Enhanced the permission-checking functions in C4::Auth
(e.g., get_template_and_user, checkauth, check_api_auth, etc.).
If the CheckSpecificUserPermissions syspref is OFF, the behavior
of those APIs is unchanged.
If CheckSpecificUserPermissions is ON, then the value of each
key in the flagsrequired hash is considered during
the permissions check:
1. if the value is 1, the staff user must have
all privileges for the userflags flag (or module)
referred to by the hash key, e.g.,
{ flaqsrequired => { tools => 1 } }
In terms of the database, this means that the
corresponding bit must be set in borrowers.flags.
2. If the value is '*', the staff user must
have at least one of the permissions for the
userflag/module, but it doesn't matter which one.
In terms of the database, this means ether that the
corresponding bit must be set in borrowers.flags or
that there at least is one row in user_permissions
for the staff user and bit/module combination.
3. If the value is any other string, it must be
a permissions code defined in the permissions table.
The staff user must have that specific permission
or have access to all functions of the module
In terms of the database, this means ether that the
corresponding bit must be set in borrowers.flags or
that there is a matching row in user_permissions
for the staff user, bit/module, subpermission
code combination.
In addition, get_template_and_user is modified so that the
CAN_user_XXX variables that it sets also includes the
subpermissions available (CAN_user_XXX_YYY, e.g.,
CAN_user_tools_import_patrons). The template variables
for the specific permissions are set regardless of whether
CheckSpecificUserPermissions is ON or OFF so that the templates
don't have to test for that syspref explicitly.
In addition, the meaning of CAN_user_XXX has changed slightly -
CAN_user_tools, for example, is set to 1 in the template if the
user has access to *any* of the tools functions. This was done
to simply the logic for deciding whether to display a menu
item in the staff interface are not. This does mean that
when specific subpermissions are added to (say) the circulate
module, each use of CAN_user_circulate will need to be examined
to see if the intent is to allow the user to get at a circ
menu or page or if the user really should be required to have
all circulate functions.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
adding some parameters to the call to opac-auth.tmpl in C4::Auth::checkauth
This displays the additional navigational links in the masthead on the login page to unauthenticated users.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
As announced this past February, Amazon.com will no longer be
accepting web services requests to Amazon E-Commerce Service
(Amazon ECS) version 3.0 beginning on March 31, 2008.
This patch upgrades to Amazon.com's Associates Web Service 4.0
for the following components:
1. Amazon.com Locale support for: Canada, Germany, France, Japan,
UK, and US (see the new syspref called AmazonLocale)
2. Jacket Covers
3. Editorial Reviews
4. Customer Reviews
5. Amazon.com Similar Items
The following changes MUST be made to continue using Amazon.com
content:
1. Delete the system preference: AmazonDevKey (AmazonDevKeys used
with AmazonECS 3.0 are no longer valid)
2. Add the system preferences: AmazonLocale, AWSAccessKeyID
NOTE: steps 1, 2 are done by the web installer
3. Verify your AWSAccessKeyID:
You may already have an Access Key ID. You can access your Access
Key ID by going to http://aws.amazon.com, pointing to Your Web
Services Account, then clicking View Access Key Identifiers.
Depending on when you signed up for ECS 3.0, you may need to
re-register for an AWS account, which includes an Access Key ID.
4. Enter your AWSAccessKeyID in the Koha syspref called
AWSAccessKeyID
For complete details on the changes in Amazon.com Associates Web
Service 4.0, and the migration process, please see: http://tinyurl.com/ysorqy
Other changes with this patch:
* added $tabsysprefs{PatronsPerPage}="Patrons";
* Moved OPAC Features to OPAC in sysprefs
* removed experimental OPACXISBNAmazonSimilarItems and XISBNAmazonSimilarItems features
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
When using mysql and a sufficiently recent version
of DBD::mysql that actually respects the mysql_enable_utf8
option, setting the current branch to a name that
includes a diacritic causes the session to fail
and forces the user to the login screen upon
clicking another link.
This turned out to be due to the default (Data::Dumper)
serialization used by CGI::Session, which truncated the
session object at the diacritic. By enabling
that module's YAML serialization option, the problem
was resolved.
This patch introduces a dependency on the YAML::Syck
module.
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
Major Fix:
Fixing bug where 'expected' label existed for items that
were 'waiting'
Minor Cleanup:
Show correct statuses
Show itemtypes at correct levels depending on
global system preference
Display branch names, not branch codes
Adding in visibility option for 'canreservefromotherbranches' syspref
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
Refactoring to provide single place to get CGI::Session ojbject;
fixes bug for DB storage method other than 'mysql'.
This refactoring is also part of the patch series for
handling large input files for staging and processing
MARC records.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
if IndependantBranches is set, then the user can't choose it's branch, it's automatically affected to it's own branch.
This fix removes the branch list & choose the branch automatically from the login
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
If the SearchMyLibraryFirst is set, then a logged user will automatically limit the search
to it's own library.
I also did some code cleaning
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
temporary files
Need to add it to a couple more places in C4::Auth
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
The kohaversion is in the code directory (in /kohaversion.pl)
C4::Context now has a new method C4::Context->KOHAVERSION
that returns the koha code version.
The systempreference Version contains the database version.
If the 2 are differents, when the user log in, he is redirected to web installer (new behaviour : before this commit, the check was done on everypage, it's too CPU costly I think)
In the web installer, we check now if we do a new setup or an upgrade and show only the appropriate link.
The updatedatabase contains a lot of new things :
* SetVersion($kohaversion), that set the kohaversion after each update
* TransformToNum($kohaversion) that returns a number (3.0000001 from 3.00.00.001 for example) for a given koha version
* DropAllForeignKeys($table) that does what is written : drop all foreign keys. A shame it's not possible directly in mySQL...
* for each database update, just :
add the following lines :
=item
Describe what it does for other developpers
=cut
$DBversion = "your.koha.version.dbnumber";
if (C4::Context->preference("Version") < TransformToNum($DBversion)) {
#
# DO YOUR UPDATE STUFF
#
print "Upgrade to $DBversion done (specify what it does if you want)\n";
SetVersion ($DBversion);
}
IMPORTANT NOTES :
in koha 2.2, a new install was done through installing a 2.2.0 database, then updating it to the installed version.
in Koha 3.0, /installer/kohaversion.sql MUST contain an uptodate version, as the installer set the DB version to kohaversion after uploading kohaversion.sql. It does NOT run updatedatabase.
The update from Koha 2.2 to Koha 3.0 must NOT be done through the webinstaller : updatedatabase is very very long to run and you'll reach Apache timeout for sure. See http://wiki.koha.org/doku.php?id=22_to_30 that contains my notes for upgrading (with some/few UNIMARC specific stuff)
Note For RM, please eyeball this change
Signed-off-by: Chris Cormack <crc@liblime.com>
So this implies quite a change for files.
Sorry about conflicts which will be caused.
directory Interface::CGI should now be dropped.
I noticed that many scripts (reports ones, but also some circ/stats.pl or opac-topissues) still use Date::Manip.
skips third party software check and mysql check to go to updatedatabase.
Adding similar check to intranet and opac.
BEWARE !!!!!
You may be linked to install if you donot have Version variable set in your systempreferences table.
If so, simply updatedatabase OR add Version 3.0 record to your systempreferences table.
adding two fields in branches table (branchip,branchprinter)
branchip : if the library enter an ip or ip range any librarian that connect from computer in this ip range will be temporarly affected to the corresponding branch .
branchprinter : the library can select a default printer for a branch
- modified userenv to add branchname
- modifier menus.inc to have the librarian name & userenv displayed on every page. they are in a librarian_information div.
* synch with rel_2_2. Probably the last non manual synch, as rel_2_2 should not be modified deeply.
* code cleaning (cleaning warnings from perl -w) continued
- Trying to get a basket not owned by so of his own branch leads to mainpage.
- Lists onlys ths baskets owned by someon of user's brach.
Auth.pm now sends a cookie with userenv informations.
Addign a Cookie containing user specific vars such as :
branch,
firstname,
surname,
cardnumber...
may be criticized from a lawyer point of view, since name and surname are given.
But the real need is for userid and branch.
And it is achieved.
Auth passes now TWO cookies :
a session cookie
And an environment cookie.
The $loggedinuser in Koha is the CODE of the logged user (result of get_user_and_template subroutine).
BTW, in get_user_and_template subroutine, the TMPL_VAR loggedinuser is replaced by the NAME of the user.
This is troubleshooting.
so, I replace the name by the "loggedinusername" template variable.
If you want to add the username somewhere, just add <TMPL_VAR name="loggedinusername"> in the template.
Fixes bug #401
in ISO-8859-1.
A new C4::Charset module (tentative name) has been created to guess the
charset of a piece of HTML markup. The CGI programs will be modified to use
this module as they are encountered during translation.
the api in pod-auth.pm has "type => 'opac' "parameter.
If called from intranet, should be type => 'intranet'.
Output.pm checked for type existed, and not it's value. Now, Output compares checks for type value.
If type='intranet', then the intranet template is called, else it's an opac template.
Finlay, please validate this commit.
after being logged out for inactivity. Also switched from crypt passwords to
md5 passwords stored in borrowers table. Used Digest::MD5 module. I ain't
gonna reinvent _that_ wheel. :)
(password). There is also a new "userid" field in the borrowers table. When
a user logs in, the userid will be checked against the userid first and the
cardnumber second, so either method will work.
Also now supports scripts that do not _require_ authentication, but might
display differently if they get an authenticated userid (might be useful for
opac pages, where pages could be tailored to meet a patron's preferences).