search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 10671: Update Reviews Help
[koha.git] / C4 / Auth.pm
blobd73edaf5f7cda2c06bd1acfa082b1f2bdb2d921f
1 package C4::Auth;
2
3 # Copyright 2000-2002 Katipo Communications
4 #
5 # This file is part of Koha.
6 #
7 # Koha is free software; you can redistribute it and/or modify it under the
8 # terms of the GNU General Public License as published by the Free Software
9 # Foundation; either version 2 of the License, or (at your option) any later
10 # version.
11 #
12 # Koha is distributed in the hope that it will be useful, but WITHOUT ANY
13 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
14 # A PARTICULAR PURPOSE. See the GNU General Public License for more details.
15 #
16 # You should have received a copy of the GNU General Public License along
17 # with Koha; if not, write to the Free Software Foundation, Inc.,
18 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19
20 use strict;
21 use warnings;
22 use Digest::MD5 qw(md5_base64);
23 use JSON qw/encode_json decode_json/;
24 use URI::Escape;
25 use CGI::Session;
26
27 require Exporter;
28 use C4::Context;
29 use C4::Templates; # to get the template
30 use C4::Branch; # GetBranches
31 use C4::VirtualShelves;
32 use Koha::AuthUtils qw(hash_password);
33 use POSIX qw/strftime/;
34 use List::MoreUtils qw/ any /;
35
36 # use utf8;
37 use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas $caslogout);
38
39 BEGIN {
40 sub psgi_env { any { /^psgi\./ } keys %ENV }
41 sub safe_exit {
42 if ( psgi_env ) { die 'psgi:exit' }
43 else { exit }
44 }
45 $VERSION = 3.07.00.049; # set version for version checking
46
47 $debug = $ENV{DEBUG};
48 @ISA = qw(Exporter);
49 @EXPORT = qw(&checkauth &get_template_and_user &haspermission &get_user_subpermissions);
50 @EXPORT_OK = qw(&check_api_auth &get_session &check_cookie_auth &checkpw &checkpw_internal &checkpw_hash
51 &get_all_subpermissions &get_user_subpermissions
52 ParseSearchHistoryCookie
53 );
54 %EXPORT_TAGS = ( EditPermissions => [qw(get_all_subpermissions get_user_subpermissions)] );
55 $ldap = C4::Context->config('useldapserver') || 0;
56 $cas = C4::Context->preference('casAuthentication');
57 $caslogout = C4::Context->preference('casLogout');
58 require C4::Auth_with_cas; # no import
59 if ($ldap) {
60 require C4::Auth_with_ldap;
61 import C4::Auth_with_ldap qw(checkpw_ldap);
62 }
63 if ($cas) {
64 import C4::Auth_with_cas qw(check_api_auth_cas checkpw_cas login_cas logout_cas login_cas_url);
65 }
66
67 }
68
69 =head1 NAME
70
71 C4::Auth - Authenticates Koha users
72
73 =head1 SYNOPSIS
74
75 use CGI;
76 use C4::Auth;
77 use C4::Output;
78
79 my $query = new CGI;
80
81 my ($template, $borrowernumber, $cookie)
82 = get_template_and_user(
83 {
84 template_name => "opac-main.tmpl",
85 query => $query,
86 type => "opac",
87 authnotrequired => 1,
88 flagsrequired => {borrow => 1, catalogue => '*', tools => 'import_patrons' },
89 }
90 );
91
92 output_html_with_http_headers $query, $cookie, $template->output;
93
94 =head1 DESCRIPTION
95
96 The main function of this module is to provide
97 authentification. However the get_template_and_user function has
98 been provided so that a users login information is passed along
99 automatically. This gets loaded into the template.
100
101 =head1 FUNCTIONS
102
103 =head2 get_template_and_user
104
105 my ($template, $borrowernumber, $cookie)
106 = get_template_and_user(
107 {
108 template_name => "opac-main.tmpl",
109 query => $query,
110 type => "opac",
111 authnotrequired => 1,
112 flagsrequired => {borrow => 1, catalogue => '*', tools => 'import_patrons' },
113 }
114 );
115
116 This call passes the C<query>, C<flagsrequired> and C<authnotrequired>
117 to C<&checkauth> (in this module) to perform authentification.
118 See C<&checkauth> for an explanation of these parameters.
119
120 The C<template_name> is then used to find the correct template for
121 the page. The authenticated users details are loaded onto the
122 template in the HTML::Template LOOP variable C<USER_INFO>. Also the
123 C<sessionID> is passed to the template. This can be used in templates
124 if cookies are disabled. It needs to be put as and input to every
125 authenticated page.
126
127 More information on the C<gettemplate> sub can be found in the
128 Output.pm module.
129
130 =cut
131
132 my $SEARCH_HISTORY_INSERT_SQL =<<EOQ;
133 INSERT INTO search_history(userid, sessionid, query_desc, query_cgi, total, time )
134 VALUES ( ?, ?, ?, ?, ?, FROM_UNIXTIME(?))
135 EOQ
136
137 sub get_template_and_user {
138
139 my $in = shift;
140 my ( $user, $cookie, $sessionID, $flags );
141
142 my $template = C4::Templates::gettemplate(
143 $in->{'template_name'},
144 $in->{'type'},
145 $in->{'query'},
146 $in->{'is_plugin'}
147 );
148
149 if ( $in->{'template_name'} !~m/maintenance/ ) {
150 ( $user, $cookie, $sessionID, $flags ) = checkauth(
151 $in->{'query'},
152 $in->{'authnotrequired'},
153 $in->{'flagsrequired'},
154 $in->{'type'}
155 );
156 }
157
158 my $borrowernumber;
159 if ($user) {
160 require C4::Members;
161 # It's possible for $user to be the borrowernumber if they don't have a
162 # userid defined (and are logging in through some other method, such
163 # as SSL certs against an email address)
164 $borrowernumber = getborrowernumber($user) if defined($user);
165 if (!defined($borrowernumber) && defined($user)) {
166 my $borrower = C4::Members::GetMember(borrowernumber => $user);
167 if ($borrower) {
168 $borrowernumber = $user;
169 # A bit of a hack, but I don't know there's a nicer way
170 # to do it.
171 $user = $borrower->{firstname} . ' ' . $borrower->{surname};
172 }
173 }
174
175 # user info
176 $template->param( loggedinusername => $user );
177 $template->param( sessionID => $sessionID );
178
179 my ($total, $pubshelves, $barshelves) = C4::VirtualShelves::GetSomeShelfNames($borrowernumber, 'MASTHEAD');
180 $template->param(
181 pubshelves => $total->{pubtotal},
182 pubshelvesloop => $pubshelves,
183 barshelves => $total->{bartotal},
184 barshelvesloop => $barshelves,
185 );
186
187 my ( $borr ) = C4::Members::GetMemberDetails( $borrowernumber );
188 my @bordat;
189 $bordat[0] = $borr;
190 $template->param( "USER_INFO" => \@bordat );
191
192 my $all_perms = get_all_subpermissions();
193
194 my @flagroots = qw(circulate catalogue parameters borrowers permissions reserveforothers borrow
195 editcatalogue updatecharges management tools editauthorities serials reports acquisition);
196 # We are going to use the $flags returned by checkauth
197 # to create the template's parameters that will indicate
198 # which menus the user can access.
199 if ( $flags && $flags->{superlibrarian}==1 ) {
200 $template->param( CAN_user_circulate => 1 );
201 $template->param( CAN_user_catalogue => 1 );
202 $template->param( CAN_user_parameters => 1 );
203 $template->param( CAN_user_borrowers => 1 );
204 $template->param( CAN_user_permissions => 1 );
205 $template->param( CAN_user_reserveforothers => 1 );
206 $template->param( CAN_user_borrow => 1 );
207 $template->param( CAN_user_editcatalogue => 1 );
208 $template->param( CAN_user_updatecharges => 1 );
209 $template->param( CAN_user_acquisition => 1 );
210 $template->param( CAN_user_management => 1 );
211 $template->param( CAN_user_tools => 1 );
212 $template->param( CAN_user_editauthorities => 1 );
213 $template->param( CAN_user_serials => 1 );
214 $template->param( CAN_user_reports => 1 );
215 $template->param( CAN_user_staffaccess => 1 );
216 $template->param( CAN_user_plugins => 1 );
217 $template->param( CAN_user_coursereserves => 1 );
218 foreach my $module (keys %$all_perms) {
219 foreach my $subperm (keys %{ $all_perms->{$module} }) {
220 $template->param( "CAN_user_${module}_${subperm}" => 1 );
221 }
222 }
223 }
224
225 if ( $flags ) {
226 foreach my $module (keys %$all_perms) {
227 if ( $flags->{$module} == 1) {
228 foreach my $subperm (keys %{ $all_perms->{$module} }) {
229 $template->param( "CAN_user_${module}_${subperm}" => 1 );
230 }
231 } elsif ( ref($flags->{$module}) ) {
232 foreach my $subperm (keys %{ $flags->{$module} } ) {
233 $template->param( "CAN_user_${module}_${subperm}" => 1 );
234 }
235 }
236 }
237 }
238
239 if ($flags) {
240 foreach my $module (keys %$flags) {
241 if ( $flags->{$module} == 1 or ref($flags->{$module}) ) {
242 $template->param( "CAN_user_$module" => 1 );
243 if ($module eq "parameters") {
244 $template->param( CAN_user_management => 1 );
245 }
246 }
247 }
248 }
249 # Logged-in opac search history
250 # If the requested template is an opac one and opac search history is enabled
251 if ($in->{type} eq 'opac' && C4::Context->preference('EnableOpacSearchHistory')) {
252 my $dbh = C4::Context->dbh;
253 my $query = "SELECT COUNT(*) FROM search_history WHERE userid=?";
254 my $sth = $dbh->prepare($query);
255 $sth->execute($borrowernumber);
256
257 # If at least one search has already been performed
258 if ($sth->fetchrow_array > 0) {
259 # We show the link in opac
260 $template->param(ShowOpacRecentSearchLink => 1);
261 }
262
263 # And if there's a cookie with searches performed when the user was not logged in,
264 # we add them to the logged-in search history
265 my @recentSearches = ParseSearchHistoryCookie($in->{'query'});
266 if (@recentSearches) {
267 my $sth = $dbh->prepare($SEARCH_HISTORY_INSERT_SQL);
268 $sth->execute( $borrowernumber,
269 $in->{'query'}->cookie("CGISESSID"),
270 $_->{'query_desc'},
271 $_->{'query_cgi'},
272 $_->{'total'},
273 $_->{'time'},
274 ) foreach @recentSearches;
275
276 # And then, delete the cookie's content
277 my $newsearchcookie = $in->{'query'}->cookie(
278 -name => 'KohaOpacRecentSearches',
279 -value => encode_json([]),
280 -HttpOnly => 1,
281 -expires => ''
282 );
283 $cookie = [$cookie, $newsearchcookie];
284 }
285 }
286 }
287 else { # if this is an anonymous session, setup to display public lists...
288
289 $template->param( sessionID => $sessionID );
290
291 my ($total, $pubshelves) = C4::VirtualShelves::GetSomeShelfNames(undef, 'MASTHEAD');
292 $template->param(
293 pubshelves => $total->{pubtotal},
294 pubshelvesloop => $pubshelves,
295 );
296 }
297 # Anonymous opac search history
298 # If opac search history is enabled and at least one search has already been performed
299 if (C4::Context->preference('EnableOpacSearchHistory')) {
300 my @recentSearches = ParseSearchHistoryCookie($in->{'query'});
301 if (@recentSearches) {
302 $template->param(ShowOpacRecentSearchLink => 1);
303 }
304 }
305
306 if(C4::Context->preference('dateformat')){
307 $template->param(dateformat => C4::Context->preference('dateformat'))
308 }
309
310 # these template parameters are set the same regardless of $in->{'type'}
311 $template->param(
312 "BiblioDefaultView".C4::Context->preference("BiblioDefaultView") => 1,
313 EnhancedMessagingPreferences => C4::Context->preference('EnhancedMessagingPreferences'),
314 GoogleJackets => C4::Context->preference("GoogleJackets"),
315 OpenLibraryCovers => C4::Context->preference("OpenLibraryCovers"),
316 KohaAdminEmailAddress => "" . C4::Context->preference("KohaAdminEmailAddress"),
317 LoginBranchcode => (C4::Context->userenv?C4::Context->userenv->{"branch"}:undef),
318 LoginFirstname => (C4::Context->userenv?C4::Context->userenv->{"firstname"}:"Bel"),
319 LoginSurname => C4::Context->userenv?C4::Context->userenv->{"surname"}:"Inconnu",
320 emailaddress => C4::Context->userenv?C4::Context->userenv->{"emailaddress"}:undef,
321 loggedinpersona => C4::Context->userenv?C4::Context->userenv->{"persona"}:undef,
322 TagsEnabled => C4::Context->preference("TagsEnabled"),
323 hide_marc => C4::Context->preference("hide_marc"),
324 item_level_itypes => C4::Context->preference('item-level_itypes'),
325 patronimages => C4::Context->preference("patronimages"),
326 singleBranchMode => C4::Context->preference("singleBranchMode"),
327 XSLTDetailsDisplay => C4::Context->preference("XSLTDetailsDisplay"),
328 XSLTResultsDisplay => C4::Context->preference("XSLTResultsDisplay"),
329 using_https => $in->{'query'}->https() ? 1 : 0,
330 noItemTypeImages => C4::Context->preference("noItemTypeImages"),
331 marcflavour => C4::Context->preference("marcflavour"),
332 persona => C4::Context->preference("persona"),
333 );
334 if ( $in->{'type'} eq "intranet" ) {
335 $template->param(
336 AmazonCoverImages => C4::Context->preference("AmazonCoverImages"),
337 AutoLocation => C4::Context->preference("AutoLocation"),
338 "BiblioDefaultView".C4::Context->preference("IntranetBiblioDefaultView") => 1,
339 CalendarFirstDayOfWeek => (C4::Context->preference("CalendarFirstDayOfWeek") eq "Sunday")?0:1,
340 CircAutocompl => C4::Context->preference("CircAutocompl"),
341 FRBRizeEditions => C4::Context->preference("FRBRizeEditions"),
342 IndependentBranches => C4::Context->preference("IndependentBranches"),
343 IntranetNav => C4::Context->preference("IntranetNav"),
344 IntranetmainUserblock => C4::Context->preference("IntranetmainUserblock"),
345 LibraryName => C4::Context->preference("LibraryName"),
346 LoginBranchname => (C4::Context->userenv?C4::Context->userenv->{"branchname"}:undef),
347 advancedMARCEditor => C4::Context->preference("advancedMARCEditor"),
348 canreservefromotherbranches => C4::Context->preference('canreservefromotherbranches'),
349 intranetcolorstylesheet => C4::Context->preference("intranetcolorstylesheet"),
350 IntranetFavicon => C4::Context->preference("IntranetFavicon"),
351 intranetreadinghistory => C4::Context->preference("intranetreadinghistory"),
352 intranetstylesheet => C4::Context->preference("intranetstylesheet"),
353 IntranetUserCSS => C4::Context->preference("IntranetUserCSS"),
354 intranetuserjs => C4::Context->preference("intranetuserjs"),
355 intranetbookbag => C4::Context->preference("intranetbookbag"),
356 suggestion => C4::Context->preference("suggestion"),
357 virtualshelves => C4::Context->preference("virtualshelves"),
358 StaffSerialIssueDisplayCount => C4::Context->preference("StaffSerialIssueDisplayCount"),
359 EasyAnalyticalRecords => C4::Context->preference('EasyAnalyticalRecords'),
360 LocalCoverImages => C4::Context->preference('LocalCoverImages'),
361 OPACLocalCoverImages => C4::Context->preference('OPACLocalCoverImages'),
362 AllowMultipleCovers => C4::Context->preference('AllowMultipleCovers'),
363 EnableBorrowerFiles => C4::Context->preference('EnableBorrowerFiles'),
364 UseKohaPlugins => C4::Context->preference('UseKohaPlugins'),
365 UseCourseReserves => C4::Context->preference("UseCourseReserves"),
366 );
367 }
368 else {
369 warn "template type should be OPAC, here it is=[" . $in->{'type'} . "]" unless ( $in->{'type'} eq 'opac' );
370 #TODO : replace LibraryName syspref with 'system name', and remove this html processing
371 my $LibraryNameTitle = C4::Context->preference("LibraryName");
372 $LibraryNameTitle =~ s/<(?:\/?)(?:br|p)\s*(?:\/?)>/ /sgi;
373 $LibraryNameTitle =~ s/<(?:[^<>'"]|'(?:[^']*)'|"(?:[^"]*)")*>//sg;
374 # clean up the busc param in the session if the page is not opac-detail
375 if (C4::Context->preference("OpacBrowseResults") && $in->{'template_name'} =~ /opac-(.+)\.(?:tt|tmpl)$/ && $1 !~ /^(?:MARC|ISBD)?detail$/) {
376 my $sessionSearch = get_session($sessionID || $in->{'query'}->cookie("CGISESSID"));
377 $sessionSearch->clear(["busc"]) if ($sessionSearch->param("busc"));
378 }
379 # variables passed from CGI: opac_css_override and opac_search_limits.
380 my $opac_search_limit = $ENV{'OPAC_SEARCH_LIMIT'};
381 my $opac_limit_override = $ENV{'OPAC_LIMIT_OVERRIDE'};
382 my $opac_name = '';
383 if (($opac_search_limit && $opac_search_limit =~ /branch:(\w+)/ && $opac_limit_override) || ($in->{'query'}->param('limit') && $in->{'query'}->param('limit') =~ /branch:(\w+)/)){
384 $opac_name = $1; # opac_search_limit is a branch, so we use it.
385 } elsif ( $in->{'query'}->param('multibranchlimit') ) {
386 $opac_name = $in->{'query'}->param('multibranchlimit');
387 } elsif (C4::Context->preference("SearchMyLibraryFirst") && C4::Context->userenv && C4::Context->userenv->{'branch'}) {
388 $opac_name = C4::Context->userenv->{'branch'};
389 }
390 $template->param(
391 opaccolorstylesheet => C4::Context->preference("opaccolorstylesheet"),
392 AnonSuggestions => "" . C4::Context->preference("AnonSuggestions"),
393 AuthorisedValueImages => C4::Context->preference("AuthorisedValueImages"),
394 BranchesLoop => GetBranchesLoop($opac_name),
395 BranchCategoriesLoop => GetBranchCategories( 'searchdomain', 1, $opac_name ),
396 CalendarFirstDayOfWeek => (C4::Context->preference("CalendarFirstDayOfWeek") eq "Sunday")?0:1,
397 LibraryName => "" . C4::Context->preference("LibraryName"),
398 LibraryNameTitle => "" . $LibraryNameTitle,
399 LoginBranchname => C4::Context->userenv?C4::Context->userenv->{"branchname"}:"",
400 OPACAmazonCoverImages => C4::Context->preference("OPACAmazonCoverImages"),
401 OPACFRBRizeEditions => C4::Context->preference("OPACFRBRizeEditions"),
402 OpacHighlightedWords => C4::Context->preference("OpacHighlightedWords"),
403 OPACItemHolds => C4::Context->preference("OPACItemHolds"),
404 OPACShelfBrowser => "". C4::Context->preference("OPACShelfBrowser"),
405 OPACURLOpenInNewWindow => "" . C4::Context->preference("OPACURLOpenInNewWindow"),
406 OPACUserCSS => "". C4::Context->preference("OPACUserCSS"),
407 OPACMobileUserCSS => "". C4::Context->preference("OPACMobileUserCSS"),
408 OPACViewOthersSuggestions => "" . C4::Context->preference("OPACViewOthersSuggestions"),
409 OpacAuthorities => C4::Context->preference("OpacAuthorities"),
410 OPACBaseURL => ($in->{'query'}->https() ? "https://" : "http://") . $ENV{'SERVER_NAME'} .
411 ($ENV{'SERVER_PORT'} eq ($in->{'query'}->https() ? "443" : "80") ? '' : ":$ENV{'SERVER_PORT'}"),
412 opac_css_override => $ENV{'OPAC_CSS_OVERRIDE'},
413 opac_search_limit => $opac_search_limit,
414 opac_limit_override => $opac_limit_override,
415 OpacBrowser => C4::Context->preference("OpacBrowser"),
416 OpacCloud => C4::Context->preference("OpacCloud"),
417 OpacKohaUrl => C4::Context->preference("OpacKohaUrl"),
418 OpacMainUserBlock => "" . C4::Context->preference("OpacMainUserBlock"),
419 OpacMainUserBlockMobile => "" . C4::Context->preference("OpacMainUserBlockMobile"),
420 OpacShowFiltersPulldownMobile => C4::Context->preference("OpacShowFiltersPulldownMobile"),
421 OpacShowLibrariesPulldownMobile => C4::Context->preference("OpacShowLibrariesPulldownMobile"),
422 OpacNav => "" . C4::Context->preference("OpacNav"),
423 OpacNavRight => "" . C4::Context->preference("OpacNavRight"),
424 OpacNavBottom => "" . C4::Context->preference("OpacNavBottom"),
425 OpacPasswordChange => C4::Context->preference("OpacPasswordChange"),
426 OPACPatronDetails => C4::Context->preference("OPACPatronDetails"),
427 OPACPrivacy => C4::Context->preference("OPACPrivacy"),
428 OPACFinesTab => C4::Context->preference("OPACFinesTab"),
429 OpacTopissue => C4::Context->preference("OpacTopissue"),
430 RequestOnOpac => C4::Context->preference("RequestOnOpac"),
431 'Version' => C4::Context->preference('Version'),
432 hidelostitems => C4::Context->preference("hidelostitems"),
433 mylibraryfirst => (C4::Context->preference("SearchMyLibraryFirst") && C4::Context->userenv) ? C4::Context->userenv->{'branch'} : '',
434 opaclayoutstylesheet => "" . C4::Context->preference("opaclayoutstylesheet"),
435 opacbookbag => "" . C4::Context->preference("opacbookbag"),
436 opaccredits => "" . C4::Context->preference("opaccredits"),
437 OpacFavicon => C4::Context->preference("OpacFavicon"),
438 opacheader => "" . C4::Context->preference("opacheader"),
439 opaclanguagesdisplay => "" . C4::Context->preference("opaclanguagesdisplay"),
440 opacreadinghistory => C4::Context->preference("opacreadinghistory"),
441 opacsmallimage => "" . C4::Context->preference("opacsmallimage"),
442 opacuserjs => C4::Context->preference("opacuserjs"),
443 opacuserlogin => "" . C4::Context->preference("opacuserlogin"),
444 ShowReviewer => C4::Context->preference("ShowReviewer"),
445 ShowReviewerPhoto => C4::Context->preference("ShowReviewerPhoto"),
446 suggestion => "" . C4::Context->preference("suggestion"),
447 virtualshelves => "" . C4::Context->preference("virtualshelves"),
448 OPACSerialIssueDisplayCount => C4::Context->preference("OPACSerialIssueDisplayCount"),
449 OPACXSLTDetailsDisplay => C4::Context->preference("OPACXSLTDetailsDisplay"),
450 OPACXSLTResultsDisplay => C4::Context->preference("OPACXSLTResultsDisplay"),
451 SyndeticsClientCode => C4::Context->preference("SyndeticsClientCode"),
452 SyndeticsEnabled => C4::Context->preference("SyndeticsEnabled"),
453 SyndeticsCoverImages => C4::Context->preference("SyndeticsCoverImages"),
454 SyndeticsTOC => C4::Context->preference("SyndeticsTOC"),
455 SyndeticsSummary => C4::Context->preference("SyndeticsSummary"),
456 SyndeticsEditions => C4::Context->preference("SyndeticsEditions"),
457 SyndeticsExcerpt => C4::Context->preference("SyndeticsExcerpt"),
458 SyndeticsReviews => C4::Context->preference("SyndeticsReviews"),
459 SyndeticsAuthorNotes => C4::Context->preference("SyndeticsAuthorNotes"),
460 SyndeticsAwards => C4::Context->preference("SyndeticsAwards"),
461 SyndeticsSeries => C4::Context->preference("SyndeticsSeries"),
462 SyndeticsCoverImageSize => C4::Context->preference("SyndeticsCoverImageSize"),
463 OPACLocalCoverImages => C4::Context->preference("OPACLocalCoverImages"),
464 PatronSelfRegistration => C4::Context->preference("PatronSelfRegistration"),
465 PatronSelfRegistrationDefaultCategory => C4::Context->preference("PatronSelfRegistrationDefaultCategory"),
466 );
467
468 $template->param(OpacPublic => '1') if ($user || C4::Context->preference("OpacPublic"));
469 }
470
471 # Check if we were asked using parameters to force a specific language
472 if ( defined $in->{'query'}->param('language') ) {
473 # Extract the language, let C4::Templates::getlanguage choose
474 # what to do
475 my $language = C4::Templates::getlanguage($in->{'query'},$in->{'type'});
476 my $languagecookie = C4::Templates::getlanguagecookie($in->{'query'},$language);
477 if ( ref $cookie eq 'ARRAY' ) {
478 push @{ $cookie }, $languagecookie;
479 } else {
480 $cookie = [$cookie, $languagecookie];
481 }
482 }
483
484 return ( $template, $borrowernumber, $cookie, $flags);
485 }
486
487 =head2 checkauth
488
489 ($userid, $cookie, $sessionID) = &checkauth($query, $noauth, $flagsrequired, $type);
490
491 Verifies that the user is authorized to run this script. If
492 the user is authorized, a (userid, cookie, session-id, flags)
493 quadruple is returned. If the user is not authorized but does
494 not have the required privilege (see $flagsrequired below), it
495 displays an error page and exits. Otherwise, it displays the
496 login page and exits.
497
498 Note that C<&checkauth> will return if and only if the user
499 is authorized, so it should be called early on, before any
500 unfinished operations (e.g., if you've opened a file, then
501 C<&checkauth> won't close it for you).
502
503 C<$query> is the CGI object for the script calling C<&checkauth>.
504
505 The C<$noauth> argument is optional. If it is set, then no
506 authorization is required for the script.
507
508 C<&checkauth> fetches user and session information from C<$query> and
509 ensures that the user is authorized to run scripts that require
510 authorization.
511
512 The C<$flagsrequired> argument specifies the required privileges
513 the user must have if the username and password are correct.
514 It should be specified as a reference-to-hash; keys in the hash
515 should be the "flags" for the user, as specified in the Members
516 intranet module. Any key specified must correspond to a "flag"
517 in the userflags table. E.g., { circulate => 1 } would specify
518 that the user must have the "circulate" privilege in order to
519 proceed. To make sure that access control is correct, the
520 C<$flagsrequired> parameter must be specified correctly.
521
522 Koha also has a concept of sub-permissions, also known as
523 granular permissions. This makes the value of each key
524 in the C<flagsrequired> hash take on an additional
525 meaning, i.e.,
526
527 1
528
529 The user must have access to all subfunctions of the module
530 specified by the hash key.
531
532 *
533
534 The user must have access to at least one subfunction of the module
535 specified by the hash key.
536
537 specific permission, e.g., 'export_catalog'
538
539 The user must have access to the specific subfunction list, which
540 must correspond to a row in the permissions table.
541
542 The C<$type> argument specifies whether the template should be
543 retrieved from the opac or intranet directory tree. "opac" is
544 assumed if it is not specified; however, if C<$type> is specified,
545 "intranet" is assumed if it is not "opac".
546
547 If C<$query> does not have a valid session ID associated with it
548 (i.e., the user has not logged in) or if the session has expired,
549 C<&checkauth> presents the user with a login page (from the point of
550 view of the original script, C<&checkauth> does not return). Once the
551 user has authenticated, C<&checkauth> restarts the original script
552 (this time, C<&checkauth> returns).
553
554 The login page is provided using a HTML::Template, which is set in the
555 systempreferences table or at the top of this file. The variable C<$type>
556 selects which template to use, either the opac or the intranet
557 authentification template.
558
559 C<&checkauth> returns a user ID, a cookie, and a session ID. The
560 cookie should be sent back to the browser; it verifies that the user
561 has authenticated.
562
563 =cut
564
565 sub _version_check {
566 my $type = shift;
567 my $query = shift;
568 my $version;
569 # If Version syspref is unavailable, it means Koha is beeing installed,
570 # and so we must redirect to OPAC maintenance page or to the WebInstaller
571 # also, if OpacMaintenance is ON, OPAC should redirect to maintenance
572 if (C4::Context->preference('OpacMaintenance') && $type eq 'opac') {
573 warn "OPAC Install required, redirecting to maintenance";
574 print $query->redirect("/cgi-bin/koha/maintenance.pl");
575 safe_exit;
576 }
577 unless ( $version = C4::Context->preference('Version') ) { # assignment, not comparison
578 if ( $type ne 'opac' ) {
579 warn "Install required, redirecting to Installer";
580 print $query->redirect("/cgi-bin/koha/installer/install.pl");
581 } else {
582 warn "OPAC Install required, redirecting to maintenance";
583 print $query->redirect("/cgi-bin/koha/maintenance.pl");
584 }
585 safe_exit;
586 }
587
588 # check that database and koha version are the same
589 # there is no DB version, it's a fresh install,
590 # go to web installer
591 # there is a DB version, compare it to the code version
592 my $kohaversion=C4::Context::KOHAVERSION;
593 # remove the 3 last . to have a Perl number
594 $kohaversion =~ s/(.*\..*)\.(.*)\.(.*)/$1$2$3/;
595 $debug and print STDERR "kohaversion : $kohaversion\n";
596 if ($version < $kohaversion){
597 my $warning = "Database update needed, redirecting to %s. Database is $version and Koha is $kohaversion";
598 if ($type ne 'opac'){
599 warn sprintf($warning, 'Installer');
600 print $query->redirect("/cgi-bin/koha/installer/install.pl?step=3");
601 } else {
602 warn sprintf("OPAC: " . $warning, 'maintenance');
603 print $query->redirect("/cgi-bin/koha/maintenance.pl");
604 }
605 safe_exit;
606 }
607 }
608
609 sub _session_log {
610 (@_) or return 0;
611 open my $fh, '>>', "/tmp/sessionlog" or warn "ERROR: Cannot append to /tmp/sessionlog";
612 printf $fh join("\n",@_);
613 close $fh;
614 }
615
616 sub _timeout_syspref {
617 my $timeout = C4::Context->preference('timeout') || 600;
618 # value in days, convert in seconds
619 if ($timeout =~ /(\d+)[dD]/) {
620 $timeout = $1 * 86400;
621 };
622 return $timeout;
623 }
624
625 sub checkauth {
626 my $query = shift;
627 $debug and warn "Checking Auth";
628 # $authnotrequired will be set for scripts which will run without authentication
629 my $authnotrequired = shift;
630 my $flagsrequired = shift;
631 my $type = shift;
632 my $persona = shift;
633 $type = 'opac' unless $type;
634
635 my $dbh = C4::Context->dbh;
636 my $timeout = _timeout_syspref();
637
638 _version_check($type,$query);
639 # state variables
640 my $loggedin = 0;
641 my %info;
642 my ( $userid, $cookie, $sessionID, $flags, $barshelves, $pubshelves );
643 my $logout = $query->param('logout.x');
644
645 # This parameter is the name of the CAS server we want to authenticate against,
646 # when using authentication against multiple CAS servers, as configured in Auth_cas_servers.yaml
647 my $casparam = $query->param('cas');
648
649 if ( $userid = $ENV{'REMOTE_USER'} ) {
650 # Using Basic Authentication, no cookies required
651 $cookie = $query->cookie(
652 -name => 'CGISESSID',
653 -value => '',
654 -expires => '',
655 -HttpOnly => 1,
656 );
657 $loggedin = 1;
658 }
659 elsif ( $persona ){
660 # we dont want to set a session because we are being called by a persona callback
661 }
662 elsif ( $sessionID = $query->cookie("CGISESSID") )
663 { # assignment, not comparison
664 my $session = get_session($sessionID);
665 C4::Context->_new_userenv($sessionID);
666 my ($ip, $lasttime, $sessiontype);
667 if ($session){
668 C4::Context::set_userenv(
669 $session->param('number'), $session->param('id'),
670 $session->param('cardnumber'), $session->param('firstname'),
671 $session->param('surname'), $session->param('branch'),
672 $session->param('branchname'), $session->param('flags'),
673 $session->param('emailaddress'), $session->param('branchprinter'),
674 $session->param('persona')
675 );
676 C4::Context::set_shelves_userenv('bar',$session->param('barshelves'));
677 C4::Context::set_shelves_userenv('pub',$session->param('pubshelves'));
678 C4::Context::set_shelves_userenv('tot',$session->param('totshelves'));
679 $debug and printf STDERR "AUTH_SESSION: (%s)\t%s %s - %s\n", map {$session->param($_)} qw(cardnumber firstname surname branch) ;
680 $ip = $session->param('ip');
681 $lasttime = $session->param('lasttime');
682 $userid = $session->param('id');
683 $sessiontype = $session->param('sessiontype') || '';
684 }
685 if ( ( ($query->param('koha_login_context')) && ($query->param('userid') ne $session->param('id')) )
686 || ( $cas && $query->param('ticket') ) ) {
687 #if a user enters an id ne to the id in the current session, we need to log them in...
688 #first we need to clear the anonymous session...
689 $debug and warn "query id = " . $query->param('userid') . " but session id = " . $session->param('id');
690 $session->flush;
691 $session->delete();
692 C4::Context->_unset_userenv($sessionID);
693 $sessionID = undef;
694 $userid = undef;
695 }
696 elsif ($logout) {
697 # voluntary logout the user
698 $session->flush;
699 $session->delete();
700 C4::Context->_unset_userenv($sessionID);
701 #_session_log(sprintf "%20s from %16s logged out at %30s (manually).\n", $userid,$ip,(strftime "%c",localtime));
702 $sessionID = undef;
703 $userid = undef;
704
705 if ($cas and $caslogout) {
706 logout_cas($query);
707 }
708 }
709 elsif ( $lasttime < time() - $timeout ) {
710 # timed logout
711 $info{'timed_out'} = 1;
712 $session->delete() if $session;
713 C4::Context->_unset_userenv($sessionID);
714 #_session_log(sprintf "%20s from %16s logged out at %30s (inactivity).\n", $userid,$ip,(strftime "%c",localtime));
715 $userid = undef;
716 $sessionID = undef;
717 }
718 elsif ( $ip ne $ENV{'REMOTE_ADDR'} ) {
719 # Different ip than originally logged in from
720 $info{'oldip'} = $ip;
721 $info{'newip'} = $ENV{'REMOTE_ADDR'};
722 $info{'different_ip'} = 1;
723 $session->delete();
724 C4::Context->_unset_userenv($sessionID);
725 #_session_log(sprintf "%20s from %16s logged out at %30s (ip changed to %16s).\n", $userid,$ip,(strftime "%c",localtime), $info{'newip'});
726 $sessionID = undef;
727 $userid = undef;
728 }
729 else {
730 $cookie = $query->cookie(
731 -name => 'CGISESSID',
732 -value => $session->id,
733 -HttpOnly => 1
734 );
735 $session->param( 'lasttime', time() );
736 unless ( $sessiontype && $sessiontype eq 'anon' ) { #if this is an anonymous session, we want to update the session, but not behave as if they are logged in...
737 $flags = haspermission($userid, $flagsrequired);
738 if ($flags) {
739 $loggedin = 1;
740 } else {
741 $info{'nopermission'} = 1;
742 }
743 }
744 }
745 }
746 unless ($userid || $sessionID) {
747
748 #we initiate a session prior to checking for a username to allow for anonymous sessions...
749 my $session = get_session("") or die "Auth ERROR: Cannot get_session()";
750 my $sessionID = $session->id;
751 C4::Context->_new_userenv($sessionID);
752 $cookie = $query->cookie(
753 -name => 'CGISESSID',
754 -value => $session->id,
755 -HttpOnly => 1
756 );
757 $userid = $query->param('userid');
758 if ( ( $cas && $query->param('ticket') )
759 || $userid
760 || ( my $pki_field = C4::Context->preference('AllowPKIAuth') ) ne
761 'None' || $persona )
762 {
763 my $password = $query->param('password');
764
765 my ( $return, $cardnumber );
766 if ( $cas && $query->param('ticket') ) {
767 my $retuserid;
768 ( $return, $cardnumber, $retuserid ) =
769 checkpw( $dbh, $userid, $password, $query );
770 $userid = $retuserid;
771 $info{'invalidCasLogin'} = 1 unless ($return);
772 }
773
774 elsif ($persona) {
775 my $value = $persona;
776
777 # If we're looking up the email, there's a chance that the person
778 # doesn't have a userid. So if there is none, we pass along the
779 # borrower number, and the bits of code that need to know the user
780 # ID will have to be smart enough to handle that.
781 require C4::Members;
782 my @users_info = C4::Members::GetBorrowersWithEmail($value);
783 if (@users_info) {
784
785 # First the userid, then the borrowernum
786 $value = $users_info[0][1] || $users_info[0][0];
787 }
788 else {
789 undef $value;
790 }
791 $return = $value ? 1 : 0;
792 $userid = $value;
793 }
794
795 elsif (
796 ( $pki_field eq 'Common Name' && $ENV{'SSL_CLIENT_S_DN_CN'} )
797 || ( $pki_field eq 'emailAddress'
798 && $ENV{'SSL_CLIENT_S_DN_Email'} )
799 )
800 {
801 my $value;
802 if ( $pki_field eq 'Common Name' ) {
803 $value = $ENV{'SSL_CLIENT_S_DN_CN'};
804 }
805 elsif ( $pki_field eq 'emailAddress' ) {
806 $value = $ENV{'SSL_CLIENT_S_DN_Email'};
807
808 # If we're looking up the email, there's a chance that the person
809 # doesn't have a userid. So if there is none, we pass along the
810 # borrower number, and the bits of code that need to know the user
811 # ID will have to be smart enough to handle that.
812 require C4::Members;
813 my @users_info = C4::Members::GetBorrowersWithEmail($value);
814 if (@users_info) {
815
816 # First the userid, then the borrowernum
817 $value = $users_info[0][1] || $users_info[0][0];
818 } else {
819 undef $value;
820 }
821 }
822
823
824 $return = $value ? 1 : 0;
825 $userid = $value;
826
827 }
828 else {
829 my $retuserid;
830 ( $return, $cardnumber, $retuserid ) =
831 checkpw( $dbh, $userid, $password, $query );
832 $userid = $retuserid if ( $retuserid ne '' );
833 }
834 if ($return) {
835 #_session_log(sprintf "%20s from %16s logged in at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},(strftime '%c', localtime));
836 if ( $flags = haspermission( $userid, $flagsrequired ) ) {
837 $loggedin = 1;
838 }
839 else {
840 $info{'nopermission'} = 1;
841 C4::Context->_unset_userenv($sessionID);
842 }
843 my ($borrowernumber, $firstname, $surname, $userflags,
844 $branchcode, $branchname, $branchprinter, $emailaddress);
845
846 if ( $return == 1 ) {
847 my $select = "
848 SELECT borrowernumber, firstname, surname, flags, borrowers.branchcode,
849 branches.branchname as branchname,
850 branches.branchprinter as branchprinter,
851 email
852 FROM borrowers
853 LEFT JOIN branches on borrowers.branchcode=branches.branchcode
854 ";
855 my $sth = $dbh->prepare("$select where userid=?");
856 $sth->execute($userid);
857 unless ($sth->rows) {
858 $debug and print STDERR "AUTH_1: no rows for userid='$userid'\n";
859 $sth = $dbh->prepare("$select where cardnumber=?");
860 $sth->execute($cardnumber);
861
862 unless ($sth->rows) {
863 $debug and print STDERR "AUTH_2a: no rows for cardnumber='$cardnumber'\n";
864 $sth->execute($userid);
865 unless ($sth->rows) {
866 $debug and print STDERR "AUTH_2b: no rows for userid='$userid' AS cardnumber\n";
867 }
868 }
869 }
870 if ($sth->rows) {
871 ($borrowernumber, $firstname, $surname, $userflags,
872 $branchcode, $branchname, $branchprinter, $emailaddress) = $sth->fetchrow;
873 $debug and print STDERR "AUTH_3 results: " .
874 "$cardnumber,$borrowernumber,$userid,$firstname,$surname,$userflags,$branchcode,$emailaddress\n";
875 } else {
876 print STDERR "AUTH_3: no results for userid='$userid', cardnumber='$cardnumber'.\n";
877 }
878
879 # launch a sequence to check if we have a ip for the branch, i
880 # if we have one we replace the branchcode of the userenv by the branch bound in the ip.
881
882 my $ip = $ENV{'REMOTE_ADDR'};
883 # if they specify at login, use that
884 if ($query->param('branch')) {
885 $branchcode = $query->param('branch');
886 $branchname = GetBranchName($branchcode);
887 }
888 my $branches = GetBranches();
889 if (C4::Context->boolean_preference('IndependentBranches') && C4::Context->boolean_preference('Autolocation')){
890 # we have to check they are coming from the right ip range
891 my $domain = $branches->{$branchcode}->{'branchip'};
892 if ($ip !~ /^$domain/){
893 $loggedin=0;
894 $info{'wrongip'} = 1;
895 }
896 }
897
898 my @branchesloop;
899 foreach my $br ( keys %$branches ) {
900 # now we work with the treatment of ip
901 my $domain = $branches->{$br}->{'branchip'};
902 if ( $domain && $ip =~ /^$domain/ ) {
903 $branchcode = $branches->{$br}->{'branchcode'};
904
905 # new op dev : add the branchprinter and branchname in the cookie
906 $branchprinter = $branches->{$br}->{'branchprinter'};
907 $branchname = $branches->{$br}->{'branchname'};
908 }
909 }
910 $session->param('number',$borrowernumber);
911 $session->param('id',$userid);
912 $session->param('cardnumber',$cardnumber);
913 $session->param('firstname',$firstname);
914 $session->param('surname',$surname);
915 $session->param('branch',$branchcode);
916 $session->param('branchname',$branchname);
917 $session->param('flags',$userflags);
918 $session->param('emailaddress',$emailaddress);
919 $session->param('ip',$session->remote_addr());
920 $session->param('lasttime',time());
921 $debug and printf STDERR "AUTH_4: (%s)\t%s %s - %s\n", map {$session->param($_)} qw(cardnumber firstname surname branch) ;
922 }
923 elsif ( $return == 2 ) {
924 #We suppose the user is the superlibrarian
925 $borrowernumber = 0;
926 $session->param('number',0);
927 $session->param('id',C4::Context->config('user'));
928 $session->param('cardnumber',C4::Context->config('user'));
929 $session->param('firstname',C4::Context->config('user'));
930 $session->param('surname',C4::Context->config('user'));
931 $session->param('branch','NO_LIBRARY_SET');
932 $session->param('branchname','NO_LIBRARY_SET');
933 $session->param('flags',1);
934 $session->param('emailaddress', C4::Context->preference('KohaAdminEmailAddress'));
935 $session->param('ip',$session->remote_addr());
936 $session->param('lasttime',time());
937 }
938 if ($persona){
939 $session->param('persona',1);
940 }
941 C4::Context::set_userenv(
942 $session->param('number'), $session->param('id'),
943 $session->param('cardnumber'), $session->param('firstname'),
944 $session->param('surname'), $session->param('branch'),
945 $session->param('branchname'), $session->param('flags'),
946 $session->param('emailaddress'), $session->param('branchprinter'),
947 $session->param('persona')
948 );
949
950 }
951 else {
952 if ($userid) {
953 $info{'invalid_username_or_password'} = 1;
954 C4::Context->_unset_userenv($sessionID);
955 }
956 }
957 } # END if ( $userid = $query->param('userid') )
958 elsif ($type eq "opac") {
959 # if we are here this is an anonymous session; add public lists to it and a few other items...
960 # anonymous sessions are created only for the OPAC
961 $debug and warn "Initiating an anonymous session...";
962
963 # setting a couple of other session vars...
964 $session->param('ip',$session->remote_addr());
965 $session->param('lasttime',time());
966 $session->param('sessiontype','anon');
967 }
968 } # END unless ($userid)
969
970 # finished authentification, now respond
971 if ( $loggedin || $authnotrequired )
972 {
973 # successful login
974 unless ($cookie) {
975 $cookie = $query->cookie(
976 -name => 'CGISESSID',
977 -value => '',
978 -HttpOnly => 1
979 );
980 }
981 return ( $userid, $cookie, $sessionID, $flags );
982 }
983
984 #
985 #
986 # AUTH rejected, show the login/password template, after checking the DB.
987 #
988 #
989
990 # get the inputs from the incoming query
991 my @inputs = ();
992 foreach my $name ( param $query) {
993 (next) if ( $name eq 'userid' || $name eq 'password' || $name eq 'ticket' );
994 my $value = $query->param($name);
995 push @inputs, { name => $name, value => $value };
996 }
997
998 my $LibraryNameTitle = C4::Context->preference("LibraryName");
999 $LibraryNameTitle =~ s/<(?:\/?)(?:br|p)\s*(?:\/?)>/ /sgi;
1000 $LibraryNameTitle =~ s/<(?:[^<>'"]|'(?:[^']*)'|"(?:[^"]*)")*>//sg;
1001
1002 my $template_name = ( $type eq 'opac' ) ? 'opac-auth.tmpl' : 'auth.tmpl';
1003 my $template = C4::Templates::gettemplate($template_name, $type, $query );
1004 $template->param(
1005 branchloop => GetBranchesLoop(),
1006 opaccolorstylesheet => C4::Context->preference("opaccolorstylesheet"),
1007 opaclayoutstylesheet => C4::Context->preference("opaclayoutstylesheet"),
1008 login => 1,
1009 INPUTS => \@inputs,
1010 casAuthentication => C4::Context->preference("casAuthentication"),
1011 suggestion => C4::Context->preference("suggestion"),
1012 virtualshelves => C4::Context->preference("virtualshelves"),
1013 LibraryName => "" . C4::Context->preference("LibraryName"),
1014 LibraryNameTitle => "" . $LibraryNameTitle,
1015 opacuserlogin => C4::Context->preference("opacuserlogin"),
1016 OpacNav => C4::Context->preference("OpacNav"),
1017 OpacNavRight => C4::Context->preference("OpacNavRight"),
1018 OpacNavBottom => C4::Context->preference("OpacNavBottom"),
1019 opaccredits => C4::Context->preference("opaccredits"),
1020 OpacFavicon => C4::Context->preference("OpacFavicon"),
1021 opacreadinghistory => C4::Context->preference("opacreadinghistory"),
1022 opacsmallimage => C4::Context->preference("opacsmallimage"),
1023 opaclanguagesdisplay => C4::Context->preference("opaclanguagesdisplay"),
1024 opacuserjs => C4::Context->preference("opacuserjs"),
1025 opacbookbag => "" . C4::Context->preference("opacbookbag"),
1026 OpacCloud => C4::Context->preference("OpacCloud"),
1027 OpacTopissue => C4::Context->preference("OpacTopissue"),
1028 OpacAuthorities => C4::Context->preference("OpacAuthorities"),
1029 OpacBrowser => C4::Context->preference("OpacBrowser"),
1030 opacheader => C4::Context->preference("opacheader"),
1031 TagsEnabled => C4::Context->preference("TagsEnabled"),
1032 OPACUserCSS => C4::Context->preference("OPACUserCSS"),
1033 intranetcolorstylesheet => C4::Context->preference("intranetcolorstylesheet"),
1034 intranetstylesheet => C4::Context->preference("intranetstylesheet"),
1035 intranetbookbag => C4::Context->preference("intranetbookbag"),
1036 IntranetNav => C4::Context->preference("IntranetNav"),
1037 IntranetFavicon => C4::Context->preference("IntranetFavicon"),
1038 intranetuserjs => C4::Context->preference("intranetuserjs"),
1039 IndependentBranches=> C4::Context->preference("IndependentBranches"),
1040 AutoLocation => C4::Context->preference("AutoLocation"),
1041 wrongip => $info{'wrongip'},
1042 PatronSelfRegistration => C4::Context->preference("PatronSelfRegistration"),
1043 PatronSelfRegistrationDefaultCategory => C4::Context->preference("PatronSelfRegistrationDefaultCategory"),
1044 persona => C4::Context->preference("Persona"),
1045 opac_css_override => $ENV{'OPAC_CSS_OVERRIDE'},
1046 );
1047
1048 $template->param( OpacPublic => C4::Context->preference("OpacPublic"));
1049 $template->param( loginprompt => 1 ) unless $info{'nopermission'};
1050
1051 if($type eq 'opac'){
1052 my ($total, $pubshelves) = C4::VirtualShelves::GetSomeShelfNames(undef, 'MASTHEAD');
1053 $template->param(
1054 pubshelves => $total->{pubtotal},
1055 pubshelvesloop => $pubshelves,
1056 );
1057 }
1058
1059 if ($cas) {
1060
1061 # Is authentication against multiple CAS servers enabled?
1062 if (C4::Auth_with_cas::multipleAuth && !$casparam) {
1063 my $casservers = C4::Auth_with_cas::getMultipleAuth();
1064 my @tmplservers;
1065 foreach my $key (keys %$casservers) {
1066 push @tmplservers, {name => $key, value => login_cas_url($query, $key) . "?cas=$key" };
1067 }
1068 $template->param(
1069 casServersLoop => \@tmplservers
1070 );
1071 } else {
1072 $template->param(
1073 casServerUrl => login_cas_url($query),
1074 );
1075 }
1076
1077 $template->param(
1078 invalidCasLogin => $info{'invalidCasLogin'}
1079 );
1080 }
1081
1082 my $self_url = $query->url( -absolute => 1 );
1083 $template->param(
1084 url => $self_url,
1085 LibraryName => C4::Context->preference("LibraryName"),
1086 );
1087 $template->param( %info );
1088 # $cookie = $query->cookie(CGISESSID => $session->id
1089 # );
1090 print $query->header(
1091 -type => 'text/html',
1092 -charset => 'utf-8',
1093 -cookie => $cookie
1094 ),
1095 $template->output;
1096 safe_exit;
1097 }
1098
1099 =head2 check_api_auth
1100
1101 ($status, $cookie, $sessionId) = check_api_auth($query, $userflags);
1102
1103 Given a CGI query containing the parameters 'userid' and 'password' and/or a session
1104 cookie, determine if the user has the privileges specified by C<$userflags>.
1105
1106 C<check_api_auth> is is meant for authenticating users of web services, and
1107 consequently will always return and will not attempt to redirect the user
1108 agent.
1109
1110 If a valid session cookie is already present, check_api_auth will return a status
1111 of "ok", the cookie, and the Koha session ID.
1112
1113 If no session cookie is present, check_api_auth will check the 'userid' and 'password
1114 parameters and create a session cookie and Koha session if the supplied credentials
1115 are OK.
1116
1117 Possible return values in C<$status> are:
1118
1119 =over
1120
1121 =item "ok" -- user authenticated; C<$cookie> and C<$sessionid> have valid values.
1122
1123 =item "failed" -- credentials are not correct; C<$cookie> and C<$sessionid> are undef
1124
1125 =item "maintenance" -- DB is in maintenance mode; no login possible at the moment
1126
1127 =item "expired -- session cookie has expired; API user should resubmit userid and password
1128
1129 =back
1130
1131 =cut
1132
1133 sub check_api_auth {
1134 my $query = shift;
1135 my $flagsrequired = shift;
1136
1137 my $dbh = C4::Context->dbh;
1138 my $timeout = _timeout_syspref();
1139
1140 unless (C4::Context->preference('Version')) {
1141 # database has not been installed yet
1142 return ("maintenance", undef, undef);
1143 }
1144 my $kohaversion=C4::Context::KOHAVERSION;
1145 $kohaversion =~ s/(.*\..*)\.(.*)\.(.*)/$1$2$3/;
1146 if (C4::Context->preference('Version') < $kohaversion) {
1147 # database in need of version update; assume that
1148 # no API should be called while databsae is in
1149 # this condition.
1150 return ("maintenance", undef, undef);
1151 }
1152
1153 # FIXME -- most of what follows is a copy-and-paste
1154 # of code from checkauth. There is an obvious need
1155 # for refactoring to separate the various parts of
1156 # the authentication code, but as of 2007-11-19 this
1157 # is deferred so as to not introduce bugs into the
1158 # regular authentication code for Koha 3.0.
1159
1160 # see if we have a valid session cookie already
1161 # however, if a userid parameter is present (i.e., from
1162 # a form submission, assume that any current cookie
1163 # is to be ignored
1164 my $sessionID = undef;
1165 unless ($query->param('userid')) {
1166 $sessionID = $query->cookie("CGISESSID");
1167 }
1168 if ($sessionID && not ($cas && $query->param('PT')) ) {
1169 my $session = get_session($sessionID);
1170 C4::Context->_new_userenv($sessionID);
1171 if ($session) {
1172 C4::Context::set_userenv(
1173 $session->param('number'), $session->param('id'),
1174 $session->param('cardnumber'), $session->param('firstname'),
1175 $session->param('surname'), $session->param('branch'),
1176 $session->param('branchname'), $session->param('flags'),
1177 $session->param('emailaddress'), $session->param('branchprinter')
1178 );
1179
1180 my $ip = $session->param('ip');
1181 my $lasttime = $session->param('lasttime');
1182 my $userid = $session->param('id');
1183 if ( $lasttime < time() - $timeout ) {
1184 # time out
1185 $session->delete();
1186 C4::Context->_unset_userenv($sessionID);
1187 $userid = undef;
1188 $sessionID = undef;
1189 return ("expired", undef, undef);
1190 } elsif ( $ip ne $ENV{'REMOTE_ADDR'} ) {
1191 # IP address changed
1192 $session->delete();
1193 C4::Context->_unset_userenv($sessionID);
1194 $userid = undef;
1195 $sessionID = undef;
1196 return ("expired", undef, undef);
1197 } else {
1198 my $cookie = $query->cookie(
1199 -name => 'CGISESSID',
1200 -value => $session->id,
1201 -HttpOnly => 1,
1202 );
1203 $session->param('lasttime',time());
1204 my $flags = haspermission($userid, $flagsrequired);
1205 if ($flags) {
1206 return ("ok", $cookie, $sessionID);
1207 } else {
1208 $session->delete();
1209 C4::Context->_unset_userenv($sessionID);
1210 $userid = undef;
1211 $sessionID = undef;
1212 return ("failed", undef, undef);
1213 }
1214 }
1215 } else {
1216 return ("expired", undef, undef);
1217 }
1218 } else {
1219 # new login
1220 my $userid = $query->param('userid');
1221 my $password = $query->param('password');
1222 my ($return, $cardnumber);
1223
1224 # Proxy CAS auth
1225 if ($cas && $query->param('PT')) {
1226 my $retuserid;
1227 $debug and print STDERR "## check_api_auth - checking CAS\n";
1228 # In case of a CAS authentication, we use the ticket instead of the password
1229 my $PT = $query->param('PT');
1230 ($return,$cardnumber,$userid) = check_api_auth_cas($dbh, $PT, $query); # EXTERNAL AUTH
1231 } else {
1232 # User / password auth
1233 unless ($userid and $password) {
1234 # caller did something wrong, fail the authenticateion
1235 return ("failed", undef, undef);
1236 }
1237 ( $return, $cardnumber ) = checkpw( $dbh, $userid, $password, $query );
1238 }
1239
1240 if ($return and haspermission( $userid, $flagsrequired)) {
1241 my $session = get_session("");
1242 return ("failed", undef, undef) unless $session;
1243
1244 my $sessionID = $session->id;
1245 C4::Context->_new_userenv($sessionID);
1246 my $cookie = $query->cookie(
1247 -name => 'CGISESSID',
1248 -value => $sessionID,
1249 -HttpOnly => 1,
1250 );
1251 if ( $return == 1 ) {
1252 my (
1253 $borrowernumber, $firstname, $surname,
1254 $userflags, $branchcode, $branchname,
1255 $branchprinter, $emailaddress
1256 );
1257 my $sth =
1258 $dbh->prepare(
1259 "select borrowernumber, firstname, surname, flags, borrowers.branchcode, branches.branchname as branchname,branches.branchprinter as branchprinter, email from borrowers left join branches on borrowers.branchcode=branches.branchcode where userid=?"
1260 );
1261 $sth->execute($userid);
1262 (
1263 $borrowernumber, $firstname, $surname,
1264 $userflags, $branchcode, $branchname,
1265 $branchprinter, $emailaddress
1266 ) = $sth->fetchrow if ( $sth->rows );
1267
1268 unless ($sth->rows ) {
1269 my $sth = $dbh->prepare(
1270 "select borrowernumber, firstname, surname, flags, borrowers.branchcode, branches.branchname as branchname, branches.branchprinter as branchprinter, email from borrowers left join branches on borrowers.branchcode=branches.branchcode where cardnumber=?"
1271 );
1272 $sth->execute($cardnumber);
1273 (
1274 $borrowernumber, $firstname, $surname,
1275 $userflags, $branchcode, $branchname,
1276 $branchprinter, $emailaddress
1277 ) = $sth->fetchrow if ( $sth->rows );
1278
1279 unless ( $sth->rows ) {
1280 $sth->execute($userid);
1281 (
1282 $borrowernumber, $firstname, $surname, $userflags,
1283 $branchcode, $branchname, $branchprinter, $emailaddress
1284 ) = $sth->fetchrow if ( $sth->rows );
1285 }
1286 }
1287
1288 my $ip = $ENV{'REMOTE_ADDR'};
1289 # if they specify at login, use that
1290 if ($query->param('branch')) {
1291 $branchcode = $query->param('branch');
1292 $branchname = GetBranchName($branchcode);
1293 }
1294 my $branches = GetBranches();
1295 my @branchesloop;
1296 foreach my $br ( keys %$branches ) {
1297 # now we work with the treatment of ip
1298 my $domain = $branches->{$br}->{'branchip'};
1299 if ( $domain && $ip =~ /^$domain/ ) {
1300 $branchcode = $branches->{$br}->{'branchcode'};
1301
1302 # new op dev : add the branchprinter and branchname in the cookie
1303 $branchprinter = $branches->{$br}->{'branchprinter'};
1304 $branchname = $branches->{$br}->{'branchname'};
1305 }
1306 }
1307 $session->param('number',$borrowernumber);
1308 $session->param('id',$userid);
1309 $session->param('cardnumber',$cardnumber);
1310 $session->param('firstname',$firstname);
1311 $session->param('surname',$surname);
1312 $session->param('branch',$branchcode);
1313 $session->param('branchname',$branchname);
1314 $session->param('flags',$userflags);
1315 $session->param('emailaddress',$emailaddress);
1316 $session->param('ip',$session->remote_addr());
1317 $session->param('lasttime',time());
1318 } elsif ( $return == 2 ) {
1319 #We suppose the user is the superlibrarian
1320 $session->param('number',0);
1321 $session->param('id',C4::Context->config('user'));
1322 $session->param('cardnumber',C4::Context->config('user'));
1323 $session->param('firstname',C4::Context->config('user'));
1324 $session->param('surname',C4::Context->config('user'));
1325 $session->param('branch','NO_LIBRARY_SET');
1326 $session->param('branchname','NO_LIBRARY_SET');
1327 $session->param('flags',1);
1328 $session->param('emailaddress', C4::Context->preference('KohaAdminEmailAddress'));
1329 $session->param('ip',$session->remote_addr());
1330 $session->param('lasttime',time());
1331 }
1332 C4::Context::set_userenv(
1333 $session->param('number'), $session->param('id'),
1334 $session->param('cardnumber'), $session->param('firstname'),
1335 $session->param('surname'), $session->param('branch'),
1336 $session->param('branchname'), $session->param('flags'),
1337 $session->param('emailaddress'), $session->param('branchprinter')
1338 );
1339 return ("ok", $cookie, $sessionID);
1340 } else {
1341 return ("failed", undef, undef);
1342 }
1343 }
1344 }
1345
1346 =head2 check_cookie_auth
1347
1348 ($status, $sessionId) = check_api_auth($cookie, $userflags);
1349
1350 Given a CGISESSID cookie set during a previous login to Koha, determine
1351 if the user has the privileges specified by C<$userflags>.
1352
1353 C<check_cookie_auth> is meant for authenticating special services
1354 such as tools/upload-file.pl that are invoked by other pages that
1355 have been authenticated in the usual way.
1356
1357 Possible return values in C<$status> are:
1358
1359 =over
1360
1361 =item "ok" -- user authenticated; C<$sessionID> have valid values.
1362
1363 =item "failed" -- credentials are not correct; C<$sessionid> are undef
1364
1365 =item "maintenance" -- DB is in maintenance mode; no login possible at the moment
1366
1367 =item "expired -- session cookie has expired; API user should resubmit userid and password
1368
1369 =back
1370
1371 =cut
1372
1373 sub check_cookie_auth {
1374 my $cookie = shift;
1375 my $flagsrequired = shift;
1376
1377 my $dbh = C4::Context->dbh;
1378 my $timeout = _timeout_syspref();
1379
1380 unless (C4::Context->preference('Version')) {
1381 # database has not been installed yet
1382 return ("maintenance", undef);
1383 }
1384 my $kohaversion=C4::Context::KOHAVERSION;
1385 $kohaversion =~ s/(.*\..*)\.(.*)\.(.*)/$1$2$3/;
1386 if (C4::Context->preference('Version') < $kohaversion) {
1387 # database in need of version update; assume that
1388 # no API should be called while databsae is in
1389 # this condition.
1390 return ("maintenance", undef);
1391 }
1392
1393 # FIXME -- most of what follows is a copy-and-paste
1394 # of code from checkauth. There is an obvious need
1395 # for refactoring to separate the various parts of
1396 # the authentication code, but as of 2007-11-23 this
1397 # is deferred so as to not introduce bugs into the
1398 # regular authentication code for Koha 3.0.
1399
1400 # see if we have a valid session cookie already
1401 # however, if a userid parameter is present (i.e., from
1402 # a form submission, assume that any current cookie
1403 # is to be ignored
1404 unless (defined $cookie and $cookie) {
1405 return ("failed", undef);
1406 }
1407 my $sessionID = $cookie;
1408 my $session = get_session($sessionID);
1409 C4::Context->_new_userenv($sessionID);
1410 if ($session) {
1411 C4::Context::set_userenv(
1412 $session->param('number'), $session->param('id'),
1413 $session->param('cardnumber'), $session->param('firstname'),
1414 $session->param('surname'), $session->param('branch'),
1415 $session->param('branchname'), $session->param('flags'),
1416 $session->param('emailaddress'), $session->param('branchprinter')
1417 );
1418
1419 my $ip = $session->param('ip');
1420 my $lasttime = $session->param('lasttime');
1421 my $userid = $session->param('id');
1422 if ( $lasttime < time() - $timeout ) {
1423 # time out
1424 $session->delete();
1425 C4::Context->_unset_userenv($sessionID);
1426 $userid = undef;
1427 $sessionID = undef;
1428 return ("expired", undef);
1429 } elsif ( $ip ne $ENV{'REMOTE_ADDR'} ) {
1430 # IP address changed
1431 $session->delete();
1432 C4::Context->_unset_userenv($sessionID);
1433 $userid = undef;
1434 $sessionID = undef;
1435 return ("expired", undef);
1436 } else {
1437 $session->param('lasttime',time());
1438 my $flags = haspermission($userid, $flagsrequired);
1439 if ($flags) {
1440 return ("ok", $sessionID);
1441 } else {
1442 $session->delete();
1443 C4::Context->_unset_userenv($sessionID);
1444 $userid = undef;
1445 $sessionID = undef;
1446 return ("failed", undef);
1447 }
1448 }
1449 } else {
1450 return ("expired", undef);
1451 }
1452 }
1453
1454 =head2 get_session
1455
1456 use CGI::Session;
1457 my $session = get_session($sessionID);
1458
1459 Given a session ID, retrieve the CGI::Session object used to store
1460 the session's state. The session object can be used to store
1461 data that needs to be accessed by different scripts during a
1462 user's session.
1463
1464 If the C<$sessionID> parameter is an empty string, a new session
1465 will be created.
1466
1467 =cut
1468
1469 sub get_session {
1470 my $sessionID = shift;
1471 my $storage_method = C4::Context->preference('SessionStorage');
1472 my $dbh = C4::Context->dbh;
1473 my $session;
1474 if ($storage_method eq 'mysql'){
1475 $session = new CGI::Session("driver:MySQL;serializer:yaml;id:md5", $sessionID, {Handle=>$dbh});
1476 }
1477 elsif ($storage_method eq 'Pg') {
1478 $session = new CGI::Session("driver:PostgreSQL;serializer:yaml;id:md5", $sessionID, {Handle=>$dbh});
1479 }
1480 elsif ($storage_method eq 'memcached' && C4::Context->ismemcached){
1481 $session = new CGI::Session("driver:memcached;serializer:yaml;id:md5", $sessionID, { Memcached => C4::Context->memcached } );
1482 }
1483 else {
1484 # catch all defaults to tmp should work on all systems
1485 $session = new CGI::Session("driver:File;serializer:yaml;id:md5", $sessionID, {Directory=>'/tmp'});
1486 }
1487 return $session;
1488 }
1489
1490 sub checkpw {
1491 my ( $dbh, $userid, $password, $query ) = @_;
1492
1493 if ($ldap) {
1494 $debug and print STDERR "## checkpw - checking LDAP\n";
1495 my ($retval,$retcard,$retuserid) = checkpw_ldap(@_); # EXTERNAL AUTH
1496 ($retval) and return ($retval,$retcard,$retuserid);
1497 }
1498
1499 if ($cas && $query && $query->param('ticket')) {
1500 $debug and print STDERR "## checkpw - checking CAS\n";
1501 # In case of a CAS authentication, we use the ticket instead of the password
1502 my $ticket = $query->param('ticket');
1503 my ($retval,$retcard,$retuserid) = checkpw_cas($dbh, $ticket, $query); # EXTERNAL AUTH
1504 ($retval) and return ($retval,$retcard,$retuserid);
1505 return 0;
1506 }
1507
1508 return checkpw_internal(@_)
1509 }
1510
1511 sub checkpw_internal {
1512 my ( $dbh, $userid, $password ) = @_;
1513
1514 my $sth =
1515 $dbh->prepare(
1516 "select password,cardnumber,borrowernumber,userid,firstname,surname,branchcode,flags from borrowers where userid=?"
1517 );
1518 $sth->execute($userid);
1519 if ( $sth->rows ) {
1520 my ( $stored_hash, $cardnumber, $borrowernumber, $userid, $firstname,
1521 $surname, $branchcode, $flags )
1522 = $sth->fetchrow;
1523
1524 if ( checkpw_hash($password, $stored_hash) ) {
1525
1526 C4::Context->set_userenv( "$borrowernumber", $userid, $cardnumber,
1527 $firstname, $surname, $branchcode, $flags );
1528 return 1, $cardnumber, $userid;
1529 }
1530 }
1531 $sth =
1532 $dbh->prepare(
1533 "select password,cardnumber,borrowernumber,userid, firstname,surname,branchcode,flags from borrowers where cardnumber=?"
1534 );
1535 $sth->execute($userid);
1536 if ( $sth->rows ) {
1537 my ( $stored_hash, $cardnumber, $borrowernumber, $userid, $firstname,
1538 $surname, $branchcode, $flags )
1539 = $sth->fetchrow;
1540
1541 if ( checkpw_hash($password, $stored_hash) ) {
1542
1543 C4::Context->set_userenv( $borrowernumber, $userid, $cardnumber,
1544 $firstname, $surname, $branchcode, $flags );
1545 return 1, $cardnumber, $userid;
1546 }
1547 }
1548 if ( $userid && $userid eq C4::Context->config('user')
1549 && "$password" eq C4::Context->config('pass') )
1550 {
1551
1552 # Koha superuser account
1553 # C4::Context->set_userenv(0,0,C4::Context->config('user'),C4::Context->config('user'),C4::Context->config('user'),"",1);
1554 return 2;
1555 }
1556 if ( $userid && $userid eq 'demo'
1557 && "$password" eq 'demo'
1558 && C4::Context->config('demo') )
1559 {
1560
1561 # DEMO => the demo user is allowed to do everything (if demo set to 1 in koha.conf
1562 # some features won't be effective : modify systempref, modify MARC structure,
1563 return 2;
1564 }
1565 return 0;
1566 }
1567
1568 sub checkpw_hash {
1569 my ( $password, $stored_hash ) = @_;
1570
1571 return if $stored_hash eq '!';
1572
1573 # check what encryption algorithm was implemented: Bcrypt - if the hash starts with '$2' it is Bcrypt else md5
1574 my $hash;
1575 if ( substr($stored_hash,0,2) eq '$2') {
1576 $hash = hash_password($password, $stored_hash);
1577 } else {
1578 $hash = md5_base64($password);
1579 }
1580 return $hash eq $stored_hash;
1581 }
1582
1583 =head2 getuserflags
1584
1585 my $authflags = getuserflags($flags, $userid, [$dbh]);
1586
1587 Translates integer flags into permissions strings hash.
1588
1589 C<$flags> is the integer userflags value ( borrowers.userflags )
1590 C<$userid> is the members.userid, used for building subpermissions
1591 C<$authflags> is a hashref of permissions
1592
1593 =cut
1594
1595 sub getuserflags {
1596 my $flags = shift;
1597 my $userid = shift;
1598 my $dbh = @_ ? shift : C4::Context->dbh;
1599 my $userflags;
1600 {
1601 # I don't want to do this, but if someone logs in as the database
1602 # user, it would be preferable not to spam them to death with
1603 # numeric warnings. So, we make $flags numeric.
1604 no warnings 'numeric';
1605 $flags += 0;
1606 }
1607 my $sth = $dbh->prepare("SELECT bit, flag, defaulton FROM userflags");
1608 $sth->execute;
1609
1610 while ( my ( $bit, $flag, $defaulton ) = $sth->fetchrow ) {
1611 if ( ( $flags & ( 2**$bit ) ) || $defaulton ) {
1612 $userflags->{$flag} = 1;
1613 }
1614 else {
1615 $userflags->{$flag} = 0;
1616 }
1617 }
1618
1619 # get subpermissions and merge with top-level permissions
1620 my $user_subperms = get_user_subpermissions($userid);
1621 foreach my $module (keys %$user_subperms) {
1622 next if $userflags->{$module} == 1; # user already has permission for everything in this module
1623 $userflags->{$module} = $user_subperms->{$module};
1624 }
1625
1626 return $userflags;
1627 }
1628
1629 =head2 get_user_subpermissions
1630
1631 $user_perm_hashref = get_user_subpermissions($userid);
1632
1633 Given the userid (note, not the borrowernumber) of a staff user,
1634 return a hashref of hashrefs of the specific subpermissions
1635 accorded to the user. An example return is
1636
1637 {
1638 tools => {
1639 export_catalog => 1,
1640 import_patrons => 1,
1641 }
1642 }
1643
1644 The top-level hash-key is a module or function code from
1645 userflags.flag, while the second-level key is a code
1646 from permissions.
1647
1648 The results of this function do not give a complete picture
1649 of the functions that a staff user can access; it is also
1650 necessary to check borrowers.flags.
1651
1652 =cut
1653
1654 sub get_user_subpermissions {
1655 my $userid = shift;
1656
1657 my $dbh = C4::Context->dbh;
1658 my $sth = $dbh->prepare("SELECT flag, user_permissions.code
1659 FROM user_permissions
1660 JOIN permissions USING (module_bit, code)
1661 JOIN userflags ON (module_bit = bit)
1662 JOIN borrowers USING (borrowernumber)
1663 WHERE userid = ?");
1664 $sth->execute($userid);
1665
1666 my $user_perms = {};
1667 while (my $perm = $sth->fetchrow_hashref) {
1668 $user_perms->{$perm->{'flag'}}->{$perm->{'code'}} = 1;
1669 }
1670 return $user_perms;
1671 }
1672
1673 =head2 get_all_subpermissions
1674
1675 my $perm_hashref = get_all_subpermissions();
1676
1677 Returns a hashref of hashrefs defining all specific
1678 permissions currently defined. The return value
1679 has the same structure as that of C<get_user_subpermissions>,
1680 except that the innermost hash value is the description
1681 of the subpermission.
1682
1683 =cut
1684
1685 sub get_all_subpermissions {
1686 my $dbh = C4::Context->dbh;
1687 my $sth = $dbh->prepare("SELECT flag, code, description
1688 FROM permissions
1689 JOIN userflags ON (module_bit = bit)");
1690 $sth->execute();
1691
1692 my $all_perms = {};
1693 while (my $perm = $sth->fetchrow_hashref) {
1694 $all_perms->{$perm->{'flag'}}->{$perm->{'code'}} = $perm->{'description'};
1695 }
1696 return $all_perms;
1697 }
1698
1699 =head2 haspermission
1700
1701 $flags = ($userid, $flagsrequired);
1702
1703 C<$userid> the userid of the member
1704 C<$flags> is a hashref of required flags like C<$borrower-&lt;{authflags}>
1705
1706 Returns member's flags or 0 if a permission is not met.
1707
1708 =cut
1709
1710 sub haspermission {
1711 my ($userid, $flagsrequired) = @_;
1712 my $sth = C4::Context->dbh->prepare("SELECT flags FROM borrowers WHERE userid=?");
1713 $sth->execute($userid);
1714 my $flags = getuserflags($sth->fetchrow(), $userid);
1715 if ( $userid eq C4::Context->config('user') ) {
1716 # Super User Account from /etc/koha.conf
1717 $flags->{'superlibrarian'} = 1;
1718 }
1719 elsif ( $userid eq 'demo' && C4::Context->config('demo') ) {
1720 # Demo user that can do "anything" (demo=1 in /etc/koha.conf)
1721 $flags->{'superlibrarian'} = 1;
1722 }
1723
1724 return $flags if $flags->{superlibrarian};
1725
1726 foreach my $module ( keys %$flagsrequired ) {
1727 my $subperm = $flagsrequired->{$module};
1728 if ($subperm eq '*') {
1729 return 0 unless ( $flags->{$module} == 1 or ref($flags->{$module}) );
1730 } else {
1731 return 0 unless ( $flags->{$module} == 1 or
1732 ( ref($flags->{$module}) and
1733 exists $flags->{$module}->{$subperm} and
1734 $flags->{$module}->{$subperm} == 1
1735 )
1736 );
1737 }
1738 }
1739 return $flags;
1740 #FIXME - This fcn should return the failed permission so a suitable error msg can be delivered.
1741 }
1742
1743
1744 sub getborrowernumber {
1745 my ($userid) = @_;
1746 my $userenv = C4::Context->userenv;
1747 if ( defined( $userenv ) && ref( $userenv ) eq 'HASH' && $userenv->{number} ) {
1748 return $userenv->{number};
1749 }
1750 my $dbh = C4::Context->dbh;
1751 for my $field ( 'userid', 'cardnumber' ) {
1752 my $sth =
1753 $dbh->prepare("select borrowernumber from borrowers where $field=?");
1754 $sth->execute($userid);
1755 if ( $sth->rows ) {
1756 my ($bnumber) = $sth->fetchrow;
1757 return $bnumber;
1758 }
1759 }
1760 return 0;
1761 }
1762
1763 sub ParseSearchHistoryCookie {
1764 my $input = shift;
1765 my $search_cookie = $input->cookie('KohaOpacRecentSearches');
1766 return () unless $search_cookie;
1767 my $obj = eval { decode_json(uri_unescape($search_cookie)) };
1768 return () unless defined $obj;
1769 return () unless ref $obj eq 'ARRAY';
1770 return @{ $obj };
1771 }
1772
1773 END { } # module clean-up code here (global destructor)
1774 1;
1775 __END__
1776
1777 =head1 SEE ALSO
1778
1779 CGI(3)
1780
1781 C4::Output(3)
1782
1783 Crypt::Eksblowfish::Bcrypt(3)
1784
1785 Digest::MD5(3)
1786
1787 =cut
Koha ILS