LP#1693035 Login timeout honors workstation org

Use the org unit linked to the provided workstation to collect the
login timeout org unit setting value during login.  Previously, all
checks defaulted to the global org unit.

This patch solidifies the precedence order for OUS lookups during login
like so:

1. Workstation org unit.
2. API org unit value.
3. Users' home org unit.

Signed-off-by: Bill Erickson <berickxx@gmail.com>
Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>

diff --git a/Open-ILS/src/c-apps/oils_auth_internal.c b/Open-ILS/src/c-apps/oils_auth_internal.c
index 96ad193..d0c46f8 100644 (file)
--- a/Open-ILS/src/c-apps/oils_auth_internal.c
+++ b/Open-ILS/src/c-apps/oils_auth_internal.c
@@ -287,10 +287,6 @@ int oilsAuthInternalCreateSession(osrfMethodContext* ctx) {
             "Missing parameters for method: %s", ctx->method->name );
     }
 
-    // default to the root org unit if none is provided.
-    if (org_unit < 1) 
-        org_unit = oilsUtilsGetRootOrgId();
-
     oilsEvent* response = NULL;
 
     // fetch the user object
@@ -307,18 +303,32 @@ int oilsAuthInternalCreateSession(osrfMethodContext* ctx) {
     // If a workstation is defined, add the workstation info
     if (workstation) {
         response = oilsAuthVerifyWorkstation(ctx, userObj, workstation);
-        if (response) {
+
+        if (response) { // invalid workstation.
             jsonObjectFree(userObj);
             osrfAppRespondComplete(ctx, oilsEventToJSON(response));
             oilsEventFree(response);
             return 0;
+
+        } else { // workstation OK.  
+
+            // The worksation org unit supersedes any org unit value 
+            // provided via the API.  oilsAuthVerifyWorkstation() sets the 
+            // ws_ou value to the WS owning lib.  A value is guaranteed.
+            org_unit = atoi(oilsFMGetStringConst(userObj, "ws_ou"));
         }
 
-    } else {
-        // Otherwise, use the home org as the workstation org on the user
-        char* orgid = oilsFMGetString(userObj, "home_ou");
+    } else { // no workstation
+
+        // For backwards compatibility, when no workstation is provided, use 
+        // the users's home org as its workstation org unit, regardless of 
+        // any API-level org unit value provided.
+        const char* orgid = oilsFMGetStringConst(userObj, "home_ou");
         oilsFMSetString(userObj, "ws_ou", orgid);
-        free(orgid);
+
+        // The context org unit defaults to the user's home library when
+        // no workstation is used and no API-level value is provided.
+        if (org_unit < 1) org_unit = atoi(orgid);
     }
 
     // determine the auth/cache timeout
@@ -380,10 +390,6 @@ int oilsAuthInternalValidate(osrfMethodContext* ctx) {
             "Missing parameters for method: %s", ctx->method->name );
     }
 
-    // default to the root org unit if none is provided.
-    if (org_unit < 1) 
-        org_unit = oilsUtilsGetRootOrgId();
-
     oilsEvent* response = NULL;
     jsonObject *userObj = NULL, *params = NULL;
     char* tmp_str = NULL;
@@ -446,6 +452,10 @@ int oilsAuthInternalValidate(osrfMethodContext* ctx) {
         }
     }
 
+    // XXX: login permission checks are always global (see 
+    // oilsAuthCheckLoginPerm()).  No need to extract the 
+    // workstation org unit here.
+
     if (!response) { // Still OK
         // Confirm user has permission to login w/ the requested type.
         response = oilsAuthCheckLoginPerm(