Commit graph

700 commits

Author SHA1 Message Date
0e6537d199
Bug 36098: Add Koha::Session module to ease session handling
This patch adds a Koha::Session module that makes it easier
to work with Koha sessions without needing the full C4::Auth module.

Test plan:
0. Apply the patch
1. Run the following unit tests:
prove ./t/db_dependent/Auth.t
prove ./t/db_dependent/Auth_with_cas.t
prove ./t/db_dependent/Koha/Session.t
2. Observe that they all pass

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:30 +01:00
7d95c64048
Bug 36092: Pass sessionID at the end of get_template_and_user
It seems safer to pass the logged in user and session info at the end of
the sub.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:28 +01:00
3a053ebdf9
Bug 36092: Pass the sessionID from checkauth if we hit auth
If we hit the auth page we were not passing sessionID to the template

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:27 +01:00
c0d5013f2e
Bug 35918: Fix auto library connect (AutoLocation)
This code is a bit weird, its purpose it to auto select the library depending on the IP.
A problem appears if the same IP is used, then the user's choice will
might be overwritten randomly by another library.

To recreate the problem:
Turn on AutoLocation
Use koha/koha @CPL for test
And the following config:
*************************** 1. row ***************************
branchcode: CPL
branchname: Centerville
  branchip: 172.18.0.1
*************************** 2. row ***************************
branchcode: FFL
branchname: Fairfield
  branchip: 172.18.0.1
*************************** 3. row ***************************
branchcode: FPL
branchname: Fairview
  branchip: 172.18.0.4

Connect and select CPL. Randomly FFL will be picked instead.

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tested this on top of 35890 and 35904 because git bz said they were required dependencies.
Figured out the IP Koha was seeing me as coming from in /var/log/koha/kohadev/plack.log.
Added that IP to the branchip for Centerville, Fairfield and Fairview. Set AutoLocation = Yes.
After this I could recreate the problem: If i left the "Library" field in the login screen
at "My Library" I got logged into a random library selected from the three i had set
branchip for. Applying the patches fixed this, as expected.
Tests pass, with AutoLocation off.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:26 +01:00
e59623bfc2
Bug 35890: Reject login if IP is not valid
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:23 +01:00
8fb9b814aa
Bug 35904: (QA follow-up): tidy up code
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:22 +01:00
a82772d7ec
Bug 35904: Make C4::Auth::checkauth testable easily
This patch suggests to add a new flag do_not_print to
C4::Auth::checkauth to not print the headers and allow to test this
subroutine more easily.

We do no longer need to mock safe_exit and redirect STDOUT to test its
return values.

There are still 3 left:
1.
733         # checkauth will redirect and safe_exit if not authenticated and not authorized
=> Better to keep this one, not trivial to replace

2.
806         # This will fail on permissions
This should be replaced but testing $template->{VARS}->{nopermission}
fails, I dont' think the comment is better.

3.
828         # Patron does not have the borrowers permission
Same as 2.

2. and 3. should be investigated a bit more.

This patch also move duplicated code to set patron's password to a
subroutine set_weak_password.

Test plan:
Read the code and confirm that everything makes sense.
QA: Do you have a better way for this? Yes it's dirty!

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:21 +01:00
16a648e9ca
Bug 35904: Remove var loggedin
It is never used and add confusion

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:21 +01:00
Andreas Jonsson
5f9e9e5df2
Bug 36034: (bug 34893 follow-up) fix capture of return values from checkpw
Adapt code to the change of return value type of checkpw
introduced in bug 34893

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2024-02-14 10:27:47 +00:00
12b6c0e67d
Bug 34893: Unit tests for C4::Auth::checkpw
This patch introduces some tests on the current (and new) behavior for
the `checkpw` function.

I needed it to better understand if an edge case was actually possible
(it wasn't).

Found a really minor annoyance for the internal check with expired
password not returning the $patron object for consistency with the other
use cases.

I think this method deserves (at least) changing the return value to a
sane data structure. But that's not target for backporting to stable
releases. So a separate bug.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-02-02 17:31:48 +01:00
2b54d3c82b
Bug 34893: (QA follow-up) Tidy code for qa script
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-02-02 17:31:47 +01:00
c1b94fc011
Bug 34893: ILS-DI can return the wrong patron for AuthenticatePatron
Imagine we have a set of users. Some of those users have a NULL userid. We then call AuthenticatePatron from ILS-DI for a patron with a NULL userid, but a valid cardnumber. We call checkpw, which returns the cardnumber and userid. We then call Koha::Patrons->find on the userid *which is null*, meaning the borrowernumber returned is not the correct one, but instead the earliest patron inserted into the database that has a NULL userid.

Test Plan:
1) Give three patrons a userid and a password
2) From the database cli, set all patrons's userid to null
   Run this query: update borrowers set userid = null;
3) Call AuthenticatePatron with username being the 1st patron cardnumber,
   and password being the password you set for that patron
   http://localhost:8080/cgi-bin/koha/ilsdi.pl?service=AuthenticatePatron&username=kohacard&password=koha
4) Note you get back a borrowernumber for a different patron. Refresh the page and the number is correct.
5) Do the same with the 2nd patron. Same issue at 1st and correct number after.
6) Apply this patch
7) Restart all the things!
8) Do the same with the 3rd patron.
9) Note you get the correct borrowernumber! :D
10) prove t/Auth.t t/db_dependent/Auth_with_ldap.t t/Auth_with_shibboleth.t t/db_dependent/Auth_with_cas.t

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-02-02 17:31:46 +01:00
Aleisha Amohia
eb130f559e
Bug 35008: Make ILS-DI not require auth when OpacPublic disabled
To test, disable OpacPublic and ensure a call to ilsdi.pl will still return expected results from a private browser, not logged into the OPAC.

Sponsored-by: Auckland University of Technology
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-11-10 10:59:28 -03:00
53ccbc7b61
Bug 35231: Resolve crash on unexisting patron in Auth
Test plan:
Without this patch:
Logout from OPAC. Crash.
Try to login. Crash.

With this patch:
Enable login in tracking triggers. Clear lastseen.
Flush memcache.
Login. Check lastseen.
Logout.
Login.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-11-03 12:04:42 -03:00
75f68914be
Bug 15504: (follow-up) Migrate to one clear method
We were using a series of similarly named methods spread in distinct places
around the codebase. This combines the logic of C4::Auth::track_login_daily
and Koha::Patron->track_login into a new Koha::Patron->update_lastseen method.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-10-24 10:05:15 -03:00
68f1154f6d
Bug 15504: Add triggers to instances of track_login_daily
This patch adds a trigger to every instance of track_login_daily

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-10-24 10:05:13 -03:00
6b20144bbb
Bug 15504: Update track_login_daily to accept triggers
This patch adds triggers to track_login_daily so that it only tracks activity when that trigger is active

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-10-24 10:05:12 -03:00
cdf18a0015
Bug 31357: Separate holds history from intranetreadinghistory
Currently the system preference intranetreadinghistory determines visibility of both circulation history and holds history tabs in the patron record.  It would be helpful to allow the option of setting each of those independently.

Specifically, libraries have requested the option of being able to view the holds history in a patron record without having to enable viewing of the circulation history.

Test Plan:
1) Apply this patch
2) Restart all the things!
3) Run updatadatabase.pl
4) Verify the new syspref intranetReadingHistoryHolds has the same value
   as the existing syspref intranetreadinghistory
5) Disable intranetreadinghistory, enable intranetReadingHistoryHolds
6) Verify you can view a patron's holds history but not reading history

Signed-off-by: Sam Lau <samalau@gmail.com>

JD amended patch:
* renamed syspref intranetReadingHistoryHolds => IntranetReadingHistoryHolds
* tidy

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-10-20 16:31:16 -03:00
c48421e6ff
Bug 32721: (QA follow-up) Drop fields from API response
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Bug 32721: (QA follow-up) Rename fields to opac*

This patch updates the field names to reflect that they're OPAC
related.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Bug 32721: (QA follow-up) Fix rebase errors

We let some superflous template params creep back in during a rebase
somewhere.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-10-19 16:00:56 -03:00
6deab09c13
Bug 32721: (QA follow up) - fix QA issues
This patches addresses issues raised by the QA tests. It also adds a missed import of the Branches file in the document head

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Bug 32721: (QA follow-up) Add missing imports

Missing imports added in three template files
Exec flag added to atomic update file
Tinymce imports removed

A new bug will be created to move codemirror into an inc file at latest
version

Test plan as before

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Bug 32721: Tidy up - duplicate fetching of userjs and css

Currently UserJS and UserCSS is injected into the template as a parameter through Auth.pm but is then fetched using Koha.Preference() in the template. This patch tidies this up by removing the parameters from Auth.pm

Test plan as per first commit

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-10-19 16:00:54 -03:00
16da12cbbc
Bug 34513: Set auth state correctly when changing auth sessions
This patch sets the $auth_state to failed when changing auth sessions,
so that the new login attempt gets processed correctly (instead
of skipping the authorization step).

Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Go to
http://localhost:8081/cgi-bin/koha/admin/preferences.pl?tab=&op=search&searchfield=baseurl
3. Log in as an OPAC user with 0 permissions
4. Note the auth screen "Error: You do not have permission to access this page"
5. Click "Log in"
6. Note that you're still shown a login screen (and that you've been logged out of
your previous authenticated session)

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-09-25 18:18:35 -03:00
6a0955946e
Bug 30843: Add mfa_range configuration option for TOTP
This change adds a mfa_range configuration option for TOTP
to koha-conf.xml, and overrides the "verify" method from
Auth::GoogleAuth in order to provide a new default for "range"

Test plan:
0. Apply the patch
1. koha-plack --restart kohadev
2. Go to
http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=TwoFactorAuthentication
3. Change the syspref to "Enable"
4. Go to
http://localhost:8081/cgi-bin/koha/members/moremember.pl?borrowernumber=51
5. Click "More" and "Manage two-factor authentication"
6. Register using an app
7. In an Incognito window, go to
http://localhost:8081/cgi-bin/koha/mainpage.pl
8. Sign in with the "koha" user
9. Note down a code from your Authenticator app
10. Wait until after 60 seconds and try it
11. Note it says "Invalid two-factor code"
12. Try a new code from the app
13. Note that it works

14. Add <mfa_range>10</mfa_range> to /etc/koha/sites/kohadev/koha-conf.xml
15. Clear memcached and koha-plack --restart kohadev
16. Sign in with the "koha" user
17. Note down a code from your Authenticator app
18. Wait 4 minutes and then try it
19. Note that it works

20. Disable your two-factor authentication and click to re-enable it
21. Use a code older than 60 seconds when registering for the two
factor authentication
22. Note that the code works

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-09-25 10:53:51 -03:00
bbe1bffd9e
Bug 33881: Clear self-check JWT during auth kick out
This patch clears the JWT cookie during auth kick out (ie
when a web user navigates from the self-check out/in to
the rest of Koha).

Test plan:
0. Apply patch and koha-plack --reload kohadev
1. Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
2. Log in as the "koha" user
3. In another tab, go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
4. Go to http://localhost:8080/cgi-bin/koha/opac-search.pl?idx=&q=a&weight_search=1
5. Note that you are prompted to "Log in to your account" via the normal Koha prompt
6. Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
7. Note that you are prompted to "Log in to your account" within the "Self checkout system",
and note that your self-checkout session for the "koha" user has *not* persisted like
it did before the patch was applied

Signed-off-by: Andrew Fuerste-Henry <andrewfh@dubcolib.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-08-07 21:00:08 -03:00
98a4b52be1
Bug 30524: (QA follow-up) Only generate CSRF token if it will be used
This patch avoids generating CSRF tokens unless the csrf-token.inc file
is included in the template.

Passed token doesn't need HTML escaped. The docs for WWW::CSRF state:
  The returned CSRF token is in a text-only form suitable for inserting into a HTML form without further escaping (assuming you did not send in strange things to the Time option).

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-08-07 21:00:06 -03:00
0221fec5ac
Bug 30524: Core CSRF checking code
Split out from bug 22990 as requested.

Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-08-07 20:59:58 -03:00
8e545cff75
Bug 34288: (follow-up) Tidy block
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-07-18 12:46:54 -03:00
0db60995a8
Bug 34288: Allow access to the cataloguing module with tools permission
Bug 31162 moved the cataloguing tools to a new cataloguing module home
page. This prevents people without cataloguing permissions, but with
some tools permissions to access things like the labels creator tool.

I tracked all permissions on the cataloging-home.tt template, including
the Stock Rotation ones which I initially missed because I was focusing
on tools.

This patch makes the cataloging-home.pl page require either
'cataloguing' or any relevant 'tools' permission to allow access. the
page.

The staff interface main page and the top bar dropdown are updated using
the same logic to display the cataloguing module link.

For that purpose, I wrapped the permissions on a sub in `C4::Auth`.

To test:
1. Have a patron with only 'catalogue' and some of this permissions:

* inventory
* items_batchdel
* items_batchmod
* items_batchmod
* label_creator
* manage_staged_marc
* marc_modification_templates
* records_batchdel
* records_batchmod
* stage_marc_import
* upload_cover_images
* stockrotation => manage_rotas

2. Log in
=> FAIL: No link to the cataloguing module, neither in the dropdown
3. Apply this patch
4. Repeat 2
=> SUCCESS: You have the link!
5. Play with the different combinations and notice things are sound and
   correct
6. Sign off :-D

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-07-18 12:46:53 -03:00
68aeaf5c4c
Bug 33879: Do no longer overwrite interface in check_cookie_auth
This will only have effect on installations running OPAC and staff
on the same domain name. In that case an OPAC cookie still allows
you to access intranet, and v.v.

Test plan:
Repeat the following steps WITHOUT this patch and WITH it.
Login via OPAC.
Go to staff. Perform an action that logs the interface in e.g. the
statistics table, like a checkout.
Inspect interface in the corresponding table. Observe difference
that this patch makes.

With this patch:
Run t/db_dependent/Auth.t. Should pass again.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Björn Nylén <bjorn.nylen@ub.lu.se>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-07-05 12:17:25 -03:00
5da81cde99
Bug 33815: Do not explode if logged in user modify their own userid
If the logged in librarian modifies their own userid they will get the
following error when submitting the form:
Can't call method "password_expired" on an undefined value at /kohadevbox/koha/C4/Auth.pm line 1780

We could handle this situation and flag the session as expired. Better
would be to deal with this specific user case and update the cookie (?)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-05-26 09:50:05 -03:00
63bc731fd4
Bug 33663: Pass 'suggestion' to the OPAC templates only
We don't need it for the staff interface. The previous patch is removing
the only occurrence using it.

Signed-off-by: Michaela Sieber <michaela.sieber@kit.edu>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-05-23 16:53:58 -03:00
Katrin Fischer
bd75309933
Bug 33197: Rename GDPR_Policy system preference
GDPR is a European Union (and, at time of writing, UK) law.
The GDPR_Policy system preference is about a patron
giving consent to their personal data being processed in
line with the library's privacy policy.

The name of the preference is vague: there could be
many policies implemented by libraries to comply with
GDPR. It also makes the preference look irrelevant for
libraries outside the areas where GDPR applies, while
it may be useful for libraries anywhere.

This renames GDPR_Policy to PrivacyPolicyConsent and
adjusts the system preference descriptions.

To test:
* Apply the patch
* Run database update
* Search for GDPR_Policy in the system preference
  - you should not find anything.
* Search for DataPrivacyConsent in the system preferences
  - you should find it and be able to activate it
* Verify the feature works as expected
  - If the preference is set to "enforced", you will be
    asked to give consent to the data privacy agreement
    in the OPAC when you log in
* Verify the page is now phrased neutrally using 'privacy policy'

Bonus: Consent date is now formatted according to DateFormat
       system preference.
Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-05-05 10:18:54 -03:00
e6c49d642f
Bug 30624: Add loggedinlibrary permission and DB update
To test:
1. Apply patch, updatedatabase, restart_all
2. Have a user with superlibrarian privileges ( User1 )
3. Have a user who has staff access and circulate privileges but is not a super librarian. ( User2 ) Make note of this users home library
4. Turn on the system preference 'CircSidebar'.

-MAIN log in ( auth.tt )
5. As User1, go to the main login screen and try logging in. You should be able to log in AND you should be able to properly chnage your branch BEFORE logging in.
6. As User2, to to the main login screnn amd try logging in. You should be able to but if you try and switch your libraray to anything beside the user's home branch it will not work. You will be logged in at your home branch.
7. For User2, set the new top level permission 'Allow staff to change logged in library (loggedinlibrary).
8. Now you should be able to successfully switch libraries before log in.
9. Turn the 'loggedinlibrary' permission back off for User2.

-AFTER log in-
10. With User1, click on your name/branch in the top right, you should see the the link 'Set library' at the top. If you turn on 'UseCirculationDesks' the link will be 'Set library and desk'.
11. With User2, click on your name/branch in the top right. If you have 'UseCirculationDesks' on, you should see 'Set desk', otherwise you should see nothing.
12. Repeat step 7.
13. NOw if you click on your name/branch in the top right, you should see the the link 'Set library' at the top. If you turn on 'UseCirculationDesks' the link will be 'Set library and desk'.
14. Repeat Step 9.

-CircSideBar-
15. With 'CircSideBar' turned on, go to any ciculation page (Holds queue, Holds to pull, Holds awaiting pickup) with User1. You will see the 'Set library' link. If 'UseCirculationDesks' is on you will see a 'Set library and desk'.
16. Try with User2 and you will not see a 'Set library' link. If 'UseCirculationDesks' is on you will see a 'Set desk' link.
17. Repeat step 7.
18. For with User2 you go to any ciculation page (Holds queue, Holds to pull, Holds awaiting pickup). You will see the 'Set library' link. If 'UseCirculationDesks' is on you will see a 'Set library and desk'.
19. Repeat step 9.

-Set library page-
20. Go to the set library page (http://localhost:8081/cgi-bin/koha/circ/set-library.pl) with User1. You will see a dropdown for 'Set library'. Make sure you can change your library successfully.
21. Go to the set library page (http://localhost:8081/cgi-bin/koha/circ/set-library.pl) with User2. You should NOT see see a dropdown for 'Set library'.
22. Repeat step 7.
23. Go to the set library page (http://localhost:8081/cgi-bin/koha/circ/set-library.pl) with User2. Now you should see a dropdown for 'Set library'.

Signed-off by: Bob Bennhoff/AspenCat Team

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-03-13 15:22:59 -03:00
60e7c99165
Bug 32205: Remove unnecessary syspref template params for failed OPAC auth
This patch removes some unnecessary syspref template params for
failed OPAC auth. The templates handle these syspref using the
Koha.Preference() TT plugin function, so they're completely redundant
and just make checkauth() longer than it needs to be.

Test plan:
1) Apply patch
2) Enable OpacCloud, OpacBrowser, and OpacTopissue sysprefs
3) koha-plack --restart kohadev
4) Log out of Koha if you're logged in
5) Go to http://localhost:8080/cgi-bin/koha/opac-user.pl
6) Note that you can see the Cart as well as links for the following:
Browse by hierarchy, Authority search, Tag cloud, Subject cloud,
Most popular

Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Solene Ngamga <solene.ngamga@inLibro.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-02-27 11:38:33 -03:00
16ce9086e3
Bug 32208: Adjust Auth.pm for relogin without perms
If a second login on top of a current session fails on
permissions, we should not grant access without context.

Test plan:
[1] Run t/db../Auth.t, it should pass now.
[2] Test interface with/without this patch:
    Pick two users: A has perms, B has not.
    Put two staff login forms in two tabs.
    Login as A in tab1. Login as B in tab2.
    Without this patch, B gets in and crashes.
    With this patch, B does not get in ('no perms').
    Bonus: Go to opac if on same domain. You are still
    logged in as B.

NOTE: I added a FIXME here, since you could argue about filling
the session info or otoh deleting the session. We present an
authorization failure; people may not realize that they are
still logged in (see test plan - bonus).

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-01-10 18:19:55 -03:00
43c7607fa1
Bug 31908: Resolve second login with another userid
Somewhere the line undef $userid got removed.
We need it to resolve the second login situation.

Test plan:
Login in staff with user missing privileges.
On the login form login again with another staff user.
Note that you do no longer crash.

Run t/db../Auth.t
Run t/db../Koha/Auth/TwoFactorAuth.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-01-10 18:19:01 -03:00
c70977f5fe
Bug 31908: Replace an exit by a safe_exit in Auth.pm L1314
No change in user experience. But since we can mock safe_exit,
we can enhance test results.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-01-10 18:18:56 -03:00
Agustin Moyano
937b7114d0
Bug 32178: (follow-up) Transform 'staff' interface to 'intranet'
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-11-15 18:43:50 -03:00
Agustin Moyano
ca57674700
Bug 32178: Remove security breach introduced in bug 31378
This patch removes a security breach in C4::Auth::check_api_auth introduced by bug 31378, where when someone called an api with the parameters userid and auth_client_login, check_api_auth would automatically asume the user calling was that userid.

This patch also introduces C4::Auth::create_basic_session(), a function that creates a session and adds the minimum basic parameters.

Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-11-15 18:43:45 -03:00
Agustin Moyano
208b9b5ba7
Bug 31378: Add the API-based auth mechanism to C4::Auth::check_api_auth
Signed-off-by: Lukasz Koszyk <lukasz.koszyk@kit.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-11-08 14:30:46 -03:00
68d5b50c62
Bug 32066: Check 2FA pref in check_cookie_auth
Test plan:

Without this patch:
1. Set the syspref TwoFactorAuthentication (enforce or enabled)
2. Configure 2FA for a patron
3. Logout
4. Authenticate but don't enter the 2FA code
5. Switch off the syspref (disabled) [via another browser or so]
6. Patron is stuck on the [original] login screen. [Only removing
   the session cookie would resolve it.]

With this patch:
1. Follow the steps above again. But note that you can refresh
   your browser window to get in now.
2. Verify that Auth.t passes now too.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-11-04 19:02:38 -03:00
54d7f8b174
Bug 31495: Allow opac-page when enforcing GDPR policy
Test plan:
Add some page under Additional contents.
Enforce GDPR policy.
Test with user that has no consent (yet or anymore).
Check if you can reach additional contents with opac-page.pl.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-10-24 17:29:45 -03:00
ad6530b914
Bug 30588: (QA follow-up) Clear waiting-for-2FA-setup in session
If we do not clear this session, the first login directly after setup
does not really enhances user experience ;)

Test plan:
Make sure 2FA is enforced.
Test the above. Disable your 2FA, logout and login.
Verify that you can access pages with this patch now. Without this
patch you could not.
Run these tests to provide more confidence:
t/db_dependent/Auth.t
t/db_dependent/api/v1/two_factor_auth.t
t/db_dependent/Koha/Auth/TwoFactorAuth.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-10-21 11:37:02 -03:00
316355e8d5
Bug 30588: (QA follow-up) Auth - remove two warns and second logout
Resolves:
Use of uninitialized value $request_method in string eq at /usr/share/koha/C4/Auth.pm line 1122.
Use of uninitialized value $return in numeric gt (>) at /usr/share/koha/C4/Auth.pm line 1155.

We also remove the double logout from Auth.t

Test plan:
Run t/db_dependent/Auth.t
Check if you do not see the warns anymore.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-10-21 11:37:00 -03:00
b93e15c235
Bug 30588: Add the option to require 2FA setup on first staff login
Bug 28786 added the ability to turn on a two-factor authentication,
using a One Time Password (OTP).
Once enabled on the system, librarian had the choice to enable or
disable it for themselves.
For security reason an administrator could decide to force the
librarians to use this second authentication step.

This patch adds a third option to the existing syspref, 'Enforced', for
that purpose.

QA notes: the code we had in the members/two_factor_auth.pl controller
has been moved to REST API controller methods (with their tests and
swagger specs), for reusability reason. Code from template has been
moved to an include file for the same reason.

Test plan:
A. Regression tests
As we modified the code we need first to confirm the existing features
are still working as expected.
1. Turn off TwoFactorAuthentication (disabled) and confirm that you are not able to
enable and access the second authentication step
2. Turn it on (enabled) and confirm that you are able to enable it in your account
3. Logout and confirm then that you are able to login into Koha

B. The new option
1. Set the pref to "enforced"
2. You are not logged out, logged in users stay logged in
3. Pick a user that does not have 2FA setup, login
4. Notice the new screen (UI is a bit ugly, suggestions welcomed)
5. Try to access Koha without enabling 2FA, you shouldn't be able to
access any pages
6. Setup 2FA and confirm that you are redirected to the login screen
7. Login, send the correct pin code
=> You are fully logged in!

Note that at 6 we could redirect to the mainpage, without the need to
login again, but I think it's preferable to reduce the change to
C4::Auth. If it's considered mandatory by QA I could have a look on
another bug report.

Sponsored-by: Rijksmuseum, Netherlands

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-10-21 11:36:57 -03:00
8511750de9
Bug 30588: Adjust existing occurrences of TwoFactorAuthentication
We need to replace 0 with 'disabled', and 1 with 'enabled'

Sponsored-by: Rijksmuseum, Netherlands

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-10-21 11:36:56 -03:00
9c999293ef
Bug 31333: (follow-up) Handle anonymous patrons making suggestions
Test plan:
1. Enable suggestion & AnonSuggestions sysprefs and set AnonymousPatron = 1
2. Visit the OPAC without logging in
3. Confirm you can successfully create a suggestion from:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
4. Disable the AnonSuggestions syspref
5. Confirm you cannot see links to make purchase suggestions on the
following pages:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
6. Confirm if you try visiting /cgi-bin/koha/opac-suggestions.pl page
you are re-directed to a login page
7. Select the category of your user in the suggestionPatronCategoryExceptions syspref
8. Log into the OPAC
9. Confirm you cannot see links to make purchase suggestions on the
following pages:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
- opac-user.pl ('Your summary') page
10. Confirm if you try visiting /cgi-bin/koha/opac-suggestions.pl page
you are re-directed to a 404 error page
11. Enable AnonSuggestions syspref
12. Confirm you can successfully create a suggestion from:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
- opac-user.pl ('Your summary') page
13. Disable AnonSuggestions syspref and un-check your category from
suggestionPatronCategoryExeptions syspref
14. Confirm you can create a suggestion from:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
- opac-user.pl ('Your summary') page

Sponsored-by: Catalyst IT, New Zealand

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-10-04 08:44:26 -03:00
146a897731 Bug 31333: Add ability to make purchase suggestions by borrower type
Introduce a suggestionPatronCategoryExceptions system preference.

If the suggestion syspref is enabled then libraries can stop specific
borrower types from making suggestions by ticking the type in the
suggestionPatronCategoryExceptions syspref.

Test plan:
1. Apply patches, update database, re-start services

2. Set 'suggestion' syspref = 'Allow'

3. Confirm you can view the purchase suggestion links on OPAC biblio detail
page & 'your summary' page. As well as successfully submit a suggestion.

4. Select the patron category you're logged in as in
suggestionPatronCategoryExceptions syspref

5. Confirm the purchase suggestion links are hidden in the OPAC biblio
detail page & 'your summary' page

6. In your browser enter the link: <OPAC base URL>/cgi-bin/koha/opac-suggestions.pl
e.g. http://localhost:8080/cgi-bin/koha/opac-suggestions.pl

7. Confirm a 404 page loads

8. Confirm you can view/moderate suggestions in the staff
client - even though your patron is selected in the
suggestionPatronCategoryExceptions syspref

9. Untick your patron category in the suggestionPatronCategoryExceptions syspref

10. Confirm you can view the purchase suggestion links on the OPAC, as
well as successfully submit a suggestion.

11. Set 'suggestion' syspref = "Don't allow"

12. Confirm the purchase suggestion links are hidden in the OPAC

13. Select all patron categories in suggestPatronCategoryExceptions
syspref. View the OPAC without logging in and confirm you can perform
searches and view OPAC biblio detail pages.

Sponsored-by: Catalyst IT, New Zealand

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-10-04 08:44:16 -03:00
897fe20683
Bug 31389: Calculate user permissions in separate function
This patch refactors the setting of user permissions for templates into
a new function, which can be easily unit tested and reduces the amount
of code in C4::Auth::get_template_and_user(). It also aids in the
re-usability of permission checking code.

Test plan:
0) Apply patch and koha-plack --restart kohadev
1) prove t/Koha/Auth/Permissions.t
2) As koha superlibrarian, go to
http://localhost:8081/cgi-bin/koha/tools/tools-home.pl
3) Go to http://localhost:8081/cgi-bin/koha/members/members-home.pl
4) Create new test user with "Staff access..." and "Remaining circulation permissions"
5) Logout of koha superlibrarian
6) Login as test user
7) Note you can only see a limited view of the staff interface
(i.e. no administration, no tools, no reports, etc.)

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-09-22 08:39:21 -03:00
97b1bd1dae
Bug 29744: Remove unnecessary condition in C4::Auth::safe_exit
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Adding David's comments from Bugzilla to safe_exit here.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-09-22 08:11:57 -03:00
0b80172a49
Bug 29744: Harmonize psgi/plack detection methods
This patch updates and moves the existing psgi_env method out of Auth
and into Context and then replaces any manual references of the same
code to use the new method.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-09-22 08:11:57 -03:00