projects / srvgit / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Bug 25898: Prohibit indirect object notation
[srvgit] / C4 / Auth.pm
diff --git a/C4/Auth.pm b/C4/Auth.pm
index 067c576..9c52c79 100644 (file)
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -38,6 +38,7 @@ use Koha::Checkouts;
 use Koha::DateUtils qw(dt_from_string);
 use Koha::Library::Groups;
 use Koha::Libraries;
+use Koha::Desks;
 use Koha::Patrons;
 use Koha::Patron::Consents;
 use POSIX qw/strftime/;
@@ -45,6 +46,7 @@ use List::MoreUtils qw/ any /;
 use Encode qw( encode is_utf8);
 use C4::Auth_with_shibboleth;
 use Net::CIDR;
+use C4::Log qw/logaction/;
 
 # use utf8;
 use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas $caslogout);
@@ -169,7 +171,9 @@ sub get_template_and_user {
             $in->{'query'},
             $in->{'authnotrequired'},
             $in->{'flagsrequired'},
-            $in->{'type'}
+            $in->{'type'},
+            undef,
+            $in->{template_name},
         );
     }
 
@@ -228,6 +232,7 @@ sub get_template_and_user {
                 -value    => '',
                 -expires  => '',
                 -HttpOnly => 1,
+                -secure => ( C4::Context->https_enabled() ? 1 : 0 ),
             );
 
             $template->param(
@@ -448,11 +453,6 @@ sub get_template_and_user {
 
     # these template parameters are set the same regardless of $in->{'type'}
 
-    # Set the using_https variable for templates
-    # FIXME Under Plack the CGI->https method always returns 'OFF'
-    my $https = $in->{query}->https();
-    my $using_https = ( defined $https and $https ne 'OFF' ) ? 1 : 0;
-
     my $minPasswordLength = C4::Context->preference('minPasswordLength');
     $minPasswordLength = 3 if not $minPasswordLength or $minPasswordLength < 3;
     $template->param(
@@ -461,7 +461,6 @@ sub get_template_and_user {
         GoogleJackets                                                      => C4::Context->preference("GoogleJackets"),
         OpenLibraryCovers                                                  => C4::Context->preference("OpenLibraryCovers"),
         KohaAdminEmailAddress                                              => "" . C4::Context->preference("KohaAdminEmailAddress"),
-        LoginBranchcode => ( C4::Context->userenv ? C4::Context->userenv->{"branch"}    : undef ),
         LoginFirstname  => ( C4::Context->userenv ? C4::Context->userenv->{"firstname"} : "Bel" ),
         LoginSurname    => C4::Context->userenv ? C4::Context->userenv->{"surname"}      : "Inconnu",
         emailaddress    => C4::Context->userenv ? C4::Context->userenv->{"emailaddress"} : undef,
@@ -472,7 +471,6 @@ sub get_template_and_user {
         singleBranchMode   => ( Koha::Libraries->search->count == 1 ),
         XSLTDetailsDisplay => C4::Context->preference("XSLTDetailsDisplay"),
         XSLTResultsDisplay => C4::Context->preference("XSLTResultsDisplay"),
-        using_https        => $using_https,
         noItemTypeImages   => C4::Context->preference("noItemTypeImages"),
         marcflavour        => C4::Context->preference("marcflavour"),
         OPACBaseURL        => C4::Context->preference('OPACBaseURL'),
@@ -489,7 +487,6 @@ sub get_template_and_user {
             IntranetNav                                                                => C4::Context->preference("IntranetNav"),
             IntranetmainUserblock                                                      => C4::Context->preference("IntranetmainUserblock"),
             LibraryName                                                                => C4::Context->preference("LibraryName"),
-            LoginBranchname                                                            => ( C4::Context->userenv ? C4::Context->userenv->{"branchname"} : undef ),
             advancedMARCEditor                                                         => C4::Context->preference("advancedMARCEditor"),
             canreservefromotherbranches                                                => C4::Context->preference('canreservefromotherbranches'),
             intranetcolorstylesheet                                                    => C4::Context->preference("intranetcolorstylesheet"),
@@ -557,7 +554,6 @@ sub get_template_and_user {
             opac_name                             => $opac_name,
             LibraryName                           => "" . C4::Context->preference("LibraryName"),
             LibraryNameTitle                      => "" . $LibraryNameTitle,
-            LoginBranchname                       => C4::Context->userenv ? C4::Context->userenv->{"branchname"} : "",
             OPACAmazonCoverImages                 => C4::Context->preference("OPACAmazonCoverImages"),
             OPACFRBRizeEditions                   => C4::Context->preference("OPACFRBRizeEditions"),
             OpacHighlightedWords                  => C4::Context->preference("OpacHighlightedWords"),
@@ -571,7 +567,6 @@ sub get_template_and_user {
             OpacBrowser                           => C4::Context->preference("OpacBrowser"),
             OpacCloud                             => C4::Context->preference("OpacCloud"),
             OpacKohaUrl                           => C4::Context->preference("OpacKohaUrl"),
-            OpacMainUserBlock                     => "" . C4::Context->preference("OpacMainUserBlock"),
             OpacNav                               => "" . C4::Context->preference("OpacNav"),
             OpacNavBottom                         => "" . C4::Context->preference("OpacNavBottom"),
             OpacPasswordChange                    => C4::Context->preference("OpacPasswordChange"),
@@ -584,7 +579,6 @@ sub get_template_and_user {
             hidelostitems                         => C4::Context->preference("hidelostitems"),
             mylibraryfirst                        => ( C4::Context->preference("SearchMyLibraryFirst") && C4::Context->userenv ) ? C4::Context->userenv->{'branch'} : '',
             opacbookbag                           => "" . C4::Context->preference("opacbookbag"),
-            opaccredits                           => "" . C4::Context->preference("opaccredits"),
             OpacFavicon                           => C4::Context->preference("OpacFavicon"),
             opaclanguagesdisplay                  => "" . C4::Context->preference("opaclanguagesdisplay"),
             opacreadinghistory                    => C4::Context->preference("opacreadinghistory"),
@@ -768,12 +762,22 @@ sub _session_log {
 }
 
 sub _timeout_syspref {
-    my $timeout = C4::Context->preference('timeout') || 600;
+    my $default_timeout = 600;
+    my $timeout = C4::Context->preference('timeout') || $default_timeout;
 
     # value in days, convert in seconds
-    if ( $timeout =~ /(\d+)[dD]/ ) {
+    if ( $timeout =~ /^(\d+)[dD]$/ ) {
         $timeout = $1 * 86400;
     }
+    # value in hours, convert in seconds
+    elsif ( $timeout =~ /^(\d+)[hH]$/ ) {
+        $timeout = $1 * 3600;
+    }
+    elsif ( $timeout !~ m/^\d+$/ ) {
+        warn "The value of the system preference 'timeout' is not correct, defaulting to $default_timeout";
+        $timeout = $default_timeout;
+    }
+
     return $timeout;
 }
 
@@ -790,8 +794,21 @@ sub checkauth {
     my $flagsrequired   = shift;
     my $type            = shift;
     my $emailaddress    = shift;
+    my $template_name   = shift;
     $type = 'opac' unless $type;
 
+    unless ( C4::Context->preference("OpacPublic") ) {
+        my @allowed_scripts_for_private_opac = qw(
+          opac-memberentry.tt
+          opac-registration-email-sent.tt
+          opac-registration-confirmation.tt
+          opac-memberentry-update-submitted.tt
+          opac-password-recovery.tt
+        );
+        $authnotrequired = 0 unless grep { $_ eq $template_name }
+          @allowed_scripts_for_private_opac;
+    }
+
     my $dbh     = C4::Context->dbh;
     my $timeout = _timeout_syspref();
 
@@ -829,6 +846,7 @@ sub checkauth {
             -value    => '',
             -expires  => '',
             -HttpOnly => 1,
+            -secure => ( C4::Context->https_enabled() ? 1 : 0 ),
         );
         $loggedin = 1;
     }
@@ -848,8 +866,8 @@ sub checkauth {
                 $session->param('cardnumber'),   $session->param('firstname'),
                 $session->param('surname'),      $session->param('branch'),
                 $session->param('branchname'),   $session->param('flags'),
-                $session->param('emailaddress'),
-                $session->param('shibboleth')
+                $session->param('emailaddress'), $session->param('shibboleth'),
+                $session->param('desk_id'),      $session->param('desk_name')
             );
             C4::Context::set_shelves_userenv( 'bar', $session->param('barshelves') );
             C4::Context::set_shelves_userenv( 'pub', $session->param('pubshelves') );
@@ -929,7 +947,8 @@ sub checkauth {
             $cookie = $query->cookie(
                 -name     => 'CGISESSID',
                 -value    => $session->id,
-                -HttpOnly => 1
+                -HttpOnly => 1,
+                -secure => ( C4::Context->https_enabled() ? 1 : 0 ),
             );
             $session->param( 'lasttime', time() );
             unless ( $sessiontype && $sessiontype eq 'anon' ) {    #if this is an anonymous session, we want to update the session, but not behave as if they are logged in...
@@ -958,7 +977,8 @@ sub checkauth {
         $cookie = $query->cookie(
             -name     => 'CGISESSID',
             -value    => $session->id,
-            -HttpOnly => 1
+            -HttpOnly => 1,
+            -secure => ( C4::Context->https_enabled() ? 1 : 0 ),
         );
         my $pki_field = C4::Context->preference('AllowPKIAuth');
         if ( !defined($pki_field) ) {
@@ -1069,7 +1089,7 @@ sub checkauth {
                     C4::Context->_unset_userenv($sessionID);
                 }
                 my ( $borrowernumber, $firstname, $surname, $userflags,
-                    $branchcode, $branchname, $emailaddress );
+                    $branchcode, $branchname, $emailaddress, $desk_id, $desk_name );
 
                 if ( $return == 1 ) {
                     my $select = "
@@ -1113,6 +1133,11 @@ sub checkauth {
                         my $library = Koha::Libraries->find($branchcode);
                         $branchname = $library? $library->branchname: '';
                     }
+                    if ( $query->param('desk_id') ) {
+                        $desk_id = $query->param('desk_id');
+                        my $desk = Koha::Desks->find($desk_id);
+                        $desk_name = $desk ? $desk->desk_name : '';
+                    }
                     my $branches = { map { $_->branchcode => $_->unblessed } Koha::Libraries->search };
                     if ( $type ne 'opac' and C4::Context->boolean_preference('AutoLocation') ) {
 
@@ -1124,7 +1149,8 @@ sub checkauth {
                             $cookie = $query->cookie(
                                 -name     => 'CGISESSID',
                                 -value    => '',
-                                -HttpOnly => 1
+                                -HttpOnly => 1,
+                                -secure => ( C4::Context->https_enabled() ? 1 : 0 ),
                             );
                             $info{'wrongip'} = 1;
                         }
@@ -1148,6 +1174,8 @@ sub checkauth {
                     $session->param( 'surname',      $surname );
                     $session->param( 'branch',       $branchcode );
                     $session->param( 'branchname',   $branchname );
+                    $session->param( 'desk_id',      $desk_id);
+                    $session->param( 'desk_name',     $desk_name);
                     $session->param( 'flags',        $userflags );
                     $session->param( 'emailaddress', $emailaddress );
                     $session->param( 'ip',           $session->remote_addr() );
@@ -1162,7 +1190,8 @@ sub checkauth {
                     $session->param('cardnumber'),   $session->param('firstname'),
                     $session->param('surname'),      $session->param('branch'),
                     $session->param('branchname'),   $session->param('flags'),
-                    $session->param('emailaddress'), $session->param('shibboleth')
+                    $session->param('emailaddress'), $session->param('shibboleth'),
+                    $session->param('desk_id'),      $session->param('desk_name')
                 );
 
             }
@@ -1202,10 +1231,13 @@ sub checkauth {
             $cookie = $query->cookie(
                 -name     => 'CGISESSID',
                 -value    => '',
-                -HttpOnly => 1
+                -HttpOnly => 1,
+                -secure => ( C4::Context->https_enabled() ? 1 : 0 ),
             );
         }
 
+        track_login_daily( $userid );
+
         # In case, that this request was a login attempt, we want to prevent that users can repost the opac login
         # request. We therefore redirect the user to the requested page again without the login parameters.
         # See Post/Redirect/Get (PRG) design pattern: https://en.wikipedia.org/wiki/Post/Redirect/Get
@@ -1218,8 +1250,6 @@ sub checkauth {
             exit;
         }
 
-        track_login_daily( $userid );
-
         return ( $userid, $cookie, $sessionID, $flags );
     }
 
@@ -1243,8 +1273,8 @@ sub checkauth {
     $LibraryNameTitle =~ s/<(?:\/?)(?:br|p)\s*(?:\/?)>/ /sgi;
     $LibraryNameTitle =~ s/<(?:[^<>'"]|'(?:[^']*)'|"(?:[^"]*)")*>//sg;
 
-    my $template_name = ( $type eq 'opac' ) ? 'opac-auth.tt' : 'auth.tt';
-    my $template = C4::Templates::gettemplate( $template_name, $type, $query );
+    my $auth_template_name = ( $type eq 'opac' ) ? 'opac-auth.tt' : 'auth.tt';
+    my $template = C4::Templates::gettemplate( $auth_template_name, $type, $query );
     $template->param(
         login                                 => 1,
         INPUTS                                => \@inputs,
@@ -1259,7 +1289,6 @@ sub checkauth {
         opacuserlogin                         => C4::Context->preference("opacuserlogin"),
         OpacNav                               => C4::Context->preference("OpacNav"),
         OpacNavBottom                         => C4::Context->preference("OpacNavBottom"),
-        opaccredits                           => C4::Context->preference("opaccredits"),
         OpacFavicon                           => C4::Context->preference("OpacFavicon"),
         opacreadinghistory                    => C4::Context->preference("opacreadinghistory"),
         opaclanguagesdisplay                  => C4::Context->preference("opaclanguagesdisplay"),
@@ -1440,7 +1469,8 @@ sub check_api_auth {
                 $session->param('cardnumber'),   $session->param('firstname'),
                 $session->param('surname'),      $session->param('branch'),
                 $session->param('branchname'),   $session->param('flags'),
-                $session->param('emailaddress')
+                $session->param('emailaddress'), $session->param('shibboleth'),
+                $session->param('desk_id'),      $session->param('desk_name')
             );
 
             my $ip       = $session->param('ip');
@@ -1469,6 +1499,7 @@ sub check_api_auth {
                     -name     => 'CGISESSID',
                     -value    => $session->id,
                     -HttpOnly => 1,
+                    -secure => ( C4::Context->https_enabled() ? 1 : 0 ),
                 );
                 $session->param( 'lasttime', time() );
                 my $flags = haspermission( $userid, $flagsrequired );
@@ -1523,6 +1554,7 @@ sub check_api_auth {
                 -name     => 'CGISESSID',
                 -value    => $sessionID,
                 -HttpOnly => 1,
+                -secure => ( C4::Context->https_enabled() ? 1 : 0 ),
             );
             if ( $return == 1 ) {
                 my (
@@ -1599,8 +1631,8 @@ sub check_api_auth {
                 $session->param('number'),       $session->param('id'),
                 $session->param('cardnumber'),   $session->param('firstname'),
                 $session->param('surname'),      $session->param('branch'),
-                $session->param('branchname'),   $session->param('flags'),
-                $session->param('emailaddress')
+                $session->param('emailaddress'), $session->param('shibboleth'),
+                $session->param('desk_id'),      $session->param('desk_name')
             );
             return ( "ok", $cookie, $sessionID );
         } else {
@@ -1688,7 +1720,8 @@ sub check_cookie_auth {
             $session->param('cardnumber'),   $session->param('firstname'),
             $session->param('surname'),      $session->param('branch'),
             $session->param('branchname'),   $session->param('flags'),
-            $session->param('emailaddress')
+            $session->param('emailaddress'), $session->param('shibboleth'),
+            $session->param('desk_id'),      $session->param('desk_name')
         );
 
         my $ip       = $session->param('ip');
@@ -1771,7 +1804,7 @@ sub _get_session_params {
 sub get_session {
     my $sessionID      = shift;
     my $params = _get_session_params();
-    return new CGI::Session( $params->{dsn}, $sessionID, $params->{dsn_args} );
+    return CGI::Session->new( $params->{dsn}, $sessionID, $params->{dsn_args} );
 }
 
 
@@ -1862,6 +1895,14 @@ sub checkpw {
             $patron->update({ login_attempts => $patron->login_attempts + 1 });
         }
     }
+
+    # Optionally log success or failure
+    if( $patron && $passwd_ok && C4::Context->preference('AuthSuccessLog') ) {
+        logaction( 'AUTH', 'SUCCESS', $patron->id, "Valid password for $userid", $type );
+    } elsif( !$passwd_ok && C4::Context->preference('AuthFailureLog') ) {
+        logaction( 'AUTH', 'FAILURE', $patron ? $patron->id : 0, "Wrong password for $userid", $type );
+    }
+
     return @return;
 }
 
KOHA@FFZG based on git://git.koha.org/pub/scm/koha.git