Commit graph

638 commits

Author SHA1 Message Date
d827ee310a Bug 28786: Correctly inherit from Auth::GoogleAuth
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-20 20:43:15 -10:00
2c2c366234 Bug 28786: Improve readability in C4::Auth::checkauth
Sponsored-by: Orex Digital

Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-20 20:43:15 -10:00
6eeb9bc1b3 Bug 28786: Two-factor authentication for staff client - TOTP
This patchset introduces the Two-factor authentication (2FA) idea in
Koha.

It is far for complete, and only implement one way of doing it, but at
least it's a first step.
The idea here is to offer the librarian user the ability to
enable/disable 2FA when logging in to Koha.

It will use time-based, one-time passwords (TOTP) as the second factor,
an application to handle that will be required.

https://en.wikipedia.org/wiki/Time-based_One-Time_Password

More developements are possible on top of this:
* Send a notice (sms or email) with the code
* Force 2FA for librarians
* Implementation for OPAC
* WebAuthn, FIDO2, etc. - https://fidoalliance.org/category/intro-fido/

Test plan:
 0.
  a. % apt install -y libauth-googleauth-perl && updatedatabase && restart_all
  b. To test this you will need an app to generate the TOTP token, you can
 use FreeOTP that is open source and easy to use.
 1. Turn on TwoFactorAuthentication
 2. Go to your account, click 'More' > 'Manage Two-Factor authentication'
 3. Click Enable, scan the QR code with the app, insert the pin code and
 register
 4. Your account now requires 2FA to login!
 5. Notice that you can browse until you logout
 6. Logout
 7. Enter the credential and the pincode provided by the app
 8. Logout
 9. Enter the credential, no pincode
10. Confirm that you are stuck on the second auth form (ie. you cannot
access other Koha pages)
11. Click logout => First login form
12. Enter the credential and the pincode provided by the app

Sponsored-by: Orex Digital

Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-20 20:43:15 -10:00
59ff962caa Bug 26019: Koha should set SameSite attribute on cookies
This patch modifies the way Koha sets cookies so that the "sameSite"
attribute is explicitly set to "Lax." This option is chosen because it
is the value which is currently assumed by browsers when the sameSite
attribute is not set.

To test, apply the patch and restart services.

- Log in to the staff interface and open your browser's developer tools.
  - In Firefox, look for a "Storage" tab.
  - In Chrome, look for an "Application" tab.
- Under "Cookies," click the URL of the staff interface.
- You should see all the cookies which are set for that domain.
- The CGISESSID cookie should have sameSite set to "Lax."

- Go to Cataloging -> New record.
  - Check the "marcdocs" and "marctags" cookies.
- Switch to the Advanced MARC editor (you may need to enable
  theEnableAdvancedCatalogingEditor preference).
  - Check the "catalogue_editor" cookie.
- Add a new item to an existing bibliographic record.
  - Check the "LastCreatedItem" cookie which is set after you save the
    new item.
- Go to Authorities -> Authority search.
  - In authority search results, click "Merge" from the "Actions" menu
    next to one of the results..
    - Check the "auth_to_merge" cookie.
- Go to Administration -> MARC bibliographic framework
  - Choose "MARC structure" from the menu corresponding to one of the
    frameworks.
  - Check the "Display only used tags/subfields" checkbox.
    - Check the "marctagstructure_selectdisplay" cookie.
- Go to Circulation -> Check out to a patron with checkouts.
  - Check the "Always show checkouts immediately" checkbox.
    - Check the "issues-table-load-immediately-circulation" cookie.
- Go to Tools -> Patron clubs. You will need at least one active club
  with one or more patrons enrolled.
  - From the list of clubs, click Actions -> Search to hold.
    - Check the "holdforclub" cookie.
- Go to Tools -> Batch item modification and submit a batch of items.
  - Uncheck one or more checkboxes in the "Show/hide columns" area.
    - Check the "showColumns" cookie.
- View a patron -> Search to hold.
  - Check the 'holdfor' cookie.
- With WebBasedSelfCheck enabled, log in to the self-checkout page.
  - Check the "JWT" cookie.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-13 15:55:38 +02:00
62f8702206 Bug 29957: Let check_api_auth return created cookie
The cookie created on L1496 is useless, since it is not returned.
We could either remove the cookie creation (unchanged behavior).
But since check_api_auth is expected to return a cookie when it is ok,
I opt for returning the cookie here (corrected behavior).

Test plan:
Logout in staff.
Check on staff: /cgi-bin/koha/svc/localization?id=1
You should have a 400 response.
Login with staff credentials (incl. manage_itemtypes)
Revisit same URL.
You should see a JSON response.
Check if you can hit other staff pages.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-12 11:40:17 +02:00
832756a184 Bug 29957: Adjust push @$cookie statements in Auth
We can now use $cookie_mgr->replace_in_list instead. This
effectively removes duplicates and keeps the newest cookie.

Note: In the test plan below we are just verifying if
this patch did not change behavior. The replace_in_list
routine has been tested already in a unit test.

Test plan:
Run t/db_dependent/Auth.t
Login at OPAC.
Hit some opac and staff pages.
Perform an Advanced search on OPAC.
Check cookies in browser.
Logout.
Check cookies again. Verify with your do_not_remove_cookie lines
in koha-conf.xml.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-12 11:40:17 +02:00
a13b004db8 Bug 29957: Replace clear_all_cookies in Auth.pm
Test plan:
Enable language selection and have two languages.
Change language.
Check cookie value in browser for KohaOpacLanguage.
Logout.
Verify that cookie has been cleared in browser.

Add do_not_remove_cookie line for KohaOpacLanguage in koha-conf.
Restart, flush.
Login again.
Change language.
Check cookie value in browser for KohaOpacLanguage.
Logout.
Verify that cookie still contains the language.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-12 11:40:17 +02:00
ed8a9cff24 Bug 29957: Clear cookies on logout
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amended: Reverted the change to $cookies to minimize changes.
Fixed Auth.t where checkauth is being mocked.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-12 11:40:17 +02:00
051dd6bf0b Bug 29609: Centralized code to build the link to a biblio detail page
There are 2 prefs that control the default view of biblio detail pages:
IntranetBiblioDefaultView for staff and BiblioDefaultView for OPAC.
There are as well viewISBD, viewLabeledMARC and viewMARC to allow/don't
allow access to those page for staff members.

This code need to be in a single place to avoid discrepancy.

Test plan:
Play with BiblioDefaultView and IntranetBiblioDefaultView and confirm
that the links of biblio point to the correct view.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-08 15:49:16 +02:00
0b71d861eb Bug 29915: Prevent bad cookie from corrupted session
If there is deleted session info but no session->id, a wrong cookie
with empty name could be generated containing expired session id.

Test plan:
Run t/db_dependent/Auth.t
Login. Check cookies in browser.
Logout. Check cookies in browser.
Without this patch, you should see an invalid cookie.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-03-24 14:22:09 -10:00
3eb3739c6b Bug 29915: (QA follow-up) Add a comment in checkauth on $flags
This is quite a misleading call.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-03-22 10:17:33 -10:00
66a9eca571 Bug 29915: (QA follow-up) Fix POD typo
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-03-22 10:17:33 -10:00
5d1daf20ea Bug 29915: Tiny session adjustments
It may be that we need a few additional flushes.
And checking the returned session before clearing busc.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-03-22 10:17:33 -10:00
89b9c441fa Bug 29915: Changes for get_session and check_cookie_auth
If we look for an existing session, do not create a new one.
Found a bug in the unset_userenv calls. For this moment
changing the calls in Auth here. Later fix goes to bug
29954.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-03-22 10:17:33 -10:00
6300c6023f Bug 29915: Don't generate a new session ID for anonymous navigation
When a user is not logged in, a new session ID is generated every time a
new page is hit.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-03-22 10:17:33 -10:00
Aleisha Amohia
53aa7b523b Bug 19532: Database and installer stuff
- Add recalls table
- Add recalls circulation rules - recalls allowed, recalls per record, on shelf recalls, recall due date interval, recall overdue fine, recall shelf time
- Add system preferences - useRecalls, RecallsMaxPickUpDelay, RecallsLog
- Add email notices (RETURN_RECALLED_ITEM, PICKUP_RECALLED_ITEM)
- Add print notice (RECALL_REQUESTER_DET)
- Add user permission - recalls, manage_recalls
- Add Recall and CancelRecall enum options for branchtransfers reason

Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-03-14 22:45:50 -10:00
d43eea51dd Bug 28955: (follow-up) Set to fall back
This patch updates the original fix to only set the template parameter
for opac sessions and updates all occurences in templats to check first
for logged_in_user.branchcode before falling back to default_branch

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-02-24 14:35:36 -10:00
e940c8ab02 Bug 28955: Add OPAC_BRANCH_DEFAULT
This patch adds support for OPAC_BRANCH_DEFAULT as an environment option
that can be passed via apache with either SetEnv or as a header for
plack.  It allows setting a default branch for the anonymous opac
session such that you can display the right opac content blocks prior to
login if you have set up per branch URI's.

To test (on top of bug 29691)
1 - Add to apache conf (/etc/apache2/sites-available/kohadev.conf)
    SetEnv OPAC_BRANCH_DEFAULT "CPL"
    RequestHeader add X-Koha-SetEnv "OPAC_BRANCH_DEFAULT CPL"
2 - Restart all
3 - Confirm that news for all and CPL show on opac mainpage
4 - Sign in as a different library
5 - Confirm users library news shows

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-02-24 14:35:36 -10:00
e53667105d Bug 29844: Fix ->search occurrences
and some more...

There are lot of inconsistencies in our ->search calls. We could
simplify some of them, but not in this patch. Here we want to prevent
regressions as much as possible and so don't add unecessary changes.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-02-09 15:36:23 -10:00
393efc7b73 Bug 29914: (QA follow-up) Add comment to explain last case
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

JD amended patch: remove ref to line number

Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-02-02 21:05:30 -10:00
95097d1cc2 Bug 29914: Make check_cookie_auth compare the userid
check_cookie_auth is assuming that the user is authenticated if a cookie exists
and that the login/username exists in the DB.

So basically if you hit the login page, fill the login input with a
valid username, click "login"
=> A cookie will be generated, and the sessions table will contain a
line with this session id.
On the second hit, if the username is in the DB, it will be enough to be
considered authenticated.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-02-02 21:05:29 -10:00
2e5d59d902 Bug 28735: Self-checkout users can access opac-user.pl for sco user when not using AutoSelfCheckID
This patch makes the sandboxing of the selfcheckout more robust by
adding a "sco_user" session variable which is turned on when
logging into the self-checkout (either by AutoSelfCheckAllowed or manually).

If a user with this session variable turned on tries to access
other parts of the system (like the rest of the OPAC), it will
"kick out", so that the browser user will lose the authenticated session.

Test plan:
1) Apply the patch
2) koha-plack --restart kohadev
3) Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
4) Note that you are logged into the self-checkout
     So you see the login screen specific to the self-checkout.
     To log with the actual patron. It's a nested auth.
5) Go to http://localhost:8080/cgi-bin/koha/opac-main.pl
6) Note that you are not logged into the OPAC
7) Log into the staff interface and disable the
system preference AutoSelfCheckAllowed
8) Log out of the staff interface (this step is very important)
9) Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
10) Note that you are prompted to log into Koha
11) Login using the "koha" user (when using koha-testing-docker)
12) Note that you are logged into the self-checkout
13) Go to http://localhost:8080/cgi-bin/koha/opac-main.pl
14) Note that you are not logged into the OPAC
      Without the patch you would still be logged as "koha"
15) Go back to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
16) Note that you will need to log in again as you've lost your
session cookie
      Without the patch you will still be logged in the self-checkout
Voila!

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-02-02 21:05:29 -10:00
8473254ec3 Bug 24224: Convert OpacNavBottom system preference to additional content
This patch builds on Bug 22318 to move the OpacNavBottom system
preference into the "Additional contents" system, making it possible to
have language- and library-specific content.

To test you should have some content in the OpacNavBottom system
preference. To make testing easier it's also a good idea to have content
in the OpacNav preference.

- Apply the patch and run the database update process.
- In the staff client, go to Tools -> HTML customizations and verify
  that the content from OpacNavBottom is now stored there. When you
  edit the entry you should see content from the OpacNavBottom system
  preference under the "default" tab.
  - The publication date for the entry should be today's date.
  - Confirm that the previous contents of OpacNavBottom were added
    correctly.
- Go to Administration -> System preferences -> OPAC and verify that
  the OpacNavBottom preference has been removed.
- Update and reinstall active translations (for instance fr-FR):
  - cd misc/translator/
  - perl translate update fr-FR
  - perl translate install fr-FR
- View the OPAC and confirm that the contents of the OpacNavBottom
  system preference displays in the left-hand sidebar.
- Test as many pages as possible to confirm that wherever the
  OpacNavBottom content is displayed, OpacNavBottom is also displayed.
- Test also using the updated translation.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-11-08 11:41:48 +01:00
4577950900 Bug 24223: Convert OpacNav system preference to additional content
This patch builds on Bug 22318 to move the OpacNav system
preference into the "Additional contents" system, making it possible to
have language- and library-specific content.

To test you should have some content in the OpacNav system
preference. To make testing easier it's also a good idea to have content
in the OpacNavBottom preference.

 - Apply the patch and run the database update process.
 - In the staff client, go to Tools -> HTML customizations and verify
   that the content from OpacNav is now stored there. When you
   edit the entry you should see content for each of the enabled
   translations in your system under each tab.
   - Confirm that the previous contents of OpacNav were added
     correctly.
 - Go to Administration -> System preferences -> OPAC and verify that
   the OpacNav preference has been removed.
 - Update and reinstall active translations (for instance fr-FR):
   - cd misc/translator/
   - perl translate update fr-FR
   - perl translate install fr-FR
 - View the OPAC and confirm that the contents of the OpacNav system
   preference displays in the left-hand sidebar.
 - Test as many pages as possible to confirm that wherever the
   OpacNavBottom content is displayed, OpacNav is also displayed.
 - Test also using the updated translation.

Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Bug 24223: (follow-up) Add date to OpacNav additional content entries

This follow-up modifies the atomic update so that it inserts today's
date as the "Published on" date. Without that information the system
considers the item unpublished and will not display the content.

Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Bug 24223: (follow-up) Make logged-in user's branchcode available to template

This patch makes a couple of corrections for problems I discovered
while working on Bug 24224: The variables required for correct display
of news items by branch and language were not consistently available to
the templates.

In opac-readingrecord.pl, the "lang" variable was being overwritten. On
this and other pages the logged-in patron's brachcode was not made
available. I've corrected instances of KohaNews.get() to use the
globally-available "logged_in_user.branchcode" instead.

To test, apply the patch and follow the original test plan, with the
addition of instances of the OpacNav additional contents item which
have a specific library selected.

Confirm that such items are correctly displayed according to the
logged-in user's home library. If there is no logged-in user the
library-specific OpacNav should not display.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Bug 24223: (follow-up) Updates to conform to new practices

- The patch now works with new "Additional contents" system
- The database update follows new skeleton.pl
- Add "OpacNav" option to the additional contents template

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Bug 24223: (follow-up) Add missing "return" to atomicupdate

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Bug 24223: (QA follow-up) Link OpacNav to HTML customizations now

In the pref description of OpacNavBottom. (Before obsoleting that
one too somewhere soon.)

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-11-08 11:18:39 +01:00
70485bf1cc Bug 29180: Rename syspref RequestOnOpac with OPACHoldRequests
It is a confusing name because we have 'Article Request' as a feature,
and this does not follow Koha terminology.

Test plan:
`updatedatabase` and confirm that the syspref has been renamed
`git grep RequestOnOpac` => No occurrence in the code

QA: The syspref's value is always retrieved using Koha.Preference from
.tt files, we don't need to send it from controllers or C4::Auth

Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-11-05 12:13:25 +01:00
37005486d3 Bug 28417: Don't require C4::Auth_with_cas from opac-user if not needed
Note that without the use URI::QueryParam statement in C4::Auth we get:
Can't locate object method "query_param_delete" via package "URI::_generic" at /kohadevbox/koha/C4/Auth.pm line 1254

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-11-03 15:40:52 +01:00
bf1c4c2431 Bug 28417: Don't use C4::Auth_with_cas if CAS is not used
We should follow the same pattern as ldap and not use C4::Auth_with_cas
if the cas syspref is not turned on.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-11-03 15:40:52 +01:00
adc3772204 Bug 28959: (follow-up) Adjust all places in which 'category' was used
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-10-28 17:47:38 +02:00
b271e9f9db Bug 28785: Don't send SessionRestrictionByIP to template
It's not used.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-10-18 11:28:41 +02:00
1a216186ff Bug 28785: Add skip_version_check for checkauth
We could have this patch but we also could decide to skip it. The idea
is to avoid 2 checks of the version when we are coming from checkauth.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-10-18 11:28:41 +02:00
6545259bbf Bug 28785: Centralize cookie auth check in check_cookie_auth
This code is duplicated in 3 different places, we must call
check_cookie_auth instead.

It makes check_cookie_auth returns a 'restricted' when
SessionRestrictionByIP is set and the IP changed.
It also returns a third parameters contained the old and new IP, to fill
the "info" hash in checkauth but apparently the oldip and newip
variables are not even used from the template. We may want to remove it
completely.

No change is expected with this patch, the different authentication
methods should still work as before.

Test plan:
Log in the staff and OPAC interfaces, logout.
Log in and call script that call the 3 different subroutines modified by
this patch. For instance you can list checkouts (that is using
check_cookie_auth) and display a patron's image (using check_api_auth).

QA with good knowledge of the C4::Auth module and the different
authentication methods is required.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-10-18 11:28:41 +02:00
065ec4e726 Bug 28847: Cleanup of branch limitsand fix OPAC_SEARCH_LIMIT
The opac had 'branch_group_limit' parameters which can be simplified to more
closely match intranet code.

Adjust C4::Auth for chaneg above to ensure dropdowns correctly populate

Expand JS to prevent selection of single and multibranch limits

To test:
1 - Enable OpacAddMastheadLibraryPulldown system preference
2 - Ensure branches and groups show as before patch
3 - Ensure single and multibranch limits from masthead apply as expected
4 - Test advanced search page, ensure you cannot select both single and multibranch limit
5 - Follow test plan on 28845 - ensure multibranch limit still correctly pre-selected

Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>

Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-09-20 14:04:48 +02:00
56c2856e26 Bug 12561: Remove non-XSLT views
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-08-16 09:57:04 +02:00
09e0799a8d Bug 28660: (bug 21325 follow-up) Fix auto self check
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Works as expected.
The need for an additional check of pref WebBasedSelfCheck is
merely theoretical.

Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-07-22 08:12:51 +02:00
9d6d641d1f Bug 17600: Standardize our EXPORT_OK
On bug 17591 we discovered that there was something weird going on with
the way we export and use subroutines/modules.
This patch tries to standardize our EXPORT to use EXPORT_OK only.

That way we will need to explicitely define the subroutine we want to
use from a module.

This patch is a squashed version of:
Bug 17600: After export.pl
Bug 17600: After perlimport
Bug 17600: Manual changes
Bug 17600: Other manual changes after second perlimports run
Bug 17600: Fix tests

And a lot of other manual changes.

export.pl is a dirty script that can be found on bug 17600.

"perlimport" is:
git clone https://github.com/oalders/App-perlimports.git
cd App-perlimports/
cpanm --installdeps .
export PERL5LIB="$PERL5LIB:/kohadevbox/koha/App-perlimports/lib"
find . \( -name "*.pl" -o -name "*.pm" \) -exec perl App-perlimports/script/perlimports --inplace-edit --no-preserve-unused --filename {} \;

The ideas of this patch are to:
* use EXPORT_OK instead of EXPORT
* perltidy the EXPORT_OK list
* remove '&' before the subroutine names
* remove some uneeded use statements
* explicitely import the subroutines we need within the controllers or
modules

Note that the private subroutines (starting with _) should not be
exported (and not used from outside of the module except from tests).

EXPORT vs EXPORT_OK (from
https://www.thegeekstuff.com/2010/06/perl-exporter-examples/)
"""
Export allows to export the functions and variables of modules to user’s namespace using the standard import method. This way, we don’t need to create the objects for the modules to access it’s members.

@EXPORT and @EXPORT_OK are the two main variables used during export operation.

@EXPORT contains list of symbols (subroutines and variables) of the module to be exported into the caller namespace.

@EXPORT_OK does export of symbols on demand basis.
"""

If this patch caused a conflict with a patch you wrote prior to its
push:
* Make sure you are not reintroducing a "use" statement that has been
removed
* "$subroutine" is not exported by the C4::$MODULE module
means that you need to add the subroutine to the @EXPORT_OK list
* Bareword "$subroutine" not allowed while "strict subs"
means that you didn't imported the subroutine from the module:
  - use $MODULE qw( $subroutine list );
You can also use the fully qualified namespace: C4::$MODULE::$subroutine

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-07-16 08:58:47 +02:00
af7e41d114 Bug 28606: Remove warning from C4::Auth 887
[WARN] Use of uninitialized value in sprintf at /kohadevbox/koha/C4/Auth.pm line 887.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-07-16 08:58:45 +02:00
ce5d409cfd Bug 28571: Remove C4::Auth::_session_log
It's not used and must be removed

Test plan:
  % git grep _session_log
must not return any result.

Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-06-24 11:53:44 +02:00
41a8005d10 Bug 28606: Remove $DEBUG and $ENV{DEBUG}
We should remove the debug statements or use Koha::Logger when we want
to keep it.

Test plan:
Confirm that occurrences of remaining occurrences of DEBUG need to be
kept (historical scripts for instance)
Confirm that the occurrences removed by this patch can be removed
Confirm that the occurrences replaced by Koha::Logger are correct

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Looks good to me, noting a few minor points on BZ.

JD amended patch: replace "warn #Finished" with "#warn Finished", and
put the statement on a single line

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-06-24 11:53:44 +02:00
512c7ba7e4 Bug 28590: Remove get_shelves_userenv and set_shelves_userenv
They are no longer used since bug 7310, now we are using
Koha::Virtualshelves->get_some_shelves

Test plan:
Create some lists, login at the OPAC and confirm that you see
the list in the navbar (top)

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-06-22 12:04:31 +02:00
a3c5ecd0e4 Bug 28388: Preserve "Browse results" when "view plain" is clicked
This patch modifies the way search sessions are preserved in the OPAC so
that viewing the "plain MARC" view will not cause the search context to
be lost.

To test, apply the patch and make sure OpacBrowseResults is enabled.

- Perform a search in the OPAC which will return multiple search
  results.
- View the details of one of the search results.
  - You should see a "Browse results" box in the right-hand sidebar.
- Click the "MARC view" link.
  - If you click back to the "Normal view" now, the results browser
    should still appear.
  - From the MARC view, click the "view plain" link.
  - Return to the "Normal view."
    - Before the patch: The results browser is gone.
    - After the patch: The results browser is still there.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-06-21 12:07:28 +02:00
40089a0a53 Bug 28519: Put CGI::Session::Serialize::yamlxs in lib directory
This patch adds a "lib" directory to the source tree which gets
mapped to the same directory as "C4" and "Koha" for single and
standard installations.

CGI::Session::Serialize::yamlxs is put into this "lib" directory.

This patch also includes some changes so that dev/git installations
work as well.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-06-17 10:07:36 +02:00
a502ae7b68 Bug 28489: Don't deal with encoding during the serialization
Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-06-14 17:35:19 +02:00
Andrew Nugged
1887f3b53f Bug 28489: POD - CGI::Session::Serialize::yamlxs for CGI::Session
Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-06-14 17:35:19 +02:00
cb90cbf4eb Bug 28317: Use the default CGI::Session serializer
We remove YAML::Syck on bug 22824 and YAML on 27673, to use YAML::XS.
However we need one of them for CGI::Session::Serialize::yaml
It's preferable to change the serializer and use the default one instead
of writing one based on YAML::XS (or patch the existing ::yaml that does
not seem maintained).

There was an encoding bug reported on the default serializer (see commit
a858e8a8b8) but we fail to recreate it.

Test plan:
Create 3 libraries with branchcode=branchname: "CPL", "ÄÄÄ~ÄãÃ" and "✔️ ❤️ ★"
Use the 3 options of SessionStorage and switch from one logged in
library to another.
Confirm that everything is working correctly (ie. no ending issue in the
library name at the top-right corner)

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-05-19 14:45:32 +02:00
da9006b20d Bug 21325: Prevent authentication when sending userid and password in querystring
This patch permits authentication via userid/password only when the
HTTP method is POST when using C4::Auth::checkauth().

The goal is to stop people from supplying userid and password in querystrings
in order to log into web pages.

Test plan:
0. Do not apply patch yet
1. Open a new browser (ie we don't want any existing CGISESSID cookies
available - opening a new tab/window isn't enough. It must be a
new instance or you can clear your cookies)
2. Go to http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29&userid=koha&password=koha
3. Note the user has been logged in and is being asked to confirm hold.

4. Apply the patch

5. Go to http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29&userid=koha&password=koha
6. Note the user is not logged in and the user is presented with a login screen

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-04-16 13:56:46 +02:00
592ab10fe5 Bug 22824: Remove C4::Boolean, true_p, boolean_preference, etc.
It seems that we don't really need all this overhead.
YesNo must be a boolean and contain 1 or 0.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-03-04 16:18:42 +01:00
b5ab335d1b Bug 18506: (QA follow-up) opacShibOnly -> OPACShibOnly
As requested

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-02-09 09:46:08 +01:00
1a81264ac1 Bug 18506: Add xShibOnly preference for Shibboleth authentication
This patch adds two system preferences to Koha, opacShibOnly and
staffShibOnly, allowing users to restrict authentication to just
one method, Shibboleth.

We do however, allow for local fallback for the SCO/SCI logins.

A system preference was chosen over a configuration file update to
allow for local override at the virtualhost level. In this way a
hosting provider can setup a 'backdoor opac' for example to allow
fallback to local logins for support operations.

Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-02-09 09:46:08 +01:00
6b23c0634b Bug 14004: Set the syspref's value to an empty string
It's tested with "defined" in C4::Context->preference

Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-01-27 14:36:26 +01:00
c009eeafed Bug 14004: Add OpacAdditionalStylesheet and opaclayoutstylesheet
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-01-27 14:36:26 +01:00