LP#1786552: AuthProxy: restrict_by_home_ou based on authenticator org_units
authorJeff Davis <jdavis@sitka.bclibraries.ca>
Thu, 20 Jun 2019 19:49:31 +0000 (12:49 -0700)
committerGalen Charlton <gmc@equinoxinitiative.org>
Fri, 6 Sep 2019 21:43:26 +0000 (17:43 -0400)
It makes more sense to check the patron's home library against the org
units to which the authenticator applies, rather than the login org
param.

Signed-off-by: Jeff Davis <jdavis@sitka.bclibraries.ca>
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm

index d0fcbe7..dbf4db4 100644 (file)
@@ -261,11 +261,26 @@ sub login {
                     return OpenILS::Event->new( 'LOGIN_FAILED' );
                 } else {
                     my $restrict_by_ou = $authenticator->{restrict_by_home_ou};
                     return OpenILS::Event->new( 'LOGIN_FAILED' );
                 } else {
                     my $restrict_by_ou = $authenticator->{restrict_by_home_ou};
-                    if ($args->{org} and defined($restrict_by_ou) and $restrict_by_ou =~ /^t/i) {
-                        my $descendants = $U->get_org_descendants($args->{org});
-                        unless (grep $user->[0]->home_ou, @$descendants) {
-                            $logger->debug("Matching user does not belong to this org, aborting");
-                            return OpenILS::Event->new( 'LOGIN_FAILED' );
+                    if (defined($restrict_by_ou) and $restrict_by_ou =~ /^t/i) {
+                        my $home_ou = $user->[0]->home_ou;
+                        my $allowed = 0;
+                        # disallow auth if user's home library is not one of the org_units for this authenticator
+                        if ($authenticator->org_units) {
+                            if (grep(/^all$/, @{$authenticator->org_units})) {
+                                $allowed = 1;
+                            } else {
+                                foreach my $org (@{$authenticator->org_units}) {
+                                    my $allowed_orgs = $U->get_org_descendants($org);
+                                    if (grep(/^$home_ou$/, @$allowed_orgs)) {
+                                        $allowed = 1;
+                                        last;
+                                    }
+                                }
+                            }
+                            if (!$allowed) {
+                                $logger->debug("Auth disallowed for matching user's home library, aborting");
+                                return OpenILS::Event->new( 'LOGIN_FAILED' );
+                            }
                         }
                     }
                     $args->{user_id} = $user->[0]->id;
                         }
                     }
                     $args->{user_id} = $user->[0]->id;