Signed-off-by: Lukasz Koszyk <lukasz.koszyk@kit.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lukasz Koszyk <lukasz.koszyk@kit.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Test plan:
0. Apply patch
1. Go to http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=OPACUserCSS
2. Set syspref to the following:
.local-login {
display: none;
}
3. Go to http://localhost:8080/cgi-bin/koha/opac-main.pl
3b. Note that the local login boxes are hidden
("Log in to your account:" remains so that other login options can
be supplied by OpacUserJS)
4. Click on "Log in to your account" on the top toolbar
4b. Note that the local login boxes are hidden
("Log in to your account:" remains so that other login options can
be supplied by OpacUserJS)
5. Go to http://localhost:8080/cgi-bin/koha/opac-user.pl
5b. Note that the local login boxes are hidden
("Log in to your account" remains so that other login options can be
supplied by OpacUserJS)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Tomás Cohen Arazi <tomascohen@theke.io>
This patch adds a new page opac-reset-password where a user cna enter their login
(userid or carndumber), current password, and new password.
If the user has a password expiration date and the current password is correct and
the new passwords match and meet requirements their password will be updated and the
expiration date reset
A patron whose password does not expire will be reidrected to login to change their password
To test:
1 - Apply patch, updatedatabase, enable new syspref EnableExpiredPasswordReset
2 - Set 'Password expiration' for a patron category
Home->Administration->Patron categories->Edit
3 - Create a new patron in this category with a userid/password set, and an email
4 - Update the patron with an expiration to be expired
UPDATE borrowers SET password_expiration='2022-01-01' WHERE borrowernumber=51;
5 - Give the borrower catalogue permission
6 - Attempt to log in to Straff interface
7 - Confirm you are signed out and notified that password must be reset
8 - Click 'Reset your password' link
9 - You should see the reset password page with fields for: login, current password, new password, conmfirm password
10 - enter invalid/incomplete credentials
11 - Confirm you are notified of invlaid credentials
12 - Fill in all fields, but enter current password as new password
13 - Confirm you are notified of no change
14 - Set minimum password length / strong password requirement for category
15 - Confirm you receive error if new password too short or not secure
16 - Enter a valid new password and submit and confirm update is successful
17 - Confirm you have buttons to go to OPAC or Staff and that both work
18 - Confirm you cna log in (i.e. expiration has been reset)
19 - Expire the users password
20 - Remove catalogue permission
21 - Reset password again and confirm only OPAC link
Signed-off-by: Bob Bennhoff <bbennhoff@clicweb.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
If the passed credentials are wrong, we shouldn't expose things like the
password is expired.
This patch takes care of that.
To test:
1. Have a known patron with password_expiration_date set so its
password is expired. Can be done like:
$ koha-mysql kohadev
> UPDATE borrowers \
SET password_expiration_date='2022-04-25' \
WHERE borrowernumber=132;
Note: change the borrowernumber
2. Attempt to login to the OPAC with wrong credentials
=> SUCCESS: You are rejected, with a message telling credentials are
wrong
=> FAIL: You are told the password is expired.
3. Apply this patch and restart Plack
4. Repeat 2
=> SUCCESS: You are rejected, credentials are wrong and no mention to
password being expired.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
- The atomicupdate didn't have "bug_number" defined.
- The "Your password has expired" message is now styled with the same
class as other OPAC login messages.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Bob Bennhoff <bbennhoff@clicweb.org>
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch adds the ability to define password_expiry_days for a patron
category.
When defined a patron's password will expire after X days and they will
be required to reset their password. If OPAC resets are enabled for the
catgeory they may do so on their own, otherwise they will need to
contact the library
To test:
1 - Apply patch, updatedatabase
2 - Set 'Password expiration' for a patron category
Home-> Administration-> Patron categories-> Edit
3 - Create a new patron in this category with a userid/password set,
and an email
4 - Confirm their password_expiration_date field is set
SELECT password_expiration_date FROM borrowers WHERE borrowernumber=51;
5 - Create a new patron, do not set a password
6 - Confirm their password_expiration_date field is NULL
7 - Update the patron with an expiration to be expired
UPDATE borrowers SET password_expiration_date='2022-01-01' WHERE borrowernumber=51;
8 - Give the borrower catalogue permission
9 - Attempt to log in to Straff interface
10 - Confirm you are signed out and notified that password must be
reset
11 - Attempt to sign in to OPAC
12 - Confirm you are signed out and notified password must be reset
13 - Enable password reset for the patron's category and perform a
password reset
Note: you will have to find the link in the message_queue unless
you have emails setup on your test environment
SELECT * FROM message_queue WHERE borrowernumber=51;
14 - Confirm that you can now sign in and password_expiration_date field
is set 10 days in the future
15 - Expire the patron's password again
16 - Change the patron's password via the staff interface
17 - Confirm they can sign in and the expiration is updated
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Bob Bennhoff <bbennhoff@clicweb.org>
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch updates the original fix to only set the template parameter
for opac sessions and updates all occurences in templats to check first
for logged_in_user.branchcode before falling back to default_branch
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Make masthead.inc modal and opac-auth follow the order of the login
elements on the homepage.
Test plan:
Enable prefs for reset password and self registration.
Fill additional contents for login instructions.
Logout on OPAC.
Click Login from your account on top bar.
Click Login button on the home page (right side, in the middle).
Verify that these two forms correspond with the home page login.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Bug 29458: (follow-up) Remove FIXME
With some help of Owen Leonard:
<oleonard> Regarding the <br/>, you can wrap the submit button in <fieldset class="action"></fieldset> instead.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Modified breadcrumbs to be accessible, in particular for a
screen-reader. Also ensured the breadcrumbs were all consistent.
Made the block of breadcrumbs to be a <nav id="breadcrumbs"
aria-label="Breadcrumb" class="breadcrumbs"> with an ordered list
inside. The last breadcrumb also has aria-current="page" to specify that
it is the current page.
To test, apply the patch and rebuild the OPAC CSS (https://wiki.koha-community.org/wiki/Working_with_SCSS_in_the_OPAC_and_staff_client)
- Confirm that OPAC templates are updated consistently to use
breadcrumbs markup beginning with '<nav
id="breadcrumbs" aria-label="Breadcrumb" class="breadcrumb">'
- Pages in the OPAC should look consistent, with the last breadcrumb
styled as text and with the "aria-current" attribute "page."
Sponsored-by: Catalyst IT
Signed-off-by: Henry Bolshaw <bolshawh@parliament.uk>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch makes modifications to OPAC templates to make the Google
login options more consistent.
To test, apply the patch and rebuild the OPAC CSS
(https://wiki.koha-community.org/wiki/Working_with_SCSS_in_the_OPAC_and_staff_client).
- In the staff interface, enable the GoogleOpenIDConnect preference, and
populate the GoogleOAuth2ClientID the GoogleOAuth2ClientSecret with
values (they don't need to be valid).
- On the OPAC main page you should see a "Log in with Google" button
above the Koha login form.
- If you click the "Log in to your account" link at the top of the page
you should see a "Log in with Google" button in the modal window
- If you navigate directly to /cgi-bin/koha/opac-user.pl when not logged
in you should see the same "Log in with Google" button on that page.
- In each case the Google button should point to /cgi-bin/koha/svc/auth/googleopenidconnect
- If you disable GoogleOpenIDConnect the buttons should disappear.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
In most authentication forms we see :
Fields "Login:" and "Password:" with a submit button "Log in".
In some places submit button contains "Login", which is confusing for translation.
It is not correct according to terminology https://wiki.koha-community.org/wiki/Terminology#L
Also in opac-user.pl ":" is missing, it generates new translation entries.
Test plan:
1) Log out if you are logged in
2) Go to staff interface
3) Check you see button "Log in"
4) Go to OPAC page /cgi-bin/koha/opac-user.pl
5) Check you see fields "Login:" and "Password:"
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
One big patch for one big move.
The "News" feature (opac_news) has been hijacked to handle some system
preferences (bug 26050). The goal was to take profit of the UI (editor)
and the ability to translate the value.
Disclaimer: This patch is NOT offering the best implementation but, as
we still don't have bug 24975, it cannot be done now. And no, we don't
want to wait for it to move forward here. This patch is going into the
right direction anyway.
This enhancement is going to rename the "News" with a more genertic
"Additional contents". We have two different "categories" of content:
"news" and "html customizations".
What does it bring?
- A split on the UI for disambigate the two types of content (news and
syspref/html customizations)
- A simplification of the edit form: all languages will be translatable
on the same view (like the "notice templates")
- Ground will be prepared for different types of content (if needed later)
- Staff news can be translated
How was the "News" area working before this patch?
The opac_news DB table contained a (very inconsistent) 'lang' column.
The different values were:
- '' => news to display at the OPAC and staff interfaces
- 'koha' => news for staff only
- 'slip' => news for slip notices
- $lang => news for OPAC only, translated in $lang ('en', 'es-ES', etc.)
- "$location_$lang" => A syspref moved to this "news" area. The syspref
is $location, and is translated in $lang. Eg. OpacLoginInstructions_en,
OpacLoginInstructions_fr-FR, opacheader_es-ES
This patch is improving the DB structure with the following changes:
- renaming 'opac_news' with 'additional_contents'
- new 'category' column
=> 'news' or 'html_customizations'
- new 'location' column
=> For 'news': 'staff_and_opac', 'staff_only', 'slip'
=> For 'html_customizations': the old syspref name (eg. 'OpacLoginInstructions').
- new 'code' column (see later for more info)
- the 'lang' column will only contain the language code ('en', 'es-ES',
etc.). BUT a 'default' entry will ALWAYS exist for fallback behaviour.
We are getting closer to the 'notice template' table structure because
we want to match its UI. The 'code' column will bring us the ability to
group the different 'additional_contents' rows. The code for a given
news will be the same, but the (lang, title, content) will differ.
Examples:
News 1 will have, for each of the translated versions
(category, code, location, branchcode)
('news', 'News1', $location, $branchcode||undef)
And the 3 following columns will differ:
(title, content, lang)
('title for news 1', 'content for news 1', 'default')
('titulo para 1', 'contenido para 1', 'es-ES')
Note that the "category" is not strictely necessary, but it seems better
to have the ability to split the different content by category/type
easily.
Additional changes:
- Syspref 'NewsToolEditor' is renamed 'AdditionalContentsEditor'
- Koha::NewItem => Koha::AdditionalContent
- Koha::News => Koha::AdditionalContents
- Script and template renamed from koha-news to additional-contents
- Foreign keys have been renamed
- Subpermission edit_news has been renamed edit_additional_contents
- The UI can now be accessed via a "News" or "HTML customizations" link
from the tools module. The related contents will then be displayed (both
categories are now split)
Changes not done here:
- Primary key 'idnew' could be renamed 'id'
Limitations of the upgrade:
News cannot be grouped by a unique code for existing translations.
=> A given news will be now displayed several times on the translated
interface
Any ideas to improve the upgrade behaviour?
We will have to add a warning in the release notes to tell libraries to
review their news.
Test plan:
0. Don't apply the patches
1. Translate the interfaces in some languages
. Create some news for staff and OPAC
. Create some content for different entry of HTML customizations
Note that you are forced to define a 'default'.
Also note that you are only forced to fill the title (not the content).
This is certainly problematic (see FIXME in the code) as sometime only
the content is displayed.
. Play with the interface (edit, delete, filter)
. Go to the different places the news are displayed, and confirm they
are displayed correctly (staff home, opac home, opac rss)
. Create 1+ news for 'slip', check an item out and 'print slip' (from
the circulation page). You must see the news.
. Go to the different places you are expecting the HTML customizations
to be present and confirm that you see them.
. Switch the lang of the interface and confirm that you now see the
content in the translated version
. Generate the templates in another language, don't translate the
content
. Use this language for the interface and confirm that the 'default'
version is displauyed.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Moved recently
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Bug 27610 corrected the <h1> tags in each of the OPAC files. This patch
corrects the hierarchy of the rest of the headings on each of the pages.
To test:
1) Go to the OPAC
2) Apply Bug 27610 patch
3) Apply patch (Bug 27740)
4) Go to each of the pages and check that the headings under <h1> are in
the correct order and hierarchy
Sponsored-by: Catalyst IT
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch fixes a regression which was introduced by Bug 20168, causing
the OpacLoginInstructions template code to revert back to the old system
preference behavior. This patch returns the correct markup.
To test, apply the patch and view the OPAC login page
(/cgi-bin/koha/opac-user.pl)
- With no news entry for OpacLoginInstructions you should see the
default: A block of text with two headings, "Don't have a password
yet?" and "Don't have a library card?"
- Go to Tools -> News and create an entry for OpacLoginInstructions.
- Return to the OPAC and confirm that your custom text appears.
- Try updating/installing another translation and adding a different
news entry for that language. Confirm that the correct entry appears.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Changed each of the pages in the OPAC to have one <h1> tag showing that describes the page, rather than the <h1> describing the logo.
The hierarchy of heading tags may be broken in many pages, but this will be dealt with in a follow up patch or bug.
To test:
1) Go to the OPAC
2) Apply patch
3) Go to each of the pages and check that they have an obvious and
descriptive heading
4) Ensure that the heading in the page is <h1>
Sponsored by: Catalyst IT
Signed-off-by: Hayley Pelham <hayleypelham@catalyst.net.nz>
Signed-off-by: Henry Bolshaw <bolshawh@parliament.uk>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Changed the titles of each page on the OPAC to display the unique
information first, and the name of the website (e.g. Koha library
catalog). This is fot accessibility reasons, such as when a
screen reader user is going through tabs, they do not have to waste time
listening to the website name, they can just find the unique page title
first.
To test:
1) Go to the OPAC
2) Apply patch
3) Go to each of the pages and check that the page title has the unique
information about the page first, and the name of the website is at the
end
Sponsored by: Catalyst IT
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Indentation fixes for readability
Cleaned up a few places where the ability to login otherwise was leakign through
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
JD amended patch: Remove trailing spaces
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
As requested
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds two system preferences to Koha, opacShibOnly and
staffShibOnly, allowing users to restrict authentication to just
one method, Shibboleth.
We do however, allow for local fallback for the SCO/SCI logins.
A system preference was chosen over a configuration file update to
allow for local override at the virtualhost level. In this way a
hosting provider can setup a 'backdoor opac' for example to allow
fallback to local logins for support operations.
Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(Note: Must have Shibboleth and CAS added to OPAC)
1. (Before downloading patch) Go to OPAC
2. Search for an item in the search bar (i.e. type 'a')
3. On one of the items, click on 'Place hold'
4. The links should say 'If you have a Shibboleth account, please click
here to log in', 'Please click here to log in' and 'If you have a CAS
account, please click here to log in'
5. Add patch
6. Repeat steps 1-3
7. The links should now say 'Log in using a Shibboleth account', 'Log in'
and 'Log in using a CAS account'
NOTE: Also noticed on the initial log in box there was the same issue -
here is the testing for that:
1. Go to OPAC home page
2. In the top right click 'Log in to your account'
3. The link should say 'If you have a Shibboleth account, please click
here to log in.'
4. Apply patch
5. Repeat steps 1&2
6. The link should now say 'Log in using a Shibboleth account'
Sponsored-by: Catalyst IT
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch updates the version of Bootstrap in the OPAC from 2.3.1 to
4.5.0. The Bootstrap JavaScript files have been replaced with custom
builds of the 4.5.0 JavaScript source files. The Bootstrap CSS is now
built into the OPAC CSS by loading the required Bootstrap 4.5.0 SCSS
files in node_modules.
OPAC SCSS now starts with Bootstrap customizations:
/* Bootstrap variable customizations */
$headings-color: #727272;
...
Followed by loading the necessary Bootstrap SCSS files:
/* Bootstrap imports */
@import "../../../../../node_modules/bootstrap/scss/functions";
@import "../../../../../node_modules/bootstrap/scss/variables";
...
Followed by our CSS. The build process for generating compiled CSS now
creates a file which bundles Bootstrap CSS and ours. Removed from the
Koha source: Bootstrap CSS files, Bootstrap "glyphicons" images.
The upgrade to Bootstrap 4 involved a lot of markup changes to conform
with new Bootstrap classes, especially in classes related to the grid.
Besides duplicating the grid we used before, this upgrade adds some new
features made possible by Bootstrap 4.5's use of flexbox as a layout
tool. This includes custom ordering of columns based on class names:
https://getbootstrap.com/docs/4.5/layout/grid/#order-classes.
Other areas where the most changes have been made: Navigation menus,
breadcrumb menus, buttons, dropdowns.
Bootstrap's JavaScript file is now "bootstrap.bundle.min.js" to reflect
the fact that a required JavaScript asset is now distributed separately
in Bootstrap 4. The "bundle" version includes Popper.js.
Unrelated changes: Indentation corrections, removal of invalid
"//<![CDATA[" markers, removal of invalid script type attributes.
To test, apply the patch and run 'yarn install' to install Bootstrap as
an npm module. Run 'yarn build --view opac' to regenerate the OPAC CSS.
Test as many aspect of the OPAC as possible, viewing pages at various
browser widths to confirm that everything adjusts well. Test with
various OPAC interface system preferences enabled and disabled.
Test self checkout and self checkin.
Known issues: RTL support has not been updated.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch builds on Bug 22318 to move the OpacLoginInstructions system
preference into the Koha news system, making it possible to have
language- and library-specific content.
To test you should have some content in the OpacLoginInstructions system
preference. Apply the patch and run the database update process.
- Go to the OPAC and click the login link.
- In the login modal, confirm that the content which was previously in
the OpacLoginInstructions system preference displays correctly
below the login form.
- While not logged in to the OPAC, navigate directly to
/cgi-bin/koha/opac-user.pl. The OpacLoginInstructions content should
display correctly here as well.
- In the staff client, go to Tools -> News and verify that the content
from OpacLoginInstructions is now stored in news items. There
should be one entry for each of the enabled translations in your
system, for instance 'OpacLoginInstructions_en',
'OpacLoginInstructions_fr-FR', 'OpacLoginInstructions_cs-CZ'
- Go to Administration -> System preferences and confirm that the
OpacLoginInstructions preference has been removed.
- To test the correct selection of language-specific content you must
run the translation update/install process for the languages you're
updating.
Signed-off-by: Sally <sally.healey@cheshiresharedservices.gov.uk>
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
In the previous patch we reduced the headings levels by 2, but this was
one level too many as we already have an H1 in the navbar and so all
other heading sets should start at level 2 to semantically follow the
title heading.
Signed-off-by: Sally <sally.healey@cheshiresharedservices.gov.uk>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
1) Follow test plan from comment #1
2) Apply the patch
3) Reload the page, and note that is still displays fine
4) Check that the main heading is now an h1, and that the other headings
on the page make sense
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Sally <sally.healey@cheshiresharedservices.gov.uk>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To test:
1 - Set OpacPublic syspref to 'Disable'
2 - Log in to OPAC
3 - Log out
4 - Try to log in again
5 - No error, but you get the login form again
6 - Apply patch
7 - Repeat
8 - This time you can log in again
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch removes some trivial invalid HTML from opac-auth.tt
Test plan:
1. Apply patch
2. As an unauthenticated user, try to place a hold on a search result
e.g. http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29
3. View source or use an inspector to see there is no <p></p> block
between <input type="submit" value="Log in" class="btn"> and
<div id="nologininstructions">
Signed-off-by: Sally <sally.healey@cheshiresharedservices.gov.uk>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch makes the templates relying on the OpacResetPassword syspref
use the introduced TT plugin method instead by changing:
[% IF Koha.Preference('OpacResetPassword') %]
=>
[% IF Categories.can_any_reset_password %]
To test:
- Verify that all the places in which the 'forgot password' link is
displayed in OPAC keep working, provided there's at least one category
that has the flag set
- Attempt to recover the password for a patron that belong to a valid
category (i.e. that has the flag set)
=> SUCCESS: You can go through the normal process
- Attempt to recover the password for a patron that belongs to a
category with the flag unset.
=> SUCCESS: Once Koha identifies your category, you are told you are not
allowed to do it
- Sign off :-D
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
It is already escaped correctly in
C4::Auth_with_cas::_url_with_get_params using URI::Escape::uri_escape
Note that shibbolethLoginUrl is not and must be url escaped in template
("be consistent, they said")
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch was generated using codespell
Test plan:
Read through changes and confirm they make sense
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
https://bugs.koha-community.org/show_bug.cgi?id=21706
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Based on the feedback of Jonathan, Katrin, Mark and Martin (thx), adding
the general remark that if lockout is enabled, an account may be locked
out after x attempts. This does not say that the account on hand is
locked or not.
Adding a <p> tag between 'Log in'-button and 'Forgot your password' for
presentation.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
We should not expose more information than needed when someone tries
to login with invalid credentials. Saying that an account is locked
reveals that the account exists (or perhaps an email address).
Trivial fix. Keeping the var too_many_login_attempts for staff.
Note: We do not remove this distinction for the staff client here (in the
assumption that a library may well have additional security measures in
place for staff client). But it could be done too (on another report).
Test plan:
Enable lockout feature.
Enter invalid credentials until account locks out (on OPAC !!)
Note that message does no longer change to 'Account is locked'.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch has been generated with the script provided on bug 21576.
It only affects variable used in the href attribute of a link *when*
href it the first attribute of the node (grep "a href")
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch is a reimplementation of the original from Indranil Das Gupta
and the QA follow-up from Julian Maurice. Original test plan:
Conformance rules for HTML5 is generating warnings for <script> element
with type="text/javascript" attribute when the OPAC page is checked
with W3C Validator. This patch removes the cause of these warnings.
Test plan
=========
1/ Paste the URL to your OPAC page (if it is hosted) to W3C Validator
and watch about 10+ warnings being generated by the validator.
2/ Apply patch and re-submit the page to the Validator. The warnings
would be gone.
Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch adds the SCI module, and adapts C4::Auth to know about it.
The current behaviour is:
- Requires admin user initialization/login
- Uses the logged users' library
- A form allows to scan multiple barcodes
- A button sends the barcode list to the controller
to batch perform the checkins
- Successful and failed checkins are sent to the template
- Results are displayed
- Logout link
To test:
- Apply this patches
- Make sure you upgrade:
$ kshell
k$ perl installer/data/mysql/updatedatabase.pl
- Have 'SelfCheckInModule' disabled
- Go to http://kohadev.myDNSname.org:8080/cgi-bin/koha/sci/sci-main.pl [1]
=> SUCCESS: You are rejected because the feature is disabled
- Enable 'SelfCheckInModule'
- Go to the previous URL
=> SUCCESS: You are required to login
- Login with a user WITHOUT self_checkout permissions
=> SUCCESS: You are not allowed to log into the Self check-in module.
- Login with a user WITH self_checkour permissions
=> SUCCESS: You gain access, and are presented the UI
- Go through the several options
=> SUCCESS: All works as it should
- Click the 'Help' link
=> SUCCESS: A help text is displayed on a modal
- Sign off :-D
- Bonus points:
$ kshell
k$ qa -c 2 -v 2
=> SUCCESS: All tests green
[1] Adjust to your dev's OPAC setup
Signed-off-by: David Bourgault <david.bourgault@inlibro.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To prevent brute force attacks on Koha accounts, staff and opac, we need to
implement an account lockout process to Koha.
After a number of failed login attempts a users account would become locked.
The user would then need to use the reset password functionality to send a reset
token to their email account. After a successful password reset the lockout flag
would be removed.
The number of failed login attempts before lockout is configurable using a new
system preference 'FailedLoginAttempts'.
How does it work?
When a patron enter an invalid password, the borrowers.login_attempts value
for this patron is incremented. When this value reach the value of the
pref FailedLoginAttempts, the password comparison is not done and the
authentication is rejected.
This login_attempts field is reset when a patron correctly logs in. When
the account is locked the patron has to reset his/her password using
the OpacResetPassword feature or ask a staff member to generate a new
password.
If the pref is not set (0, or '') the feature is considered as disabled,
but the failed login attempts are stored anyway.
Test plan:
0/ Apply patch and execute the update DB entry
1/ Switch on the feature by setting FailedLoginAttempts to 3
2/ Use an invalid password to login at the staff or OPAC interface
3/ After the third consecutive failures, you will be asked to reset your
password if OpacResetPassword is set, or contact a staff member
4/ Switch on OpacResetPassword and reset your password
5/ Confirm that you are able to login
6/ Play with the different combinations
QA details: The trick happens in C4::Auth::checkpw, to make things clear
I had to create a return value (note the awesome name: @return) and
replace the 3 successives if statements with elsif. Indeed if one of
the condition is reached, it will return inside the given block.
Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Persona never really took off, and although many browsers currently
support it, very few services actually implement it.
This has lead to it's founders, Mozilla, to end the project. In their
own words:
=============================================================================
Persona is no longer actively developed by Mozilla. Mozilla has
committed to operational and security support of the persona.org
services until November 30th, 2016.
On November 30th, 2016, Mozilla will shut down the persona.org services.
Persona.org and related domains will be taken offline.
If you run a website that relies on Persona, you need to implement an
alternative login solution for your users before this date.
For more information, see this guide to migrating your site away from
Persona:
https://wiki.mozilla.org/Identity/Persona_Shutdown_Guidelines_for_Reliers
=============================================================================
Given the above, and that the Persona authentication methods as a whole
are no longer being actively maintained by anyone anywhere to ensure
ongoing security, we should deprecate the option from koha.
Test plan:
Apply this patch and make sure you do not find any references of Persona
Have a look at patches from bug 9587 and confirm that everything has
been reverted
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Code looks good to me.
Also ran several tests including: Auth.t, Auth_with_shibboleth.t.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch fixes translatability issues in opac-auth.tt (ugly
translations caused by sentence splitting).
It was necessary to change indentation to make the the file more
readable and to make sure that changes have no side effects.
The changes do not touch the overall functionallity.
To test:
- Review code to verify that no functionality change is introduced
and to verify that the text changes make sense.
- Apply patch, verify that OPAC login page behaves as before.
UPDATE: Amended for comment #10 / mv
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This uses a hacky but simple method to get the correct script name under
proxied packaged Plack.
Test plan:
1) Log out of both the OPAC and staff side.
2) Try to access a page that requires login (opac-reserve.pl is a
good one for the OPAC), then log in.
3) You will be redirected back to mainpage.pl or opac-user.pl.
4) Repeat above for both staff side and OPAC.
5) Apply patch.
6) Repeat steps 1-4; you should be redirected back to the original
page you were on.
7) Repeat the above for both a traditional CGI and kohadevbox/package
Plack installation.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Currently if not logged in when browsing to
http://YOURCATALOG/cgi-bin/koha/sco/sco-main.pl
You are redirected to opac-auth.tt and SCOUserCSS and SCOUserJS are not
loaded. This page passes through a parameter to the template to indicate
this is an SCO login and appropriate CSS and JS should be loaded.
Additionally this patch ensure that when loggin in using the form you
are redirected to the sco-main.pl instead of the patron account page for
the user.
To test:
1 - Verify that normal login works on both staff and opac
2 - Verify that SCO link goes to login page if AutoSelfCheckAllowed is
set to "Don't allow"
3 - Enter changes into SCOUserJS and SCOUserCSS and observe these are
present on SCO log in page with AutoSelfCheck disabled
4 - Verify that a logged in opac user without permissions cannot access
the self-checkout module
5 - Verify that AutoSelfCheckAllowed and associated system preferences
function as expected
6 - Verify the AutoSelfCheck user is logged out if they attempt to visit
another page
Followed test plan.
If I go to http://YOURCATALOG/cgi-bin/koha/sco/sco-main.pl, CSS and JS trigger already on
the login form, I suppose that is intended.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
Run Koha QA Test tools and discovered this failed because of tabs.
Rather than fail this and wait forever for it to get fixed, this
patches it, and I'll mark it as signed off anyways.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Test Plan (remains the same):
0) Back up your database
1) Apply all these patches
2) In your mysql client use your Koha database and execute:
> DELETE FROM systempreferences;
> SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql;
-- Should be no errors.
> SELECT * FROM systempreferences LIKE 'GoogleO%';
-- Should see 4 entries.
> QUIT;
3) Restore your database
4) Run ./installer/data/mysql/updatedatabase.pl;
5) In your mysql client use your Koha database and execute:
> SELECT * FROM systempreferences LIKE 'GoogleO%';
-- Should see the same 4 entries.
6) Log into the staff client
7) Home -> Koha administration -> Global system preferences
8) -> OPAC
-- make sure your OPACBaseURL is set (e.g. https://opac.koha.ca)
9) -> Administration
-- There should be a 'Google OAuth2' section with the ability
to set those 4 system preferences.
10) In a new tab, go to https://console.developers.google.com/project
11) Click 'Create Project'
12) Type in a project name that won't freak users out, like your
library name (e.g. South Pole Library).
13) Click the 'Create' button.
14) Click the 'APIs & auth' in the left frame.
15) Click 'Credentials'
16) Click 'Create new Client ID'
17) Select 'Web application' and click 'Configure consent screen'.
18) Select the Email Address.
19) Put it a meaningful string into the Product Name
(e.g. South Pole Library Authentication)
20) Fill in the other fields as desired (or not)
21) Click 'Save'
22) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL.
(http://library.yourDNS.org)
23) Change the 'AUTHORIZED REDIRECT URIS' to point to the new
googleoauth2 script
(http://library.yourDNS.org/cgi-bin/koha/svc/auth/googleopenidconnect)
24) Click 'Create Client ID'
25) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID
system preference.
26) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret
system preference.
27) Change the GoogleOpenIDConnect preference to 'Use'.
28) Click 'Save all Administration preferences'
29) In the OPAC, click 'Log in to your account'.
-- You should get a confirmation request, if you are
already logged in, OR a login screen if you are not.
-- You need to have the primary email address set to one
authenticated by Google in order to log in.
30) Run koha qa test tools
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Revert "DBRev to make notes of the XSS patches and the new important dependency."
This reverts commit e140603a59.
Revert "Bug 13618: Specific for branches.opac_info"
This reverts commit 06e4a50f00.
Revert "Bug 13618: (follow-up) Specific for other prefs"
This reverts commit d6475a111f.
Revert "Bug 13618: Fix for debarredcomment and patron messages"
This reverts commit dd98c9df92.
Revert "Bug 13618: Do not display html tags in patron's notices"
This reverts commit a065b243fe.
Revert "Bug 13618: Do not display and html tags in item fields content"
This reverts commit baeeaffbf8.
Revert "Bug 13618: Fix for system preference description"
This reverts commit a967a09261.
Revert "Bug 13618: Remove html filters for newly pushed code"
This reverts commit 0e98662b10.
Revert "Bug 13618: (follow-up) add missing lines for opac-shelves"
This reverts commit fc2fb605e5.
Revert "Bug 13618: (follow-up) Specific for ColumnsSettings"
This reverts commit bc308fdd9c.
Revert "Bug 13618: Fix for edit biblios and items"
This reverts commit 811c4e8402.
Revert "Bug 13618: followup to remove tabs"
This reverts commit ca8e8c397c.
Revert "Bug 13618: Fix last occurrences recently introduced to master"
This reverts commit bb417b256b.
Revert "Bug 13618: Fix for news"
This reverts commit ae5b98020a.
Revert "Bug 13618: Fix escape on sending baskets or shelves by email"
This reverts commit a7731ffe25.
Revert "Bug 13618: Specific for XSLTBloc"
This reverts commit 11fa38dc29.
Revert "Bug 13618: Specific for Salutation on editing a patron"
This reverts commit 36c07ad6d3.
Revert "Bug 13618: Specific for other prefs"
This reverts commit e6ea281a3b.
Revert "Bug 13618 - memberentrygen.tt errors Not a GLOB reference"
This reverts commit 7824874557.
Revert "Bug 13618: Specific for ColumnsSettings"
This reverts commit 1834da3da3.
Revert "Bug 13618: Specific for IntranetUser* and OPACUser* prefs"
This reverts commit 21ae62b253.
Revert "Bug 13618: Fix error 'Not a GLOB reference'"
This reverts commit 602bdbab4c.
Revert "Bug 13618: Specific for the ISBD view"
This reverts commit d254362435.
Revert "Bug 13618: Specific for pagination_bar"
This reverts commit 8837a8ae68.
Revert "Bug 13618: Specific places where we don't need to escape variables - intra"
This reverts commit 00eff140b3.
Revert "Bug 13618: Remove html filters at the intranet"
This reverts commit 7db851ff03.
Revert "Bug 13618: Specific places where we don't need to escape variables"
This reverts commit 49a3738b8d.
Revert "Bug 13618: Remove html filters at the OPAC"
This reverts commit cedaa0e23e.
Revert "Bug 13618: Use Template::Stash::AutoEscaping to use the html filter"
This reverts commit 01b38d3b13.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
