Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/opac/sco/sco-main.pl
Galen Charlton 7b165794cd Bug 10016: force zero browser-side caching of SCO pages 
This patch makes the web-based self-check module pages
specify that no browser (or proxy caching) occur at all.
This prevents a security issue where letting the SCO session time out,
then hitting the back button allowed one to view the previous
patron's session.

This patch adds an optional fifth parameter to output_with_http_headers(),
and output_html_with_http_headers(), a hashref for miscellaneous
options.  One key is defined at the moment: force_no_caching, which if
if present and set to a true value, sets HTTP headers to specify no
browser caching of the page at all.

To test:

[1] Start a web-based self-check session and optionally perform
    some transactions.
[2] Allow the session to time out (it may be helpful to set
    SelfCheckTimeout to a low value such as 10 seconds).
[3] Hit the back button.  You should not see the previous patron's
    self-check session.
[4] Verify that prove -v t/Output.t passes.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Ed Veal <ed.veal@bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-21 18:05:12 +00:00

271 lines
9.4 KiB
Perl
Executable file
Raw Blame History

#!/usr/bin/perl
#
# This code has been modified by Trendsetters (originally from opac-user.pl)
# This code has been modified by rch
# Parts Copyright 2010-2011, ByWater Solutions (those related to username/password auth)
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it under the
# terms of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
#
# Koha is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with Koha; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# We're going to authenticate a self-check user. we'll add a flag to borrowers 'selfcheck'
#
# We're in a controlled environment; we trust the user.
# So the selfcheck station will accept a patronid and issue items to that borrower.
# FIXME: NOT really a controlled environment... We're on the internet!
#
# The checkout permission comes form the CGI cookie/session of a staff user.
# The patron is not really logging in here in the same way as they do on the
# rest of the OPAC. So don't confuse loggedinuser with the patron user.
#
# FIXME: inputfocus not really used in TMPL
use strict;
use warnings;
use CGI;
use Digest::MD5 qw(md5_base64);
use C4::Auth qw(get_template_and_user checkpw);
use C4::Koha;
use C4::Circulation;
use C4::Reserves;
use C4::Output;
use C4::Members;
use C4::Biblio;
use C4::Items;
my $query = new CGI;
unless (C4::Context->preference('WebBasedSelfCheck')) {
# redirect to OPAC home if self-check is not enabled
print $query->redirect("/cgi-bin/koha/opac-main.pl");
exit;
}
if (C4::Context->preference('AutoSelfCheckAllowed'))
{
my $AutoSelfCheckID = C4::Context->preference('AutoSelfCheckID');
my $AutoSelfCheckPass = C4::Context->preference('AutoSelfCheckPass');
$query->param(-name=>'userid',-values=>[$AutoSelfCheckID]);
$query->param(-name=>'password',-values=>[$AutoSelfCheckPass]);
$query->param(-name=>'koha_login_context',-values=>['sco']);
}
my ($template, $loggedinuser, $cookie) = get_template_and_user({
template_name => "sco/sco-main.tmpl",
authnotrequired => 0,
flagsrequired => { circulate => "circulate_remaining_permissions" },
query => $query,
type => "opac",
debug => 1,
});
if (C4::Context->preference('SelfCheckoutByLogin'))
{
$template->param(authbylogin => 1);
}
# Get the self checkout timeout preference, or use 120 seconds as a default
my $selfchecktimeout = 120000;
if (C4::Context->preference('SelfCheckTimeout')) {
$selfchecktimeout = C4::Context->preference('SelfCheckTimeout') * 1000;
}
$template->param(SelfCheckTimeout => $selfchecktimeout);
# Checks policy laid out by AllowSelfCheckReturns, defaults to 'on' if preference is undefined
my $allowselfcheckreturns = 1;
if (defined C4::Context->preference('AllowSelfCheckReturns')) {
$allowselfcheckreturns = C4::Context->preference('AllowSelfCheckReturns');
}
$template->param(AllowSelfCheckReturns => $allowselfcheckreturns);
my $issuerid = $loggedinuser;
my ($op, $patronid, $patronlogin, $patronpw, $barcode, $confirmed) = (
$query->param("op") || '',
$query->param("patronid") || '',
$query->param("patronlogin")|| '',
$query->param("patronpw") || '',
$query->param("barcode") || '',
$query->param("confirmed") || '',
);
my $issuenoconfirm = 1; #don't need to confirm on issue.
#warn "issuerid: " . $issuerid;
my $issuer = GetMemberDetails($issuerid);
my $item = GetItem(undef,$barcode);
if (C4::Context->preference('SelfCheckoutByLogin') && !$patronid) {
my $dbh = C4::Context->dbh;
my $resval;
($resval, $patronid) = checkpw($dbh, $patronlogin, $patronpw);
}
my $borrower = GetMemberDetails(undef,$patronid);
my $branch = $issuer->{branchcode};
my $confirm_required = 0;
my $return_only = 0;
#warn "issuer cardnumber: " . $issuer->{cardnumber};
#warn "patron cardnumber: " . $borrower->{cardnumber};
if ($op eq "logout") {
$query->param( patronid => undef, patronlogin => undef, patronpw => undef );
}
elsif ( $op eq "returnbook" && $allowselfcheckreturns ) {
my ($doreturn) = AddReturn( $barcode, $branch );
#warn "returnbook: " . $doreturn;
$borrower = GetMemberDetails(undef,$patronid);
}
elsif ( $op eq "checkout" ) {
my $impossible = {};
my $needconfirm = {};
if ( !$confirmed ) {
( $impossible, $needconfirm ) = CanBookBeIssued(
$borrower,
$barcode,
undef,
0,
C4::Context->preference("AllowItemsOnHoldCheckout")
);
}
$confirm_required = scalar keys %$needconfirm;
#warn "confirm_required: " . $confirm_required ;
if (scalar keys %$impossible) {
# warn "impossible: numkeys: " . scalar (keys(%$impossible));
#warn join " ", keys %$impossible;
my $issue_error = (keys %$impossible)[0];
# FIXME we assume only one error.
$template->param(
impossible => $issue_error,
"circ_error_$issue_error" => 1,
title => $item->{title},
hide_main => 1,
);
if ($issue_error eq 'DEBT') {
$template->param(amount => C4::Budgets->GetCurrency()->{symbol}.$impossible->{DEBT});
}
#warn "issue_error: " . $issue_error ;
if ( $issue_error eq "NO_MORE_RENEWALS" ) {
$return_only = 1;
$template->param(
returnitem => 1,
barcode => $barcode,
);
}
} elsif ( $needconfirm->{RENEW_ISSUE} ) {
if ($confirmed) {
#warn "renewing";
AddRenewal( $borrower, $item->{itemnumber} );
} else {
#warn "renew confirmation";
$template->param(
renew => 1,
barcode => $barcode,
confirm => 1,
confirm_renew_issue => 1,
hide_main => 1,
);
}
} elsif ( $confirm_required && !$confirmed ) {
#warn "failed confirmation";
my $issue_error = (keys %$needconfirm)[0];
$template->param(
impossible => (keys %$needconfirm)[0],
"circ_error_$issue_error" => 1,
hide_main => 1,
);
if ($issue_error eq 'DEBT') {
$template->param(amount => C4::Budgets->GetCurrency()->{symbol}.$needconfirm->{DEBT});
}
} else {
if ( $confirmed || $issuenoconfirm ) { # we'll want to call getpatroninfo again to get updated issues.
# warn "issuing book?";
AddIssue( $borrower, $barcode );
# ($borrower, $flags) = getpatroninformation(undef,undef, $patronid);
# $template->param(
# patronid => $patronid,
# validuser => 1,
# );
} else {
$confirm_required = 1;
#warn "issue confirmation";
$template->param(
confirm => "Issuing title: " . $item->{title},
barcode => $barcode,
hide_main => 1,
inputfocus => 'confirm',
);
}
}
} # $op
if ($borrower->{cardnumber}) {
# warn "issuer's branchcode: " . $issuer->{branchcode};
# warn "user's branchcode: " . $borrower->{branchcode};
my $borrowername = sprintf "%s %s", ($borrower->{firstname} || ''), ($borrower->{surname} || '');
my @issues;
my ($issueslist) = GetPendingIssues( $borrower->{'borrowernumber'} );
foreach my $it (@$issueslist) {
my ($renewokay, $renewerror) = CanBookBeIssued(
$borrower,
$it->{'barcode'},
undef,
0,
C4::Context->preference("AllowItemsOnHoldCheckout")
);
$it->{'norenew'} = 1 if $renewokay->{'NO_MORE_RENEWALS'};
push @issues, $it;
}
$template->param(
validuser => 1,
borrowername => $borrowername,
issues_count => scalar(@issues),
ISSUES => \@issues,
patronid => $patronid,
patronlogin => $patronlogin,
patronpw => $patronpw,
noitemlinks => 1 ,
borrowernumber => $borrower->{'borrowernumber'},
);
my $inputfocus = ($return_only == 1) ? 'returnbook' :
($confirm_required == 1) ? 'confirm' : 'barcode' ;
$template->param(
inputfocus => $inputfocus,
nofines => 1,
);
if (C4::Context->preference('ShowPatronImageInWebBasedSelfCheck')) {
my ($image, $dberror) = GetPatronImage($borrower->{borrowernumber});
if ($image) {
$template->param(
display_patron_image => 1,
cardnumber => $borrower->{cardnumber},
);
}
}
} else {
$template->param(
patronid => $patronid,
nouser => $patronid,
);
}
$template->param(
SCOUserJS => C4::Context->preference('SCOUserJS'),
SCOUserCSS => C4::Context->preference('SCOUserCSS'),
);
output_html_with_http_headers $query, $cookie, $template->output, undef, { force_no_caching => 1 };
View git blame Copy permalink