25 commits

Author SHA1 Message Date
1f77e2aa35 Bug 18314 (QA Followup) Use OpacBaseURL for password reset link
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-12 10:59:10 -04:00
70dac35136 Bug 18314: Add link to 'reset your password' from staff
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-12 10:59:05 -04:00
cfc484b173 Bug 18314: Account lockout
To prevent brute force attacks on Koha accounts, staff and opac, we need to
implement an account lockout process to Koha.

After a number of failed login attempts a user's account would become locked.
The user would then need to use the reset password functionality to send a reset
token to their email account. After a successful password reset the lockout flag
would be removed.

The number of failed login attempts before lockout is configurable using a new
system preference 'FailedLoginAttempts'.

How does it work?
When a patron enters an invalid password, the borrowers.login_attempts value
for this patron is incremented. When this value reaches the value of the
pref FailedLoginAttempts, the password comparison is not done and the
authentication is rejected.
This login_attempts field is reset when a patron correctly logs in. When
the account is locked the patron has to reset his/her password using
the OpacResetPassword feature or ask a staff member to generate a new
password.
If the pref is not set (0, or '') the feature is considered as disabled,
but the failed login attempts are stored anyway.

Test plan:
0/ Apply patch and execute the update DB entry
1/ Switch on the feature by setting FailedLoginAttempts to 3
2/ Use an invalid password to login at the staff or OPAC interface
3/ After the third consecutive failure, you will be asked to reset your
password if OpacResetPassword is set, or contact a staff member
4/ Switch on OpacResetPassword and reset your password
5/ Confirm that you are able to login
6/ Play with the different combinations

QA details: The trick happens in C4::Auth::checkpw, to make things clear
I had to create a return value (note the awesome name: @return) and
replace the 3 successive if statements with elsif. Indeed if one of
the conditions is reached, it will return inside the given block.

Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-12 10:58:44 -04:00
7afddcb157 Bug 9569: Update warning message
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-30 11:25:06 +00:00
acabdc87c9 Bug 9569: AutoLocation should not depend on IndependentBranches
Those 2 prefs can be independent and it does not make sense to consider
AutoLocation only if IndependentBranches is set.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-30 11:25:05 +00:00
dc915ce1f7 Bug 17859 - Move JavaScript to the footer on about and auth pages
This patch modifies the about page and the login page templates so that
JavaScript is included in the footer instead of the header.

To test, apply the patch and test each page to confirm that
JavaScript-based interactions are unaffected:

- On the About page tabs and header menu dropdowns should work correctly

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-13 11:42:34 +00:00
df97814f30 Bug 15758: Koha::Libraries - Remove GetBranches
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-08 14:36:03 +00:00
9b9803b69c Bug 15758: Koha::Libraries - Remove GetBranchesLoop
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-08 14:36:02 +00:00
Marc Véron
b0ba45058a Bug 16620: Translatability: Fix problem with isolated word "please" in auth.tt
This patch fixes a translatability problem (syntax in different languages) with a tag-isolated word "please"
in koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt

To test:
- Verify in code that there is no sentence splitting by a-tags (lines 80/84).

Signed-off-by: Srdjan <srdjan@catalyst.net.nz>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-06-10 17:50:59 +00:00
Jesse Weaver
bc707baf02 Bug 15816: Redirect back to correct page after login
This uses a hacky but simple method to get the correct script name under
proxied packaged Plack.

Test plan:
  1) Log out of both the OPAC and staff side.
  2) Try to access a page that requires login (opac-reserve.pl is a
good one for the OPAC), then log in.
  3) You will be redirected back to mainpage.pl or opac-user.pl.
  4) Repeat above for both staff side and OPAC.
  5) Apply patch.
  6) Repeat steps 1-4; you should be redirected back to the original
     page you were on.
  7) Repeat the above for both a traditional CGI and kohadevbox/package
     Plack installation.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-05-13 12:38:14 +00:00
a8942c2884 Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues
Revert "DBRev to make notes of the XSS patches and the new important dependency."

This reverts commit e140603a59.

Revert "Bug 13618: Specific for branches.opac_info"

This reverts commit 06e4a50f00.

Revert "Bug 13618: (follow-up) Specific for other prefs"

This reverts commit d6475a111f.

Revert "Bug 13618: Fix for debarredcomment and patron messages"

This reverts commit dd98c9df92.

Revert "Bug 13618: Do not display html tags in patron's notices"

This reverts commit a065b243fe.

Revert "Bug 13618: Do not display &nbsp; and html tags in item fields content"

This reverts commit baeeaffbf8.

Revert "Bug 13618: Fix for system preference description"

This reverts commit a967a09261.

Revert "Bug 13618: Remove html filters for newly pushed code"

This reverts commit 0e98662b10.

Revert "Bug 13618: (follow-up) add missing lines for opac-shelves"

This reverts commit fc2fb605e5.

Revert "Bug 13618: (follow-up) Specific for ColumnsSettings"

This reverts commit bc308fdd9c.

Revert "Bug 13618: Fix for edit biblios and items"

This reverts commit 811c4e8402.

Revert "Bug 13618: followup to remove tabs"

This reverts commit ca8e8c397c.

Revert "Bug 13618: Fix last occurrences recently introduced to master"

This reverts commit bb417b256b.

Revert "Bug 13618: Fix for news"

This reverts commit ae5b98020a.

Revert "Bug 13618: Fix escape on sending baskets or shelves by email"

This reverts commit a7731ffe25.

Revert "Bug 13618: Specific for XSLTBloc"

This reverts commit 11fa38dc29.

Revert "Bug 13618: Specific for Salutation on editing a patron"

This reverts commit 36c07ad6d3.

Revert "Bug 13618: Specific for other prefs"

This reverts commit e6ea281a3b.

Revert "Bug 13618 - memberentrygen.tt errors Not a GLOB reference"

This reverts commit 7824874557.

Revert "Bug 13618: Specific for ColumnsSettings"

This reverts commit 1834da3da3.

Revert "Bug 13618: Specific for IntranetUser* and OPACUser* prefs"

This reverts commit 21ae62b253.

Revert "Bug 13618: Fix error 'Not a GLOB reference'"

This reverts commit 602bdbab4c.

Revert "Bug 13618: Specific for the ISBD view"

This reverts commit d254362435.

Revert "Bug 13618: Specific for pagination_bar"

This reverts commit 8837a8ae68.

Revert "Bug 13618: Specific places where we don't need to escape variables - intra"

This reverts commit 00eff140b3.

Revert "Bug 13618: Remove html filters at the intranet"

This reverts commit 7db851ff03.

Revert "Bug 13618: Specific places where we don't need to escape variables"

This reverts commit 49a3738b8d.

Revert "Bug 13618: Remove html filters at the OPAC"

This reverts commit cedaa0e23e.

Revert "Bug 13618: Use Template::Stash::AutoEscaping to use the html filter"

This reverts commit 01b38d3b13.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
2016-02-11 19:39:53 +00:00
Jonathan Druart
7db851ff03 Bug 13618: Remove html filters at the intranet
Signed-off-by: Joonas Kylmälä <j.kylmala@gmail.com>

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
2016-01-29 17:54:12 +00:00
Jesse Weaver
ed0ff59152 Bug 11559: Supporting changes for Rancor
  * Extends login screen to pass along #hash
  * Adds JSONP support to C4::Service
  * Extends humanmsg to allow per-message classes
  * Adds proper charset to results of svc/bib

Test plan:

  1. C4/Auth.pm and .../intranet/.../auth.tt: verify that login/usage
     works as expected, despite the change to pass on the fragment (...#blah)
     from the URL.
  2. C4/Service.pm and humanmsg.js: verify that editing system
     preferences (the main user of these modules) works correctly despite
     updates.
  3. svc/bib: verify that records can be correctly downloaded with the
     change of character set. This can be done in a Firebug/Chrome Devtools
     console by running `$.get('/cgi-bin/koha/svc/bib/1')` and inspecting the
     results (possibly replacing 1 with a different valid biblionumber).

Signed-off-by: Nick Clemens <nick@quecheelibrary.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-10-27 12:16:05 -03:00
912f238c5e Bug 15005: Replace CGI->url with the corresponding url
CGI->url does not return the correct url on install using packages.

Test plan:
1/ Try to reproduce the bug from the description of bug 15005.
You should be able to login to the intranet and the OPAC
2/ Send a basket and a list from the intranet and the OPAC.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-10-19 09:36:43 -03:00
9bdd33de21 Bug 14671: Allow correct translation of CAS authentication
In authentication pages with CAS, the use of acronym or abbr tags does not allow a correct translation of the text.
See http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=5983#c7

It does not help a lot end users to know that CAS is Central Authentication Service, I think. Now one can customize the login page with NoLoginInstructions syspref to describe how to use the authentication.

This patch removes the use of acronym and abbr in authentication pages.

Test plan (example with fr-FR locale) :
- Without patch
- Update translation files : cd misc/translator ; perl translate update fr-FR
- You see in fr-FR-opac-bootstrap.po : msgid "If you have a "
- It is translated in : msgstr "Si vous avez un compte "
- Apply patch
- Update translation files : cd misc/translator ; perl translate update fr-FR
- You see in fr-FR-opac-bootstrap.po : msgid "If you have a CAS account, %s please "
- You can now translate it : msgstr "Si vous avez un compte CAS, %s veuillez "
- Same test for intranet authentication page
- Install the translation : cd misc/translator ; perl translate install fr-FR
- Look at the result

Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised. Translated OK, tested in Spanish es-ES

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-10-02 15:07:58 -03:00
Matthias Meusburger
bb63ef6a2e Bug 13507: Add intranet support for CAS authentication
This patch allows to use CAS authentication for intranet login.

 It works exactly the same as the OPAC login, except that the
 staffClientBaseURL syspref must be set for intranet login
 (like OPACBaseURL must be set for OPAC login).

Signed-off-by: Koha Team AMU <koha.aixmarseille@gmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-04-08 12:04:26 -03:00
Marc Véron
66c9e7a183 Bug 11400 - Follow-up for nicer design
This patch tries to get the Bug out of "In discussion" by changing the design a little bit.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-03-07 22:09:45 +01:00
9b56ae7627 Bug 11400: Show "Log in as a different user" in the error message instead of the "Logout" button
Bug 11146 introduced a way to go back, and have a logout link for the
"Not enough permissions" message page. I believe the logout button is redundant. And
also "Log in as a different user" tells the user more about its options on the scenario.

Simple and disputable usability/string change.
Regards
To+

Sponsored-by: Universidad Nacional de Cordoba
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-03-07 22:09:38 +01:00
Fridolyn SOMERS
d1bec84142 Bug 11146: Show a go back link on no permission page
When a user does not have permissions for a page or module, the
authentication page is displayed with message

  "Error: You do not have permission to access this page.".

Most librarians use the "previous page" button of their browser to
come back on the page they were before trying to get to the
non-permitted page.

This patch adds a button to help coming back to previous page.
It also changes the "Click to log out" link as a button.

Test plan :
- Define a user with staff permissions but no permission on tools module
- Login with this user
=> You get to intranet home page
- Edit URL to go to tools module : cgi-bin/koha/tools/tools-home.pl
=> You get a page with a red error message and 2 buttons "Previous page"
   and "Log out"
- Click on "Previous page"
=> You get to intranet home page
- Edit URL to go to tools module : cgi-bin/koha/tools/tools-home.pl
- Click on "Log out" button
=> You are logged-out and get to authentication page : cgi-bin/koha/mainpage.pl?logout.x=1

Signed-off-by: Garming Sam <garming@catalyst.net.nz>

Works as intended.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-11-23 19:43:37 +00:00
b00ec06968 Bug 10080 - Change system pref IndependantBranches to IndependentBranches
Test Plan:
1) Enable IndependantBranches
2) Apply this patch
3) Run updatedatabase.pl
4) Verify that the system preference still functions correctly

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-05-22 07:58:23 -07:00
Katrin Fischer
bdf3453512 Bug 2780 - Capitalize strings consistently (home, about, login)
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-04-10 11:10:02 +02:00
Katrin Fischer
18149078e9 Bug 7760: More ids and classes for the staff interface
Owen pointed out that I missed 3 files - this corrects my omission.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
2012-03-26 16:21:06 +02:00
Gaetan Boisson
d500929cfd Bug 7731 - Library should be used instead of branch and site
standardized the use of the term "library" instead of "Branch" across the interface and opac

Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-03-20 15:17:08 +01:00
Chris Cormack
afaf7eaffa Bug 6895 : First attempt at fixing the diacritics bug
This is a fairly hacky solution, a counter patch would be more than
welcome

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Updated, translated and installed German po files after applying this patch.
No problems found.

Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2011-11-04 08:02:55 +01:00
Chris Cormack
5884fb1000 Bug 5917 : Swapping templates over
2011-04-10 20:38:30 +12:00
Renamed from koha-tt/intranet-tmpl/prog/en/modules/auth.tt