LP#
1474029: teach Evergreen how to prevent expired staff from logging in
This patch adds the ability to prevent staff users whose
accounts have expired from logging in. This is controlled
by the new global flag "auth.block_expired_staff_login", which
is not enabled by default. If that flag is turned on, accounts
that have the `STAFF_LOGIN` permission and whose expiration date
is in the past are prevented from logging into any Evergreen
interface, including the staff client, the public catalog, and SIP2.
It should be noted that ordinary patrons are allowed to log into
the public catalog if their circulation privileges have expired. This
feature prevents expired staff users from logging into the public catalog
(and all other Evergreen interfaces and APIs) outright in order to
prevent them from getting into the staff interface anyway by
creative use of Evergreen's authentication APIs.
Evergreen admins are advised to check the expiration status of staff
accounts before turning on the global flag, as otherwise it is
possible to lock staff users out unexpectedly.
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
Signed-off-by: Terran McCanna <tmccanna@georgialibraries.org>
Signed-off-by: Bill Erickson <berickxx@gmail.com>
projects / evergreen / pines.git / commit