[Bug 16694] New: Limit SIP2 auth by patron attribute

classic Classic list List threaded Threaded
26 messages Options
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] New: Limit SIP2 auth by patron attribute

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

            Bug ID: 16694
           Summary: Limit SIP2 auth by patron attribute
 Change sponsored?: Sponsored
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: Authentication
          Assignee: [hidden email]
          Reporter: [hidden email]
        QA Contact: [hidden email]
                CC: [hidden email]

In Scandinavia "more open" (Swedish: "Meröppet", Norwegian: "Meråpent") is a
hot issue at the moment. What this means is that patrons can use their card and
password/PIN to lock themselves into the library even when staff is not around.
Typically, this means that patrons can get access to the library building from
7 am to 11 pm, even if the library is only staffed from 8 am to 5 pm.

Typically, SIP2 is used to communnicate between the "more open"-system and the
ILS, specifically to authenticate the user with a username and password/PIN.

Also, you want the ability to turn "more open" access on and off for patrons.
An extended patron attribute with possible values of NULL/empty, 0 or 1 should
serve well for this.

SIP2 does not have a field for saying "this is a moreopen login", so we need a
way to identify a SIP2 user as a moreopen user. My plan is to add another
attribute to the login element in SIPConfig.xml to achieve this:

<login id="koha"   password="koha"  delimiter="|" error-detect="enabled"
institution="kohalibrary" patron-attribute="MEROPPET" />

"MEROPPET" is then the name of an extended patron attribute which can be set to
NULL or 0 (patron should not have access to moreopen) or 1 (patron should have
access).

This should be flexible enough to allow other, similar schemes to use some
other patron attribute.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

--- Comment #1 from Benjamin Rokseth <[hidden email]> ---
Created attachment 54920
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=54920&action=edit
Bug 16694 - Limit SIP2 auth by patron attribute

The main use case of this bug is to use patron attributes to grant special
privileges, e.g. to open a door to an unmanned library.

This patch adds an extra check against patron attributes if login account
in SIPconfig.xml has a key validate_patron_attribute set to some patron
attribute.

If a patron information request is sent (63), and patron has proper rights in
the
given attribute: (a value of 1/true or some authorised value mapping to 1)
The user will be allowed access (in SIP: charge and/or renewal ok).
Otherwise denied.

Please note that this is specific to the SIP login account, so self checkout
machines can be handled differently than e.g. a door card terminal.

To test:
0) you need to debug using telnet or the koha provided sip_client
1) add validate_patron_attribute="testattribute" to some login account in
SIPconfig.xml
2) add a patron attribute "testattribute"
3) edit some patron and set "testattribute" to "1"
4) do a sip login with the given login account from SIPconfig.xml
5) do a patron information request (63) on the patron
6) observe that no charge or renewal denied is given in the response (64  )
7) try all or any of the following:
 - set patron attribute to anything but "1"
 - delete the patron attribute
 - map the patron attribute to an authorized list, e.g. (YES_NO) and
   set it to a value that doesn't map to "1", e.g. "No".
8) do a patron information request (63) again
9) observe that charge and renewal is now denied in the SIP response (64YY)
10) thank yourself if noone else does and grab a coffee

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

Benjamin Rokseth <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]
                   |                            |ommune.no
             Status|NEW                         |Needs Signoff

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

Benjamin Rokseth <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #54920|0                           |1
        is obsolete|                            |

--- Comment #2 from Benjamin Rokseth <[hidden email]> ---
Created attachment 56068
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=56068&action=edit
Bug 16694 - Limit SIP2 auth by patron attribute

The main use case of this bug is to use patron attributes to grant special
privileges, e.g. to open a door to an unmanned library.

This patch adds an extra check against patron attributes if login account
in SIPconfig.xml has a key validate_patron_attribute set to some patron
attribute.

If a patron information request is sent (63), and patron has proper rights in
the
given attribute: (a value of 1/true or some authorised value mapping to 1)
The user will be allowed access (in SIP: charge and/or renewal ok).
Otherwise denied.

Please note that this is specific to the SIP login account, so self checkout
machines can be handled differently than e.g. a door card terminal.

To test:
0) you need to debug using telnet or the koha provided sip_client
1) add validate_patron_attribute="testattribute" to some login account in
SIPconfig.xml
2) add a patron attribute "testattribute"
3) edit some patron and set "testattribute" to "1"
4) do a sip login with the given login account from SIPconfig.xml
5) do a patron information request (63) on the patron
6) observe that no charge or renewal denied is given in the response (64  )
7) try all or any of the following:
 - set patron attribute to anything but "1"
 - delete the patron attribute
 - map the patron attribute to an authorized list, e.g. (YES_NO) and
   set it to a value that doesn't map to "1", e.g. "No".
8) do a patron information request (63) again
9) observe that charge and renewal is now denied in the SIP response (64YY)
10) thank yourself if noone else does and grab a coffee

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

Magnus Enger <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Signoff               |Failed QA

--- Comment #3 from Magnus Enger <[hidden email]> ---
I can't seem to be able to turn "64  " into "64YY", no matter what I set the
extended patron attribute is set to. I think this is because the default values
for charge_ok and renew_ok are 1, so by only setting them to 1 the patches
never changes them. Something like this should work, I think:

            if ($attr || $attr == "1") {
                syslog( "LOG_ERR", "attr OK" );
                $patron->{charge_ok} = 1;
                $patron->{renew_ok} = 1;
            } else {
                $patron->{charge_ok} = 0;
                $patron->{renew_ok} = 0;
            }

Otherwise, this looks OK, so it should be an easy fix/followup.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

--- Comment #4 from Magnus Enger <[hidden email]> ---
I had been working on a patch for this where I did:

if ( defined $server->{'account'}->{'patron-attribute'} ) {
    my $attribute_value =
$patron->get_patron_attribute_value($server->{'account'}->{'patron-attribute'});
    $patron->{'charge_ok'} = $attribute_value;
}

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

Benjamin Rokseth <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #56068|0                           |1
        is obsolete|                            |

--- Comment #5 from Benjamin Rokseth <[hidden email]> ---
Created attachment 56442
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=56442&action=edit
Bug 16694 - Limit SIP2 auth by patron attribute

The main use case of this bug is to use patron attributes to grant special
privileges, e.g. to open a door to an unmanned library.

This patch adds an extra check against patron attributes if login account
in SIPconfig.xml has a key validate_patron_attribute set to some patron
attribute.

If a patron information request is sent (63), and patron has proper rights in
the
given attribute: (a value of 1/true or some authorised value mapping to 1)
The user will be allowed access (in SIP: charge and/or renewal ok).
Otherwise denied.

Please note that this is specific to the SIP login account, so self checkout
machines can be handled differently than e.g. a door card terminal.

To test:
0) you need to debug using telnet or the koha provided sip_client
1) add validate_patron_attribute="testattribute" to some login account in
SIPconfig.xml
2) add a patron attribute "testattribute"
3) edit some patron and set "testattribute" to "1"
4) do a sip login with the given login account from SIPconfig.xml
5) do a patron information request (63) on the patron
6) observe that no charge or renewal denied is given in the response (64  )
7) try all or any of the following:
 - set patron attribute to anything but "1"
 - delete the patron attribute
 - map the patron attribute to an authorized list, e.g. (YES_NO) and
   set it to a value that doesn't map to "1", e.g. "No".
8) do a patron information request (63) again
9) observe that charge and renewal is now denied in the SIP response (64YY)
10) thank yourself if noone else does and grab a coffee

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

Benjamin Rokseth <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Failed QA                   |Needs Signoff

--- Comment #6 from Benjamin Rokseth <[hidden email]> ---
Thx for the followup, Magnus! Actually there was also a logical error in the
original code, so I merged in your change. It should work as advertised now.

That is, only an borrower attribute value of "1" or an authorised value mapped
to "1" will grant access to the patron if the validate_patron_attribute is set
to a borrower attribute in the SIPConfig login.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

Magnus Enger <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Signoff               |Signed Off
   Patch complexity|---                         |Small patch

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

Magnus Enger <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #56442|0                           |1
        is obsolete|                            |

--- Comment #7 from Magnus Enger <[hidden email]> ---
Created attachment 56579
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=56579&action=edit
Bug 16694 - Limit SIP2 auth by patron attribute

The main use case of this bug is to use patron attributes to grant special
privileges, e.g. to open a door to an unmanned library.

This patch adds an extra check against patron attributes if login account
in SIPconfig.xml has a key validate_patron_attribute set to some patron
attribute.

If a patron information request is sent (63), and patron has proper rights in
the
given attribute: (a value of 1/true or some authorised value mapping to 1)
The user will be allowed access (in SIP: charge and/or renewal ok).
Otherwise denied.

Please note that this is specific to the SIP login account, so self checkout
machines can be handled differently than e.g. a door card terminal.

To test:
0) you need to debug using telnet or the koha provided sip_client
1) add validate_patron_attribute="testattribute" to some login account in
SIPconfig.xml
2) add a patron attribute "testattribute"
3) edit some patron and set "testattribute" to "1"
4) do a sip login with the given login account from SIPconfig.xml
5) do a patron information request (63) on the patron
6) observe that no charge or renewal denied is given in the response (64  )
7) try all or any of the following:
 - set patron attribute to anything but "1"
 - delete the patron attribute
 - map the patron attribute to an authorized list, e.g. (YES_NO) and
   set it to a value that doesn't map to "1", e.g. "No".
8) do a patron information request (63) again
9) observe that charge and renewal is now denied in the SIP response (64YY)
10) thank yourself if noone else does and grab a coffee

Signed-off-by: Magnus Enger <[hidden email]>
Took me a while to remember I was on a gitified setup and needed to do
sudo cp C4/SIP/Sip/MsgType.pm /usr/share/koha/lib/C4/SIP/Sip/MsgType.pm
before I could test properly. Works as expected. I have a Swedish customer
running a similar hack in production, so looking forward to getting this
into Koha proper.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

Marcel de Rooy <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]
             Status|Signed Off                  |Failed QA

--- Comment #8 from Marcel de Rooy <[hidden email]> ---
Would be nice to validate this small change with a small test in e.g.
t/db_dependent/SIP/Message.t
We already have a test there for patron info.
Should not be big deal :)

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

Jonathan Druart <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.koha-community
                   |                            |.org/bugzilla3/show_bug.cgi
                   |                            |?id=14731

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

--- Comment #9 from Magnus Enger <[hidden email]> ---
Benjamin: Feel like writing that test?

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

Benjamin Rokseth <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #56579|0                           |1
        is obsolete|                            |

--- Comment #10 from Benjamin Rokseth <[hidden email]> ---
Created attachment 66845
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=66845&action=edit
Bug 16694 - Limit SIP2 auth by patron attribute

The main use case of this bug is to use patron attributes to grant special
privileges, e.g. to open a door to an unmanned library.

This patch adds an extra check against patron attributes if login account
in SIPconfig.xml has a key validate_patron_attribute set to some patron
attribute.

If a patron information request is sent (63), and patron has proper rights in
the
given attribute: (a value of 1/true or some authorised value mapping to 1)
The user will be allowed access (in SIP: charge and/or renewal ok).
Otherwise denied.

Please note that this is specific to the SIP login account, so self checkout
machines can be handled differently than e.g. a door card terminal.

To test:
0) you need to debug using telnet or the koha provided sip_client
1) add validate_patron_attribute="testattribute" to some login account in
SIPconfig.xml
2) add a patron attribute "testattribute"
3) edit some patron and set "testattribute" to "1"
4) do a sip login with the given login account from SIPconfig.xml
5) do a patron information request (63) on the patron
6) observe that no charge or renewal denied is given in the response (64  )
7) try all or any of the following:
 - set patron attribute to anything but "1"
 - delete the patron attribute
 - map the patron attribute to an authorized list, e.g. (YES_NO) and
   set it to a value that doesn't map to "1", e.g. "No".
8) do a patron information request (63) again
9) observe that charge and renewal is now denied in the SIP response (64YY)
10) thank yourself if noone else does and grab a coffee

Signed-off-by: Magnus Enger <[hidden email]>
Took me a while to remember I was on a gitified setup and needed to do
sudo cp C4/SIP/Sip/MsgType.pm /usr/share/koha/lib/C4/SIP/Sip/MsgType.pm
before I could test properly. Works as expected. I have a Swedish customer
running a similar hack in production, so looking forward to getting this
into Koha proper.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

--- Comment #11 from Benjamin Rokseth <[hidden email]> ---
rebased against master.

Ignoring failing test 'Checkin V2' as it has no bearing on this bug and should
be resolved in another bug

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

--- Comment #12 from Benjamin Rokseth <[hidden email]> ---
Created attachment 66846
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=66846&action=edit
Bug 18137: (QA followup) Make sure the session exists and is expired on
expiration tests

Signed-off-by: Tomas Cohen Arazi <[hidden email]>

Signed-off-by: Lari Taskula <[hidden email]>

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

Benjamin Rokseth <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #66846|0                           |1
        is obsolete|                            |

--- Comment #13 from Benjamin Rokseth <[hidden email]> ---
Created attachment 66847
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=66847&action=edit
Bug 18137: (QA followup) Make sure the session exists and is expired on
expiration tests

Signed-off-by: Tomas Cohen Arazi <[hidden email]>

Signed-off-by: Lari Taskula <[hidden email]>

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

Benjamin Rokseth <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #66847|0                           |1
        is obsolete|                            |

--- Comment #14 from Benjamin Rokseth <[hidden email]> ---
Created attachment 66848
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=66848&action=edit
Bug 16694 - Limit SIP2 auth by patron attribute

The main use case of this bug is to use patron attributes to grant special
privileges, e.g. to open a door to an unmanned library.

This patch adds an extra check against patron attributes if login account
in SIPconfig.xml has a key validate_patron_attribute set to some patron
attribute.

If a patron information request is sent (63), and patron has proper rights in
the
given attribute: (a value of 1/true or some authorised value mapping to 1)
The user will be allowed access (in SIP: charge and/or renewal ok).
Otherwise denied.

Please note that this is specific to the SIP login account, so self checkout
machines can be handled differently than e.g. a door card terminal.

To test:
0) you need to debug using telnet or the koha provided sip_client
1) add validate_patron_attribute="testattribute" to some login account in
SIPconfig.xml
2) add a patron attribute "testattribute"
3) edit some patron and set "testattribute" to "1"
4) do a sip login with the given login account from SIPconfig.xml
5) do a patron information request (63) on the patron
6) observe that no charge or renewal denied is given in the response (64  )
7) try all or any of the following:
 - set patron attribute to anything but "1"
 - delete the patron attribute
 - map the patron attribute to an authorized list, e.g. (YES_NO) and
   set it to a value that doesn't map to "1", e.g. "No".
8) do a patron information request (63) again
9) observe that charge and renewal is now denied in the SIP response (64YY)
10) thank yourself if noone else does and grab a coffee

Signed-off-by: Magnus Enger <[hidden email]>
Took me a while to remember I was on a gitified setup and needed to do
sudo cp C4/SIP/Sip/MsgType.pm /usr/share/koha/lib/C4/SIP/Sip/MsgType.pm
before I could test properly. Works as expected. I have a Swedish customer
running a similar hack in production, so looking forward to getting this
into Koha proper.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

Benjamin Rokseth <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #66845|0                           |1
        is obsolete|                            |

--- Comment #15 from Benjamin Rokseth <[hidden email]> ---
Created attachment 66849
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=66849&action=edit
Bug 16694 - Add tests to t/db_dependent/SIP/Message.t

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

--- Comment #16 from Marcel de Rooy <[hidden email]> ---
(In reply to Benjamin Rokseth from comment #11)
> rebased against master.
>
> Ignoring failing test 'Checkin V2' as it has no bearing on this bug and
> should be resolved in another bug

The test passes with me btw. Please copy your test results in a comment.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

Benjamin Rokseth <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Failed QA                   |Needs Signoff

--- Comment #17 from Benjamin Rokseth <[hidden email]> ---
needs another signoff on added tests

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

--- Comment #18 from Benjamin Rokseth <[hidden email]> ---
(In reply to Marcel de Rooy from comment #16)
> (In reply to Benjamin Rokseth from comment #11)
> > rebased against master.
> >
> > Ignoring failing test 'Checkin V2' as it has no bearing on this bug and
> > should be resolved in another bug
>
> The test passes with me btw. Please copy your test results in a comment.

Good. May be I have corrupted my DB somehow from testing various tests.
Seems there are problems on creating items

  resensitize(): no item found in object to resensitize at
  C4/SIP/ILS/Transaction/Checkin.pm line 127.

    #   Failed test 'Check screen msg'
    #   at ./t/db_dependent/SIP/Message.t line 448.
    #          got: ''
    #     expected: '1'
  new ILS::Item(Kckdb) : No item 'Kckdb'. at C4/SIP/ILS/Item.pm line 80.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

Owen Leonard <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Signoff               |Signed Off

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

Owen Leonard <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #66849|0                           |1
        is obsolete|                            |

--- Comment #19 from Owen Leonard <[hidden email]> ---
Created attachment 67956
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=67956&action=edit
Bug 16694 - Add tests to t/db_dependent/SIP/Message.t

Signed-off-by: Owen Leonard <[hidden email]>

Test passes with no errors

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

Marcel de Rooy <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         QA Contact|[hidden email]-communit |[hidden email]
                   |y.org                       |

--- Comment #20 from Marcel de Rooy <[hidden email]> ---
QA: Looking here now

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 16694] Limit SIP2 auth by patron attribute

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16694

Marcel de Rooy <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |colin.campbell@ptfs-europe.
                   |                            |com
             Status|Signed Off                  |Failed QA

--- Comment #21 from Marcel de Rooy <[hidden email]> ---
QA Comment:
Thanks for adding the test.
I am not yet fully comfortable with the code added to MsgType.pm. I would
rather have the validation in Patron.pm and just calling
$patron->validate_or_something from MsgType.

Also the current code needs additional checking.
If a patron is already debarred etc, so charge_ok is already 0, we should not
set charge_ok to 1 only because the validation attribute is present.

Another point (no blocker, but adding to discussion): Is the test attr==1 not
too simple? Could we allow something like validate_patron="opendoor=Y" or even
two expr like validate_patron="opendoor=Y;categorycode=X" etc.? Could be a
future extension..

Copying Coling: Do you have additional feedback ?

Changing status

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/