Working on bug 31791, I found myself wondering if our current recursive
code in C4::Auth::haspermission() would allow checking AND on
subpermissions.
As it is not documented in the POD or tested, I decided to write some
unit tests for it.
It turned out it was well supported, so I decided to submit the tests,
and a small tweak in the POD to reflect that.
To test:
1. Apply this patch
2. Run:
$ ktd --shell
k$ prove t/db_dependent/Auth/haspermission.t
=> SUCCESS: Tests pass! The code supports AND on subpermissions!
3. Sign off :-D
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit aa1049fdd3)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch adds a Koha::Session module that makes it easier
to work with Koha sessions without needing the full C4::Auth module.
Test plan:
0. Apply the patch
1. Run the following unit tests:
prove ./t/db_dependent/Auth.t
prove ./t/db_dependent/Auth_with_cas.t
prove ./t/db_dependent/Koha/Session.t
2. Observe that they all pass
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 0e6537d199)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
It seems safer to pass the logged in user and session info at the end of
the sub.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 199b47e51220a22110436a2357481dc89d498537)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
If we hit the auth page we were not passing sessionID to the template
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 95098d23e0c0bfc5291464a625ff6422b8288888)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This code is a bit weird, its purpose it to auto select the library depending on the IP.
A problem appears if the same IP is used, then the user's choice will
might be overwritten randomly by another library.
To recreate the problem:
Turn on AutoLocation
Use koha/koha @CPL for test
And the following config:
*************************** 1. row ***************************
branchcode: CPL
branchname: Centerville
branchip: 172.18.0.1
*************************** 2. row ***************************
branchcode: FFL
branchname: Fairfield
branchip: 172.18.0.1
*************************** 3. row ***************************
branchcode: FPL
branchname: Fairview
branchip: 172.18.0.4
Connect and select CPL. Randomly FFL will be picked instead.
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tested this on top of 35890 and 35904 because git bz said they were required dependencies.
Figured out the IP Koha was seeing me as coming from in /var/log/koha/kohadev/plack.log.
Added that IP to the branchip for Centerville, Fairfield and Fairview. Set AutoLocation = Yes.
After this I could recreate the problem: If i left the "Library" field in the login screen
at "My Library" I got logged into a random library selected from the three i had set
branchip for. Applying the patches fixed this, as expected.
Tests pass, with AutoLocation off.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 4efe74fe12075298680965db3605f717f1da10d0)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 94e570d6af38c0061aeaad2ea25ab26bed2186f5)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
It is never used and add confusion
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 0ce8cc4c05bc96503172018775ba574e41b40ecb)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch suggests to add a new flag do_not_print to
C4::Auth::checkauth to not print the headers and allow to test this
subroutine more easily.
We do no longer need to mock safe_exit and redirect STDOUT to test its
return values.
There are still 3 left:
1.
733 # checkauth will redirect and safe_exit if not authenticated and not authorized
=> Better to keep this one, not trivial to replace
2.
806 # This will fail on permissions
This should be replaced but testing $template->{VARS}->{nopermission}
fails, I dont' think the comment is better.
3.
828 # Patron does not have the borrowers permission
Same as 2.
2. and 3. should be investigated a bit more.
This patch also move duplicated code to set patron's password to a
subroutine set_weak_password.
Test plan:
Read the code and confirm that everything makes sense.
QA: Do you have a better way for this? Yes it's dirty!
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit db173d3276455a43939dca68ccc6502839fa2a55)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Adapt code to the change of return value type of checkpw
introduced in bug 34893
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 5f9e9e5df2)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch introduces some tests on the current (and new) behavior for
the `checkpw` function.
I needed it to better understand if an edge case was actually possible
(it wasn't).
Found a really minor annoyance for the internal check with expired
password not returning the $patron object for consistency with the other
use cases.
I think this method deserves (at least) changing the return value to a
sane data structure. But that's not target for backporting to stable
releases. So a separate bug.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 5476b18e7ea34e08d9dd163e2c446d5b223cf032)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit a19a1d2079e562d62d766aa9f996a7586d73882d)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Imagine we have a set of users. Some of those users have a NULL userid. We then call AuthenticatePatron from ILS-DI for a patron with a NULL userid, but a valid cardnumber. We call checkpw, which returns the cardnumber and userid. We then call Koha::Patrons->find on the userid *which is null*, meaning the borrowernumber returned is not the correct one, but instead the earliest patron inserted into the database that has a NULL userid.
Test Plan:
1) Give three patrons a userid and a password
2) From the database cli, set all patrons's userid to null
Run this query: update borrowers set userid = null;
3) Call AuthenticatePatron with username being the 1st patron cardnumber,
and password being the password you set for that patron
http://localhost:8080/cgi-bin/koha/ilsdi.pl?service=AuthenticatePatron&username=kohacard&password=koha
4) Note you get back a borrowernumber for a different patron. Refresh the page and the number is correct.
5) Do the same with the 2nd patron. Same issue at 1st and correct number after.
6) Apply this patch
7) Restart all the things!
8) Do the same with the 3rd patron.
9) Note you get the correct borrowernumber! :D
10) prove t/Auth.t t/db_dependent/Auth_with_ldap.t t/Auth_with_shibboleth.t t/db_dependent/Auth_with_cas.t
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 9ba199c2acc33873154c167e73e86a5e786084cb)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
To test, disable OpacPublic and ensure a call to ilsdi.pl will still return expected results from a private browser, not logged into the OPAC.
Sponsored-by: Auckland University of Technology
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Test plan:
Without this patch:
Logout from OPAC. Crash.
Try to login. Crash.
With this patch:
Enable login in tracking triggers. Clear lastseen.
Flush memcache.
Login. Check lastseen.
Logout.
Login.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
We were using a series of similarly named methods spread in distinct places
around the codebase. This combines the logic of C4::Auth::track_login_daily
and Koha::Patron->track_login into a new Koha::Patron->update_lastseen method.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch adds a trigger to every instance of track_login_daily
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch adds triggers to track_login_daily so that it only tracks activity when that trigger is active
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Currently the system preference intranetreadinghistory determines visibility of both circulation history and holds history tabs in the patron record. It would be helpful to allow the option of setting each of those independently.
Specifically, libraries have requested the option of being able to view the holds history in a patron record without having to enable viewing of the circulation history.
Test Plan:
1) Apply this patch
2) Restart all the things!
3) Run updatadatabase.pl
4) Verify the new syspref intranetReadingHistoryHolds has the same value
as the existing syspref intranetreadinghistory
5) Disable intranetreadinghistory, enable intranetReadingHistoryHolds
6) Verify you can view a patron's holds history but not reading history
Signed-off-by: Sam Lau <samalau@gmail.com>
JD amended patch:
* renamed syspref intranetReadingHistoryHolds => IntranetReadingHistoryHolds
* tidy
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Bug 32721: (QA follow-up) Rename fields to opac*
This patch updates the field names to reflect that they're OPAC
related.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Bug 32721: (QA follow-up) Fix rebase errors
We let some superflous template params creep back in during a rebase
somewhere.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patches addresses issues raised by the QA tests. It also adds a missed import of the Branches file in the document head
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Bug 32721: (QA follow-up) Add missing imports
Missing imports added in three template files
Exec flag added to atomic update file
Tinymce imports removed
A new bug will be created to move codemirror into an inc file at latest
version
Test plan as before
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Bug 32721: Tidy up - duplicate fetching of userjs and css
Currently UserJS and UserCSS is injected into the template as a parameter through Auth.pm but is then fetched using Koha.Preference() in the template. This patch tidies this up by removing the parameters from Auth.pm
Test plan as per first commit
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch sets the $auth_state to failed when changing auth sessions,
so that the new login attempt gets processed correctly (instead
of skipping the authorization step).
Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Go to
http://localhost:8081/cgi-bin/koha/admin/preferences.pl?tab=&op=search&searchfield=baseurl
3. Log in as an OPAC user with 0 permissions
4. Note the auth screen "Error: You do not have permission to access this page"
5. Click "Log in"
6. Note that you're still shown a login screen (and that you've been logged out of
your previous authenticated session)
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This change adds a mfa_range configuration option for TOTP
to koha-conf.xml, and overrides the "verify" method from
Auth::GoogleAuth in order to provide a new default for "range"
Test plan:
0. Apply the patch
1. koha-plack --restart kohadev
2. Go to
http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=TwoFactorAuthentication
3. Change the syspref to "Enable"
4. Go to
http://localhost:8081/cgi-bin/koha/members/moremember.pl?borrowernumber=51
5. Click "More" and "Manage two-factor authentication"
6. Register using an app
7. In an Incognito window, go to
http://localhost:8081/cgi-bin/koha/mainpage.pl
8. Sign in with the "koha" user
9. Note down a code from your Authenticator app
10. Wait until after 60 seconds and try it
11. Note it says "Invalid two-factor code"
12. Try a new code from the app
13. Note that it works
14. Add <mfa_range>10</mfa_range> to /etc/koha/sites/kohadev/koha-conf.xml
15. Clear memcached and koha-plack --restart kohadev
16. Sign in with the "koha" user
17. Note down a code from your Authenticator app
18. Wait 4 minutes and then try it
19. Note that it works
20. Disable your two-factor authentication and click to re-enable it
21. Use a code older than 60 seconds when registering for the two
factor authentication
22. Note that the code works
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch clears the JWT cookie during auth kick out (ie
when a web user navigates from the self-check out/in to
the rest of Koha).
Test plan:
0. Apply patch and koha-plack --reload kohadev
1. Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
2. Log in as the "koha" user
3. In another tab, go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
4. Go to http://localhost:8080/cgi-bin/koha/opac-search.pl?idx=&q=a&weight_search=1
5. Note that you are prompted to "Log in to your account" via the normal Koha prompt
6. Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
7. Note that you are prompted to "Log in to your account" within the "Self checkout system",
and note that your self-checkout session for the "koha" user has *not* persisted like
it did before the patch was applied
Signed-off-by: Andrew Fuerste-Henry <andrewfh@dubcolib.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch avoids generating CSRF tokens unless the csrf-token.inc file
is included in the template.
Passed token doesn't need HTML escaped. The docs for WWW::CSRF state:
The returned CSRF token is in a text-only form suitable for inserting into a HTML form without further escaping (assuming you did not send in strange things to the Time option).
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Split out from bug 22990 as requested.
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Bug 31162 moved the cataloguing tools to a new cataloguing module home
page. This prevents people without cataloguing permissions, but with
some tools permissions to access things like the labels creator tool.
I tracked all permissions on the cataloging-home.tt template, including
the Stock Rotation ones which I initially missed because I was focusing
on tools.
This patch makes the cataloging-home.pl page require either
'cataloguing' or any relevant 'tools' permission to allow access. the
page.
The staff interface main page and the top bar dropdown are updated using
the same logic to display the cataloguing module link.
For that purpose, I wrapped the permissions on a sub in `C4::Auth`.
To test:
1. Have a patron with only 'catalogue' and some of this permissions:
* inventory
* items_batchdel
* items_batchmod
* items_batchmod
* label_creator
* manage_staged_marc
* marc_modification_templates
* records_batchdel
* records_batchmod
* stage_marc_import
* upload_cover_images
* stockrotation => manage_rotas
2. Log in
=> FAIL: No link to the cataloguing module, neither in the dropdown
3. Apply this patch
4. Repeat 2
=> SUCCESS: You have the link!
5. Play with the different combinations and notice things are sound and
correct
6. Sign off :-D
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This will only have effect on installations running OPAC and staff
on the same domain name. In that case an OPAC cookie still allows
you to access intranet, and v.v.
Test plan:
Repeat the following steps WITHOUT this patch and WITH it.
Login via OPAC.
Go to staff. Perform an action that logs the interface in e.g. the
statistics table, like a checkout.
Inspect interface in the corresponding table. Observe difference
that this patch makes.
With this patch:
Run t/db_dependent/Auth.t. Should pass again.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Björn Nylén <bjorn.nylen@ub.lu.se>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
If the logged in librarian modifies their own userid they will get the
following error when submitting the form:
Can't call method "password_expired" on an undefined value at /kohadevbox/koha/C4/Auth.pm line 1780
We could handle this situation and flag the session as expired. Better
would be to deal with this specific user case and update the cookie (?)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
We don't need it for the staff interface. The previous patch is removing
the only occurrence using it.
Signed-off-by: Michaela Sieber <michaela.sieber@kit.edu>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
GDPR is a European Union (and, at time of writing, UK) law.
The GDPR_Policy system preference is about a patron
giving consent to their personal data being processed in
line with the library's privacy policy.
The name of the preference is vague: there could be
many policies implemented by libraries to comply with
GDPR. It also makes the preference look irrelevant for
libraries outside the areas where GDPR applies, while
it may be useful for libraries anywhere.
This renames GDPR_Policy to PrivacyPolicyConsent and
adjusts the system preference descriptions.
To test:
* Apply the patch
* Run database update
* Search for GDPR_Policy in the system preference
- you should not find anything.
* Search for DataPrivacyConsent in the system preferences
- you should find it and be able to activate it
* Verify the feature works as expected
- If the preference is set to "enforced", you will be
asked to give consent to the data privacy agreement
in the OPAC when you log in
* Verify the page is now phrased neutrally using 'privacy policy'
Bonus: Consent date is now formatted according to DateFormat
system preference.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
To test:
1. Apply patch, updatedatabase, restart_all
2. Have a user with superlibrarian privileges ( User1 )
3. Have a user who has staff access and circulate privileges but is not a super librarian. ( User2 ) Make note of this users home library
4. Turn on the system preference 'CircSidebar'.
-MAIN log in ( auth.tt )
5. As User1, go to the main login screen and try logging in. You should be able to log in AND you should be able to properly chnage your branch BEFORE logging in.
6. As User2, to to the main login screnn amd try logging in. You should be able to but if you try and switch your libraray to anything beside the user's home branch it will not work. You will be logged in at your home branch.
7. For User2, set the new top level permission 'Allow staff to change logged in library (loggedinlibrary).
8. Now you should be able to successfully switch libraries before log in.
9. Turn the 'loggedinlibrary' permission back off for User2.
-AFTER log in-
10. With User1, click on your name/branch in the top right, you should see the the link 'Set library' at the top. If you turn on 'UseCirculationDesks' the link will be 'Set library and desk'.
11. With User2, click on your name/branch in the top right. If you have 'UseCirculationDesks' on, you should see 'Set desk', otherwise you should see nothing.
12. Repeat step 7.
13. NOw if you click on your name/branch in the top right, you should see the the link 'Set library' at the top. If you turn on 'UseCirculationDesks' the link will be 'Set library and desk'.
14. Repeat Step 9.
-CircSideBar-
15. With 'CircSideBar' turned on, go to any ciculation page (Holds queue, Holds to pull, Holds awaiting pickup) with User1. You will see the 'Set library' link. If 'UseCirculationDesks' is on you will see a 'Set library and desk'.
16. Try with User2 and you will not see a 'Set library' link. If 'UseCirculationDesks' is on you will see a 'Set desk' link.
17. Repeat step 7.
18. For with User2 you go to any ciculation page (Holds queue, Holds to pull, Holds awaiting pickup). You will see the 'Set library' link. If 'UseCirculationDesks' is on you will see a 'Set library and desk'.
19. Repeat step 9.
-Set library page-
20. Go to the set library page (http://localhost:8081/cgi-bin/koha/circ/set-library.pl) with User1. You will see a dropdown for 'Set library'. Make sure you can change your library successfully.
21. Go to the set library page (http://localhost:8081/cgi-bin/koha/circ/set-library.pl) with User2. You should NOT see see a dropdown for 'Set library'.
22. Repeat step 7.
23. Go to the set library page (http://localhost:8081/cgi-bin/koha/circ/set-library.pl) with User2. Now you should see a dropdown for 'Set library'.
Signed-off by: Bob Bennhoff/AspenCat Team
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch removes some unnecessary syspref template params for
failed OPAC auth. The templates handle these syspref using the
Koha.Preference() TT plugin function, so they're completely redundant
and just make checkauth() longer than it needs to be.
Test plan:
1) Apply patch
2) Enable OpacCloud, OpacBrowser, and OpacTopissue sysprefs
3) koha-plack --restart kohadev
4) Log out of Koha if you're logged in
5) Go to http://localhost:8080/cgi-bin/koha/opac-user.pl
6) Note that you can see the Cart as well as links for the following:
Browse by hierarchy, Authority search, Tag cloud, Subject cloud,
Most popular
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Solene Ngamga <solene.ngamga@inLibro.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
If a second login on top of a current session fails on
permissions, we should not grant access without context.
Test plan:
[1] Run t/db../Auth.t, it should pass now.
[2] Test interface with/without this patch:
Pick two users: A has perms, B has not.
Put two staff login forms in two tabs.
Login as A in tab1. Login as B in tab2.
Without this patch, B gets in and crashes.
With this patch, B does not get in ('no perms').
Bonus: Go to opac if on same domain. You are still
logged in as B.
NOTE: I added a FIXME here, since you could argue about filling
the session info or otoh deleting the session. We present an
authorization failure; people may not realize that they are
still logged in (see test plan - bonus).
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Somewhere the line undef $userid got removed.
We need it to resolve the second login situation.
Test plan:
Login in staff with user missing privileges.
On the login form login again with another staff user.
Note that you do no longer crash.
Run t/db../Auth.t
Run t/db../Koha/Auth/TwoFactorAuth.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
No change in user experience. But since we can mock safe_exit,
we can enhance test results.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch removes a security breach in C4::Auth::check_api_auth introduced by bug 31378, where when someone called an api with the parameters userid and auth_client_login, check_api_auth would automatically asume the user calling was that userid.
This patch also introduces C4::Auth::create_basic_session(), a function that creates a session and adds the minimum basic parameters.
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lukasz Koszyk <lukasz.koszyk@kit.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Test plan:
Without this patch:
1. Set the syspref TwoFactorAuthentication (enforce or enabled)
2. Configure 2FA for a patron
3. Logout
4. Authenticate but don't enter the 2FA code
5. Switch off the syspref (disabled) [via another browser or so]
6. Patron is stuck on the [original] login screen. [Only removing
the session cookie would resolve it.]
With this patch:
1. Follow the steps above again. But note that you can refresh
your browser window to get in now.
2. Verify that Auth.t passes now too.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Test plan:
Add some page under Additional contents.
Enforce GDPR policy.
Test with user that has no consent (yet or anymore).
Check if you can reach additional contents with opac-page.pl.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
If we do not clear this session, the first login directly after setup
does not really enhances user experience ;)
Test plan:
Make sure 2FA is enforced.
Test the above. Disable your 2FA, logout and login.
Verify that you can access pages with this patch now. Without this
patch you could not.
Run these tests to provide more confidence:
t/db_dependent/Auth.t
t/db_dependent/api/v1/two_factor_auth.t
t/db_dependent/Koha/Auth/TwoFactorAuth.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Resolves:
Use of uninitialized value $request_method in string eq at /usr/share/koha/C4/Auth.pm line 1122.
Use of uninitialized value $return in numeric gt (>) at /usr/share/koha/C4/Auth.pm line 1155.
We also remove the double logout from Auth.t
Test plan:
Run t/db_dependent/Auth.t
Check if you do not see the warns anymore.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Bug 28786 added the ability to turn on a two-factor authentication,
using a One Time Password (OTP).
Once enabled on the system, librarian had the choice to enable or
disable it for themselves.
For security reason an administrator could decide to force the
librarians to use this second authentication step.
This patch adds a third option to the existing syspref, 'Enforced', for
that purpose.
QA notes: the code we had in the members/two_factor_auth.pl controller
has been moved to REST API controller methods (with their tests and
swagger specs), for reusability reason. Code from template has been
moved to an include file for the same reason.
Test plan:
A. Regression tests
As we modified the code we need first to confirm the existing features
are still working as expected.
1. Turn off TwoFactorAuthentication (disabled) and confirm that you are not able to
enable and access the second authentication step
2. Turn it on (enabled) and confirm that you are able to enable it in your account
3. Logout and confirm then that you are able to login into Koha
B. The new option
1. Set the pref to "enforced"
2. You are not logged out, logged in users stay logged in
3. Pick a user that does not have 2FA setup, login
4. Notice the new screen (UI is a bit ugly, suggestions welcomed)
5. Try to access Koha without enabling 2FA, you shouldn't be able to
access any pages
6. Setup 2FA and confirm that you are redirected to the login screen
7. Login, send the correct pin code
=> You are fully logged in!
Note that at 6 we could redirect to the mainpage, without the need to
login again, but I think it's preferable to reduce the change to
C4::Auth. If it's considered mandatory by QA I could have a look on
another bug report.
Sponsored-by: Rijksmuseum, Netherlands
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
We need to replace 0 with 'disabled', and 1 with 'enabled'
Sponsored-by: Rijksmuseum, Netherlands
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Test plan:
1. Enable suggestion & AnonSuggestions sysprefs and set AnonymousPatron = 1
2. Visit the OPAC without logging in
3. Confirm you can successfully create a suggestion from:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
4. Disable the AnonSuggestions syspref
5. Confirm you cannot see links to make purchase suggestions on the
following pages:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
6. Confirm if you try visiting /cgi-bin/koha/opac-suggestions.pl page
you are re-directed to a login page
7. Select the category of your user in the suggestionPatronCategoryExceptions syspref
8. Log into the OPAC
9. Confirm you cannot see links to make purchase suggestions on the
following pages:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
- opac-user.pl ('Your summary') page
10. Confirm if you try visiting /cgi-bin/koha/opac-suggestions.pl page
you are re-directed to a 404 error page
11. Enable AnonSuggestions syspref
12. Confirm you can successfully create a suggestion from:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
- opac-user.pl ('Your summary') page
13. Disable AnonSuggestions syspref and un-check your category from
suggestionPatronCategoryExeptions syspref
14. Confirm you can create a suggestion from:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
- opac-user.pl ('Your summary') page
Sponsored-by: Catalyst IT, New Zealand
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Introduce a suggestionPatronCategoryExceptions system preference.
If the suggestion syspref is enabled then libraries can stop specific
borrower types from making suggestions by ticking the type in the
suggestionPatronCategoryExceptions syspref.
Test plan:
1. Apply patches, update database, re-start services
2. Set 'suggestion' syspref = 'Allow'
3. Confirm you can view the purchase suggestion links on OPAC biblio detail
page & 'your summary' page. As well as successfully submit a suggestion.
4. Select the patron category you're logged in as in
suggestionPatronCategoryExceptions syspref
5. Confirm the purchase suggestion links are hidden in the OPAC biblio
detail page & 'your summary' page
6. In your browser enter the link: <OPAC base URL>/cgi-bin/koha/opac-suggestions.pl
e.g. http://localhost:8080/cgi-bin/koha/opac-suggestions.pl
7. Confirm a 404 page loads
8. Confirm you can view/moderate suggestions in the staff
client - even though your patron is selected in the
suggestionPatronCategoryExceptions syspref
9. Untick your patron category in the suggestionPatronCategoryExceptions syspref
10. Confirm you can view the purchase suggestion links on the OPAC, as
well as successfully submit a suggestion.
11. Set 'suggestion' syspref = "Don't allow"
12. Confirm the purchase suggestion links are hidden in the OPAC
13. Select all patron categories in suggestPatronCategoryExceptions
syspref. View the OPAC without logging in and confirm you can perform
searches and view OPAC biblio detail pages.
Sponsored-by: Catalyst IT, New Zealand
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch refactors the setting of user permissions for templates into
a new function, which can be easily unit tested and reduces the amount
of code in C4::Auth::get_template_and_user(). It also aids in the
re-usability of permission checking code.
Test plan:
0) Apply patch and koha-plack --restart kohadev
1) prove t/Koha/Auth/Permissions.t
2) As koha superlibrarian, go to
http://localhost:8081/cgi-bin/koha/tools/tools-home.pl
3) Go to http://localhost:8081/cgi-bin/koha/members/members-home.pl
4) Create new test user with "Staff access..." and "Remaining circulation permissions"
5) Logout of koha superlibrarian
6) Login as test user
7) Note you can only see a limited view of the staff interface
(i.e. no administration, no tools, no reports, etc.)
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Adding David's comments from Bugzilla to safe_exit here.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
