X-Git-Url: http://git.rot13.org/?a=blobdiff_plain;f=C4%2FAuth.pm;h=c3ba5baad25204060488fabf353e80ce28c5dbe2;hb=refs%2Fheads%2Fkoha_ffzg;hp=7903099bf44449f0808f3150a326c431dce7ac34;hpb=d2f2590c894efca417112795e05248dbd16636f5;p=koha.git diff --git a/C4/Auth.pm b/C4/Auth.pm index 7903099bf4..c3ba5baad2 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -19,8 +19,9 @@ package C4::Auth; use strict; use warnings; +use Carp qw/croak/; + use Digest::MD5 qw(md5_base64); -use File::Spec; use JSON qw/encode_json/; use URI::Escape; use CGI::Session; @@ -33,15 +34,19 @@ use C4::Search::History; use Koha; use Koha::Caches; use Koha::AuthUtils qw(get_script_name hash_password); +use Koha::Checkouts; +use Koha::DateUtils qw(dt_from_string); use Koha::Library::Groups; use Koha::Libraries; use Koha::Patrons; +use Koha::Patron::Consents; use POSIX qw/strftime/; use List::MoreUtils qw/ any /; use Encode qw( encode is_utf8); +use C4::Auth_with_shibboleth; # use utf8; -use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas $caslogout $shib $shib_login); +use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas $caslogout); BEGIN { sub psgi_env { any { /^psgi\./ } keys %ENV } @@ -55,12 +60,11 @@ BEGIN { @ISA = qw(Exporter); @EXPORT = qw(&checkauth &get_template_and_user &haspermission &get_user_subpermissions); @EXPORT_OK = qw(&check_api_auth &get_session &check_cookie_auth &checkpw &checkpw_internal &checkpw_hash - &get_all_subpermissions &get_user_subpermissions + &get_all_subpermissions &get_user_subpermissions track_login_daily ); %EXPORT_TAGS = ( EditPermissions => [qw(get_all_subpermissions get_user_subpermissions)] ); $ldap = C4::Context->config('useldapserver') || 0; $cas = C4::Context->preference('casAuthentication'); - $shib = C4::Context->config('useshibboleth') || 0; $caslogout = C4::Context->preference('casLogout'); require C4::Auth_with_cas; # no import @@ -68,25 +72,8 @@ BEGIN { require C4::Auth_with_ldap; import C4::Auth_with_ldap qw(checkpw_ldap); } - if ($shib) { - require C4::Auth_with_shibboleth; - import C4::Auth_with_shibboleth - qw(shib_ok checkpw_shib logout_shib login_shib_url get_login_shib); - - # Check for good config - if ( shib_ok() ) { - - # Get shibboleth login attribute - $shib_login = get_login_shib(); - } - - # Bad config, disable shibboleth - else { - $shib = 0; - } - } if ($cas) { - import C4::Auth_with_cas qw(check_api_auth_cas checkpw_cas login_cas logout_cas login_cas_url); + import C4::Auth_with_cas qw(check_api_auth_cas checkpw_cas login_cas logout_cas login_cas_url logout_if_required); } } @@ -144,7 +131,7 @@ See C<&checkauth> for an explanation of these parameters. The C is then used to find the correct template for the page. The authenticated users details are loaded onto the -template in the HTML::Template LOOP variable C. Also the +template in the logged_in_user variable (which is a Koha::Patron object). Also the C is passed to the template. This can be used in templates if cookies are disabled. It needs to be put as and input to every authenticated page. @@ -159,6 +146,10 @@ sub get_template_and_user { my $in = shift; my ( $user, $cookie, $sessionID, $flags ); + # Get shibboleth login attribute + my $shib = C4::Context->config('useshibboleth') && shib_ok(); + my $shib_login = $shib ? get_login_shib() : undef; + C4::Context->interface( $in->{type} ); $in->{'authnotrequired'} ||= 0; @@ -179,12 +170,56 @@ sub get_template_and_user { ); } + # If we enforce GDPR and the user did not consent, redirect + if( $in->{type} eq 'opac' && $user && + $in->{'template_name'} !~ /opac-patron-consent/ && + C4::Context->preference('GDPR_Policy') eq 'Enforced' ) + { + my $consent = Koha::Patron::Consents->search({ + borrowernumber => getborrowernumber($user), + type => 'GDPR_PROCESSING', + given_on => { '!=', undef }, + })->next; + if( !$consent ) { + print $in->{query}->redirect(-uri => '/cgi-bin/koha/opac-patron-consent.pl', -cookie => $cookie); + safe_exit; + } + } + + if ( $in->{type} eq 'opac' && $user ) { + my $kick_out; - # If the user logged in is the SCO user and they try to go out of the SCO module, log the user out removing the CGISESSID cookie - if ( $in->{type} eq 'opac' and $in->{template_name} !~ m|sco/| ) { - if ( $user && C4::Context->preference('AutoSelfCheckID') && $user eq C4::Context->preference('AutoSelfCheckID') ) { - $template = C4::Templates::gettemplate( 'opac-auth.tt', 'opac', $in->{query} ); - my $cookie = $in->{query}->cookie( + if ( +# If the user logged in is the SCO user and they try to go out of the SCO module, +# log the user out removing the CGISESSID cookie + $in->{template_name} !~ m|sco/| + && C4::Context->preference('AutoSelfCheckID') + && $user eq C4::Context->preference('AutoSelfCheckID') + ) + { + $kick_out = 1; + } + elsif ( +# If the user logged in is the SCI user and they try to go out of the SCI module, +# kick them out unless it is SCO with a valid permission +# or they are a superlibrarian + $in->{template_name} !~ m|sci/| + && haspermission( $user, { self_check => 'self_checkin_module' } ) + && !( + $in->{template_name} =~ m|sco/| && haspermission( + $user, { self_check => 'self_checkout_module' } + ) + ) + && $flags && $flags->{superlibrarian} != 1 + ) + { + $kick_out = 1; + } + + if ($kick_out) { + $template = C4::Templates::gettemplate( 'opac-auth.tt', 'opac', + $in->{query} ); + $cookie = $in->{query}->cookie( -name => 'CGISESSID', -value => '', -expires => '', @@ -195,14 +230,16 @@ sub get_template_and_user { loginprompt => 1, script_name => get_script_name(), ); + print $in->{query}->header( - { type => 'text/html', + { + type => 'text/html', charset => 'utf-8', cookie => $cookie, 'X-Frame-Options' => 'SAMEORIGIN' } ), - $template->output; + $template->output; safe_exit; } } @@ -230,7 +267,7 @@ sub get_template_and_user { } # user info - $template->param( loggedinusername => $user ); # FIXME Should be replaced with something like patron-title.inc + $template->param( loggedinusername => $user ); # OBSOLETE - Do not reuse this in template, use logged_in_user.userid instead $template->param( loggedinusernumber => $borrowernumber ); # FIXME Should be replaced with logged_in_user.borrowernumber $template->param( logged_in_user => $patron ); $template->param( sessionID => $sessionID ); @@ -254,12 +291,10 @@ sub get_template_and_user { ); } - $template->param( "USER_INFO" => $patron->unblessed ); - my $all_perms = get_all_subpermissions(); my @flagroots = qw(circulate catalogue parameters borrowers permissions reserveforothers borrow - editcatalogue updatecharges management tools editauthorities serials reports acquisition clubs); + editcatalogue updatecharges tools editauthorities serials reports acquisition clubs); # We are going to use the $flags returned by checkauth # to create the template's parameters that will indicate @@ -274,7 +309,6 @@ sub get_template_and_user { $template->param( CAN_user_editcatalogue => 1 ); $template->param( CAN_user_updatecharges => 1 ); $template->param( CAN_user_acquisition => 1 ); - $template->param( CAN_user_management => 1 ); $template->param( CAN_user_tools => 1 ); $template->param( CAN_user_editauthorities => 1 ); $template->param( CAN_user_serials => 1 ); @@ -283,6 +317,8 @@ sub get_template_and_user { $template->param( CAN_user_plugins => 1 ); $template->param( CAN_user_coursereserves => 1 ); $template->param( CAN_user_clubs => 1 ); + $template->param( CAN_user_ill => 1 ); + $template->param( CAN_user_stockrotation => 1 ); foreach my $module ( keys %$all_perms ) { foreach my $subperm ( keys %{ $all_perms->{$module} } ) { @@ -309,9 +345,6 @@ sub get_template_and_user { foreach my $module ( keys %$flags ) { if ( $flags->{$module} == 1 or ref( $flags->{$module} ) ) { $template->param( "CAN_user_$module" => 1 ); - if ( $module eq "parameters" ) { - $template->param( CAN_user_management => 1 ); - } } } } @@ -472,7 +505,7 @@ sub get_template_and_user { UseKohaPlugins => C4::Context->preference('UseKohaPlugins'), UseCourseReserves => C4::Context->preference("UseCourseReserves"), useDischarge => C4::Context->preference('useDischarge'), - KOHA_VERSION => C4::Context->preference('Version'), + pending_checkout_notes => scalar Koha::Checkouts->search({ noteseen => 0 }), ); } else { @@ -502,8 +535,8 @@ sub get_template_and_user { my $opac_limit_override = $ENV{'OPAC_LIMIT_OVERRIDE'}; my $opac_name = ''; if ( - ( $opac_limit_override && $opac_search_limit && $opac_search_limit =~ /branch:(\w+)/ ) || - ( $in->{'query'}->param('limit') && $in->{'query'}->param('limit') =~ /branch:(\w+)/ ) || + ( $opac_limit_override && $opac_search_limit && $opac_search_limit =~ /branch:([\w-]+)/ ) || + ( $in->{'query'}->param('limit') && $in->{'query'}->param('limit') =~ /branch:([\w-]+)/ ) || ( $in->{'query'}->param('multibranchlimit') && $in->{'query'}->param('multibranchlimit') =~ /multibranchlimit-(\w+)/ ) ) { $opac_name = $1; # opac_search_limit is a branch, so we use it. @@ -513,11 +546,11 @@ sub get_template_and_user { $opac_name = C4::Context->userenv->{'branch'}; } - my $search_groups = Koha::Library::Groups->get_search_groups(); + my @search_groups = Koha::Library::Groups->get_search_groups({ interface => 'opac' }); $template->param( OpacAdditionalStylesheet => C4::Context->preference("OpacAdditionalStylesheet"), AnonSuggestions => "" . C4::Context->preference("AnonSuggestions"), - LibrarySearchGroups => $search_groups, + LibrarySearchGroups => \@search_groups, opac_name => $opac_name, LibraryName => "" . C4::Context->preference("LibraryName"), LibraryNameTitle => "" . $LibraryNameTitle, @@ -546,7 +579,6 @@ sub get_template_and_user { OpacTopissue => C4::Context->preference("OpacTopissue"), RequestOnOpac => C4::Context->preference("RequestOnOpac"), 'Version' => C4::Context->preference('Version'), - KOHA_VERSION => C4::Context->preference('Version'), hidelostitems => C4::Context->preference("hidelostitems"), mylibraryfirst => ( C4::Context->preference("SearchMyLibraryFirst") && C4::Context->userenv ) ? C4::Context->userenv->{'branch'} : '', opaclayoutstylesheet => "" . C4::Context->preference("opaclayoutstylesheet"), @@ -749,6 +781,10 @@ sub checkauth { my $query = shift; $debug and warn "Checking Auth"; + # Get shibboleth login attribute + my $shib = C4::Context->config('useshibboleth') && shib_ok(); + my $shib_login = $shib ? get_login_shib() : undef; + # $authnotrequired will be set for scripts which will run without authentication my $authnotrequired = shift; my $flagsrequired = shift; @@ -768,12 +804,14 @@ sub checkauth { my $logout = $query->param('logout.x'); my $anon_search_history; - + my $cas_ticket = ''; # This parameter is the name of the CAS server we want to authenticate against, # when using authentication against multiple CAS servers, as configured in Auth_cas_servers.yaml my $casparam = $query->param('cas'); my $q_userid = $query->param('userid') // ''; + my $session; + # Basic authentication is incompatible with the use of Shibboleth, # as Shibboleth may return REMOTE_USER as a Shibboleth attribute, # and it may not be the attribute we want to use to match the koha login. @@ -799,7 +837,7 @@ sub checkauth { } elsif ( $sessionID = $query->cookie("CGISESSID") ) { # assignment, not comparison - my $session = get_session($sessionID); + $session = get_session($sessionID); C4::Context->_new_userenv($sessionID); my ( $ip, $lasttime, $sessiontype ); my $s_userid = ''; @@ -855,9 +893,7 @@ sub checkauth { } # If we are in a shibboleth session (shibboleth is enabled, a shibboleth match attribute is set and matches koha matchpoint) - if ( $shib and $shib_login and $shibSuccess and $type eq 'opac' ) { - - # (Note: $type eq 'opac' condition should be removed when shibboleth authentication for intranet will be implemented) + if ( $shib and $shib_login and $shibSuccess) { logout_shib($query); } } @@ -907,7 +943,6 @@ sub checkauth { } } unless ( $userid || $sessionID ) { - #we initiate a session prior to checking for a username to allow for anonymous sessions... my $session = get_session("") or die "Auth ERROR: Cannot get_session()"; @@ -918,7 +953,7 @@ sub checkauth { $session->param( 'search_history', $anon_search_history ); } - my $sessionID = $session->id; + $sessionID = $session->id; C4::Context->_new_userenv($sessionID); $cookie = $query->cookie( -name => 'CGISESSID', @@ -938,11 +973,10 @@ sub checkauth { { my $password = $query->param('password'); my $shibSuccess = 0; - my ( $return, $cardnumber ); # If shib is enabled and we have a shib login, does the login match a valid koha user - if ( $shib && $shib_login && $type eq 'opac' ) { + if ( $shib && $shib_login ) { my $retuserid; # Do not pass password here, else shib will not be checked in checkpw. @@ -956,7 +990,7 @@ sub checkauth { unless ($shibSuccess) { if ( $cas && $query->param('ticket') ) { my $retuserid; - ( $return, $cardnumber, $retuserid ) = + ( $return, $cardnumber, $retuserid, $cas_ticket ) = checkpw( $dbh, $userid, $password, $query, $type ); $userid = $retuserid; $info{'invalidCasLogin'} = 1 unless ($return); @@ -1016,17 +1050,15 @@ sub checkauth { } else { my $retuserid; - ( $return, $cardnumber, $retuserid ) = + ( $return, $cardnumber, $retuserid, $cas_ticket ) = checkpw( $dbh, $q_userid, $password, $query, $type ); $userid = $retuserid if ($retuserid); $info{'invalid_username_or_password'} = 1 unless ($return); } } - # $return: 1 = valid user, 2 = superlibrarian + # $return: 1 = valid user if ($return) { - # If DB user is logged in - $userid ||= $q_userid if $return == 2; #_session_log(sprintf "%20s from %16s logged in at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},(strftime '%c', localtime)); if ( $flags = haspermission( $userid, $flagsrequired ) ) { @@ -1126,22 +1158,7 @@ sub checkauth { $session->param( 'shibboleth', $shibSuccess ); $debug and printf STDERR "AUTH_4: (%s)\t%s %s - %s\n", map { $session->param($_) } qw(cardnumber firstname surname branch); } - elsif ( $return == 2 ) { - - #We suppose the user is the superlibrarian - $borrowernumber = 0; - $session->param( 'number', 0 ); - $session->param( 'id', C4::Context->config('user') ); - $session->param( 'cardnumber', C4::Context->config('user') ); - $session->param( 'firstname', C4::Context->config('user') ); - $session->param( 'surname', C4::Context->config('user') ); - $session->param( 'branch', 'NO_LIBRARY_SET' ); - $session->param( 'branchname', 'NO_LIBRARY_SET' ); - $session->param( 'flags', 1 ); - $session->param( 'emailaddress', C4::Context->preference('KohaAdminEmailAddress') ); - $session->param( 'ip', $session->remote_addr() ); - $session->param( 'lasttime', time() ); - } + $session->param('cas_ticket', $cas_ticket) if $cas_ticket; C4::Context->set_userenv( $session->param('number'), $session->param('id'), $session->param('cardnumber'), $session->param('firstname'), @@ -1190,11 +1207,7 @@ sub checkauth { ); } - if ( $userid ) { - # track_login also depends on pref TrackLastPatronActivity - my $patron = Koha::Patrons->find({ userid => $userid }); - $patron->track_login if $patron; - } + track_login_daily( $userid ); return ( $userid, $cookie, $sessionID, $flags ); } @@ -1209,8 +1222,8 @@ sub checkauth { my @inputs = (); foreach my $name ( param $query) { (next) if ( $name eq 'userid' || $name eq 'password' || $name eq 'ticket' ); - my $value = $query->param($name); - push @inputs, { name => $name, value => $value }; + my @value = $query->multi_param($name); + push @inputs, { name => $name, value => $_ } for @value; } my $patron = Koha::Patrons->find({ userid => $q_userid }); # Not necessary logged in! @@ -1264,10 +1277,11 @@ sub checkauth { PatronSelfRegistration => C4::Context->preference("PatronSelfRegistration"), PatronSelfRegistrationDefaultCategory => C4::Context->preference("PatronSelfRegistrationDefaultCategory"), opac_css_override => $ENV{'OPAC_CSS_OVERRIDE'}, - too_many_login_attempts => ( $patron and $patron->account_locked ), + too_many_login_attempts => ( $patron and $patron->account_locked ) ); $template->param( SCO_login => 1 ) if ( $query->param('sco_user_login') ); + $template->param( SCI_login => 1 ) if ( $query->param('sci_user_login') ); $template->param( OpacPublic => C4::Context->preference("OpacPublic") ); $template->param( loginprompt => 1 ) unless $info{'nopermission'}; @@ -1373,9 +1387,9 @@ Possible return values in C<$status> are: =cut sub check_api_auth { + my $query = shift; my $flagsrequired = shift; - my $dbh = C4::Context->dbh; my $timeout = _timeout_syspref(); @@ -1469,7 +1483,7 @@ sub check_api_auth { # new login my $userid = $query->param('userid'); my $password = $query->param('password'); - my ( $return, $cardnumber ); + my ( $return, $cardnumber, $cas_ticket ); # Proxy CAS auth if ( $cas && $query->param('PT') ) { @@ -1478,7 +1492,7 @@ sub check_api_auth { # In case of a CAS authentication, we use the ticket instead of the password my $PT = $query->param('PT'); - ( $return, $cardnumber, $userid ) = check_api_auth_cas( $dbh, $PT, $query ); # EXTERNAL AUTH + ( $return, $cardnumber, $userid, $cas_ticket ) = check_api_auth_cas( $dbh, $PT, $query ); # EXTERNAL AUTH } else { # User / password auth @@ -1487,7 +1501,8 @@ sub check_api_auth { # caller did something wrong, fail the authenticateion return ( "failed", undef, undef ); } - ( $return, $cardnumber ) = checkpw( $dbh, $userid, $password, $query ); + my $newuserid; + ( $return, $cardnumber, $newuserid, $cas_ticket ) = checkpw( $dbh, $userid, $password, $query ); } if ( $return and haspermission( $userid, $flagsrequired ) ) { @@ -1570,21 +1585,8 @@ sub check_api_auth { $session->param( 'emailaddress', $emailaddress ); $session->param( 'ip', $session->remote_addr() ); $session->param( 'lasttime', time() ); - } elsif ( $return == 2 ) { - - #We suppose the user is the superlibrarian - $session->param( 'number', 0 ); - $session->param( 'id', C4::Context->config('user') ); - $session->param( 'cardnumber', C4::Context->config('user') ); - $session->param( 'firstname', C4::Context->config('user') ); - $session->param( 'surname', C4::Context->config('user') ); - $session->param( 'branch', 'NO_LIBRARY_SET' ); - $session->param( 'branchname', 'NO_LIBRARY_SET' ); - $session->param( 'flags', 1 ); - $session->param( 'emailaddress', C4::Context->preference('KohaAdminEmailAddress') ); - $session->param( 'ip', $session->remote_addr() ); - $session->param( 'lasttime', time() ); } + $session->param( 'cas_ticket', $cas_ticket); C4::Context->set_userenv( $session->param('number'), $session->param('id'), $session->param('cardnumber'), $session->param('firstname'), @@ -1604,7 +1606,11 @@ sub check_api_auth { ($status, $sessionId) = check_api_auth($cookie, $userflags); Given a CGISESSID cookie set during a previous login to Koha, determine -if the user has the privileges specified by C<$userflags>. +if the user has the privileges specified by C<$userflags>. C<$userflags> +is passed unaltered into C and as such accepts all options +avaiable to that routine with the one caveat that C will +also allow 'undef' to be passed and in such a case the permissions check +will be skipped altogether. C is meant for authenticating special services such as tools/upload-file.pl that are invoked by other pages that @@ -1699,7 +1705,7 @@ sub check_cookie_auth { return ( "expired", undef ); } else { $session->param( 'lasttime', time() ); - my $flags = haspermission( $userid, $flagsrequired ); + my $flags = defined($flagsrequired) ? haspermission( $userid, $flagsrequired ) : 1; if ($flags) { return ( "ok", $sessionID ); } else { @@ -1731,28 +1737,32 @@ will be created. =cut -sub get_session { - my $sessionID = shift; +sub _get_session_params { my $storage_method = C4::Context->preference('SessionStorage'); - my $dbh = C4::Context->dbh; - my $session; if ( $storage_method eq 'mysql' ) { - $session = new CGI::Session( "driver:MySQL;serializer:yaml;id:md5", $sessionID, { Handle => $dbh } ); + my $dbh = C4::Context->dbh; + return { dsn => "driver:MySQL;serializer:yaml;id:md5", dsn_args => { Handle => $dbh } }; } elsif ( $storage_method eq 'Pg' ) { - $session = new CGI::Session( "driver:PostgreSQL;serializer:yaml;id:md5", $sessionID, { Handle => $dbh } ); + my $dbh = C4::Context->dbh; + return { dsn => "driver:PostgreSQL;serializer:yaml;id:md5", dsn_args => { Handle => $dbh } }; } elsif ( $storage_method eq 'memcached' && Koha::Caches->get_instance->memcached_cache ) { my $memcached = Koha::Caches->get_instance()->memcached_cache; - $session = new CGI::Session( "driver:memcached;serializer:yaml;id:md5", $sessionID, { Memcached => $memcached } ); + return { dsn => "driver:memcached;serializer:yaml;id:md5", dsn_args => { Memcached => $memcached } }; } else { # catch all defaults to tmp should work on all systems - my $dir = File::Spec->tmpdir; + my $dir = C4::Context::temporary_directory; my $instance = C4::Context->config( 'database' ); #actually for packages not exactly the instance name, but generally safer to leave it as it is - $session = new CGI::Session( "driver:File;serializer:yaml;id:md5", $sessionID, { Directory => "$dir/cgisess_$instance" } ); + return { dsn => "driver:File;serializer:yaml;id:md5", dsn_args => { Directory => "$dir/cgisess_$instance" } }; } - return $session; +} + +sub get_session { + my $sessionID = shift; + my $params = _get_session_params(); + return new CGI::Session( $params->{dsn}, $sessionID, $params->{dsn_args} ); } @@ -1764,6 +1774,10 @@ sub checkpw { my ( $dbh, $userid, $password, $query, $type, $no_set_userenv ) = @_; $type = 'opac' unless $type; + # Get shibboleth login attribute + my $shib = C4::Context->config('useshibboleth') && shib_ok(); + my $shib_login = $shib ? get_login_shib() : undef; + my @return; my $patron = Koha::Patrons->find({ userid => $userid }); my $check_internal_as_fallback = 0; @@ -1772,11 +1786,10 @@ sub checkpw { # 1 if auth is ok # 0 if auth is nok # -1 if user bind failed (LDAP only) - # 2 if DB user is used (internal only) if ( $patron and $patron->account_locked ) { # Nothing to check, account is locked - } elsif ($ldap) { + } elsif ($ldap && defined($password)) { $debug and print STDERR "## checkpw - checking LDAP\n"; my ( $retval, $retcard, $retuserid ) = checkpw_ldap(@_); # EXTERNAL AUTH if ( $retval == 1 ) { @@ -1791,9 +1804,11 @@ sub checkpw { # In case of a CAS authentication, we use the ticket instead of the password my $ticket = $query->param('ticket'); $query->delete('ticket'); # remove ticket to come back to original URL - my ( $retval, $retcard, $retuserid ) = checkpw_cas( $dbh, $ticket, $query, $type ); # EXTERNAL AUTH + my ( $retval, $retcard, $retuserid, $cas_ticket ) = checkpw_cas( $dbh, $ticket, $query, $type ); # EXTERNAL AUTH if ( $retval ) { - @return = ( $retval, $retcard, $retuserid ); + @return = ( $retval, $retcard, $retuserid, $cas_ticket ); + } else { + @return = (0); } $passwd_ok = $retval; } @@ -1843,18 +1858,6 @@ sub checkpw_internal { $password = Encode::encode( 'UTF-8', $password ) if Encode::is_utf8($password); - if ( $userid && $userid eq C4::Context->config('user') ) { - if ( $password && $password eq C4::Context->config('pass') ) { - - # Koha superuser account - # C4::Context->set_userenv(0,0,C4::Context->config('user'),C4::Context->config('user'),C4::Context->config('user'),"",1); - return 2; - } - else { - return 0; - } - } - my $sth = $dbh->prepare( "select password,cardnumber,borrowernumber,userid,firstname,surname,borrowers.branchcode,branches.branchname,flags from borrowers join branches on borrowers.branchcode=branches.branchcode where userid=?" @@ -2025,45 +2028,74 @@ sub get_all_subpermissions { =head2 haspermission + $flagsrequired = '*'; # Any permission at all + $flagsrequired = 'a_flag'; # a_flag must be satisfied (all subpermissions) + $flagsrequired = [ 'a_flag', 'b_flag' ]; # a_flag OR b_flag must be satisfied + $flagsrequired = { 'a_flag => 1, 'b_flag' => 1 }; # a_flag AND b_flag must be satisfied + $flagsrequired = { 'a_flag' => 'sub_a' }; # sub_a of a_flag must be satisfied + $flagsrequired = { 'a_flag' => [ 'sub_a, 'sub_b' ] }; # sub_a OR sub_b of a_flag must be satisfied + $flags = ($userid, $flagsrequired); C<$userid> the userid of the member -C<$flags> is a hashref of required flags like C<$borrower-<{authflags}> +C<$flags> is a query structure similar to that used by SQL::Abstract that +denotes the combination of flags required. It is a required parameter. + +The main logic of this method is that things in arrays are OR'ed, and things +in hashes are AND'ed. The `*` character can be used, at any depth, to denote `ANY` Returns member's flags or 0 if a permission is not met. =cut +sub _dispatch { + my ($required, $flags) = @_; + + my $ref = ref($required); + if ($ref eq '') { + if ($required eq '*') { + return 0 unless ( $flags or ref( $flags ) ); + } else { + return 0 unless ( $flags and (!ref( $flags ) || $flags->{$required} )); + } + } elsif ($ref eq 'HASH') { + foreach my $key (keys %{$required}) { + my $require = $required->{$key}; + my $rflags = $flags->{$key}; + return 0 unless _dispatch($require, $rflags); + } + } elsif ($ref eq 'ARRAY') { + my $satisfied = 0; + foreach my $require ( @{$required} ) { + my $rflags = + ( ref($flags) && !ref($require) && ( $require ne '*' ) ) + ? $flags->{$require} + : $flags; + $satisfied++ if _dispatch( $require, $rflags ); + } + return 0 unless $satisfied; + } else { + croak "Unexpected structure found: $ref"; + } + + return $flags; +}; + sub haspermission { my ( $userid, $flagsrequired ) = @_; + + + #Koha::Exceptions::WrongParameter->throw('$flagsrequired should not be undef') + # unless defined($flagsrequired); + my $sth = C4::Context->dbh->prepare("SELECT flags FROM borrowers WHERE userid=?"); $sth->execute($userid); my $row = $sth->fetchrow(); my $flags = getuserflags( $row, $userid ); - if ( $userid eq C4::Context->config('user') ) { - - # Super User Account from /etc/koha.conf - $flags->{'superlibrarian'} = 1; - } + return $flags unless defined($flagsrequired); return $flags if $flags->{superlibrarian}; - - foreach my $module ( keys %$flagsrequired ) { - my $subperm = $flagsrequired->{$module}; - if ( $subperm eq '*' ) { - return 0 unless ( $flags->{$module} == 1 or ref( $flags->{$module} ) ); - } else { - return 0 unless ( - ( defined $flags->{$module} and - $flags->{$module} == 1 ) - or - ( ref( $flags->{$module} ) and - exists $flags->{$module}->{$subperm} and - $flags->{$module}->{$subperm} == 1 ) - ); - } - } - return $flags; + return _dispatch($flagsrequired, $flags); #FIXME - This fcn should return the failed permission so a suitable error msg can be delivered. } @@ -2087,6 +2119,30 @@ sub getborrowernumber { return 0; } +=head2 track_login_daily + + track_login_daily( $userid ); + +Wraps the call to $patron->track_login, the method used to update borrowers.lastseen. We only call track_login once a day. + +=cut + +sub track_login_daily { + my $userid = shift; + return if !$userid || !C4::Context->preference('TrackLastPatronActivity'); + + my $cache = Koha::Caches->get_instance(); + my $cache_key = "track_login_" . $userid; + my $cached = $cache->get_from_cache($cache_key); + my $today = dt_from_string()->ymd; + return if $cached && $cached eq $today; + + my $patron = Koha::Patrons->find({ userid => $userid }); + return unless $patron; + $patron->track_login; + $cache->set_in_cache( $cache_key, $today ); +} + END { } # module clean-up code here (global destructor) 1; __END__