From 7fec6759df3f916c5f0226fa19244e401775e907 Mon Sep 17 00:00:00 2001
From: Bill Erickson
Date: Tue, 15 Sep 2015 16:11:08 -0400
Subject: [PATCH] JBAS-886 ezproxy/remoteauth DB permission check (Students)
Instead of calling authenticate procedures, ensure the user is valid, knows their password, then check whether the user has the ACCESS_EBOOKS_AND_DATABASES permission. This was added to support Schools cards, where users can access databases and e-books, but cannot log into the catalog.
Signed-off-by: Bill Erickson
---
 Open-ILS/examples/remoteauth.cgi | 82 +++++++++++++++++++++++++---------------
 1 file changed, 51 insertions(+), 31 deletions(-)
diff --git a/Open-ILS/examples/remoteauth.cgi b/Open-ILS/examples/remoteauth.cgi
index 67c7b5c795..94959d2325 100755
--- a/Open-ILS/examples/remoteauth.cgi
+++ b/Open-ILS/examples/remoteauth.cgi
@@ -21,15 +21,17 @@
 # ::external=https://hostname/cgi-bin/ezproxy/remoteauth.cgi,post=user=^u&passwd=^p
 #
-#use strict;
+use strict;
 use warnings;
 use CGI;
 use Digest::MD5 qw(md5_hex);
-use OpenSRF::EX qw(:try);
 use OpenSRF::System;
 use OpenSRF::AppSession;
+use OpenILS::Utils::Fieldmapper;
+use OpenILS::Utils::CStoreEditor qw/:funcs/;
+use OpenILS::Application::AppUtils;
 my $bootstrap = '/openils/conf/opensrf_core.xml';
 my $cgi = new CGI;
@@ -43,50 +45,68 @@
 print $cgi->header(-type=>'text/html', -expires=>'-1d');
 OpenSRF::AppSession->ingress('remoteauth');
 OpenSRF::System->bootstrap_client( config_file => $bootstrap );
+Fieldmapper->import(IDL =>
+ OpenSRF::Utils::SettingsClient->new->config_value("IDL"));
+
+my $actor = OpenSRF::AppSession->create('open-ils.actor');
+my $e = new_editor();
+$e->init;
 if (!($u || $usrname || $barcode) || !$p) {
- print '+INCOMPLETE';
+ print '+INCOMPLETE';
 } else {
- my $nametype;
+ my $nametype;
 if ($usrname) {
 $u = $usrname;
- $nametype = 'username';
+ $nametype = 'username';
 } elsif ($barcode) {
 $u = $barcode;
 $nametype = 'barcode';
 } else {
- $nametype = 'username';
- my $regex_response = OpenSRF::AppSession
- ->create('open-ils.actor')
- ->request('open-ils.actor.ou_setting.ancestor_default', 1, 'opac.barcode_regex')
+ $nametype = 'username';
+ my $regex_response = $actor->request(
+ 'open-ils.actor.ou_setting.ancestor_default',
+ 1, 'opac.barcode_regex')
 ->gather(1);
 if ($regex_response) {
 my $regexp = $regex_response->{'value'};
 $nametype = 'barcode' if ($u =~ qr/$regexp/);
 }
 }
- my $seed = OpenSRF::AppSession
- ->create('open-ils.auth')
- ->request( 'open-ils.auth.authenticate.init', $u )
- ->gather(1);
- if ($seed) {
- my $response = OpenSRF::AppSession
- ->create('open-ils.auth')
- ->request( 'open-ils.auth.authenticate.verify',
- { $nametype => $u, password => md5_hex($seed . md5_hex($p)), type => 'opac', agent => $agent })
- ->gather(1);
- if ($response) {
- if ($response->{ilsevent} == 0) {
- print '+VALID';
- } else {
- print '+NO';
- }
- } else {
- print '+BACKEND_ERROR';
- }
- } else {
- print '+BACKEND_ERROR';
- }
+
+ my $user;
+
+ if ($nametype eq 'barcode') {
+
+ my $card = $e->search_actor_card([
+ {barcode => $u},
+ {flesh => 1, flesh_fields => {ac => ['usr']}}
+ ])->[0];
+
+ $user = $card->usr if $card and $card->active eq 't';
+
+ } else {
+ $user = $e->search_actor_user({usrname => $u})->[0];
+ }
+
+ if ($user
+ and $user->deleted eq 'f'
+ and $user->active eq 't'
+ and $user->passwd eq md5_hex($p)) {
+
+ $e->requestor($user);
+ if ($e->allowed('ACCESS_EBOOKS_AND_DATABASES', $user->home_ou)) {
+
+ OpenILS::Application::AppUtils
+ ->log_user_activity($user->id, $agent, 'verify');
+
+ print '+VALID';
+ } else {
+ print '+NO';
+ }
+ } else {
+ print '+NO';
+ }
 }
 1;
-- 
2.11.0
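Review bot: The new credential check `and $user->passwd eq md5_hex($p)` compares the submitted password straight against actor.usr.passwd, so this CGI now hard-codes the stored-hash format (unsalted MD5 here) instead of delegating to open-ils.auth as the removed code did, and any future change to password storage, or any lockout/throttling the auth service applies (not visible in this diff), silently stops covering this endpoint. If the direct compare is deliberate so that cards without catalog-login rights can still pass, record that at the site: `# Direct compare against actor.usr.passwd (unsalted MD5) rather than open-ils.auth, so cards that cannot log into the catalog still pass; revisit if the hash scheme changes.` Separately, the old `+BACKEND_ERROR` branches have no counterpart: if `search_actor_card` or `search_actor_user` returns undef on a cstore failure, the immediate `->[0]` dies under the now-enabled `use strict` and EZproxy receives no status line at all. Guarding the dereferences, e.g. `my $cards = $e->search_actor_card([{barcode => $u}, {flesh => 1, flesh_fields => {ac => ['usr']}}]) || [];` followed by `my $card = $cards->[0];`, and likewise `$user = ($e->search_actor_user({usrname => $u}) || [])->[0];`, keeps the script answering, though restoring `+BACKEND_ERROR` itself needs a branch that distinguishes a failed lookup from an empty one, which depends on the editor's failure mode (not shown here).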