From 376d1a70232e7c0e96adbd7c5300ce593c0e120a Mon Sep 17 00:00:00 2001 From: Tomas Cohen Arazi Date: Thu, 31 Jan 2019 16:29:30 -0300 Subject: [PATCH] Bug 21890: Allow restricting password resets by patron category This patch makes the templates relying on the OpacResetPassword syspref use the introduced TT plugin method instead by changing: [% IF Koha.Preference('OpacResetPassword') %] => [% IF Categories.can_any_reset_password %] To test: - Verify that all the places in which the 'forgot password' link is displayed in OPAC keep working, provided there's at least one category that has the flag set - Attempt to recover the password for a patron that belong to a valid category (i.e. that has the flag set) => SUCCESS: You can go through the normal process - Attempt to recover the password for a patron that belongs to a category with the flag unset. => SUCCESS: Once Koha identifies your category, you are told you are not allowed to do it - Sign off :-D Signed-off-by: Liz Rea Signed-off-by: Martin Renvoize Signed-off-by: Nick Clemens --- admin/categories.pl | 8 ++- .../prog/en/modules/admin/categories.tt | 34 ++++++++--- .../intranet-tmpl/prog/en/modules/auth.tt | 3 +- .../bootstrap/en/includes/masthead.inc | 3 +- .../bootstrap/en/modules/opac-auth.tt | 3 +- .../bootstrap/en/modules/opac-main.tt | 3 +- .../en/modules/opac-password-recovery.tt | 5 +- opac/opac-password-recovery.pl | 57 +++++++++++-------- 8 files changed, 78 insertions(+), 38 deletions(-) diff --git a/admin/categories.pl b/admin/categories.pl index ba0d11e012..b824b9b6b6 100755 --- a/admin/categories.pl +++ b/admin/categories.pl 
@@ -92,9 +92,11 @@ elsif ( $op eq 'add_validate' ) { my $BlockExpiredPatronOpacActions = $input->param('BlockExpiredPatronOpacActions'); my $checkPrevCheckout = $input->param('checkprevcheckout'); my $default_privacy = $input->param('default_privacy'); - my $can_reset_password = $input->param('can_reset_password'); + my $reset_password = $input->param('reset_password'); my @branches = grep { $_ ne q{} } $input->multi_param('branches'); + $reset_password = undef if $reset_password eq -1; + my $is_a_modif = $input->param("is_a_modif"); if ($enrolmentperioddate) { @@ -123,7 +125,7 @@ elsif ( $op eq 'add_validate' ) { $category->BlockExpiredPatronOpacActions($BlockExpiredPatronOpacActions); $category->checkprevcheckout($checkPrevCheckout); $category->default_privacy($default_privacy); - $category->can_reset_password($can_reset_password); + $category->reset_password($reset_password); eval { $category->store; $category->replace_branch_limitations( \@branches ); @@ -150,7 +152,7 @@ elsif ( $op eq 'add_validate' ) { BlockExpiredPatronOpacActions => $BlockExpiredPatronOpacActions, checkprevcheckout => $checkPrevCheckout, default_privacy => $default_privacy, - can_reset_password => $can_reset_password, + reset_password => $reset_password, }); eval { $category->store; diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt index ff48b74927..5cc99d7a0b 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt @@ -166,15 +166,35 @@
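Review bot: `$reset_password = undef if $reset_password eq -1;` compares the form value against a numeric literal in string context and emits an uninitialized-value warning when the parameter is missing from the request, and any other value the client sends (not just 0 or 1) is passed through unchanged to the `$category->reset_password($reset_password)` and `reset_password => $reset_password` lines in the two following hunks. Since the admin template reads the column as a tri-state (`category.reset_password.defined`, then truthiness), normalize once at this point: `$reset_password = ( !defined $reset_password || $reset_password eq '-1' ) ? undef : ( $reset_password ? 1 : 0 );`. This presumes the column is a nullable boolean flag, which the patch itself does not show.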
  • - - + [% IF category.reset_password.defined %] + [% IF category.reset_password %] + [% IF Koha.Preference('OpacResetPassword') %] + + [% ELSE %] + + [% END %] + + [% ELSE %] - - + [% IF Koha.Preference('OpacResetPassword') %] + + [% ELSE %] + + [% END %] + + [% END %] + [% ELSE %] + [% IF Koha.Preference('OpacResetPassword') %] + + [% ELSE %] + + [% END %] + + + [% END %]
  • diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt index 19548caf57..7533b0cb8b 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt @@ -1,6 +1,7 @@ [% USE raw %] [% USE Koha %] [% USE Branches %] +[% USE Categories %] [% SET footerjs = 1 %] [% INCLUDE 'doc-head-open.inc' %] Koha › @@ -42,7 +43,7 @@ [% IF too_many_login_attempts %] <div id="login_error"><strong>Error: </strong>This account has been locked!</div> - [% IF Koha.Preference('OpacResetPassword') && Koha.Preference('OpacBaseURL') %] + [% IF Categories.can_any_reset_password && Koha.Preference('OpacBaseURL') %] <a href="[% Koha.Preference('OpacBaseURL') | url %]/cgi-bin/koha/opac-password-recovery.pl">You must reset your password</a>. [% END %] [% ELSIF invalid_username_or_password %] diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc b/koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc index 9466c2d9c6..3b5e9d9b8b 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc +++ b/koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc @@ -1,6 +1,7 @@ [% USE raw %] [% USE Koha %] [% USE Branches %] +[% USE Categories %] [% SET OpacLangSelectorMode = Koha.Preference('OpacLangSelectorMode') %] <div id="wrap"> <div id="header-region" class="noprint"> @@ -324,7 +325,7 @@ [% Koha.Preference( 'OpacLoginInstructions' ) | $raw %] </div> [% END %] - [% IF Koha.Preference('OpacPasswordChange') && Koha.Preference('OpacResetPassword') %] + [% IF Koha.Preference('OpacPasswordChange') && Categories.can_any_reset_password %] <div id="forgotpassword-modal" class="forgotpassword"> <a href="/cgi-bin/koha/opac-password-recovery.pl">Forgot your password?</a> </div> diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt index d8aeabec78..8bb82f56df 100644 
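Review bot: `Categories.can_any_reset_password` replaces a cached system-preference read in masthead.inc, an include rendered on every OPAC page, so if the plugin method (not part of this patch) answers by querying the categories table, that query now runs once per page view whenever OpacPasswordChange is on. Memoizing the answer for the request inside the plugin, or caching it through Koha's cache layer and invalidating on category save, would keep the masthead as cheap as before. The same substitution is made in opac-auth.tt and opac-main.tt. The `&&` keeps the preference check first, so the plugin call is skipped when OpacPasswordChange is off.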
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt @@ -1,5 +1,6 @@ [% USE raw %] [% USE Koha %] +[% USE Categories %] [% INCLUDE 'doc-head-open.inc' %] <title>[% IF ( LibraryNameTitle ) %][% LibraryNameTitle | html %][% ELSE %]Koha online[% END %] catalog › [% IF Koha.Preference( 'opacuserlogin' ) == 1 %] @@ -169,7 +170,7 @@ <input type="submit" value="Log in" class="btn" /> <p/> - [% IF Koha.Preference('OpacPasswordChange') && Koha.Preference('OpacResetPassword') %] + [% IF Koha.Preference('OpacPasswordChange') && Categories.can_any_reset_password %] <div id="forgotpassword"> <a href="/cgi-bin/koha/opac-password-recovery.pl">Forgot your password?</a> </div> diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-main.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-main.tt index 46768ca7d5..bd9fb86d25 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-main.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-main.tt @@ -2,6 +2,7 @@ [% USE Koha %] [% USE KohaDates %] [% USE Branches %] +[% USE Categories %] [% USE Price %] [% INCLUDE 'doc-head-open.inc' %] <title>[% IF ( LibraryNameTitle ) %][% LibraryNameTitle | html %][% ELSE %]Koha online[% END %] catalog @@ -172,7 +173,7 @@ [% Koha.Preference( 'OpacLoginInstructions' ) | $raw %] [% END %] - [% IF Koha.Preference('OpacPasswordChange') && Koha.Preference('OpacResetPassword') %] + [% IF Koha.Preference('OpacPasswordChange') && Categories.can_any_reset_password %] diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-password-recovery.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-password-recovery.tt index c30309e392..6ecaab0b6b 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-password-recovery.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-password-recovery.tt 
@@ -1,4 +1,5 @@ [% USE Koha %] +[% USE Categories %] [% INCLUDE 'doc-head-open.inc' %] [% IF ( LibraryNameTitle ) %][% LibraryNameTitle | html %][% ELSE %]Koha online[% END %] catalog › Forgotten password recovery [% INCLUDE 'doc-head-close.inc' %] @@ -54,6 +55,8 @@
    Please try again later. [% ELSIF (errNoBorrowerFound) %] No account was found with the provided information. + [% ELSIF errResetForbidden %] + You are not allowed to reset your password. Contact library staff for assistance. [% ELSIF (errMultipleAccountsForEmail) %] Account identification with this email address only is ambiguous.
    Please use the field 'Login' as well. @@ -83,7 +86,7 @@ [% END %]
    -[% IF (!Koha.Preference('OpacResetPassword')) %] +[% IF (! Categories.can_any_reset_password ) %]
    You can't reset your password.
    [% ELSIF (password_recovery) %]
    diff --git a/opac/opac-password-recovery.pl b/opac/opac-password-recovery.pl index e4b5a91953..8563e2551e 100755 --- a/opac/opac-password-recovery.pl +++ b/opac/opac-password-recovery.pl @@ -43,6 +43,7 @@ my $errMultipleAccountsForEmail; my $errAlreadyStartRecovery; my $errTooManyEmailFound; my $errBadEmail; +my $errResetForbidden; #new password form error my $errLinkNotValid; 
@@ -74,36 +75,45 @@ if ( $query->param('sendEmail') || $query->param('resendEmail') ) { $errMultipleAccountsForEmail = 1; } elsif ( $borrower = $search_results->next() ) { # One matching borrower - my @emails = grep { $_ } ( $borrower->email, $borrower->emailpro, $borrower->B_email ); - my $firstNonEmptyEmail; - $firstNonEmptyEmail = $emails[0] if @emails; + if ( $borrower->category->effective_reset_password ) { - # Is the given email one of the borrower's ? - if ( $email && !( grep /^$email$/i, @emails ) ) { - $hasError = 1; - $errNoBorrowerFound = 1; - } + my @emails = grep { $_ } ( $borrower->email, $borrower->emailpro, $borrower->B_email ); - # If there is no given email, and there is no email on record - elsif ( !$email && !$firstNonEmptyEmail ) { - $hasError = 1; - $errNoBorrowerEmail = 1; - } + my $firstNonEmptyEmail; + $firstNonEmptyEmail = $emails[0] if @emails; + + # Is the given email one of the borrower's ? + if ( $email && !( grep /^$email$/i, @emails ) ) { + $hasError = 1; + $errNoBorrowerFound = 1; + } + + # If there is no given email, and there is no email on record + elsif ( !$email && !$firstNonEmptyEmail ) { + $hasError = 1; + $errNoBorrowerEmail = 1; + } -# Check if a password reset already issued for this borrower AND we are not asking for a new email - elsif ( not $query->param('resendEmail') ) { - if ( ValidateBorrowernumber( $borrower->borrowernumber ) ) { - $hasError = 1; - $errAlreadyStartRecovery = 1; + # Check if a password reset already issued for this + # borrower AND we are not asking for a new email + elsif ( not $query->param('resendEmail') ) { + if ( ValidateBorrowernumber( $borrower->borrowernumber ) ) { + $hasError = 1; + $errAlreadyStartRecovery = 1; + } + else { + DeleteExpiredPasswordRecovery( $borrower->borrowernumber ); + } } - else { - DeleteExpiredPasswordRecovery( $borrower->borrowernumber ); + # Set the $email, if we don't have one. 
+ if ( !$hasError && !$email ) { + $email = $firstNonEmptyEmail; } } - # Set the $email, if we don't have one. - if ( !$hasError && !$email ) { - $email = $firstNonEmptyEmail; + else { + $hasError = 1; + $errResetForbidden = 1; } } else { # 0 matching borrower @@ -119,6 +129,7 @@ if ( $query->param('sendEmail') || $query->param('resendEmail') ) { errBadEmail => $errBadEmail, errNoBorrowerEmail => $errNoBorrowerEmail, errMultipleAccountsForEmail => $errMultipleAccountsForEmail, + errResetForbidden => $errResetForbidden, password_recovery => 1, email => HTML::Entities::encode($email), username => $username -- 2.39.5
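Review bot: The supplied `$email` is still interpolated unescaped into the pattern on the re-indented line `if ( $email && !( grep /^$email$/i, @emails ) ) {`, so regex metacharacters in the form value are parsed as syntax rather than compared as an address; escape it and anchor on the string ends: `if ( $email && !( grep { /\A\Q$email\E\z/i } @emails ) ) {`. The new `else` branch sets `$errResetForbidden` as soon as the category check fails and before the supplied email is compared with the record, so anyone submitting a login alone learns that it belongs to a patron whose category may not reset (the commit message says this distinct message is intended); if that disclosure is not wanted, set `$errNoBorrowerFound = 1;` there instead and record the refusal server-side. `effective_reset_password` is not defined in this patch, so presumably it arrives with the accompanying category-class change. The enclosing `if ( $query->param('sendEmail') || ... )` block starts and ends outside the hunk.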