1 # -*- tab-width: 8 -*-
2 # NOTE: This file uses 8-character tabs; do not change the tab size!
3
4 package InstallAuth;
5
6 # Copyright 2000-2002 Katipo Communications
7 #
8 # This file is part of Koha.
9 #
10 # Koha is free software; you can redistribute it and/or modify it under the
11 # terms of the GNU General Public License as published by the Free Software
12 # Foundation; either version 2 of the License, or (at your option) any later
13 # version.
14 #
15 # Koha is distributed in the hope that it will be useful, but WITHOUT ANY
16 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
17 # A PARTICULAR PURPOSE. See the GNU General Public License for more details.
18 #
19 # You should have received a copy of the GNU General Public License along with
20 # Koha; if not, write to the Free Software Foundation, Inc., 59 Temple Place,
21 # Suite 330, Boston, MA 02111-1307 USA
22
23 use strict;
24 use Digest::MD5 qw(md5_base64);
25
26 require Exporter;
27 use Koha;
28 use C4::Context;
29 use C4::Output;
30 use C4::Koha;
31 use CGI::Session;
32
our ( $VERSION, @ISA, @EXPORT, @EXPORT_OK, %EXPORT_TAGS );

# set the version for version checking
$VERSION = 3.00;
37
38 =head1 NAME
39
40 InstallAuth - Authenticates Koha users for Install process
41
42 =head1 SYNOPSIS
43
44 use CGI;
45 use InstallAuth;
46 use C4::Output;
47
48 my $query = new CGI;
49
50 my ($template, $borrowernumber, $cookie)
51 = get_template_and_user({template_name => "opac-main.tmpl",
52 query => $query,
53 type => "opac",
54 authnotrequired => 1,
55 flagsrequired => {borrow => 1},
56 });
57
58 output_html_with_http_headers $query, $cookie, $template->output;
59
60 =head1 DESCRIPTION
61
62 The main function of this module is to provide
63 authentication. However, the get_template_and_user function has
64 been provided so that a user's login information is passed along
65 automatically. This gets loaded into the template.
66 This package is different from C4::Auth in so far as
67 C4::Auth uses many preferences which are supposed NOT to be obtainable when installing the database.
68
69 As in C4::Auth, Authentication is based on cookies.
70
71 =head1 FUNCTIONS
72
73 =over 2
74
75 =cut
76
@ISA = qw(Exporter);

# Exported by default: the two entry points the installer scripts call.
@EXPORT = qw(&checkauth &get_template_and_user);
82
83 =item get_template_and_user
84
85 my ($template, $borrowernumber, $cookie)
86 = get_template_and_user({template_name => "opac-main.tmpl",
87 query => $query,
88 type => "opac",
89 authnotrequired => 1,
90 flagsrequired => {borrow => 1},
91 });
92
93 This call passes the C<query>, C<flagsrequired> and C<authnotrequired>
94 to C<&checkauth> (in this module) to perform authentication.
95 See C<&checkauth> for an explanation of these parameters.
96
97 The C<template_name> is then used to find the correct template for
98 the page. The authenticated users details are loaded onto the
99 template in the HTML::Template LOOP variable C<USER_INFO>. Also the
100 C<sessionID> is passed to the template. This can be used in templates
101 if cookies are disabled. It needs to be put as an input to every
102 authenticated page.
103
104 More information on the C<gettemplate> sub can be found in the
105 Output.pm module.
106
107 =cut
108
sub get_template_and_user {
    my $in    = shift;
    my $query = $in->{'query'};

    # The template language comes from the OPAC language cookie.  Strip
    # everything that is not a letter, digit, '-' or '_' before it becomes
    # part of a filesystem path, so the cookie cannot steer the template
    # lookup outside the language directory.
    my $language = $query->cookie('KohaOpacLanguage');
    $language =~ s/[^\p{IsAlnum}\-_]//g;    # untaint
    my $lang_dir = $language ? $language : "en";
    my $path = C4::Context->config('intrahtdocs') . "/prog/" . $lang_dir;

    my $template = HTML::Template::Pro->new(
        filename          => "$path/modules/" . $in->{template_name},
        die_on_bad_params => 1,
        global_vars       => 1,
        case_sensitive    => 1,
        path              => ["$path/includes"]
    );

    # checkauth only returns for an authenticated user; otherwise it renders
    # the login page and exits on our behalf.
    my ( $user, $cookie, $sessionID, $flags ) =
      checkauth( @{$in}{qw(query authnotrequired flagsrequired type)} );

    # Never populated by the installer; returned undef so the signature
    # matches C4::Auth::get_template_and_user.
    my $borrowernumber;

    if ($user) {
        $template->param(
            loggedinusername => $user,
            sessionID        => $sessionID
        );

        # The $flags returned by checkauth decide which menus the template
        # may show; the installer only distinguishes the superlibrarian.
        if ( $flags && $flags->{superlibrarian} == 1 ) {
            my @menus = qw(
              circulate catalogue parameters borrowers permission
              reserveforothers borrow editcatalogue updatecharges
              acquisition management tools editauthorities serials reports
            );
            $template->param( "CAN_user_$_" => 1 ) for @menus;
        }
    }
    return ( $template, $borrowernumber, $cookie );
}
162
163 =item checkauth
164
165 ($userid, $cookie, $sessionID) = &checkauth($query, $noauth, $flagsrequired, $type);
166
167 Verifies that the user is authorized to run this script. If
168 the user is authorized, a (userid, cookie, session-id, flags)
169 quadruple is returned. If the user is logged in but does
170 not have the required privilege (see $flagsrequired below), it
171 displays an error page and exits. Otherwise, it displays the
172 login page and exits.
173
174 Note that C<&checkauth> will return if and only if the user
175 is authorized, so it should be called early on, before any
176 unfinished operations (e.g., if you've opened a file, then
177 C<&checkauth> won't close it for you).
178
179 C<$query> is the CGI object for the script calling C<&checkauth>.
180
181 The C<$noauth> argument is optional. If it is set, then no
182 authorization is required for the script.
183
184 C<&checkauth> fetches user and session information from C<$query> and
185 ensures that the user is authorized to run scripts that require
186 authorization.
187
188 The C<$flagsrequired> argument specifies the required privileges
189 the user must have if the username and password are correct.
190 It should be specified as a reference-to-hash; keys in the hash
191 should be the "flags" for the user, as specified in the Members
192 intranet module. Any key specified must correspond to a "flag"
193 in the userflags table. E.g., { circulate => 1 } would specify
194 that the user must have the "circulate" privilege in order to
195 proceed. To make sure that access control is correct, the
196 C<$flagsrequired> parameter must be specified correctly.
197
198 The C<$type> argument specifies whether the template should be
199 retrieved from the opac or intranet directory tree. "opac" is
200 assumed if it is not specified; however, if C<$type> is specified,
201 "intranet" is assumed if it is not "opac".
202
203 If C<$query> does not have a valid session ID associated with it
204 (i.e., the user has not logged in) or if the session has expired,
205 C<&checkauth> presents the user with a login page (from the point of
206 view of the original script, C<&checkauth> does not return). Once the
207 user has authenticated, C<&checkauth> restarts the original script
208 (this time, C<&checkauth> returns).
209
210 The login page is provided using a HTML::Template, which is set in the
211 systempreferences table or at the top of this file. The variable C<$type>
212 selects which template to use, either the opac or the intranet
213 authentication template.
214
215 C<&checkauth> returns a user ID, a cookie, and a session ID. The
216 cookie should be sent back to the browser; it verifies that the user
217 has authenticated.
218
219 =cut
220
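sub checkauth {
    my $query = shift;

    # $authnotrequired will be set for scripts which will run without authentication.
    # $authnotrequired, $flagsrequired and $type are accepted so the signature
    # matches C4::Auth::checkauth, but the installer does not consult them:
    # it always uses installer/auth.tmpl and always requires a login.
    my $authnotrequired = shift;
    my $flagsrequired   = shift;
    my $type            = shift;
    $type = 'intranet' unless $type;

    # Not used below; the call has always been made here and presumably
    # establishes the database connection for the installer.  Kept for that
    # side effect -- TODO confirm it is still needed.
    my $dbh = C4::Context->dbh();

    my $template_name = "installer/auth.tmpl";

    # NOTE(review): session files and the session log live in the shared,
    # world-writable /tmp.  A private directory owned by the web user would
    # be preferable; confirm against the deployment before changing it.
    my $session_driver = "driver:File;serializer:yaml";

    # state variables
    my $loggedin = 0;
    my %info;

    # $flags is part of the returned quadruple but is never populated here:
    # the installer carries the superlibrarian status in the session instead.
    my ( $userid, $cookie, $sessionID, $flags );
    my $logout = $query->param('logout.x');

    if ( $sessionID = $query->cookie("CGISESSID") ) {
        C4::Context->_new_userenv($sessionID);
        my $session = CGI::Session->new( $session_driver, $sessionID,
            { Directory => '/tmp' } );
        if ( $session->param('cardnumber') ) {
            C4::Context::set_userenv(
                $session->param('number'),
                $session->param('id'),
                $session->param('cardnumber'),
                $session->param('firstname'),
                $session->param('surname'),
                $session->param('branch'),
                $session->param('branchname'),
                $session->param('flags'),
                $session->param('emailaddress'),
                $session->param('branchprinter')
            );

            # NOTE(review): the cookie is rebuilt from $session->id while the
            # returned $sessionID is the value the browser sent; should
            # CGI::Session hand out a fresh id for an unknown one, the two
            # differ -- confirm which of them the callers rely on.
            $cookie   = $query->cookie( CGISESSID => $session->id );
            $loggedin = 1;
            $userid   = $session->param('cardnumber');
        }

        if ($logout) {

            # voluntary logout: record who is leaving *before* the
            # identifiers are cleared (the previous code cleared them first
            # and logged an empty user and address), drop the server-side
            # session so the old id cannot be reused, and fall through to
            # the login page instead of returning as if still logged in.
            _log_session_event(
                sprintf(
                    "%20s from %16s logged out at %30s (manually).\n",
                    $userid, $ENV{'REMOTE_ADDR'}, scalar localtime( time() )
                )
            );
            $session->delete();
            $session->flush();
            C4::Context->_unset_userenv($sessionID);
            $sessionID = undef;
            $userid    = undef;
            $cookie    = undef;
            $loggedin  = 0;
        }
    }

    unless ($userid) {
        my $session = CGI::Session->new( $session_driver, undef,
            { Directory => '/tmp' } );
        $sessionID = $session->id;
        C4::Context->_new_userenv($sessionID);
        $userid = $query->param('userid');
        my $password = $query->param('password');

        # checkpw returns a single status: 2 for the superuser/demo account,
        # 0 for anything else.
        my $return = checkpw( $userid, $password );
        if ($return) {
            $loggedin = 1;
            _log_session_event(
                sprintf(
                    "%20s from %16s logged in at %30s.\n",
                    $userid, $ENV{'REMOTE_ADDR'}, scalar localtime( time() )
                )
            );
            $cookie = $query->cookie( CGISESSID => $sessionID );
            if ( $return == 2 ) {

                # Only superlibrarian should have access to this page.
                # Since if it is a user, it is supposed that there is a borrower table
                # And thus that data structure is loaded.
                my $admin = C4::Context->config('user');
                C4::Context::set_userenv( 0, 0, $admin, $admin, $admin, "",
                    "NO_LIBRARY_SET", 1, "" );
                $session->param( 'number',     0 );
                $session->param( 'id',         $admin );
                $session->param( 'cardnumber', $admin );
                $session->param( 'firstname',  $admin );
                $session->param( 'surname',    $admin );
                $session->param( 'branch',     'NO_LIBRARY_SET' );
                $session->param( 'branchname', 'NO_LIBRARY_SET' );
                $session->param( 'flags',      1 );
                $session->param( 'emailaddress',
                    C4::Context->preference('KohaAdminEmailAddress') );
                $session->param( 'ip',       $session->remote_addr() );
                $session->param( 'lasttime', time() );
                $userid = $admin;
            }
        }
        elsif ($userid) {

            # credentials were supplied but rejected
            $info{'invalid_username_or_password'} = 1;
            C4::Context->_unset_userenv($sessionID);
        }
    }

    # finished authentication, now respond
    if ($loggedin) {

        # successful login
        unless ($cookie) {

            # presumably a placeholder so callers always receive a cookie
            # to send back; the session id itself is returned separately.
            $cookie = $query->cookie(
                -name    => 'CGISESSID',
                -value   => '',
                -expires => ''
            );
        }
        return ( $userid, $cookie, $sessionID, $flags );
    }

    # Not logged in: show the login page, carrying the other inputs of the
    # original request along so they can be re-submitted after login.
    # scalar() keeps a multi-valued parameter from injecting extra pairs
    # into the hash constructor.
    my @inputs = ();
    foreach my $name ( $query->param() ) {
        next if ( $name eq 'userid' || $name eq 'password' );
        push @inputs, { name => $name, value => scalar $query->param($name) };
    }

    # The language comes straight from the request and becomes part of a
    # filesystem path, so restrict it to the characters a language code can
    # contain -- the same untainting get_template_and_user applies to the
    # language cookie.  Previously the raw parameter was used here.
    my $language = $query->param('language');
    $language = '' unless defined $language;
    $language =~ s/[^\p{IsAlnum}\-_]//g;    # untaint
    my $path =
        C4::Context->config('intrahtdocs') . "/prog/"
      . ( $language ? $language : "en" );
    my $template = HTML::Template::Pro->new(
        filename          => "$path/modules/$template_name",
        die_on_bad_params => 1,
        global_vars       => 1,
        case_sensitive    => 1,
        path              => ["$path/includes"]
    );
    $template->param( INPUTS => \@inputs );
    $template->param( login => 1 );
    $template->param( loginprompt => 1 ) unless $info{'nopermission'};

    my $self_url = $query->url( -absolute => 1 );
    $template->param( url => $self_url );
    $template->param( \%info );
    $cookie = $query->cookie(
        -name    => 'CGISESSID',
        -value   => $sessionID,
        -expires => ''
    );
    print $query->header(
        -type   => 'text/html; charset=utf-8',
        -cookie => $cookie
      ),
      $template->output;
    exit;
}

# Append one line to the session log.  Best effort, as before: a log that
# cannot be opened must not block a login or logout, so failures are
# ignored rather than raised.  Uses a lexical handle and 3-arg open in
# place of the former bareword, 2-arg form.
sub _log_session_event {
    my ($line) = @_;
    open my $log, '>>', '/tmp/sessionlog' or return;
    print {$log} $line;
    close $log;
    return;
}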
388
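# Check the installer credentials.
#
# Arguments: the submitted user id and password.
# Returns 2 when they match the superuser account from the Koha config
# (or the demo account when 'demo' is enabled in the config), 0 otherwise.
# Only the configured superuser can run the installer: there is no
# borrower table to authenticate ordinary users against yet.
sub checkpw {
    my ( $userid, $password ) = @_;

    my $admin_user = C4::Context->config('user');
    my $admin_pass = C4::Context->config('pass');

    # Compare as a string, as the old "$password" interpolation did, without
    # the undef stringification.
    $password = '' unless defined $password;

    # Koha superuser account.  An unset or empty configured password is
    # never accepted: previously an undef 'pass' stringified to '' and an
    # empty submission would have matched it.
    if (   $userid
        && defined $admin_user
        && $userid eq $admin_user
        && defined $admin_pass
        && length $admin_pass
        && $password eq $admin_pass )
    {
        # Same call form and argument order as checkauth's superuser branch
        # (number, id, cardnumber, firstname, surname, branch, branchname,
        # flags, emailaddress); the old call passed 7 arguments as a method,
        # which shifted every value one position.
        C4::Context::set_userenv( 0, 0, $admin_user, $admin_user, $admin_user,
            "", "NO_LIBRARY_SET", 1, "" );
        return 2;
    }

    # DEMO => the demo user is allowed to do everything (if demo set to 1 in koha.conf
    # some features won't be effective : modify systempref, modify MARC structure,
    if (   $userid
        && $userid eq 'demo'
        && $password eq 'demo'
        && C4::Context->config('demo') )
    {
        return 2;
    }
    return 0;
}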
420
# No global-destruction clean-up is needed; the file only has to return a
# true value to `require`.
1;
423 __END__
424
425 =back
426
427 =head1 SEE ALSO
428
429 CGI(3)
430
431 C4::Output(3)
432
433 Digest::MD5(3)
434
435 =cut