From 31fca3dfd248f020cbe44be9c196eedf3a03a079 Mon Sep 17 00:00:00 2001
From: hdl <hdl>
Date: Tue, 26 Jul 2005 15:58:47 +0000
Subject: [PATCH] Bug Fixing for independantBranches support. Addign a Cookie
 containing user specific vars such as : branch, firstname, surname,
 cardnumber... may be criticized from a lawyer point of view, since name and
 surname are given. But the real need is for userid and branch. And it is
 achieved. Auth passes now TWO cookies : a session cookie And an environment
 cookie.

---
 C4/Auth.pm    | 113 ++++++++++++++++++++++++++++++++++----------------
 C4/Context.pm |  42 ++++++++++++-------
 2 files changed, 104 insertions(+), 51 deletions(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index d9588b5e25..8daa6e1196 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -285,7 +285,7 @@ sub checkauth {
 	# state variables
 	my $loggedin = 0;
 	my %info;
-	my ($userid, $cookie, $sessionID, $flags);
+	my ($userid, $cookie, $sessionID, $flags, $envcookie);
 	my $logout = $query->param('logout.x');
 	if ($userid = $ENV{'REMOTE_USER'}) {
 		# Using Basic Authentication, no cookies required
@@ -294,8 +294,18 @@ sub checkauth {
 				-expires => '');
 		$loggedin = 1;
 	} elsif ($sessionID=$query->cookie('sessionID')) {
-		warn "NEWUSERENV : ".$sessionID;
 		C4::Context->_new_userenv($sessionID);
+		if (my %hash=$query->cookie('userenv')){
+				C4::Context::set_userenv(
+					$hash{number},
+					$hash{id},
+					$hash{cardnumber},
+					$hash{firstname},
+					$hash{surname},
+					$hash{branch},
+					$hash{flags}
+				);
+		}
 		my ($ip , $lasttime);
 		($userid, $ip, $lasttime) = $dbh->selectrow_array(
 				"SELECT userid,ip,lasttime FROM sessions WHERE sessionid=?",
@@ -357,34 +367,65 @@ sub checkauth {
 	unless ($userid) {
 		$sessionID=int(rand()*100000).'-'.time();
 		$userid=$query->param('userid');
-		warn "NEWUSERENV : ".$sessionID;
 		C4::Context->_new_userenv($sessionID);
 		my $password=$query->param('password');
 		my ($return, $cardnumber) = checkpw($dbh,$userid,$password);
 		if ($return) {
-		$dbh->do("DELETE FROM sessions WHERE sessionID=? AND userid=?",
-			undef, ($sessionID, $userid));
-		$dbh->do("INSERT INTO sessions (sessionID, userid, ip,lasttime) VALUES (?, ?, ?, ?)",
-			undef, ($sessionID, $userid, $ENV{'REMOTE_ADDR'}, time()));
-		open L, ">>/tmp/sessionlog";
-		my $time=localtime(time());
-		printf L "%20s from %16s logged in  at %30s.\n", $userid, $ENV{'REMOTE_ADDR'}, $time;
-		close L;
-		$cookie=$query->cookie(-name => 'sessionID',
-					-value => $sessionID,
-					-expires => '');
-		
-		if ($flags = haspermission($dbh, $userid, $flagsrequired)) {
-			$loggedin = 1;
-		} else {
-			$info{'nopermission'} = 1;
-			C4::Context->_unset_userenv($sessionID);
-		}
+			$dbh->do("DELETE FROM sessions WHERE sessionID=? AND userid=?",
+				undef, ($sessionID, $userid));
+			$dbh->do("INSERT INTO sessions (sessionID, userid, ip,lasttime) VALUES (?, ?, ?, ?)",
+				undef, ($sessionID, $userid, $ENV{'REMOTE_ADDR'}, time()));
+			open L, ">>/tmp/sessionlog";
+			my $time=localtime(time());
+			printf L "%20s from %16s logged in  at %30s.\n", $userid, $ENV{'REMOTE_ADDR'}, $time;
+			close L;
+			$cookie=$query->cookie(-name => 'sessionID',
+						-value => $sessionID,
+						-expires => '');
+			
+			if ($flags = haspermission($dbh, $userid, $flagsrequired)) {
+				$loggedin = 1;
+			} else {
+				$info{'nopermission'} = 1;
+				C4::Context->_unset_userenv($sessionID);
+			}
+			if ($return == 1){
+				my $sth=$dbh->prepare(
+					"select cardnumber,borrowernumber,userid,firstname,surname,flags,branchcode
+					from borrowers where userid=?"
+				);
+				$sth->execute($userid);
+				my ($cardnumber,$bornum,$userid,$firstname,$surname,$userflags,$branchcode) = $sth->fetchrow;
+				my $hash = C4::Context::set_userenv(
+					$bornum,
+					$userid,
+					$cardnumber,
+					$firstname,
+					$surname,
+					$branchcode,
+					$userflags
+				);
+				$envcookie=$query->cookie(-name => 'userenv',
+						-value => $hash,
+						-expires => '');
+			} elsif ($return == 2) {
+			#We suppose the user is the superlibrarian
+				my $hash = C4::Context::set_userenv(
+					0,0,
+					C4::Context->config('user'),
+					C4::Context->config('user'),
+					C4::Context->config('user'),
+					"",1
+				);
+				$envcookie=$query->cookie(-name => 'userenv',
+						-value => $hash,
+						-expires => '');
+			}
 		} else {
-		if ($userid) {
-			$info{'invalid_username_or_password'} = 1;
-			C4::Context->_unset_userenv($sessionID);
-		}
+			if ($userid) {
+				$info{'invalid_username_or_password'} = 1;
+				C4::Context->_unset_userenv($sessionID);
+			}
 		}
 	}
 	my $insecure = C4::Context->boolean_preference('insecure');
@@ -396,7 +437,12 @@ sub checkauth {
 					-value => '',
 					-expires => '');
 		}
-		return ($userid, $cookie, $sessionID, $flags);
+		if ($envcookie){
+			warn "envcookie set";
+			return ($userid, [$cookie,$envcookie], $sessionID, $flags)
+		} else {
+			return ($userid, $cookie, $sessionID, $flags);
+		}
 	}
 	# else we have a problem...
 	# get the inputs from the incoming query
@@ -412,7 +458,7 @@ sub checkauth {
 	$template->param(loginprompt => 1) unless $info{'nopermission'};
 
 	my $self_url = $query->url(-absolute => 1);
-	$template->param(url => $self_url, LibraryName=> => C4::Context->preference("LibraryName"),);
+	$template->param(url => $self_url, LibraryName=> C4::Context->preference("LibraryName"),);
 	$template->param(\%info);
 	$cookie=$query->cookie(-name => 'sessionID',
 					-value => $sessionID,
@@ -431,30 +477,25 @@ sub checkpw {
 
 	my ($dbh, $userid, $password) = @_;
 # INTERNAL AUTH
-	my $sth=$dbh->prepare("select password,cardnumber,borrowernumber,userid,firstname,surname,flags,branchcode  from borrowers where userid=?");
+	my $sth=$dbh->prepare("select password,cardnumber from borrowers where userid=?");
 	$sth->execute($userid);
 	if ($sth->rows) {
-		my ($md5password,$cardnumber,$bornum,$userid,$firstname,$surname,$userflags,$branchcode) = $sth->fetchrow;
+		my ($md5password,$cardnumber) = $sth->fetchrow;
 		if (md5_base64($password) eq $md5password) {
-			warn "setuserenv1 $bornum,$userid,$cardnumber,$firstname,$surname,$branchcode,$userflags";
-			C4::Context->set_userenv($bornum,$userid,$cardnumber,$firstname,$surname,$branchcode,$userflags);
 			return 1,$cardnumber;
 		}
 	}
-	my $sth=$dbh->prepare("select password,cardnumber,borrowernumber,userid,firstname,surname,flags,branchcode from borrowers where cardnumber=?");
+	my $sth=$dbh->prepare("select password from borrowers where cardnumber=?");
 	$sth->execute($userid);
 	if ($sth->rows) {
-		my ($md5password,$cardnumber,$bornum,$userid,$firstname,$surname,$userflags,$branchcode) = $sth->fetchrow;
+		my ($md5password) = $sth->fetchrow;
 		if (md5_base64($password) eq $md5password) {
-			warn "setuserenv2 $bornum,$userid,$cardnumber,$firstname,$surname,$branchcode,$userflags";
-			C4::Context->set_userenv($bornum,$userid,$cardnumber,$firstname,$surname,$branchcode,$userflags);
 			return 1,$userid;
 		}
 	}
 	if ($userid eq C4::Context->config('user') && $password eq C4::Context->config('pass')) {
 		# Koha superuser account
 			warn "setuserenv3";
-		C4::Context->set_userenv(0,0,C4::Context->config('user'),C4::Context->config('user'),C4::Context->config('user'),"",1);
 		return 2;
 	}
 	if ($userid eq 'demo' && $password eq 'demo' && C4::Context->config('demo')) {
diff --git a/C4/Context.pm b/C4/Context.pm
index b8d6b5e7b3..091febe0f8 100644
--- a/C4/Context.pm
+++ b/C4/Context.pm
@@ -233,7 +233,7 @@ sub new
 	$self->{"stopwords"} = undef; # stopwords list
 	$self->{"marcfromkohafield"} = undef; # the hash with relations between koha table fields and MARC field/subfield
 	$self->{"userenv"} = undef;		# User env
-	$self->{"context"} = undef;		# current active user
+	$self->{"activeuser"} = undef;		# current active user
 
 	bless $self, $class;
 	return $self;
@@ -611,19 +611,29 @@ C<C4::Context-E<gt>userenv> twice, you will get the same hash without real DB ac
 Returns Null if userenv is not set.
 userenv is set in _new_userenv, called in Auth.pm
 
+=cut
+#'
+
+=item userenv
+
+  C4::Context->userenv;
+
+Builds a hash for user environment variables.
+
+This hash shall be cached for future use: if you call
+C<C4::Context-E<gt>userenv> twice, you will get the same hash without real DB access
+
+set_userenv is called in Auth.pm
+
 =cut
 #'
 sub userenv
 {
-	warn "activeuser : ".$context->{"activeuser"}."hash :".$context->{$context->{"activeuser"}};
-	my $var = $context->{$context->{"activeuser"}};
-	foreach my $key (sort keys %$context){
-		warn "key : ".$key;
-	}
-	return $context->{$context->{"activeuser"}};
+	my $var = $context->{"activeuser"};
+	return $context->{"userenv"}->{$var} if (defined $context->{"userenv"}->{$var});
 }
 
-=item set_userenv
+=item userenv
 
   C4::Context->set_userenv;
 
@@ -636,11 +646,10 @@ set_userenv is called in Auth.pm
 
 =cut
 #'
-sub set_userenv
-{
+sub set_userenv{
 	my ($usernum, $userid, $usercnum, $userfirstname, $usersurname, $userbranch, $userflags)= @_;
-	warn "SETTING :  $usernum, $userid, $usercnum, $userfirstname, $usersurname, $userbranch, $userflags";
-	$context->{$context->{"activeuser"}}=\{
+	my $var=$context->{"activeuser"};
+	my $cell = {
 		"number"     => $usernum,
 		"id"         => $userid,
 		"cardnumber" => $usercnum,
@@ -649,6 +658,8 @@ sub set_userenv
 		"branch"     => $userbranch,
 		"flags"      => $userflags
 	};
+	$context->{userenv}->{$var} = $cell;
+	return $cell;
 }
 
 =item _new_userenv
@@ -666,9 +677,9 @@ _new_userenv is called in Auth.pm
 #'
 sub _new_userenv
 {
+	shift;
 	my ($sessionID)= @_;
-	$context->{"activeuser"} = \$sessionID;
-	$context->{$sessionID}=\();
+ 	$context->{"activeuser"}=$sessionID;
 }
 
 =item _unset_userenv
@@ -683,8 +694,9 @@ Destroys the hash for activeuser user environment variables.
 sub _unset_userenv
 {
 	my ($sessionID)= @_;
-	undef $context->{$sessionID};
+#	undef $context->{$sessionID};
 	undef $context->{"activeuser"} if ($context->{"activeuser"} eq $sessionID);
+# 	$context->{"activeuser"}--;
 }
 
 
-- 
2.39.5