From ce22424c3156e5c53e79779008cc904ba26fd883 Mon Sep 17 00:00:00 2001
From: Jeff Davis
Date: Thu, 20 Jun 2019 12:49:31 -0700
Subject: [PATCH] LP#1786552: AuthProxy: restrict_by_home_ou based on authenticator org_units

It makes more sense to check the patron's home library against the org units to which the authenticator applies, rather than the login org param.

Signed-off-by: Jeff Davis
Signed-off-by: Galen Charlton
---
 .../perlmods/lib/OpenILS/Application/AuthProxy.pm | 25 +++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
index d0fcbe7881..dbf4db474c 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
@@ -261,11 +261,26 @@ sub login {
 return OpenILS::Event->new( 'LOGIN_FAILED' );
 } else {
 my $restrict_by_ou = $authenticator->{restrict_by_home_ou};
- if ($args->{org} and defined($restrict_by_ou) and $restrict_by_ou =~ /^t/i) {
- my $descendants = $U->get_org_descendants($args->{org});
- unless (grep $user->[0]->home_ou, @$descendants) {
- $logger->debug("Matching user does not belong to this org, aborting");
- return OpenILS::Event->new( 'LOGIN_FAILED' );
+ if (defined($restrict_by_ou) and $restrict_by_ou =~ /^t/i) {
+ my $home_ou = $user->[0]->home_ou;
+ my $allowed = 0;
+ # disallow auth if user's home library is not one of the org_units for this authenticator
+ if ($authenticator->org_units) {
+ if (grep(/^all$/, @{$authenticator->org_units})) {
+ $allowed = 1;
+ } else {
+ foreach my $org (@{$authenticator->org_units}) {
+ my $allowed_orgs = $U->get_org_descendants($org);
+ if (grep(/^$home_ou$/, @$allowed_orgs)) {
+ $allowed = 1;
+ last;
+ }
+ }
+ }
+ if (!$allowed) {
+ $logger->debug("Auth disallowed for matching user's home library, aborting");
+ return OpenILS::Event->new( 'LOGIN_FAILED' );
+ }
 }
 }
 $args->{user_id} = $user->[0]->id;
-- 
2.11.0
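Review bot: The new `if (!$allowed)` rejection sits inside `if ($authenticator->org_units)`, so an authenticator configured with restrict_by_home_ou but an empty or missing org_units list never rejects anyone — `$allowed` stays 0 but the check is skipped and login proceeds with the restriction silently disabled, which is fail-open for a control whose whole purpose is to restrict. Unless an authenticator with no org_units is deliberately unrestricted (in which case the comment above should say so), the `if (!$allowed) { ... return LOGIN_FAILED }` block should move one level out so that it runs whenever restrict_by_home_ou is set. Separately, `grep(/^$home_ou$/, @$allowed_orgs)` interpolates the home_ou value into a regex where a plain comparison is meant; `grep { $_ == $home_ou } @$allowed_orgs` (or `eq` if ids are not guaranteed numeric) avoids regex metacharacter and `$`-before-newline surprises and reads as the id match it is, and the same applies to `grep(/^all$/, ...)` which is simply `grep { $_ eq 'all' }`. The enclosing `login` sub starts and ends outside this hunk.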