From aa0e914e81e1e4dbb134b3608c4b245df607ebe7 Mon Sep 17 00:00:00 2001 
From: Sam Lau Date: Fri, 7 Jun 2024 18:44:54 +0000 Subject: [PATCH] Bug 33462: Add ability to force password change for new patrons entered by staff This patch attempts to force a password change for new staff created patrons. This is done by setting the password_expiration_date to an expired date when adding a new patron. This patch adds a new system preference 'ForcePasswordResetWhenSetByStaff' and a new column to the categories table 'force_password_reset_when_set_by_staff'. To test: 1) Apply patch, restart_all, updatedatabase, and also be sure to update schema. 2) Visit Administration->System Preferences and search for 'EnableExpiredPasswordReset'. Make sure this is set to enable. Now search for 'ForcePasswordResetWhenSetByStaff'. This should be defaulted to 'Don't force'. 3) Keep that tab open and visit Administration->Patron categories. Click on edit on the Board category. Notice that there is now a 'Force new patron password reset' section. Notice that by default, this is set to follow the ForcePasswordResetWhenSetByStaff system preference (currently set to don't force). Click on the dropdown and change it to 'Force'. Save changes 4) Click on the Patrons tab to visit members-home.pl and then click 'New Patron'. Select on Patron. Fill in the required information and also enter a password. 5) Submit this form and notice that the patron's password expiration date is set to never. This should be the case because the default for 'Force new patron password reset' follows the sys. pref. which is still set to 'Don't force' (You could have some expiry date in this step, but it should at least be set to a date that is not expired. This depends on whether or not you have a default password expiration date set in patron categories ) 6) Log into the OPAC with this patron and notice it works as expected and log in was successful. 7) Go back to the patron home page and click to add a new patron. This time select 'Board'. 
Once again fill out the required info, enter a password, and then save the form. 8) Notice that for this patron, the password expiration date is set for today's date. This is because we changed the setting for the 'Board' patron category to force. 9) Log into the OPAC with this patron. You should be redirected to a page with an error that says: "It's your first login! You need to reset your password." Click on the reset password link below this message. 10) You should be sent to a page where you can reset your password. Fill in the form and click 'Update password'. Attempt to sign into the OPAC with this new password. Everything works as expected. 11) Go back to the staff interface and view this patron's detail page. Notice the password expiration date is now set to what the default is in the patron category. 12) Edit this patrons information and set their password expiration date to yesterday. Go back to the OPAC and try to sign in with this patron again. Note that this time, you are also redirected but the message says "Error: Your password has expired!" 13) Go back to the staff interface and visit the sys. pref tab we left open. Set it to the 'Force' option and save changes. 14) Visit the patron home page and click add patron, now select the patron category again. Fill in required info and enter password. Submit form and note that the patron's password expiration date is set to today. Try to login to the OPAC with this patron, you should be redirected to the page with the error that says "Error: It's your first login! You need to reset your password." 15) Sign-off :) Signed-off-by: Laura_Escamilla Signed-off-by: Olivier V Signed-off-by: Kyle M Hall 
Signed-off-by: Katrin Fischer --- C4/Auth.pm | 2 ++ Koha/Patron.pm | 15 +++++--- Koha/Patron/Category.pm | 16 +++++++++ admin/categories.pl | 4 +++ .../prog/en/modules/admin/categories.tt | 35 +++++++++++++++++++ .../en/modules/admin/preferences/patrons.pref | 2 +- .../bootstrap/en/modules/opac-auth.tt | 12 +++++-- 7 files changed, 77 insertions(+), 9 deletions(-) diff --git a/C4/Auth.pm b/C4/Auth.pm index d4b83bb75e..75b699456e 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -1457,6 +1457,8 @@ sub checkauth { too_many_login_attempts => ( $patron and $patron->account_locked ), password_has_expired => ( $patron and $patron->password_expired ), is_anonymous_patron => ( $is_anonymous_patron ), + password_expiration_date => ( $patron and $patron->password_expiration_date ), + date_enrolled => ( $patron and $patron->dateenrolled ), auth_error => $auth_error, ); diff --git a/Koha/Patron.pm b/Koha/Patron.pm index d95e5fc4ab..af1484de47 100644 --- a/Koha/Patron.pm +++ b/Koha/Patron.pm @@ -291,11 +291,16 @@ sub store { # Make a copy of the plain text password for later use $self->plain_text_password( $self->password ); - $self->password_expiration_date( - $self->password - ? $self->category->get_password_expiry_date || undef - : undef - ); + if($self->category->effective_force_password_reset_when_set_by_staff and ($self->categorycode ne C4::Context->preference("PatronSelfRegistrationDefaultCategory"))){ + $self->password_expiration_date(dt_from_string); + } + else { + $self->password_expiration_date( + $self->password + ? $self->category->get_password_expiry_date || undef + : undef + ); + } # Create a disabled account if no password provided $self->password( diff --git a/Koha/Patron/Category.pm b/Koha/Patron/Category.pm index 70ebc00705..179397cb05 100644 --- a/Koha/Patron/Category.pm +++ b/Koha/Patron/Category.pm 
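Review bot: The two added parameters in the C4/Auth.pm hunk, `password_expiration_date` and `date_enrolled`, pass raw account dates to the login template, and nothing visible here shows that `$patron` has passed a credential check at this point. The neighbouring `too_many_login_attempts` entry suggests the object may be looked up from the submitted login alone, which would expose enrolment and expiry dates for any known login. If the template only needs to tell a forced first-login reset from an ordinary expiry, compute that in `checkauth` and pass a single boolean instead of the dates. Whichever form is kept, add a comment such as `# used by opac-auth.tt to pick the "first login" message; $patron may not be authenticated here`. The body of `checkauth` starts and ends outside the hunk.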
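Review bot: The new `if` in the Koha/Patron.pm hunk does not test `$self->password`, so a patron stored without a password in a forcing category now gets today's date as `password_expiration_date`, where the removed code set it to undef. Adding the guard keeps the earlier behaviour for password-less accounts: `if ( $self->password and $self->category->effective_force_password_reset_when_set_by_staff and $self->categorycode ne C4::Context->preference("PatronSelfRegistrationDefaultCategory") ) {`. The condition also uses "category is not the self-registration default" as a stand-in for "created by staff", and nothing in the hunk checks who is creating the record. Any other caller of `store` that creates patrons would therefore be treated as staff, and staff-created patrons in the default self-registration category are never forced; that assumption deserves a comment above the `if`. The enclosing `store` starts and ends outside the hunk.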
@@ -229,6 +229,22 @@ sub effective_require_strong_password { return $self->require_strong_password // C4::Context->preference('RequireStrongPassword'); } +=head3 effective_force_password_reset_when_set_by_staff + + $category->effective_force_password_reset_when_set_by_staff() + +Returns if new staff created patrons in this category are forced to reset their password. If set in $self->force_password_reset_when_set_by_staff +or, if undef, falls back to the ForcePasswordResetWhenSetByStaff system preference. + +=cut + +sub effective_force_password_reset_when_set_by_staff { + my ($self) = @_; + + return $self->force_password_reset_when_set_by_staff // C4::Context->preference('ForcePasswordResetWhenSetByStaff'); +} + + =head3 override_hidden_items if ( $patron->category->override_hidden_items ) { diff --git a/admin/categories.pl b/admin/categories.pl index 8fdaaf9d76..60d14a76b0 100755 --- a/admin/categories.pl +++ b/admin/categories.pl @@ -84,11 +84,13 @@ elsif ( $op eq 'cud-add_validate' ) { my @branches = grep { $_ ne q{} } $input->multi_param('branches'); my $can_be_guarantee = $input->param('can_be_guarantee'); + my $force_password_reset_when_set_by_staff = $input->param('force_password_reset_when_set_by_staff'); $reset_password = undef if $reset_password eq -1; $change_password = undef if $change_password eq -1; $min_password_length = undef unless length($min_password_length); $require_strong_password = undef if $require_strong_password eq -1; + $force_password_reset_when_set_by_staff = undef if $force_password_reset_when_set_by_staff eq -1; my $is_a_modif = $input->param("is_a_modif"); 
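Review bot: The POD added for `effective_force_password_reset_when_set_by_staff` is hard to parse, because "Returns if ... If set in ... or, if undef, falls back" runs two sentences together and never says which value wins. Suggested wording: `Returns whether staff-created patrons in this category must reset their password at first login: the category's force_password_reset_when_set_by_staff value when it is defined, otherwise the ForcePasswordResetWhenSetByStaff system preference.` It would also help to state that a category value of 0 overrides a system preference set to force, since that is what `//` does here. The hunk also adds a second blank line after the sub's closing brace, which the neighbouring definitions do not have.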
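Review bot: In the first admin/categories.pl hunk, `force_password_reset_when_set_by_staff` is read from the request and only the `-1` sentinel is mapped to undef, so any other submitted string goes on to the setter and constructor calls in the two later hunks of this file. The column type is not visible here, but the setting is three-state (follow the preference, don't force, force), so normalising at the point of input keeps unexpected values out of the categories table: `$force_password_reset_when_set_by_staff = undef unless defined $force_password_reset_when_set_by_staff && $force_password_reset_when_set_by_staff =~ /\A[01]\z/;`. That line also covers the case where the field is missing from the request, where the current `eq -1` comparison would run against an undefined value. The enclosing `elsif ( $op eq 'cud-add_validate' )` branch starts and ends outside the hunk.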
@@ -119,6 +121,7 @@ elsif ( $op eq 'cud-add_validate' ) { $category->noissuescharge($noissuescharge); $category->noissueschargeguarantees($noissueschargeguarantees); $category->noissueschargeguarantorswithguarantees($noissueschargeguarantorswithguarantees); + $category->force_password_reset_when_set_by_staff($force_password_reset_when_set_by_staff); eval { $category->store; $category->replace_library_limits( \@branches ); @@ -157,6 +160,7 @@ elsif ( $op eq 'cud-add_validate' ) { noissuescharge => $noissuescharge, noissueschargeguarantees => $noissueschargeguarantees, noissueschargeguarantorswithguarantees => $noissueschargeguarantorswithguarantees, + force_password_reset_when_set_by_staff => $force_password_reset_when_set_by_staff, } ); eval { diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt index 16d8c87542..440da9eade 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt @@ -341,6 +341,41 @@ [% END %] +
  • + + +
    + Choose whether staff created patrons of this category be forced into resetting their password after their first OPAC login. +
    +