From 9d31145bf212a0be95981112fe0ebd56a046f5d7 Mon Sep 17 00:00:00 2001 From: tipaul Date: Thu, 10 Oct 2002 10:07:34 +0000 Subject: [PATCH] merging 1.2 and bugfixes for auth and login --- C4/Auth.pm | 344 +++++++++--------- .../default/en/user/userpage.tmpl | 137 +++---- logout.pl | 11 +- userpage.pl | 2 +- 4 files changed, 254 insertions(+), 240 deletions(-) diff --git a/C4/Auth.pm b/C4/Auth.pm index 112e8ecd8b..31c05ea82b 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -116,146 +116,154 @@ has authenticated. # table could be removed. sub checkauth { - my $query=shift; - # $authnotrequired will be set for scripts which will run without authentication - my $authnotrequired=shift; - if (my $userid=$ENV{'REMOTE_USERNAME'}) { - # Using Basic Authentication, no cookies required - my $cookie=$query->cookie(-name => 'sessionID', - -value => '', - -expires => '+1y'); - return ($userid, $cookie, ''); - } - - # Get session ID from cookie. - my $sessionID=$query->cookie('sessionID'); - # FIXME - Error-checking: if the user isn't allowing cookies, - # $sessionID will be undefined. Don't confuse this with an - # expired cookie. - - my $message=''; - - # Make sure the session ID is (still) good. - my $dbh = C4::Context->dbh; - my $sth=$dbh->prepare("select userid,ip,lasttime from sessions where sessionid=?"); - $sth->execute($sessionID); - if ($sth->rows) { - my ($userid, $ip, $lasttime) = $sth->fetchrow; - # FIXME - Back door for tonnensen - if ($lasttime45 seconds, and - # doesn't belong to user tonnensen. It has expired. - $message="You have been logged out due to inactivity."; - - # Remove this session ID from the list of active sessions. - # FIXME - Ought to have a cron job clean this up as well. - my $sti=$dbh->prepare("delete from sessions where sessionID=?"); - $sti->execute($sessionID); - - # Add an entry to sessionqueries, so that we can restart - # the script once the user has authenticated. - my $scriptname=$ENV{'SCRIPT_NAME'}; # FIXME - Unused - my $selfurl=$query->self_url(); - $sti=$dbh->prepare("insert into sessionqueries (sessionID, userid, value) values (?, ?, ?)"); - $sti->execute($sessionID, $userid, $selfurl); - - # Log the fact that someone tried to use an expired session ID. - # FIXME - Ought to have a better logging mechanism, - # ideally some wrapper that logs either to a - # user-specified file, or to syslog, as determined by - # either an entry in /etc/koha.conf, or a system - # preference. - open L, ">>/tmp/sessionlog"; - my $time=localtime(time()); - printf L "%20s from %16s logged out at %30s (inactivity).\n", $userid, $ip, $time; - close L; - } elsif ($ip ne $ENV{'REMOTE_ADDR'}) { - # This session is coming from an IP address other than the - # one where it was set. The user might be doing something - # naughty. - my $newip=$ENV{'REMOTE_ADDR'}; - - $message="ERROR ERROR ERROR ERROR
Attempt to re-use a cookie from a different ip address.
(authenticated from $ip, this request from $newip)"; - } else { - # This appears to be a valid session. Update the time - # stamp on it and return. - my $cookie=$query->cookie(-name => 'sessionID', - -value => $sessionID, - -expires => '+1y'); - my $sti=$dbh->prepare("update sessions set lasttime=? where sessionID=?"); - $sti->execute(time(), $sessionID); - return ($userid, $cookie, $sessionID); + my $query=shift; + # $authnotrequired will be set for scripts which will run without authentication + my $authnotrequired=shift; + if (my $userid=$ENV{'REMOTE_USERNAME'}) { + # Using Basic Authentication, no cookies required + my $cookie=$query->cookie(-name => 'sessionID', + -value => '', + -expires => '+1y'); + return ($userid, $cookie, ''); } - } - - # If we get this far, it's because we haven't received a cookie - # with a valid session ID. Need to start a new session and set a - # new cookie. - - if ($authnotrequired) { - # This script doesn't require the user to be logged in. Return - # just the cookie, without user ID or session ID information. - my $cookie=$query->cookie(-name => 'sessionID', - -value => '', - -expires => '+1y'); - return('', $cookie, ''); - } else { - # This script requires authorization. Assume that we were - # given user and password information; generate a new session. - - # Generate a new session ID. - ($sessionID) || ($sessionID=int(rand()*100000).'-'.time()); - my $userid=$query->param('userid'); - my $password=$query->param('password'); - if (checkpw($dbh, $userid, $password)) { - # The given password is valid - - # Delete any old copies of this session. - my $sti=$dbh->prepare("delete from sessions where sessionID=? and userid=?"); - $sti->execute($sessionID, $userid); - - # Add this new session to the 'sessions' table. - $sti=$dbh->prepare("insert into sessions (sessionID, userid, ip,lasttime) values (?, ?, ?, ?)"); - $sti->execute($sessionID, $userid, $ENV{'REMOTE_ADDR'}, time()); - - # See if there's an entry for this session ID and user in - # the 'sessionqueries' table. If so, then use that entry - # to generate an HTTP redirect that'll take the user to - # where ve wanted to go in the first place. - $sti=$dbh->prepare("select value from sessionqueries where sessionID=? and userid=?"); - # FIXME - There is no sessionqueries.value - $sti->execute($sessionID, $userid); - if ($sti->rows) { - my $stj=$dbh->prepare("delete from sessionqueries where sessionID=?"); - $stj->execute($sessionID); - my ($selfurl) = $sti->fetchrow; - print $query->redirect($selfurl); - exit; - } - open L, ">>/tmp/sessionlog"; - my $time=localtime(time()); - printf L "%20s from %16s logged in at %30s.\n", $userid, $ENV{'REMOTE_ADDR'}, $time; - close L; - my $cookie=$query->cookie(-name => 'sessionID', - -value => $sessionID, - -expires => '+1y'); - return ($userid, $cookie, $sessionID); + warn "passe 1"; + # Get session ID from cookie. + my $sessionID=$query->cookie('sessionID'); + warn "sessionId = $sessionID"; + # FIXME - Error-checking: if the user isn't allowing cookies, + # $sessionID will be undefined. Don't confuse this with an + # expired cookie. + + my $message=''; + + # Make sure the session ID is (still) good. + my $dbh = C4::Context->dbh; + my $sth=$dbh->prepare("select userid,ip,lasttime from sessions where sessionid=?"); + $sth->execute($sessionID); + if ($sth->rows) { + warn "IF 1"; + my ($userid, $ip, $lasttime) = $sth->fetchrow; + # FIXME - Back door for tonnensen + if ($lasttime45 seconds, and + # doesn't belong to user tonnensen. It has expired. + $message="You have been logged out due to inactivity."; + + # Remove this session ID from the list of active sessions. + # FIXME - Ought to have a cron job clean this up as well. + my $sti=$dbh->prepare("delete from sessions where sessionID=?"); + $sti->execute($sessionID); + + # Add an entry to sessionqueries, so that we can restart + # the script once the user has authenticated. + my $scriptname=$ENV{'SCRIPT_NAME'}; # FIXME - Unused + my $selfurl=$query->self_url(); + $sti=$dbh->prepare("insert into sessionqueries (sessionID, userid, value) values (?, ?, ?)"); + $sti->execute($sessionID, $userid, $selfurl); + + # Log the fact that someone tried to use an expired session ID. + # FIXME - Ought to have a better logging mechanism, + # ideally some wrapper that logs either to a + # user-specified file, or to syslog, as determined by + # either an entry in /etc/koha.conf, or a system + # preference. + open L, ">>/tmp/sessionlog"; + my $time=localtime(time()); + printf L "%20s from %16s logged out at %30s (inactivity).\n", $userid, $ip, $time; + close L; + } elsif ($ip ne $ENV{'REMOTE_ADDR'}) { + warn "ELSE1"; + # This session is coming from an IP address other than the + # one where it was set. The user might be doing something + # naughty. + my $newip=$ENV{'REMOTE_ADDR'}; + + $message="ERROR ERROR ERROR ERROR
Attempt to re-use a cookie from a different ip address.
(authenticated from $ip, this request from $newip)"; + } else { + warn "ELSE2"; + # This appears to be a valid session. Update the time + # stamp on it and return. + my $cookie=$query->cookie(-name => 'sessionID', + -value => $sessionID, + -expires => '+1y'); + my $sti=$dbh->prepare("update sessions set lasttime=? where sessionID=?"); + $sti->execute(time(), $sessionID); + return ($userid, $cookie, $sessionID); + } + } + warn "AFTER"; + # If we get this far, it's because we haven't received a cookie + # with a valid session ID. Need to start a new session and set a + # new cookie. + + if ($authnotrequired) { + warn "authnotrequired"; + # This script doesn't require the user to be logged in. Return + # just the cookie, without user ID or session ID information. + my $cookie=$query->cookie(-name => 'sessionID', + -value => '', + -expires => '+1y'); + return('', $cookie, ''); } else { - # Either we weren't given a user id and password, or else - # the password was invalid. - - if ($userid) { - $message="Invalid userid or password entered."; - } - my $parameters; - foreach (param $query) { - $parameters->{$_}=$query->{$_}; - } - my $cookie=$query->cookie(-name => 'sessionID', - -value => $sessionID, - -expires => '+1y'); - print $query->header(-cookie=>$cookie); - print qq| + warn "ELSE3"; + # This script requires authorization. Assume that we were + # given user and password information; generate a new session. + + # Generate a new session ID. + ($sessionID) || ($sessionID=int(rand()*100000).'-'.time()); + my $userid=$query->param('userid'); + my $password=$query->param('password'); + warn "calling checkpw"; + if (checkpw($dbh, $userid, $password)) { + # The given password is valid + warn "VALID"; + # Delete any old copies of this session. + my $sti=$dbh->prepare("delete from sessions where sessionID=? and userid=?"); + $sti->execute($sessionID, $userid); + + # Add this new session to the 'sessions' table. + $sti=$dbh->prepare("insert into sessions (sessionID, userid, ip,lasttime) values (?, ?, ?, ?)"); + $sti->execute($sessionID, $userid, $ENV{'REMOTE_ADDR'}, time()); + + # See if there's an entry for this session ID and user in + # the 'sessionqueries' table. If so, then use that entry + # to generate an HTTP redirect that'll take the user to + # where ve wanted to go in the first place. + $sti=$dbh->prepare("select value from sessionqueries where sessionID=? and userid=?"); + # FIXME - There is no sessionqueries.value + $sti->execute($sessionID, $userid); + if ($sti->rows) { + my $stj=$dbh->prepare("delete from sessionqueries where sessionID=?"); + $stj->execute($sessionID); + my ($selfurl) = $sti->fetchrow; + print $query->redirect($selfurl); + exit; + } + open L, ">>/tmp/sessionlog"; + my $time=localtime(time()); + printf L "%20s from %16s logged in at %30s.\n", $userid, $ENV{'REMOTE_ADDR'}, $time; + close L; + my $cookie=$query->cookie(-name => 'sessionID', + -value => $sessionID, + -expires => '+1y'); + return ($userid, $cookie, $sessionID); + } else { + # Either we weren't given a user id and password, or else + # the password was invalid. + warn "INVALID"; + if ($userid) { + $message="Invalid userid or password entered."; + } + my $parameters; + foreach (param $query) { + $parameters->{$_}=$query->{$_}; + } + my $cookie=$query->cookie(-name => 'sessionID', + -value => $sessionID, + -expires => '+1y'); + return ("",$cookie,$sessionID); + print $query->header(-cookie=>$cookie); + print qq|
@@ -271,7 +279,7 @@ sub checkauth { Password: - + @@ -295,9 +303,9 @@ sub checkauth { |; - exit; + exit; + } } - } } # checkpw @@ -307,33 +315,37 @@ sub checkauth { # Returns 1 if the password is good, or 0 otherwise. sub checkpw { -# This should be modified to allow a select of authentication schemes (ie LDAP) -# as well as local authentication through the borrowers tables passwd field -# - my ($dbh, $userid, $password) = @_; - my $sth; - - # Try the user ID. - $sth = $dbh->prepare("select password from borrowers where userid=?"); - $sth->execute($userid); - if ($sth->rows) { - my ($md5password) = $sth->fetchrow; - if (md5_base64($password) eq $md5password) { - return 1; # The password matches + # This should be modified to allow a select of authentication schemes (ie LDAP) + # as well as local authentication through the borrowers tables passwd field + # + my ($dbh, $userid, $password) = @_; + my $sth; + + # Try the user ID. + $sth = $dbh->prepare("select password from borrowers where userid=?"); + $sth->execute($userid); + if ($sth->rows) { + my ($md5password) = $sth->fetchrow; + if (md5_base64($password) eq $md5password) { + return 1; # The password matches + } + } + + # Try the card number. + $sth = $dbh->prepare("select password from borrowers where cardnumber=?"); + $sth->execute($userid); + if ($sth->rows) { + my ($md5password) = $sth->fetchrow; + if (md5_base64($password) eq $md5password) { + return 1; # The password matches + } } - } - - # Try the card number. - $sth = $dbh->prepare("select password from borrowers where cardnumber=?"); - $sth->execute($userid); - if ($sth->rows) { - my ($md5password) = $sth->fetchrow; - if (md5_base64($password) eq $md5password) { - return 1; # The password matches + if ($userid eq C4::Context->config('user') && $password eq C4::Context->config('pass')) { + # Koha superuser account + return 2; } - } - return 0; # Either there's no such user, or the password - # doesn't match. + return 0; # Either there's no such user, or the password + # doesn't match. } diff --git a/koha-tmpl/intranet-tmpl/default/en/user/userpage.tmpl b/koha-tmpl/intranet-tmpl/default/en/user/userpage.tmpl index 99456f95e5..2ae7067353 100644 --- a/koha-tmpl/intranet-tmpl/default/en/user/userpage.tmpl +++ b/koha-tmpl/intranet-tmpl/default/en/user/userpage.tmpl @@ -1,78 +1,89 @@ -

Logged in as: [Log Out]

- -
-

+

Logged in as: [Log Out]

+

+

+

This page is just a mock up

+
+ -
-
-

This page is just a mock up

+ + + +
Reserves
+ You have the following books waiting to be picked up: +
    +
  • The Great Mom Swap by Betsy Hanes at Main Library +
  • Between Brothers by Irene Morck at Main Library +
+

+ You have the following requests for items on loan: +

    +
  • The Amazing Apple Book by Paulette Bourgeois +
  • Tracey the Great by Alan Cliburn +
  • The biography of a grizzly by Ernest Thompson Seton +
+
- - +
+ - - - -
Reserves
- You have the following books waiting to be picked up: -
    -
  • The Great Mom Swap by Betsy Hanes at Main Library -
  • Between Brothers by Irene Morck at Main Library -
-

- You have the following requests for items on loan: -

    -
  • The Amazing Apple Book by Paulette Bourgeois -
  • Tracey the Great by Alan Cliburn -
  • The biography of a grizzly by Ernest Thompson Seton -
-
+
+ + + +
User Preferences
+ + + + + + + +
Language + +
E-mail Address@mylibrary.com>
Preferred Branch
for reserve pickups
+ +
+ Notify me about Special Events by email
+ Notify me about overdues by email
+ Keep a record of books I have read
+ Allow library staff to see my reading record
+
+ +
+
+
-
+
-
- - - -
User Preferences
- - - - - + + +
+ +
Language - -
E-mail Address@mylibrary.com>
Preferred Branch
for reserve pickups
- -
- Notify me about Special Events by email
- Notify me about overdues by email
- Keep a record of books I have read
- Allow library staff to see my reading record
-
+ + +
User Preferences
Name:
Password:
- +
-
-
- -
- -
+ + + diff --git a/logout.pl b/logout.pl index abac2e6c21..13a7341ac4 100755 --- a/logout.pl +++ b/logout.pl @@ -69,16 +69,7 @@ my $cookie=$query->cookie(-name => 'sessionID', # Should redirect to intranet home page after logging out -print $query->redirect("mainpage.pl"); - +print $query->redirect("userpage.pl"); exit; -if ($sessionID) { - print "Logged out of $sessionID
\n"; - print "Login"; -} else { - print "Not logged in.
\n"; - print "Login"; -} - diff --git a/userpage.pl b/userpage.pl index 3e6b99156d..79b08ebe6c 100755 --- a/userpage.pl +++ b/userpage.pl @@ -27,7 +27,7 @@ use C4::Search; use C4::Auth; my $query=new CGI; -my ($loggedinuser, $cookie, $sessionID) = checkauth($query, 1); +my ($loggedinuser, $cookie, $sessionID) = checkauth($query, 0); my $template = gettemplate("user/userpage.tmpl",0); -- 2.39.5