Changes to installed indexing.

[koha.git] / C4 / Auth.pm
diff --git a/C4/Auth.pm b/C4/Auth.pm

old mode 100755 (executable)

new mode 100644 (file)

index 279d790..7a5f6a3
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -31,7 +31,7 @@ use C4::Output;    # to get the template
  use C4::Members;
  use C4::Koha;
  use C4::Branch; # GetBranches
  use C4::Members;
  use C4::Koha;
  use C4::Branch; # GetBranches
-use C4::VirtualShelves 3.02 qw(GetShelvesSummary);
+use C4::VirtualShelves;
  
  # use utf8;
  use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap);
  
  # use utf8;
  use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap);
@@ -41,7 +41,8 @@ BEGIN {
      $debug = $ENV{DEBUG} || 0 ;
      @ISA   = qw(Exporter);
      @EXPORT    = qw(&checkauth &get_template_and_user);
      $debug = $ENV{DEBUG} || 0 ;
      @ISA   = qw(Exporter);
      @EXPORT    = qw(&checkauth &get_template_and_user);
-    @EXPORT_OK = qw(&check_api_auth &get_session &check_cookie_auth &checkpw);
+    @EXPORT_OK = qw(&check_api_auth &get_session &check_cookie_auth &checkpw &get_all_subpermissions &get_user_subpermissions);
+    %EXPORT_TAGS = (EditPermissions => [qw(get_all_subpermissions get_user_subpermissions)]);
      $ldap = C4::Context->config('useldapserver') || 0;
      if ($ldap) {
          require C4::Auth_with_ldap;             # no import
      $ldap = C4::Context->config('useldapserver') || 0;
      if ($ldap) {
          require C4::Auth_with_ldap;             # no import
@@ -57,6 +58,7 @@ C4::Auth - Authenticates Koha users
  
    use CGI;
    use C4::Auth;
  
    use CGI;
    use C4::Auth;
+  use C4::Output;
  
    my $query = new CGI;
  
  
    my $query = new CGI;
  
@@ -67,15 +69,11 @@ C4::Auth - Authenticates Koha users
              query           => $query,
        type            => "opac",
        authnotrequired => 1,
              query           => $query,
        type            => "opac",
        authnotrequired => 1,
-      flagsrequired   => {borrow => 1},
+      flagsrequired   => {borrow => 1, catalogue => '*', tools => 'import_patrons' },
    }
      );
  
    }
      );
  
-  print $query->header(
-    -type => 'utf-8',
-    -cookie => $cookie
-  ), $template->output;
-
+  output_html_with_http_headers $query, $cookie, $template->output;
  
  =head1 DESCRIPTION
  
  
  =head1 DESCRIPTION
  
@@ -97,7 +95,7 @@ C4::Auth - Authenticates Koha users
              query           => $query,
              type            => "opac",
              authnotrequired => 1,
              query           => $query,
              type            => "opac",
              authnotrequired => 1,
-            flagsrequired   => {borrow => 1},
+            flagsrequired   => {borrow => 1, catalogue => '*', tools => 'import_patrons' },
            }
          );
  
            }
          );
  
@@ -146,18 +144,28 @@ sub get_template_and_user {
          # user info
          $template->param( loggedinusername => $user );
          $template->param( sessionID        => $sessionID );
          # user info
          $template->param( loggedinusername => $user );
          $template->param( sessionID        => $sessionID );
-               my $shelves;
-               if ($shelves = C4::Context->get_shelves_userenv()) {
-               $template->param( barshelves     => scalar (@$shelves));
-               $template->param( barshelvesloop => $shelves);
+
+               my ($total, $pubshelves, $barshelves) = C4::Context->get_shelves_userenv();
+               if (defined($pubshelves)) {
+               $template->param(       pubshelves      => scalar (@$pubshelves),
+                                                       pubshelvesloop  => $pubshelves,
+                                                       );
+                       $template->param(       pubtotal                => $total->{'pubtotal'}, ) if ($total->{'pubtotal'} > scalar (@$pubshelves));
+               }
+               if (defined($barshelves)) {
+               $template->param(       barshelves      => scalar (@$barshelves),
+                                                       barshelvesloop  => $barshelves,
+                                                       );
+                       $template->param(       bartotal                => $total->{'bartotal'}, ) if ($total->{'bartotal'} > scalar (@$barshelves));
                 }
  
          $borrowernumber = getborrowernumber($user);
                 }
  
          $borrowernumber = getborrowernumber($user);
-        my ( $borr, $alternativeflags ) =
-          GetMemberDetails( $borrowernumber );
+        my ( $borr ) = GetMemberDetails( $borrowernumber );
          my @bordat;
          $bordat[0] = $borr;
          $template->param( "USER_INFO" => \@bordat );
          my @bordat;
          $bordat[0] = $borr;
          $template->param( "USER_INFO" => \@bordat );
+        
+        my $all_perms = get_all_subpermissions();
  
          my @flagroots = qw(circulate catalogue parameters borrowers permissions reserveforothers borrow
                              editcatalogue updatecharges management tools editauthorities serials reports);
  
          my @flagroots = qw(circulate catalogue parameters borrowers permissions reserveforothers borrow
                              editcatalogue updatecharges management tools editauthorities serials reports);
@@ -169,7 +177,7 @@ sub get_template_and_user {
              $template->param( CAN_user_catalogue        => 1 );
              $template->param( CAN_user_parameters       => 1 );
              $template->param( CAN_user_borrowers        => 1 );
              $template->param( CAN_user_catalogue        => 1 );
              $template->param( CAN_user_parameters       => 1 );
              $template->param( CAN_user_borrowers        => 1 );
-            $template->param( CAN_user_permission       => 1 );
+            $template->param( CAN_user_permissions      => 1 );
              $template->param( CAN_user_reserveforothers => 1 );
              $template->param( CAN_user_borrow           => 1 );
              $template->param( CAN_user_editcatalogue    => 1 );
              $template->param( CAN_user_reserveforothers => 1 );
              $template->param( CAN_user_borrow           => 1 );
              $template->param( CAN_user_editcatalogue    => 1 );
@@ -181,100 +189,111 @@ sub get_template_and_user {
              $template->param( CAN_user_serials          => 1 );
              $template->param( CAN_user_reports          => 1 );
              $template->param( CAN_user_staffaccess      => 1 );
              $template->param( CAN_user_serials          => 1 );
              $template->param( CAN_user_reports          => 1 );
              $template->param( CAN_user_staffaccess      => 1 );
+            foreach my $module (keys %$all_perms) {
+                foreach my $subperm (keys %{ $all_perms->{$module} }) {
+                    $template->param( "CAN_user_${module}_${subperm}" => 1 );
+                }
+            }
          }
  
          }
  
-        if ( $flags && $flags->{circulate} == 1 ) {
-            $template->param( CAN_user_circulate => 1 );
-        }
-
-        if ( $flags && $flags->{catalogue} == 1 ) {
-            $template->param( CAN_user_catalogue => 1 );
-        }
-
-        if ( $flags && $flags->{parameters} == 1 ) {
-            $template->param( CAN_user_parameters => 1 );
-            $template->param( CAN_user_management => 1 );
-        }
-
-        if ( $flags && $flags->{borrowers} == 1 ) {
-            $template->param( CAN_user_borrowers => 1 );
-        }
-
-        if ( $flags && $flags->{permissions} == 1 ) {
-            $template->param( CAN_user_permission => 1 );
+        if (C4::Context->preference('GranularPermissions')) {
+            if ( $flags ) {
+                foreach my $module (keys %$all_perms) {
+                    if ( $flags->{$module} == 1) {
+                        foreach my $subperm (keys %{ $all_perms->{$module} }) {
+                            $template->param( "CAN_user_${module}_${subperm}" => 1 );
+                        }
+                    } elsif ( ref($flags->{$module}) ) {
+                        foreach my $subperm (keys %{ $flags->{$module} } ) {
+                            $template->param( "CAN_user_${module}_${subperm}" => 1 );
+                        }
+                    }
+                }
+            }
+        } else {
+            foreach my $module (keys %$all_perms) {
+                foreach my $subperm (keys %{ $all_perms->{$module} }) {
+                    $template->param( "CAN_user_${module}_${subperm}" => 1 );
+                }
+            }
          }
  
          }
  
-        if ( $flags && $flags->{reserveforothers} == 1 ) {
-            $template->param( CAN_user_reserveforothers => 1 );
+        if ($flags) {
+            foreach my $module (keys %$flags) {
+                if ( $flags->{$module} == 1 or ref($flags->{$module}) ) {
+                    $template->param( "CAN_user_$module" => 1 );
+                    if ($module eq "parameters") {
+                        $template->param( CAN_user_management => 1 );
+                    }
+                }
+            }
          }
          }
+    }
+       else {  # if this is an anonymous session, setup to display public lists...
  
  
-        if ( $flags && $flags->{borrow} == 1 ) {
-            $template->param( CAN_user_borrow => 1 );
-        }
+        # load the template variables for stylesheets and JavaScript
+        $template->param( css_libs => $in->{'css_libs'} );
+        $template->param( css_module => $in->{'css_module'} );
+        $template->param( css_page => $in->{'css_page'} );
+        $template->param( css_widgets => $in->{'css_widgets'} );
  
  
-        if ( $flags && $flags->{editcatalogue} == 1 ) {
-            $template->param( CAN_user_editcatalogue => 1 );
-        }
+        $template->param( js_libs => $in->{'js_libs'} );
+        $template->param( js_module => $in->{'js_module'} );
+        $template->param( js_page => $in->{'js_page'} );
+        $template->param( js_widgets => $in->{'js_widgets'} );
  
  
-        if ( $flags && $flags->{updatecharges} == 1 ) {
-            $template->param( CAN_user_updatecharges => 1 );
-        }
+        $template->param( sessionID        => $sessionID );
+               
+               my ($total, $pubshelves) = C4::Context->get_shelves_userenv();  # an anonymous user has no 'barshelves'...
+               if (defined(($pubshelves))) {
+               $template->param(       pubshelves      => scalar (@$pubshelves),
+                                                       pubshelvesloop  => $pubshelves,
+                                                       );
+                       $template->param(       pubtotal                => $total->{'pubtotal'}, ) if ($total->{'pubtotal'} > scalar (@$pubshelves));
+               }
  
  
-        if ( $flags && $flags->{acquisition} == 1 ) {
-            $template->param( CAN_user_acquisition => 1 );
-        }
+       }
  
  
-        if ( $flags && $flags->{tools} == 1 ) {
-            $template->param( CAN_user_tools => 1 );
-        }
-  
-        if ( $flags && $flags->{editauthorities} == 1 ) {
-            $template->param( CAN_user_editauthorities => 1 );
-        }
-    
-        if ( $flags && $flags->{serials} == 1 ) {
-            $template->param( CAN_user_serials => 1 );
-        }
+    # these template parameters are set the same regardless of $in->{'type'}
+    $template->param(
+            "BiblioDefaultView".C4::Context->preference("BiblioDefaultView")         => 1,
+            EnhancedMessagingPreferences => C4::Context->preference('EnhancedMessagingPreferences'),
+            GoogleJackets                => C4::Context->preference("GoogleJackets"),
+            KohaAdminEmailAddress        => "" . C4::Context->preference("KohaAdminEmailAddress"),
+            LoginBranchcode              => (C4::Context->userenv?C4::Context->userenv->{"branch"}:"insecure"),
+            LoginFirstname               => (C4::Context->userenv?C4::Context->userenv->{"firstname"}:"Bel"),
+            LoginSurname                 => C4::Context->userenv?C4::Context->userenv->{"surname"}:"Inconnu",
+            TagsEnabled                  => C4::Context->preference("TagsEnabled"),
+            hide_marc                    => C4::Context->preference("hide_marc"),
+            dateformat                   => C4::Context->preference("dateformat"),
+            'item-level_itypes'          => C4::Context->preference('item-level_itypes'),
+            patronimages                 => C4::Context->preference("patronimages"),
+            singleBranchMode             => C4::Context->preference("singleBranchMode"),
+                 );
  
  
-        if ( $flags && $flags->{reports} == 1 ) {
-            $template->param( CAN_user_reports => 1 );
-        }
-        if ( $flags && $flags->{staffaccess} == 1 ) {
-            $template->param( CAN_user_staffaccess => 1 );
-        }
-    }
      if ( $in->{'type'} eq "intranet" ) {
          $template->param(
      if ( $in->{'type'} eq "intranet" ) {
          $template->param(
-            intranetcolorstylesheet => C4::Context->preference("intranetcolorstylesheet"),
-            intranetstylesheet => C4::Context->preference("intranetstylesheet"),
-            IntranetNav        => C4::Context->preference("IntranetNav"),
-            intranetuserjs     => C4::Context->preference("intranetuserjs"),
-            TemplateEncoding   => C4::Context->preference("TemplateEncoding"),
-            AmazonContent      => C4::Context->preference("AmazonContent"),
-            LibraryName        => C4::Context->preference("LibraryName"),
-            LoginBranchcode    => (C4::Context->userenv?C4::Context->userenv->{"branch"}:"insecure"),
-            LoginBranchname    => (C4::Context->userenv?C4::Context->userenv->{"branchname"}:"insecure"),
-            LoginFirstname     => (C4::Context->userenv?C4::Context->userenv->{"firstname"}:"Bel"),
-            LoginSurname       => C4::Context->userenv?C4::Context->userenv->{"surname"}:"Inconnu", 
-            AutoLocation       => C4::Context->preference("AutoLocation"),
-            hide_marc          => C4::Context->preference("hide_marc"),
-            patronimages       => C4::Context->preference("patronimages"),
+            AmazonContent               => C4::Context->preference("AmazonContent"),
+            AmazonSimilarItems          => C4::Context->preference("AmazonSimilarItems"),
+            AutoLocation                => C4::Context->preference("AutoLocation"),
              "BiblioDefaultView".C4::Context->preference("IntranetBiblioDefaultView") => 1,
              "BiblioDefaultView".C4::Context->preference("IntranetBiblioDefaultView") => 1,
-            advancedMARCEditor      => C4::Context->preference("advancedMARCEditor"),
-            suggestion              => C4::Context->preference("suggestion"),
-            virtualshelves          => C4::Context->preference("virtualshelves"),
-            LibraryName             => C4::Context->preference("LibraryName"),
-            KohaAdminEmailAddress   => "" . C4::Context->preference("KohaAdminEmailAddress"),
-            IntranetmainUserblock   => C4::Context->preference("IntranetmainUserblock"),
-            IndependantBranches     => C4::Context->preference("IndependantBranches"),
-                       CircAutocompl => C4::Context->preference("CircAutocompl"),
-                       yuipath => C4::Context->preference("yuipath"),
-                       FRBRizeEditions => C4::Context->preference("FRBRizeEditions"),
-                       AmazonSimilarItems => C4::Context->preference("AmazonSimilarItems"),
-                       'item-level_itypes' => C4::Context->preference('item-level_itypes'),
-                       canreservefromotherbranches => C4::Context->preference('canreservefromotherbranches'),
-                       intranetreadinghistory => C4::Context->preference("intranetreadinghistory"),
-                       noItemTypeImages => C4::Context->preference("noItemTypeImages"),
+            CircAutocompl               => C4::Context->preference("CircAutocompl"),
+            FRBRizeEditions             => C4::Context->preference("FRBRizeEditions"),
+            IndependantBranches         => C4::Context->preference("IndependantBranches"),
+            IntranetNav                 => C4::Context->preference("IntranetNav"),
+            IntranetmainUserblock       => C4::Context->preference("IntranetmainUserblock"),
+            LibraryName                 => C4::Context->preference("LibraryName"),
+            LoginBranchname             => (C4::Context->userenv?C4::Context->userenv->{"branchname"}:"insecure"),
+            TemplateEncoding            => C4::Context->preference("TemplateEncoding"),
+            advancedMARCEditor          => C4::Context->preference("advancedMARCEditor"),
+            canreservefromotherbranches => C4::Context->preference('canreservefromotherbranches'),
+            intranetcolorstylesheet     => C4::Context->preference("intranetcolorstylesheet"),
+            intranetreadinghistory      => C4::Context->preference("intranetreadinghistory"),
+            intranetstylesheet          => C4::Context->preference("intranetstylesheet"),
+            intranetuserjs              => C4::Context->preference("intranetuserjs"),
+            noItemTypeImages            => C4::Context->preference("noItemTypeImages"),
+            suggestion                  => C4::Context->preference("suggestion"),
+            virtualshelves              => C4::Context->preference("virtualshelves"),
          );
      }
      else {
          );
      }
      else {
@@ -282,53 +301,52 @@ sub get_template_and_user {
          my $LibraryNameTitle = C4::Context->preference("LibraryName");
          $LibraryNameTitle =~ s/<(?:\/?)(?:br|p)\s*(?:\/?)>/ /sgi;
          $LibraryNameTitle =~ s/<(?:[^<>'"]|'(?:[^']*)'|"(?:[^"]*)")*>//sg;
          my $LibraryNameTitle = C4::Context->preference("LibraryName");
          $LibraryNameTitle =~ s/<(?:\/?)(?:br|p)\s*(?:\/?)>/ /sgi;
          $LibraryNameTitle =~ s/<(?:[^<>'"]|'(?:[^']*)'|"(?:[^"]*)")*>//sg;
-  $template->param(
-            KohaAdminEmailAddress  => "" . C4::Context->preference("KohaAdminEmailAddress"),
-            AnonSuggestions =>  "" . C4::Context->preference("AnonSuggestions"),
-            suggestion             => "" . C4::Context->preference("suggestion"),
-            virtualshelves         => "" . C4::Context->preference("virtualshelves"),
-            OpacNav                => "" . C4::Context->preference("OpacNav"),
-            opacheader             => "" . C4::Context->preference("opacheader"),
-            opaccredits            => "" . C4::Context->preference("opaccredits"),
-            opacsmallimage         => "" . C4::Context->preference("opacsmallimage"),
-            opaclargeimage         => "" . C4::Context->preference("opaclargeimage"),
-            opaclayoutstylesheet   => "". C4::Context->preference("opaclayoutstylesheet"),
-            opaccolorstylesheet    => "". C4::Context->preference("opaccolorstylesheet"),
-            opaclanguagesdisplay   => "". C4::Context->preference("opaclanguagesdisplay"),
-            opacuserlogin          => "" . C4::Context->preference("opacuserlogin"),
-                       OpacMainUserBlock =>  "" . C4::Context->preference("OpacMainUserBlock"),
-            opacbookbag            => "" . C4::Context->preference("opacbookbag"),
-            TemplateEncoding       => "". C4::Context->preference("TemplateEncoding"),
-            AmazonContent          => "" . C4::Context->preference("AmazonContent"),
-            OPACShelfBrowser       => "". C4::Context->preference("OPACShelfBrowser"),
-            OPACAmazonSimilarItems => "" . C4::Context->preference("OPACAmazonSimilarItems"),
-            LibraryName            => "" . C4::Context->preference("LibraryName"),
-            LibraryNameTitle       => "" . $LibraryNameTitle,
-            LoginBranchcode        => (C4::Context->userenv?C4::Context->userenv->{"branch"}:"insecure"),
-            LoginBranchname        => C4::Context->userenv?C4::Context->userenv->{"branchname"}:"", 
-            LoginFirstname        => (C4::Context->userenv?C4::Context->userenv->{"firstname"}:"Bel"),
-            LoginSurname        => C4::Context->userenv?C4::Context->userenv->{"surname"}:"Inconnu", 
-            OpacPasswordChange     => C4::Context->preference("OpacPasswordChange"),
-            opacreadinghistory     => C4::Context->preference("opacreadinghistory"),
-            opacuserjs             => C4::Context->preference("opacuserjs"),
-            OpacCloud              => C4::Context->preference("OpacCloud"),
-            OpacTopissue           => C4::Context->preference("OpacTopissue"),
-            OpacAuthorities        => C4::Context->preference("OpacAuthorities"),
-            OpacBrowser            => C4::Context->preference("OpacBrowser"),
-            RequestOnOpac          => C4::Context->preference("RequestOnOpac"),
-            reviewson              => C4::Context->preference("reviewson"),
-            hide_marc              => C4::Context->preference("hide_marc"),
-            patronimages           => C4::Context->preference("patronimages"),
-            hidelostitems          => C4::Context->preference("hidelostitems"),
-            mylibraryfirst   => C4::Context->preference("SearchMyLibraryFirst"),
-            "BiblioDefaultView".C4::Context->preference("BiblioDefaultView") => 1,
-            OPACFRBRizeEditions => C4::Context->preference("OPACFRBRizeEditions"),
-            'item-level_itypes' => C4::Context->preference('item-level_itypes'),
-            'Version' => C4::Context->preference('Version'),
-                       yuipath => C4::Context->preference("yuipath"),
+        $template->param(
+            OPACAmazonContent             => "" . C4::Context->preference("OPACAmazonContent"),
+            AnonSuggestions           => "" . C4::Context->preference("AnonSuggestions"),
+            AuthorisedValueImages     => C4::Context->preference("AuthorisedValueImages"),
+            LibraryName               => "" . C4::Context->preference("LibraryName"),
+            LibraryNameTitle          => "" . $LibraryNameTitle,
+            LoginBranchname           => C4::Context->userenv?C4::Context->userenv->{"branchname"}:"",
+            OPACAmazonSimilarItems    => "" . C4::Context->preference("OPACAmazonSimilarItems"),
+            OPACFRBRizeEditions       => C4::Context->preference("OPACFRBRizeEditions"),
+            OPACItemHolds             => C4::Context->preference("OPACItemHolds"),
+            OPACShelfBrowser          => "". C4::Context->preference("OPACShelfBrowser"),
+            OPACURLOpenInNewWindow    => "" . C4::Context->preference("OPACURLOpenInNewWindow"),
+            OPACUserCSS               => "". C4::Context->preference("OPACUserCSS"),
+            OPACViewOthersSuggestions => "" . C4::Context->preference("OPACViewOthersSuggestions"),
+            OpacAuthorities           => C4::Context->preference("OpacAuthorities"),
+            OPACBaseURL               => ($in->{'query'}->https() ? "https://" : "http://") .
+                   $ENV{'SERVER_NAME'} .
+                   ($ENV{'SERVER_PORT'} eq ($in->{'query'}->https() ? "443" : "80") ? '' : ":$ENV{'SERVER_PORT'}"),
+            OpacBrowser               => C4::Context->preference("OpacBrowser"),
+            OpacCloud                 => C4::Context->preference("OpacCloud"),
+            OpacMainUserBlock         => "" . C4::Context->preference("OpacMainUserBlock"),
+            OpacNav                   => "" . C4::Context->preference("OpacNav"),
+            OpacPasswordChange        => C4::Context->preference("OpacPasswordChange"),
+            OpacTopissue              => C4::Context->preference("OpacTopissue"),
+            RequestOnOpac             => C4::Context->preference("RequestOnOpac"),
+            TemplateEncoding          => "". C4::Context->preference("TemplateEncoding"),
+            'Version'                 => C4::Context->preference('Version'),
+            XSLTDetailsDisplay        => C4::Context->preference("XSLTDetailsDisplay"),
+            XSLTResultsDisplay        => C4::Context->preference("XSLTResultsDisplay"),
+            hidelostitems             => C4::Context->preference("hidelostitems"),
+            mylibraryfirst            => C4::Context->preference("SearchMyLibraryFirst"),
+            opacbookbag               => "" . C4::Context->preference("opacbookbag"),
+            opaccolorstylesheet       => "". C4::Context->preference("opaccolorstylesheet"),
+            opaccredits               => "" . C4::Context->preference("opaccredits"),
+            opacheader                => "" . C4::Context->preference("opacheader"),
+            opaclanguagesdisplay      => "". C4::Context->preference("opaclanguagesdisplay"),
+            opaclayoutstylesheet      => "". C4::Context->preference("opaclayoutstylesheet"),
+            opacreadinghistory        => C4::Context->preference("opacreadinghistory"),
+            opacsmallimage            => "" . C4::Context->preference("opacsmallimage"),
+            opacuserjs                => C4::Context->preference("opacuserjs"),
+            opacuserlogin             => "" . C4::Context->preference("opacuserlogin"),
+            reviewson                 => C4::Context->preference("reviewson"),
+            suggestion                => "" . C4::Context->preference("suggestion"),
+            virtualshelves            => "" . C4::Context->preference("virtualshelves"),
          );
      }
          );
      }
-       $template->param(listloop=>[{shelfname=>"Freelist", shelfnumber=>110}]);
      return ( $template, $borrowernumber, $cookie, $flags);
  }
  
      return ( $template, $borrowernumber, $cookie, $flags);
  }
  
@@ -338,8 +356,8 @@ sub get_template_and_user {
  
  Verifies that the user is authorized to run this script.  If
  the user is authorized, a (userid, cookie, session-id, flags)
  
  Verifies that the user is authorized to run this script.  If
  the user is authorized, a (userid, cookie, session-id, flags)
-quadruple is returned.  If the user is not authorized but does
-not have the required privilege (see $flagsrequired below), it
+quadruple is returned.  If the user is not authorized due to
+insufficent privileges (see $flagsrequired below), it
  displays an error page and exits.  Otherwise, it displays the
  login page and exits.
  
  displays an error page and exits.  Otherwise, it displays the
  login page and exits.
  
@@ -367,6 +385,25 @@ that the user must have the "circulate" privilege in order to
  proceed. To make sure that access control is correct, the
  C<$flagsrequired> parameter must be specified correctly.
  
  proceed. To make sure that access control is correct, the
  C<$flagsrequired> parameter must be specified correctly.
  
+If the GranularPermissions system preference is ON, the
+value of each key in the C<flagsrequired> hash takes on an additional
+meaning, e.g.,
+
+=item 1
+
+The user must have access to all subfunctions of the module
+specified by the hash key.
+
+=item *
+
+The user must have access to at least one subfunction of the module
+specified by the hash key.
+
+=item specific permission, e.g., 'export_catalog'
+
+The user must have access to the specific subfunction list, which
+must correspond to a row in the permissions table.
+
  The C<$type> argument specifies whether the template should be
  retrieved from the opac or intranet directory tree.  "opac" is
  assumed if it is not specified; however, if C<$type> is specified,
  The C<$type> argument specifies whether the template should be
  retrieved from the opac or intranet directory tree.  "opac" is
  assumed if it is not specified; however, if C<$type> is specified,
@@ -396,7 +433,11 @@ sub _version_check ($$) {
      my $version;
      # If Version syspref is unavailable, it means Koha is beeing installed,
      # and so we must redirect to OPAC maintenance page or to the WebInstaller
      my $version;
      # If Version syspref is unavailable, it means Koha is beeing installed,
      # and so we must redirect to OPAC maintenance page or to the WebInstaller
-    #warn "about to check version";
+       # also, if OpacMaintenance is ON, OPAC should redirect to maintenance
+       if (C4::Context->preference('OpacMaintenance') && $type eq 'opac') {
+               warn "OPAC Install required, redirecting to maintenance";
+               print $query->redirect("/cgi-bin/koha/maintenance.pl");
+       }
      unless ($version = C4::Context->preference('Version')) {    # assignment, not comparison
        if ($type ne 'opac') {
          warn "Install required, redirecting to Installer";
      unless ($version = C4::Context->preference('Version')) {    # assignment, not comparison
        if ($type ne 'opac') {
          warn "Install required, redirecting to Installer";
@@ -418,8 +459,7 @@ sub _version_check ($$) {
      $kohaversion =~ s/(.*\..*)\.(.*)\.(.*)/$1$2$3/;
      $debug and print STDERR "kohaversion : $kohaversion\n";
      if ($version < $kohaversion){
      $kohaversion =~ s/(.*\..*)\.(.*)\.(.*)/$1$2$3/;
      $debug and print STDERR "kohaversion : $kohaversion\n";
      if ($version < $kohaversion){
-        my $warning = "Database update needed, redirecting to %s. Database is $version and Koha is "
-            . C4::Context->config("kohaversion");
+        my $warning = "Database update needed, redirecting to %s. Database is $version and Koha is $kohaversion";
          if ($type ne 'opac'){
              warn sprintf($warning, 'Installer');
              print $query->redirect("/cgi-bin/koha/installer/install.pl?step=3");
          if ($type ne 'opac'){
              warn sprintf($warning, 'Installer');
              print $query->redirect("/cgi-bin/koha/installer/install.pl?step=3");
@@ -459,8 +499,9 @@ sub checkauth {
      # state variables
      my $loggedin = 0;
      my %info;
      # state variables
      my $loggedin = 0;
      my %info;
-    my ( $userid, $cookie, $sessionID, $flags, $shelves );
+    my ( $userid, $cookie, $sessionID, $flags, $barshelves, $pubshelves );
      my $logout = $query->param('logout.x');
      my $logout = $query->param('logout.x');
+
      if ( $userid = $ENV{'REMOTE_USER'} ) {
          # Using Basic Authentication, no cookies required
          $cookie = $query->cookie(
      if ( $userid = $ENV{'REMOTE_USER'} ) {
          # Using Basic Authentication, no cookies required
          $cookie = $query->cookie(
@@ -473,7 +514,7 @@ sub checkauth {
      elsif ( $sessionID = $query->cookie("CGISESSID")) {     # assignment, not comparison 
          my $session = get_session($sessionID);
          C4::Context->_new_userenv($sessionID);
      elsif ( $sessionID = $query->cookie("CGISESSID")) {     # assignment, not comparison 
          my $session = get_session($sessionID);
          C4::Context->_new_userenv($sessionID);
-        my ($ip, $lasttime);
+        my ($ip, $lasttime, $sessiontype);
          if ($session){
              C4::Context::set_userenv(
                  $session->param('number'),       $session->param('id'),
          if ($session){
              C4::Context::set_userenv(
                  $session->param('number'),       $session->param('id'),
@@ -482,14 +523,27 @@ sub checkauth {
                  $session->param('branchname'),   $session->param('flags'),
                  $session->param('emailaddress'), $session->param('branchprinter')
              );
                  $session->param('branchname'),   $session->param('flags'),
                  $session->param('emailaddress'), $session->param('branchprinter')
              );
-            C4::Context::set_shelves_userenv($session->param('shelves'));
+            C4::Context::set_shelves_userenv('bar',$session->param('barshelves'));
+            C4::Context::set_shelves_userenv('pub',$session->param('pubshelves'));
+            C4::Context::set_shelves_userenv('tot',$session->param('totshelves'));
              $debug and printf STDERR "AUTH_SESSION: (%s)\t%s %s - %s\n", map {$session->param($_)} qw(cardnumber firstname surname branch) ;
              $ip       = $session->param('ip');
              $lasttime = $session->param('lasttime');
              $userid   = $session->param('id');
              $debug and printf STDERR "AUTH_SESSION: (%s)\t%s %s - %s\n", map {$session->param($_)} qw(cardnumber firstname surname branch) ;
              $ip       = $session->param('ip');
              $lasttime = $session->param('lasttime');
              $userid   = $session->param('id');
+                       $sessiontype = $session->param('sessiontype');
          }
          }
-    
-        if ($logout) {
+   
+               if ( ($query->param('koha_login_context')) && ($query->param('userid') ne $session->param('id')) ) {
+                       #if a user enters an id ne to the id in the current session, we need to log them in...
+                       #first we need to clear the anonymous session...
+                       $debug and warn "query id = " . $query->param('userid') . " but session id = " . $session->param('id');
+            $session->flush;      
+            $session->delete();
+            C4::Context->_unset_userenv($sessionID);
+                       $sessionID = undef;
+                       $userid = undef;
+               }
+        elsif ($logout) {
              # voluntary logout the user
              $session->flush;      
              $session->delete();
              # voluntary logout the user
              $session->flush;      
              $session->delete();
@@ -521,144 +575,181 @@ sub checkauth {
                 else {
                         $cookie = $query->cookie( CGISESSID => $session->id );
                         $session->param('lasttime',time());
                 else {
                         $cookie = $query->cookie( CGISESSID => $session->id );
                         $session->param('lasttime',time());
-                       $flags = haspermission( $dbh, $userid, $flagsrequired );
-                       if ($flags) {
-                               $loggedin = 1;
-                       } else {
-                               $info{'nopermission'} = 1;
+                       unless ( $sessiontype eq 'anon' ) {     #if this is an anonymous session, we want to update the session, but not behave as if they are logged in...
+                               $flags = haspermission( $dbh, $userid, $flagsrequired );
+                               if ($flags) {
+                                       $loggedin = 1;
+                               } else {
+                                       $info{'nopermission'} = 1;
+                               }
                         }
                 }
      }
                         }
                 }
      }
-    unless ($userid) {
-        my $session = get_session("") or die "Auth ERROR: Cannot get_session()";
+    unless ($userid || $sessionID) {
+        #we initiate a session prior to checking for a username to allow for anonymous sessions...
+               my $session = get_session("") or die "Auth ERROR: Cannot get_session()";
          my $sessionID = $session->id;
          my $sessionID = $session->id;
-        $userid    = $query->param('userid');
-        my $password = $query->param('password');
-        C4::Context->_new_userenv($sessionID);
-        my ( $return, $cardnumber ) = checkpw( $dbh, $userid, $password );
-        if ($return) {
-            _session_log(sprintf "%20s from %16s logged in  at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},localtime);
-            $cookie = $query->cookie(CGISESSID => $sessionID);
-            if ( $flags = haspermission( $dbh, $userid, $flagsrequired ) ) {
-                               $loggedin = 1;
-            }
-            else {
-                $info{'nopermission'} = 1;
-                C4::Context->_unset_userenv($sessionID);
-            }
-
-                       my ($borrowernumber, $firstname, $surname, $userflags,
-                               $branchcode, $branchname, $branchprinter, $emailaddress);
-
-            if ( $return == 1 ) {
-                my $select = "
-                SELECT borrowernumber, firstname, surname, flags, borrowers.branchcode, 
-                        branches.branchname    as branchname, 
-                        branches.branchprinter as branchprinter, 
-                        email 
-                FROM borrowers 
-                LEFT JOIN branches on borrowers.branchcode=branches.branchcode
-                ";
-                my $sth = $dbh->prepare("$select where userid=?");
-                $sth->execute($userid);
-                               unless ($sth->rows) {
-                       $debug and print STDERR "AUTH_1: no rows for userid='$userid'\n";
-                                       $sth = $dbh->prepare("$select where cardnumber=?");
-                    $sth->execute($cardnumber);
+               C4::Context->_new_userenv($sessionID);
+        $cookie = $query->cookie(CGISESSID => $sessionID);
+               if ( $userid    = $query->param('userid') ) {
+               my $password = $query->param('password');
+               my ( $return, $cardnumber ) = checkpw( $dbh, $userid, $password );
+               if ($return) {
+               _session_log(sprintf "%20s from %16s logged in  at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},localtime);
+               if ( $flags = haspermission( $dbh, $userid, $flagsrequired ) ) {
+                                       $loggedin = 1;
+               }
+                       else {
+                       $info{'nopermission'} = 1;
+                       C4::Context->_unset_userenv($sessionID);
+               }
+
+                               my ($borrowernumber, $firstname, $surname, $userflags,
+                                       $branchcode, $branchname, $branchprinter, $emailaddress);
+
+               if ( $return == 1 ) {
+                       my $select = "
+                       SELECT borrowernumber, firstname, surname, flags, borrowers.branchcode, 
+                           branches.branchname    as branchname, 
+                               branches.branchprinter as branchprinter, 
+                               email 
+                       FROM borrowers 
+                       LEFT JOIN branches on borrowers.branchcode=branches.branchcode
+                       ";
+                       my $sth = $dbh->prepare("$select where userid=?");
+                       $sth->execute($userid);
                                         unless ($sth->rows) {
                                         unless ($sth->rows) {
-                               $debug and print STDERR "AUTH_2a: no rows for cardnumber='$cardnumber'\n";
-                       $sth->execute($userid);
+                               $debug and print STDERR "AUTH_1: no rows for userid='$userid'\n";
+                                               $sth = $dbh->prepare("$select where cardnumber=?");
+                               $sth->execute($cardnumber);
                                                 unless ($sth->rows) {
                                                 unless ($sth->rows) {
-                                       $debug and print STDERR "AUTH_2b: no rows for userid='$userid' AS cardnumber\n";
+                                       $debug and print STDERR "AUTH_2a: no rows for cardnumber='$cardnumber'\n";
+                               $sth->execute($userid);
+                                                       unless ($sth->rows) {
+                                               $debug and print STDERR "AUTH_2b: no rows for userid='$userid' AS cardnumber\n";
+                                                       }
                                                 }
                                         }
                                                 }
                                         }
-                               }
-                if ($sth->rows) {
-                    ($borrowernumber, $firstname, $surname, $userflags,
-                       $branchcode, $branchname, $branchprinter, $emailaddress) = $sth->fetchrow;
-                                       $debug and print STDERR "AUTH_3 results: " .
-                                               "$cardnumber,$borrowernumber,$userid,$firstname,$surname,$userflags,$branchcode,$emailaddress\n";
-                               } else {
-                                       print STDERR "AUTH_3: no results for userid='$userid', cardnumber='$cardnumber'.\n";
-                               }
+                       if ($sth->rows) {
+                       ($borrowernumber, $firstname, $surname, $userflags,
+                               $branchcode, $branchname, $branchprinter, $emailaddress) = $sth->fetchrow;
+                                               $debug and print STDERR "AUTH_3 results: " .
+                                                       "$cardnumber,$borrowernumber,$userid,$firstname,$surname,$userflags,$branchcode,$emailaddress\n";
+                                       } else {
+                                               print STDERR "AUTH_3: no results for userid='$userid', cardnumber='$cardnumber'.\n";
+                                       }
  
  # launch a sequence to check if we have a ip for the branch, i
  # if we have one we replace the branchcode of the userenv by the branch bound in the ip.
  
  
  # launch a sequence to check if we have a ip for the branch, i
  # if we have one we replace the branchcode of the userenv by the branch bound in the ip.
  
-                my $ip       = $ENV{'REMOTE_ADDR'};
-                # if they specify at login, use that
-                if ($query->param('branch')) {
-                    $branchcode  = $query->param('branch');
-                    $branchname = GetBranchName($branchcode);
-                }
-                my $branches = GetBranches();
-                if (C4::Context->boolean_preference('IndependantBranches') && C4::Context->boolean_preference('Autolocation')){
-                                   # we have to check they are coming from the right ip range
-                                       my $domain = $branches->{$branchcode}->{'branchip'};
-                                       if ($ip !~ /^$domain/){
-                                               $loggedin=0;
-                                               $info{'wrongip'} = 1;
+                                       my $ip       = $ENV{'REMOTE_ADDR'};
+                                       # if they specify at login, use that
+                                       if ($query->param('branch')) {
+                                               $branchcode  = $query->param('branch');
+                                               $branchname = GetBranchName($branchcode);
+                                       }
+                                       my $branches = GetBranches();
+                                       if (C4::Context->boolean_preference('IndependantBranches') && C4::Context->boolean_preference('Autolocation')){
+                                               # we have to check they are coming from the right ip range
+                                               my $domain = $branches->{$branchcode}->{'branchip'};
+                                               if ($ip !~ /^$domain/){
+                                                       $loggedin=0;
+                                                       $info{'wrongip'} = 1;
+                                               }
                                         }
                                         }
-                               }
-
-                my @branchesloop;
-                foreach my $br ( keys %$branches ) {
-                    #     now we work with the treatment of ip
-                    my $domain = $branches->{$br}->{'branchip'};
-                    if ( $domain && $ip =~ /^$domain/ ) {
-                        $branchcode = $branches->{$br}->{'branchcode'};
  
  
-                        # new op dev : add the branchprinter and branchname in the cookie
-                        $branchprinter = $branches->{$br}->{'branchprinter'};
-                        $branchname    = $branches->{$br}->{'branchname'};
-                    }
-                }
-                $session->param('number',$borrowernumber);
-                $session->param('id',$userid);
-                $session->param('cardnumber',$cardnumber);
-                $session->param('firstname',$firstname);
-                $session->param('surname',$surname);
-                $session->param('branch',$branchcode);
-                $session->param('branchname',$branchname);
-                $session->param('flags',$userflags);
-                $session->param('emailaddress',$emailaddress);
-                $session->param('ip',$session->remote_addr());
-                $session->param('lasttime',time());
-                $debug and printf STDERR "AUTH_4: (%s)\t%s %s - %s\n", map {$session->param($_)} qw(cardnumber firstname surname branch) ;
-            }
-            elsif ( $return == 2 ) {
-                #We suppose the user is the superlibrarian
-                               $borrowernumber = 0;
-                $session->param('number',0);
-                $session->param('id',C4::Context->config('user'));
-                $session->param('cardnumber',C4::Context->config('user'));
-                $session->param('firstname',C4::Context->config('user'));
-                $session->param('surname',C4::Context->config('user'));
-                $session->param('branch','NO_LIBRARY_SET');
-                $session->param('branchname','NO_LIBRARY_SET');
-                $session->param('flags',1);
-                $session->param('emailaddress', C4::Context->preference('KohaAdminEmailAddress'));
-                $session->param('ip',$session->remote_addr());
-                $session->param('lasttime',time());
-            }
-            C4::Context::set_userenv(
-                $session->param('number'),       $session->param('id'),
-                $session->param('cardnumber'),   $session->param('firstname'),
-                $session->param('surname'),      $session->param('branch'),
-                $session->param('branchname'),   $session->param('flags'),
-                $session->param('emailaddress'), $session->param('branchprinter')
-            );
-                       $shelves = GetShelvesSummary($borrowernumber,2,10);
-                       $session->param('shelves', $shelves);
-                       C4::Context::set_shelves_userenv($shelves);
-        }
-        else {
-            if ($userid) {
-                $info{'invalid_username_or_password'} = 1;
-                C4::Context->_unset_userenv($sessionID);
-            }
+                                       my @branchesloop;
+                                       foreach my $br ( keys %$branches ) {
+                                               #     now we work with the treatment of ip
+                                               my $domain = $branches->{$br}->{'branchip'};
+                                               if ( $domain && $ip =~ /^$domain/ ) {
+                                                       $branchcode = $branches->{$br}->{'branchcode'};
  
  
-        }
+                                                       # new op dev : add the branchprinter and branchname in the cookie
+                                                       $branchprinter = $branches->{$br}->{'branchprinter'};
+                                                       $branchname    = $branches->{$br}->{'branchname'};
+                                               }
+                                       }
+                                       $session->param('number',$borrowernumber);
+                                       $session->param('id',$userid);
+                                       $session->param('cardnumber',$cardnumber);
+                                       $session->param('firstname',$firstname);
+                                       $session->param('surname',$surname);
+                                       $session->param('branch',$branchcode);
+                                       $session->param('branchname',$branchname);
+                                       $session->param('flags',$userflags);
+                                       $session->param('emailaddress',$emailaddress);
+                                       $session->param('ip',$session->remote_addr());
+                                       $session->param('lasttime',time());
+                                       $debug and printf STDERR "AUTH_4: (%s)\t%s %s - %s\n", map {$session->param($_)} qw(cardnumber firstname surname branch) ;
+                               }
+                               elsif ( $return == 2 ) {
+                                       #We suppose the user is the superlibrarian
+                                       $borrowernumber = 0;
+                                       $session->param('number',0);
+                                       $session->param('id',C4::Context->config('user'));
+                                       $session->param('cardnumber',C4::Context->config('user'));
+                                       $session->param('firstname',C4::Context->config('user'));
+                                       $session->param('surname',C4::Context->config('user'));
+                                       $session->param('branch','NO_LIBRARY_SET');
+                                       $session->param('branchname','NO_LIBRARY_SET');
+                                       $session->param('flags',1);
+                                       $session->param('emailaddress', C4::Context->preference('KohaAdminEmailAddress'));
+                                       $session->param('ip',$session->remote_addr());
+                                       $session->param('lasttime',time());
+                               }
+                               C4::Context::set_userenv(
+                                       $session->param('number'),       $session->param('id'),
+                                       $session->param('cardnumber'),   $session->param('firstname'),
+                                       $session->param('surname'),      $session->param('branch'),
+                                       $session->param('branchname'),   $session->param('flags'),
+                                       $session->param('emailaddress'), $session->param('branchprinter')
+                               );
+
+                               # Grab borrower's shelves and public shelves and add them to the session
+                               # $row_count determines how many records are returned from the db query
+                               # and the number of lists to be displayed of each type in the 'Lists' button drop down
+                               my $row_count = 10; # FIXME:This probably should be a syspref
+                               my ($total, $totshelves, $barshelves, $pubshelves);
+                               ($barshelves, $totshelves) = C4::VirtualShelves::GetRecentShelves(1, $row_count, $borrowernumber);
+                               $total->{'bartotal'} = $totshelves;
+                               ($pubshelves, $totshelves) = C4::VirtualShelves::GetRecentShelves(2, $row_count, undef);
+                               $total->{'pubtotal'} = $totshelves;
+                               $session->param('barshelves', $barshelves->[0]);
+                               $session->param('pubshelves', $pubshelves->[0]);
+                               $session->param('totshelves', $total);
+                               
+                               C4::Context::set_shelves_userenv('bar',$barshelves->[0]);
+                               C4::Context::set_shelves_userenv('pub',$pubshelves->[0]);
+                               C4::Context::set_shelves_userenv('tot',$total);
+                       }
+               else {
+               if ($userid) {
+                       $info{'invalid_username_or_password'} = 1;
+                       C4::Context->_unset_userenv($sessionID);
+               }
+                       }
+        }      # END if ( $userid    = $query->param('userid') )
+               elsif ($type eq "opac") {       
+            # if we are here this is an anonymous session; add public lists to it and a few other items...
+            # anonymous sessions are created only for the OPAC
+                       $debug and warn "Initiating an anonymous session...";
+
+                       # Grab the public shelves and add to the session...
+                       my $row_count = 20; # FIXME:This probably should be a syspref
+                       my ($total, $totshelves, $pubshelves);
+                       ($pubshelves, $totshelves) = C4::VirtualShelves::GetRecentShelves(2, $row_count, undef);
+                       $total->{'pubtotal'} = $totshelves;
+                       $session->param('pubshelves', $pubshelves->[0]);
+                       $session->param('totshelves', $total);
+                       C4::Context::set_shelves_userenv('pub',$pubshelves->[0]);
+                       C4::Context::set_shelves_userenv('tot',$total);
+                       
+                       # setting a couple of other session vars...
+                       $session->param('ip',$session->remote_addr());
+                       $session->param('lasttime',time());
+                       $session->param('sessiontype','anon');
+               }
      }  # END unless ($userid)
      my $insecure = C4::Context->boolean_preference('insecure');
  
      }  # END unless ($userid)
      my $insecure = C4::Context->boolean_preference('insecure');
  
@@ -700,7 +791,6 @@ sub checkauth {
          INPUTS               => \@inputs,
          suggestion           => C4::Context->preference("suggestion"),
          virtualshelves       => C4::Context->preference("virtualshelves"),
          INPUTS               => \@inputs,
          suggestion           => C4::Context->preference("suggestion"),
          virtualshelves       => C4::Context->preference("virtualshelves"),
-        opaclargeimage       => C4::Context->preference("opaclargeimage"),
          LibraryName          => C4::Context->preference("LibraryName"),
          opacuserlogin        => C4::Context->preference("opacuserlogin"),
          OpacNav              => C4::Context->preference("OpacNav"),
          LibraryName          => C4::Context->preference("LibraryName"),
          opacuserlogin        => C4::Context->preference("opacuserlogin"),
          OpacNav              => C4::Context->preference("OpacNav"),
@@ -716,6 +806,9 @@ sub checkauth {
          OpacTopissue         => C4::Context->preference("OpacTopissue"),
          OpacAuthorities      => C4::Context->preference("OpacAuthorities"),
          OpacBrowser          => C4::Context->preference("OpacBrowser"),
          OpacTopissue         => C4::Context->preference("OpacTopissue"),
          OpacAuthorities      => C4::Context->preference("OpacAuthorities"),
          OpacBrowser          => C4::Context->preference("OpacBrowser"),
+        opacheader           => C4::Context->preference("opacheader"),
+        TagsEnabled                  => C4::Context->preference("TagsEnabled"),
+        OPACUserCSS           => C4::Context->preference("OPACUserCSS"),
          intranetcolorstylesheet =>
                                                                 C4::Context->preference("intranetcolorstylesheet"),
          intranetstylesheet => C4::Context->preference("intranetstylesheet"),
          intranetcolorstylesheet =>
                                                                 C4::Context->preference("intranetcolorstylesheet"),
          intranetstylesheet => C4::Context->preference("intranetstylesheet"),
@@ -724,7 +817,6 @@ sub checkauth {
          TemplateEncoding   => C4::Context->preference("TemplateEncoding"),
          IndependantBranches=> C4::Context->preference("IndependantBranches"),
          AutoLocation       => C4::Context->preference("AutoLocation"),
          TemplateEncoding   => C4::Context->preference("TemplateEncoding"),
          IndependantBranches=> C4::Context->preference("IndependantBranches"),
          AutoLocation       => C4::Context->preference("AutoLocation"),
-        yuipath            => C4::Context->preference("yuipath"),
                 wrongip            => $info{'wrongip'}
      );
      
                 wrongip            => $info{'wrongip'}
      );
      
@@ -1104,14 +1196,14 @@ sub get_session {
      my $dbh = C4::Context->dbh;
      my $session;
      if ($storage_method eq 'mysql'){
      my $dbh = C4::Context->dbh;
      my $session;
      if ($storage_method eq 'mysql'){
-        $session = new CGI::Session("driver:MySQL;serializer:yaml", $sessionID, {Handle=>$dbh});
+        $session = new CGI::Session("driver:MySQL;serializer:yaml;id:md5", $sessionID, {Handle=>$dbh});
      }
      elsif ($storage_method eq 'Pg') {
      }
      elsif ($storage_method eq 'Pg') {
-        $session = new CGI::Session("driver:PostgreSQL;serializer:yaml", $sessionID, {Handle=>$dbh});
+        $session = new CGI::Session("driver:PostgreSQL;serializer:yaml;id:md5", $sessionID, {Handle=>$dbh});
      }
      else {
          # catch all defaults to tmp should work on all systems
      }
      else {
          # catch all defaults to tmp should work on all systems
-        $session = new CGI::Session("driver:File;serializer:yaml", $sessionID, {Directory=>'/tmp'});
+        $session = new CGI::Session("driver:File;serializer:yaml;id:md5", $sessionID, {Directory=>'/tmp'});
      }
      return $session;
  }
      }
      return $session;
  }
@@ -1120,7 +1212,7 @@ sub checkpw {
  
      my ( $dbh, $userid, $password ) = @_;
      if ($ldap) {
  
      my ( $dbh, $userid, $password ) = @_;
      if ($ldap) {
-        $debug and print "## checkpw - checking LDAP\n";
+        $debug and print STDERR "## checkpw - checking LDAP\n";
          my ($retval,$retcard) = checkpw_ldap(@_);    # EXTERNAL AUTH
          ($retval) and return ($retval,$retcard);
      }
          my ($retval,$retcard) = checkpw_ldap(@_);    # EXTERNAL AUTH
          ($retval) and return ($retval,$retcard);
      }
@@ -1190,6 +1282,7 @@ C<$authflags> is a hashref of permissions
  
  sub getuserflags {
      my $flags   = shift;
  
  sub getuserflags {
      my $flags   = shift;
+    my $userid  = shift;
      my $dbh     = shift;
      my $userflags;
      $flags = 0 unless $flags;
      my $dbh     = shift;
      my $userflags;
      $flags = 0 unless $flags;
@@ -1204,15 +1297,101 @@ sub getuserflags {
              $userflags->{$flag} = 0;
          }
      }
              $userflags->{$flag} = 0;
          }
      }
+
+    # get subpermissions and merge with top-level permissions
+    my $user_subperms = get_user_subpermissions($userid);
+    foreach my $module (keys %$user_subperms) {
+        next if $userflags->{$module} == 1; # user already has permission for everything in this module
+        $userflags->{$module} = $user_subperms->{$module};
+    }
+
      return $userflags;
  }
  
      return $userflags;
  }
  
+=item get_user_subpermissions 
+
+=over 4
+
+my $user_perm_hashref = get_user_subpermissions($userid);
+
+=back
+
+Given the userid (note, not the borrowernumber) of a staff user,
+return a hashref of hashrefs of the specific subpermissions 
+accorded to the user.  An example return is
+
+{ 
+    tools => {
+        export_catalog => 1,
+        import_patrons => 1,
+    }
+}
+
+The top-level hash-key is a module or function code from
+userflags.flag, while the second-level key is a code
+from permissions.
+
+The results of this function do not give a complete picture
+of the functions that a staff user can access; it is also
+necessary to check borrowers.flags.
+
+=cut
+
+sub get_user_subpermissions {
+    my $userid = shift;
+
+    my $dbh = C4::Context->dbh;
+    my $sth = $dbh->prepare("SELECT flag, user_permissions.code as code
+                             FROM user_permissions
+                             JOIN permissions USING (module_bit, code)
+                             JOIN userflags ON (permissions.module_bit = userflags.bit)
+                             JOIN borrowers ON (user_permissions.borrowernumber=borrowers.borrowernumber)
+                             WHERE userid = ?");
+    $sth->execute($userid);
+
+    my $user_perms = {};
+    while (my $perm = $sth->fetchrow_hashref) {
+        $user_perms->{$perm->{'flag'}}->{$perm->{'code'}} = 1;
+    }
+    return $user_perms;
+}
+
+=item get_all_subpermissions
+
+=over 4
+
+my $perm_hashref = get_all_subpermissions();
+
+=back
+
+Returns a hashref of hashrefs defining all specific
+permissions currently defined.  The return value
+has the same structure as that of C<get_user_subpermissions>,
+except that the innermost hash value is the description
+of the subpermission.
+
+=cut
+
+sub get_all_subpermissions {
+    my $dbh = C4::Context->dbh;
+    my $sth = $dbh->prepare("SELECT flag, code, description
+                             FROM permissions
+                             JOIN userflags ON (module_bit = bit)");
+    $sth->execute();
+
+    my $all_perms = {};
+    while (my $perm = $sth->fetchrow_hashref) {
+        $all_perms->{$perm->{'flag'}}->{$perm->{'code'}} = $perm->{'description'};
+    }
+    return $all_perms;
+}
+
  =item haspermission 
  
    $flags = ($dbh,$member,$flagsrequired);
  
  C<$member> may be either userid or overloaded with $borrower hashref from GetMemberDetails.
  =item haspermission 
  
    $flags = ($dbh,$member,$flagsrequired);
  
  C<$member> may be either userid or overloaded with $borrower hashref from GetMemberDetails.
-C<$flags> is a hashref of required flags lik C<$borrower-&lt;{authflags}> 
+C<$flags> is a hashref of required flags like C<$borrower-&lt;{authflags}> 
  
  Returns member's flags or 0 if a permission is not met.
  
  
  Returns member's flags or 0 if a permission is not met.
  
@@ -1228,7 +1407,7 @@ sub haspermission {
          my $sth = $dbh->prepare("SELECT flags FROM borrowers WHERE userid=?");
          $sth->execute($userid);
          my ($intflags) = $sth->fetchrow;
          my $sth = $dbh->prepare("SELECT flags FROM borrowers WHERE userid=?");
          $sth->execute($userid);
          my ($intflags) = $sth->fetchrow;
-        $flags = getuserflags( $intflags, $dbh );
+        $flags = getuserflags( $intflags, $userid, $dbh );
      }
      if ( $userid eq C4::Context->config('user') ) {
          # Super User Account from /etc/koha.conf
      }
      if ( $userid eq C4::Context->config('user') ) {
          # Super User Account from /etc/koha.conf
@@ -1239,8 +1418,22 @@ sub haspermission {
          $flags->{'superlibrarian'} = 1;
      }
      return $flags if $flags->{superlibrarian};
          $flags->{'superlibrarian'} = 1;
      }
      return $flags if $flags->{superlibrarian};
-    foreach ( keys %$flagsrequired ) {
-        return 0 unless( $flags->{$_} );
+    foreach my $module ( keys %$flagsrequired ) {
+        if (C4::Context->preference('GranularPermissions')) {
+            my $subperm = $flagsrequired->{$module};
+            if ($subperm eq '*') {
+                return 0 unless ( $flags->{$module} == 1 or ref($flags->{$module}) );
+            } else {
+                return 0 unless ( $flags->{$module} == 1 or
+                                    ( ref($flags->{$module}) and 
+                                      exists $flags->{$module}->{$subperm} and 
+                                      $flags->{$module}->{$subperm} == 1 
+                                    ) 
+                                );
+            }
+        } else {
+            return 0 unless ( $flags->{$module} );
+        }
      }
      return $flags;
      #FIXME - This fcn should return the failed permission so a suitable error msg can be delivered.
      }
      return $flags;
      #FIXME - This fcn should return the failed permission so a suitable error msg can be delivered.