From 30f0e7fec988393531024bcd9bfa0e4f4effb254 Mon Sep 17 00:00:00 2001
From: Nicholas can Oudtshoorn
Date: Fri, 12 Jan 2018 17:28:41 +0000
Subject: [PATCH] Bug 14407: Allow restricting SCO to IP or IP range

Converted this to actual applicable patches. I think the test plan is comment #28. -- Mark Tompsett

Signed-off-by: Mark Tompsett
Signed-off-by: Marcel de Rooy
Signed-off-by: Nick Clemens
---
 C4/Auth.pm | 26 ++++++++++++++++++-
 C4/Installer/PerlDependencies.pm | 5 ++++
 installer/data/mysql/sysprefs.sql | 1 +
 .../admin/preferences/circulation.pref | 4 +++
 opac/sco/help.pl | 7 ++++-
 opac/sco/printslip.pl | 7 ++++-
 opac/sco/sco-main.pl | 10 +++++--
 opac/sco/sco-patron-image.pl | 6 +++++
 8 files changed, 61 insertions(+), 5 deletions(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index 5b2434a585..ea3f5f1bcd 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -44,6 +44,7 @@ use POSIX qw/strftime/;
 use List::MoreUtils qw/ any /;
 use Encode qw( encode is_utf8);
 use C4::Auth_with_shibboleth;
+use Net::CIDR;
 # use utf8;
 use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas $caslogout);
@@ -60,7 +61,7 @@ BEGIN {
     @ISA = qw(Exporter);
     @EXPORT = qw(&checkauth &get_template_and_user &haspermission &get_user_subpermissions);
     @EXPORT_OK = qw(&check_api_auth &get_session &check_cookie_auth &checkpw &checkpw_internal &checkpw_hash
-      &get_all_subpermissions &get_user_subpermissions track_login_daily
+      &get_all_subpermissions &get_user_subpermissions track_login_daily &in_ipset
     );
     %EXPORT_TAGS = ( EditPermissions => [qw(get_all_subpermissions get_user_subpermissions)] );
     $ldap = C4::Context->config('useldapserver') || 0;
@@ -2107,6 +2108,29 @@ sub haspermission {
     #FIXME - This fcn should return the failed permission so a suitable error msg can be delivered.
 }
+=head2 in_ipset
+
+  $flags = ($ipset);
+
+C<$ipset> A space separated string describing an IP set. Can include single IPs or ranges
+
+Returns 1 if the remote address is in the provided ipset, or 0 otherwise.
+
+=cut
+
+sub in_ipset {
+    my ($ipset) = @_;
+    my @allowedipranges = split(' ', $ipset);
+    if (scalar @allowedipranges > 0) {
+        my @rangelist;
+        eval { @rangelist = Net::CIDR::range2cidr(@allowedipranges); }; return 0 if $@;
+        unless (Net::CIDR::cidrlookup($ENV{'REMOTE_ADDR'}, @rangelist)) {
+            return 0;
+        }
+    }
+    return 1;
+}
+
 sub getborrowernumber {
     my ($userid) = @_;
     my $userenv = C4::Context->userenv;
diff --git a/C4/Installer/PerlDependencies.pm b/C4/Installer/PerlDependencies.pm
index 2225463349..3a4c63ff12 100644
--- a/C4/Installer/PerlDependencies.pm
+++ b/C4/Installer/PerlDependencies.pm
@@ -787,6 +787,11 @@ our $PERL_DEPS = {
         'required' => '0',
         'min_ver' => '0.56',
     },
+    'Net::CIDR' => {
+        'usage' => 'Core',
+        'required' => '1',
+        'min_ver' => '0.15',
+    },
     'Net::SFTP::Foreign' => {
         'usage' => 'Edifact',
         'required' => '0',
diff --git a/installer/data/mysql/sysprefs.sql b/installer/data/mysql/sysprefs.sql
index e8eefb97c9..51e6e96186 100644
--- a/installer/data/mysql/sysprefs.sql
+++ b/installer/data/mysql/sysprefs.sql
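Review bot: The new `in_ipset` decides on `$ENV{'REMOTE_ADDR'}`, which is the address of the last TCP hop, so if Koha is served behind a reverse proxy (common for Plack deployments) every SCO client presents the proxy's address and is allowed or denied as one; the POD should say this, and the remedy belongs in the deployment (mod_remoteip or Plack::Middleware::ReverseProxy rewriting REMOTE_ADDR from a trusted proxy) rather than in code that reads X-Forwarded-For. A malformed preference makes the `eval` fail and the sub returns 0, which locks every client out of SCO with nothing in the logs; `eval { @rangelist = Net::CIDR::range2cidr(@allowedipranges); }; if ($@) { warn "in_ipset: cannot parse '$ipset': $@"; return 0; }` keeps the fail-closed behaviour but makes it diagnosable. An undefined preference (within this patch the row is only added to sysprefs.sql) or an unset REMOTE_ADDR (command-line use) each raise an uninitialized-value warning, and `split(' ', $ipset // '')` plus `return 0 unless defined $ENV{'REMOTE_ADDR'};` cover both. The synopsis `$flags = ($ipset);` does not show the call and should read `my $allowed = in_ipset($ipset);`, and it is worth documenting that an IPv4 range presumably will not match an IPv4-mapped IPv6 REMOTE_ADDR such as `::ffff:192.0.2.1`, which some front ends present — confirm against the target stack.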
@@ -528,6 +528,7 @@ INSERT INTO systempreferences ( `variable`, `value`, `options`, `explanation`, `
 ('SearchEngine','Zebra','Elasticsearch|Zebra','Search Engine','Choice'),
 ('SearchMyLibraryFirst','0',NULL,'If ON, OPAC searches return results limited by the user\'s library by default if they are logged in','YesNo'),
 ('SearchWithISBNVariations','0',NULL,'If enabled, search on all variations of the ISBN','YesNo'),
+('SelfCheckAllowByIPRanges','',NULL,'(Leave blank if not used. Use ranges or simple ip addresses separated by spaces, like 192.168.1.1 192.168.0.0/24.)','Short'),
 ('SelfCheckHelpMessage','','70|10','Enter HTML to include under the basic Web-based Self Checkout instructions on the Help page','Textarea'),
 ('SelfCheckInMainUserBlock','','70|10','Add a block of HTML that will display on the self check-in screen.','Textarea'),
 ('SelfCheckInModule', 0, NULL, 'Enable the standalone self-checkin module.', 'YesNo'),
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/circulation.pref b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/circulation.pref
index a5568f78fe..ee0193a6f8 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/circulation.pref
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/circulation.pref
@@ -988,6 +988,10 @@ Circulation:
                   yes: Show
                   no: "Don't show"
             - "the print receipt popup dialog when self checkout is finished"
+        -
+            - pref: SelfCheckAllowByIPRanges
+              class: short
+            - (Leave blank if not used. Use ranges or simple ip addresses separated by spaces, like 192.168.1.1 192.168.0.0/24.)
     Course Reserves:
         -
             - pref: UseCourseReserves
diff --git a/opac/sco/help.pl b/opac/sco/help.pl
index 30003e0feb..33ff6e7a35 100755
--- a/opac/sco/help.pl
+++ b/opac/sco/help.pl
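Review bot: The `SelfCheckAllowByIPRanges` row is added only to sysprefs.sql, which seeds new installations; nothing in this patch's diffstat touches installer/data/mysql/atomicupdate, so an upgraded site keeps running without the preference unless a companion patch adds it. On such a site `C4::Context->preference('SelfCheckAllowByIPRanges')` returns undef, and `in_ipset` then splits an undefined value (one "uninitialized" warning per SCO request) and falls through to allow-all, which is the pre-patch behaviour but noisy. The explanation text also never says what the preference restricts; `'Restrict the web-based self checkout to these IP addresses or CIDR ranges, separated by spaces (e.g. 192.168.1.1 192.168.0.0/24). Leave blank to allow all addresses.'` tells an administrator what they are enabling.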
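Review bot: The label for `pref: SelfCheckAllowByIPRanges` is only a parenthesised instruction and does not name the feature, so on the preferences page an administrator sees a bare input followed by "(Leave blank if not used. ...)" and has to guess that it gates the web-based self checkout by client address. Phrase it as the neighbouring `SelfCheckReceiptPrompt`-style entry does, with a description sentence next to the input: `- Allow web-based self checkout only from these IP addresses or CIDR ranges (space separated, e.g. 192.168.1.1 192.168.0.0/24). Leave blank to allow all.`. With `class: short` a long list of ranges will be cramped; if sites are expected to list many ranges, a textarea entry (with the matching type in sysprefs.sql) would be friendlier — presumably a few ranges is the typical case, so this part is optional.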
@@ -24,10 +24,15 @@ use Modern::Perl;
 use CGI qw ( -utf8 );
-use C4::Auth qw(get_template_and_user);
+use C4::Auth qw(get_template_and_user in_ipset);
 use C4::Output qw(output_html_with_http_headers);
 my $query = new CGI;
+unless ( in_ipset(C4::Context->preference('SelfCheckAllowByIPRanges')) ) {
+    print $query->redirect("/cgi-bin/koha/opac-main.pl");
+    exit;
+}
+
 my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
     {
         template_name => "sco/help.tt",
diff --git a/opac/sco/printslip.pl b/opac/sco/printslip.pl
index cd31be94c1..8234e891a5 100755
--- a/opac/sco/printslip.pl
+++ b/opac/sco/printslip.pl
@@ -29,12 +29,17 @@ It is called from sco-main.pl
 use Modern::Perl;
 use CGI qw ( -utf8 );
 use C4::Context;
-use C4::Auth qw/:DEFAULT get_session/;
+use C4::Auth qw/:DEFAULT get_session in_ipset/;
 use C4::Output;
 use C4::Members;
 use C4::Koha;
 my $input = new CGI;
+unless ( in_ipset(C4::Context->preference('SelfCheckAllowByIPRanges')) ) {
+    print $input->header(status => '403 Forbidden - functionality not available from your location');
+    exit;
+}
+
 my $sessionID = $input->cookie("CGISESSID");
 my $session = get_session($sessionID);
diff --git a/opac/sco/sco-main.pl b/opac/sco/sco-main.pl
index de7948917c..a41971d802 100755
--- a/opac/sco/sco-main.pl
+++ b/opac/sco/sco-main.pl
@@ -35,7 +35,7 @@ use Modern::Perl;
 use CGI qw ( -utf8 );
-use C4::Auth qw(get_template_and_user checkpw);
+use C4::Auth qw(get_template_and_user checkpw in_ipset);
 use C4::Koha;
 use C4::Circulation;
 use C4::Reserves;
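Review bot: The new guard in help.pl calls `C4::Context->preference(...)`, but the import block in this hunk only pulls in `C4::Auth` and `C4::Output`; it works because C4::Auth loads C4::Context internally, which is an implicit dependency that breaks the moment C4::Auth stops doing so. Add `use C4::Context;` next to the other `use` lines, as printslip.pl already has. Placing the check before `get_template_and_user` is the right order: a denied client receives the redirect before any session or template work is done, and the redirect to opac-main.pl reveals nothing about the configured ranges.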
@@ -59,7 +59,13 @@ unless (C4::Context->preference('WebBasedSelfCheck')) {
     exit;
 }
-if (C4::Context->preference('AutoSelfCheckAllowed'))
+unless ( in_ipset(C4::Context->preference('SelfCheckAllowByIPRanges')) ) {
+    # redirect to OPAC home if self-checkout not permitted from current IP
+    print $query->redirect("/cgi-bin/koha/opac-main.pl");
+    exit;
+}
+
+if (C4::Context->preference('AutoSelfCheckAllowed'))
 {
     my $AutoSelfCheckID = C4::Context->preference('AutoSelfCheckID');
     my $AutoSelfCheckPass = C4::Context->preference('AutoSelfCheckPass');
diff --git a/opac/sco/sco-patron-image.pl b/opac/sco/sco-patron-image.pl
index a0ae29a70c..b61130eda1 100755
--- a/opac/sco/sco-patron-image.pl
+++ b/opac/sco/sco-patron-image.pl
@@ -18,6 +18,7 @@
 # along with Koha; if not, see .
 use Modern::Perl;
+use C4::Auth qw(in_ipset);
 use C4::Service;
 use C4::Members;
 use Koha::Patron::Images;
@@ -35,6 +36,11 @@ unless (C4::Context->preference('ShowPatronImageInWebBasedSelfCheck')) {
     exit;
 }
+unless ( in_ipset(C4::Context->preference('SelfCheckAllowByIPRanges')) ) {
+    print $query->header(status => '403 Forbidden - functionality not available from your location');
+    exit;
+}
+
 my ($borrowernumber) = C4::Service->require_params('borrowernumber');
 my ($csrf_token) = C4::Service->require_params('csrf_token');
-- 
2.39.5
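Review bot: The guard `unless ( in_ipset(C4::Context->preference('SelfCheckAllowByIPRanges')) )` in sco-main.pl is the fourth verbatim copy of the same preference lookup in this patch, each paired with its own response (this script and help.pl redirect to opac-main.pl, printslip.pl and sco-patron-image.pl send a 403), so a later change to the preference name or to how an empty value is treated has four places to miss. A one-line wrapper in C4::Auth, `sub sco_ip_allowed { return in_ipset( C4::Context->preference('SelfCheckAllowByIPRanges') // '' ); }`, keeps the lookup and the undef handling in one place while each script keeps its own response. The placement here is right: the check runs before the `if (C4::Context->preference('AutoSelfCheckAllowed'))` block that follows (it continues outside the hunk), so the stored self-check credentials are never used on behalf of a client outside the allowed ranges.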