X-Git-Url: http://koha-dev.rot13.org:8081/gitweb/?a=blobdiff_plain;f=C4%2FAuth.pm;h=2eb63f5170a417a52e8cbc4950527d8fa67a090a;hb=e901ae15de6717f8594bd80ecfb0c5e8a23b8af5;hp=9edf932f0b86e6f9feaa120e23fbec490127e463;hpb=81ee945a580189e79a268f60d9e7638e92e85f26;p=koha_fer
diff --git a/C4/Auth.pm b/C4/Auth.pm
index 9edf932f0b..2eb63f5170 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -381,7 +381,7 @@ sub get_template_and_user {
     my $opac_search_limit = $ENV{'OPAC_SEARCH_LIMIT'};
     my $opac_limit_override = $ENV{'OPAC_LIMIT_OVERRIDE'};
     my $opac_name = '';
-    if (($opac_search_limit =~ /branch:(\w+)/ && $opac_limit_override) || $in->{'query'}->param('limit') =~ /branch:(\w+)/){
+    if (($opac_search_limit && $opac_search_limit =~ /branch:(\w+)/ && $opac_limit_override) || ($in->{'query'}->param('limit') && $in->{'query'}->param('limit') =~ /branch:(\w+)/)){
         $opac_name = $1; # opac_search_limit is a branch, so we use it.
     } elsif (C4::Context->preference("SearchMyLibraryFirst") && C4::Context->userenv && C4::Context->userenv->{'branch'}) {
         $opac_name = C4::Context->userenv->{'branch'};
@@ -462,6 +462,8 @@ sub get_template_and_user {
         SyndeticsSeries => C4::Context->preference("SyndeticsSeries"),
         SyndeticsCoverImageSize => C4::Context->preference("SyndeticsCoverImageSize"),
         OPACLocalCoverImages => C4::Context->preference("OPACLocalCoverImages"),
+        PatronSelfRegistration => C4::Context->preference("PatronSelfRegistration"),
+        PatronSelfRegistrationDefaultCategory => C4::Context->preference("PatronSelfRegistrationDefaultCategory"),
     );
     $template->param(OpacPublic => '1') if ($user || C4::Context->preference("OpacPublic"));
@@ -557,6 +559,7 @@ sub _version_check {
     if (C4::Context->preference('OpacMaintenance') && $type eq 'opac') {
         warn "OPAC Install required, redirecting to maintenance";
         print $query->redirect("/cgi-bin/koha/maintenance.pl");
+        safe_exit;
     }
     unless ( $version = C4::Context->preference('Version') ) { # assignment, not comparison
         if ( $type ne 'opac' ) {
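Review bot: The new guard on the `+ if` line reads `$in->{'query'}->param('limit')` twice, once for truthiness and once for the match, so a lexical states the intent and avoids the double call: `my $limit = $in->{'query'}->param('limit');` followed by `|| ( defined $limit && $limit =~ /branch:(\w+)/ )`. Note that `$opac_name` is still taken straight from a request parameter here; the `\w+` capture restricts it to word characters, but nothing in this hunk checks it against a known branch code, so whatever consumes it further down (outside the hunk) should not assume it is a valid branch. get_template_and_user begins and ends outside this hunk.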
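Review bot: `safe_exit;` on the added line is a bareword call with neither parentheses nor `&`, which under `use strict` only compiles if `safe_exit` is declared earlier in the file than this point (its definition is outside this hunk); writing it as `safe_exit();` removes that ordering dependency. The exit itself is the right fix: before this change execution carried on past the maintenance redirect into the `Version` check on the next context line. _version_check continues outside this hunk.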
@@ -597,6 +600,15 @@ sub _session_log {
     close $fh;
 }
+sub _timeout_syspref {
+    my $timeout = C4::Context->preference('timeout') || 600;
+    # value in days, convert in seconds
+    if ($timeout =~ /(\d+)[dD]/) {
+        $timeout = $1 * 86400;
+    };
+    return $timeout;
+}
 sub checkauth {
     my $query = shift;
     $debug and warn "Checking Auth";
@@ -607,12 +619,7 @@ sub checkauth {
     $type = 'opac' unless $type;
     my $dbh = C4::Context->dbh;
-    my $timeout = C4::Context->preference('timeout');
-    # days
-    if ($timeout =~ /(\d+)[dD]/) {
-        $timeout = $1 * 86400;
-    };
-    $timeout = 600 unless $timeout;
+    my $timeout = _timeout_syspref();
     _version_check($type,$query);
     # state variables
@@ -628,13 +635,15 @@ sub checkauth {
     if ( $userid = $ENV{'REMOTE_USER'} ) {
         # Using Basic Authentication, no cookies required
         $cookie = $query->cookie(
-            -name => 'CGISESSID',
-            -value => '',
-            -expires => ''
+            -name => 'CGISESSID',
+            -value => '',
+            -expires => '',
+            -HttpOnly => 1,
         );
         $loggedin = 1;
     }
-    elsif ( $sessionID = $query->cookie("CGISESSID")) { # assignment, not comparison
+    elsif ( $sessionID = $query->cookie("CGISESSID") )
+    { # assignment, not comparison
         my $session = get_session($sessionID);
         C4::Context->_new_userenv($sessionID);
         my ($ip, $lasttime, $sessiontype);
@@ -653,7 +662,7 @@ sub checkauth {
             $ip = $session->param('ip');
             $lasttime = $session->param('lasttime');
             $userid = $session->param('id');
-            $sessiontype = $session->param('sessiontype');
+            $sessiontype = $session->param('sessiontype') || '';
         }
         if ( ( ($query->param('koha_login_context')) && ($query->param('userid') ne $session->param('id')) ) || ( $cas && $query->param('ticket') ) ) {
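Review bot: `_timeout_syspref` accepts whatever string the `timeout` syspref holds: the `/(\d+)[dD]/` match is unanchored, so `10d` and `x10dy` both become 864000, and a value matching neither form (say `30m`) is returned untouched to callers that, going by the `|| 600` default and the days-to-seconds comment, treat it as seconds — numified, `30m` is 30 seconds and a non-numeric string is 0, which would expire every session at once. Since this helper is now the single source of the timeout for checkauth, check_api_auth and check_cookie_auth, anchoring the pattern and falling back to the 600-second default for anything that is not plain seconds or `Nd` keeps a mistyped syspref from silently locking everyone out; the stray `;` after the `if` block can go at the same time.
```perl
sub _timeout_syspref {
    my $timeout = C4::Context->preference('timeout') || 600;
    # plain seconds, or "Nd" for N days; anything else falls back to the default
    if ( $timeout =~ /^\s*(\d+)\s*[dD]\s*$/ ) {
        $timeout = $1 * 86400;
    }
    elsif ( $timeout !~ /^\s*\d+\s*$/ ) {
        $timeout = 600;
    }
    return $timeout;
}
```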
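Review bot: The REMOTE_USER cookie (and the three other `CGISESSID` cookies this commit touches) now carries `-HttpOnly => 1` but no `-secure` flag, so on an installation served over HTTPS the session id is still sent along with any plain-http request to the same host. Assuming `$query` is the CGI object its `cookie`/`param` calls suggest, `cookie()` takes a `-secure` flag, and setting it only when the current request is itself TLS keeps plain-http installs working: `-secure => ( $query->https ? 1 : 0 ),`. checkauth's body continues outside this hunk.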
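Review bot: The `|| ''` default on `$sessiontype` is the right fix for the later string comparison, but the `if` on the last context line still evaluates `$query->param('userid') ne $session->param('id')` with either side possibly undef, which raises the same uninitialized-value warnings this hunk is cleaning up. The same treatment fits there, e.g. `( $query->param('userid') || '' ) ne ( $session->param('id') || '' )`, or `//` if the file already targets Perl 5.10 (its `use` lines are outside this chunk). checkauth continues on both sides of this hunk.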
@@ -700,9 +709,13 @@ sub checkauth {
             $userid = undef;
         }
         else {
-            $cookie = $query->cookie( CGISESSID => $session->id );
-            $session->param('lasttime',time());
-            unless ( $sessiontype eq 'anon' ) { #if this is an anonymous session, we want to update the session, but not behave as if they are logged in...
+            $cookie = $query->cookie(
+                -name => 'CGISESSID',
+                -value => $session->id,
+                -HttpOnly => 1
+            );
+            $session->param( 'lasttime', time() );
+            unless ( $sessiontype && $sessiontype eq 'anon' ) { #if this is an anonymous session, we want to update the session, but not behave as if they are logged in...
                 $flags = haspermission($userid, $flagsrequired);
                 if ($flags) {
                     $loggedin = 1;
@@ -717,8 +730,12 @@ sub checkauth {
         my $session = get_session("") or die "Auth ERROR: Cannot get_session()";
         my $sessionID = $session->id;
         C4::Context->_new_userenv($sessionID);
-        $cookie = $query->cookie( CGISESSID => $sessionID );
-        $userid = $query->param('userid');
+        $cookie = $query->cookie(
+            -name => 'CGISESSID',
+            -value => $session->id,
+            -HttpOnly => 1
+        );
+        $userid = $query->param('userid');
         if ( ( $cas && $query->param('ticket') )
             || $userid
             || ( my $pki_field = C4::Context->preference('AllowPKIAuth') ) ne
@@ -909,7 +926,11 @@ sub checkauth {
     { # successful login
         unless ($cookie) {
-            $cookie = $query->cookie( CGISESSID => '' );
+            $cookie = $query->cookie(
+                -name => 'CGISESSID',
+                -value => '',
+                -HttpOnly => 1
+            );
         }
         return ( $userid, $cookie, $sessionID, $flags );
     }
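Review bot: This is the third copy inside checkauth of the same `$query->cookie( -name => 'CGISESSID', -value => …, -HttpOnly => 1 )` call, with a fourth for the empty cookie in the next hunk, and nothing ties them together, so the next attribute added to the session cookie (`-secure`, a path, an expiry) has to be applied in four places and will drift. A small private builder next to `_timeout_syspref` keeps the attributes in one spot; the call here becomes `$cookie = _session_cookie( $query, $session->id );`, and the REMOTE_USER variant, which also passes `-expires => ''`, could hand that in as an optional third argument. checkauth continues on both sides of this hunk.
```perl
# Build the CGISESSID session cookie; every place that issues it goes through
# here so the cookie attributes stay consistent.
sub _session_cookie {
    my ( $query, $value ) = @_;
    return $query->cookie(
        -name     => 'CGISESSID',
        -value    => $value,
        -HttpOnly => 1,
    );
}
```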
@@ -927,17 +948,11 @@ sub checkauth {
         my $value = $query->param($name);
         push @inputs, { name => $name, value => $value };
     }
-    # get the branchloop, which we need for authentication
-    my $branches = GetBranches();
-    my @branch_loop;
-    for my $branch_hash (sort keys %$branches) {
-        push @branch_loop, {branchcode => "$branch_hash", branchname => $branches->{$branch_hash}->{'branchname'}, };
-    }
     my $template_name = ( $type eq 'opac' ) ? 'opac-auth.tmpl' : 'auth.tmpl';
     my $template = C4::Templates::gettemplate($template_name, $type, $query );
     $template->param(
-        branchloop => \@branch_loop,
+        branchloop => GetBranchesLoop(),
         opaccolorstylesheet => C4::Context->preference("opaccolorstylesheet"),
         opaclayoutstylesheet => C4::Context->preference("opaclayoutstylesheet"),
         login => 1,
@@ -962,10 +977,9 @@ sub checkauth {
         OpacAuthorities => C4::Context->preference("OpacAuthorities"),
         OpacBrowser => C4::Context->preference("OpacBrowser"),
         opacheader => C4::Context->preference("opacheader"),
-        TagsEnabled => C4::Context->preference("TagsEnabled"),
+        TagsEnabled => C4::Context->preference("TagsEnabled"),
         OPACUserCSS => C4::Context->preference("OPACUserCSS"),
-        intranetcolorstylesheet =>
-            C4::Context->preference("intranetcolorstylesheet"),
+        intranetcolorstylesheet => C4::Context->preference("intranetcolorstylesheet"),
         intranetstylesheet => C4::Context->preference("intranetstylesheet"),
         intranetbookbag => C4::Context->preference("intranetbookbag"),
         IntranetNav => C4::Context->preference("IntranetNav"),
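Review bot: `GetBranchesLoop()` replaces code that only ever called `GetBranches()`, so the `use C4::Branch` import list at the top of the file (outside this chunk) has to export `GetBranchesLoop` as well; if it does not, this fails at runtime on the login page with an undefined-subroutine error rather than at compile time. It is also worth confirming that the new loop yields the same `branchcode`/`branchname` keys the removed loop built, since the login templates presumably read those names. checkauth continues on both sides of this hunk.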
@@ -973,7 +987,9 @@ sub checkauth {
         intranetuserjs => C4::Context->preference("intranetuserjs"),
         IndependantBranches=> C4::Context->preference("IndependantBranches"),
         AutoLocation => C4::Context->preference("AutoLocation"),
-        wrongip => $info{'wrongip'},
+        wrongip => $info{'wrongip'},
+        PatronSelfRegistration => C4::Context->preference("PatronSelfRegistration"),
+        PatronSelfRegistrationDefaultCategory => C4::Context->preference("PatronSelfRegistrationDefaultCategory"),
     );
     $template->param( OpacPublic => C4::Context->preference("OpacPublic"));
@@ -1059,8 +1075,7 @@ sub check_api_auth {
     my $flagsrequired = shift;
     my $dbh = C4::Context->dbh;
-    my $timeout = C4::Context->preference('timeout');
-    $timeout = 600 unless $timeout;
+    my $timeout = _timeout_syspref();
     unless (C4::Context->preference('Version')) {
         # database has not been installed yet
@@ -1292,8 +1307,7 @@ sub check_cookie_auth {
     my $flagsrequired = shift;
     my $dbh = C4::Context->dbh;
-    my $timeout = C4::Context->preference('timeout');
-    $timeout = 600 unless $timeout;
+    my $timeout = _timeout_syspref();
     unless (C4::Context->preference('Version')) {
         # database has not been installed yet
@@ -1493,7 +1507,13 @@ sub getuserflags {
     my $userid = shift;
     my $dbh = @_ ? shift : C4::Context->dbh;
     my $userflags;
-    $flags = 0 unless $flags;
+    {
+        # I don't want to do this, but if someone logs in as the database
+        # user, it would be preferable not to spam them to death with
+        # numeric warnings. So, we make $flags numeric.
+        no warnings 'numeric';
+        $flags += 0;
+    }
     my $sth = $dbh->prepare("SELECT bit, flag, defaulton FROM userflags");
     $sth->execute;
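Review bot: check_api_auth previously used the raw `timeout` syspref with only the 600 fallback, so switching it to `_timeout_syspref()` is a small behaviour change rather than a pure refactor — the `Nd` days form that only checkauth honoured now applies to API sessions too — and that deserves a word at the call site so the next reader does not assume the two paths were already equivalent: `my $timeout = _timeout_syspref();    # now also honours the "Nd" (days) form, like checkauth`. The identical change in check_cookie_auth below would carry the same note. check_api_auth continues outside this hunk.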