[Bug 30700] New: Patrons who can log into staff client should be able to change their own password
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Bug ID: 30700 Summary: Patrons who can log into staff client should be able to change their own password Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Patrons Assignee: koha-bugs@lists.koha-community.org Reporter: aleisha@catalyst.net.nz QA Contact: testopia@bugs.koha-community.org CC: gmcharlt@gmail.com, kyle.m.hall@gmail.com Patrons must have the additional borrowers->edit_borrowers subpermission to change other patron's passwords. This is fine, except if a patron has permission to log into the staff client but doesn't have borrowers permissions, they cannot change their own password via the staff client. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED Assignee|koha-bugs@lists.koha-commun |aleisha@catalyst.net.nz |ity.org | Change sponsored?|--- |Sponsored -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #1 from David Cook <dcook@prosentient.com.au> --- That's a really good point. That would be a great enhancement. I'm not a fan of directing staff to the OPAC for things like password changes. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Small patch Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 --- Comment #2 from Aleisha Amohia <aleisha@catalyst.net.nz> --- Created attachment 134669 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=134669&action=edit Bug 30700: Allow staff users to change their password via staff client Patrons who can log into the staff client (have the 'catalogue' permission) should be able to change their own password. To test: 1) Create a user with only 'catalogue' permissions (Patron A) 2) Log in to the staff client as Patron A 3) Click the menu with your username in the top-right of the window. Click the 'your account' menu link. 4) Confirm you are forced to a login screen, so you cannot view your account, which is where the 'change password' link is normally found. 5) Try to access the page to change your password directly http://localhost:8081/cgi-bin/koha/members/member-password.pl?member=X (swap Patron A's borrowernumber in). Confirm you are forced to a login screen. 6) Apply this patch and restart services. Go back to the mainpage logged in as Patron A. 7) Click the menu with your username in the top-right of the window. Notice there is now a 'Change password' menu link. Go to 'change password'. 8) Confirm you are now shown a page to change your password. Change your password, and confirm you are redirect to the mainpage. 9) Try to access the page to change someone else's page directly http://localhost:8081/cgi-bin/koha/members/member-password.pl?member=X (swap some other borrowernumber in). Confirm you are redirected to a 404. 10) Log out and log back in as your original borrower. Confirm you are able to change your password as normal. Sponsored-by: Education Services Australia SCIS -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #134669|0 |1 is obsolete| | --- Comment #3 from David Nind <david@davidnind.com> --- Created attachment 134772 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=134772&action=edit Bug 30700: Allow staff users to change their password via staff client Patrons who can log into the staff client (have the 'catalogue' permission) should be able to change their own password. To test: 1) Create a user with only 'catalogue' permissions (Patron A) 2) Log in to the staff client as Patron A 3) Click the menu with your username in the top-right of the window. Click the 'your account' menu link. 4) Confirm you are forced to a login screen, so you cannot view your account, which is where the 'change password' link is normally found. 5) Try to access the page to change your password directly http://localhost:8081/cgi-bin/koha/members/member-password.pl?member=X (swap Patron A's borrowernumber in). Confirm you are forced to a login screen. 6) Apply this patch and restart services. Go back to the mainpage logged in as Patron A. 7) Click the menu with your username in the top-right of the window. Notice there is now a 'Change password' menu link. Go to 'change password'. 8) Confirm you are now shown a page to change your password. Change your password, and confirm you are redirect to the mainpage. 9) Try to access the page to change someone else's page directly http://localhost:8081/cgi-bin/koha/members/member-password.pl?member=X (swap some other borrowernumber in). Confirm you are redirected to a 404. 10) Log out and log back in as your original borrower. Confirm you are able to change your password as normal. Sponsored-by: Education Services Australia SCIS Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Andrew Fuerste-Henry <andrew@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |andrew@bywatersolutions.com --- Comment #4 from Andrew Fuerste-Henry <andrew@bywatersolutions.com> --- I don't know that we can assume any user that can log into the staff client should be able to change their own password. For example, many libraries create shared logins for the circulation desk, where multiple people use the same account and any individual changing the password would be quite disruptive. Whether or not users can change their password via the OPAC is governed by the OpacPasswordChange system preference. This enhancement should contain either a comparable syspref for the staff interface or a new user permission to change one's own password. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 --- Comment #5 from Aleisha Amohia <aleisha@catalyst.net.nz> --- Having multiple people using one account sounds like it's own security risk... I don't think we should compromise on functionality to support that use case. The real issue is what David has mentioned in Comment 1. If a person can log into the staff client, it's illogical to then have to direct them to the OPAC (another site) to change their own password. Many Koha libraries don't use the OPAC, or if they do, they may have OpacPasswordChange disabled, and then what? Additionally, I can't think of any online accounts I have where I can't change my own password on the site I've logged into. I don't believe we need to wrap this in a syspref or new permission. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 --- Comment #6 from David Cook <dcook@prosentient.com.au> --- (In reply to Aleisha Amohia from comment #5)
Having multiple people using one account sounds like it's own security risk... I don't think we should compromise on functionality to support that use case.
Agreed. While account sharing is a common practice, it isn't one that we should encourage or support. (In reply to Andrew Fuerste-Henry from comment #4)
Whether or not users can change their password via the OPAC is governed by the OpacPasswordChange system preference. This enhancement should contain either a comparable syspref for the staff interface or a new user permission to change one's own password.
That's a good point too though. I suppose it is a fairly significant feature change, and we do tend to make new features opt-in. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Andrew Fuerste-Henry <andrew@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Failed QA --- Comment #7 from Andrew Fuerste-Henry <andrew@bywatersolutions.com> ---
I suppose it is a fairly significant feature change, and we do tend to make new features opt-in.
If nothing else, this is true. You are proposing a large behavior change. Our established practice is to make such things optional. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |ASSIGNED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 --- Comment #8 from Aleisha Amohia <aleisha@catalyst.net.nz> --- Created attachment 135087 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=135087&action=edit Bug 30700: (follow-up) Add system preference StaffLoginResetPassword This syspref wraps around the functionality added for patrons with the 'catalogue' permission to reset their own password via the staff client. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Séverine Queune <severine.queune@bulac.fr> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |severine.queune@bulac.fr Status|Needs Signoff |Patch doesn't apply --- Comment #9 from Séverine Queune <severine.queune@bulac.fr> --- Hi Aleisha, I got this error trying to install the patch : Apply? [(y)es, (n)o, (i)nteractive] y Applying: Bug 30700: Allow staff users to change their password via staff client Applying: Bug 30700: (follow-up) Add system preference StaffLoginResetPassword error: sha1 information is lacking or useless (installer/data/mysql/mandatory/sysprefs.sql). error: could not build fake ancestor Patch failed at 0001 Bug 30700: (follow-up) Add system preference StaffLoginResetPassword hint: Use 'git am --show-current-patch=diff' to see the failed patch I'd be happy to test this new feature when it's fixed ! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Patch doesn't apply |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #134772|0 |1 is obsolete| | --- Comment #10 from Aleisha Amohia <aleisha@catalyst.net.nz> --- Created attachment 135173 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=135173&action=edit Bug 30700: Allow staff users to change their password via staff client Patrons who can log into the staff client (have the 'catalogue' permission) should be able to change their own password. To test: 1) Create a user with only 'catalogue' permissions (Patron A) 2) Log in to the staff client as Patron A 3) Click the menu with your username in the top-right of the window. Click the 'your account' menu link. 4) Confirm you are forced to a login screen, so you cannot view your account, which is where the 'change password' link is normally found. 5) Try to access the page to change your password directly http://localhost:8081/cgi-bin/koha/members/member-password.pl?member=X (swap Patron A's borrowernumber in). Confirm you are forced to a login screen. 6) Apply this patch and restart services. Go back to the mainpage logged in as Patron A. 7) Click the menu with your username in the top-right of the window. Notice there is now a 'Change password' menu link. Go to 'change password'. 8) Confirm you are now shown a page to change your password. Change your password, and confirm you are redirect to the mainpage. 9) Try to access the page to change someone else's page directly http://localhost:8081/cgi-bin/koha/members/member-password.pl?member=X (swap some other borrowernumber in). Confirm you are redirected to a 404. 10) Log out and log back in as your original borrower. Confirm you are able to change your password as normal. Sponsored-by: Education Services Australia SCIS Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #135087|0 |1 is obsolete| | --- Comment #11 from Aleisha Amohia <aleisha@catalyst.net.nz> --- Created attachment 135174 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=135174&action=edit Bug 30700: (follow-up) Add system preference StaffLoginResetPassword This syspref wraps around the functionality added for patrons with the 'catalogue' permission to reset their own password via the staff client. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #135174|0 |1 is obsolete| | --- Comment #12 from Aleisha Amohia <aleisha@catalyst.net.nz> --- Created attachment 135176 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=135176&action=edit Bug 30700: (follow-up) Add system preference StaffLoginResetPassword This syspref wraps around the functionality added for patrons with the 'catalogue' permission to reset their own password via the staff client. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Failed QA --- Comment #13 from Owen Leonard <oleonard@myacpl.org> --- I don't understand what's going on here, which may just be me: if ( !$patron->has_permission({ borrowers => 'edit_borrowers' }) ) { print $input->redirect("/cgi-bin/koha/mainpage.pl"); } But when I change a patron's password when logged in as a superlibrarian I'm redirected to the main page rather than back to their account. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 --- Comment #14 from David Cook <dcook@prosentient.com.au> --- (In reply to Owen Leonard from comment #13)
I don't understand what's going on here, which may just be me:
if ( !$patron->has_permission({ borrowers => 'edit_borrowers' }) ) { print $input->redirect("/cgi-bin/koha/mainpage.pl"); }
But when I change a patron's password when logged in as a superlibrarian I'm redirected to the main page rather than back to their account.
Looks like Koha::Patron->has_permission uses C4::Auth::haspermission, which has this line: return $flags if $flags->{superlibrarian}; So if you're a superlibrarian then that should be returning true. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Needs Signoff --- Comment #15 from Aleisha Amohia <aleisha@catalyst.net.nz> --- (In reply to Owen Leonard from comment #13)
But when I change a patron's password when logged in as a superlibrarian I'm redirected to the main page rather than back to their account.
Sorry Owen I wasn't able to reproduce this ... When I'm logged in as a superlibrarian and click Change password I'm not redirected to the mainpage. Then when I reset the password, it is successful and I'm still not redirected to the mainpage. Can you please test again? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lucas@bywatersolutions.com --- Comment #16 from Lucas Gass <lucas@bywatersolutions.com> ---
But when I change a patron's password when logged in as a superlibrarian I'm redirected to the main page rather than back to their account.
This is the behavior I get as well. When I reset someone else's password as a superlibrarian I am redirected back to the staff main page. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Emmanuel Bétemps <e.betemps@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |e.betemps@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Hammat wele <hammat.wele@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |hammat.wele@inlibro.com Status|Needs Signoff |Failed QA --- Comment #17 from Hammat wele <hammat.wele@inlibro.com> --- After apply this patch: - When i click on the menu with my username 'Patran A' in the top-right there is no link 'Change password' as expected. - I can directly access to http://localhost:8081/cgi-bin/koha/members/member-password.pl?member=X and change the 'Patran A' password - But i can also access to http://localhost:8081/cgi-bin/koha/members/member-password.pl?member=X of other users and i'm not redirected to a 404 page as expected. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #135173|0 |1 is obsolete| | --- Comment #18 from Aleisha Amohia <aleisha@catalyst.net.nz> --- Created attachment 153248 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=153248&action=edit Bug 30700: Allow staff users to change their password via staff client Patrons who can log into the staff client (have the 'catalogue' permission) should be able to change their own password. To test: 0) Apply the patch, install database updates, restart services. Go to System preferences and enable the StaffLoginResetPassword system preference. 1) Create a user with only 'catalogue' permissions (Patron A) 2) Log in to the staff client as Patron A 3) Click the menu with your username in the top-right of the window. Click the 'your account' menu link. 4) Confirm you are forced to a login screen, so you cannot view your account, which is where the 'change password' link is normally found. 5) Try to access the page to change your password directly http://localhost:8081/cgi-bin/koha/members/member-password.pl?member=X (swap Patron A's borrowernumber in). Confirm you are forced to a login screen. 6) Apply this patch and restart services. Go back to the mainpage logged in as Patron A. 7) Click the menu with your username in the top-right of the window. Notice there is now a 'Change password' menu link. Go to 'change password'. 8) Confirm you are now shown a page to change your password. Change your password, and confirm you are redirect to the mainpage. 9) Try to access the page to change someone else's page directly http://localhost:8081/cgi-bin/koha/members/member-password.pl?member=X (swap some other borrowernumber in). Confirm you are redirected to a 404. 10) Log out and log back in as your original borrower. Confirm you are able to change your password as normal. Sponsored-by: Education Services Australia SCIS Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #135176|0 |1 is obsolete| | --- Comment #19 from Aleisha Amohia <aleisha@catalyst.net.nz> --- Created attachment 153249 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=153249&action=edit Bug 30700: (follow-up) Add system preference StaffLoginResetPassword This syspref wraps around the functionality added for patrons with the 'catalogue' permission to reset their own password via the staff client. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 --- Comment #20 from Aleisha Amohia <aleisha@catalyst.net.nz> --- Created attachment 153250 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=153250&action=edit Bug 30700: (follow-up) Redirect to patron page after changing password This patch ensures the logged in user is redirected to the patron detail page after successfully changing another patron's password (rather than the homepage). -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Sam Lau <samalau@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Sam Lau <samalau@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #153248|0 |1 is obsolete| | --- Comment #21 from Sam Lau <samalau@gmail.com> --- Created attachment 153290 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=153290&action=edit Bug 30700: Allow staff users to change their password via staff client Patrons who can log into the staff client (have the 'catalogue' permission) should be able to change their own password. To test: 0) Apply the patch, install database updates, restart services. Go to System preferences and enable the StaffLoginResetPassword system preference. 1) Create a user with only 'catalogue' permissions (Patron A) 2) Log in to the staff client as Patron A 3) Click the menu with your username in the top-right of the window. Click the 'your account' menu link. 4) Confirm you are forced to a login screen, so you cannot view your account, which is where the 'change password' link is normally found. 5) Try to access the page to change your password directly http://localhost:8081/cgi-bin/koha/members/member-password.pl?member=X (swap Patron A's borrowernumber in). Confirm you are forced to a login screen. 6) Apply this patch and restart services. Go back to the mainpage logged in as Patron A. 7) Click the menu with your username in the top-right of the window. Notice there is now a 'Change password' menu link. Go to 'change password'. 8) Confirm you are now shown a page to change your password. Change your password, and confirm you are redirect to the mainpage. 9) Try to access the page to change someone else's page directly http://localhost:8081/cgi-bin/koha/members/member-password.pl?member=X (swap some other borrowernumber in). Confirm you are redirected to a 404. 10) Log out and log back in as your original borrower. Confirm you are able to change your password as normal. Sponsored-by: Education Services Australia SCIS Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Sam Lau <samalau@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Sam Lau <samalau@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #153249|0 |1 is obsolete| | --- Comment #22 from Sam Lau <samalau@gmail.com> --- Created attachment 153291 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=153291&action=edit Bug 30700: (follow-up) Add system preference StaffLoginResetPassword This syspref wraps around the functionality added for patrons with the 'catalogue' permission to reset their own password via the staff client. Signed-off-by: Sam Lau <samalau@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Sam Lau <samalau@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #153250|0 |1 is obsolete| | --- Comment #23 from Sam Lau <samalau@gmail.com> --- Created attachment 153292 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=153292&action=edit Bug 30700: (follow-up) Redirect to patron page after changing password This patch ensures the logged in user is redirected to the patron detail page after successfully changing another patron's password (rather than the homepage). Signed-off-by: Sam Lau <samalau@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Patrons who can log into |Patrons who can log into |staff client should be able |staff interface should be |to change their own |able to change their own |password |password -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Victor Grousset/tuxayo <victor@tuxayo.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #153290|0 |1 is obsolete| | --- Comment #24 from Victor Grousset/tuxayo <victor@tuxayo.net> --- Created attachment 156512 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=156512&action=edit Bug 30700: Allow staff users to change their password via staff client Patrons who can log into the staff client (have the 'catalogue' permission) should be able to change their own password. To test: 0) Apply the patch, install database updates, restart services. Go to System preferences and enable the StaffLoginResetPassword system preference. 1) Create a user with only 'catalogue' permissions (Patron A) 2) Log in to the staff client as Patron A 3) Click the menu with your username in the top-right of the window. Click the 'your account' menu link. 4) Confirm you are forced to a login screen, so you cannot view your account, which is where the 'change password' link is normally found. 5) Try to access the page to change your password directly http://localhost:8081/cgi-bin/koha/members/member-password.pl?member=X (swap Patron A's borrowernumber in). Confirm you are forced to a login screen. 6) Apply this patch and restart services. Go back to the mainpage logged in as Patron A. 7) Click the menu with your username in the top-right of the window. Notice there is now a 'Change password' menu link. Go to 'change password'. 8) Confirm you are now shown a page to change your password. Change your password, and confirm you are redirect to the mainpage. 9) Try to access the page to change someone else's page directly http://localhost:8081/cgi-bin/koha/members/member-password.pl?member=X (swap some other borrowernumber in). Confirm you are redirected to a 404. 10) Log out and log back in as your original borrower. Confirm you are able to change your password as normal. Sponsored-by: Education Services Australia SCIS Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Sam Lau <samalau@gmail.com> Rebased-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Victor Grousset/tuxayo <victor@tuxayo.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #153291|0 |1 is obsolete| | --- Comment #25 from Victor Grousset/tuxayo <victor@tuxayo.net> --- Created attachment 156513 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=156513&action=edit Bug 30700: (follow-up) Add system preference StaffLoginResetPassword This syspref wraps around the functionality added for patrons with the 'catalogue' permission to reset their own password via the staff client. Signed-off-by: Sam Lau <samalau@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Victor Grousset/tuxayo <victor@tuxayo.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #153292|0 |1 is obsolete| | --- Comment #26 from Victor Grousset/tuxayo <victor@tuxayo.net> --- Created attachment 156514 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=156514&action=edit Bug 30700: (follow-up) Redirect to patron page after changing password This patch ensures the logged in user is redirected to the patron detail page after successfully changing another patron's password (rather than the homepage). Signed-off-by: Sam Lau <samalau@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Victor Grousset/tuxayo <victor@tuxayo.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #156513|0 |1 is obsolete| | --- Comment #27 from Victor Grousset/tuxayo <victor@tuxayo.net> --- Created attachment 156515 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=156515&action=edit Bug 30700: (follow-up) Add system preference StaffLoginResetPassword This syspref wraps around the functionality added for patrons with the 'catalogue' permission to reset their own password via the staff client. Signed-off-by: Sam Lau <samalau@gmail.com> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Victor Grousset/tuxayo <victor@tuxayo.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #156514|0 |1 is obsolete| | --- Comment #28 from Victor Grousset/tuxayo <victor@tuxayo.net> --- Created attachment 156516 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=156516&action=edit Bug 30700: (follow-up) Redirect to patron page after changing password This patch ensures the logged in user is redirected to the patron detail page after successfully changing another patron's password (rather than the homepage). Signed-off-by: Sam Lau <samalau@gmail.com> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Victor Grousset/tuxayo <victor@tuxayo.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |victor@tuxayo.net QA Contact|testopia@bugs.koha-communit |victor@tuxayo.net |y.org | Status|Signed Off |Failed QA --- Comment #29 from Victor Grousset/tuxayo <victor@tuxayo.net> --- Works as expected, here is a 2nd signoff :) I couldn't get it to change the password of another user via editing and resending the POST query 😈 and the code looks well guarded against that 👍 Code looks good functionally. I found this: `print $input->redirect(...)` followed by `exit;` is used in many other pages to make guard closes. So it seems to me we can avoid wrapping the whole happy path in an `else {...}` That also avoids the need to indent tons of lines. Or to choose to not do it which makes perltidy complain a lot. And about much more than actually changed lines. So just some polishing and it will be good :) I'll go ask about what should be the default value of StaffLoginResetPassword for new installs and existing installs. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl --- Comment #30 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- The approach here feels a bit like a workaround. member-password: flagsrequired => { borrowers => 'edit_borrowers' }, Shouldnt we lower that permission? And then there is moremember. It also needs edit_borrowers. Which is a bit weird for your own account. Should we rework the checks there a bit to include seeing your account (including password change)? If we do so, there is no need to add another link (we already have my account). And no pref is needed as well. Currently, you can set a user to Staff access. He has the account link. But if he clicks, he gets No permission. Not user friendly. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 --- Comment #31 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- (In reply to Marcel de Rooy from comment #30)
The approach here feels a bit like a workaround.
member-password: flagsrequired => { borrowers => 'edit_borrowers' }, Shouldnt we lower that permission?
Maybe we could make it 'edit_borrowers or circulate_remaining_permissions' which are the 2 permissions most of the pages use that have the 'change password' button. We don't have a real 'view borrowers' right now.
And then there is moremember. It also needs edit_borrowers. Which is a bit weird for your own account. Should we rework the checks there a bit to include seeing your account (including password change)?
We could make it so you can see your own with catalogue maybe, but it feels like this would be for a separate bug. 2FA uses catalog - but how do you get there in the first place if you can't access pages that have the button?
If we do so, there is no need to add another link (we already have my account). And no pref is needed as well.
I think allowing a user to change their own password could be done without a preference. Since we started using Koha this has only caused confusion.
Currently, you can set a user to Staff access. He has the account link. But if he clicks, he gets No permission. Not user friendly.
I think we should try not to get out of scope here and maybe move some weirdness to a separate bug. But adjusting the permission checks and maybe even forego the pref would make sense to me. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|aleisha@catalyst.net.nz |koha-bugs@lists.koha-commun | |ity.org --- Comment #32 from Aleisha Amohia <aleisha@catalyst.net.nz> --- Cool that approach sounds fine. I won't have capacity to work on a new approach so I've unassigned myself, if anyone is able please feel free to implement. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30700 Victor Grousset/tuxayo <victor@tuxayo.net> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|victor@tuxayo.net |testopia@bugs.koha-communit | |y.org -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org