This patch clears the JWT cookie during auth kick out (ie
when a web user navigates from the self-check out/in to
the rest of Koha).
Test plan:
0. Apply patch and koha-plack --reload kohadev
1. Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
2. Log in as the "koha" user
3. In another tab, go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
4. Go to http://localhost:8080/cgi-bin/koha/opac-search.pl?idx=&q=a&weight_search=1
5. Note that you are prompted to "Log in to your account" via the normal Koha prompt
6. Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
7. Note that you are prompted to "Log in to your account" within the "Self checkout system",
and note that your self-checkout session for the "koha" user has *not* persisted like
it did before the patch was applied
Signed-off-by: Andrew Fuerste-Henry <andrewfh@dubcolib.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 1fa961b97b8f52d1c9920c72d9338d150deb829b)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
This patch avoids generating CSRF tokens unless the csrf-token.inc file
is included in the template.
Passed token doesn't need HTML escaped. The docs for WWW::CSRF state:
The returned CSRF token is in a text-only form suitable for inserting into a HTML form without further escaping (assuming you did not send in strange things to the Time option).
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit ddf1eb6cef14da365675890920ff72f010c59527)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 73ca151686b682aaa2b950ccbc89fcec14514112)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Split out from bug 22990 as requested.
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit aba9e61cfbab1e915f1be4a527b5708b9ec59c35)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 6d6d36f6df79d3df22ea299934073d903f86e64a)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 8e545cff75)
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 7a77ea6985)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Bug 31162 moved the cataloguing tools to a new cataloguing module home
page. This prevents people without cataloguing permissions, but with
some tools permissions to access things like the labels creator tool.
I tracked all permissions on the cataloging-home.tt template, including
the Stock Rotation ones which I initially missed because I was focusing
on tools.
This patch makes the cataloging-home.pl page require either
'cataloguing' or any relevant 'tools' permission to allow access. the
page.
The staff interface main page and the top bar dropdown are updated using
the same logic to display the cataloguing module link.
For that purpose, I wrapped the permissions on a sub in `C4::Auth`.
To test:
1. Have a patron with only 'catalogue' and some of this permissions:
* inventory
* items_batchdel
* items_batchmod
* items_batchmod
* label_creator
* manage_staged_marc
* marc_modification_templates
* records_batchdel
* records_batchmod
* stage_marc_import
* upload_cover_images
* stockrotation => manage_rotas
2. Log in
=> FAIL: No link to the cataloguing module, neither in the dropdown
3. Apply this patch
4. Repeat 2
=> SUCCESS: You have the link!
5. Play with the different combinations and notice things are sound and
correct
6. Sign off :-D
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 0db60995a8)
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit afacad6a2d)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
This will only have effect on installations running OPAC and staff
on the same domain name. In that case an OPAC cookie still allows
you to access intranet, and v.v.
Test plan:
Repeat the following steps WITHOUT this patch and WITH it.
Login via OPAC.
Go to staff. Perform an action that logs the interface in e.g. the
statistics table, like a checkout.
Inspect interface in the corresponding table. Observe difference
that this patch makes.
With this patch:
Run t/db_dependent/Auth.t. Should pass again.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Björn Nylén <bjorn.nylen@ub.lu.se>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 68aeaf5c4c)
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit fdc49e0fb3)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
If the logged in librarian modifies their own userid they will get the
following error when submitting the form:
Can't call method "password_expired" on an undefined value at /kohadevbox/koha/C4/Auth.pm line 1780
We could handle this situation and flag the session as expired. Better
would be to deal with this specific user case and update the cookie (?)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 5da81cde99)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
We don't need it for the staff interface. The previous patch is removing
the only occurrence using it.
Signed-off-by: Michaela Sieber <michaela.sieber@kit.edu>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 63bc731fd4)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
GDPR is a European Union (and, at time of writing, UK) law.
The GDPR_Policy system preference is about a patron
giving consent to their personal data being processed in
line with the library's privacy policy.
The name of the preference is vague: there could be
many policies implemented by libraries to comply with
GDPR. It also makes the preference look irrelevant for
libraries outside the areas where GDPR applies, while
it may be useful for libraries anywhere.
This renames GDPR_Policy to PrivacyPolicyConsent and
adjusts the system preference descriptions.
To test:
* Apply the patch
* Run database update
* Search for GDPR_Policy in the system preference
- you should not find anything.
* Search for DataPrivacyConsent in the system preferences
- you should find it and be able to activate it
* Verify the feature works as expected
- If the preference is set to "enforced", you will be
asked to give consent to the data privacy agreement
in the OPAC when you log in
* Verify the page is now phrased neutrally using 'privacy policy'
Bonus: Consent date is now formatted according to DateFormat
system preference.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit bd75309933)
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch removes some unnecessary syspref template params for
failed OPAC auth. The templates handle these syspref using the
Koha.Preference() TT plugin function, so they're completely redundant
and just make checkauth() longer than it needs to be.
Test plan:
1) Apply patch
2) Enable OpacCloud, OpacBrowser, and OpacTopissue sysprefs
3) koha-plack --restart kohadev
4) Log out of Koha if you're logged in
5) Go to http://localhost:8080/cgi-bin/koha/opac-user.pl
6) Note that you can see the Cart as well as links for the following:
Browse by hierarchy, Authority search, Tag cloud, Subject cloud,
Most popular
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Solene Ngamga <solene.ngamga@inLibro.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 60e7c99165)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
If a second login on top of a current session fails on
permissions, we should not grant access without context.
Test plan:
[1] Run t/db../Auth.t, it should pass now.
[2] Test interface with/without this patch:
Pick two users: A has perms, B has not.
Put two staff login forms in two tabs.
Login as A in tab1. Login as B in tab2.
Without this patch, B gets in and crashes.
With this patch, B does not get in ('no perms').
Bonus: Go to opac if on same domain. You are still
logged in as B.
NOTE: I added a FIXME here, since you could argue about filling
the session info or otoh deleting the session. We present an
authorization failure; people may not realize that they are
still logged in (see test plan - bonus).
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Somewhere the line undef $userid got removed.
We need it to resolve the second login situation.
Test plan:
Login in staff with user missing privileges.
On the login form login again with another staff user.
Note that you do no longer crash.
Run t/db../Auth.t
Run t/db../Koha/Auth/TwoFactorAuth.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
No change in user experience. But since we can mock safe_exit,
we can enhance test results.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch removes a security breach in C4::Auth::check_api_auth introduced by bug 31378, where when someone called an api with the parameters userid and auth_client_login, check_api_auth would automatically asume the user calling was that userid.
This patch also introduces C4::Auth::create_basic_session(), a function that creates a session and adds the minimum basic parameters.
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lukasz Koszyk <lukasz.koszyk@kit.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Test plan:
Without this patch:
1. Set the syspref TwoFactorAuthentication (enforce or enabled)
2. Configure 2FA for a patron
3. Logout
4. Authenticate but don't enter the 2FA code
5. Switch off the syspref (disabled) [via another browser or so]
6. Patron is stuck on the [original] login screen. [Only removing
the session cookie would resolve it.]
With this patch:
1. Follow the steps above again. But note that you can refresh
your browser window to get in now.
2. Verify that Auth.t passes now too.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Test plan:
Add some page under Additional contents.
Enforce GDPR policy.
Test with user that has no consent (yet or anymore).
Check if you can reach additional contents with opac-page.pl.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
If we do not clear this session, the first login directly after setup
does not really enhances user experience ;)
Test plan:
Make sure 2FA is enforced.
Test the above. Disable your 2FA, logout and login.
Verify that you can access pages with this patch now. Without this
patch you could not.
Run these tests to provide more confidence:
t/db_dependent/Auth.t
t/db_dependent/api/v1/two_factor_auth.t
t/db_dependent/Koha/Auth/TwoFactorAuth.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Resolves:
Use of uninitialized value $request_method in string eq at /usr/share/koha/C4/Auth.pm line 1122.
Use of uninitialized value $return in numeric gt (>) at /usr/share/koha/C4/Auth.pm line 1155.
We also remove the double logout from Auth.t
Test plan:
Run t/db_dependent/Auth.t
Check if you do not see the warns anymore.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Bug 28786 added the ability to turn on a two-factor authentication,
using a One Time Password (OTP).
Once enabled on the system, librarian had the choice to enable or
disable it for themselves.
For security reason an administrator could decide to force the
librarians to use this second authentication step.
This patch adds a third option to the existing syspref, 'Enforced', for
that purpose.
QA notes: the code we had in the members/two_factor_auth.pl controller
has been moved to REST API controller methods (with their tests and
swagger specs), for reusability reason. Code from template has been
moved to an include file for the same reason.
Test plan:
A. Regression tests
As we modified the code we need first to confirm the existing features
are still working as expected.
1. Turn off TwoFactorAuthentication (disabled) and confirm that you are not able to
enable and access the second authentication step
2. Turn it on (enabled) and confirm that you are able to enable it in your account
3. Logout and confirm then that you are able to login into Koha
B. The new option
1. Set the pref to "enforced"
2. You are not logged out, logged in users stay logged in
3. Pick a user that does not have 2FA setup, login
4. Notice the new screen (UI is a bit ugly, suggestions welcomed)
5. Try to access Koha without enabling 2FA, you shouldn't be able to
access any pages
6. Setup 2FA and confirm that you are redirected to the login screen
7. Login, send the correct pin code
=> You are fully logged in!
Note that at 6 we could redirect to the mainpage, without the need to
login again, but I think it's preferable to reduce the change to
C4::Auth. If it's considered mandatory by QA I could have a look on
another bug report.
Sponsored-by: Rijksmuseum, Netherlands
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
We need to replace 0 with 'disabled', and 1 with 'enabled'
Sponsored-by: Rijksmuseum, Netherlands
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Test plan:
1. Enable suggestion & AnonSuggestions sysprefs and set AnonymousPatron = 1
2. Visit the OPAC without logging in
3. Confirm you can successfully create a suggestion from:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
4. Disable the AnonSuggestions syspref
5. Confirm you cannot see links to make purchase suggestions on the
following pages:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
6. Confirm if you try visiting /cgi-bin/koha/opac-suggestions.pl page
you are re-directed to a login page
7. Select the category of your user in the suggestionPatronCategoryExceptions syspref
8. Log into the OPAC
9. Confirm you cannot see links to make purchase suggestions on the
following pages:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
- opac-user.pl ('Your summary') page
10. Confirm if you try visiting /cgi-bin/koha/opac-suggestions.pl page
you are re-directed to a 404 error page
11. Enable AnonSuggestions syspref
12. Confirm you can successfully create a suggestion from:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
- opac-user.pl ('Your summary') page
13. Disable AnonSuggestions syspref and un-check your category from
suggestionPatronCategoryExeptions syspref
14. Confirm you can create a suggestion from:
- Item detail page
- Search result page
- Masthead under the 'Library catalogue' search box
- opac-user.pl ('Your summary') page
Sponsored-by: Catalyst IT, New Zealand
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Introduce a suggestionPatronCategoryExceptions system preference.
If the suggestion syspref is enabled then libraries can stop specific
borrower types from making suggestions by ticking the type in the
suggestionPatronCategoryExceptions syspref.
Test plan:
1. Apply patches, update database, re-start services
2. Set 'suggestion' syspref = 'Allow'
3. Confirm you can view the purchase suggestion links on OPAC biblio detail
page & 'your summary' page. As well as successfully submit a suggestion.
4. Select the patron category you're logged in as in
suggestionPatronCategoryExceptions syspref
5. Confirm the purchase suggestion links are hidden in the OPAC biblio
detail page & 'your summary' page
6. In your browser enter the link: <OPAC base URL>/cgi-bin/koha/opac-suggestions.pl
e.g. http://localhost:8080/cgi-bin/koha/opac-suggestions.pl
7. Confirm a 404 page loads
8. Confirm you can view/moderate suggestions in the staff
client - even though your patron is selected in the
suggestionPatronCategoryExceptions syspref
9. Untick your patron category in the suggestionPatronCategoryExceptions syspref
10. Confirm you can view the purchase suggestion links on the OPAC, as
well as successfully submit a suggestion.
11. Set 'suggestion' syspref = "Don't allow"
12. Confirm the purchase suggestion links are hidden in the OPAC
13. Select all patron categories in suggestPatronCategoryExceptions
syspref. View the OPAC without logging in and confirm you can perform
searches and view OPAC biblio detail pages.
Sponsored-by: Catalyst IT, New Zealand
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch refactors the setting of user permissions for templates into
a new function, which can be easily unit tested and reduces the amount
of code in C4::Auth::get_template_and_user(). It also aids in the
re-usability of permission checking code.
Test plan:
0) Apply patch and koha-plack --restart kohadev
1) prove t/Koha/Auth/Permissions.t
2) As koha superlibrarian, go to
http://localhost:8081/cgi-bin/koha/tools/tools-home.pl
3) Go to http://localhost:8081/cgi-bin/koha/members/members-home.pl
4) Create new test user with "Staff access..." and "Remaining circulation permissions"
5) Logout of koha superlibrarian
6) Login as test user
7) Note you can only see a limited view of the staff interface
(i.e. no administration, no tools, no reports, etc.)
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Adding David's comments from Bugzilla to safe_exit here.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch updates and moves the existing psgi_env method out of Auth
and into Context and then replaces any manual references of the same
code to use the new method.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This makes sure that all entries on the administration start page
have a matching entry in the administration sidebar that shows
on the left side if you are on any of the administration sub pages.
Changes made:
* Rename 'Classification sources' to 'Classification configuration'
* Make Plugins entry show and appear in correct spot
This relied on the variable plugins_enabled that wasn't available
in all the different templates. I therefore moved it to Auth.pm
and cleaned up the code for the admin start page.
* Move 'MARC overlay rules' and rename to 'Record overlay rules'
To test:
* Make sure plugins are enabled and visible on admin start page
* Compare admin start page and sidebar
* Sequence should be the same
* All entries should appear on both pages
* Naming should be the same
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch restores the param, while still leaving the check against invalid
login credentials to ensure we don't leak information.
To test:
1 - enable EnableExpiredPasswordReset
2 - Edit a patron to set password to expire in the past
3 - Attempt opac login as patron
4 - It fails, but you are redirected to login screen with no info
5 - Apply patch
6 - Attempt login
7 - You are notified password expired and given reset link
8 - Go back to login screen
9 - Login with correct username,, wrong password
10 - You are notified of incorrect credentials, not password expiration
Signed-off-by: Andrew Fuerste-Henry <andrewfh@dubcolib.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
We must not pass $dbh but retrieve it when needed instead
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
We don't need to build allowed_scripts_for_private_opac for staff
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Sponsored-by: Rijksmuseum, Netherlands
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Silly mistake from bug 28786, the $type should be compared to "opac"
instead of "OPAC", erk!
Test plan:
Turn 2FA on
Set it up for an user
Login at the OPAC
=> Without this patch you keep being redirected to the auth form screen
=> With this patch applied you are able to successfully login
Signed-off-by: Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Can't use an undefined value as a HASH reference at /kohadevbox/koha/C4/Auth.pm line 985
C4::Auth::checkauth('CGI=HASH(0x5603b7dc4300)', 0, 'HASH(0x5603b2633238)', 'intranet', undef, 'intranet-main.tt') called at /kohadevbox/koha/C4/Auth.pm line 186
C4::Auth::get_template_and_user('HASH(0x5603b7b83d08)') called at /kohadevbox/koha/mainpage.pl line 40
Test plan:
Open a private window
Hit /cgi-bin/koha/mainpage.pl?logout.x=1
Signed-off-by: Sally <sally.healey@cheshiresharedservices.gov.uk>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
We allow one old token when we are setting the two-factor auth, we
should reuse the same settings when validation the authentication
itself.
Test plan:
Setup 2FA for your logged-in user
Logout/Login
Have a look at the code and wait for 30 sec before using it (< 1min
however)
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Bob Bennhoff <bbennhoff@clicweb.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
If the passed credentials are wrong, we shouldn't expose things like the
password is expired.
This patch takes care of that.
To test:
1. Have a known patron with password_expiration_date set so its
password is expired. Can be done like:
$ koha-mysql kohadev
> UPDATE borrowers \
SET password_expiration_date='2022-04-25' \
WHERE borrowernumber=132;
Note: change the borrowernumber
2. Attempt to login to the OPAC with wrong credentials
=> SUCCESS: You are rejected, with a message telling credentials are
wrong
=> FAIL: You are told the password is expired.
3. Apply this patch and restart Plack
4. Repeat 2
=> SUCCESS: You are rejected, credentials are wrong and no mention to
password being expired.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch adds the ability to define password_expiry_days for a patron
category.
When defined a patron's password will expire after X days and they will
be required to reset their password. If OPAC resets are enabled for the
catgeory they may do so on their own, otherwise they will need to
contact the library
To test:
1 - Apply patch, updatedatabase
2 - Set 'Password expiration' for a patron category
Home-> Administration-> Patron categories-> Edit
3 - Create a new patron in this category with a userid/password set,
and an email
4 - Confirm their password_expiration_date field is set
SELECT password_expiration_date FROM borrowers WHERE borrowernumber=51;
5 - Create a new patron, do not set a password
6 - Confirm their password_expiration_date field is NULL
7 - Update the patron with an expiration to be expired
UPDATE borrowers SET password_expiration_date='2022-01-01' WHERE borrowernumber=51;
8 - Give the borrower catalogue permission
9 - Attempt to log in to Straff interface
10 - Confirm you are signed out and notified that password must be
reset
11 - Attempt to sign in to OPAC
12 - Confirm you are signed out and notified password must be reset
13 - Enable password reset for the patron's category and perform a
password reset
Note: you will have to find the link in the message_queue unless
you have emails setup on your test environment
SELECT * FROM message_queue WHERE borrowernumber=51;
14 - Confirm that you can now sign in and password_expiration_date field
is set 10 days in the future
15 - Expire the patron's password again
16 - Change the patron's password via the staff interface
17 - Confirm they can sign in and the expiration is updated
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Bob Bennhoff <bbennhoff@clicweb.org>
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patchset introduces the Two-factor authentication (2FA) idea in
Koha.
It is far for complete, and only implement one way of doing it, but at
least it's a first step.
The idea here is to offer the librarian user the ability to
enable/disable 2FA when logging in to Koha.
It will use time-based, one-time passwords (TOTP) as the second factor,
an application to handle that will be required.
https://en.wikipedia.org/wiki/Time-based_One-Time_Password
More developements are possible on top of this:
* Send a notice (sms or email) with the code
* Force 2FA for librarians
* Implementation for OPAC
* WebAuthn, FIDO2, etc. - https://fidoalliance.org/category/intro-fido/
Test plan:
0.
a. % apt install -y libauth-googleauth-perl && updatedatabase && restart_all
b. To test this you will need an app to generate the TOTP token, you can
use FreeOTP that is open source and easy to use.
1. Turn on TwoFactorAuthentication
2. Go to your account, click 'More' > 'Manage Two-Factor authentication'
3. Click Enable, scan the QR code with the app, insert the pin code and
register
4. Your account now requires 2FA to login!
5. Notice that you can browse until you logout
6. Logout
7. Enter the credential and the pincode provided by the app
8. Logout
9. Enter the credential, no pincode
10. Confirm that you are stuck on the second auth form (ie. you cannot
access other Koha pages)
11. Click logout => First login form
12. Enter the credential and the pincode provided by the app
Sponsored-by: Orex Digital
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This patch modifies the way Koha sets cookies so that the "sameSite"
attribute is explicitly set to "Lax." This option is chosen because it
is the value which is currently assumed by browsers when the sameSite
attribute is not set.
To test, apply the patch and restart services.
- Log in to the staff interface and open your browser's developer tools.
- In Firefox, look for a "Storage" tab.
- In Chrome, look for an "Application" tab.
- Under "Cookies," click the URL of the staff interface.
- You should see all the cookies which are set for that domain.
- The CGISESSID cookie should have sameSite set to "Lax."
- Go to Cataloging -> New record.
- Check the "marcdocs" and "marctags" cookies.
- Switch to the Advanced MARC editor (you may need to enable
theEnableAdvancedCatalogingEditor preference).
- Check the "catalogue_editor" cookie.
- Add a new item to an existing bibliographic record.
- Check the "LastCreatedItem" cookie which is set after you save the
new item.
- Go to Authorities -> Authority search.
- In authority search results, click "Merge" from the "Actions" menu
next to one of the results..
- Check the "auth_to_merge" cookie.
- Go to Administration -> MARC bibliographic framework
- Choose "MARC structure" from the menu corresponding to one of the
frameworks.
- Check the "Display only used tags/subfields" checkbox.
- Check the "marctagstructure_selectdisplay" cookie.
- Go to Circulation -> Check out to a patron with checkouts.
- Check the "Always show checkouts immediately" checkbox.
- Check the "issues-table-load-immediately-circulation" cookie.
- Go to Tools -> Patron clubs. You will need at least one active club
with one or more patrons enrolled.
- From the list of clubs, click Actions -> Search to hold.
- Check the "holdforclub" cookie.
- Go to Tools -> Batch item modification and submit a batch of items.
- Uncheck one or more checkboxes in the "Show/hide columns" area.
- Check the "showColumns" cookie.
- View a patron -> Search to hold.
- Check the 'holdfor' cookie.
- With WebBasedSelfCheck enabled, log in to the self-checkout page.
- Check the "JWT" cookie.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
The cookie created on L1496 is useless, since it is not returned.
We could either remove the cookie creation (unchanged behavior).
But since check_api_auth is expected to return a cookie when it is ok,
I opt for returning the cookie here (corrected behavior).
Test plan:
Logout in staff.
Check on staff: /cgi-bin/koha/svc/localization?id=1
You should have a 400 response.
Login with staff credentials (incl. manage_itemtypes)
Revisit same URL.
You should see a JSON response.
Check if you can hit other staff pages.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
We can now use $cookie_mgr->replace_in_list instead. This
effectively removes duplicates and keeps the newest cookie.
Note: In the test plan below we are just verifying if
this patch did not change behavior. The replace_in_list
routine has been tested already in a unit test.
Test plan:
Run t/db_dependent/Auth.t
Login at OPAC.
Hit some opac and staff pages.
Perform an Advanced search on OPAC.
Check cookies in browser.
Logout.
Check cookies again. Verify with your do_not_remove_cookie lines
in koha-conf.xml.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Test plan:
Enable language selection and have two languages.
Change language.
Check cookie value in browser for KohaOpacLanguage.
Logout.
Verify that cookie has been cleared in browser.
Add do_not_remove_cookie line for KohaOpacLanguage in koha-conf.
Restart, flush.
Login again.
Change language.
Check cookie value in browser for KohaOpacLanguage.
Logout.
Verify that cookie still contains the language.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amended: Reverted the change to $cookies to minimize changes.
Fixed Auth.t where checkauth is being mocked.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
There are 2 prefs that control the default view of biblio detail pages:
IntranetBiblioDefaultView for staff and BiblioDefaultView for OPAC.
There are as well viewISBD, viewLabeledMARC and viewMARC to allow/don't
allow access to those page for staff members.
This code need to be in a single place to avoid discrepancy.
Test plan:
Play with BiblioDefaultView and IntranetBiblioDefaultView and confirm
that the links of biblio point to the correct view.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
If there is deleted session info but no session->id, a wrong cookie
with empty name could be generated containing expired session id.
Test plan:
Run t/db_dependent/Auth.t
Login. Check cookies in browser.
Logout. Check cookies in browser.
Without this patch, you should see an invalid cookie.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This is quite a misleading call.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
