAC.

Test plan applies to the complete patch set:

To test:
- Apply all patches
- Make sure RoutingSerials is not activated
- Check patron account in OPAC - no tab should appear
- Activate RoutingSerials
- Create subscriptions and different routing lists, test with:
  - Patron with no routing list entries = no tab
  - Patron with one or more routing list entries = tab appears

Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Bug 20400: Rewrite using Koha::Objects

Adds
- Koha::Subscription::Routinglist
- Koha::Subscription::Routinglists

Adds 2 methods
- Koha::Patron::get_routinglists
- Koha::Routinglist::subscription

Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Bug 20400: Add unit tests

prove t/db_dependent/Koha/Subscription/Routinglists.t
prove t/db_dependent/Koha/Patrons.t

Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Bug 20400: Display new tab in OPAC only for patrons with routing lists

The visibility of the routing list tab in the OPAC depends
on the system preference RoutingSerials and the existence
of routing list entries for the patron.

Some libraries only offer routing lists to certain user groups and
would not want it generally visible. As there are currently no
actions you can perform from the list, this appears to be a
reasonable behaviour.

See test plan in first patch.

Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Bug 20400: (follow-up) Use Asset TT plugin on opac-routing-lists.tt

Patch applies and functions as described.
Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Bug 20400: (QA follow-up) Redirect to 404 if routing is disabled

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-20 13:34:41 -03:00
d68fe07bf8 Bug 20489: Prevent DB user login
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-20 12:24:00 -03:00
7aac30428f Bug 20479: Ease readability - do not enter the block if not logged in
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-27 13:39:21 -03:00
24f25369a5 Bug 20479: Use $flag instead of fetching patron
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-27 13:39:21 -03:00
d8b3497368 Bug 20479: (follow-up) Don't try to get flags for database user
Login will still break in opac-user.pl, but that seems a bigger problem
not from SCI module

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-27 13:39:21 -03:00
51d7a02726 Bug 20479: Don't kick superlibrarians out of the opac
To test:
1 - Try to log in to opac with a superlibrarian
2 - Everythign goes wrong
3 - Apply patch
4 - Try to log in with superlibrarian
5 - You can sign in

Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-27 13:39:21 -03:00
b03ce512c4 Bug 20480: Make KOHA_VERSION available to all templates in all circumstances
This patch makes C4::Templates::gettemplate set the KOHA_VERSION param
for the template. This way this template parameter, which is required by
(probably) all pages that include CSS/JS content is available in all
circumstances.

A noticeable problem with the current approach is when using the SCO and
SCI modules with wrong/forbidden users: C4::Auth short-circuits and
redirects to the login page, without setting the KOHA_VERSION param.
This patch solves it for good.

To test:
- Enable the SCI module
- Open the browser at
  http://localhost:8080/cgi-bin/koha/sci/sci-main.pl
- Login with the db user (koha_kohadev / password)
=> FAIL: Login failure, but styling is broken
- Apply this patch
- Retry
=> SUCCESS: Everything looks as it should!
- Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-27 13:38:57 -03:00
d6e8e88249 Bug 15492: Make existing code aware of new self_check* permissions
This patch makes the existing code for SCO use the new permissions schema
for self check modules. Specifically addresses this change:

  circulate  => self_checkout
becomes
  slef_check => self_checkout_module

about.pl checks are dejusted too.

get_template_and_user gets refactored to avoid code duplication and the
conditions are adjusted for the new permissions.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-26 17:31:18 -03:00
9bf68c8c3e Bug 15492: Add SCI module
This patch adds the SCI module, and adapts C4::Auth to know about it.

The current behaviour is:
- Requires admin user initialization/login
- Uses the logged users' library
- A form allows to scan multiple barcodes
- A button sends the barcode list to the controller
  to batch perform the checkins
- Successful and failed checkins are sent to the template
- Results are displayed
- Logout link

To test:
- Apply this patches
- Make sure you upgrade:
  $ kshell
 k$ perl installer/data/mysql/updatedatabase.pl
- Have 'SelfCheckInModule' disabled
- Go to http://kohadev.myDNSname.org:8080/cgi-bin/koha/sci/sci-main.pl [1]
=> SUCCESS: You are rejected because the feature is disabled
- Enable 'SelfCheckInModule'
- Go to the previous URL
=> SUCCESS: You are required to login
- Login with a user WITHOUT self_checkout permissions
=> SUCCESS: You are not allowed to log into the Self check-in module.
- Login with a user WITH self_checkour permissions
=> SUCCESS: You gain access, and are presented the UI
- Go through the several options
=> SUCCESS: All works as it should
- Click the 'Help' link
=> SUCCESS: A help text is displayed on a modal
- Sign off :-D

- Bonus points:
  $ kshell
 k$ qa -c 2 -v 2
=> SUCCESS: All tests green

[1] Adjust to your dev's OPAC setup

Signed-off-by: David Bourgault <david.bourgault@inlibro.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-26 17:31:18 -03:00
Ulrich Kleiber
84ca0487a0 Bug 19160: (follow-up) Fix problems introduced by renaming logout_required to logout_if_required
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-23 11:45:37 -03:00
9c0be579fe Bug 19160: Isolate CAS code into its own module
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-23 11:45:37 -03:00
b85f8c9e2a Bug 19160: Move the code from controller to C4::Auth_with_cas
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-23 11:45:37 -03:00
e8857894bd Bug 19160: Move duplicated code to its own private subroutine
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-23 11:45:37 -03:00
Chris Cormack
61c9f0c5a0 Bug 19160: CAS Single logout
CAS supports single logout, where if you logout of one application it
logs you out of all of them.

This bug implements this

You will need a CAS server (with single logout configure),
and at least 2 applications (one being Koha)

1/ In Koha login via CAS
2/ Login to the other application via CAS
3/ Logout of the other application
4/ Notice you are still logged into Koha
5/ Log out of Koha
6/ Apply patch
7/ Login to Koha via CAS, login to other app via CAS
8/ Log out of other app
9/ Notice you are logged out of Koha

If you dont have CAS, this patch should be a no op, you could test that
1/ Login and logout normally
2/ Apply patch
3/ Login and logout still work fine

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Patch works as described, local login still works correctly.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-23 11:45:37 -03:00
c5dcfcd6b3 Bug 20189: Fix style on the authentication page
Needed when logging out and in again..

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Victor Grousset <victor.grousset@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-13 12:57:21 -03:00
e7aa94b782 Bug 20157: Do not display OPAC groups on the staff interface
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:42:22 -03:00
f353a6caac Bug 20157: Use group 'features' to decide which groups to use for group searching functionality
Instead of basing the group searches on the group name, which is an
inherently touchy system, we should use the same checkbox style that
Jonathan introduced for the patron limits by group feature.

Test Plan:
1) Check to ensure existing group searches still show as they used to

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:58 -03:00
a037b80ee3 Bug 18403: Deal with the DB user
On first login, Koha explodes before the logged in user does not exist
in DB.
This patch deals with that by adding several checks when it's needed.

Test plan:
Use the DB user to create a superlibrarian user.
The DB user should no be allowed to do anything else.

Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>

Bug 18403: Fix patron creation

memberentry.pl can be called to create a new patron, in that case the
patron does not exist yet.

Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:42 -03:00
d2f2590c89 Bug 18403: Send logged_in_user to template from C4::Auth
Technical note:
To ease future changes we are passing a logged_in_user variable to templates.
It contains the Koha::Patron object representing the logged in patron.
This will be very useful for this patch and even after (for instance we will be
able to replace easily loggedinusername and loggedinusernumber).

Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:37 -03:00
2059f7d801 Bug 16735: Migrate library search groups into the new hierarchical groups
Test Plan:
1) Apply this patch set
2) Note your existing search groups have been ported over to the new
   __SEARCH_GROUPS__ group if you had any
3) Create the group __SEARCH_GROUPS__ if one does not already exist
4) Add some first level subgroups to this group, add libraries to those groups
5) Search the library group searching in the intranet and opac
6) Note you get the same results as pre-patch

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:25 -03:00
0f43bdd641 Bug 12904: Pass KOHA_VERSION in C4::Auth
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
2018-02-08 14:53:23 -03:00
5359488528 Bug 12227: Remove the demo functionality
This is a legacy mode that did not really work.

Test plan:
Play with frameworks and sysprefs and confirm the changes
(add/del/update) are taken into account.

Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-12-11 11:34:20 -03:00
8c510e1a92 Bug 17989: Include full path logic in _get_template_file
Similar to the full path test in sub themelanguage, this patch makes a
change in _get_template_file. This allows you to pass a template
outside the modules directory to get_template_and_user. (Note: the sub
badtemplatecheck already blocks bad paths.)

Especially, this would be helpful for plugins using templates. As can be
seen in Templates.pm, a change was made earlier to overwrite the filename
for a plugin in sub gettemplate. This exception can now be removed.

Also note the small change in Koha/Plugin/Base.pm; mbf_path is already
absolute and if we pass a full path, we do not need it. This allows use of
a regular Koha template or a shared template between plugins (as long as
badtemplatecheck allows the path).

What are the side-effects of this change?
[1] We should not pass absolute paths if we mean relative ones.
    A follow-up patch deals with one occurrence in the codebase.
    No regressions for regular use.
[2] Plugins can call get_template_and_user directly or go via get_template
    in Koha/Plugin/Base (absolute paths don't go via mbf_path).

Note: replaced two single quotes in Auth.pm to show template name in test
description.

Test plan:
[1] Open some page on OPAC or staff client to trigger a template.
[2] Run t/db_dependent/Auth.t to verify not allowing some bad templates.
[3] Run t/db_dependent/Templates.t to verify an absolute path.
[4] Run t/db_dependent/Plugins.t to verify using templates in a plugin.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-11-01 13:10:17 -03:00
411d0cf8ea Bug 17989: Centralize bad template check
The bad template check in get_template_and_user can be removed, since
this check has been added in gettemplate on bug 18010.

The check moves here to a new sub in C4::Templates. And will be extended
in a follow-up.

Removed unused variable $path in gettemplatefile.

Test plan:
[1] Run t/db_dependent/Auth.t (get_template_and_user bad calls).
[2] Run t/db_dependent/Templates.t (bad call to gettemplate).

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-11-01 13:10:17 -03:00
ec4e666bc5 Bug 18298: minPaswordLength should not be < 3
Indeed if RequireStrongPassword is set we need at least 3 characters to
match 1 upper, 1 lower and 1 digit.
We could make things more complicated to allow minPasswordLength < 3
but, really, 3 is already too low...

Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-10-16 09:44:32 -03:00
313e1f2f27 Bug 18880: [QA Follow-up] Finishing touch
Do not fill @return if retval == -1 for LDAP (see cfc484b17).
No need to call store after an DBIx update. Rearranged the if statement.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-07-14 12:05:31 -03:00
d852b33266 Bug 18880: Fix authentication fallback for external authentications
A regression in commit cfc484b17 / bug #18314 breaks the local
authentication fallback for all external authentications like LDAP, CAS
and Shibboleth.

The regression itself is a logical error as "@return = (0)" is
considered to be "false" when checked with "unless" (line 1814). That's
wrong as "unless" tests the number of elements in a list.

This patch tries to simplify the logic by adding a $passwd_ok and
$check_internal_as_fallback flags to be more verbose and hopefully more
understandable.
The goal here is simply to restore back the same logic as before cfc484b17

Signed-off-by: Lee Jamison <ldjamison@marywood.edu>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-07-14 12:04:57 -03:00
2b90ea2cb0 Bug 17829: Move GetMember to Koha::Patron
GetMember returned a patron given a borrowernumber, cardnumber or
userid.
All of these 3 attributes are defined as a unique key at the DB level
and so we can use Koha::Patrons->find to replace this subroutine.
Additionaly GetMember set category_type and description.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-07-10 13:14:19 -03:00
60e55c857c Bug 17554: (followup) Shibboleth check should use ->find too
There was a remaining use of C4::Members::GetBorrowersWithEmail in Auth.pm.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2017-07-05 13:43:21 -03:00
69ddc09434 Bug 17554: Koha::Patrons - Remove GetBorrowersWithEmail
C4::Members::GetBorrowersWithEmail can be easily replaced with
Koha::Patrons->search({ email => $email });

Test plan:
Confirm that you are still able to use PKI authentication

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2017-07-05 13:43:21 -03:00
a5e84d45c0 Bug 18314: Fix reset number of login attempts on login success
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-12 10:59:00 -04:00
cfc484b173 Bug 18314: Account lockout
To prevent brute force attacks on Koha accounts, staff and opac, we need to
implement an account lockout process to Koha.

After a number of failed login attempts a users account would become locked.
The user would then need to use the reset password functionality to send a reset
token to their email account. After a successful password reset the lockout flag
would be removed.

The number of failed login attempts before lockout is configurable using a new
system preference 'FailedLoginAttempts'.

How does it work?
When a patron enter an invalid password, the borrowers.login_attempts value
for this patron is incremented. When this value reach the value of the
pref FailedLoginAttempts, the password comparison is not done and the
authentication is rejected.
This login_attempts field is reset when a patron correctly logs in. When
the account is locked the patron has to reset his/her password using
the OpacResetPassword feature or ask a staff member to generate a new
password.
If the pref is not set (0, or '') the feature is considered as disabled,
but the failed login attempts are stored anyway.

Test plan:
0/ Apply patch and execute the update DB entry
1/ Switch on the feature by setting FailedLoginAttempts to 3
2/ Use an invalid password to login at the staff or OPAC interface
3/ After the third consecutive failures, you will be asked to reset your
password if OpacResetPassword is set, or contact a staff member
4/ Switch on OpacResetPassword and reset your password
5/ Confirm that you are able to login
6/ Play with the different combinations

QA details: The trick happens in C4::Auth::checkpw, to make things clear
I had to create a return value (note the awesome name: @return) and
replace the 3 successives if statements with elsif. Indeed if one of
the condition is reached, it will return inside the given block.

Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-12 10:58:44 -04:00
9bf8142ee7 Bug 18442: Add a test
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-08 08:29:13 -04:00
416029ff2f Bug 18442: Fix DB user loggin
Test plan:
1. Drop and recreate your db

2. Clear memcached

3. Go through the installer (to speed up this test plan install all
sample data so you dont have to create libraries, patron categories etc. later)

4. On the installer page login as the database user and notice that it
does not work on the first attempt ( you get 'Error: You do not have
permission to access this page')

5. Try logging in as database user for a second time and notice you are
logged in successfully this time

4. In staff interface create a patron account with superlibrarian permissions

5. Logout of the staff interface

6. Login as database user

7. Notice you cant log in. You get the 'Error:: You do not have permission to access this
page' error

8. Try a second attempt and notice you get the same error

9. Open the URL in a new tab and notice the staff interface appears
showing that you are logged in

10. log out and log back in as the superlibrarian user you created and
notice it works on first login attempt

11. Apply patch

12. Log out and try logging back in as database user and notice that you
can login successfully on first attempt

13. Repeat steps 1,2,3 and login as database user and notice the login
works on first attempt

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-08 08:29:13 -04:00
95429af685 Bug 12461 - Add patron clubs feature
This features would add the ability to create clubs which patrons may be
enrolled in. It would be particularly useful for tracking summer reading
programs, book clubs and other such clubs.

Test Plan:
1) Apply this patch
2) Run updatedatabase.pl
3) Ensure your staff user has the new 'Patron clubs' permissions
4) Under the tools menu, click the "Patron clubs" link
5) Create a new club template
   * Here you can add fields that can be filled out at the time
     a new club is created based on the template, or a new enrollment
     is created for a given club based on the template.
6) Create a new club based on that template
7) Attempt to enroll a patron in that club
8) Create a club with email required set
9) Attempt to enroll a patron without an email address in that club
10) Create a club that is enrollable from the OPAC
11) Attempt to enroll a patron in that club
12) Attempt to cancel a club enrollment from the OPAC
13) Attempt to cancel a club enrollment from the staff interface

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-04-28 08:37:44 -04:00
Marc Véron
7cbd956127 Bug 18443: Get rid of warning 'uninitialized value $user' in C4/Auth.pm
When logging out from OPAC, plack-error.log log and/or opac-error.log
complain about 'uninitialized value $user' in C4/Auth.pm line 187. The
warning is not necessary, this patch removes it.

To test:
- try to trigger warning
- apply patch
- verify that warning no longer occurs
- prove t/db_dependent/Auth.t
- verifiy that SCO still behaves like before (especially if
  you break out from sco path)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-04-21 10:57:50 -04:00
Chris Cormack
da172a560f Bug 18432 : Follow up - Updating to use they/them
Updating to use they/them and skipping the ones changed to it

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-04-21 10:56:43 -04:00
phette23
553ce38225 Bug 18432: code comments assume male gender
Comments throughout the Koha codebase assume that
all librarians or borrowers are male by using the
pronoun 'he' universally. This patch changes to
'he or she' / 'him or hers'.

Testing plan:

- ensuring modifying tests still pass:
	+ C4/SIP/t/06patron_enable.t
	+ t/db_dependent/Circulation.t
	+ t/db_dependent/Koha/Patrons.t
	+ t/db_dependent/Reserves.t

Sponsored-By: California College of the Arts

No code changes detected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-04-21 10:56:43 -04:00