JBAS-886 ezproxy/remoteauth DB permission check (Students)
authorBill Erickson <berickxx@gmail.com>
Tue, 15 Sep 2015 20:11:08 +0000 (16:11 -0400)
committerBill Erickson <berickxx@gmail.com>
Thu, 21 Mar 2019 19:46:23 +0000 (15:46 -0400)
Instead of calling authenticate procedures, ensure the user is valid,
knows their password, then check whether the user has the
ACCESS_EBOOKS_AND_DATABASES permission.

This was added to support Schools cards, where users can access
databases and e-books, but cannot log into the catalog.

Signed-off-by: Bill Erickson <berickxx@gmail.com>
Open-ILS/examples/remoteauth.cgi

index 67c7b5c..94959d2 100755 (executable)
 #    ::external=https://hostname/cgi-bin/ezproxy/remoteauth.cgi,post=user=^u&passwd=^p
 #
 
-#use strict;
+use strict;
 use warnings;
 
 use CGI;
 use Digest::MD5 qw(md5_hex);
 
-use OpenSRF::EX qw(:try);
 use OpenSRF::System;
 use OpenSRF::AppSession;
+use OpenILS::Utils::Fieldmapper;
+use OpenILS::Utils::CStoreEditor qw/:funcs/;
+use OpenILS::Application::AppUtils;
 
 my $bootstrap = '/openils/conf/opensrf_core.xml';
 my $cgi = new CGI;
@@ -43,50 +45,68 @@ print $cgi->header(-type=>'text/html', -expires=>'-1d');
 
 OpenSRF::AppSession->ingress('remoteauth');
 OpenSRF::System->bootstrap_client( config_file => $bootstrap );
+Fieldmapper->import(IDL =>
+    OpenSRF::Utils::SettingsClient->new->config_value("IDL"));
+
+my $actor = OpenSRF::AppSession->create('open-ils.actor');
+my $e = new_editor();
+$e->init;
 
 if (!($u || $usrname || $barcode) || !$p) {
-       print '+INCOMPLETE';
+    print '+INCOMPLETE';
 } else {
-       my $nametype;
+    my $nametype;
     if ($usrname) {
         $u = $usrname;
-           $nametype = 'username';
+        $nametype = 'username';
     } elsif ($barcode) {
         $u = $barcode;
         $nametype = 'barcode';
     } else {
-           $nametype = 'username';
-        my $regex_response = OpenSRF::AppSession
-            ->create('open-ils.actor')
-            ->request('open-ils.actor.ou_setting.ancestor_default', 1, 'opac.barcode_regex')
+        $nametype = 'username';
+        my $regex_response = $actor->request(
+            'open-ils.actor.ou_setting.ancestor_default', 
+                1, 'opac.barcode_regex')
             ->gather(1);
         if ($regex_response) {
             my $regexp = $regex_response->{'value'};
             $nametype = 'barcode' if ($u =~ qr/$regexp/);
         }
     }
-       my $seed = OpenSRF::AppSession
-               ->create('open-ils.auth')
-               ->request( 'open-ils.auth.authenticate.init', $u )
-               ->gather(1);
-       if ($seed) {
-               my $response = OpenSRF::AppSession
-                       ->create('open-ils.auth')
-                       ->request( 'open-ils.auth.authenticate.verify', 
-                               { $nametype => $u, password => md5_hex($seed . md5_hex($p)), type => 'opac', agent => $agent })
-                       ->gather(1);
-               if ($response) {
-                       if ($response->{ilsevent} == 0) {
-                               print '+VALID';
-                       } else {
-                               print '+NO';
-                       }
-               } else {
-                       print '+BACKEND_ERROR';
-               }
-       } else {
-               print '+BACKEND_ERROR';
-       }
+
+    my $user;
+
+    if ($nametype eq 'barcode') {
+
+        my $card = $e->search_actor_card([
+            {barcode => $u},
+            {flesh => 1, flesh_fields => {ac => ['usr']}}
+        ])->[0];
+
+        $user = $card->usr if $card and $card->active eq 't';
+
+    } else {
+        $user = $e->search_actor_user({usrname => $u})->[0];
+    }
+
+    if ($user 
+        and $user->deleted eq 'f' 
+        and $user->active eq 't' 
+        and $user->passwd eq md5_hex($p)) {
+
+        $e->requestor($user);
+        if ($e->allowed('ACCESS_EBOOKS_AND_DATABASES', $user->home_ou)) {
+
+            OpenILS::Application::AppUtils
+                ->log_user_activity($user->id, $agent, 'verify');
+
+            print '+VALID';
+        } else {
+            print '+NO';
+        }
+    } else {
+        print '+NO';
+    }
 }
 
 1;
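Review bot: The new credential check at `$user->passwd eq md5_hex($p)` replaces the auth service's seed/verify exchange with a direct comparison against the stored column, which hard-codes an unsalted MD5 as the on-disk password format and bypasses whatever the auth service does around a verify (failed-attempt accounting, any alternate hashing); if the stored credential is ever salted or stored elsewhere this script will silently reject every user, and the whole user object including the hash is now loaded into the CGI process. It would be safer to verify the password through the same server-side routine the auth service uses and only then apply the `ACCESS_EBOOKS_AND_DATABASES` check, keeping the permission logic this commit introduces while leaving the hash scheme in one place. At minimum, add a comment above the comparison so the coupling is explicit, e.g. `# NOTE: assumes actor.usr.passwd holds an unsalted md5_hex of the password; revisit if password storage changes`. A plain `eq` on the hash is also not constant-time, which is minor here but worth a note since an attacker controls `$p`.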