We're doing this in the registering stage and at disabling.
Test plan:
Ënable two-factor auth but logout/login on another tab. You should
get the Wrong CSRF token when submitting.
Do similar thing while disabling.
Verify that you can register / disable when in the same session.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
FAIL members/two_factor_auth.pl
FAIL file permissions
File must have the exec flag
FAIL koha-tmpl/intranet-tmpl/prog/en/modules/members/two_factor_auth.tt
FAIL filters
missing_filter at line 42 ( <p>Account: [% issuer %]</p>)
missing_filter at line 43 ( <p>Key: [% key_id %]</p>)
missing_filter at line 54 ( <input type="hidden" name="secret32" value="[% secret32 %]" />)
missing_filter at line 58 ( <img id="qr_code" src="[% qr_code_url %]" />)
FAIL Koha/Auth/TwoFactorAuth.pm
FAIL pod coverage
POD is missing for 'new'
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patchset introduces the Two-factor authentication (2FA) idea in
Koha.
It is far for complete, and only implement one way of doing it, but at
least it's a first step.
The idea here is to offer the librarian user the ability to
enable/disable 2FA when logging in to Koha.
It will use time-based, one-time passwords (TOTP) as the second factor,
an application to handle that will be required.
https://en.wikipedia.org/wiki/Time-based_One-Time_Password
More developements are possible on top of this:
* Send a notice (sms or email) with the code
* Force 2FA for librarians
* Implementation for OPAC
* WebAuthn, FIDO2, etc. - https://fidoalliance.org/category/intro-fido/
Test plan:
0.
a. % apt install -y libauth-googleauth-perl && updatedatabase && restart_all
b. To test this you will need an app to generate the TOTP token, you can
use FreeOTP that is open source and easy to use.
1. Turn on TwoFactorAuthentication
2. Go to your account, click 'More' > 'Manage Two-Factor authentication'
3. Click Enable, scan the QR code with the app, insert the pin code and
register
4. Your account now requires 2FA to login!
5. Notice that you can browse until you logout
6. Logout
7. Enter the credential and the pincode provided by the app
8. Logout
9. Enter the credential, no pincode
10. Confirm that you are stuck on the second auth form (ie. you cannot
access other Koha pages)
11. Click logout => First login form
12. Enter the credential and the pincode provided by the app
Sponsored-by: Orex Digital
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
To test:
1. Make some new serial subscriptions and connect them to biblios that contain subtitles.
2. Do a serial search that will return your newly created subscription.
3. Notice the subtitle doesn't appear.
4. Apply patch and restart_all
5. Again try step 2.
6. Notice the subtitle appears alongside the title now.
7. Make sure it still sorts that column correctly.
Signed-off-by: shiyao <shiyao@inlibro.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
To test:
1. Make some new serial subscriptions and connect them to biblios that contain subtitles.
2. Do a serial search that will return your newly created subscription.
3. Click on one of those subscription to be taken to the subscription detail page.
4. Look at the main heading (h1) and the "Biblio:" line. Notice there is no subtitle in either place
5. Apply patch, restart_all, and reload the subscription detail page.
6. You should now see the subtitle on both the main heading (h1) and on the 'Biblio:' line.
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
To test:
--Create a circulation rule with a value in "Overdue fines cap (amount), or edit an existing rule to add it
-Save the new (or edited) rule.
-Edit the same rule again to change any other field. Note that "Overdue fines cap (amount)" is now blank
-Save your edited rule - "Overdue fines cap (amount)" will save as blank.
Apply patch
--Create a circ rule with a value in Overdue fines cap (amount) and check "Cap fine at replacement price" for that same rule.
-Save the rule
-Try ediding the rule and make sure both of those values now save correctly.
-Add several more rules and try playing with both "Cap fine at replacement price" and "Overdue fines cap (amount)". Make sure everything saves right.
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
To test:
1 - Define some circ rules
2 - View them, note the appearance
3 - Apply patch
4 - Reload and note change of header
5 - Use the new button to export, try various formats
6 - Test the filter and export
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch provides easy access to the OPACUserJS and OPACUserCSS
system preferences in the Additional Contents (News and HTML
customisations) sections.
To test:
1. In the staff client, go to Tools -> News. Notice there is a button to
add a New entry. Confirm this button is also there when you go to
Tools -> HTML customisations.
2. Apply the patch and refresh the page.
3. Confirm there are now two new buttons to take you to OPACUserJS and
OPACUserCSS. Confirm these buttons take you to the correct system
preference.
Sponsored-by: Catalyst IT
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Bug 30288: (follow-up) Add permissions check
This follow-up wraps the system preference links in a check for
"parameters_manage_sysprefs" permission so that the links don't display
to those without permission to access system preferences.
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
The text displayed by database update is not really helpful.
And it will be incorrect if update is run several times.
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Description and remove choices.
Set items => flag items (as in circulation.pref)
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
To test:
1. Apply patch, restart the things, and run updatedatabase
2. Look for the system preference 'AllowSetAutomaticRenewal'.
3. To preserve current behavior the system preference should be set to allow by default.
4. Go to the circulation page and see that under 'Checkout settings' there is the option to set a particular item for auto renewal.
5. Set 'AllowSetAutomaticRenewal' to 'don't allow'.
6. Go back to the circulation page and under checkout settings you should no longer see the option to set an item for auto renewal.
Signed-off-by: Kelly mcElligott <kelly@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch pre-fills the 952$d (Date acquired) item subfield on page
load. Users can still click on the field to fill this subfield.
Test plan:
1. Visit a biblio. Add an item, observe on page load the 'Date acquired' subfield is
empty
2. Visit a subscription. Receive a serial, observe after setting the serial status to 'Arrived' the item form loads with an empty 'Date acquired' subfield
3. Apply patch and restart services
4. Repeat step 1 and confirm now on page load the 'Date acquired'
subfield populates with today's date
5. Delete the populated 'Date acquired' subfield value. Click in the
field and confirm the field is populated and the calendar input displays
6. Delete the 'Date acquired' subfield value again. Confirm that tabbing
from a different field into the date acquired field behaves the same as
click
7. Repeat step 2. This time confirm on page load the 'Date acquired' subfield
contains the current date
8. Delete the populated 'Date acquired' subfield value. Click in the
field and confirm it is populated
9. Delete the populated 'Date acquired' subfield value. Tab to the field
from another field and confirm it behaves the same as click
10. Visit a biblio. Edit an item with a date acquired value in
the past. Confirm the date acquired value is unchanged after saving.
Sponsored-By: Brimbank Library, Australia
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch simply adds the version number we are using
and updates the link to point to our version
To test:
1 - Confirm the About->Licenses page points to the correct Font Awesome
version
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Some libraries have certain patron categories that can only do in house checkouts via SIP self check machines.
In these cases, the items should not be demagnetized since the items cannot leave the library.
Test Plan:
1) Apply this patch
2) prove t/db_dependent/SIP/Message.t
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch adds a new 'Send welcome email' option to the 'More' dropdown
menu in the patrons toolbar.
Clicking the button will queue the welcome email again for the patron and
redirect the user to the Notices tab to view it's contents.
Signed-off-by: Kelly McElligott <kelly@bywatersolutions.com>
Signed-off-by: Jessie Zairo <jzairo@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
It's easy to forget to set the LibraryName preference.. as such we can
make this a conditional and fall back to a default of 'the library'.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch updates the sample notice as suggested by Katrin.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch replaces the AutoEmailOpacUser system preference with a new
AutoEmailNewUser preference. This makes the functionof the preference
clearer.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch updates all references to the former ACCTDETAILS notice to
use the new WELCOME email notice instead.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch drops the ACCDETAILS notice in preference to a new WELCOME
notice.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Add a unit test for the additional functionality of sending welcome
emails from Koha::Patrons::Import.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch adds welcome email for new users support to the command line
patron import tool.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch adds the ability to send the ACCTDETAILS notice for new users
added using the patron import tool.
Test plan
1. Create a valid csv for patron import that includes some new users,
ensuring you add a valid email address for which you have access.
2. Import the users using the patron import tool and select the new
'Send email to new patrons' checkbox.
3. Check that the notice appears in the new patrons notices
4. Check that you received a welcome email for the user.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
The error pages wrote a HTTP status code of 200 for all PSGI requests, even
though it should have only done it for PSGI requests from the ErrorDocument
middleware. This patch fixes that.
0) Do not apply patch
1) Open F12 dev tools and go to Network tab
2) Go to http://localhost:8081/files/blah
3) Note that the webpage is a 404 error but HTTP status code is 200
4) Go to http://localhost:8081/cgi-bin/koha/circ/blah
5) Note that the webpage is a 404 error and HTTP status code is 404
6) Apply patch
7) Go to http://localhost:8081/files/blah
8) Note that the webpage is a 404 error and HTTP status code is 404
9) Go to http://localhost:8081/cgi-bin/koha/circ/blah
10) Note that the webpage is a 404 error and HTTP status code is 404
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch modifies the CSS of the Koha logo and its container so that
it more closely matches the previous version and so that alignment is
handled better at various browser widths.
To test, apply the patch and build the staff interface CSS
(https://wiki.koha-community.org/wiki/Working_with_SCSS_in_the_OPAC_and_staff_client).
Check various pages in the staff interface to confirm that the position
of the Koha logo is correct. Adjust your browser width to confirm that
the alignment adapts at narrow widths.
Test also on pages where the header search form can be expanded, e.g.
Patrons -> [+] to expand search options. Or Acquisitions -> Orders
search -> [+]. Confirm that logo alignment is correct on these pages
too.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
