LP#1474029: teach Evergreen how to prevent expired staff from logging in
author Galen Charlton <gmc@equinoxinitiative.org>
Thu, 10 Dec 2020 22:23:47 +0000 (17:23 -0500)
committer Bill Erickson <berickxx@gmail.com>
Wed, 10 Feb 2021 20:44:44 +0000 (15:44 -0500)
commit 18f5404261b3ed2e97ba5d00d4761a0b43b7157f
tree 83902d654b2f185cb7dd564b22ab038709d16210
parent 2dbb92d4acd10eb9e67e2ac6d9625c237b162c62
LP#1474029: teach Evergreen how to prevent expired staff from logging in

This patch adds the ability to prevent staff users whose
accounts have expired from logging in. This is controlled
by the new global flag "auth.block_expired_staff_login", which
is not enabled by default. If that flag is turned on, accounts
that have the `STAFF_LOGIN` permission and whose expiration date
is in the past are prevented from logging into any Evergreen
interface, including the staff client, the public catalog, and SIP2.

It should be noted that ordinary patrons are allowed to log into
the public catalog if their circulation privileges have expired. This
feature prevents expired staff users from logging into the public catalog
(and all other Evergreen interfaces and APIs) outright in order to
prevent them from getting into the staff interface anyway by
creative use of Evergreen's authentication APIs.

Evergreen admins are advised to check the expiration status of staff
accounts before turning on the global flag, as otherwise it is
possible to lock staff users out unexpectedly.

Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
Signed-off-by: Terran McCanna <tmccanna@georgialibraries.org>
Signed-off-by: Bill Erickson <berickxx@gmail.com>
Open-ILS/src/c-apps/oils_auth_internal.c
Open-ILS/src/sql/Pg/950.data.seed-values.sql
Open-ILS/src/sql/Pg/upgrade/XXXX.data.block_expired_staff_login_flag.sql [new file with mode: 0644]
docs/RELEASE_NOTES_NEXT/Architecture/Block_Login_of_Expired_Staff_Accounts.adoc [new file with mode: 0644]
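
A pre-flight audit for the advice in the commit message about checking staff expiration dates before enabling the flag. This is an added example, not code from this commit or from the Evergreen project. The table, column and function names (`config.global_flag`, `actor.usr`, `permission.usr_has_perm_at`) are assumed from the stock Evergreen schema, the 30-day look-ahead is a constructed value, and the permission test is an approximation that may not match how the patch itself evaluates `STAFF_LOGIN`.

```sql
-- Added example; schema names are assumptions, verify them against your
-- Evergreen version before relying on the results.

-- 1. Current state of the flag named in the commit message.
SELECT name, enabled
  FROM config.global_flag
 WHERE name = 'auth.block_expired_staff_login';

-- 2. Accounts holding STAFF_LOGIN that are already expired (would be locked
--    out as soon as the flag is enabled) or expire within the next 30 days
--    (would be locked out shortly afterwards).
SELECT u.id,
       u.usrname,
       u.home_ou,
       u.expire_date,
       CASE WHEN u.expire_date < NOW()
            THEN 'expired: blocked once flag is enabled'
            ELSE 'expiring within 30 days'
       END AS status
  FROM actor.usr u
 WHERE NOT u.deleted
   AND u.active
   AND u.expire_date < NOW() + INTERVAL '30 days'
   AND (
         -- Assumption: superusers are listed for review as well, since
         -- they can normally act as staff.
         u.super_user
         -- Assumption: usr_has_perm_at returns the org units at which the
         -- user holds the permission; any row means the account has it.
         OR EXISTS (
              SELECT 1
                FROM permission.usr_has_perm_at(u.id, 'STAFF_LOGIN')
            )
       )
 ORDER BY u.expire_date;
```

Accounts in the first status group that belong to current staff need their expiration date extended before the flag is enabled; accounts belonging to departed staff are the ones the flag is meant to block.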