https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18315 Bug ID: 18315 Summary: authentication and authorization refactoring Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Authentication Assignee: gmcharlt@gmail.com Reporter: oha@oha.it QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org Currently, C4::Auth is responsible to do session management, authentication and authorization. There is no clear separations between them, and the authentication is not modular, making it increasingly harder to maintain and/or introduce no authentication integrations. I was experimenting on this for a while, and I managed to put together few commits in a branch. It started as a proposal, but turned out to be working in _most_ of my tests. here more details: I completely removed any need for CGI and CGI::Session while maintaining a fork-exec aproach to the scripts. (This made it easier to implement Koha::Middleware::Session, Koha::Session::DB and ::KohaCache) Koha::Middleware::Session inject a session object in the Plack request, and invoke Koha::Auth if any authentication tokens are available. Koha::Auth has a list of modules which will be invoked in turn and could be enabled/disabled plack.psgi is changed as well, it has enabled the new Middleware and the applications used are no longer Plack::App::CGIBin but Koha::Middleware::App. here few of the things i want to do to simplify the interaction with the current "legacy" code: I didn't change the scripts or any other module at all, instead I tried to hijack C4::Auth methods to rely on Koha::Session and Koha::Auth. This make it simple to switch back to the previous plack.psgi OR using apache and the normal cgi-bin. authentication should happen upfront, before the script is even started. script will have to verify authorization. authentication MUST be modular, possibly having different systems cooperate. (Some serious discussions must be around this point, especially about accounting and authority) what needs to be done: permissions should be reintroduced. right now permissions are read for the user and set in the template, but no checks are perform on requests. (should be fairly simple to do) reintroduce the code related to shib, cas and any other. more testing, especially for the installer (there is lots of code regarding the web installer which isn't there anymore) -- You are receiving this mail because: You are watching all bug changes.