From 706a299eb671b6806efb270f287347b1ea404404 Mon Sep 17 00:00:00 2001
From: tonnesen <tonnesen>
Date: Sat, 27 Jul 2002 04:33:57 +0000
Subject: [PATCH] Beginning flags based authentication.  All of the member*pl
 scripts now require the borrower to have either the "borrowers" or
 "superlibrarian" flags set.

---
 C4/Auth.pm         | 82 +++++++++++++++++++++++++++++++++++++++++-----
 member-password.pl |  8 ++++-
 member.pl          |  6 +++-
 memberentry.pl     |  7 +++-
 members-home.pl    |  4 ++-
 5 files changed, 94 insertions(+), 13 deletions(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index eaffa41d60..058d031f69 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -19,11 +19,28 @@ $VERSION = 0.01;
 );
 
 
+sub getuserflags {
+    my $cardnumber=shift;
+    my $dbh=shift;
+    my $userflags;
+    my $sth=$dbh->prepare("select flags from borrowers where cardnumber=?");
+    $sth->execute($cardnumber);
+    my ($flags) = $sth->fetchrow;
+    $sth=$dbh->prepare("select bit,flag from userflags");
+    $sth->execute;
+    while (my ($bit, $flag) = $sth->fetchrow) {
+	if ($flags & (2**$bit)) {
+	    $userflags->{$flag}=1;
+	}
+    }
+    return $userflags;
+}
 
 sub checkauth {
     my $query=shift;
     # $authnotrequired will be set for scripts which will run without authentication
     my $authnotrequired=shift;
+    my $flagsrequired=shift;
     if (my $userid=$ENV{'REMOTE_USER'}) {
 	# Using Basic Authentication, no cookies required
 	my $cookie=$query->cookie(-name => 'sessionID',
@@ -63,7 +80,29 @@ sub checkauth {
 				      -expires => '+1y');
 	    my $sti=$dbh->prepare("update sessions set lasttime=? where sessionID=?");
 	    $sti->execute(time(), $sessionID);
-	    return ($userid, $cookie, $sessionID);
+	    my $sth=$dbh->prepare("select cardnumber from borrowers where userid=?");
+	    $sth->execute($userid);
+	    my ($cardnumber) = $sth->fetchrow;
+	    my $flags=getuserflags($cardnumber,$dbh);
+	    foreach (keys %$flagsrequired) {
+		warn "Checking required flag $_";
+		unless ($flags->{superlibrarian}) {
+		    unless ($flags->{$_}) {
+			print qq|Content-type: text/html
+
+<html>
+<body>
+REJECTED
+<hr>
+You do not have access to this portion of Koha
+</body>
+</html>
+|;
+			exit;
+		    }
+		}
+	    }
+	    return ($userid, $cookie, $sessionID, $flags);
 	}
     }
 
@@ -78,12 +117,13 @@ sub checkauth {
 	($sessionID) || ($sessionID=int(rand()*100000).'-'.time());
 	my $userid=$query->param('userid');
 	my $password=$query->param('password');
-	if (checkpw($dbh, $userid, $password)) {
+	my ($return, $cardnumber) = checkpw($dbh,$userid,$password);
+	if ($return) {
 	    my $sti=$dbh->prepare("delete from sessions where sessionID=? and userid=?");
 	    $sti->execute($sessionID, $userid);
 	    $sti=$dbh->prepare("insert into sessions (sessionID, userid, ip,lasttime) values (?, ?, ?, ?)");
 	    $sti->execute($sessionID, $userid, $ENV{'REMOTE_ADDR'}, time());
-	    $sti=$dbh->prepare("select value from sessionqueries where sessionID=? and userid=?");
+	    $sti=$dbh->prepare("select url from sessionqueries where sessionID=? and userid=?");
 	    $sti->execute($sessionID, $userid);
 	    if ($sti->rows) {
 		my ($selfurl) = $sti->fetchrow;
@@ -100,7 +140,31 @@ sub checkauth {
 	    my $cookie=$query->cookie(-name => 'sessionID',
 				      -value => $sessionID,
 				      -expires => '+1y');
-	    return ($userid, $cookie, $sessionID);
+	    my $flags;
+	    if ($return==2) {
+		$flags->{'superlibrarian'}=1;
+	    } else {
+		$flags=getuserflags($cardnumber, $dbh);
+	    }
+	    foreach (keys %$flagsrequired) {
+		warn "Checking required flag $_";
+		unless ($flags->{superlibrarian}) {
+		    unless ($flags->{$_}) {
+			print qq|Content-type: text/html
+
+<html>
+<body>
+REJECTED
+<hr>
+You do not have access to this portion of Koha
+</body>
+</html>
+|;
+			exit;
+		    }
+		}
+	    }
+	    return ($userid, $cookie, $sessionID, $flags);
 	} else {
 	    if ($userid) {
 		$message="Invalid userid or password entered.";
@@ -169,12 +233,12 @@ sub checkpw {
 #
 
     my ($dbh, $userid, $password) = @_;
-    my $sth=$dbh->prepare("select password from borrowers where userid=?");
+    my $sth=$dbh->prepare("select password,cardnumber from borrowers where userid=?");
     $sth->execute($userid);
     if ($sth->rows) {
-	my ($md5password) = $sth->fetchrow;
+	my ($md5password,$cardnumber) = $sth->fetchrow;
 	if (md5_base64($password) eq $md5password) {
-	    return 1;
+	    return 1,$cardnumber;
 	}
     }
     my $sth=$dbh->prepare("select password from borrowers where cardnumber=?");
@@ -182,13 +246,13 @@ sub checkpw {
     if ($sth->rows) {
 	my ($md5password) = $sth->fetchrow;
 	if (md5_base64($password) eq $md5password) {
-	    return 1;
+	    return 1,$userid;
 	}
     }
     my $configfile=configfile();
     if ($userid eq $configfile->{'user'} && $password eq $configfile->{'pass'}) {
         # Koha superuser account
-	return 1;
+	return 2;
     }
     return 0;
 }
diff --git a/member-password.pl b/member-password.pl
index 79b269d5f1..626eb12ba0 100755
--- a/member-password.pl
+++ b/member-password.pl
@@ -10,11 +10,17 @@ use C4::Search;
 use CGI;
 use Digest::MD5 qw(md5_base64);
 use C4::Output;
+use C4::Auth;
 use C4::Database;
 use C4::Circulation::Circ2;
 #use C4::Acquisitions;
 
 my $input = new CGI;
+
+my $flagsrequired;
+$flagsrequired->{borrowers}=1;
+my ($loggedinuser, $cookie, $sessionID) = checkauth($input, 0, $flagsrequired);
+
 #print $input->header;
 my $member=$input->param('member');
 my %env;
@@ -54,7 +60,7 @@ if ($input->param('newpassword')) {
     $spellitout=~s/\004/ <b>oh<\/b> /g;
     $spellitout=~s/\005/ <b>zero<\/b> /g;
 
-    print $input->header;
+    print $input->header(-cookie => $cookie);
     print startpage();
     print startmenu('member');
     print qq|
diff --git a/member.pl b/member.pl
index ec47bc6c78..a20604d2a1 100755
--- a/member.pl
+++ b/member.pl
@@ -7,12 +7,16 @@ use strict;
 use C4::Output;
 use CGI;
 use C4::Search;
+use C4::Auth;
 
 
 my $input = new CGI;
+my $flagsrequired;
+$flagsrequired->{borrowers}=1;
+my ($loggedinuser, $cookie, $sessionID) = checkauth($input, 0, $flagsrequired);
 my $member=$input->param('member');
 $member=~ s/\,//g;
-print $input->header;
+print $input->header(-cookie => $cookie);
 #start the page and read in includes
 print startpage();
 print startmenu('member');
diff --git a/memberentry.pl b/memberentry.pl
index 0ca9ae8f24..4fa22b6e62 100755
--- a/memberentry.pl
+++ b/memberentry.pl
@@ -8,9 +8,14 @@ use C4::Output;
 use CGI;
 use C4::Search;
 use C4::Database;
+use C4::Auth;
 use C4::Koha;
 
 my $input = new CGI;
+my $flagsrequired;
+$flagsrequired->{borrowers}=1;
+my ($loggedinuser, $cookie, $sessionID) = checkauth($input, 0, $flagsrequired);
+
 my $member=$input->param('bornum');
 if ($member eq ''){
   $member=NewBorrowerNumber();
@@ -24,7 +29,7 @@ if ($delete){
 } elsif ($password) {
   print $input->redirect("/cgi-bin/koha/member-password.pl?member=$member");
 } else {
-print $input->header;
+print $input->header(-cookie => $cookie);
 print startpage();
 print startmenu('member');
 
diff --git a/members-home.pl b/members-home.pl
index b12cc92821..4f767b45da 100755
--- a/members-home.pl
+++ b/members-home.pl
@@ -6,7 +6,9 @@ use C4::Auth;
 use C4::Output;
 
 my $query = new CGI;
-my ($loggedinuser, $cookie, $sessionID) = checkauth($query);
+my $flagsrequired;
+$flagsrequired->{borrowers}=1;
+my ($loggedinuser, $cookie, $sessionID) = checkauth($query, 0, $flagsrequired);
 
 print $query->header(-cookie => $cookie);
 
-- 
2.39.5