Home - Waterfall Grid T-Grid Console Builders Recent Builds Buildslaves Changesources - JSON API - About

Change #7571

Category None
Changed by Galen Charlton <gmcohnoyoudont@equinoxinitiative.org>
Changed at Wed 10 Feb 2021 15:44:44
Repository git://git.evergreen-ils.org/Evergreen.git
Project Evergreen
Branch master
Revision 18f5404261b3ed2e97ba5d00d4761a0b43b7157f


LP#1474029: teach Evergreen how to prevent expired staff from logging in
This patch adds the ability to prevent staff users whose
accounts have expired from logging in. This is controlled
by the new global flag "auth.block_expired_staff_login", which
is not enabled by default. If that flag is turned on, accounts
that have the `STAFF_LOGIN` permission and whose expiration date
is in the past are prevented from logging into any Evergreen
interface, including the staff client, the public catalog, and SIP2.

It should be noted that ordinary patrons are allowed to log into
the public catalog if their circulation privileges have expired. This
feature prevents expired staff users from logging into the public catalog
(and all other Evergreen interfaces and APIs) outright in order to
prevent them from getting into the staff interface anyway by
creative use of Evergreen's authentication APIs.

Evergreen admins are advised to check the expiration status of staff
accounts before turning on the global flag, as otherwise it is
possible to lock staff users out unexpectedly.

Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
Signed-off-by: Terran McCanna <tmccanna@georgialibraries.org>
Signed-off-by: Bill Erickson <berickxx@gmail.com>

Changed files