use strict;
use warnings;
+use Carp qw/croak/;
+
use Digest::MD5 qw(md5_base64);
-use File::Spec;
use JSON qw/encode_json/;
use URI::Escape;
use CGI::Session;
use C4::Context;
use C4::Templates; # to get the template
use C4::Languages;
-use C4::Branch; # GetBranches
use C4::Search::History;
use Koha;
-use Koha::AuthUtils qw(hash_password);
-use Koha::LibraryCategories;
+use Koha::Caches;
+use Koha::AuthUtils qw(get_script_name hash_password);
+use Koha::Checkouts;
+use Koha::DateUtils qw(dt_from_string);
+use Koha::Library::Groups;
use Koha::Libraries;
+use Koha::Patrons;
+use Koha::Patron::Consents;
use POSIX qw/strftime/;
use List::MoreUtils qw/ any /;
use Encode qw( encode is_utf8);
+use C4::Auth_with_shibboleth;
# use utf8;
-use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas $caslogout $shib $shib_login);
+use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas $caslogout);
BEGIN {
sub psgi_env { any { /^psgi\./ } keys %ENV }
@ISA = qw(Exporter);
@EXPORT = qw(&checkauth &get_template_and_user &haspermission &get_user_subpermissions);
@EXPORT_OK = qw(&check_api_auth &get_session &check_cookie_auth &checkpw &checkpw_internal &checkpw_hash
- &get_all_subpermissions &get_user_subpermissions
+ &get_all_subpermissions &get_user_subpermissions track_login_daily
);
%EXPORT_TAGS = ( EditPermissions => [qw(get_all_subpermissions get_user_subpermissions)] );
$ldap = C4::Context->config('useldapserver') || 0;
$cas = C4::Context->preference('casAuthentication');
- $shib = C4::Context->config('useshibboleth') || 0;
$caslogout = C4::Context->preference('casLogout');
require C4::Auth_with_cas; # no import
require C4::Auth_with_ldap;
import C4::Auth_with_ldap qw(checkpw_ldap);
}
- if ($shib) {
- require C4::Auth_with_shibboleth;
- import C4::Auth_with_shibboleth
- qw(shib_ok checkpw_shib logout_shib login_shib_url get_login_shib);
-
- # Check for good config
- if ( shib_ok() ) {
-
- # Get shibboleth login attribute
- $shib_login = get_login_shib();
- }
-
- # Bad config, disable shibboleth
- else {
- $shib = 0;
- }
- }
if ($cas) {
- import C4::Auth_with_cas qw(check_api_auth_cas checkpw_cas login_cas logout_cas login_cas_url);
+ import C4::Auth_with_cas qw(check_api_auth_cas checkpw_cas login_cas logout_cas login_cas_url logout_if_required);
}
}
The C<template_name> is then used to find the correct template for
the page. The authenticated users details are loaded onto the
-template in the HTML::Template LOOP variable C<USER_INFO>. Also the
+template in the logged_in_user variable (which is a Koha::Patron object). Also the
C<sessionID> is passed to the template. This can be used in templates
if cookies are disabled. It needs to be put as and input to every
authenticated page.
my $in = shift;
my ( $user, $cookie, $sessionID, $flags );
- C4::Context->interface( $in->{type} );
+ # Get shibboleth login attribute
+ my $shib = C4::Context->config('useshibboleth') && shib_ok();
+ my $shib_login = $shib ? get_login_shib() : undef;
- my $safe_chars = 'a-zA-Z0-9_\-\/';
- die "bad template path" unless $in->{'template_name'} =~ m/^[$safe_chars]+\.tt$/ig; #sanitize input
+ C4::Context->interface( $in->{type} );
$in->{'authnotrequired'} ||= 0;
+
+ # the following call includes a bad template check; might croak
my $template = C4::Templates::gettemplate(
$in->{'template_name'},
$in->{'type'},
$in->{'query'},
- $in->{'is_plugin'}
);
if ( $in->{'template_name'} !~ m/maintenance/ ) {
);
}
+ # If we enforce GDPR and the user did not consent, redirect
+ if( $in->{type} eq 'opac' && $user &&
+ $in->{'template_name'} !~ /opac-patron-consent/ &&
+ C4::Context->preference('GDPR_Policy') eq 'Enforced' )
+ {
+ my $consent = Koha::Patron::Consents->search({
+ borrowernumber => getborrowernumber($user),
+ type => 'GDPR_PROCESSING',
+ given_on => { '!=', undef },
+ })->next;
+ if( !$consent ) {
+ print $in->{query}->redirect(-uri => '/cgi-bin/koha/opac-patron-consent.pl', -cookie => $cookie);
+ safe_exit;
+ }
+ }
+
+ if ( $in->{type} eq 'opac' && $user ) {
+ my $kick_out;
+
+ if (
+# If the user logged in is the SCO user and they try to go out of the SCO module,
+# log the user out removing the CGISESSID cookie
+ $in->{template_name} !~ m|sco/| && $in->{template_name} !~ m|errors/errorpage.tt|
+ && C4::Context->preference('AutoSelfCheckID')
+ && $user eq C4::Context->preference('AutoSelfCheckID')
+ )
+ {
+ $kick_out = 1;
+ }
+ elsif (
+# If the user logged in is the SCI user and they try to go out of the SCI module,
+# kick them out unless it is SCO with a valid permission
+# or they are a superlibrarian
+ $in->{template_name} !~ m|sci/|
+ && haspermission( $user, { self_check => 'self_checkin_module' } )
+ && !(
+ $in->{template_name} =~ m|sco/| && haspermission(
+ $user, { self_check => 'self_checkout_module' }
+ )
+ )
+ && $flags && $flags->{superlibrarian} != 1
+ )
+ {
+ $kick_out = 1;
+ }
- # If the user logged in is the SCO user and he tries to go out the SCO module, log the user out removing the CGISESSID cookie
- if ( $in->{type} eq 'opac' and $in->{template_name} !~ m|sco/| ) {
- if ( C4::Context->preference('AutoSelfCheckID') && $user eq C4::Context->preference('AutoSelfCheckID') ) {
- $template = C4::Templates::gettemplate( 'opac-auth.tt', 'opac', $in->{query} );
- my $cookie = $in->{query}->cookie(
+ if ($kick_out) {
+ $template = C4::Templates::gettemplate( 'opac-auth.tt', 'opac',
+ $in->{query} );
+ $cookie = $in->{query}->cookie(
-name => 'CGISESSID',
-value => '',
-expires => '',
$template->param(
loginprompt => 1,
- script_name => _get_script_name(),
+ script_name => get_script_name(),
);
+
print $in->{query}->header(
- { type => 'text/html',
+ {
+ type => 'text/html',
charset => 'utf-8',
cookie => $cookie,
'X-Frame-Options' => 'SAMEORIGIN'
}
),
- $template->output;
+ $template->output;
safe_exit;
}
}
my $borrowernumber;
if ($user) {
- require C4::Members;
# It's possible for $user to be the borrowernumber if they don't have a
# userid defined (and are logging in through some other method, such
# as SSL certs against an email address)
- my $borrower;
+ my $patron;
$borrowernumber = getborrowernumber($user) if defined($user);
if ( !defined($borrowernumber) && defined($user) ) {
- $borrower = C4::Members::GetMember( borrowernumber => $user );
- if ($borrower) {
+ $patron = Koha::Patrons->find( $user );
+ if ($patron) {
$borrowernumber = $user;
# A bit of a hack, but I don't know there's a nicer way
# to do it.
- $user = $borrower->{firstname} . ' ' . $borrower->{surname};
+ $user = $patron->firstname . ' ' . $patron->surname;
}
} else {
- $borrower = C4::Members::GetMember( borrowernumber => $borrowernumber );
+ $patron = Koha::Patrons->find( $borrowernumber );
+ # FIXME What to do if $patron does not exist?
}
# user info
- $template->param( loggedinusername => $user );
- $template->param( loggedinusernumber => $borrowernumber );
+ $template->param( loggedinusername => $user ); # OBSOLETE - Do not reuse this in template, use logged_in_user.userid instead
+ $template->param( loggedinusernumber => $borrowernumber ); # FIXME Should be replaced with logged_in_user.borrowernumber
+ $template->param( logged_in_user => $patron );
$template->param( sessionID => $sessionID );
if ( $in->{'type'} eq 'opac' ) {
);
}
- $template->param( "USER_INFO" => $borrower );
-
my $all_perms = get_all_subpermissions();
my @flagroots = qw(circulate catalogue parameters borrowers permissions reserveforothers borrow
- editcatalogue updatecharges management tools editauthorities serials reports acquisition);
+ editcatalogue updatecharges tools editauthorities serials reports acquisition clubs);
# We are going to use the $flags returned by checkauth
# to create the template's parameters that will indicate
$template->param( CAN_user_editcatalogue => 1 );
$template->param( CAN_user_updatecharges => 1 );
$template->param( CAN_user_acquisition => 1 );
- $template->param( CAN_user_management => 1 );
$template->param( CAN_user_tools => 1 );
$template->param( CAN_user_editauthorities => 1 );
$template->param( CAN_user_serials => 1 );
$template->param( CAN_user_staffaccess => 1 );
$template->param( CAN_user_plugins => 1 );
$template->param( CAN_user_coursereserves => 1 );
- foreach my $module ( keys %$all_perms ) {
+ $template->param( CAN_user_clubs => 1 );
+ $template->param( CAN_user_ill => 1 );
+ $template->param( CAN_user_stockrotation => 1 );
+ foreach my $module ( keys %$all_perms ) {
foreach my $subperm ( keys %{ $all_perms->{$module} } ) {
$template->param( "CAN_user_${module}_${subperm}" => 1 );
}
foreach my $module ( keys %$flags ) {
if ( $flags->{$module} == 1 or ref( $flags->{$module} ) ) {
$template->param( "CAN_user_$module" => 1 );
- if ( $module eq "parameters" ) {
- $template->param( CAN_user_management => 1 );
- }
}
}
}
# We show the link in opac
$template->param( EnableOpacSearchHistory => 1 );
}
+ if (C4::Context->preference('LoadSearchHistoryToTheFirstLoggedUser'))
+ {
+ # And if there are searches performed when the user was not logged in,
+ # we add them to the logged-in search history
+ my @recentSearches = C4::Search::History::get_from_session( { cgi => $in->{'query'} } );
+ if (@recentSearches) {
+ my $dbh = C4::Context->dbh;
+ my $query = q{
+ INSERT INTO search_history(userid, sessionid, query_desc, query_cgi, type, total, time )
+ VALUES (?, ?, ?, ?, ?, ?, ?)
+ };
+ my $sth = $dbh->prepare($query);
+ $sth->execute( $borrowernumber,
+ $in->{query}->cookie("CGISESSID"),
+ $_->{query_desc},
+ $_->{query_cgi},
+ $_->{type} || 'biblio',
+ $_->{total},
+ $_->{time},
+ ) foreach @recentSearches;
+
+ # clear out the search history from the session now that
+ # we've saved it to the database
+ }
+ }
+ C4::Search::History::set_to_session( { cgi => $in->{'query'}, search_history => [] } );
- # And if there are searches performed when the user was not logged in,
- # we add them to the logged-in search history
- my @recentSearches = C4::Search::History::get_from_session( { cgi => $in->{'query'} } );
- if (@recentSearches) {
- my $dbh = C4::Context->dbh;
- my $query = q{
- INSERT INTO search_history(userid, sessionid, query_desc, query_cgi, type, total, time )
- VALUES (?, ?, ?, ?, ?, ?, ?)
- };
-
- my $sth = $dbh->prepare($query);
- $sth->execute( $borrowernumber,
- $in->{query}->cookie("CGISESSID"),
- $_->{query_desc},
- $_->{query_cgi},
- $_->{type} || 'biblio',
- $_->{total},
- $_->{time},
- ) foreach @recentSearches;
-
- # clear out the search history from the session now that
- # we've saved it to the database
- C4::Search::History::set_to_session( { cgi => $in->{'query'}, search_history => [] } );
- }
} elsif ( $in->{type} eq 'intranet' and C4::Context->preference('EnableSearchHistory') ) {
$template->param( EnableSearchHistory => 1 );
}
my $https = $in->{query}->https();
my $using_https = ( defined $https and $https ne 'OFF' ) ? 1 : 0;
+ my $minPasswordLength = C4::Context->preference('minPasswordLength');
+ $minPasswordLength = 3 if not $minPasswordLength or $minPasswordLength < 3;
$template->param(
"BiblioDefaultView" . C4::Context->preference("BiblioDefaultView") => 1,
EnhancedMessagingPreferences => C4::Context->preference('EnhancedMessagingPreferences'),
LoginFirstname => ( C4::Context->userenv ? C4::Context->userenv->{"firstname"} : "Bel" ),
LoginSurname => C4::Context->userenv ? C4::Context->userenv->{"surname"} : "Inconnu",
emailaddress => C4::Context->userenv ? C4::Context->userenv->{"emailaddress"} : undef,
- loggedinpersona => C4::Context->userenv ? C4::Context->userenv->{"persona"} : undef,
TagsEnabled => C4::Context->preference("TagsEnabled"),
hide_marc => C4::Context->preference("hide_marc"),
item_level_itypes => C4::Context->preference('item-level_itypes'),
using_https => $using_https,
noItemTypeImages => C4::Context->preference("noItemTypeImages"),
marcflavour => C4::Context->preference("marcflavour"),
- persona => C4::Context->preference("persona"),
OPACBaseURL => C4::Context->preference('OPACBaseURL'),
+ minPasswordLength => $minPasswordLength,
);
if ( $in->{'type'} eq "intranet" ) {
$template->param(
UseKohaPlugins => C4::Context->preference('UseKohaPlugins'),
UseCourseReserves => C4::Context->preference("UseCourseReserves"),
useDischarge => C4::Context->preference('useDischarge'),
+ pending_checkout_notes => scalar Koha::Checkouts->search({ noteseen => 0 }),
);
}
else {
my $opac_limit_override = $ENV{'OPAC_LIMIT_OVERRIDE'};
my $opac_name = '';
if (
- ( $opac_limit_override && $opac_search_limit && $opac_search_limit =~ /branch:(\w+)/ ) ||
- ( $in->{'query'}->param('limit') && $in->{'query'}->param('limit') =~ /branch:(\w+)/ ) ||
+ ( $opac_limit_override && $opac_search_limit && $opac_search_limit =~ /branch:([\w-]+)/ ) ||
+ ( $in->{'query'}->param('limit') && $in->{'query'}->param('limit') =~ /branch:([\w-]+)/ ) ||
( $in->{'query'}->param('multibranchlimit') && $in->{'query'}->param('multibranchlimit') =~ /multibranchlimit-(\w+)/ )
) {
$opac_name = $1; # opac_search_limit is a branch, so we use it.
$opac_name = C4::Context->userenv->{'branch'};
}
- my $library_categories = Koha::LibraryCategories->search({categorytype => 'searchdomain', show_in_pulldown => 1}, { order_by => ['categorytype', 'categorycode']});
+ my @search_groups = Koha::Library::Groups->get_search_groups({ interface => 'opac' });
$template->param(
OpacAdditionalStylesheet => C4::Context->preference("OpacAdditionalStylesheet"),
AnonSuggestions => "" . C4::Context->preference("AnonSuggestions"),
- BranchesLoop => GetBranchesLoop($opac_name),
- BranchCategoriesLoop => $library_categories,
+ LibrarySearchGroups => \@search_groups,
opac_name => $opac_name,
LibraryName => "" . C4::Context->preference("LibraryName"),
LibraryNameTitle => "" . $LibraryNameTitle,
my $query = shift;
$debug and warn "Checking Auth";
+ # Get shibboleth login attribute
+ my $shib = C4::Context->config('useshibboleth') && shib_ok();
+ my $shib_login = $shib ? get_login_shib() : undef;
+
# $authnotrequired will be set for scripts which will run without authentication
my $authnotrequired = shift;
my $flagsrequired = shift;
my $type = shift;
- my $persona = shift;
+ my $emailaddress = shift;
$type = 'opac' unless $type;
my $dbh = C4::Context->dbh;
my $logout = $query->param('logout.x');
my $anon_search_history;
-
+ my $cas_ticket = '';
# This parameter is the name of the CAS server we want to authenticate against,
# when using authentication against multiple CAS servers, as configured in Auth_cas_servers.yaml
my $casparam = $query->param('cas');
my $q_userid = $query->param('userid') // '';
+ my $session;
+
# Basic authentication is incompatible with the use of Shibboleth,
# as Shibboleth may return REMOTE_USER as a Shibboleth attribute,
# and it may not be the attribute we want to use to match the koha login.
);
$loggedin = 1;
}
- elsif ($persona) {
-
- # we don't want to set a session because we are being called by a persona callback
+ elsif ( $emailaddress) {
+ # the Google OpenID Connect passes an email address
}
elsif ( $sessionID = $query->cookie("CGISESSID") )
{ # assignment, not comparison
- my $session = get_session($sessionID);
+ $session = get_session($sessionID);
C4::Context->_new_userenv($sessionID);
my ( $ip, $lasttime, $sessiontype );
my $s_userid = '';
$session->param('surname'), $session->param('branch'),
$session->param('branchname'), $session->param('flags'),
$session->param('emailaddress'), $session->param('branchprinter'),
- $session->param('persona'), $session->param('shibboleth')
+ $session->param('shibboleth')
);
C4::Context::set_shelves_userenv( 'bar', $session->param('barshelves') );
C4::Context::set_shelves_userenv( 'pub', $session->param('pubshelves') );
}
# If we are in a shibboleth session (shibboleth is enabled, a shibboleth match attribute is set and matches koha matchpoint)
- if ( $shib and $shib_login and $shibSuccess and $type eq 'opac' ) {
-
- # (Note: $type eq 'opac' condition should be removed when shibboleth authentication for intranet will be implemented)
+ if ( $shib and $shib_login and $shibSuccess) {
logout_shib($query);
}
}
}
}
unless ( $userid || $sessionID ) {
-
#we initiate a session prior to checking for a username to allow for anonymous sessions...
my $session = get_session("") or die "Auth ERROR: Cannot get_session()";
$session->param( 'search_history', $anon_search_history );
}
- my $sessionID = $session->id;
+ $sessionID = $session->id;
C4::Context->_new_userenv($sessionID);
$cookie = $query->cookie(
-name => 'CGISESSID',
-value => $session->id,
-HttpOnly => 1
);
- $userid = $q_userid;
my $pki_field = C4::Context->preference('AllowPKIAuth');
if ( !defined($pki_field) ) {
print STDERR "ERROR: Missing system preference AllowPKIAuth.\n";
$pki_field = 'None';
}
if ( ( $cas && $query->param('ticket') )
- || $userid
+ || $q_userid
|| ( $shib && $shib_login )
|| $pki_field ne 'None'
- || $persona )
+ || $emailaddress )
{
my $password = $query->param('password');
my $shibSuccess = 0;
-
my ( $return, $cardnumber );
# If shib is enabled and we have a shib login, does the login match a valid koha user
- if ( $shib && $shib_login && $type eq 'opac' ) {
+ if ( $shib && $shib_login ) {
my $retuserid;
# Do not pass password here, else shib will not be checked in checkpw.
- ( $return, $cardnumber, $retuserid ) = checkpw( $dbh, $userid, undef, $query );
+ ( $return, $cardnumber, $retuserid ) = checkpw( $dbh, $q_userid, undef, $query );
$userid = $retuserid;
$shibSuccess = $return;
$info{'invalidShibLogin'} = 1 unless ($return);
unless ($shibSuccess) {
if ( $cas && $query->param('ticket') ) {
my $retuserid;
- ( $return, $cardnumber, $retuserid ) =
+ ( $return, $cardnumber, $retuserid, $cas_ticket ) =
checkpw( $dbh, $userid, $password, $query, $type );
$userid = $retuserid;
$info{'invalidCasLogin'} = 1 unless ($return);
}
- elsif ($persona) {
- my $value = $persona;
+ elsif ( $emailaddress ) {
+ my $value = $emailaddress;
# If we're looking up the email, there's a chance that the person
# doesn't have a userid. So if there is none, we pass along the
# borrower number, and the bits of code that need to know the user
# ID will have to be smart enough to handle that.
- require C4::Members;
- my @users_info = C4::Members::GetBorrowersWithEmail($value);
- if (@users_info) {
+ my $patrons = Koha::Patrons->search({ email => $value });
+ if ($patrons->count) {
# First the userid, then the borrowernum
- $value = $users_info[0][1] || $users_info[0][0];
- }
- else {
+ my $patron = $patrons->next;
+ $value = $patron->userid || $patron->borrowernumber;
+ } else {
undef $value;
}
$return = $value ? 1 : 0;
# doesn't have a userid. So if there is none, we pass along the
# borrower number, and the bits of code that need to know the user
# ID will have to be smart enough to handle that.
- require C4::Members;
- my @users_info = C4::Members::GetBorrowersWithEmail($value);
- if (@users_info) {
+ my $patrons = Koha::Patrons->search({ email => $value });
+ if ($patrons->count) {
# First the userid, then the borrowernum
- $value = $users_info[0][1] || $users_info[0][0];
+ my $patron = $patrons->next;
+ $value = $patron->userid || $patron->borrowernumber;
} else {
undef $value;
}
}
else {
my $retuserid;
- ( $return, $cardnumber, $retuserid ) =
- checkpw( $dbh, $userid, $password, $query, $type );
+ ( $return, $cardnumber, $retuserid, $cas_ticket ) =
+ checkpw( $dbh, $q_userid, $password, $query, $type );
$userid = $retuserid if ($retuserid);
$info{'invalid_username_or_password'} = 1 unless ($return);
}
}
- # $return: 1 = valid user, 2 = superlibrarian
+ # $return: 1 = valid user
if ($return) {
#_session_log(sprintf "%20s from %16s logged in at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},(strftime '%c', localtime));
# if they specify at login, use that
if ( $query->param('branch') ) {
$branchcode = $query->param('branch');
- $branchname = GetBranchName($branchcode);
+ my $library = Koha::Libraries->find($branchcode);
+ $branchname = $library? $library->branchname: '';
}
- my $branches = GetBranches();
- if ( C4::Context->boolean_preference('IndependentBranches') && C4::Context->boolean_preference('Autolocation') ) {
+ my $branches = { map { $_->branchcode => $_->unblessed } Koha::Libraries->search };
+ if ( $type ne 'opac' and C4::Context->boolean_preference('AutoLocation') ) {
# we have to check they are coming from the right ip range
my $domain = $branches->{$branchcode}->{'branchip'};
+ $domain =~ s|\.\*||g;
if ( $ip !~ /^$domain/ ) {
$loggedin = 0;
+ $cookie = $query->cookie(
+ -name => 'CGISESSID',
+ -value => '',
+ -HttpOnly => 1
+ );
$info{'wrongip'} = 1;
}
}
- my @branchesloop;
foreach my $br ( keys %$branches ) {
# now we work with the treatment of ip
$session->param( 'emailaddress', $emailaddress );
$session->param( 'ip', $session->remote_addr() );
$session->param( 'lasttime', time() );
+ $session->param( 'interface', $type);
$session->param( 'shibboleth', $shibSuccess );
$debug and printf STDERR "AUTH_4: (%s)\t%s %s - %s\n", map { $session->param($_) } qw(cardnumber firstname surname branch);
}
- elsif ( $return == 2 ) {
-
- #We suppose the user is the superlibrarian
- $borrowernumber = 0;
- $session->param( 'number', 0 );
- $session->param( 'id', C4::Context->config('user') );
- $session->param( 'cardnumber', C4::Context->config('user') );
- $session->param( 'firstname', C4::Context->config('user') );
- $session->param( 'surname', C4::Context->config('user') );
- $session->param( 'branch', 'NO_LIBRARY_SET' );
- $session->param( 'branchname', 'NO_LIBRARY_SET' );
- $session->param( 'flags', 1 );
- $session->param( 'emailaddress', C4::Context->preference('KohaAdminEmailAddress') );
- $session->param( 'ip', $session->remote_addr() );
- $session->param( 'lasttime', time() );
- }
- if ($persona) {
- $session->param( 'persona', 1 );
- }
+ $session->param('cas_ticket', $cas_ticket) if $cas_ticket;
C4::Context->set_userenv(
$session->param('number'), $session->param('id'),
$session->param('cardnumber'), $session->param('firstname'),
$session->param('surname'), $session->param('branch'),
$session->param('branchname'), $session->param('flags'),
$session->param('emailaddress'), $session->param('branchprinter'),
- $session->param('persona'), $session->param('shibboleth')
+ $session->param('shibboleth')
);
}
$session->param( 'lasttime', time() );
$session->param( 'ip', $session->remote_addr() );
$session->param( 'sessiontype', 'anon' );
+ $session->param( 'interface', $type);
}
- } # END if ( $userid = $query->param('userid') )
+ } # END if ( $q_userid
elsif ( $type eq "opac" ) {
# if we are here this is an anonymous session; add public lists to it and a few other items...
$session->param( 'ip', $session->remote_addr() );
$session->param( 'lasttime', time() );
$session->param( 'sessiontype', 'anon' );
+ $session->param( 'interface', $type);
}
} # END unless ($userid)
-HttpOnly => 1
);
}
+
+ track_login_daily( $userid );
+
return ( $userid, $cookie, $sessionID, $flags );
}
my @inputs = ();
foreach my $name ( param $query) {
(next) if ( $name eq 'userid' || $name eq 'password' || $name eq 'ticket' );
- my $value = $query->param($name);
- push @inputs, { name => $name, value => $value };
+ my @value = $query->multi_param($name);
+ push @inputs, { name => $name, value => $_ } for @value;
}
+ my $patron = Koha::Patrons->find({ userid => $q_userid }); # Not necessary logged in!
+
my $LibraryNameTitle = C4::Context->preference("LibraryName");
$LibraryNameTitle =~ s/<(?:\/?)(?:br|p)\s*(?:\/?)>/ /sgi;
$LibraryNameTitle =~ s/<(?:[^<>'"]|'(?:[^']*)'|"(?:[^"]*)")*>//sg;
my $template_name = ( $type eq 'opac' ) ? 'opac-auth.tt' : 'auth.tt';
my $template = C4::Templates::gettemplate( $template_name, $type, $query );
$template->param(
- branchloop => GetBranchesLoop(),
OpacAdditionalStylesheet => C4::Context->preference("OpacAdditionalStylesheet"),
opaclayoutstylesheet => C4::Context->preference("opaclayoutstylesheet"),
login => 1,
INPUTS => \@inputs,
- script_name => _get_script_name(),
+ script_name => get_script_name(),
casAuthentication => C4::Context->preference("casAuthentication"),
shibbolethAuthentication => $shib,
SessionRestrictionByIP => C4::Context->preference("SessionRestrictionByIP"),
wrongip => $info{'wrongip'},
PatronSelfRegistration => C4::Context->preference("PatronSelfRegistration"),
PatronSelfRegistrationDefaultCategory => C4::Context->preference("PatronSelfRegistrationDefaultCategory"),
- persona => C4::Context->preference("Persona"),
opac_css_override => $ENV{'OPAC_CSS_OVERRIDE'},
+ too_many_login_attempts => ( $patron and $patron->account_locked )
);
$template->param( SCO_login => 1 ) if ( $query->param('sco_user_login') );
+ $template->param( SCI_login => 1 ) if ( $query->param('sci_user_login') );
$template->param( OpacPublic => C4::Context->preference("OpacPublic") );
$template->param( loginprompt => 1 ) unless $info{'nopermission'};
=cut
sub check_api_auth {
+
my $query = shift;
my $flagsrequired = shift;
-
my $dbh = C4::Context->dbh;
my $timeout = _timeout_syspref();
my $session = get_session($sessionID);
C4::Context->_new_userenv($sessionID);
if ($session) {
+ C4::Context->interface($session->param('interface'));
C4::Context->set_userenv(
$session->param('number'), $session->param('id'),
$session->param('cardnumber'), $session->param('firstname'),
# new login
my $userid = $query->param('userid');
my $password = $query->param('password');
- my ( $return, $cardnumber );
+ my ( $return, $cardnumber, $cas_ticket );
# Proxy CAS auth
if ( $cas && $query->param('PT') ) {
# In case of a CAS authentication, we use the ticket instead of the password
my $PT = $query->param('PT');
- ( $return, $cardnumber, $userid ) = check_api_auth_cas( $dbh, $PT, $query ); # EXTERNAL AUTH
+ ( $return, $cardnumber, $userid, $cas_ticket ) = check_api_auth_cas( $dbh, $PT, $query ); # EXTERNAL AUTH
} else {
# User / password auth
# caller did something wrong, fail the authenticateion
return ( "failed", undef, undef );
}
- ( $return, $cardnumber ) = checkpw( $dbh, $userid, $password, $query );
+ my $newuserid;
+ ( $return, $cardnumber, $newuserid, $cas_ticket ) = checkpw( $dbh, $userid, $password, $query );
}
if ( $return and haspermission( $userid, $flagsrequired ) ) {
# if they specify at login, use that
if ( $query->param('branch') ) {
$branchcode = $query->param('branch');
- $branchname = GetBranchName($branchcode);
+ my $library = Koha::Libraries->find($branchcode);
+ $branchname = $library? $library->branchname: '';
}
- my $branches = GetBranches();
- my @branchesloop;
+ my $branches = { map { $_->branchcode => $_->unblessed } Koha::Libraries->search };
foreach my $br ( keys %$branches ) {
# now we work with the treatment of ip
$session->param( 'emailaddress', $emailaddress );
$session->param( 'ip', $session->remote_addr() );
$session->param( 'lasttime', time() );
- } elsif ( $return == 2 ) {
-
- #We suppose the user is the superlibrarian
- $session->param( 'number', 0 );
- $session->param( 'id', C4::Context->config('user') );
- $session->param( 'cardnumber', C4::Context->config('user') );
- $session->param( 'firstname', C4::Context->config('user') );
- $session->param( 'surname', C4::Context->config('user') );
- $session->param( 'branch', 'NO_LIBRARY_SET' );
- $session->param( 'branchname', 'NO_LIBRARY_SET' );
- $session->param( 'flags', 1 );
- $session->param( 'emailaddress', C4::Context->preference('KohaAdminEmailAddress') );
- $session->param( 'ip', $session->remote_addr() );
- $session->param( 'lasttime', time() );
+ $session->param( 'interface', 'api' );
}
+ $session->param( 'cas_ticket', $cas_ticket);
C4::Context->set_userenv(
$session->param('number'), $session->param('id'),
$session->param('cardnumber'), $session->param('firstname'),
($status, $sessionId) = check_api_auth($cookie, $userflags);
Given a CGISESSID cookie set during a previous login to Koha, determine
-if the user has the privileges specified by C<$userflags>.
+if the user has the privileges specified by C<$userflags>. C<$userflags>
+is passed unaltered into C<haspermission> and as such accepts all options
+avaiable to that routine with the one caveat that C<check_api_auth> will
+also allow 'undef' to be passed and in such a case the permissions check
+will be skipped altogether.
C<check_cookie_auth> is meant for authenticating special services
such as tools/upload-file.pl that are invoked by other pages that
sub check_cookie_auth {
my $cookie = shift;
my $flagsrequired = shift;
+ my $params = shift;
+ my $remote_addr = $params->{remote_addr} || $ENV{REMOTE_ADDR};
my $dbh = C4::Context->dbh;
my $timeout = _timeout_syspref();
my $session = get_session($sessionID);
C4::Context->_new_userenv($sessionID);
if ($session) {
+ C4::Context->interface($session->param('interface'));
C4::Context->set_userenv(
$session->param('number'), $session->param('id'),
$session->param('cardnumber'), $session->param('firstname'),
$userid = undef;
$sessionID = undef;
return ("expired", undef);
- } elsif ( C4::Context->preference('SessionRestrictionByIP') && $ip ne $ENV{'REMOTE_ADDR'} ) {
+ } elsif ( C4::Context->preference('SessionRestrictionByIP') && $ip ne $remote_addr ) {
# IP address changed
$session->delete();
return ( "expired", undef );
} else {
$session->param( 'lasttime', time() );
- my $flags = haspermission( $userid, $flagsrequired );
+ my $flags = defined($flagsrequired) ? haspermission( $userid, $flagsrequired ) : 1;
if ($flags) {
return ( "ok", $sessionID );
} else {
=cut
-sub get_session {
- my $sessionID = shift;
+sub _get_session_params {
my $storage_method = C4::Context->preference('SessionStorage');
- my $dbh = C4::Context->dbh;
- my $session;
if ( $storage_method eq 'mysql' ) {
- $session = new CGI::Session( "driver:MySQL;serializer:yaml;id:md5", $sessionID, { Handle => $dbh } );
+ my $dbh = C4::Context->dbh;
+ return { dsn => "driver:MySQL;serializer:yaml;id:md5", dsn_args => { Handle => $dbh } };
}
elsif ( $storage_method eq 'Pg' ) {
- $session = new CGI::Session( "driver:PostgreSQL;serializer:yaml;id:md5", $sessionID, { Handle => $dbh } );
+ my $dbh = C4::Context->dbh;
+ return { dsn => "driver:PostgreSQL;serializer:yaml;id:md5", dsn_args => { Handle => $dbh } };
}
- elsif ( $storage_method eq 'memcached' && C4::Context->ismemcached ) {
- $session = new CGI::Session( "driver:memcached;serializer:yaml;id:md5", $sessionID, { Memcached => C4::Context->memcached } );
+ elsif ( $storage_method eq 'memcached' && Koha::Caches->get_instance->memcached_cache ) {
+ my $memcached = Koha::Caches->get_instance()->memcached_cache;
+ return { dsn => "driver:memcached;serializer:yaml;id:md5", dsn_args => { Memcached => $memcached } };
}
else {
# catch all defaults to tmp should work on all systems
- my $dir = File::Spec->tmpdir;
+ my $dir = C4::Context::temporary_directory;
my $instance = C4::Context->config( 'database' ); #actually for packages not exactly the instance name, but generally safer to leave it as it is
- $session = new CGI::Session( "driver:File;serializer:yaml;id:md5", $sessionID, { Directory => "$dir/cgisess_$instance" } );
+ return { dsn => "driver:File;serializer:yaml;id:md5", dsn_args => { Directory => "$dir/cgisess_$instance" } };
}
- return $session;
}
+sub get_session {
+ my $sessionID = shift;
+ my $params = _get_session_params();
+ return new CGI::Session( $params->{dsn}, $sessionID, $params->{dsn_args} );
+}
+
+
+# FIXME no_set_userenv may be replaced with force_branchcode_for_userenv
+# (or something similar)
+# Currently it's only passed from C4::SIP::ILS::Patron::check_password, but
+# not having a userenv defined could cause a crash.
sub checkpw {
my ( $dbh, $userid, $password, $query, $type, $no_set_userenv ) = @_;
$type = 'opac' unless $type;
- if ($ldap) {
+
+ # Get shibboleth login attribute
+ my $shib = C4::Context->config('useshibboleth') && shib_ok();
+ my $shib_login = $shib ? get_login_shib() : undef;
+
+ my @return;
+ my $patron = Koha::Patrons->find({ userid => $userid });
+ my $check_internal_as_fallback = 0;
+ my $passwd_ok = 0;
+ # Note: checkpw_* routines returns:
+ # 1 if auth is ok
+ # 0 if auth is nok
+ # -1 if user bind failed (LDAP only)
+
+ if ( $patron and $patron->account_locked ) {
+ # Nothing to check, account is locked
+ } elsif ($ldap && defined($password)) {
$debug and print STDERR "## checkpw - checking LDAP\n";
my ( $retval, $retcard, $retuserid ) = checkpw_ldap(@_); # EXTERNAL AUTH
- return 0 if $retval == -1; # Incorrect password for LDAP login attempt
- ($retval) and return ( $retval, $retcard, $retuserid );
- }
+ if ( $retval == 1 ) {
+ @return = ( $retval, $retcard, $retuserid );
+ $passwd_ok = 1;
+ }
+ $check_internal_as_fallback = 1 if $retval == 0;
- if ( $cas && $query && $query->param('ticket') ) {
+ } elsif ( $cas && $query && $query->param('ticket') ) {
$debug and print STDERR "## checkpw - checking CAS\n";
# In case of a CAS authentication, we use the ticket instead of the password
my $ticket = $query->param('ticket');
$query->delete('ticket'); # remove ticket to come back to original URL
- my ( $retval, $retcard, $retuserid ) = checkpw_cas( $dbh, $ticket, $query, $type ); # EXTERNAL AUTH
- ($retval) and return ( $retval, $retcard, $retuserid );
- return 0;
+ my ( $retval, $retcard, $retuserid, $cas_ticket ) = checkpw_cas( $dbh, $ticket, $query, $type ); # EXTERNAL AUTH
+ if ( $retval ) {
+ @return = ( $retval, $retcard, $retuserid, $cas_ticket );
+ } else {
+ @return = (0);
+ }
+ $passwd_ok = $retval;
}
# If we are in a shibboleth session (shibboleth is enabled, and a shibboleth match attribute is present)
# Check for password to asertain whether we want to be testing against shibboleth or another method this
# time around.
- if ( $shib && $shib_login && !$password ) {
+ elsif ( $shib && $shib_login && !$password ) {
$debug and print STDERR "## checkpw - checking Shibboleth\n";
# Then, we check if it matches a valid koha user
if ($shib_login) {
my ( $retval, $retcard, $retuserid ) = C4::Auth_with_shibboleth::checkpw_shib($shib_login); # EXTERNAL AUTH
- ($retval) and return ( $retval, $retcard, $retuserid );
- return 0;
+ if ( $retval ) {
+ @return = ( $retval, $retcard, $retuserid );
+ }
+ $passwd_ok = $retval;
}
+ } else {
+ $check_internal_as_fallback = 1;
}
# INTERNAL AUTH
- return checkpw_internal( $dbh, $userid, $password, $no_set_userenv);
+ if ( $check_internal_as_fallback ) {
+ @return = checkpw_internal( $dbh, $userid, $password, $no_set_userenv);
+ $passwd_ok = 1 if $return[0] > 0; # 1 or 2
+ }
+
+ if( $patron ) {
+ if ( $passwd_ok ) {
+ $patron->update({ login_attempts => 0 });
+ } elsif( !$patron->account_locked ) {
+ $patron->update({ login_attempts => $patron->login_attempts + 1 });
+ }
+ }
+ return @return;
}
sub checkpw_internal {
$password = Encode::encode( 'UTF-8', $password )
if Encode::is_utf8($password);
- if ( $userid && $userid eq C4::Context->config('user') ) {
- if ( $password && $password eq C4::Context->config('pass') ) {
-
- # Koha superuser account
- # C4::Context->set_userenv(0,0,C4::Context->config('user'),C4::Context->config('user'),C4::Context->config('user'),"",1);
- return 2;
- }
- else {
- return 0;
- }
- }
-
my $sth =
$dbh->prepare(
"select password,cardnumber,borrowernumber,userid,firstname,surname,borrowers.branchcode,branches.branchname,flags from borrowers join branches on borrowers.branchcode=branches.branchcode where userid=?"
return 1, $cardnumber, $userid;
}
}
- if ( $userid && $userid eq 'demo'
- && "$password" eq 'demo'
- && C4::Context->config('demo') )
- {
-
- # DEMO => the demo user is allowed to do everything (if demo set to 1 in koha.conf
- # some features won't be effective : modify systempref, modify MARC structure,
- return 2;
- }
return 0;
}
=head2 haspermission
+ $flagsrequired = '*'; # Any permission at all
+ $flagsrequired = 'a_flag'; # a_flag must be satisfied (all subpermissions)
+ $flagsrequired = [ 'a_flag', 'b_flag' ]; # a_flag OR b_flag must be satisfied
+ $flagsrequired = { 'a_flag => 1, 'b_flag' => 1 }; # a_flag AND b_flag must be satisfied
+ $flagsrequired = { 'a_flag' => 'sub_a' }; # sub_a of a_flag must be satisfied
+ $flagsrequired = { 'a_flag' => [ 'sub_a, 'sub_b' ] }; # sub_a OR sub_b of a_flag must be satisfied
+
$flags = ($userid, $flagsrequired);
C<$userid> the userid of the member
-C<$flags> is a hashref of required flags like C<$borrower-<{authflags}>
+C<$flags> is a query structure similar to that used by SQL::Abstract that
+denotes the combination of flags required. It is a required parameter.
+
+The main logic of this method is that things in arrays are OR'ed, and things
+in hashes are AND'ed. The `*` character can be used, at any depth, to denote `ANY`
Returns member's flags or 0 if a permission is not met.
=cut
+sub _dispatch {
+ my ($required, $flags) = @_;
+
+ my $ref = ref($required);
+ if ($ref eq '') {
+ if ($required eq '*') {
+ return 0 unless ( $flags or ref( $flags ) );
+ } else {
+ return 0 unless ( $flags and (!ref( $flags ) || $flags->{$required} ));
+ }
+ } elsif ($ref eq 'HASH') {
+ foreach my $key (keys %{$required}) {
+ my $require = $required->{$key};
+ my $rflags = $flags->{$key};
+ return 0 unless _dispatch($require, $rflags);
+ }
+ } elsif ($ref eq 'ARRAY') {
+ my $satisfied = 0;
+ foreach my $require ( @{$required} ) {
+ my $rflags =
+ ( ref($flags) && !ref($require) && ( $require ne '*' ) )
+ ? $flags->{$require}
+ : $flags;
+ $satisfied++ if _dispatch( $require, $rflags );
+ }
+ return 0 unless $satisfied;
+ } else {
+ croak "Unexpected structure found: $ref";
+ }
+
+ return $flags;
+};
+
sub haspermission {
my ( $userid, $flagsrequired ) = @_;
+
+
+ #Koha::Exceptions::WrongParameter->throw('$flagsrequired should not be undef')
+ # unless defined($flagsrequired);
+
my $sth = C4::Context->dbh->prepare("SELECT flags FROM borrowers WHERE userid=?");
$sth->execute($userid);
my $row = $sth->fetchrow();
my $flags = getuserflags( $row, $userid );
- if ( $userid eq C4::Context->config('user') ) {
-
- # Super User Account from /etc/koha.conf
- $flags->{'superlibrarian'} = 1;
- }
- elsif ( $userid eq 'demo' && C4::Context->config('demo') ) {
-
- # Demo user that can do "anything" (demo=1 in /etc/koha.conf)
- $flags->{'superlibrarian'} = 1;
- }
+ return $flags unless defined($flagsrequired);
return $flags if $flags->{superlibrarian};
-
- foreach my $module ( keys %$flagsrequired ) {
- my $subperm = $flagsrequired->{$module};
- if ( $subperm eq '*' ) {
- return 0 unless ( $flags->{$module} == 1 or ref( $flags->{$module} ) );
- } else {
- return 0 unless (
- ( defined $flags->{$module} and
- $flags->{$module} == 1 )
- or
- ( ref( $flags->{$module} ) and
- exists $flags->{$module}->{$subperm} and
- $flags->{$module}->{$subperm} == 1 )
- );
- }
- }
- return $flags;
+ return _dispatch($flagsrequired, $flags);
#FIXME - This fcn should return the failed permission so a suitable error msg can be delivered.
}
return 0;
}
-=head2 _get_script_name
+=head2 track_login_daily
+
+ track_login_daily( $userid );
-This returns the correct script name, for use in redirecting back to the correct page after showing
-the login screen. It depends on details of the package Plack configuration, and should not be used
-outside this context.
+Wraps the call to $patron->track_login, the method used to update borrowers.lastseen. We only call track_login once a day.
=cut
-sub _get_script_name {
- # This is the method about.pl uses to detect Plack; now that two places use it, it MUST be
- # right.
- if ( ( any { /(^psgi\.|^plack\.)/i } keys %ENV ) && $ENV{SCRIPT_NAME} =~ m,^/(intranet|opac)(.*), ) {
- return '/cgi-bin/koha' . $2;
- } else {
- return $ENV{SCRIPT_NAME};
- }
+sub track_login_daily {
+ my $userid = shift;
+ return if !$userid || !C4::Context->preference('TrackLastPatronActivity');
+
+ my $cache = Koha::Caches->get_instance();
+ my $cache_key = "track_login_" . $userid;
+ my $cached = $cache->get_from_cache($cache_key);
+ my $today = dt_from_string()->ymd;
+ return if $cached && $cached eq $today;
+
+ my $patron = Koha::Patrons->find({ userid => $userid });
+ return unless $patron;
+ $patron->track_login;
+ $cache->set_in_cache( $cache_key, $today );
}
END { } # module clean-up code here (global destructor)
projects / koha-equinox.git / blobdiff