Enhanced the permission-checking functions in C4::Auth
(e.g., get_template_and_user, checkauth, check_api_auth, etc.).
If the CheckSpecificUserPermissions syspref is OFF, the behavior
of those APIs is unchanged.
If CheckSpecificUserPermissions is ON, then the value of each
key in the flagsrequired hash is considered during
the permissions check:
1. if the value is 1, the staff user must have
all privileges for the userflags flag (or module)
referred to by the hash key, e.g.,
{ flaqsrequired => { tools => 1 } }
In terms of the database, this means that the
corresponding bit must be set in borrowers.flags.
2. If the value is '*', the staff user must
have at least one of the permissions for the
userflag/module, but it doesn't matter which one.
In terms of the database, this means ether that the
corresponding bit must be set in borrowers.flags or
that there at least is one row in user_permissions
for the staff user and bit/module combination.
3. If the value is any other string, it must be
a permissions code defined in the permissions table.
The staff user must have that specific permission
or have access to all functions of the module
In terms of the database, this means ether that the
corresponding bit must be set in borrowers.flags or
that there is a matching row in user_permissions
for the staff user, bit/module, subpermission
code combination.
In addition, get_template_and_user is modified so that the
CAN_user_XXX variables that it sets also includes the
subpermissions available (CAN_user_XXX_YYY, e.g.,
CAN_user_tools_import_patrons). The template variables
for the specific permissions are set regardless of whether
CheckSpecificUserPermissions is ON or OFF so that the templates
don't have to test for that syspref explicitly.
In addition, the meaning of CAN_user_XXX has changed slightly -
CAN_user_tools, for example, is set to 1 in the template if the
user has access to *any* of the tools functions. This was done
to simply the logic for deciding whether to display a menu
item in the staff interface are not. This does mean that
when specific subpermissions are added to (say) the circulate
module, each use of CAN_user_circulate will need to be examined
to see if the intent is to allow the user to get at a circ
menu or page or if the user really should be required to have
all circulate functions.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
adding some parameters to the call to opac-auth.tmpl in C4::Auth::checkauth
This displays the additional navigational links in the masthead on the login page to unauthenticated users.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
As announced this past February, Amazon.com will no longer be
accepting web services requests to Amazon E-Commerce Service
(Amazon ECS) version 3.0 beginning on March 31, 2008.
This patch upgrades to Amazon.com's Associates Web Service 4.0
for the following components:
1. Amazon.com Locale support for: Canada, Germany, France, Japan,
UK, and US (see the new syspref called AmazonLocale)
2. Jacket Covers
3. Editorial Reviews
4. Customer Reviews
5. Amazon.com Similar Items
The following changes MUST be made to continue using Amazon.com
content:
1. Delete the system preference: AmazonDevKey (AmazonDevKeys used
with AmazonECS 3.0 are no longer valid)
2. Add the system preferences: AmazonLocale, AWSAccessKeyID
NOTE: steps 1, 2 are done by the web installer
3. Verify your AWSAccessKeyID:
You may already have an Access Key ID. You can access your Access
Key ID by going to http://aws.amazon.com, pointing to Your Web
Services Account, then clicking View Access Key Identifiers.
Depending on when you signed up for ECS 3.0, you may need to
re-register for an AWS account, which includes an Access Key ID.
4. Enter your AWSAccessKeyID in the Koha syspref called
AWSAccessKeyID
For complete details on the changes in Amazon.com Associates Web
Service 4.0, and the migration process, please see: http://tinyurl.com/ysorqy
Other changes with this patch:
* added $tabsysprefs{PatronsPerPage}="Patrons";
* Moved OPAC Features to OPAC in sysprefs
* removed experimental OPACXISBNAmazonSimilarItems and XISBNAmazonSimilarItems features
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
When using mysql and a sufficiently recent version
of DBD::mysql that actually respects the mysql_enable_utf8
option, setting the current branch to a name that
includes a diacritic causes the session to fail
and forces the user to the login screen upon
clicking another link.
This turned out to be due to the default (Data::Dumper)
serialization used by CGI::Session, which truncated the
session object at the diacritic. By enabling
that module's YAML serialization option, the problem
was resolved.
This patch introduces a dependency on the YAML::Syck
module.
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
Major Fix:
Fixing bug where 'expected' label existed for items that
were 'waiting'
Minor Cleanup:
Show correct statuses
Show itemtypes at correct levels depending on
global system preference
Display branch names, not branch codes
Adding in visibility option for 'canreservefromotherbranches' syspref
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
Refactoring to provide single place to get CGI::Session ojbject;
fixes bug for DB storage method other than 'mysql'.
This refactoring is also part of the patch series for
handling large input files for staging and processing
MARC records.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
