Change #7571
Category | None
Changed by | Galen Charlton <gmc@equinoxinitiative.org>
Changed at | Wed 10 Feb 2021 15:44:44
Repository | git://git.evergreen-ils.org/Evergreen.git
Project | Evergreen
Branch | master
Revision | 18f5404261b3ed2e97ba5d00d4761a0b43b7157f
Comments
LP#1474029: teach Evergreen how to prevent expired staff from logging in

This patch adds the ability to prevent staff users whose accounts have expired from logging in. This is controlled by the new global flag "auth.block_expired_staff_login", which is not enabled by default.

If that flag is turned on, accounts that have the `STAFF_LOGIN` permission and whose expiration date is in the past are prevented from logging into any Evergreen interface, including the staff client, the public catalog, and SIP2.

It should be noted that ordinary patrons are allowed to log into the public catalog if their circulation privileges have expired. This feature prevents expired staff users from logging into the public catalog (and all other Evergreen interfaces and APIs) outright in order to prevent them from getting into the staff interface anyway by creative use of Evergreen's authentication APIs.

Evergreen admins are advised to check the expiration status of staff accounts before turning on the global flag, as otherwise it is possible to lock staff users out unexpectedly.

Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
Signed-off-by: Terran McCanna <tmccanna@georgialibraries.org>
Signed-off-by: Bill Erickson <berickxx@gmail.com>
Changed files
- Open-ILS/src/c-apps/oils_auth_internal.c
- Open-ILS/src/sql/Pg/950.data.seed-values.sql
- Open-ILS/src/sql/Pg/upgrade/XXXX.data.block_expired_staff_login_flag.sql
- docs/RELEASE_NOTES_NEXT/Architecture/Block_Login_of_Expired_Staff_Accounts.adoc
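The commit message advises checking staff expiration status before enabling the flag; the following psql session is an added example of that pre-check and is not part of the commit or of Evergreen's own scripts. It assumes the Evergreen schema's `actor.usr`, `config.global_flag` and `permission.usr_has_perm_at_all(usr, perm)` (assumed signature) and a database user with read/write access to `config`.

```sql
-- Added example (not from the commit): audit staff accounts before enabling
-- auth.block_expired_staff_login. Assumes Evergreen's actor.usr (expire_date,
-- deleted, active), config.global_flag (name, enabled) and the helper
-- permission.usr_has_perm_at_all(usr INT, perm TEXT) -- signature assumed.

-- 1. Confirm the flag exists and is currently off (seeded disabled by default).
SELECT name, enabled, label
  FROM config.global_flag
 WHERE name = 'auth.block_expired_staff_login';

-- 2. List the accounts the flag would lock out: live accounts holding
--    STAFF_LOGIN (directly or via a group) whose expire_date has passed.
--    Ordinary patrons without STAFF_LOGIN are not affected and are not listed.
SELECT au.id,
       au.usrname,
       au.home_ou,
       au.expire_date,
       NOW() - au.expire_date AS expired_for
  FROM actor.usr AS au
 WHERE NOT au.deleted
   AND au.active
   AND au.expire_date < NOW()
   AND permission.usr_has_perm_at_all(au.id, 'STAFF_LOGIN')
 ORDER BY au.expire_date;

-- 3. Resolve every row above (extend expire_date, or deactivate the account),
--    then enable the flag in a transaction so a mistake can be rolled back.
BEGIN;
UPDATE config.global_flag
   SET enabled = TRUE
 WHERE name = 'auth.block_expired_staff_login';
-- Re-run step 2 here; COMMIT only if it returns no rows you did not expect.
COMMIT;
```

Step 2 is also useful after enabling the flag, as a scheduled report that shows which staff logins will start failing and why.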