Commit graph

399 commits

Author SHA1 Message Date
Marc Véron
c0aa0f5529 Bug 13176 - Add links "My account" and "My checkouts" for logged in user to drop down in staff client header
This patch adds links to "My account" and "My checkouts" to drop down in staff client header.

To test:
Apply patch
Got to drop down of logged in user (top right)
See new links to "My account" and "My checkout" (above "Log out")
Test the links.

Signed-off-by: Magnus Enger <digitalutvikling@gmail.com>
Works as advertised. The options are not displayed when you are logged
in as the db/admin user.

Added classes "toplinks-myaccount" and "toplink-mycheckouts" to li tags to make it possible to hide them (per Kyle M $
Switching back to "Signd-off" (Hope this is OK becuause it is a tiny string addition)

Marc

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-11-11 09:48:06 -03:00
Mark Tompsett
ba3c3df6f9 Bug 13200 - Followup of Bug 12246 - noisy C4/Auth.pm
While testing a bug, warnings in the opac error log were
building up due to a particular line in C4::Auth. After
reviewing the code, it was discovered that removal of the
OpacMainUserBlockMobile system preference created this.

Since the system preference no longer exists, and is not
used, the line was deleted from C4/Auth.pm to prevent this
warning from occuring.

TEST PLAN
----------
1) Go to any OPAC page.
2) Check your opac error log.
   -- there should be something about uninitialized values
      used in C4/Auth.pm around line 443.
3) Apply the patch
4) Refresh the page.
   -- that same error should not be triggered.
5) prove -v t/db_dependent/Auth.t
   -- this runs the get_template_and_user function
      which had the parameter removed.
6) run the koha qa test tools

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-11-07 15:06:47 -03:00
075e9a64f9 Bug 12245 - PROG/CCSR deprecation: Remove OPACMobileUserCSS system preference
With CCSR now deprecated there is no longer a need for the
OPACMobileUserCSS system preference. This patch removes it.

To test, apply the patch and run updatedatabase. Check that the
preference can no longer be found in system preferences.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Preference removed, no koha-qa errors.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2014-10-30 09:35:12 +13:00
236e815b6c Bug 12513 - PROG/CCSR deprecation: Remove OpacShowLibrariesPulldownMobile system preference
With CCSR having been deprecated there is no longer a use for the
OpacShowLibrariesPulldownMobile system preference. This patch removes
it.

To test, apply the patch and run updatedatabase. Check that the
preference can no longer be found in system preferences.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Preference removed, no koha-qa errors.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2014-10-30 09:35:12 +13:00
5dfc026fad Bug 13114: Prevent Shibboleth Patches from spamming logs
- The shibboleth patch introduced an undefined message into the error
  logs, when shiboleth is disabled.

Testplan

1. Ensure shibboleth is disabled.
2. Refresh any opac page
3. See 'Use of uninitialized value $ENV{"REMOTE_USER"} in string ne at
/home/koha/kohaclone/C4/Auth.pm line 711.' popup in the opac-error.log
4. Apply patch
5. Refresh opac page
6. Error should no longer appear

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Works as described.

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-10-21 21:10:48 -03:00
fb90f71f71 BUG8446, QA Followup: Use DBIx::Class
- Convert Auth_with_shibboleth to use dbic stanzas.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-10-16 12:28:01 -03:00
31878e1973 BUG8446, QA Followup: Minor Code Tidies
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-10-16 12:27:59 -03:00
89ee1aeab7 BUG8446, QA Followup: Cleanup tabs and license
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-10-16 12:27:57 -03:00
ca86375872 BUG8446, Follow up: Refactor to clean up bad practice
- A number of issues were highlighted whilst writing sensible unit tests
  for this module.
  - Removed unnessesary call to context->new();
  - Global variables are BAD!
  - Croaking is a wimps way out, we should handle errors early and
    properly.

Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-10-16 12:27:53 -03:00
3c9004357d BUG8446, Follow up: Improve local login fallback
- Local fallback was not very well implemented, this patch adds
  better handling for such cases allowing clearer failure messages
- This patch also adds the ability to use single sign on via the
  top bar menu in the bootstrap theme.

BUG8446, Follow up: Adds perldoc documentation

- Add some documentation to the Auth_with_Shibboleth module
  including some guidance as to configuration.

BUG8446, Follow up: Correct filenames to match guidlines

- Moved Auth_with_Shibboleth.pm to Auth_with_shibboleth.pm to match
  other files present on the system.

BUG8446, Follow up: Correct paths after file rename

BUG8446, Follow up: Implemented single sign out

- This follow up rebases the code against 3.16+ which managed to break
  some of the original logic.
- As a side effect of the rebasing, we've also implemented the single
  sign out element. Upon logout, koha will request that the shibboleth
  session is destroyed, and then clear the local koha session upon
  return to koha.  Due to the nature of shibboleth however, you will
  only truly be signed out of the IdP if they properly support Single
  Sign Out (which many do not). As a consequence, although you may
  appear to be logged out in koha, you might find that upon clicking
  'login' the IdP does NOT request your login details again, but instead
  logs you silently back into your koha session. This is NOT a koha bug,
  but a shibboleth implementation issue that is well known.

BUG8446, Follow up: Fixed bootstrap login via modal

- The bootstrap theme enable login from any opac page via modal. To
  enable this with shibboleth we had to make some template parameters
  globally accessible when shibboleth is enabled.

BUG8446, Follow up: Add template rules for Shibboleth and CAS

- Add template rules so that CAS and Shibboleth can coexist.

BUG8446, Follow up: Added default config to config file

BUG8446, Follow up: Embellished perldoc documentation

- Updated perldoc to correct detail about configuring shibboleth
  authentication.
- Updated perldoc to include subroutines and their respective functions.

BUG8446, Follow up: Enable configuration of match field

- Added clearer, more flexible, configuration of shibboleth attribute to
  koha borrower field matching for authentication
- Correcting of documentation to make it more clear to the current
  implementation
- Minor refactoring of code to reduce some code duplication

Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-10-16 12:27:51 -03:00
Jesse Weaver
244cfaba71 BUG8446, Follow up: Remove unnecessary sysprefs, move to config
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-10-16 12:27:49 -03:00
Matthias Meusburger
400b538078 BUG8446: Adds Shibboleth authentication
- Use the shibbolethAuthentication syspref to enable Shibboleth authentication
 - Configure the shibbolethLoginAttribute to specify which shibboleth user
   attribute matches the koha login
 - Make sure the OPACBaseURL is correctly set

BUG8446, Follow-up: Adds Shibboleth authentication

 - Fix logout bug: shibboleth logout now occurs only when
   the session is a shibboleth one.
 - Do some refactoring: getting shibboleth username is now
   done in C4::Auth_with_Shibboleth.pm (get_login_shib function)

BUG8446, Follow-up: Adds Shibboleth authentication

 - Adds redirect to opac after logout

BUG8446, Follow-up: Adds Shibboleth authentication

 - Shibboleth is not compatible with basic http authentication
   in C4/Auth.pm. This patch fixes that.

BUG8446, Follow-up: Adds Shibboleth authentication

 - Use ENV{'SERVER_NAME'} instead of syspref OpacBaseURL in order to work with
   multiple vhosts.

BUG8446, Follow-up: Adds Shibboleth authentication

 - Adds missing protocol for $ENV{'SERVER_NAME'}

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jesse Weaver <pianohacker@gmail.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Tested with the feide idp.
- LDAP login and logout are working
- local login/logout are still working
- CAS login/logout are still working

Instructions for setup can be found on the wiki:
http://wiki.koha-community.org/wiki/Shibboleth_Configuration

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-10-16 12:27:42 -03:00
85c387f848 Bug 12683: (followup) use the Koha.Preference plugin and add ids
It is kosher now to use the Koha template toolkit plugin for retrieving
system preferences values. This followup does that.

It also changes the class for ids, for people considering this patch
introduces too much noise on the home screen being able to control
its visibility.

Regards
To+

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-08-15 10:50:06 -03:00
simith
eb6d44d5a2 Bug 12683: Use NoLoginInstructions to customize text for OPAC user/pass information
Enable staff to setting a text for OPAC user/pass information

Modified:

C4/Auth.pm
koha-tmpl/opac-tmpl/bootstrap/en/includes/usermenu.inc   -add a text to the popup login page
koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-main.tt   -add a text to the main login page

Testing:

I Apply the patch

0) Search NoLoginInstructions preference
1) Add/modify a text
2) Open OPAC main page
3) Validate the text added under Login button
4) Click in "Log in to your account" link
5) Validate the text added under input password (popup)

Sponsored-by: CCSR ( http://www.ccsr.qc.ca )

Patch behaves as expected.
Signed-off-by: Marc Veron <veron@veron.ch>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-08-15 10:30:15 -03:00
Dobrica Pavlinusic
c9351807e9 Bug 8148 - LDAP auth_by_bind doesn't fallback to local auth
This patch covers LDAP auth_by_bind configuration so that wrong
LDAP password will return -1 to C4::Auth so we can abort local auth
and prevent users logging in with stale database passwords.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-08-07 16:22:49 -03:00
Frédérick
56f3b542bd Bug 8148: Prevent local authentification fallback if an invalid LDAP password was entered.
http://bugs.koha-community.org/show_bug.cgi?id=8148
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-08-07 16:22:21 -03:00
243fd9fd38 Bug 12512 - PROG/CCSR deprecation: Remove OpacShowFiltersPulldownMobile system preference
CCSR having been deprecated there is no longer a use for the
OpacShowFiltersPulldownMobile system preference. This patch removes
it.

To test, apply the patch and run updatedatabase. Check that the
preference can no longer be found in system preferences.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Preference removed, no koha-qa errors

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2014-08-07 14:01:36 +12:00
9a77c4a38c Bug 11347 - PROG/CCSR deprecation: Remove opacsmallimage system-preference
The opacsmallimage system preference is unused in the bootstrap theme.
It can be removed now that prog and ccsr are deprecated. This patch does
so.

To test, apply the patch and run updatedatabase. Confirm that the OPAC
works properly and the preference can no longer be found.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Preference removed, no koha-qa errors

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2014-07-22 09:57:17 +12:00
afd2418d73 Bug 11349: Change .tmpl -> .tt in scripts using templates
Since we switched to Template Toolkit we don't need to stick with the
sufix we used for HTML::Template::Pro.

This patch changes the occurences of '.tmpl' in favour of '.tt'.

To test:
- Apply the patch
- Install koha, and verify that every page can be accesed

Regards
To+

P.S. a followup will remove the glue code.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-07-17 11:05:49 -03:00
d9749756ca Bug 11575 - OPACBaseURL sometimes set by ENV variable and not system preference
This patch changes how the OPACBaseURL parameter gets set in the subroutine
get_template_and_user in Auth.pm.

Currently, it's being set by the $ENV{'SERVER_NAME'} variable. In many
cases, this will probably match the URL that the user uses to access a
page. However, this causes problems with reverse proxies.

There are ways to compensate for proxy servers (such as inspecting
other variables set by the web server), but such a solution seems
a bit convoluted...especially since we already use the system preference
OPACBaseURL in many other parts of Koha.

We probably shouldn't be passing OPACBaseURL from Auth.pm at all, and
instead use the Koha TT plugin and using_https param to determine
protocol. However, that's outside the scope of this bug/patch.

This patch is just meant to fix an existing bug.

I did leave the $ENV{'SERVER_NAME'} as a full back if OPACBaseURL isn't
set, but that's it.

_TEST PLAN_

Before applying:

1) Clear your OPACBaseURL preference
2) Perform a search in the OPAC
3) Click on or hover over the orange RSS icon
4) Note that the URL used for the RSS links is either:
  a) The same URL you used to access Koha (no reverse proxy)
  b) The ServerName from your Koha apache conf which isn't the
  same URL you used to access Koha (reverse proxy)
5) Add an OPACBaseURL that isn't the same as the actual OPAC URL
6) Note that the OPACBaseURL system preference has no effect here

After applying the patch:

7) Refresh the page
8) Note that the URL you see now is actually the OPACBaseURL system
preference that you set
9) Clear your OPACBaseURL system preference
10) Refresh your search page
11) Note that the URL has reverted back to the URL that you saw before
(either the original Koha site URL or the Koha ServerName defined
in Apache and not the URL of the proxy)

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-07-15 10:33:47 -03:00
Jonathan Druart
7b161b5bbe Bug 11715: Update POD for get_template_and_user
If flagsrequired is set, authnotrequired should be 0.

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-06-25 12:27:24 -03:00
Chris Cormack
0599c9b6e9 Bug 11715: Set the default of authnotrequired = 0 in get_template_and_user
To test:

Verify that pages in the OPAC and staff interface display correctly.

Note that there are cases where 'authnotrequired' was not passed
at all to get_template_and_user, so there may be pages that start
requiring authentication.  Whether that is correct or not depends
on context.

Follow up patches are to remove all the unnessecary setting of this
value, so that the only places we set are when we do want
authnotrequired=1

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-06-25 12:26:33 -03:00
Bernardo Gonzalez Kriegel
cb878c35a1 Bug 12226 - A user with the database username/userid can access staff with full permissions
This patch implements 2 suggestions on comment #3

- Prevents creation of a new user with same userid
of database user

- When checking password, if userid matches database user,
only check against pass on config file

To test:
1. Create a new user with same login as database user
any password different from real db user
2. Check that you can login on staff using this user/pass
and you are superlibrarian

3. Apply the patch

4. Login again using new pass, it must fail
5. Login again using db pass, you are now superuser,
but system does not warn you :( No problem, that's
for having one borrower with that login
6. Delete user with same login as db user
7. Try to create one again as in 1, system must return
an error of duplicate login!

8. Check for no regressions on user/pass authentication

Resubmited, has an error

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Passes all tests and QA script.
This works nicely and as described.
Also editing the former 'superuser' will force you to
change the userid in order to save any other change.

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-06-20 21:13:10 -03:00
Paul Poulain
2626311e5e Bug 10798: (follow-up) replace tabs by spaces
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-05-05 22:13:31 +00:00
b2484b22f7 Bug 10798: make OPAC_SEARCH_LIMIT behaves better with search groups
Since the addition of search groups to Koha, the branch limiting
parameter in multiple PAC by URL support should also support
limiting by these search groups.  This patch adds this ability.

Signed-off-by: Srdjan <srdjan@catalyst.net.nz>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-05-05 22:13:02 +00:00
Fridolyn SOMERS
c8a18f5eef Bug 11219: make CAS authentication work with URL parameters
Bug 10029 tries to fix the use of URL parameters in CAS authentication.
But is does not work.
The full URL must be used in all methods of C4::Auth_with_cas.
Also, in checkpw_cas(), the 'ticket' parameter must be removed to find
the original URL.

This patch removes the 'ticket' parameter from query before calling
checkpw_cas() since the ticket is passed as method arguemnt.
In C4::Auth_with_cas, many methods use the same code to get the CAS
handler and the service URI. This patch adds a private method
_get_cas_and_service() to do the job.

Test plan:
- Enable CAS
- Go to opac without been logged-in
- Try to place hold on a record
=> You get to /cgi-bin/koha/opac-reserve.pl?biblionumber=XXX showing
   authentication page
=> Check that CAS link contains query param "biblionumber"
- Click on CAS link and log in
=> Check you return well logged-in to reserve page with biblionumber
   param
- Check CAS loggout
- Check Proxy CAS auth

Signed-off-by: Koha team AMU <koha.aixmarseille@gmail.com>

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Passes all tests in t, xt, and t/db_dependent/Auth.t.
Also passes QA script.

As I have no working CAS server, I focused on regression testing:
Activated Persona and casAuthentication.
- Verified normal login against database still works.
- Verified Persona login works.
  Note: With Persona you are always forwarded to the patron
  account - so you have to search for the record again before
  you can place a hold.
- Verified that the CAS URL contains the biblionumber when
  logging in while placing a hold.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Retested 2014-04-12

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-05-05 05:15:11 +00:00
Julian Maurice
76e39750b7 Bug 11848: Move language detection function in C4::Languages
Also store interface (intranet, opac) in context to not have to pass it
as parameter.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
No koha-qa errors

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Comments on last patch.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-05-05 04:29:34 +00:00
Jonathan Druart
3070650200 Bug 8952: (follow-up) using_https does not deal with Plack
When using Plack, the https method returns 'OFF'.
We have to test this value before sending the value to templates.

Test plan:
1/ Fill your OPACBaseUrl

2/ Configure apache for using http
3/ Check the social networks links (should be http://OPACBaseUrl)

4/ Launch Plack
5/ Check the social networks link (should be http://OPACBaseUrl)
6/ Stop Plack

7/ Configure apache for using https
  sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -out
/etc/apache2/server.crt -keyout /etc/apache2/server.key
and add in you virtualhost (with :443)
    SSLEngine on
    SSLCertificateFile /etc/apache2/server.crt
    SSLCertificateKeyFile /etc/apache2/server.key
  a2enmod ssl
  service apache2 restart
8/ Check the social networks links (should be https://OPACBaseUrl)

FIXME: Under Plack, with ssl actived, the CGI->https() method always
returns 'OFF'.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-05-05 04:01:28 +00:00
Jonathan Druart
a6a954efa8 Bug 10862: Add search history to the intranet interface
Like OPAC, the search history is now available for intranet.  This
is controlled by the EnableSearchHistory system preference.

Test plan:
 1/ Switch on the 'EnableSearchHistory' syspref.
 3/ Launch some biblio and authority searches.
 4/ Go on your search history page (top right, under "Set library").
 5/ Check that all yours searches are displayed.
 6/ Click on some links and check that results are consistent.
 7/ Delete your biblio history searches.
 8/ Delete your authority searches history searches.
 9/ Launch some biblio and authority searches
10/ Play with the 4 delete links (current / previous and biblio /
authority).

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-05-05 03:06:33 +00:00
Galen Charlton
18cce456d9 Bug 10807: (follow-up) use 24-hour time when storing search times to session
This ensures that if an anonymous session is converted to a logged-in
session, that search history times from the anonymous session get
stored corectly.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-05-05 02:55:41 +00:00
Jonathan Druart
ba41b7da79 Bug 10807: Add an authority search history for the OPAC
Like biblio, this feature provides an authority search history.
This history is available for connected and disconnected user.
If the user is not logged in Koha, the history is stored in an
anonymous user sessin.

The search history feature is now factorized in a new module.

This patch adds:
- 1 new db field search_history.type. It permits to distinguish the
  search type (biblio or authority).
- 1 new module C4::Search::History. It deals with 2 different storages:
  DB or cookie
- 2 new UT files: t/Search/History.t and t/db_dependent/Search/History.t
- 1 new behavior: the 'Search history' link (on the top-right corner of
  the screen) is always displayed.

Test plan:
 1/ Switch on the 'EnableOpacSearchHistory' syspref.
 2/ Go on the opac and log out.
 3/ Launch some biblio and authority searches.
 4/ Go on your search history page.
 5/ Check that all yours searches are displayed.
 6/ Click on some links and check that results are consistent.
 7/ Delete your biblio history searches.
 8/ Delete your authority searches history searches.
 9/ Launch some biblio and authority searches
10/ Delete all your history (cross on the top-right corner)
11/ Check that all your history search is empty.
12/ Launch some biblio and authority searches.
13/ Login to your account.
14/ Check that all previous searches are displayed.
15/ Launch some biblio and authority searches.
16/ Check that these previous searches are displayed under "Current
session".
17/ Play with the 4 delete links (current / previous and biblio /
authority).

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
All patches together pass QA script and tests.
Also, new tests in t/db_dependent/ pass.

Tested in all 4 OPAC themes, being logged in and anonymous.
Anonymous search history will be appended to personal search
history after logging in.
Also verified that cleanup_database still purges search history,
now also including the authority searchs.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-05-05 02:32:27 +00:00
Galen Charlton
08fe85950a Bug 10951: (follow-up) use Koha.Preference() template function
This patch uses the TT helper function Koha.Preference() to
retrieve the value of NoLoginInstructions rather than passing
it to all templates as a template variable.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-04-19 16:53:26 +00:00
blou
c67b397236 Bug 10951 - Adding NoLoginInstructions to system preferences
On a failed login, the default message is harcorded into opac-auth.tt.

     It would be preferable to allow for a preference to override that message (for example: ...Please bring an ID to t
     The changes modify
         -opac-auth.tt to allow for custom value
         -admin/preferences/opac.pref to add it to the preferences with a description
         -C4/Auth.pm for the loading of the preference
         -sysprefs.sql
         -updatedatabase.pl

     TESTING
         1) in OPAC, logged out, try login in by entering no or wrong credentials.  Acknowledge the "Don't have a p
         2) Apply the patch
         3) Regression Test: Redo step 1.  Same (default) message should appear.
         4) Log in to intranet,
             - select NoLoginInstructions in system preferences.
             - Enter new (xml) message.  Possible:
             <h5>Welcome to Koha, please bring your passport to the front office</h5>
            - and save
         5) refresh the OPAC, try login again with invalid credentials.  The new message should appear.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
2014-04-19 16:26:50 +00:00
Galen Charlton
914515202d Bug 10952: (follow-up) clear seach history from session after saving it to DB
This patch makes sure that the search history from an
anonymous session is cleared from the session after a user
logs in (and the session history is saved to that user's
record in the database).  This fixes a problem where the
search history from the session got repeatedly added to the
database each time the user did something while logged
into the OPAC.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-01-10 16:49:01 +00:00
Julian Maurice
939d68ea7b Bug 10952: (follow-up) Always flush session after deletion
This is recommended in CGI::Session documentation.

Signed-off-by: Charlene Criton <charlene.criton@univ-lyon2.fr>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-01-10 16:21:45 +00:00
Julian Maurice
bbf7cd6876 Bug 10952: (follow-up) comments fixes and unit tests
- Remove unit tests for ParseSearchHistoryCookie, which doesn't exist
  anymore
- Add unit tests for ParseSearchHistorySession and
  SetSearchHistorySession
- Remove/Modify comments about search history cookie

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Tests fixed and moved, and comments tidied up

Signed-off-by: Charlene Criton <charlene.criton@univ-lyon2.fr>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-01-10 16:21:18 +00:00
Julian Maurice
d07df7d512 Bug 10952: Store anonymous search history in session
Storing search history into cookie can cause problems, due to the size
limitation of 4KB.

The solution here is to store search history into the CGI::Session
object, so there is no size limitation (but anonymous search history
still remember up to 15 requests max.)

Test plan:
- Go to OPAC in anonymous mode.
- Check that the "Search history" link is *not* shown in the top right
  corner of the page
- Make some searches on /cgi-bin/koha/opac-search.pl
- The "Search history" link should appear. Click.
- Your search history should be displayed.
- Try to log in with invalid username/password
- Go back to search history, it's still there
- Now log in with valid username/password
- Your anonymous search history should be saved into your own search
  history.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Restoring original sign offs and comments below

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Work as described. No koha-qa errors

Well, search history saving is similar before and after patch.
i.e. anonmymous search is saved when user logs in, but cookie
KohaOpacRecentSearches is empty.
Shows current an previous session searches

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
All tests and QA script pass, works as described.

Signed-off-by: Charlene Criton <charlene.criton@univ-lyon2.fr>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-01-10 16:20:16 +00:00
Srdjan
a0b00e4c8b Bug 11077: Correct more warnings in C4/Auth.pm
This gets rid of some more warnings.

It also corrects a noisy ne condition.
    $userid = $retuserid if ( $retuserid ne '');
became
    $userid = $retuserid if ( $retuserid );

It also integrates Srdjan Jankovic's patch with Petter Goksoyrsen's
patch, while correcting the problems found.

This includes:
    my $q_userid = $query->param('userid') // '';
along with:
    my $s_userid = '';
and:
    my $s_userid = $session->param('id') // '';
Indentation does not reflect actual scoping.

A missing system preference would have triggered a ubiquitous
undef compare check failure message. This makes the flooding
message more useful, so as to help correct it.
The change to accomplish this was:
        my $pki_field = C4::Context->preference('AllowPKIAuth');
        if (!defined($pki_field)) {
            print STDERR "Error: Missing AllowPKIAuth System Preference!\n";
            $pki_field = 'None';
        }

Signed-off-by: Srdjan <srdjan@catalyst.net.nz>
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-12-05 15:17:33 +00:00
ce5ab3b314 Bug 11077: remove uninitialized value $pki_field warning
During login at the Staff interface you get warnings in the logs
regarding an uninitialized value for the $pki_field variable.

To test:
- tail -f /path/to/your-intranet-logs
- Point your browser to your staff login page
- Login
- Three warnings are showed
- Apply the patch
- Log out
- Log in
- No new warnings, and you can still log in.

Sponsored-by: Universidad Nacional de Cordoba
Signed-off-by: Petter Goksoyr Asen <boutrosboutrosboutros@gmail.com>

Followed test plan; it works as advertised.
Also works when I deleted AllowPKIAuth system pref.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-12-05 15:15:07 +00:00
Jonathan Druart
de5d977c49 Bug 11132: don't clear the results list upon adding a biblio to a list
A "busc" param is cleared if the template name is not opac-.*detail.tt.
So if a user adds a biblio to a list, he cannot continue to browse
results.

Test plan:
- launch a search at the OPAC (opac-search.pl).
- click on a result and browse results (using previous/next links).
- a title attract your attention and you add it to a list
  ("Save to yours lists" link on the right).
- save the list.
- browse again results.

Signed-off-by: Joy Nelson <joy@bywatersolutions.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Tested according to test plan, also checked some other pages and actions
accessible from the detail page.
Passes all tests and QA script.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-11-01 00:39:30 +00:00
Jonathan Druart
d2052311cb Bug 8435: add permission to enable editing other library's serials if IndependantBranches is on
In the serial module, we want to hide serials from others libraries.
However, to permit central serials manage, this patch introduces a
new permission, 'superserials'. If a staff member has this permission,
that person can override the restriction.

Test plan:
- Switch on the IndependantBranches syspref
- Add the permission 'superserials' for a patron and test you can
  navigate and see all serials
- Remove this permission and test you cannot manage/view subscriptions
  from others libraries

Signed-off-by: Frederic Durand <frederic.durand@unilim.fr>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-31 15:27:19 +00:00
Galen Charlton
0f5dc609e0 Bug 10309: (follow-up) restore setting some OPAC template variables in C4::Auth
These variables still need to be exported to the template by default for
the 'prog' OPAC template to work correctly.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-15 15:27:59 +00:00
eb92d94be1 Bug 10309 - New OPAC theme based on Bootstrap
The goal of this theme is to provide a fully-responsive OPAC which
offers a high level of functionality across multiple devices with varied
viewport sizes. Its style is based on the CCSR theme, with elements of
the Bootstrap framework providing default styling of buttons, menus,
modals, etc.

The Bootstrap grid is used everywhere, but Bootstrap's default
responsive breakpoints have been expanded to allow for better
flexibility for our needs.

All non-translation-depended files are in the root directory of this new
theme:

css, images, itemtypeimg, js, less, and lib. Languages.pm has been
modified to ignore the new directories when parsing the theme language
directories.

This theme introduces the use of LESS (http://lesscss.org/) to build
CSS. Three LESS files can be found in the "less" directory: mixins.less,
opac.less, and responsive.less. These three files are compiled into one
CSS file for production: opac.css. "Base" theme styles are found in
opac.less. A few "mixins" (http://lesscss.org/#-mixins) are found in
mixins.less. Any CSS which is conditional on specific media queries is
found in responsive.less.

At the template level some general sturctural changes have been made.
For the most part JavaScript is now at the end of each template as is
recommended for performance reasons. JavaScript formerly in
doc-head-close.inc is now in opac-bottom.inc.

In order to be able to maintain this structure and accommodate
page-specific scripts at the same time the use of BLOCK and PROCESS are
added. By default opac-bottom.inc will PROCESS a "jsinclude" block:

[% PROCESS jsinclude %]

Each page template in the theme must contain this block, even if it is
empty:

[% BLOCK jsinclude %][% END %]

Pages which require that page-specific JavaScript be inserted can add it
to the jsinclude block and it will appear correctly at the bottom of the
rendered page.

The same is true for page-specific CSS. Each page contains a cssinclude
block:

[% BLOCK cssinclude %][% END %]

...which is processed in doc-head-close.inc:

[% PROCESS cssinclude %]

Using these methods helps us maintain a strict separation of CSS links
and blocks (at the top of each page) and JavaScript (at the bottom). A
few exceptions are made for some JavaScript which must be processed
sooner: respond.js (https://github.com/scottjehl/Respond, conditionally
applied to Internet Explorer versions < 9 to allow for layout
responsiveness), the _() function required for JS translatability, and
Modernizr (http://modernizr.com/, a script which detects browser
features and allows us to conditionally load JavaScript based on
available features--or lack thereof).

Another new JavaScript dependency in this theme is enquire.js
(http://wicky.nillia.ms/enquire.js/), which lets us trigger JavaScript
events based on viewport size.

I have made an effort to re-indent the templates in a sane way,
eliminating trailing spaces and tabs. However, I have not wrapped lines
at a specific line length. In order to improve template legibility I
have also tried to insert comments indicating the origin of closing tags
like <div> or template directives like [% END %]:

</div> <!-- / .container-fluid -->

[% END # / IF ( OpacBrowseResults && busc ) %]

TESTING

Proper testing of this theme is no easy task: Every template has been
touched. Each page should work reasonable well at a variety of screen
dimensions. Pages should be tested under many conditions which are
controlled by toggling OPAC system preferences on and off. A variety of
devices, platforms, and browsers should be tested.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-14 23:13:05 +00:00
Galen Charlton
547c6d2949 Bug 9611: (follow-up) move new password hashing routines to separate module
The move avoids a problem where many modules would gain
a dependency on C4::Auth just because C4::Members needs access
to hash_password().

This patch also adds a couple unit tests for the new password
hashing code.

To test:

[1] Verify that there are no regressions on the test plan for bug
    9611.
[2] Verify that t/AuthUtils.t and t/db_dependent/Auth.t pass.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-09 03:29:22 +00:00
4cb139b9ce Bug 9735 - Build the cookie array correctly
The current implementation didn't build the cookie array correctly,
yielding login problems in some scenarios.

Sponsored-by: Universidad Nacional de Córdoba

Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-04 03:26:56 +00:00
3b7c6932e5 Bug 9735 - Let the language be selected through URL parameters
Passing language=<valid_language_code> as a parameter in any Koha's URL
can be used to set the desired language.
This patch touches
 - C4::Templates
 - C4::Auth

Adds a new method getlanguagecookie that does exactly that, for use in
get_template_and_user.
Also modifies getlanguage so it checks (a) if there's a 'language'
parameter in the CGI object and (b) checks if its valid and enabled for
the desired interface.

To test:
* Without the patch
  - access any koha page
  - add ?language=code to the end of the URL (change code for a valid language code
    it needs to be installed using perl translate install code, and enabled either for
    the staff or opac interface, depending where are you testing)
  - Nothing happens with the language parameter
* With the patch
  - access any koha page
  - add ?language=code (the same as before) and hit enter
  - the language should be changed to the one you chose
  - if you browse through some links, you will see
    koha 'remembers' the language you passed as a parameter
    (i.e. the language cookie has been updated).

Sponsored-by: Universidad Nacional de Córdoba
Signed-off-by: Brendan <brendan@bywatersolutions.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>

Comment: Works very well. No errors.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Passes all tests and QA script.
More comments on last patch.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-04 03:26:09 +00:00
Galen Charlton
419af5db00 bug 9611: (follow-up) add reference to Crypt::Eksblowfish::Bcrypt in POD
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-03 23:01:47 +00:00
Bernardo Gonzalez Kriegel
e23e8166f1 Bug 9611: (follow-up) fix POD
Small patch to make koha-qa happy.
Fixes small POD error

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-03 23:01:46 +00:00
Srdjan
4be177c1ae bug 9611: Extract checkpw_internal() and checkpw_hash() from checkpw()
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-03 22:22:32 +00:00
Srikanth Dhondi
f2162a86b0 Bug 9611: Change the password hashing algorithm from MD5 to Bcrypt
What this patch aims to accomplish?

 * All new passwords are stored as Bcrypt-hashes
 * For password verification:
     - If the user was created before this patch was applied then use
        MD5 to hash the entered password <-- backwards compatibility
     - If the user was created after this patch was applied then use
       Bcrypt to hash the entered password
 * Any password change made via the staff interface or the OPAC will
   be automatically Bcrypt-hashed; this applies to old users whose
   passwords were stored as MD5 hashes previously

Test plan:
  1) Add new users and check whether their passwords are stored as
     Bcrypt hashes or not.
  2) To test that authentication works for both old as well as new
     users:
       a) Login as an existing user whose password is stored as a
          MD5 hash
       b) Login as an existing user whose password is stored as a
          Bcrypt hash
  3) In the staff interface, change the password of an existing user
     whose password is stored as an MD5 hash
	a) Check the new password is stored as a Bcrypt-hash in the database
	b) Try to login with the new password
  4) In the OPAC, verify that
    a) Old user with old pass can change password, new format
    b) New user with new pass can change password
    c) Old and new user with self-updated pass can login

Whitespace cleanup was contributed by  Bernardo Gonzalez Kriegel.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-03 22:22:32 +00:00