To prevent brute force attacks on Koha accounts, staff and opac, we need to
implement an account lockout process to Koha.
After a number of failed login attempts a users account would become locked.
The user would then need to use the reset password functionality to send a reset
token to their email account. After a successful password reset the lockout flag
would be removed.
The number of failed login attempts before lockout is configurable using a new
system preference 'FailedLoginAttempts'.
How does it work?
When a patron enter an invalid password, the borrowers.login_attempts value
for this patron is incremented. When this value reach the value of the
pref FailedLoginAttempts, the password comparison is not done and the
authentication is rejected.
This login_attempts field is reset when a patron correctly logs in. When
the account is locked the patron has to reset his/her password using
the OpacResetPassword feature or ask a staff member to generate a new
password.
If the pref is not set (0, or '') the feature is considered as disabled,
but the failed login attempts are stored anyway.
Test plan:
0/ Apply patch and execute the update DB entry
1/ Switch on the feature by setting FailedLoginAttempts to 3
2/ Use an invalid password to login at the staff or OPAC interface
3/ After the third consecutive failures, you will be asked to reset your
password if OpacResetPassword is set, or contact a staff member
4/ Switch on OpacResetPassword and reset your password
5/ Confirm that you are able to login
6/ Play with the different combinations
QA details: The trick happens in C4::Auth::checkpw, to make things clear
I had to create a return value (note the awesome name: @return) and
replace the 3 successives if statements with elsif. Indeed if one of
the condition is reached, it will return inside the given block.
Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Test plan:
1. Drop and recreate your db
2. Clear memcached
3. Go through the installer (to speed up this test plan install all
sample data so you dont have to create libraries, patron categories etc. later)
4. On the installer page login as the database user and notice that it
does not work on the first attempt ( you get 'Error: You do not have
permission to access this page')
5. Try logging in as database user for a second time and notice you are
logged in successfully this time
4. In staff interface create a patron account with superlibrarian permissions
5. Logout of the staff interface
6. Login as database user
7. Notice you cant log in. You get the 'Error:: You do not have permission to access this
page' error
8. Try a second attempt and notice you get the same error
9. Open the URL in a new tab and notice the staff interface appears
showing that you are logged in
10. log out and log back in as the superlibrarian user you created and
notice it works on first login attempt
11. Apply patch
12. Log out and try logging back in as database user and notice that you
can login successfully on first attempt
13. Repeat steps 1,2,3 and login as database user and notice the login
works on first attempt
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This features would add the ability to create clubs which patrons may be
enrolled in. It would be particularly useful for tracking summer reading
programs, book clubs and other such clubs.
Test Plan:
1) Apply this patch
2) Run updatedatabase.pl
3) Ensure your staff user has the new 'Patron clubs' permissions
4) Under the tools menu, click the "Patron clubs" link
5) Create a new club template
* Here you can add fields that can be filled out at the time
a new club is created based on the template, or a new enrollment
is created for a given club based on the template.
6) Create a new club based on that template
7) Attempt to enroll a patron in that club
8) Create a club with email required set
9) Attempt to enroll a patron without an email address in that club
10) Create a club that is enrollable from the OPAC
11) Attempt to enroll a patron in that club
12) Attempt to cancel a club enrollment from the OPAC
13) Attempt to cancel a club enrollment from the staff interface
Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
When logging out from OPAC, plack-error.log log and/or opac-error.log
complain about 'uninitialized value $user' in C4/Auth.pm line 187. The
warning is not necessary, this patch removes it.
To test:
- try to trigger warning
- apply patch
- verify that warning no longer occurs
- prove t/db_dependent/Auth.t
- verifiy that SCO still behaves like before (especially if
you break out from sco path)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Updating to use they/them and skipping the ones changed to it
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Comments throughout the Koha codebase assume that
all librarians or borrowers are male by using the
pronoun 'he' universally. This patch changes to
'he or she' / 'him or hers'.
Testing plan:
- ensuring modifying tests still pass:
+ C4/SIP/t/06patron_enable.t
+ t/db_dependent/Circulation.t
+ t/db_dependent/Koha/Patrons.t
+ t/db_dependent/Reserves.t
Sponsored-By: California College of the Arts
No code changes detected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
By restoring some pieces of logic, with the name changed from $persona
to $emailaddress, the openid will work again for OPAC logins.
See https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988#c68
for an excellent test plan.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Did not test it, but trust in author and signoffer
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
- Tests are now in t/db_dependent/Search/History.t
- There were 2 differents sysprefs in sysprefs.sql and in atomicupdate => fixed
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Added a syspref LoadHistory addSearchHistoryToTheFirstLoggedUser to select if you want the system to add the history of searches performed without session when you log in as registered user.
TEST PLAN
1 - Search in the catalogue, check you are not logged
2 - Log in : your last history should appear
4 - Log out
5 - Apply the patch
6 - Repeat 1 and 2
7 - Desactivate the syspref addSearchHistoryToTheFirstLoggedUser
8 - Repeat 1 and 2 : your last history shouldn't appear
The Unit test doesn't rollback but delete the added lines : the function get_template_and_user allway sets the autocommit to 1.
https://bugs.koha-community.org/show_bug.cgi?id=8010
Tested 3 patches together, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
From opac/opac-memberentry.pl, authnotrequired is set.
That means a patron can access the page without being logged in. It is
used on this page for the self registration feature.
From C4::Auth::get_template_and_user, we have
$userid = $q_userid;
$q_userid is previously set to the 'userid' CGI param.
We end up here if authonotrequired is set AND CGISESSID does not exist.
Test plan:
- Run:
$ prove t/db_dependent/Auth.t
=> FAIL: Regression test for checkauth fails
- Apply this patch
- Run:
$ prove t/db_dependent/Auth.t
=> SUCCESS: Tests pass.
- Sign off :-D
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This features would add the ability to create clubs which patrons may be
enrolled in. It would be particularly useful for tracking summer reading
programs, book clubs and other such clubs.
Test Plan:
1) Apply this patch
2) Run updatedatabase.pl
3) Ensure your staff user has the new 'Patron clubs' permissions
4) Under the tools menu, click the "Patron clubs" link
5) Create a new club template
* Here you can add fields that can be filled out at the time
a new club is created based on the template, or a new enrollment
is created for a given club based on the template.
6) Create a new club based on that template
7) Attempt to enroll a patron in that club
8) Create a club with email required set
9) Attempt to enroll a patron without an email address in that club
10) Create a club that is enrollable from the OPAC
11) Attempt to enroll a patron in that club
12) Attempt to cancel a club enrollment from the OPAC
13) Attempt to cancel a club enrollment from the staff interface
Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
If a patron is not allowed to access the staff interface because its IP
address in the authorised range of IPs, the cookie should not contain
the CGISESSID.
If it is, the patron is logged in and will be able to access the staff
interface if he reload the page (or hit another one).
Test plan:
Confirm the that AutoLocation feature is now working as expected.
Note: It seems that this feature has never really worked as intended.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
At the OPAC, the AutoLocation feature should not be taken into account:
login to the OPAC from outside the IP range should work
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Those 2 prefs can be independent and it does not make sense to consider
AutoLocation only if IndependentBranches is set.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The example in branches.tt is:
Can be entered as a single IP, or a subnet such as 192.168.1.*
But actually the regex in C4::Auth does not handle subnets.
Test plan:
0/ Apply all the patches
1/ Switch AutoLocation on
2/ Define a subnet (192.168.0.* if your ip is like 192.168.0.X) in the IP
range of your library
3/ Log in on the staff interface
=> Should work
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Persona never really took off, and although many browsers currently
support it, very few services actually implement it.
This has lead to it's founders, Mozilla, to end the project. In their
own words:
=============================================================================
Persona is no longer actively developed by Mozilla. Mozilla has
committed to operational and security support of the persona.org
services until November 30th, 2016.
On November 30th, 2016, Mozilla will shut down the persona.org services.
Persona.org and related domains will be taken offline.
If you run a website that relies on Persona, you need to implement an
alternative login solution for your users before this date.
For more information, see this guide to migrating your site away from
Persona:
https://wiki.mozilla.org/Identity/Persona_Shutdown_Guidelines_for_Reliers
=============================================================================
Given the above, and that the Persona authentication methods as a whole
are no longer being actively maintained by anyone anywhere to ensure
ongoing security, we should deprecate the option from koha.
Test plan:
Apply this patch and make sure you do not find any references of Persona
Have a look at patches from bug 9587 and confirm that everything has
been reverted
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Code looks good to me.
Also ran several tests including: Auth.t, Auth_with_shibboleth.t.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
From C4::Auth:
my $patron = Koha::Patrons->search({ userid => $userid })->next;
This should be replaced with
my $patron = Koha::Patrons->find({ userid => $userid });
userid is a unique key
Caught with NYTProf:
# spent 78.9ms making 1 call to Koha::Objects::next
Test plan:
Login at the intranet
Reload the page
=> You must still be logged in
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Tested by enabling TrackLastPatronActivity and logging in again.
Verified lastseen column in borrowers.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Do not track when the pref has not been enabled.
This patch moves the conditional update in Auth.pm to Koha::Patron.
And adds a test for the new track_login method.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
In order to add the ability to delete patrons who have been inactive for
more than a given time, we need to track down the last time they were
active.
To do that, we need a new DB column in the borrowers table (lastseen).
Note that the borrowers.lastseen column will not be initialised for existing
installations (set to NULL) so inactive existing patrons will never be
deleted.
A workaround would be to init them at the date when the new column will
be added.
Test plan:
0/ Set the new pref TrackLastPatronActivity on
1/ Log in as a patron (staff or OPAC)
2/ Check that the borrowers.lastseen field has been updated with the
current time
Sponsored-by: BULAC - http://www.bulac.fr/
Signed-off-by: Nicolas Legrand <nicolas.legrand@bulac.fr>
https://bugs.koha-community.org/show_bug.cgi?id=12276
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
[1] Acquisition.pm
The lines filling $row in GetBasketGroupAsCSV may have side-effects when
the library name is not found. This change restores former behavior. Just
theoretically more safe.
Note that it also contained a typo: $row->{deliveryplace} should have been
$row->{$place}.
[2] Auth.pm
checkauth: $branchname = Koha::Libraries->find($branchcode)->branchname;
Should normally be fine, but I rather have an empty string here than
crashing on "Can't call method branchname on undefined value".
Same for sub check_api_auth.
Note that this holds for a larger number of calls, but I am adding a check
here because it is checkauth.
Also removed a duplicate use Koha::Libraries-statement.
[3] Search.pm
Also removed a duplicate use statement for Libraries.
[4] svc/holds
Added an (explicit) use statement for Koha::Libraries.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This is the fourth and last patch set to remove C4::Branch.
The real purpose of this patch is to standardise and refactor some code
which is related to the libraries selection/display.
Its unconfessed purpose is to remove the C4::Branch package.
Before this patch set, only 6 subroutines still existed in the C4::Branch
package:
- GetBranchName
- GetBranchesLoop
- mybranch
- onlymine
- GetBranches
- GetBranch
GetBranchName basically returns the branchname for a given branchcode.
The branchname is only used for a display purpose and we don't need to
retrieve it in package or pl scripts (unless for a few exceptions).
We have a `Branches` template plugin with a `GetName` method which does
exactly this job.
To achieve this removal, we will use this template plugin and delete the
GetBranchName from pl and pm files.
The `Branches.all()` will now select the library of the logged in user
if no `selected` parameter has been passed.
This new behavior could cause regressions, for instance there are some
places where we do not want an option preselected (batch item
modification for instance), keep that in mind when testing.
GetBranchesLoop took 3 parameters: $branch and $onlymine.
The first one was used to set a "selected" flag, for a display purpose:
select an option in the libraries dropdown lists.
The second one was useless: If not passed or set to 0, the
`C4::Branch::onlymine` subroutine was called.
This onlymine flag was use to know if the logged in user was able to see
other libraries infos.
A patron can see the infos from other libraries if IndependentBranches
is not set OR if he has the superlibrarian permission.
Prior to this patch set, the "onlymine test" was done on different
places (neworderempty.pl, additem.pl, holidays.pl, etc.), including the
Branches TT plugin. In this patch set, this test is only done on one
place (C4::Context::only_my_library, code moved from
C4::Branch::onlymine).
To accomplish the same job as this subroutine, we just need to call the
`Branches.all()` method from the `Branches` TT plugin. It already
accepts a `selected` parameter to set a flag on the option to select.
To avoid the repetitive
[% IF selected %]<option selected="selected">[% ELSE %]<option>[% END %]
pattern, a new `html_helpers` TT include file has been created, it
defines an `options_for_libraries` block, which takes a `selected`
parameter. We could imagine to use this include file for other
selects.
The 'mybranch` and `onlymine` subroutines of the C4::Branch package have
been moved to C4::Context. onlymine has been renamed with
only_my_library. There are only 4 occurrences of it, against 11 before
this patch set.
There 2 subroutines are Context-centric and it makes sense to put them
in `C4::Context` (at least it's the least worst place!)
GetBranches is the tricky part of this patch set: It retrieves all the
libraries, independently of the value of IndependentBranches.
To keep the same way as the existing calls of `Branches.all()`, I have
added a `unfiltered` parameter. If set, the `Branches.all()` will call
a usual Koha::Libraries->search method, otherwise
Koha::Libraries->search_filtered will be called. This new method will
check if the logged in user is allowed to see other libraries or only
its library.
Note that this `GetBranches` subroutine also created a `category` key:
it allowed to get the list of groups (of libraries) where this library
existed. Thanks to a previous patch set (bug 15295), this value was
not used anymore (I may have missed something!).
Note that the only use of `GetBranch` was buggy (see bug 15746).
Test plan (for the whole patch set):
The best way to test this whole patch set is to test with 2 instances: 1
with the patch set applied, 1 using master, to be sure there is no
regression.
It would be good to test the same with `IndependentBranches` and the
without `IndependentBranches`.
No difference should be found.
The tester must focus on the library dropdowns on as many forms as
possible.
You will notice changes in the order of the options: the libraries will
now be ordered by branchname (instead of branchcode in some places).
A special attention will be given to the following page:
- acqui/neworderempty.pl
- catalogue/search.pl
- members/members-home.pl (header?)
- opac/opac-topissues.pl
- tools/holidays.pl
- admin/branch_transfer_limits.pl
- admin/item_circulation_alerts.pl
- rotating_collections/transferCollection.pl
- suggestion/suggestion.pl
- tools/export.pl
Notes for QA:
- There are 2 FIXMEs in the patch set, I have kept the existing behavior,
but I am not sure it's the good one. Feel free to open a bug report and
I will fill a patch if you think it's not correct. Otherwise, remove the
FIXME lines in a follow-up patch.
- The whole patch set is huge and makes a lot of changes.
But it finally will tremendously reduce the number of lines:
716 insertions for 1910 deletions
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
TODO: Would be better to provide a better way to know if memcache is correctly set
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Mojolicious does not set $ENV{REMOTE_ADDR} (neither $ENV{HTTP_*}) as
it may share ENV between different requests.
Fortunately for us, Plack does not!
This is a dirty patch to fix this issue but it seems that there is not
lot of solutions. It adds a remote_addr parameter to
C4::Auth::check_cookie_authin order to send it from
Koha::Rest::V1::startup reading the headers sent by Mojolicious.
Test plan:
Hit /cgi-bin/koha/mainpage.pl
Hit /api/v1/patrons/42
Hit /cgi-bin/koha/mainpage.pl
With this patch applied, everything will be fine and you won't be
logged out.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Test plan:
0) Have either CAS or Shibboleth authentication enabled under Plack.
1) Hover over the authentication link on the staff client or OPAC, and
notice that it has either '.../opac/...' or '.../intranet/...' instead
of '.../cgi-bin/koha/...'. (This will be a complete dealbreaker for CAS
authentication.)
2) Apply patch.
3) Check links again; they should now have the correct paths.
Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Did not test CAS or Shibboleth, but no regression found.
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Bug 14507 introduced the use of checkpw in C4::SIP::ILS::Patron so that
non-Koha internal authentication processes would be able to function via
SIP ( LDAP et al ).
The problem is that checkpw changes the userenv to that of the patron!
This is not usually an issue in Koha because most of the time that
patron running through checkpw is the one to be logged in.
Aside from SIP2 the only other area where this may be an issue is in SCO
when using SelfCheckoutByLogin.
Test Plan:
1) On master, check out an item to a patron via SIP2
2) Note the checkout lists the item as having been checked out
from the patron's home library not matter which library is was
supposed to be checked out from.
3) Apply this patch
4) Re-checkout the item
5) The item should now be checked out as if it was checked out from
the library as defined in the SIP configuration file.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This uses a hacky but simple method to get the correct script name under
proxied packaged Plack.
Test plan:
1) Log out of both the OPAC and staff side.
2) Try to access a page that requires login (opac-reserve.pl is a
good one for the OPAC), then log in.
3) You will be redirected back to mainpage.pl or opac-user.pl.
4) Repeat above for both staff side and OPAC.
5) Apply patch.
6) Repeat steps 1-4; you should be redirected back to the original
page you were on.
7) Repeat the above for both a traditional CGI and kohadevbox/package
Plack installation.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
There are 2 prefs to drive this feature: StaffAuthorisedValueImages and
AuthorisedValueImages. AuthorisedValueImages is not added by
sysprefs.sql and does not appear in updatedatabase.pl, we could easily
imagine that nobody uses it.
With XSLT enabled, the feature is only visible on a record detail page
at the OPAC, if AuthorisedValueImages is set. Otherwise you need to turn
the XSLT off. In this case you will see the images on the result list
(OPAC+Staff interfaces) and OPAC detail page, but not the Staff detail
page.
This patch suggests to remove completely this feature as it does not
work correctly.
The ability to assign an image to an authorised value is now always
displayed, but the image will only be displayed on the advanced search
if defined.
Test plan:
Confirm that the authorised value images are no longer visible at the
opac and the staff interfaces.
The prefs should have been removed too.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Currently if not logged in when browsing to
http://YOURCATALOG/cgi-bin/koha/sco/sco-main.pl
You are redirected to opac-auth.tt and SCOUserCSS and SCOUserJS are not
loaded. This page passes through a parameter to the template to indicate
this is an SCO login and appropriate CSS and JS should be loaded.
Additionally this patch ensure that when loggin in using the form you
are redirected to the sco-main.pl instead of the patron account page for
the user.
To test:
1 - Verify that normal login works on both staff and opac
2 - Verify that SCO link goes to login page if AutoSelfCheckAllowed is
set to "Don't allow"
3 - Enter changes into SCOUserJS and SCOUserCSS and observe these are
present on SCO log in page with AutoSelfCheck disabled
4 - Verify that a logged in opac user without permissions cannot access
the self-checkout module
5 - Verify that AutoSelfCheckAllowed and associated system preferences
function as expected
6 - Verify the AutoSelfCheck user is logged out if they attempt to visit
another page
Followed test plan.
If I go to http://YOURCATALOG/cgi-bin/koha/sco/sco-main.pl, CSS and JS trigger already on
the login form, I suppose that is intended.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
The login page should not be displayed if the page is displayed in a
frame.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
Test Plan (remains the same):
0) Back up your database
1) Apply all these patches
2) In your mysql client use your Koha database and execute:
> DELETE FROM systempreferences;
> SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql;
-- Should be no errors.
> SELECT * FROM systempreferences LIKE 'GoogleO%';
-- Should see 4 entries.
> QUIT;
3) Restore your database
4) Run ./installer/data/mysql/updatedatabase.pl;
5) In your mysql client use your Koha database and execute:
> SELECT * FROM systempreferences LIKE 'GoogleO%';
-- Should see the same 4 entries.
6) Log into the staff client
7) Home -> Koha administration -> Global system preferences
8) -> OPAC
-- make sure your OPACBaseURL is set (e.g. https://opac.koha.ca)
9) -> Administration
-- There should be a 'Google OAuth2' section with the ability
to set those 4 system preferences.
10) In a new tab, go to https://console.developers.google.com/project
11) Click 'Create Project'
12) Type in a project name that won't freak users out, like your
library name (e.g. South Pole Library).
13) Click the 'Create' button.
14) Click the 'APIs & auth' in the left frame.
15) Click 'Credentials'
16) Click 'Create new Client ID'
17) Select 'Web application' and click 'Configure consent screen'.
18) Select the Email Address.
19) Put it a meaningful string into the Product Name
(e.g. South Pole Library Authentication)
20) Fill in the other fields as desired (or not)
21) Click 'Save'
22) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL.
(http://library.yourDNS.org)
23) Change the 'AUTHORIZED REDIRECT URIS' to point to the new
googleoauth2 script
(http://library.yourDNS.org/cgi-bin/koha/svc/auth/googleopenidconnect)
24) Click 'Create Client ID'
25) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID
system preference.
26) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret
system preference.
27) Change the GoogleOpenIDConnect preference to 'Use'.
28) Click 'Save all Administration preferences'
29) In the OPAC, click 'Log in to your account'.
-- You should get a confirmation request, if you are
already logged in, OR a login screen if you are not.
-- You need to have the primary email address set to one
authenticated by Google in order to log in.
30) Run koha qa test tools
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Mainly a
perl -p -i -e 's/^.*3.07.00.049.*\n//' **/*.pm
Then some adjustements
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
perl -p -i -e 's/^(use vars .*)\$VERSION\s?(.*)/$1$2/' **/*.pm
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
The singleBranchMode system preference does not make sense.
Either the install has only 1 library defined or several. In both case,
we can easily guess the behavior to follow.
So the idea of this patch is to replace the fetch of this syspref with a
call to count the number of libraries defined in DB.
Test plan:
1/ From a fresh Koha install, execute the DB entry to remove the pref.
2/ Define only 1 library
3/ Confirm that Koha behaves the same as before (try to change your
library, look at the facets)
4/ Create another library (or more) and reinsert the pref and set it:
insert into systempreferences (variable, value)
values('singleBranchMode', 1);
5/ Execute the DB entry
You should get a warning message.
6/ Repeat 3.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Does what it says, but will change behaviour for any Koha install that
has 2 branches defined, One circulation, and this preference set.
If that is an acceptable change, we might need to make sure this is noted well in the
release notes.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Test plan:
Log you in!
Without this patch applied, you will get a warning
"Fetching the value or values of a single named parameter"
With this patch applied, the warning from C4::Auth line 401 should not
appear anymore in the log file.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Note: no warnings for older CGI versions.
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
If you use multiple instances on one server, you could have the situation
that instance A creates the cgisess subfolder and instance B could have a
permission problem. This patch resolves that by allowing each instance to
have its own cgisess subfolder.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
When some users want to improve performance, one suggestion is to switch the syspref "sessionstorage" to 'tmp',
which store the session info in the /tmp directory instead of the database.
Depending on the frequency of the cleaning process (or lack thereof),
this can be heavy pollution into the /tmp directory, making it unusable.
"rm cgi*" would not even work since cgi* extends to over 8000 items...
A simple fix is to modify the target directory in C4/Auth.pm to /tmp/cgisess.
Testing scenario:
1) change the syspref SessionStorage to 'tmp'
2) Log into the OPAC, validate that a file named /tmp/cgisess_(something) got created
3) Apply the patch
4) Log into the OPAC, validate that a file /tmp/cgisess/cgisess_(something) got created
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Works as advertised. Session files are created in /tmp/cgisess/ instead
of directly in /tmp. I usually store sessions in memcached, but a
couple of times memcached has died on me, and before I knew it, /tmp
was so full of sessions files, I could not easily delete them with
"rm /tmp/cgisess*". Being able to delete /tmp/cgisess/ should be a
bit easier.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Test plan
1/ enable OpacAddMastheadLibraryPulldown
2/ Defined a group of libraries as searchdomain
and tick 'show in pull down'
3/ At the OPAC, go on the advanced search form, limit by the group of
libraries you have just created.
4/ The group should be selected by default in the dropdown list
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
http://bugs.koha-community.org/show_bug.cgi?id=15294
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
This is similar to bug 12877
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
While this is missing a detailed test plan, what I did to test was
1/ Login to koha .. it works
2/ Apply patch
3/ Login to koha .. it still works, no regressions. I can't test the
shibboleth part but it doesnt break anything else so I'm happy to sign
off
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
We had to implement this fix for one of our customers using Shibboleth.
Can verify that it fixes the issue (which, incidentally, breaks
stage-marc-import since that depends on a constant sessionID).
Passing QA (verified with QA tools). Thanks, Martin!
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
This subroutine does a lot a processing and should only be called when
necessary.
In the get_template_and_user subroutine (so called from any pages of
Koha), it is call to pass the branchcode, title, firstname, surname and
borrowernumber values for the logged in user.
This subroutine calls GetMemberAccountRecords which retrieve the items
infos for all accountlines entries of the logged in user.
On members/members.pl, let's say you have 74 entries in the accountlines
tables, the page will execute 115 SELECT instead of 35 if you don't have any
accountlines entries.
With this patch, the number of SELECT is always 31.
To test this patch you should have technical skills to know what to do.
Note that USER_INFO was an array of... 1 element. Now it's a hashref.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch enable use of IntranetUserCss on staff client
login page.
To test:
1) Add something to IntranetUserCSS to modify login page,
for example
#login h1 a {
height:30px;
}
2) Logout from staff client, no changes on login page.
3) Apply the patch
4) Reload, now logo is cut in half :)
Bonus) Login again an try changing image, add
#login h1 {
background: url(http://example.com/img/other-logo.png) no-repeat top center;
}
and fix height. Logout and check
This also affects 3.20 and perhaps earlier versions.
Re-upload to fix examples
Works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
The SCO user should only be allowed to access to the SCO module.
This patch make the session ends if the user tries to access another
page after the SCO module.
Test plan:
0/ Configure the SCO module correctly
1/ Go on the sco main page (sco/sco-main.pl)
2/ Try to go somewhere else: you should not be logged in
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
* Extends login screen to pass along #hash
* Adds JSONP support to C4::Service
* Extends humanmsg to allow per-message classes
* Adds proper charset to results of svc/bib
Test plan:
1. C4/Auth.pm and .../intranet/.../auth.tt: verify that login/usage
works as expected, despite the change to pass on the fragment (...#blah)
from the URL.
2. C4/Service.pm and humanmsg.js: verify that editing system
preferences (the main user of these modules) works correctly despite
updates.
3. svc/bib: verify that records can be correctly downloaded with the
change of character set. This can be done in a Firebug/Chrome Devtools
console by running `$.get('/cgi-bin/koha/svc/bib/1')` and inspecting the
results (possibly replacing 1 with a different valid biblionumber).
Signed-off-by: Nick Clemens <nick@quecheelibrary.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
These 2 fields are not used anymore, but we want to keep them anyway.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
CGI->url does not return the correct url on install using packages.
Test plan:
1/ Try to reproduce the bug from the description of bug 15005.
You should be able to login to the intranet and the OPAC
2/ Send a basket and a list from the intranet and the OPAC.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Mubassir Ahsan asked on the Koha mailing list:
Is there any option to set Saturday as the first day of
the week? Please help me.
CalendarFirstDayOfWeek is currently either Sunday|Monday.
By converting it to 0|1|2|3|4|5|6
(Sunday, Monday, ..., Saturday), we can allow any day of the
week to be the first day of the week in the date picker.
TEST PLAN
---------
1) Backup DB
2) In mysql:
> DELETE FROM systempreferences;
> SOURCE .../installer/data/mysql/sysprefs.sql
> SELECT variable,value FROM systempreferences;
-- It should say 'CalendarFirstDayOfWeek' and '0'
May say '1' if you are using Norwegian.
3) Restore your DB
4) .../installer/data/mysql/updatedatabase.pl
-- If your previous value for 'CalendarFirstDayOfWeek' was
'Sunday', it should be '0'. For 'Monday', it should be '1'.
5) Test an installation with 'de-DE' as the language.
-- The default value should be '1'.
6) Test an installation with 'nb-NO' as the language.
-- The default value should be '1'.
7) In the staff client, confirm that any day of the week is
available in the I18N/L10N system preferences for the
CalendarFirstDayOfWeek dropdown.
-- I'm aware they aren't in order, but I'm after
functionality, not finesse.
8) In another tab, go to a staff place that has a datepicker.
For example, Home -> Tools -> Inventory/stocktaking
9) For each possible value in the CalendarFirstDayOfWeek,
go to the other tab, refresh the page after updating the
system preference, and click the datepicker icon.
-- The date picker should then start on the selected
day of the week.
10) Log into OPAC
-- This may require setting: opacuserlogin to 'Allow'.
11) Click the personal details tab on the left.
12) There is a date picker for the date of birth.
-- The date picker should then start on the selected
day of the week.
13) Run koha QA test tools.
NOTE: not an atomic update, since this is an old patch.
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
In Bug 14408 first patch, the regexp used needs an escape on dot and does not need an ending "?"
Test plan :
- prove t/db_dependent/Auth.t
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Counter counter patch
Please test well, including with the null byte %00, this uses a whitelisting to only allow files ending with .tt
and not allowing ../etc
Note the previous patch tries to protect against /etc/passwd
but //etc/passwd is now vulnerable. I do think a whitelist is safer than trying to do a blacklist
/cgi-bin/koha/svc/virtualshelves/search
/cgi-bin/koha/svc/members/search
Are vulnerable
To test:
1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
Notice you get a valid JSON response
2/ Hit
/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
(You may have add more ..%2f or remove them to get the correct path)
Notice you can see the contents of the /etc/passwd file
3/ Hit
/cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
4/ Apply patch
5/ Hit the first url again, notice it still works
6/ Hit the second url notice it now errors with a file not found
7/ Hit the third url notice it now errors with a file not found
Repeat for the other script also
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Most of them were found and fixed using codespell.
Fix also some related grammar issues.
In C4/Serials.pm a variable was renamed to make future codespelling
checks easier.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
http://bugs.koha-community.org/show_bug.cgi?id=14383
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This pref does not work at all, the interface let the user choose to
list all suggestions, but whatever he chooses the suggestion list is the
same.
This patch cleans a bit the suggestedby management.
There are a lot of cases to test, because linked to 2 prefs:
AnonSuggestions and OPACViewOthersSuggestions.
1/ AnonSuggestions = 0 and OPACViewOthersSuggestions = 0
- A non logged in user is not able to make a suggestion.
- A logged in user is not able to see suggestions made by someone else.
2/ AnonSuggestions = 0 and OPACViewOthersSuggestions = 1
- A non logged in user is not able to make a suggestion.
- A logged in user is able to see suggestions made by someone else.
3/ AnonSuggestions = 1 and OPACViewOthersSuggestions = 0
- A non logged in user is able to make a suggestion.
The suggestedby field will be filled with the AnonymousPatron pref value.
He is not able to see suggestions, even the ones made by AnonymousPatron.
- A logged in user is not able to see suggestions made by someone else.
4/ AnonSuggestions = 1 and OPACViewOthersSuggestions = 1
- A non logged in user is able to make a suggestion.
He is able to see all suggestions.
- A logged in user is able to see suggestions made by someone else.
In all cases a logged in user should be able to search for suggestions
(except if he is not able to see them).
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
All use cases tested, work as expected
No errors
Only comment is perhaps (in the future) a gracefull failure
when AnonymousPatron is not set, or has '0' value
Message is DBIx::Class::ResultSet::create(): Column 'suggestedby' cannot be null at ...
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
The borrow permission was used but uselessly.
For instance, at the opac, the flagsrequired parameter was set to
'borrow' but the 'authnotrequired' was set also (which means no auth
required).
At the end, this permission was used at only 1 place: for the basket,
intranet side.
This can be replaced with the catalogue permission (which is used to
search).
Test plan:
1/ Confirm that you are able to show/download/sent the cart (intranet side)
with the catalogue permission.
2/ At the OPAC, you should be able to access the same pages as before
with any other permissions.
Concretely it is quite difficult to test this patch, you should have a
look at the code.
Signed-off-by: Nick Clemens <nick@quecheelibrary.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
To reproduce:
- Allow commenting in OPAC (Syspref reviewson)
- Log in to OPAC
- Do a search with many results
- Click on a biblio in result list
- Verify that you can browse the results in detail view ("Browse results")
- Repeat teh search above
- Click on the same biblio as above
- Add a comment (Tab "Comments")
- Close commenting window
- Click on "Next" in result browser
Result: The next biblio is displayed, but result browser has disappeared.
To test:
- Apply patch
- Try to reproduce issue above, verify that result browser does no longer disappear
AMended to remove whitespace chars. / MV
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Bug & solution checked, works well. No koha-qa errors
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
First, it is strongly recommended to set the OPACBaseURL. But
this patch allows the inclusion of the protocol and not just
a site.
Next, C4/Auth now puts OPACBaseURL into the template parameters
regardless of OPAC or Staff clients. t/db_dependent/Auth.t was
tweaked to add a check for confirming that get_template_and_user
adds OPACBaseURL to both OPAC and Staff templates.
In the staff client, once the OPACBaseURL is set, you get a nice
OPAC View link when viewing a biblio's detail. It should reflect
the protocol used now.
Hard coded 'http://' strings were removed from the
sample_notices.sql files. This is what required also updating
the letters table in the updatedatabase.pl script.
The explanation text in the sysprefs.sql needed updating too to
reflect the inclusion of the protocol. And this was the other
update done in the updatedatabase.pl script. The opac.pref file
was similarly changed as well.
catalogue/detail.pl had no need to pass a custom OpacUrl value,
since C4/Auth passes the required OPACBaseURL, so it and the
corresponding template were modified.
Both the MARC21 and NORMARC intranet details files had 'http://'
hard coded in them. This was removed.
Both the bootstrap and prog theme opac-detail template had a
protocol parameter that was used. The logic for the parameter
was not removed, because it is used extensively in one template.
Perhaps it should be used to simplify the other. However, the
calculated current_url parameter had references to the protocol
removed, because of the changes to OPACBaseURL.
opac/opac-shareshelf.pl had a hard coded 'http://' which was
removed.
t/db_dependent/Auth_with_cas.t had 'http://' added to the value
set for OPACBaseURL.
In virtualshelves/sendshelf.pl explicit code which sent the
OPACBaseURL preference was removed, since C4/Auth sends it all
the time now.
C4::Context::set_preference was tweaked to ensure that
OPACBaseURL would always start with http.
t/db_dependent/Context.t was tweaked to specifically test this.
The Shibboleth authentication needs OPACBaseURL set, and that
it be https protocol. The _get_uri routine was tweaked to always
pass back https:// as the protocol on the OPACBaseURL.
t/Auth_with_shibboleth.t was tweaked to specifically test the
changes.
TEST PLAN
---------
This is not an easy patch to test. Difficulties include:
- configuring Koha to run under https
(tweaking apache2 isn't so hard, just tricky)
- configuring Koha to run OPAC and Staff with Plak
(since code with comments about plak were sliced out)
- configuring Koha to use CAS
(may be requires for the CAS test)
1) Apply patch
2) Make sure OPACBaseURL is set without the protocol included.
UPDATEDATABASE
3) back up your DB
4) ./installer/data/mysql/updatedatabase.pl
-- It should run without errors.
5) Look up the OPACBaseURL system preference in the staff
client
-- It should have http:// prepended.
6) Run the mysqlclient from your koha git directory
USE koha_library;
SELECT content FROM letter WHERE content LIKE "%<<OPACBaseURL>>%";
-- There should be no prepended http:// on the
<<OPACBaseURL>>.
7) restore your DB
8) Make sure OPACBaseURL is set with the protocol included,
preferably https.
-- Using https requires a bunch of apache2 tweaks.
AUTH
9) Call up staff client.
10) Call up OPAC.
-- C4/Auth.pm doesn't barf.
11) Call up Plack staff client
12) Call up Plack OPAC.
-- C4/Auth.pm doesn't barf.
13) prove -v t/db_dependent/Auth.t
CONTEXT
14) Home -> Koha administration -> Global System Preferences
-> OPAC
15) Modify and save OPACBaseURL to not have http:// or https://
on it.
-- It should be modified to include http://
16) Modify and save another system preference.
-- It should save normally
17) prove -v t/db_dependent/Context.t
CATALOGUE/DETAIL (tt & pl)
18) Confirm the OPACBaseURL is set
19) Navigate to any biblio details in the staff client
-- There should be a "OPAC view" link which has the
correct http:// or https:// in it.
SQL (sample notices and sysprefs)
20) Run the mysqlclient from your koha git directory
USE koha_library;
DELETE FROM letter;
source installer/data/mysql/de-DE/mandatory/sample_notices.sql;
SELECT content FROM letter WHERE content LIKE "%<<OPACBaseURL>>%";
DELETE FROM letter;
source installer/data/mysql/en/mandatory/sample_notices.sql;
SELECT content FROM letter WHERE content LIKE "%<<OPACBaseURL>>%";
DELETE FROM letter;
source installer/data/mysql/nb-NO/1-Obligatorisk/sample_notices.sql;
SELECT content FROM letter WHERE content LIKE "%<<OPACBaseURL>>%";
DELETE FROM letter;
source installer/data/mysql/es-ES/mandatory/sample_notices.sql;
SELECT content FROM letter WHERE content LIKE "%<<OPACBaseURL>>%";
DELETE FROM letter;
source installer/data/mysql/fr-FR/1-Obligatoire/sample_notices.sql;
SELECT content FROM letter WHERE content LIKE "%<<OPACBaseURL>>%";
DELETE FROM letter;
source installer/data/mysql/it-IT/necessari/notices.sql;
SELECT content FROM letter WHERE content LIKE "%<<OPACBaseURL>>%";
DELETE FROM letter;
source installer/data/mysql/pl-PL/mandatory/sample_notices.sql;
SELECT content FROM letter WHERE content LIKE "%<<OPACBaseURL>>%";
DELETE FROM letter;
source installer/data/mysql/ru-RU/mandatory/sample_notices.sql;
SELECT content FROM letter WHERE content LIKE "%<<OPACBaseURL>>%";
DELETE FROM letter;
source installer/data/mysql/uk-UA/mandatory/sample_notices.sql;
SELECT content FROM letter WHERE content LIKE "%<<OPACBaseURL>>%";
-- Each of the selects should should lines that have
<<OPACBaseURL>> starting them, but no hard-coded http://
DELETE FROM systempreferences;
source installer/data/mysql/sysprefs.sql;
SELECT * FROM systempreferences WHERE variable='OPACBaseURL';
-- The explanation should reflect the new explanation.
QUIT
21) restore your DB
22) Make sure OPACBaseURL is set with the protocol included,
preferably https.
-- Using https requires a bunch of apache2 tweaks.
SLIM2INTRANETDETAIL
23) Set 'XSLTDetailsDisplay' system preference to default.
24) Set 'marcflavour' system preference to MARC21.
25) View any biblio's details.
-- the URL beside 'OPAC View' should have the appropriate
http:// or https://
26) Set 'marcflavour' system preference to NORMARC.
27) View any biblio's details.
-- the URL beside 'OPAC View' should have the appropriate
http:// or https://
OPAC-DETAIL
28) Set 'opacthemes' to bootstrap.
29) Set 'SocialNetworks' to enabled.
30) In OPAC, view any biblio's details.
-- the Share links should have the appropriate protocol on
the OPACBaseURL.
31) Set 'opacthemes' to prog.
32) In OPAC, view any biblio's details.
-- the Share links should have the appropriate protocol on
the OPACBaseURL.
AUTH_WITH_CAS
33) prove -v t/db_dependent/Auth_with_cas.t
OPAC-SHARESHELF
34) Set 'OpacAllowSharingPrivateLists' to allow.
35) In OPAC, 'Save to Lists' a search result.
36) Save it to a new private list.
37) Click the Lists button, and select the new list.
38) Click the Share button.
AUTH_WITH_SHIBBOLETH
39) prove -v t/Auth_with_shibboleth.t
-- needs to be tests on Debian, because I can't get
the Test::DBIx::Class installed in Ubuntu. :(
Rebased again on kohadevbox...
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
TEST PLAN
---------
1) $ prove t/db_dependent/Auth.t
-- warnings
2) Apply this patch
3) $ prove t/db_dependent/Auth.t
-- only one specific type of warning
4) Apply bug 5010 patch
5) $ prove t/db_dependent/Auth.t
-- noisy is eliminated
6) koha qa test tools.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
With patch only one warn
With 5010 no more warns
No errors
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Test plan:
Same as previous patch for opacuserjs
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
NOTE: Worked before and after updatedatabase.pl, though after
is less confusing to the programmer unaware of case-insensitivity.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
To match IntranetUserCSS, intranetuserjs should be renamed
IntranetUserJS.
Test plan:
1/ Be sure there is no occurrence of intranetuserjs
2/ Confirm the pref still works as before
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
NOTE: Worked before and after updatedatabase.pl, though after
is less confusing to the person unaware of case insensitivity.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This code causes the installer to re-check dependencies during the
upgrade process.
Test Plan
---------
1) Log in to staff client
2) Koha Administration -> Global system preferences -> Local
3) Change Version to previous version -- DO NOT HIT SAVE YET!
4) In command line: sudo apt-get purge libpdf-fromhtml-perl
NOTE: This could be ANY required library. I chose
PDF::FromHTML, because it has been a thorn in my side.
5) NOW! Hit the 'Save' button.
6) Log in, etc. etc...
-- Blows up on redirect to log in.
7) In command line, add it back (I had to compile my own so,
I used sudo dpkg -i /path/to/libpdf-fromhtml-perl...)
8) Apply patch
9) Edit the C4/Installer/PerlDependencies.pm to make
PDF::FromHTML required. See also bug 14103.
10) Log in to staff client
11) Koha Administration -> Global system preferences -> Local
12) Change Version to previous version -- DO NOT HIT SAVE YET!
13) In command line: sudo apt-get purge libpdf-fromhtml-perl
14) NOW! Hit the 'Save' button.
15) Log in, etc. etc...
16) Once warned you are missing it, add it back at the command line.
17) Click 'Recheck'
-- Proceeds as expected now.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
It will permit not to run another perl interpreter.
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch adds:
- links to the new pages.
- syspref description
- links on the main page (intranet)
- the DISCHARGE type for debarment
Signed-off-by: Lucie <lucie.rousseaux@dracenie.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
http://bugs.koha-community.org/show_bug.cgi?id=9987
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch allows to use CAS authentication for intranet login.
It works exactly the same as the OPAC login, except that the
staffClientBaseURL syspref must be set for intranet login
(like OPACBaseURL must be set for OPAC login).
Signed-off-by: Koha Team AMU <koha.aixmarseille@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
In C4::Auth there is a use C4::VirtualShelves.
Virtualshelves are displayed in all OPAC pages, but not in intranet.
For performance, we should move this into a require only for opac pages.
This patch adds a condition to fetch virtualshelves only if opac and moves the dependancy on C4::VirtualShelves into require calls.
On my desktop, I have those compilation times for C4/Auth.pm :
- Without patch : 0,41 seconds
- With patch : 0,22 seconds
This performance improvement is very usefull for pages that only use a few as dependancy, like errors/404.pl
Test plan :
- Be sure there are some public lists
- Apply patch
- Go to opac (not logged-in)
- Click on "Lists"
- Check you see the public lists
- Login with a user
- Be sure this user has some private lists
- Click on "Lists"
- Check you see the public and private lists
- Logout
- Go to /cgi-bin/koha/opac-reserve.pl
- You see the loggin page
- Click on "Lists"
- Check you see the public lists
- Go to intranet
- Check you can loggin
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Test plan (from comment #1)
1) Apply this patch
2) Run updatedatabase.pl
3) Verify the system pref OpacColorStyleSheet still works
i.e. no change should be noted
Additionally, I changed the path to an other stylesheet and verified that it worked.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Works as described and no more occurences of opaccolorstylesheet were found.
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
If the user is already logged-in, do not trigger CAS authentication
even if there is a ticket in the parameters.
1) Authenticate to the OPAC through CAS.
2) Once redirected to your account, hit F5 or the refresh button of your browser.
3) You're logged out.
Signed-off-by: Koha Team Lyon 3 <koha@univ-lyon3.fr>
Signed-off-by: Luce Barbey <luce.barbey@cirad.fr>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Added sign of lines according to bug.
Works as described, small change.
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
C4::Reserves:
* Added OnShelfHoldsAllowed() to check issuingrules
* Added OPACItemHoldsAllowed() to check issuingrules
* IsAvailableForItemLevelRequest() changed interface, now takes
$item_record,$borrower_record; calls OnShelfHoldsAllowed()
opac/opac-reserve.pl and opac/opac-search.pl:
* rewrote hold allowed rule to use OPACItemHoldsAllowed()
* also use OnShelfHoldsAllowed() through
* IsAvailableForItemLevelRequest()
templates:
* Removed AllowOnShelfHolds and OPACItemHolds global flags, they now
only have meaning per item type
Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
I have tested this patch left, right and upside down for the last
several months. All tests have passed.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
There were multiple calling conventions for C4::Context's
set_userenv routine. So the following commands were used to
find discrepancies:
grep "::set_userenv" `find .`
grep "\->set_userenv" `find .`
The first grep demonstrated that the smaller change is from
:: to -> as only C4/Auth.pm, installer/InstallAuth.pm, and
t/db_dependent/Circulation.t would need to be modified. This
patch corrects C4::Context's set_userenv routine to be object
call based (use ->) by using a shift to ignore the first
parameter, and modify the three files found with :: calls.
As the result of trying to roll a distribution,
t/Circulation_barcodedecode.t was discovered to be faulty. The
cause being incorrect parameters! This was hidden when there
was no shift in the set_userenv routine. However, with its
correction, the test broke.
This led me to read the POD documentation for the function
set_userenv in C4::Context and realize it was outdated as
well. It has been revised to match the current version of
the function.
Then intentionally bad parameters passed to the set_userenv
routine in C4::Context were hunted down. The biggest problems
were missing surnames or branch names.
Rebase required because of shibboleth change in C4/Context.pm
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
There was an instance of the pragma missed which meant the the original
patch set didn't actually solve the problem in a large number of cases
This patch adds in the relevant statement.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
To Test:
1) Enable the system preference SessionRestrictionByIP
2) Change your system IP. It will not checkout your system IP or signout.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
A failed login should not leave the user in a half logged authenticated
state, but rather return them to an anonymouse session as per the
pre-login attempt state.
To replicate error:
1. Try to log in with some nonexisting user id or wrong password in the
OPAC
2. Go directly to /opac-user.pl (e.g., enter it in the browser address
bar, or just click on the "Log in" link)
3. Observe a DBI error displayed on the screen
4. You are now in the "deadloop" of sorts (opac/opac-user.pl refuses to
display the login screen, no matter how many times you try to reload
it); to break the deadloop, one needs to:
- remove session cookie from the browser (or cause the session to
expire in some other way - closing browser window would be probably
enough for that)
- remove offending session on the server (from mysql sessions table,
..)
- log in with proper credentials using some other page (like
opac/opac-main.pl right-side panel), which does not involve
opac/opac-user.pl being called without "userid" CGI parameter.
To test:
1. Test as above, the DBI error should no longer be present
2. Check that search history works across failed and sucessful login
attempts
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Add a missing semicolon to the end of a template variable assignment
line. This patch should not affect operation.
Note: With Bug 13499 we did a non-destructive perltidy, as such we only
affected indenting and whitespace to maintain blame history. However, a
number of minor code issues were also highlighted, in this series of
patches I hope to correct other minor style issues.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Removed an uneeded semicolon from the end of an 'if' block. This should
not affect operation of the script.
Note: With Bug 13499 we did a non-destructive perltidy, as such we only
affected indenting and whitespace to maintain blame history. However, a
number of minor code issues were also highlighted, in this series of
patches I hope to correct other minor style issues.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This tidy should only change whitespace and not line breaks, thus
retaining history.
There are no code changes, and thus there should be no regressions to
test for koha wise.
To test the non-destrcutive nature of the patch, run a 'git blame -w' on
the file before and after the patch. The resulting blame should include
a comparabile history of the file, with only some additional blank
lines being attributed to this commit.
A 'git blame -wM' may also be useful for comparison purposes.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
The password should be encoded before hashing.
Test plan:
- Before applying the patch, create a user with utf-8 in password
- apply patches
- try to log in
- change the password
- log out
- try to log in
Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch adds links to "My account" and "My checkouts" to drop down in staff client header.
To test:
Apply patch
Got to drop down of logged in user (top right)
See new links to "My account" and "My checkout" (above "Log out")
Test the links.
Signed-off-by: Magnus Enger <digitalutvikling@gmail.com>
Works as advertised. The options are not displayed when you are logged
in as the db/admin user.
Added classes "toplinks-myaccount" and "toplink-mycheckouts" to li tags to make it possible to hide them (per Kyle M $
Switching back to "Signd-off" (Hope this is OK becuause it is a tiny string addition)
Marc
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
While testing a bug, warnings in the opac error log were
building up due to a particular line in C4::Auth. After
reviewing the code, it was discovered that removal of the
OpacMainUserBlockMobile system preference created this.
Since the system preference no longer exists, and is not
used, the line was deleted from C4/Auth.pm to prevent this
warning from occuring.
TEST PLAN
----------
1) Go to any OPAC page.
2) Check your opac error log.
-- there should be something about uninitialized values
used in C4/Auth.pm around line 443.
3) Apply the patch
4) Refresh the page.
-- that same error should not be triggered.
5) prove -v t/db_dependent/Auth.t
-- this runs the get_template_and_user function
which had the parameter removed.
6) run the koha qa test tools
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
With CCSR now deprecated there is no longer a need for the
OPACMobileUserCSS system preference. This patch removes it.
To test, apply the patch and run updatedatabase. Check that the
preference can no longer be found in system preferences.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Preference removed, no koha-qa errors.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
With CCSR having been deprecated there is no longer a use for the
OpacShowLibrariesPulldownMobile system preference. This patch removes
it.
To test, apply the patch and run updatedatabase. Check that the
preference can no longer be found in system preferences.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Preference removed, no koha-qa errors.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
- The shibboleth patch introduced an undefined message into the error
logs, when shiboleth is disabled.
Testplan
1. Ensure shibboleth is disabled.
2. Refresh any opac page
3. See 'Use of uninitialized value $ENV{"REMOTE_USER"} in string ne at
/home/koha/kohaclone/C4/Auth.pm line 711.' popup in the opac-error.log
4. Apply patch
5. Refresh opac page
6. Error should no longer appear
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Works as described.
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
- Convert Auth_with_shibboleth to use dbic stanzas.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
- A number of issues were highlighted whilst writing sensible unit tests
for this module.
- Removed unnessesary call to context->new();
- Global variables are BAD!
- Croaking is a wimps way out, we should handle errors early and
properly.
Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
- Local fallback was not very well implemented, this patch adds
better handling for such cases allowing clearer failure messages
- This patch also adds the ability to use single sign on via the
top bar menu in the bootstrap theme.
BUG8446, Follow up: Adds perldoc documentation
- Add some documentation to the Auth_with_Shibboleth module
including some guidance as to configuration.
BUG8446, Follow up: Correct filenames to match guidlines
- Moved Auth_with_Shibboleth.pm to Auth_with_shibboleth.pm to match
other files present on the system.
BUG8446, Follow up: Correct paths after file rename
BUG8446, Follow up: Implemented single sign out
- This follow up rebases the code against 3.16+ which managed to break
some of the original logic.
- As a side effect of the rebasing, we've also implemented the single
sign out element. Upon logout, koha will request that the shibboleth
session is destroyed, and then clear the local koha session upon
return to koha. Due to the nature of shibboleth however, you will
only truly be signed out of the IdP if they properly support Single
Sign Out (which many do not). As a consequence, although you may
appear to be logged out in koha, you might find that upon clicking
'login' the IdP does NOT request your login details again, but instead
logs you silently back into your koha session. This is NOT a koha bug,
but a shibboleth implementation issue that is well known.
BUG8446, Follow up: Fixed bootstrap login via modal
- The bootstrap theme enable login from any opac page via modal. To
enable this with shibboleth we had to make some template parameters
globally accessible when shibboleth is enabled.
BUG8446, Follow up: Add template rules for Shibboleth and CAS
- Add template rules so that CAS and Shibboleth can coexist.
BUG8446, Follow up: Added default config to config file
BUG8446, Follow up: Embellished perldoc documentation
- Updated perldoc to correct detail about configuring shibboleth
authentication.
- Updated perldoc to include subroutines and their respective functions.
BUG8446, Follow up: Enable configuration of match field
- Added clearer, more flexible, configuration of shibboleth attribute to
koha borrower field matching for authentication
- Correcting of documentation to make it more clear to the current
implementation
- Minor refactoring of code to reduce some code duplication
Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
- Use the shibbolethAuthentication syspref to enable Shibboleth authentication
- Configure the shibbolethLoginAttribute to specify which shibboleth user
attribute matches the koha login
- Make sure the OPACBaseURL is correctly set
BUG8446, Follow-up: Adds Shibboleth authentication
- Fix logout bug: shibboleth logout now occurs only when
the session is a shibboleth one.
- Do some refactoring: getting shibboleth username is now
done in C4::Auth_with_Shibboleth.pm (get_login_shib function)
BUG8446, Follow-up: Adds Shibboleth authentication
- Adds redirect to opac after logout
BUG8446, Follow-up: Adds Shibboleth authentication
- Shibboleth is not compatible with basic http authentication
in C4/Auth.pm. This patch fixes that.
BUG8446, Follow-up: Adds Shibboleth authentication
- Use ENV{'SERVER_NAME'} instead of syspref OpacBaseURL in order to work with
multiple vhosts.
BUG8446, Follow-up: Adds Shibboleth authentication
- Adds missing protocol for $ENV{'SERVER_NAME'}
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jesse Weaver <pianohacker@gmail.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Tested with the feide idp.
- LDAP login and logout are working
- local login/logout are still working
- CAS login/logout are still working
Instructions for setup can be found on the wiki:
http://wiki.koha-community.org/wiki/Shibboleth_Configuration
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
It is kosher now to use the Koha template toolkit plugin for retrieving
system preferences values. This followup does that.
It also changes the class for ids, for people considering this patch
introduces too much noise on the home screen being able to control
its visibility.
Regards
To+
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Enable staff to setting a text for OPAC user/pass information
Modified:
C4/Auth.pm
koha-tmpl/opac-tmpl/bootstrap/en/includes/usermenu.inc -add a text to the popup login page
koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-main.tt -add a text to the main login page
Testing:
I Apply the patch
0) Search NoLoginInstructions preference
1) Add/modify a text
2) Open OPAC main page
3) Validate the text added under Login button
4) Click in "Log in to your account" link
5) Validate the text added under input password (popup)
Sponsored-by: CCSR ( http://www.ccsr.qc.ca )
Patch behaves as expected.
Signed-off-by: Marc Veron <veron@veron.ch>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch covers LDAP auth_by_bind configuration so that wrong
LDAP password will return -1 to C4::Auth so we can abort local auth
and prevent users logging in with stale database passwords.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
http://bugs.koha-community.org/show_bug.cgi?id=8148
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
