[open-ils-commits] [GIT] Evergreen ILS branch rel_2_0 updated. 54da44be00e44954136a03de96e838b37f4809ba

Evergreen Git git at git.evergreen-ils.org
Wed Jun 13 11:21:05 EDT 2012


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_2_0 has been updated
       via  54da44be00e44954136a03de96e838b37f4809ba (commit)
       via  4bae1e1f06e6d459d15d16a375bddc8a496ee1d6 (commit)
       via  55d809fe0550e57fb927e5269041a6cc92fe8cae (commit)
       via  1c18f452ee6fc8c00b02725fb8987ae738f22dce (commit)
      from  462d6577d6124430d814829835f39a124c696ecc (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 54da44be00e44954136a03de96e838b37f4809ba
Author: Jason Stephenson <jstephenson at mvlc.org>
Date:   Wed Jun 13 09:35:07 2012 -0400

    Add the 2.0.11-2.0.12 database upgrade script.
    
    Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>

diff --git a/Open-ILS/src/sql/Pg/2.0.11-2.0.12-upgrade-db.sql b/Open-ILS/src/sql/Pg/2.0.11-2.0.12-upgrade-db.sql
new file mode 100644
index 0000000..74e3ee1
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/2.0.11-2.0.12-upgrade-db.sql
@@ -0,0 +1,5 @@
+BEGIN;
+
+INSERT INTO config.upgrade_log (version) VALUES ('2.0.12');
+
+COMMIT;
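Review bot: The script only records the 2.0.12 version marker and makes no schema change; that is consistent with the rest of this push (C and Perl fixes only), but the commit message could say so explicitly so that a reader does not go looking for a missing ALTER or CREATE. Note too that the INSERT has no guard against re-running: if config.upgrade_log constrains version to be unique, applying the script twice aborts the transaction at the constraint instead of silently succeeding, which is the usual and desirable behaviour for these upgrade scripts.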

commit 4bae1e1f06e6d459d15d16a375bddc8a496ee1d6
Author: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
Date:   Tue Jun 12 17:26:39 2012 -0400

    For auth, give back the same stacktrace for all cases of LOGIN_FAILED
    
    Signed-off-by: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
    Signed-off-by: Mike Rylander <mrylander at gmail.com>

diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index cf19fdf..93b73db 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -576,6 +576,12 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
 
 	const char* ws = (workstation) ? workstation : "";
 
+	/* Use __FILE__, harmless_line_number for creating
+	 * OILS_EVENT_AUTH_FAILED events (instead of OSRF_LOG_MARK) to avoid
+	 * giving away information about why an authentication attempt failed.
+	 */
+	int harmless_line_number = __LINE__;
+
 	if( !type )
 		 type = OILS_AUTH_STAFF;
 
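Review bot: The new comment should also record the assumption the later call sites depend on, namely that OSRF_LOG_MARK expands to `__FILE__, __LINE__` and that oilsNewEvent takes (file, line, event name); the replacement of one macro with two hand-written arguments is only correct under that assumption. Declaring `int harmless_line_number = __LINE__;` after a statement is a C99 mixed declaration, but the surrounding function already does the same (`int passOK = -1;` further down), so it matches the file's style. Keeping OSRF_LOG_MARK in the server-side osrfLogInfo calls is right: the aim is to stop the client-visible event from encoding which branch rejected the login, not to lose that detail in the server log.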
@@ -643,7 +649,7 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
 	}
 
 	if(!userObj || barred || deleted) {
-		response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
+		response = oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED );
 		osrfLogInfo(OSRF_LOG_MARK,  "failed login: username=%s, barcode=%s, workstation=%s",
 				uname, (barcode ? barcode : "(none)"), ws );
 		osrfAppRespondComplete( ctx, oilsEventToJSON(response) );
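Review bot: Now that the client receives an identical AUTH_FAILED event whether the account is missing, barred or deleted, the server-side line `osrfLogInfo(OSRF_LOG_MARK,  "failed login: username=%s, barcode=%s, workstation=%s", ...` is the only place an operator can still tell the cases apart, and it does not record the reason. Consider appending the cause (no such user, barred, or deleted) to this log message; it is written to the server log only, so it does not undo the purpose of the change, and it makes lockout and abuse investigations much easier.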
@@ -670,7 +676,7 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
 		if( passOK )
 			response = oilsNewEvent( OSRF_LOG_MARK, "PATRON_INACTIVE" );
 		else
-			response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
+			response = oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED );
 
 		osrfAppRespondComplete( ctx, oilsEventToJSON(response) );
 		oilsEventFree(response);
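Review bot: In the wrong-password branch the AUTH_FAILED event is returned and freed, but within the visible context there is no `osrfLogInfo(... "failed login: ..."` line as there is at the other two failure sites. If none exists above the hunk, add one so that a wrong-password attempt is logged the same way as an unknown-user attempt; otherwise the server log records only some of the failed logins. Leaving OSRF_LOG_MARK on the PATRON_INACTIVE event is acceptable, since it is a distinct event returned only after the password has verified.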
@@ -725,7 +731,7 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
 		response = oilsAuthHandleLoginOK( userObj, uname, type, orgloc, workstation );
 
 	} else {
-		response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
+		response = oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED );
 		osrfLogInfo(OSRF_LOG_MARK,  "failed login: username=%s, barcode=%s, workstation=%s",
 				uname, (barcode ? barcode : "(none)"), ws );
 	}
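Review bot: This is the third call site that writes `oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED )` by hand. A single helper in oils_auth.c (a small static function or macro that builds the AUTH_FAILED event) would keep the three sites from drifting; a later edit that reintroduces OSRF_LOG_MARK at one of them would quietly reopen the information leak this commit closes.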

commit 55d809fe0550e57fb927e5269041a6cc92fe8cae
Author: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
Date:   Mon Jun 11 16:23:32 2012 -0400

    Prevent login by deleted and barred users
    
    An existing comment in the code suggested that we thought we were already
    keeping barred users out.  LP #1010671 brings up that deleted users were
    not being kept out.
    
    Signed-off-by: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
    Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>

diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index 4b2a4dc..cf19fdf 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -629,7 +629,20 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
 		}
 	}
 
-	if(!userObj) {
+	int     barred = 0, deleted = 0;
+	char   *barred_str, *deleted_str;
+
+	if(userObj) {
+		barred_str = oilsFMGetString( userObj, "barred" );
+		barred = oilsUtilsIsDBTrue( barred_str );
+		free( barred_str );
+
+		deleted_str = oilsFMGetString( userObj, "deleted" );
+		deleted = oilsUtilsIsDBTrue( deleted_str );
+		free( deleted_str );
+	}
+
+	if(!userObj || barred || deleted) {
 		response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
 		osrfLogInfo(OSRF_LOG_MARK,  "failed login: username=%s, barcode=%s, workstation=%s",
 				uname, (barcode ? barcode : "(none)"), ws );
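Review bot: The new checks pass whatever `oilsFMGetString( userObj, "barred" )` and `oilsFMGetString( userObj, "deleted" )` return straight to `oilsUtilsIsDBTrue`; if oilsFMGetString can return NULL for an absent field, confirm that oilsUtilsIsDBTrue tolerates NULL before dereferencing (free(NULL) is safe, the predicate may not be). Otherwise the logic is right for the bug: the barred/deleted test runs before any password verification and funnels into the same AUTH_FAILED response as an unknown user, so the response does not confirm that the account exists. As with the existing branch, the log line still says only "failed login"; recording which of the three conditions triggered it would help operators.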
@@ -638,7 +651,8 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
 		return 0;           // No such user
 	}
 
-	// Such a user exists.  Now see if he or she has the right credentials.
+	// Such a user exists and isn't barred or deleted.
+	// Now see if he or she has the right credentials.
 	int passOK = -1;
 	if(uname)
 		passOK = oilsAuthVerifyPassword( ctx, userObj, uname, password );
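Review bot: The context line `return 0;           // No such user` at the top of this hunk is now inaccurate: after the previous hunk, barred and deleted users also take this exit. Update the comment to cover all three cases (no such user, or user barred or deleted) so the next reader does not assume the barred/deleted handling lives elsewhere. The rewritten "Such a user exists and isn't barred or deleted" comment is fine.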

commit 1c18f452ee6fc8c00b02725fb8987ae738f22dce
Author: Jason Stephenson <jstephenson at mvlc.org>
Date:   Mon Jun 11 16:12:54 2012 -0400

    Security fix for Launchpad Bug 1003052.
    
    Bug reported by James Fournie:
    
    Revoking the UPDATE_MARC permission doesn't actually seem to prevent a
    user from editing a record. Our use case is that we would like a user
    to create new records but not edit existing MARC records.
    
    Changing CREATE_MARC to UPDATE_MARC in OpenILS::Application::Cat's
    biblio_record_replace_marc() method seems to fix the problem.
    
    Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>

diff --git a/Open-ILS/src/perlmods/OpenILS/Application/Cat.pm b/Open-ILS/src/perlmods/OpenILS/Application/Cat.pm
index 4a9c12e..b9ffdff 100644
--- a/Open-ILS/src/perlmods/OpenILS/Application/Cat.pm
+++ b/Open-ILS/src/perlmods/OpenILS/Application/Cat.pm
@@ -157,7 +157,7 @@ sub biblio_record_replace_marc  {
 	my( $self, $conn, $auth, $recid, $newxml, $source ) = @_;
 	my $e = new_editor(authtoken=>$auth, xact=>1);
 	return $e->die_event unless $e->checkauth;
-	return $e->die_event unless $e->allowed('CREATE_MARC', $e->requestor->ws_ou);
+	return $e->die_event unless $e->allowed('UPDATE_MARC', $e->requestor->ws_ou);
 
     my $fix_tcn = $self->api_name =~ /replace/o;
     my $override = $self->api_name =~ /override/o;
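Review bot: Changing the gate from CREATE_MARC to UPDATE_MARC is the right fix: the method replaces the MARC of an existing record, so with the old check a user who had been denied UPDATE_MARC but still held CREATE_MARC could edit any record. Two things to confirm before merging: that no caller relied on this method to create records (the method name and the `/replace/` and `/override/` api_name tests suggest not), and that a regression test exercises the denied case, since the permission name is a bare string literal that a later refactor could silently change back.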

-----------------------------------------------------------------------

Summary of changes:
 Open-ILS/src/c-apps/oils_auth.c                  |   30 ++++++++++++++++++---
 Open-ILS/src/perlmods/OpenILS/Application/Cat.pm |    2 +-
 Open-ILS/src/sql/Pg/2.0.11-2.0.12-upgrade-db.sql |    5 +++
 3 files changed, 31 insertions(+), 6 deletions(-)
 create mode 100644 Open-ILS/src/sql/Pg/2.0.11-2.0.12-upgrade-db.sql


hooks/post-receive
-- 
Evergreen ILS

