This adds a new syspref: AllowPKIAuth. It can have one of three states:
* None
* Common Name
* emailAddress
If a) this is set to something that's not "None", and b) the webserver
is passing SSL client cert details on to Koha, then the relevant field
in the user's certificate will be matched up against the field in the
database and they will be automatically logged in. This is used as a
secure form of single sign-on in some organisations.
The "Common Name" field is matched up against the userid, while
"emailAddress" is matched against the primary email.
This is an example of what might go in the Apache configuration for the
virtual host:
#SSLVerifyClient require # only allow PKI authentication
SSLVerifyClient optional
SSLVerifyDepth 2
SSLCACertificateFile /etc/apache2/ssl/test/ca.crt
SSLOptions +StdEnvVars
The last line ensures that the required details are
passed to Koha.
To test the PKI authentication, use the following curl command:
curl -k --cert client.crt --key client.key https://URL/
(look through the output to find the "Welcome," line to indicate that a user
has been authenticated or the "Log in to Your Account" to indicate that a
user has not been authenticated)
To create the certificates needed for the above command, the following series
of commands will work:
# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# This is the ca.crt file that the Apache config needs to know about,
# so put the file at /etc/apache2/ssl/test/ca.crt
# Create the Server Key, CSR, and Certificate
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
# We're self signing our own server cert here. This is a no-no in
# production.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
-set_serial 01 -out server.crt
# Create the Client Key and CSR
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr
# Sign the client certificate with our CA cert. Unlike signing our own
# server cert, this is what we want to do.
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
-set_serial 02 -out client.crt
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
# In theory we can install this client.p12 file in Firefox or Chrome, but
# the exact steps for doing so are unclear, and outside the scope of this
# patch
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Tested with Common Name and E-mail authentication, as well as with PKI
authentication disabled. Regular logins continue to work in all cases when
SSL authentication is set to optional on the server.
Signed-off-by: Ian Walls <koha.sekjal@gmail.com>
QA comment: synchronized updatedatabase.pl version of syspref with sysprefs.sql
version, to avoid divergent databases between new and upgrading users.
Branches can have their own version of notices - added branchcode to
letter table.
Support html notices - added is_html to letter table.
Support for borrower attributes in templates.
GetPreparedletter() is the interface for compiling letters (notices).
Sysprefs for notice and slips stylesheets
Added TRANSFERSLIP to the letters
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
This patch adds a system preference under Patron -> BorrowerRenewalPeriodBase
Using this preference the patch allows renewal of Patron account either from todays date or from existing expiry date in the patrons account.
To test : Apply patch; Set System Preference BorrowerRenewalPeriodBase ( under Patron ) to "current membership expiry date";
Renew a patron; You will observe that patrons account expiry date has been calculated from previuos expiry date instead of today's date
( as is the default in Koha prior to this patch ).
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Changed the two action names into caps no-spaces.
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
* fixed documentation in C4/Auth_with_ldap.pm
* updated ILSDI/Utility.pm to work with debarred being a date
* updated Members.pm/patronflags to work with debarred being a date (copy/paste of BibLibre code that had not been backported)
* fixed opac-reserve to check correctly for debarred status
I also have removed a duplicate line on circulation.pl when the patron was restricted = the information was displayed twice
Some code coming from BibLibre has been lost in the process of inclusion in
3.4. The result is that fine in days does not work at all (you can setup rules,
but it does nothing)
Step to reproduce:
- Koha > Admin > circ rules > set 1 day fine every day of overdue for default
rule
- Issue a book return date last week
- check-in the book => no debarment is set
The following patch will fix all of those problems by :
* updating borrowers.debarred to a date field (instead of tinyint). It contains
the limit of the debarment
* changing API of DebarMember and UpdateBorrowerDebarred to pass a date
* display debarrdate where applicable. Note that a debarrdate of 31/12/9999 is
considered as unlimited and not displayed
* added a debarrcomment, usefull to explain why a patron is debarred (this is
independant from debarrdate changes and can be used when placing an unlimited
debarment too)
[2011-05-12] F. Demians. It works as described. And I can confirm this
functionality is impatiently awaited by French libraries since one year. Thanks
BibLibre for the good work and for contributing this code.
Bug 6328 Followup--update DB structure
Thanks Katrin.
Bug 6328: make comment a textbox / fix debar by notice trigger
Debarring by notice triggers was broken, because the new function
expects a date as second parameter.
The comment field in patron account details was a very long text field.
Patch changes it to be a textbox instead.
Bug 6328: Lift debarment leaves patron account
'Lift debarment' redirects to an empty circulation page.
BZ6328 follow-up 3
Fixes comment 23 from Fernando L. Canizo : when the patron was debarred and debar removed
he still could not check-out.
The changes in the IsMemberBlocked (that were on biblibre/master) were lost somewhere
The sub was still checking for old_issues instead of calling CheckBorrowerDebarred
to get a debardate if applicable
Note : this bug was appearing only is you had issuing rules defined for itemtype/categorycode/branch.
Seemed to work if you had only default rules. That's probably why it hadn't been spotted before
BZ6328 follow-up 4
Comments fron Zeno Tajoli: The patch is OK and I sign-off it. Two little changes done on
installer/data/mysql/kohastructure.sql and installer/data/mysql/updatedatabase.pl
Signed-off-by: koha <koha@kohabase.localdomain>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Works as advertised, doesn't affect display for non-organisational patrons.
Note: Display change in OPAC only affects the summary tab.
It would be a little bit more consistent to make the name show the
same on all tabs in OPAC patron account.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
I repeated Katrin's signoff here (with permission). The patch only changed for some minor rebasing and cosmetic QA requests. Passed QA now.
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Removed SearchMembers() and replaced with more generic Search()
Amended Search() to try cardnumber first
Replaced SearchMembers() calls with Search()
Replaced SELECT with Search() where appropriate
C4::SQLHelper:
- added support for '' key for search filter.
- when passing an array to filter, join with OR (rather than AND)
- added support for key => [val1, val2] in filter
- did not document - there was no input documentation to start with,
and SQLHelper should be replaced with something better anyway
Signed-off-by: Liz Rea <lrea@nekls.org>
(again - testing merge issue)
The functionality of the patch seems to be maintained with Biblibre's changes.
I tested the following:
Extended attribute searching: works
3 part name searching: works
2 part name searching: works
1 part name searching: works
From:
mainpage.pl
members-home.pl
Patron search limited by branch: Works
Patron search limited by patron category: works
Ordering by cardnumber instead of surname: works
The "Check Out" field in the masthead.
Circ Autocomplete is not reliably functional at this time, but the problem appears to predate this patch.
Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Return list was documented as being in the reverse order
to how it is returned. Correct the perldoc description
also removed comments which did not help anyone trying
to make sense of this subroutine
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Just improving text comments. No code changes involved.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Explicitly specifies which fields to return in C4::Overdues::checkoverdues
SQL: all of biblio, items, and issues, and everything in biblioitems
EXCEPT marc, marcxml and timestamp.
Bug 6801: member details page taking long time to load when many checkouts present
This patch removes the call to GetMemberDetails in build_issue_data; this heavy-weight
subroutine was being run for every single item a patron (or their relatives) have checked out.
Instead, the borrowers first name, surname and cardnumber are added to the GetPendingIssues query.
I believe this is reasonable since GetPendingIssues can now return issues for multiple borrowers.
Also corrects the $borrowernumber used for GetIssuesCharges and CanItemBeRenewed; was using the borrower whose
page we were on, NOT the borrower of that specific item (which would be different in the Relatives Checkouts tab).
Template calls to [% scope.borrowername %] are now broken up into [% scope.firstname %] [% scope.surname %].
Signed-off-by: Liz Rea <lrea@nekls.org>
On my test data, a patron with 180 checkouts (without this patch) would take more than a minute to bring back the circulation.pl and moremember.pl pages.
With this patch, the time is reduced to 5 or so seconds.
Big ups to Ian for tenaciously hunting this one down.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
If patron related logging is tuned on, log membership renewal
Signed-off-by: Amit Gupta <amit.gupta@osslabs.biz>
Signed-off-by: Nicole Engard <nengard@gmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
If a user is placing a reserve on the OPAC, this'll let them know that
it's going to cost them.
Author: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Change to parameter list in GetPendingIssues made it
callable by an empty list resulting in invalid sql being
sent to server. As this was occuring on most issues error log
was filling up. Put safeguard in the routine
Also don't bother calling when you have no need
Some of the processing was needlessly obscure
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
- Updates cities management (admin/cities.pl) to record a separate
state and country field.
- Updates the cities table with these new columns
- Modifies the patron entry form to populate city, state, zip
and country when the user chooses a prepopulated city entry
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
The previous patch broke the autoMemberNum feature by adding a line to fixup_cardnumber
that returned 'undef' for cardnumber in all usages of the subroutine (limited to members/memberentry.pl
and tools/import_borrowers.pl. This prevented the automatic number from being calculated in all cases.
This patch removes the offending line.
Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
05eb43f5fc reverted a previous
implementation of 3674.
3674 was encoding the password field when it was meant to be disabled
(password='!'), and then, in Auth.pm we were trying to compare an
encoded '!' with '!', which will never succeed.
This gets sure we encode only provided passwords and also includes an
auto generated login.
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Excluding entries in old_issues which have a NULL itemnumber
Signed-off-by: Magnus Enger <magnus@enger.priv.no>
Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Some spreadsheet programs use smart quotes which causes the db to throw
an error when an insert/update is attempted due to improper processing
of the CSV file. This patch adds code to check for smart quotes and change
them to "dumb" quotes.
This patch also adds more logging of errors and a notice to the user to check
the logs for errors when they occur.
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Now a blank cardnumber will get stored as a null in the database, which
is a value that allows duplicates. As such, if cardnumbers aren't
mandatory, then you can actually save a user with it being blank.
Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Trivial fix, now it choose surname if firstname is empty and behaves
like before (firstname.surname) if both are provided.
Signed-off-by: Frederic Demians <frederic@tamil.fr>
Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
This patch will enable C4::Members::SearchMember to handle searching for punctuated
names (e.g. the "Jones" in "Smith-Jones" or the "Angelo" in "D'Angelo")
It is possible to add a bunch of LIKE clauses, but that adds to the search time in
a rather dramatic way. REGEXP, by itself, is also a performance killer, but I found
a suggestion of using a more-general LIKE ANDed with the specific REGEXP, and this
gives excellent performance over other approaches.
Signed-off-by: Guillaume Hatt <guillaume.hatt@enc.sorbonne.fr>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Duplicate of '[PATCH] MT3747: Shows member relatives in issueslists' : Subject was wrong
MT3747, Follow-up: Adds siblings issues
MT3747, Follow-up: Shows member relatives in issues lists
- Now displays patron's and relatives' issues apart
MT3747, Follow-up: Shows member relatives in issues lists
- Removes renewal in circulation.pl
- Adds links to moremember.pl
MT3747, Follow-up: Shows member relatives in issues lists
- Remove unuseful warn
MT3747, Follow-up: Shows member relatives in issues lists
- Removes renewal in moremember.pl
MT3747, Follow-up: Shows member relatives in issues lists
- Adds sorting for circulation.pl
Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Restores ability to search on extended borrower attributes that are configured to be searchable
Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
This patch adds two sysprefs to allow libraries more fine-grained control over
when fines can and can't be overridden. The two sysprefs are:
* AllFinesNeedOverride - when this syspref is set to "Require" (default) any
fine will require a staffmember to override the fine in order to check out a
book. When set to "Don't require," fines below noissuescharge will not need
any override.
* AllowFineOverride - when this syspref is set to "Allow," staff will be able to
override fines that are above noissuescharge. When set to "Don't allow"
(default), staff will not be able to check out items to patrons with fines
greater than noissuescharge.
Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Reimplements Paul Poulain's original OPAC Privacy patch, with some minor improvements and changes to wording
If the library enables the OPACPrivacy system preference along with the opacreadinghistory preference, and sets
an AnonymousPatron (must be a valid patron number in the database), the user will see a new tab upon login to
the OPAC, My Privacy. From there, the user can:
- Set their OPAC Privacy to one of three values
0 - Forever. This keeps their reading history unless they explicitly delete it; the bulk anonymiser won't touch it
1 - Default. Keep reading history until either they delete it or the library does
2 - Never. Instantly anonymises reading history upon item return
- Instantly delete their reading history
There is a warning and a popup to confirm. I've removed Paul's extra confirm checkbox, which seemed redundant
A note of which preference the patron has selected is added to the Patorn Details page in the staff client. This is read-only.
This patch also consolidates Privacy system preferences into the Privacy section of the OPAC tab.
Thank you to BibLibre for the original implmentation of this patch, and Los Gatos Public Library for funding and
testing the reimplementation.
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
On the Check Out page, messages related to the borrower are displayed on the
right side. Message text is preceded by a date and library code. The date is
displayed in US format (mm/dd/YYY). Is should be displayed formated depending
on 'dateformat' syspref.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Should fix any remaining warnings with 'podchecker'
Signed-off-by: Andrew Elwell <Andrew.Elwell@gmail.com>
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
* Adopted wording suggested by Kyle Hall for the
USERBLOCKEDREMAINING and USERBLOCKEDOVERDUE circulation blocks
* Updated IsMemberBlocked so that if a patron has accrued
fine days, that will be tested for first before testing
to see if the patron has current overdue items; this solves
a problem introduced in the patch series for bug 4505 where
accrued fine days would be ignored if (a) the patron has
current overdue items but (b) the library has chosen to
set the OverduesBlockCirc syspref to noblock.
* Now correctly assigns the USERBLOCKEDREMAINING and USERBLOCKEDOVERDUE
blocks; prior to this patch, they had been swapped.
FIXME: IsMemberBlock ought to be split into two functions
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Garry Collum's patch correctly identified the core flaw in operation
looking closer revealed some other flaws (2 "blank" options, some vars
and documentation belonging to a superceded version, etc.
Changed GetCities to return a structure rather than the messy two returns
Let the template do the concatenation and removed the CGI::Popup
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
The ReadingHistory sytem preference is no longer used, and possibly
was used by only one library anyway. Removed references to it; note
that had it been turned on, a patron viewing checkout history would have
seen old loans showing up twice.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
