X-Git-Url: http://git.rot13.org/?a=blobdiff_plain;f=C4%2FAuth.pm;h=c3ba5baad25204060488fabf353e80ce28c5dbe2;hb=refs%2Fheads%2Fkoha_ffzg;hp=f0822a61a6528742b1259eb31200d80e7d0d1fe1;hpb=19a977dc7b779173c4a3e96b6b06dc35db663601;p=koha.git diff --git a/C4/Auth.pm b/C4/Auth.pm index f0822a61a6..c3ba5baad2 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -19,8 +19,9 @@ package C4::Auth; use strict; use warnings; +use Carp qw/croak/; + use Digest::MD5 qw(md5_base64); -use File::Spec; use JSON qw/encode_json/; use URI::Escape; use CGI::Session; @@ -29,20 +30,23 @@ require Exporter; use C4::Context; use C4::Templates; # to get the template use C4::Languages; -use C4::Branch; # GetBranches use C4::Search::History; use Koha; use Koha::Caches; use Koha::AuthUtils qw(get_script_name hash_password); +use Koha::Checkouts; +use Koha::DateUtils qw(dt_from_string); +use Koha::Library::Groups; use Koha::Libraries; -use Koha::LibraryCategories; -use Koha::Libraries; +use Koha::Patrons; +use Koha::Patron::Consents; use POSIX qw/strftime/; use List::MoreUtils qw/ any /; use Encode qw( encode is_utf8); +use C4::Auth_with_shibboleth; # use utf8; -use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas $caslogout $shib $shib_login); +use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas $caslogout); BEGIN { sub psgi_env { any { /^psgi\./ } keys %ENV } @@ -56,12 +60,11 @@ BEGIN { @ISA = qw(Exporter); @EXPORT = qw(&checkauth &get_template_and_user &haspermission &get_user_subpermissions); @EXPORT_OK = qw(&check_api_auth &get_session &check_cookie_auth &checkpw &checkpw_internal &checkpw_hash - &get_all_subpermissions &get_user_subpermissions + &get_all_subpermissions &get_user_subpermissions track_login_daily ); %EXPORT_TAGS = ( EditPermissions => [qw(get_all_subpermissions get_user_subpermissions)] ); $ldap = C4::Context->config('useldapserver') || 0; $cas = C4::Context->preference('casAuthentication'); - $shib = C4::Context->config('useshibboleth') || 0; $caslogout = C4::Context->preference('casLogout'); require C4::Auth_with_cas; # no import @@ -69,25 +72,8 @@ BEGIN { require C4::Auth_with_ldap; import C4::Auth_with_ldap qw(checkpw_ldap); } - if ($shib) { - require C4::Auth_with_shibboleth; - import C4::Auth_with_shibboleth - qw(shib_ok checkpw_shib logout_shib login_shib_url get_login_shib); - - # Check for good config - if ( shib_ok() ) { - - # Get shibboleth login attribute - $shib_login = get_login_shib(); - } - - # Bad config, disable shibboleth - else { - $shib = 0; - } - } if ($cas) { - import C4::Auth_with_cas qw(check_api_auth_cas checkpw_cas login_cas logout_cas login_cas_url); + import C4::Auth_with_cas qw(check_api_auth_cas checkpw_cas login_cas logout_cas login_cas_url logout_if_required); } } @@ -145,7 +131,7 @@ See C<&checkauth> for an explanation of these parameters. The C is then used to find the correct template for the page. The authenticated users details are loaded onto the -template in the HTML::Template LOOP variable C. Also the +template in the logged_in_user variable (which is a Koha::Patron object). Also the C is passed to the template. This can be used in templates if cookies are disabled. It needs to be put as and input to every authenticated page. @@ -160,17 +146,19 @@ sub get_template_and_user { my $in = shift; my ( $user, $cookie, $sessionID, $flags ); - C4::Context->interface( $in->{type} ); + # Get shibboleth login attribute + my $shib = C4::Context->config('useshibboleth') && shib_ok(); + my $shib_login = $shib ? get_login_shib() : undef; - my $safe_chars = 'a-zA-Z0-9_\-\/'; - die "bad template path" unless $in->{'template_name'} =~ m/^[$safe_chars]+\.tt$/ig; #sanitize input + C4::Context->interface( $in->{type} ); $in->{'authnotrequired'} ||= 0; + + # the following call includes a bad template check; might croak my $template = C4::Templates::gettemplate( $in->{'template_name'}, $in->{'type'}, $in->{'query'}, - $in->{'is_plugin'} ); if ( $in->{'template_name'} !~ m/maintenance/ ) { @@ -182,12 +170,56 @@ sub get_template_and_user { ); } + # If we enforce GDPR and the user did not consent, redirect + if( $in->{type} eq 'opac' && $user && + $in->{'template_name'} !~ /opac-patron-consent/ && + C4::Context->preference('GDPR_Policy') eq 'Enforced' ) + { + my $consent = Koha::Patron::Consents->search({ + borrowernumber => getborrowernumber($user), + type => 'GDPR_PROCESSING', + given_on => { '!=', undef }, + })->next; + if( !$consent ) { + print $in->{query}->redirect(-uri => '/cgi-bin/koha/opac-patron-consent.pl', -cookie => $cookie); + safe_exit; + } + } + + if ( $in->{type} eq 'opac' && $user ) { + my $kick_out; - # If the user logged in is the SCO user and he tries to go out the SCO module, log the user out removing the CGISESSID cookie - if ( $in->{type} eq 'opac' and $in->{template_name} !~ m|sco/| ) { - if ( C4::Context->preference('AutoSelfCheckID') && $user eq C4::Context->preference('AutoSelfCheckID') ) { - $template = C4::Templates::gettemplate( 'opac-auth.tt', 'opac', $in->{query} ); - my $cookie = $in->{query}->cookie( + if ( +# If the user logged in is the SCO user and they try to go out of the SCO module, +# log the user out removing the CGISESSID cookie + $in->{template_name} !~ m|sco/| + && C4::Context->preference('AutoSelfCheckID') + && $user eq C4::Context->preference('AutoSelfCheckID') + ) + { + $kick_out = 1; + } + elsif ( +# If the user logged in is the SCI user and they try to go out of the SCI module, +# kick them out unless it is SCO with a valid permission +# or they are a superlibrarian + $in->{template_name} !~ m|sci/| + && haspermission( $user, { self_check => 'self_checkin_module' } ) + && !( + $in->{template_name} =~ m|sco/| && haspermission( + $user, { self_check => 'self_checkout_module' } + ) + ) + && $flags && $flags->{superlibrarian} != 1 + ) + { + $kick_out = 1; + } + + if ($kick_out) { + $template = C4::Templates::gettemplate( 'opac-auth.tt', 'opac', + $in->{query} ); + $cookie = $in->{query}->cookie( -name => 'CGISESSID', -value => '', -expires => '', @@ -198,43 +230,46 @@ sub get_template_and_user { loginprompt => 1, script_name => get_script_name(), ); + print $in->{query}->header( - { type => 'text/html', + { + type => 'text/html', charset => 'utf-8', cookie => $cookie, 'X-Frame-Options' => 'SAMEORIGIN' } ), - $template->output; + $template->output; safe_exit; } } my $borrowernumber; if ($user) { - require C4::Members; # It's possible for $user to be the borrowernumber if they don't have a # userid defined (and are logging in through some other method, such # as SSL certs against an email address) - my $borrower; + my $patron; $borrowernumber = getborrowernumber($user) if defined($user); if ( !defined($borrowernumber) && defined($user) ) { - $borrower = C4::Members::GetMember( borrowernumber => $user ); - if ($borrower) { + $patron = Koha::Patrons->find( $user ); + if ($patron) { $borrowernumber = $user; # A bit of a hack, but I don't know there's a nicer way # to do it. - $user = $borrower->{firstname} . ' ' . $borrower->{surname}; + $user = $patron->firstname . ' ' . $patron->surname; } } else { - $borrower = C4::Members::GetMember( borrowernumber => $borrowernumber ); + $patron = Koha::Patrons->find( $borrowernumber ); + # FIXME What to do if $patron does not exist? } # user info - $template->param( loggedinusername => $user ); - $template->param( loggedinusernumber => $borrowernumber ); + $template->param( loggedinusername => $user ); # OBSOLETE - Do not reuse this in template, use logged_in_user.userid instead + $template->param( loggedinusernumber => $borrowernumber ); # FIXME Should be replaced with logged_in_user.borrowernumber + $template->param( logged_in_user => $patron ); $template->param( sessionID => $sessionID ); if ( $in->{'type'} eq 'opac' ) { @@ -256,12 +291,10 @@ sub get_template_and_user { ); } - $template->param( "USER_INFO" => $borrower ); - my $all_perms = get_all_subpermissions(); my @flagroots = qw(circulate catalogue parameters borrowers permissions reserveforothers borrow - editcatalogue updatecharges management tools editauthorities serials reports acquisition); + editcatalogue updatecharges tools editauthorities serials reports acquisition clubs); # We are going to use the $flags returned by checkauth # to create the template's parameters that will indicate @@ -276,7 +309,6 @@ sub get_template_and_user { $template->param( CAN_user_editcatalogue => 1 ); $template->param( CAN_user_updatecharges => 1 ); $template->param( CAN_user_acquisition => 1 ); - $template->param( CAN_user_management => 1 ); $template->param( CAN_user_tools => 1 ); $template->param( CAN_user_editauthorities => 1 ); $template->param( CAN_user_serials => 1 ); @@ -284,8 +316,11 @@ sub get_template_and_user { $template->param( CAN_user_staffaccess => 1 ); $template->param( CAN_user_plugins => 1 ); $template->param( CAN_user_coursereserves => 1 ); - foreach my $module ( keys %$all_perms ) { + $template->param( CAN_user_clubs => 1 ); + $template->param( CAN_user_ill => 1 ); + $template->param( CAN_user_stockrotation => 1 ); + foreach my $module ( keys %$all_perms ) { foreach my $subperm ( keys %{ $all_perms->{$module} } ) { $template->param( "CAN_user_${module}_${subperm}" => 1 ); } @@ -310,9 +345,6 @@ sub get_template_and_user { foreach my $module ( keys %$flags ) { if ( $flags->{$module} == 1 or ref( $flags->{$module} ) ) { $template->param( "CAN_user_$module" => 1 ); - if ( $module eq "parameters" ) { - $template->param( CAN_user_management => 1 ); - } } } } @@ -331,31 +363,33 @@ sub get_template_and_user { # We show the link in opac $template->param( EnableOpacSearchHistory => 1 ); } + if (C4::Context->preference('LoadSearchHistoryToTheFirstLoggedUser')) + { + # And if there are searches performed when the user was not logged in, + # we add them to the logged-in search history + my @recentSearches = C4::Search::History::get_from_session( { cgi => $in->{'query'} } ); + if (@recentSearches) { + my $dbh = C4::Context->dbh; + my $query = q{ + INSERT INTO search_history(userid, sessionid, query_desc, query_cgi, type, total, time ) + VALUES (?, ?, ?, ?, ?, ?, ?) + }; + my $sth = $dbh->prepare($query); + $sth->execute( $borrowernumber, + $in->{query}->cookie("CGISESSID"), + $_->{query_desc}, + $_->{query_cgi}, + $_->{type} || 'biblio', + $_->{total}, + $_->{time}, + ) foreach @recentSearches; + + # clear out the search history from the session now that + # we've saved it to the database + } + } + C4::Search::History::set_to_session( { cgi => $in->{'query'}, search_history => [] } ); - # And if there are searches performed when the user was not logged in, - # we add them to the logged-in search history - my @recentSearches = C4::Search::History::get_from_session( { cgi => $in->{'query'} } ); - if (@recentSearches) { - my $dbh = C4::Context->dbh; - my $query = q{ - INSERT INTO search_history(userid, sessionid, query_desc, query_cgi, type, total, time ) - VALUES (?, ?, ?, ?, ?, ?, ?) - }; - - my $sth = $dbh->prepare($query); - $sth->execute( $borrowernumber, - $in->{query}->cookie("CGISESSID"), - $_->{query_desc}, - $_->{query_cgi}, - $_->{type} || 'biblio', - $_->{total}, - $_->{time}, - ) foreach @recentSearches; - - # clear out the search history from the session now that - # we've saved it to the database - C4::Search::History::set_to_session( { cgi => $in->{'query'}, search_history => [] } ); - } } elsif ( $in->{type} eq 'intranet' and C4::Context->preference('EnableSearchHistory') ) { $template->param( EnableSearchHistory => 1 ); } @@ -414,6 +448,8 @@ sub get_template_and_user { my $https = $in->{query}->https(); my $using_https = ( defined $https and $https ne 'OFF' ) ? 1 : 0; + my $minPasswordLength = C4::Context->preference('minPasswordLength'); + $minPasswordLength = 3 if not $minPasswordLength or $minPasswordLength < 3; $template->param( "BiblioDefaultView" . C4::Context->preference("BiblioDefaultView") => 1, EnhancedMessagingPreferences => C4::Context->preference('EnhancedMessagingPreferences'), @@ -424,7 +460,6 @@ sub get_template_and_user { LoginFirstname => ( C4::Context->userenv ? C4::Context->userenv->{"firstname"} : "Bel" ), LoginSurname => C4::Context->userenv ? C4::Context->userenv->{"surname"} : "Inconnu", emailaddress => C4::Context->userenv ? C4::Context->userenv->{"emailaddress"} : undef, - loggedinpersona => C4::Context->userenv ? C4::Context->userenv->{"persona"} : undef, TagsEnabled => C4::Context->preference("TagsEnabled"), hide_marc => C4::Context->preference("hide_marc"), item_level_itypes => C4::Context->preference('item-level_itypes'), @@ -435,8 +470,8 @@ sub get_template_and_user { using_https => $using_https, noItemTypeImages => C4::Context->preference("noItemTypeImages"), marcflavour => C4::Context->preference("marcflavour"), - persona => C4::Context->preference("persona"), OPACBaseURL => C4::Context->preference('OPACBaseURL'), + minPasswordLength => $minPasswordLength, ); if ( $in->{'type'} eq "intranet" ) { $template->param( @@ -470,6 +505,7 @@ sub get_template_and_user { UseKohaPlugins => C4::Context->preference('UseKohaPlugins'), UseCourseReserves => C4::Context->preference("UseCourseReserves"), useDischarge => C4::Context->preference('useDischarge'), + pending_checkout_notes => scalar Koha::Checkouts->search({ noteseen => 0 }), ); } else { @@ -499,8 +535,8 @@ sub get_template_and_user { my $opac_limit_override = $ENV{'OPAC_LIMIT_OVERRIDE'}; my $opac_name = ''; if ( - ( $opac_limit_override && $opac_search_limit && $opac_search_limit =~ /branch:(\w+)/ ) || - ( $in->{'query'}->param('limit') && $in->{'query'}->param('limit') =~ /branch:(\w+)/ ) || + ( $opac_limit_override && $opac_search_limit && $opac_search_limit =~ /branch:([\w-]+)/ ) || + ( $in->{'query'}->param('limit') && $in->{'query'}->param('limit') =~ /branch:([\w-]+)/ ) || ( $in->{'query'}->param('multibranchlimit') && $in->{'query'}->param('multibranchlimit') =~ /multibranchlimit-(\w+)/ ) ) { $opac_name = $1; # opac_search_limit is a branch, so we use it. @@ -510,12 +546,11 @@ sub get_template_and_user { $opac_name = C4::Context->userenv->{'branch'}; } - my $library_categories = Koha::LibraryCategories->search({categorytype => 'searchdomain', show_in_pulldown => 1}, { order_by => ['categorytype', 'categorycode']}); + my @search_groups = Koha::Library::Groups->get_search_groups({ interface => 'opac' }); $template->param( OpacAdditionalStylesheet => C4::Context->preference("OpacAdditionalStylesheet"), AnonSuggestions => "" . C4::Context->preference("AnonSuggestions"), - BranchesLoop => GetBranchesLoop($opac_name), - BranchCategoriesLoop => $library_categories, + LibrarySearchGroups => \@search_groups, opac_name => $opac_name, LibraryName => "" . C4::Context->preference("LibraryName"), LibraryNameTitle => "" . $LibraryNameTitle, @@ -746,11 +781,15 @@ sub checkauth { my $query = shift; $debug and warn "Checking Auth"; + # Get shibboleth login attribute + my $shib = C4::Context->config('useshibboleth') && shib_ok(); + my $shib_login = $shib ? get_login_shib() : undef; + # $authnotrequired will be set for scripts which will run without authentication my $authnotrequired = shift; my $flagsrequired = shift; my $type = shift; - my $persona = shift; + my $emailaddress = shift; $type = 'opac' unless $type; my $dbh = C4::Context->dbh; @@ -765,12 +804,14 @@ sub checkauth { my $logout = $query->param('logout.x'); my $anon_search_history; - + my $cas_ticket = ''; # This parameter is the name of the CAS server we want to authenticate against, # when using authentication against multiple CAS servers, as configured in Auth_cas_servers.yaml my $casparam = $query->param('cas'); my $q_userid = $query->param('userid') // ''; + my $session; + # Basic authentication is incompatible with the use of Shibboleth, # as Shibboleth may return REMOTE_USER as a Shibboleth attribute, # and it may not be the attribute we want to use to match the koha login. @@ -791,13 +832,12 @@ sub checkauth { ); $loggedin = 1; } - elsif ($persona) { - - # we don't want to set a session because we are being called by a persona callback + elsif ( $emailaddress) { + # the Google OpenID Connect passes an email address } elsif ( $sessionID = $query->cookie("CGISESSID") ) { # assignment, not comparison - my $session = get_session($sessionID); + $session = get_session($sessionID); C4::Context->_new_userenv($sessionID); my ( $ip, $lasttime, $sessiontype ); my $s_userid = ''; @@ -809,7 +849,7 @@ sub checkauth { $session->param('surname'), $session->param('branch'), $session->param('branchname'), $session->param('flags'), $session->param('emailaddress'), $session->param('branchprinter'), - $session->param('persona'), $session->param('shibboleth') + $session->param('shibboleth') ); C4::Context::set_shelves_userenv( 'bar', $session->param('barshelves') ); C4::Context::set_shelves_userenv( 'pub', $session->param('pubshelves') ); @@ -853,9 +893,7 @@ sub checkauth { } # If we are in a shibboleth session (shibboleth is enabled, a shibboleth match attribute is set and matches koha matchpoint) - if ( $shib and $shib_login and $shibSuccess and $type eq 'opac' ) { - - # (Note: $type eq 'opac' condition should be removed when shibboleth authentication for intranet will be implemented) + if ( $shib and $shib_login and $shibSuccess) { logout_shib($query); } } @@ -905,7 +943,6 @@ sub checkauth { } } unless ( $userid || $sessionID ) { - #we initiate a session prior to checking for a username to allow for anonymous sessions... my $session = get_session("") or die "Auth ERROR: Cannot get_session()"; @@ -916,36 +953,34 @@ sub checkauth { $session->param( 'search_history', $anon_search_history ); } - my $sessionID = $session->id; + $sessionID = $session->id; C4::Context->_new_userenv($sessionID); $cookie = $query->cookie( -name => 'CGISESSID', -value => $session->id, -HttpOnly => 1 ); - $userid = $q_userid; my $pki_field = C4::Context->preference('AllowPKIAuth'); if ( !defined($pki_field) ) { print STDERR "ERROR: Missing system preference AllowPKIAuth.\n"; $pki_field = 'None'; } if ( ( $cas && $query->param('ticket') ) - || $userid + || $q_userid || ( $shib && $shib_login ) || $pki_field ne 'None' - || $persona ) + || $emailaddress ) { my $password = $query->param('password'); my $shibSuccess = 0; - my ( $return, $cardnumber ); # If shib is enabled and we have a shib login, does the login match a valid koha user - if ( $shib && $shib_login && $type eq 'opac' ) { + if ( $shib && $shib_login ) { my $retuserid; # Do not pass password here, else shib will not be checked in checkpw. - ( $return, $cardnumber, $retuserid ) = checkpw( $dbh, $userid, undef, $query ); + ( $return, $cardnumber, $retuserid ) = checkpw( $dbh, $q_userid, undef, $query ); $userid = $retuserid; $shibSuccess = $return; $info{'invalidShibLogin'} = 1 unless ($return); @@ -955,27 +990,26 @@ sub checkauth { unless ($shibSuccess) { if ( $cas && $query->param('ticket') ) { my $retuserid; - ( $return, $cardnumber, $retuserid ) = + ( $return, $cardnumber, $retuserid, $cas_ticket ) = checkpw( $dbh, $userid, $password, $query, $type ); $userid = $retuserid; $info{'invalidCasLogin'} = 1 unless ($return); } - elsif ($persona) { - my $value = $persona; + elsif ( $emailaddress ) { + my $value = $emailaddress; # If we're looking up the email, there's a chance that the person # doesn't have a userid. So if there is none, we pass along the # borrower number, and the bits of code that need to know the user # ID will have to be smart enough to handle that. - require C4::Members; - my @users_info = C4::Members::GetBorrowersWithEmail($value); - if (@users_info) { + my $patrons = Koha::Patrons->search({ email => $value }); + if ($patrons->count) { # First the userid, then the borrowernum - $value = $users_info[0][1] || $users_info[0][0]; - } - else { + my $patron = $patrons->next; + $value = $patron->userid || $patron->borrowernumber; + } else { undef $value; } $return = $value ? 1 : 0; @@ -999,12 +1033,12 @@ sub checkauth { # doesn't have a userid. So if there is none, we pass along the # borrower number, and the bits of code that need to know the user # ID will have to be smart enough to handle that. - require C4::Members; - my @users_info = C4::Members::GetBorrowersWithEmail($value); - if (@users_info) { + my $patrons = Koha::Patrons->search({ email => $value }); + if ($patrons->count) { # First the userid, then the borrowernum - $value = $users_info[0][1] || $users_info[0][0]; + my $patron = $patrons->next; + $value = $patron->userid || $patron->borrowernumber; } else { undef $value; } @@ -1016,14 +1050,14 @@ sub checkauth { } else { my $retuserid; - ( $return, $cardnumber, $retuserid ) = - checkpw( $dbh, $userid, $password, $query, $type ); + ( $return, $cardnumber, $retuserid, $cas_ticket ) = + checkpw( $dbh, $q_userid, $password, $query, $type ); $userid = $retuserid if ($retuserid); $info{'invalid_username_or_password'} = 1 unless ($return); } } - # $return: 1 = valid user, 2 = superlibrarian + # $return: 1 = valid user if ($return) { #_session_log(sprintf "%20s from %16s logged in at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},(strftime '%c', localtime)); @@ -1078,20 +1112,26 @@ sub checkauth { # if they specify at login, use that if ( $query->param('branch') ) { $branchcode = $query->param('branch'); - $branchname = Koha::Libraries->find($branchcode)->branchname; + my $library = Koha::Libraries->find($branchcode); + $branchname = $library? $library->branchname: ''; } - my $branches = GetBranches(); - if ( C4::Context->boolean_preference('IndependentBranches') && C4::Context->boolean_preference('Autolocation') ) { + my $branches = { map { $_->branchcode => $_->unblessed } Koha::Libraries->search }; + if ( $type ne 'opac' and C4::Context->boolean_preference('AutoLocation') ) { # we have to check they are coming from the right ip range my $domain = $branches->{$branchcode}->{'branchip'}; + $domain =~ s|\.\*||g; if ( $ip !~ /^$domain/ ) { $loggedin = 0; + $cookie = $query->cookie( + -name => 'CGISESSID', + -value => '', + -HttpOnly => 1 + ); $info{'wrongip'} = 1; } } - my @branchesloop; foreach my $br ( keys %$branches ) { # now we work with the treatment of ip @@ -1118,32 +1158,14 @@ sub checkauth { $session->param( 'shibboleth', $shibSuccess ); $debug and printf STDERR "AUTH_4: (%s)\t%s %s - %s\n", map { $session->param($_) } qw(cardnumber firstname surname branch); } - elsif ( $return == 2 ) { - - #We suppose the user is the superlibrarian - $borrowernumber = 0; - $session->param( 'number', 0 ); - $session->param( 'id', C4::Context->config('user') ); - $session->param( 'cardnumber', C4::Context->config('user') ); - $session->param( 'firstname', C4::Context->config('user') ); - $session->param( 'surname', C4::Context->config('user') ); - $session->param( 'branch', 'NO_LIBRARY_SET' ); - $session->param( 'branchname', 'NO_LIBRARY_SET' ); - $session->param( 'flags', 1 ); - $session->param( 'emailaddress', C4::Context->preference('KohaAdminEmailAddress') ); - $session->param( 'ip', $session->remote_addr() ); - $session->param( 'lasttime', time() ); - } - if ($persona) { - $session->param( 'persona', 1 ); - } + $session->param('cas_ticket', $cas_ticket) if $cas_ticket; C4::Context->set_userenv( $session->param('number'), $session->param('id'), $session->param('cardnumber'), $session->param('firstname'), $session->param('surname'), $session->param('branch'), $session->param('branchname'), $session->param('flags'), $session->param('emailaddress'), $session->param('branchprinter'), - $session->param('persona'), $session->param('shibboleth') + $session->param('shibboleth') ); } @@ -1159,7 +1181,7 @@ sub checkauth { $session->param( 'ip', $session->remote_addr() ); $session->param( 'sessiontype', 'anon' ); } - } # END if ( $userid = $query->param('userid') ) + } # END if ( $q_userid elsif ( $type eq "opac" ) { # if we are here this is an anonymous session; add public lists to it and a few other items... @@ -1184,6 +1206,9 @@ sub checkauth { -HttpOnly => 1 ); } + + track_login_daily( $userid ); + return ( $userid, $cookie, $sessionID, $flags ); } @@ -1197,10 +1222,12 @@ sub checkauth { my @inputs = (); foreach my $name ( param $query) { (next) if ( $name eq 'userid' || $name eq 'password' || $name eq 'ticket' ); - my $value = $query->param($name); - push @inputs, { name => $name, value => $value }; + my @value = $query->multi_param($name); + push @inputs, { name => $name, value => $_ } for @value; } + my $patron = Koha::Patrons->find({ userid => $q_userid }); # Not necessary logged in! + my $LibraryNameTitle = C4::Context->preference("LibraryName"); $LibraryNameTitle =~ s/<(?:\/?)(?:br|p)\s*(?:\/?)>/ /sgi; $LibraryNameTitle =~ s/<(?:[^<>'"]|'(?:[^']*)'|"(?:[^"]*)")*>//sg; @@ -1208,7 +1235,6 @@ sub checkauth { my $template_name = ( $type eq 'opac' ) ? 'opac-auth.tt' : 'auth.tt'; my $template = C4::Templates::gettemplate( $template_name, $type, $query ); $template->param( - branchloop => GetBranchesLoop(), OpacAdditionalStylesheet => C4::Context->preference("OpacAdditionalStylesheet"), opaclayoutstylesheet => C4::Context->preference("opaclayoutstylesheet"), login => 1, @@ -1250,11 +1276,12 @@ sub checkauth { wrongip => $info{'wrongip'}, PatronSelfRegistration => C4::Context->preference("PatronSelfRegistration"), PatronSelfRegistrationDefaultCategory => C4::Context->preference("PatronSelfRegistrationDefaultCategory"), - persona => C4::Context->preference("Persona"), opac_css_override => $ENV{'OPAC_CSS_OVERRIDE'}, + too_many_login_attempts => ( $patron and $patron->account_locked ) ); $template->param( SCO_login => 1 ) if ( $query->param('sco_user_login') ); + $template->param( SCI_login => 1 ) if ( $query->param('sci_user_login') ); $template->param( OpacPublic => C4::Context->preference("OpacPublic") ); $template->param( loginprompt => 1 ) unless $info{'nopermission'}; @@ -1360,9 +1387,9 @@ Possible return values in C<$status> are: =cut sub check_api_auth { + my $query = shift; my $flagsrequired = shift; - my $dbh = C4::Context->dbh; my $timeout = _timeout_syspref(); @@ -1456,7 +1483,7 @@ sub check_api_auth { # new login my $userid = $query->param('userid'); my $password = $query->param('password'); - my ( $return, $cardnumber ); + my ( $return, $cardnumber, $cas_ticket ); # Proxy CAS auth if ( $cas && $query->param('PT') ) { @@ -1465,7 +1492,7 @@ sub check_api_auth { # In case of a CAS authentication, we use the ticket instead of the password my $PT = $query->param('PT'); - ( $return, $cardnumber, $userid ) = check_api_auth_cas( $dbh, $PT, $query ); # EXTERNAL AUTH + ( $return, $cardnumber, $userid, $cas_ticket ) = check_api_auth_cas( $dbh, $PT, $query ); # EXTERNAL AUTH } else { # User / password auth @@ -1474,7 +1501,8 @@ sub check_api_auth { # caller did something wrong, fail the authenticateion return ( "failed", undef, undef ); } - ( $return, $cardnumber ) = checkpw( $dbh, $userid, $password, $query ); + my $newuserid; + ( $return, $cardnumber, $newuserid, $cas_ticket ) = checkpw( $dbh, $userid, $password, $query ); } if ( $return and haspermission( $userid, $flagsrequired ) ) { @@ -1530,10 +1558,10 @@ sub check_api_auth { # if they specify at login, use that if ( $query->param('branch') ) { $branchcode = $query->param('branch'); - $branchname = Koha::Libraries->find($branchcode)->branchname; + my $library = Koha::Libraries->find($branchcode); + $branchname = $library? $library->branchname: ''; } - my $branches = GetBranches(); - my @branchesloop; + my $branches = { map { $_->branchcode => $_->unblessed } Koha::Libraries->search }; foreach my $br ( keys %$branches ) { # now we work with the treatment of ip @@ -1557,21 +1585,8 @@ sub check_api_auth { $session->param( 'emailaddress', $emailaddress ); $session->param( 'ip', $session->remote_addr() ); $session->param( 'lasttime', time() ); - } elsif ( $return == 2 ) { - - #We suppose the user is the superlibrarian - $session->param( 'number', 0 ); - $session->param( 'id', C4::Context->config('user') ); - $session->param( 'cardnumber', C4::Context->config('user') ); - $session->param( 'firstname', C4::Context->config('user') ); - $session->param( 'surname', C4::Context->config('user') ); - $session->param( 'branch', 'NO_LIBRARY_SET' ); - $session->param( 'branchname', 'NO_LIBRARY_SET' ); - $session->param( 'flags', 1 ); - $session->param( 'emailaddress', C4::Context->preference('KohaAdminEmailAddress') ); - $session->param( 'ip', $session->remote_addr() ); - $session->param( 'lasttime', time() ); } + $session->param( 'cas_ticket', $cas_ticket); C4::Context->set_userenv( $session->param('number'), $session->param('id'), $session->param('cardnumber'), $session->param('firstname'), @@ -1591,7 +1606,11 @@ sub check_api_auth { ($status, $sessionId) = check_api_auth($cookie, $userflags); Given a CGISESSID cookie set during a previous login to Koha, determine -if the user has the privileges specified by C<$userflags>. +if the user has the privileges specified by C<$userflags>. C<$userflags> +is passed unaltered into C and as such accepts all options +avaiable to that routine with the one caveat that C will +also allow 'undef' to be passed and in such a case the permissions check +will be skipped altogether. C is meant for authenticating special services such as tools/upload-file.pl that are invoked by other pages that @@ -1686,7 +1705,7 @@ sub check_cookie_auth { return ( "expired", undef ); } else { $session->param( 'lasttime', time() ); - my $flags = haspermission( $userid, $flagsrequired ); + my $flags = defined($flagsrequired) ? haspermission( $userid, $flagsrequired ) : 1; if ($flags) { return ( "ok", $sessionID ); } else { @@ -1718,28 +1737,32 @@ will be created. =cut -sub get_session { - my $sessionID = shift; +sub _get_session_params { my $storage_method = C4::Context->preference('SessionStorage'); - my $dbh = C4::Context->dbh; - my $session; if ( $storage_method eq 'mysql' ) { - $session = new CGI::Session( "driver:MySQL;serializer:yaml;id:md5", $sessionID, { Handle => $dbh } ); + my $dbh = C4::Context->dbh; + return { dsn => "driver:MySQL;serializer:yaml;id:md5", dsn_args => { Handle => $dbh } }; } elsif ( $storage_method eq 'Pg' ) { - $session = new CGI::Session( "driver:PostgreSQL;serializer:yaml;id:md5", $sessionID, { Handle => $dbh } ); + my $dbh = C4::Context->dbh; + return { dsn => "driver:PostgreSQL;serializer:yaml;id:md5", dsn_args => { Handle => $dbh } }; } elsif ( $storage_method eq 'memcached' && Koha::Caches->get_instance->memcached_cache ) { my $memcached = Koha::Caches->get_instance()->memcached_cache; - $session = new CGI::Session( "driver:memcached;serializer:yaml;id:md5", $sessionID, { Memcached => $memcached } ); + return { dsn => "driver:memcached;serializer:yaml;id:md5", dsn_args => { Memcached => $memcached } }; } else { # catch all defaults to tmp should work on all systems - my $dir = File::Spec->tmpdir; + my $dir = C4::Context::temporary_directory; my $instance = C4::Context->config( 'database' ); #actually for packages not exactly the instance name, but generally safer to leave it as it is - $session = new CGI::Session( "driver:File;serializer:yaml;id:md5", $sessionID, { Directory => "$dir/cgisess_$instance" } ); + return { dsn => "driver:File;serializer:yaml;id:md5", dsn_args => { Directory => "$dir/cgisess_$instance" } }; } - return $session; +} + +sub get_session { + my $sessionID = shift; + my $params = _get_session_params(); + return new CGI::Session( $params->{dsn}, $sessionID, $params->{dsn_args} ); } @@ -1750,28 +1773,50 @@ sub get_session { sub checkpw { my ( $dbh, $userid, $password, $query, $type, $no_set_userenv ) = @_; $type = 'opac' unless $type; - if ($ldap) { + + # Get shibboleth login attribute + my $shib = C4::Context->config('useshibboleth') && shib_ok(); + my $shib_login = $shib ? get_login_shib() : undef; + + my @return; + my $patron = Koha::Patrons->find({ userid => $userid }); + my $check_internal_as_fallback = 0; + my $passwd_ok = 0; + # Note: checkpw_* routines returns: + # 1 if auth is ok + # 0 if auth is nok + # -1 if user bind failed (LDAP only) + + if ( $patron and $patron->account_locked ) { + # Nothing to check, account is locked + } elsif ($ldap && defined($password)) { $debug and print STDERR "## checkpw - checking LDAP\n"; my ( $retval, $retcard, $retuserid ) = checkpw_ldap(@_); # EXTERNAL AUTH - return 0 if $retval == -1; # Incorrect password for LDAP login attempt - ($retval) and return ( $retval, $retcard, $retuserid ); - } + if ( $retval == 1 ) { + @return = ( $retval, $retcard, $retuserid ); + $passwd_ok = 1; + } + $check_internal_as_fallback = 1 if $retval == 0; - if ( $cas && $query && $query->param('ticket') ) { + } elsif ( $cas && $query && $query->param('ticket') ) { $debug and print STDERR "## checkpw - checking CAS\n"; # In case of a CAS authentication, we use the ticket instead of the password my $ticket = $query->param('ticket'); $query->delete('ticket'); # remove ticket to come back to original URL - my ( $retval, $retcard, $retuserid ) = checkpw_cas( $dbh, $ticket, $query, $type ); # EXTERNAL AUTH - ($retval) and return ( $retval, $retcard, $retuserid ); - return 0; + my ( $retval, $retcard, $retuserid, $cas_ticket ) = checkpw_cas( $dbh, $ticket, $query, $type ); # EXTERNAL AUTH + if ( $retval ) { + @return = ( $retval, $retcard, $retuserid, $cas_ticket ); + } else { + @return = (0); + } + $passwd_ok = $retval; } # If we are in a shibboleth session (shibboleth is enabled, and a shibboleth match attribute is present) # Check for password to asertain whether we want to be testing against shibboleth or another method this # time around. - if ( $shib && $shib_login && !$password ) { + elsif ( $shib && $shib_login && !$password ) { $debug and print STDERR "## checkpw - checking Shibboleth\n"; @@ -1782,13 +1827,29 @@ sub checkpw { # Then, we check if it matches a valid koha user if ($shib_login) { my ( $retval, $retcard, $retuserid ) = C4::Auth_with_shibboleth::checkpw_shib($shib_login); # EXTERNAL AUTH - ($retval) and return ( $retval, $retcard, $retuserid ); - return 0; + if ( $retval ) { + @return = ( $retval, $retcard, $retuserid ); + } + $passwd_ok = $retval; } + } else { + $check_internal_as_fallback = 1; } # INTERNAL AUTH - return checkpw_internal( $dbh, $userid, $password, $no_set_userenv); + if ( $check_internal_as_fallback ) { + @return = checkpw_internal( $dbh, $userid, $password, $no_set_userenv); + $passwd_ok = 1 if $return[0] > 0; # 1 or 2 + } + + if( $patron ) { + if ( $passwd_ok ) { + $patron->update({ login_attempts => 0 }); + } else { + $patron->update({ login_attempts => $patron->login_attempts + 1 }); + } + } + return @return; } sub checkpw_internal { @@ -1797,18 +1858,6 @@ sub checkpw_internal { $password = Encode::encode( 'UTF-8', $password ) if Encode::is_utf8($password); - if ( $userid && $userid eq C4::Context->config('user') ) { - if ( $password && $password eq C4::Context->config('pass') ) { - - # Koha superuser account - # C4::Context->set_userenv(0,0,C4::Context->config('user'),C4::Context->config('user'),C4::Context->config('user'),"",1); - return 2; - } - else { - return 0; - } - } - my $sth = $dbh->prepare( "select password,cardnumber,borrowernumber,userid,firstname,surname,borrowers.branchcode,branches.branchname,flags from borrowers join branches on borrowers.branchcode=branches.branchcode where userid=?" @@ -1843,15 +1892,6 @@ sub checkpw_internal { return 1, $cardnumber, $userid; } } - if ( $userid && $userid eq 'demo' - && "$password" eq 'demo' - && C4::Context->config('demo') ) - { - - # DEMO => the demo user is allowed to do everything (if demo set to 1 in koha.conf - # some features won't be effective : modify systempref, modify MARC structure, - return 2; - } return 0; } @@ -1988,50 +2028,74 @@ sub get_all_subpermissions { =head2 haspermission + $flagsrequired = '*'; # Any permission at all + $flagsrequired = 'a_flag'; # a_flag must be satisfied (all subpermissions) + $flagsrequired = [ 'a_flag', 'b_flag' ]; # a_flag OR b_flag must be satisfied + $flagsrequired = { 'a_flag => 1, 'b_flag' => 1 }; # a_flag AND b_flag must be satisfied + $flagsrequired = { 'a_flag' => 'sub_a' }; # sub_a of a_flag must be satisfied + $flagsrequired = { 'a_flag' => [ 'sub_a, 'sub_b' ] }; # sub_a OR sub_b of a_flag must be satisfied + $flags = ($userid, $flagsrequired); C<$userid> the userid of the member -C<$flags> is a hashref of required flags like C<$borrower-<{authflags}> +C<$flags> is a query structure similar to that used by SQL::Abstract that +denotes the combination of flags required. It is a required parameter. + +The main logic of this method is that things in arrays are OR'ed, and things +in hashes are AND'ed. The `*` character can be used, at any depth, to denote `ANY` Returns member's flags or 0 if a permission is not met. =cut +sub _dispatch { + my ($required, $flags) = @_; + + my $ref = ref($required); + if ($ref eq '') { + if ($required eq '*') { + return 0 unless ( $flags or ref( $flags ) ); + } else { + return 0 unless ( $flags and (!ref( $flags ) || $flags->{$required} )); + } + } elsif ($ref eq 'HASH') { + foreach my $key (keys %{$required}) { + my $require = $required->{$key}; + my $rflags = $flags->{$key}; + return 0 unless _dispatch($require, $rflags); + } + } elsif ($ref eq 'ARRAY') { + my $satisfied = 0; + foreach my $require ( @{$required} ) { + my $rflags = + ( ref($flags) && !ref($require) && ( $require ne '*' ) ) + ? $flags->{$require} + : $flags; + $satisfied++ if _dispatch( $require, $rflags ); + } + return 0 unless $satisfied; + } else { + croak "Unexpected structure found: $ref"; + } + + return $flags; +}; + sub haspermission { my ( $userid, $flagsrequired ) = @_; + + + #Koha::Exceptions::WrongParameter->throw('$flagsrequired should not be undef') + # unless defined($flagsrequired); + my $sth = C4::Context->dbh->prepare("SELECT flags FROM borrowers WHERE userid=?"); $sth->execute($userid); my $row = $sth->fetchrow(); my $flags = getuserflags( $row, $userid ); - if ( $userid eq C4::Context->config('user') ) { - - # Super User Account from /etc/koha.conf - $flags->{'superlibrarian'} = 1; - } - elsif ( $userid eq 'demo' && C4::Context->config('demo') ) { - - # Demo user that can do "anything" (demo=1 in /etc/koha.conf) - $flags->{'superlibrarian'} = 1; - } + return $flags unless defined($flagsrequired); return $flags if $flags->{superlibrarian}; - - foreach my $module ( keys %$flagsrequired ) { - my $subperm = $flagsrequired->{$module}; - if ( $subperm eq '*' ) { - return 0 unless ( $flags->{$module} == 1 or ref( $flags->{$module} ) ); - } else { - return 0 unless ( - ( defined $flags->{$module} and - $flags->{$module} == 1 ) - or - ( ref( $flags->{$module} ) and - exists $flags->{$module}->{$subperm} and - $flags->{$module}->{$subperm} == 1 ) - ); - } - } - return $flags; + return _dispatch($flagsrequired, $flags); #FIXME - This fcn should return the failed permission so a suitable error msg can be delivered. } @@ -2055,6 +2119,30 @@ sub getborrowernumber { return 0; } +=head2 track_login_daily + + track_login_daily( $userid ); + +Wraps the call to $patron->track_login, the method used to update borrowers.lastseen. We only call track_login once a day. + +=cut + +sub track_login_daily { + my $userid = shift; + return if !$userid || !C4::Context->preference('TrackLastPatronActivity'); + + my $cache = Koha::Caches->get_instance(); + my $cache_key = "track_login_" . $userid; + my $cached = $cache->get_from_cache($cache_key); + my $today = dt_from_string()->ymd; + return if $cached && $cached eq $today; + + my $patron = Koha::Patrons->find({ userid => $userid }); + return unless $patron; + $patron->track_login; + $cache->set_in_cache( $cache_key, $today ); +} + END { } # module clean-up code here (global destructor) 1; __END__