X-Git-Url: http://koha-dev.rot13.org:8081/gitweb/?a=blobdiff_plain;f=C4%2FAuth.pm;h=16e908a3996978127cd6d9e24d4b35d37fbedaeb;hb=a7dd94769f0af0e9cfcfd3b78549fa532e326756;hp=a31161ef8ec4b7835c708192a55267589a83fb62;hpb=0d663c7e8aae16a1b12c03af20b152b186829abf;p=koha_gimpoz diff --git a/C4/Auth.pm b/C4/Auth.pm index a31161ef8e..16e908a399 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -32,27 +32,34 @@ use C4::Koha; use C4::Branch; # GetBranches use C4::VirtualShelves; use POSIX qw/strftime/; +use List::MoreUtils qw/ any /; # use utf8; use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas $caslogout $servers $memcached); BEGIN { - $VERSION = 3.02; # set version for version checking - $debug = $ENV{DEBUG}; - @ISA = qw(Exporter); - @EXPORT = qw(&checkauth &get_template_and_user &haspermission &get_user_subpermissions); - @EXPORT_OK = qw(&check_api_auth &get_session &check_cookie_auth &checkpw &get_all_subpermissions &get_user_subpermissions); - %EXPORT_TAGS = (EditPermissions => [qw(get_all_subpermissions get_user_subpermissions)]); - $ldap = C4::Context->config('useldapserver') || 0; - $cas = C4::Context->preference('casAuthentication'); - $caslogout = C4::Context->preference('casLogout'); + sub psgi_env { any { /^psgi\./ } keys %ENV } + sub safe_exit { + if ( psgi_env ) { die 'psgi:exit' } + else { exit } + } + + $VERSION = 3.02; # set version for version checking + $debug = $ENV{DEBUG}; + @ISA = qw(Exporter); + @EXPORT = qw(&checkauth &get_template_and_user &haspermission &get_user_subpermissions); + @EXPORT_OK = qw(&check_api_auth &get_session &check_cookie_auth &checkpw &get_all_subpermissions &get_user_subpermissions); + %EXPORT_TAGS = ( EditPermissions => [qw(get_all_subpermissions get_user_subpermissions)] ); + $ldap = C4::Context->config('useldapserver') || 0; + $cas = C4::Context->preference('casAuthentication'); + $caslogout = C4::Context->preference('casLogout'); + require C4::Auth_with_cas; # no import if ($ldap) { - require C4::Auth_with_ldap; # no import - import C4::Auth_with_ldap qw(checkpw_ldap); + require C4::Auth_with_ldap; + # no import import C4::Auth_with_ldap qw(checkpw_ldap); } if ($cas) { - require C4::Auth_with_cas; # no import - import C4::Auth_with_cas qw(checkpw_cas login_cas logout_cas login_cas_url); + import C4::Auth_with_cas qw(check_api_auth_cas checkpw_cas login_cas logout_cas login_cas_url); } $servers = C4::Context->config('memcached_servers'); if ($servers) { @@ -130,19 +137,22 @@ Output.pm module. =cut my $SEARCH_HISTORY_INSERT_SQL =<{'template_name'}, $in->{'type'}, $in->{'query'} ); - my ( $user, $cookie, $sessionID, $flags ) = checkauth( - $in->{'query'}, - $in->{'authnotrequired'}, - $in->{'flagsrequired'}, - $in->{'type'} - ) unless ($in->{'template_name'}=~/maintenance/); + my ( $user, $cookie, $sessionID, $flags ); + if ( $in->{'template_name'} !~m/maintenance/ ) { + ( $user, $cookie, $sessionID, $flags ) = checkauth( + $in->{'query'}, + $in->{'authnotrequired'}, + $in->{'flagsrequired'}, + $in->{'type'} + ); + } my $borrowernumber; my $insecure = C4::Context->preference('insecure'); @@ -261,13 +271,9 @@ sub get_template_and_user { my @recentSearches = @{thaw($searchcookie) || []}; if (@recentSearches) { my $sth = $dbh->prepare($SEARCH_HISTORY_INSERT_SQL); - $sth->execute( $borrowernumber, - $in->{'query'}->cookie("CGISESSID"), - $_->{'query_desc'}, - $_->{'query_cgi'}, - $_->{'total'}, - $_->{'time'}, - ) foreach @recentSearches; + + $sth->execute( $borrowernumber, $in->{'query'}->cookie("CGISESSID"), $_->{'query_desc'}, $_->{'query_cgi'}, $_->{'limit_desc'}, $_->{'limit_cgi'}, $_->{'total'}, $_->{'time'}, ) + foreach @recentSearches; # And then, delete the cookie's content my $newsearchcookie = $in->{'query'}->cookie( @@ -335,6 +341,7 @@ sub get_template_and_user { "BiblioDefaultView".C4::Context->preference("BiblioDefaultView") => 1, EnhancedMessagingPreferences => C4::Context->preference('EnhancedMessagingPreferences'), GoogleJackets => C4::Context->preference("GoogleJackets"), + OpenLibraryCovers => C4::Context->preference("OpenLibraryCovers"), KohaAdminEmailAddress => "" . C4::Context->preference("KohaAdminEmailAddress"), LoginBranchcode => (C4::Context->userenv?C4::Context->userenv->{"branch"}:"insecure"), LoginFirstname => (C4::Context->userenv?C4::Context->userenv->{"firstname"}:"Bel"), @@ -455,6 +462,7 @@ sub get_template_and_user { opacuserlogin => "" . C4::Context->preference("opacuserlogin"), reviewson => C4::Context->preference("reviewson"), ShowReviewer => C4::Context->preference("ShowReviewer"), + ShowReviewerPhoto => C4::Context->preference("ShowReviewerPhoto"), suggestion => "" . C4::Context->preference("suggestion"), virtualshelves => "" . C4::Context->preference("virtualshelves"), OPACSerialIssueDisplayCount => C4::Context->preference("OPACSerialIssueDisplayCount"), @@ -567,19 +575,18 @@ sub _version_check ($$) { # and so we must redirect to OPAC maintenance page or to the WebInstaller # also, if OpacMaintenance is ON, OPAC should redirect to maintenance if (C4::Context->preference('OpacMaintenance') && $type eq 'opac') { - warn "OPAC Install required, redirecting to maintenance"; - print $query->redirect("/cgi-bin/koha/maintenance.pl"); - } - unless ($version = C4::Context->preference('Version')) { # assignment, not comparison - if ($type ne 'opac') { - warn "Install required, redirecting to Installer"; - print $query->redirect("/cgi-bin/koha/installer/install.pl"); - } - else { warn "OPAC Install required, redirecting to maintenance"; print $query->redirect("/cgi-bin/koha/maintenance.pl"); - } - exit; + } + unless ( $version = C4::Context->preference('Version') ) { # assignment, not comparison + if ( $type ne 'opac' ) { + warn "Install required, redirecting to Installer"; + print $query->redirect("/cgi-bin/koha/installer/install.pl"); + } else { + warn "OPAC Install required, redirecting to maintenance"; + print $query->redirect("/cgi-bin/koha/maintenance.pl"); + } + safe_exit; } # check that database and koha version are the same @@ -599,7 +606,7 @@ sub _version_check ($$) { warn sprintf("OPAC: " . $warning, 'maintenance'); print $query->redirect("/cgi-bin/koha/maintenance.pl"); } - exit; + safe_exit; } } @@ -634,6 +641,10 @@ sub checkauth { my ( $userid, $cookie, $sessionID, $flags, $barshelves, $pubshelves ); my $logout = $query->param('logout.x'); + # This parameter is the name of the CAS server we want to authenticate against, + # when using authentication against multiple CAS servers, as configured in Auth_cas_servers.yaml + my $casparam = $query->param('cas'); + if ( $userid = $ENV{'REMOTE_USER'} ) { # Using Basic Authentication, no cookies required $cookie = $query->cookie( @@ -736,7 +747,9 @@ sub checkauth { $userid = $retuserid; $info{'invalidCasLogin'} = 1 unless ($return); } else { - ( $return, $cardnumber ) = checkpw( $dbh, $userid, $password, $query ); + my $retuserid; + ( $return, $retuserid ) = checkpw( $dbh, $userid, $password, $query ); + $userid = $retuserid if ($retuserid ne ''); } if ($return) { _session_log(sprintf "%20s from %16s logged in at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},(strftime '%c', localtime)); @@ -762,20 +775,21 @@ sub checkauth { "; my $sth = $dbh->prepare("$select where userid=?"); $sth->execute($userid); - unless ($sth->rows) { - $debug and print STDERR "AUTH_1: no rows for userid='$userid'\n"; - $sth = $dbh->prepare("$select where cardnumber=?"); - $sth->execute($cardnumber); - unless ($sth->rows) { - $debug and print STDERR "AUTH_2a: no rows for cardnumber='$cardnumber'\n"; - $sth->execute($userid); - unless ($sth->rows) { - $debug and print STDERR "AUTH_2b: no rows for userid='$userid' AS cardnumber\n"; - } - } - } + unless ($sth->rows) { + $debug and print STDERR "AUTH_1: no rows for userid='$userid'\n"; + $sth = $dbh->prepare("$select where cardnumber=?"); + $sth->execute($cardnumber); + + unless ($sth->rows) { + $debug and print STDERR "AUTH_2a: no rows for cardnumber='$cardnumber'\n"; + $sth->execute($userid); + unless ($sth->rows) { + $debug and print STDERR "AUTH_2b: no rows for userid='$userid' AS cardnumber\n"; + } + } + } if ($sth->rows) { - ($borrowernumber, $firstname, $surname, $userflags, + ($borrowernumber, $firstname, $surname, $userflags, $branchcode, $branchname, $branchprinter, $emailaddress) = $sth->fetchrow; $debug and print STDERR "AUTH_3 results: " . "$cardnumber,$borrowernumber,$userid,$firstname,$surname,$userflags,$branchcode,$emailaddress\n"; @@ -978,11 +992,28 @@ sub checkauth { $template->param( OpacPublic => C4::Context->preference("OpacPublic")); $template->param( loginprompt => 1 ) unless $info{'nopermission'}; - if ($cas) { + if ($cas) { + + # Is authentication against multiple CAS servers enabled? + if (C4::Auth_with_cas::multipleAuth && !$casparam) { + my $casservers = C4::Auth_with_cas::getMultipleAuth(); + my @tmplservers; + foreach my $key (keys %$casservers) { + push @tmplservers, {name => $key, value => login_cas_url($query, $key) . "?cas=$key" }; + } + #warn Data::Dumper::Dumper(\@tmplservers); + $template->param( + casServersLoop => \@tmplservers + ); + } else { + $template->param( + casServerUrl => login_cas_url($query), + ); + } + $template->param( - casServerUrl => login_cas_url(), - invalidCasLogin => $info{'invalidCasLogin'} - ); + invalidCasLogin => $info{'invalidCasLogin'} + ); } my $self_url = $query->url( -absolute => 1 ); @@ -999,7 +1030,7 @@ sub checkauth { -cookie => $cookie ), $template->output; - exit; + safe_exit; } =head2 check_api_auth @@ -1072,7 +1103,7 @@ sub check_api_auth { unless ($query->param('userid')) { $sessionID = $query->cookie("CGISESSID"); } - if ($sessionID) { + if ($sessionID && not $cas) { my $session = get_session($sessionID); C4::Context->_new_userenv($sessionID); if ($session) { @@ -1122,18 +1153,24 @@ sub check_api_auth { # new login my $userid = $query->param('userid'); my $password = $query->param('password'); - unless ($userid and $password) { - # caller did something wrong, fail the authenticateion - return ("failed", undef, undef); - } - my ($return, $cardnumber); - if ($cas && $query->param('ticket')) { + my ($return, $cardnumber); + + # Proxy CAS auth + if ($cas && $query->param('PT')) { my $retuserid; - ( $return, $cardnumber, $retuserid ) = checkpw( $dbh, $userid, $password, $query ); - $userid = $retuserid; + $debug and print STDERR "## check_api_auth - checking CAS\n"; + # In case of a CAS authentication, we use the ticket instead of the password + my $PT = $query->param('PT'); + ($return,$cardnumber,$userid) = check_api_auth_cas($dbh, $PT, $query); # EXTERNAL AUTH } else { + # User / password auth + unless ($userid and $password) { + # caller did something wrong, fail the authenticateion + return ("failed", undef, undef); + } ( $return, $cardnumber ) = checkpw( $dbh, $userid, $password, $query ); } + if ($return and haspermission( $userid, $flagsrequired)) { my $session = get_session(""); return ("failed", undef, undef) unless $session; @@ -1390,7 +1427,7 @@ sub checkpw { ($retval) and return ($retval,$retcard); } - if ($cas && $query->param('ticket')) { + if ($cas && $query && $query->param('ticket')) { $debug and print STDERR "## checkpw - checking CAS\n"; # In case of a CAS authentication, we use the ticket instead of the password my $ticket = $query->param('ticket'); @@ -1413,7 +1450,7 @@ sub checkpw { C4::Context->set_userenv( "$borrowernumber", $userid, $cardnumber, $firstname, $surname, $branchcode, $flags ); - return 1, $cardnumber; + return 1, $userid; } } $sth = @@ -1577,7 +1614,7 @@ sub haspermission { my ($userid, $flagsrequired) = @_; my $sth = C4::Context->dbh->prepare("SELECT flags FROM borrowers WHERE userid=?"); $sth->execute($userid); - my $flags = getuserflags( $sth->fetchrow(), $userid ); + my $flags = getuserflags($sth->fetchrow(), $userid); if ( $userid eq C4::Context->config('user') ) { # Super User Account from /etc/koha.conf $flags->{'superlibrarian'} = 1; @@ -1586,7 +1623,9 @@ sub haspermission { # Demo user that can do "anything" (demo=1 in /etc/koha.conf) $flags->{'superlibrarian'} = 1; } + return $flags if $flags->{superlibrarian}; + foreach my $module ( keys %$flagsrequired ) { my $subperm = $flagsrequired->{$module}; if ($subperm eq '*') {