From 1adbc2842e463dcfd6721c1f8a3cd08d14c809d1 Mon Sep 17 00:00:00 2001 From: Bill Erickson Date: Tue, 17 Oct 2017 12:40:11 -0400 Subject: [PATCH 1/1] LP#1693035 Login timeout honors workstation org Use the org unit linked to the provided workstation to collect the login timeout org unit setting value during login. Previously, all checks defaulted to the global org unit. This patch solidifies the precedence order for OUS lookups during login like so: 1. Workstation org unit. 2. API org unit value. 3. Users' home org unit. Signed-off-by: Bill Erickson Signed-off-by: Michele Morgan Signed-off-by: Galen Charlton --- Open-ILS/src/c-apps/oils_auth_internal.c | 36 +++++++++++++++--------- 1 file changed, 23 insertions(+), 13 deletions(-) diff --git a/Open-ILS/src/c-apps/oils_auth_internal.c b/Open-ILS/src/c-apps/oils_auth_internal.c index 96ad19335f..d0c46f80f3 100644 --- a/Open-ILS/src/c-apps/oils_auth_internal.c +++ b/Open-ILS/src/c-apps/oils_auth_internal.c @@ -287,10 +287,6 @@ int oilsAuthInternalCreateSession(osrfMethodContext* ctx) { "Missing parameters for method: %s", ctx->method->name ); } - // default to the root org unit if none is provided. - if (org_unit < 1) - org_unit = oilsUtilsGetRootOrgId(); - oilsEvent* response = NULL; // fetch the user object 
@@ -307,18 +303,32 @@ int oilsAuthInternalCreateSession(osrfMethodContext* ctx) { // If a workstation is defined, add the workstation info if (workstation) { response = oilsAuthVerifyWorkstation(ctx, userObj, workstation); - if (response) { + + if (response) { // invalid workstation. jsonObjectFree(userObj); osrfAppRespondComplete(ctx, oilsEventToJSON(response)); oilsEventFree(response); return 0; + + } else { // workstation OK. + + // The worksation org unit supersedes any org unit value + // provided via the API. oilsAuthVerifyWorkstation() sets the + // ws_ou value to the WS owning lib. A value is guaranteed. + org_unit = atoi(oilsFMGetStringConst(userObj, "ws_ou")); } - } else { - // Otherwise, use the home org as the workstation org on the user - char* orgid = oilsFMGetString(userObj, "home_ou"); + } else { // no workstation + + // For backwards compatibility, when no workstation is provided, use + // the users's home org as its workstation org unit, regardless of + // any API-level org unit value provided. + const char* orgid = oilsFMGetStringConst(userObj, "home_ou"); oilsFMSetString(userObj, "ws_ou", orgid); - free(orgid); + + // The context org unit defaults to the user's home library when + // no workstation is used and no API-level value is provided. + if (org_unit < 1) org_unit = atoi(orgid); } // determine the auth/cache timeout @@ -380,10 +390,6 @@ int oilsAuthInternalValidate(osrfMethodContext* ctx) { "Missing parameters for method: %s", ctx->method->name ); } - // default to the root org unit if none is provided. - if (org_unit < 1) - org_unit = oilsUtilsGetRootOrgId(); - oilsEvent* response = NULL; jsonObject *userObj = NULL, *params = NULL; char* tmp_str = NULL; 
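Review bot: Both new `atoi()` calls in the -307,18 hunk consume the result of `oilsFMGetStringConst()` unchecked. If that accessor can return NULL for an unset field (its body is not shown here), a user object lacking `ws_ou` or `home_ou` would pass NULL to `atoi()`, which is undefined behaviour and in practice a crash in the login path, and a non-numeric value would silently yield 0. Because the -287,10 hunk drops the root-org default, nothing visible stops `org_unit` from reaching the timeout lookup below as 0. I would guard the pointers, e.g. `if (org_unit < 1 && orgid) org_unit = atoi(orgid);` and likewise for `ws_ou`, and keep a last-resort `if (org_unit < 1) org_unit = oilsUtilsGetRootOrgId();` after the if/else. The "A value is guaranteed" comment rests on oilsAuthVerifyWorkstation(), which like the rest of oilsAuthInternalCreateSession lies outside this hunk.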
@@ -446,6 +452,10 @@ int oilsAuthInternalValidate(osrfMethodContext* ctx) { } } + // XXX: login permission checks are always global (see + // oilsAuthCheckLoginPerm()). No need to extract the + // workstation org unit here. + if (!response) { // Still OK // Confirm user has permission to login w/ the requested type. response = oilsAuthCheckLoginPerm( -- 2.43.2
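Review bot: The added `XXX:` comment does not say what happens to `org_unit` in oilsAuthInternalValidate now that the -380,10 hunk no longer defaults it to the root org, so the value can be below 1 from this point on. `XXX` usually marks an open problem; if the global permission check is a deliberate design choice, a plain note that states the invariant would be clearer, for example `// NOTE: login permission checks are global (see oilsAuthCheckLoginPerm()), so org_unit is not resolved here and may be < 1.` The function body continues outside the hunk, so any later read of `org_unit` there should be checked to tolerate that value.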