[Koha] Fwd: Including Login to access the OPAC

Rick Welykochy rick at praxis.com.au
Mon Nov 2 22:50:21 NZDT 2009


Anselm Olweny wrote:

> When cataloguing I included the url to the full text which I have
> stored in the docs directory above in the field 856$u. Specifically
> the url looks like this
> http://10.2.1.64/opac-tmpl/prog/docs/filename.pdf
> 
> I am able to download the full text from the opac. I have also
> adjusted authnotrequired => 1 to => 0 in the scripts
> found at /usr/share/koha/opac/cgi-bin
> 
> However, when I simply enter the url
> "http://10.2.1.64/opac-tmpl/prog/docs/filename.pdf" in the browser
> address bar I am able to access the full text without being required
> to login.
> 
> I would also like to secure the full texts. Kindly assist by advising
> what I need to do to secure the full texts.

The scripts are secured since the perl script actually checks the flag
"authnotrequired" and it takes action accordingly to redirect to the login
page if the user has not logged in.

But when you enter the URL of a document that is not a Koha perl
script, there is nothing checking that the user has logged in.

One simple but inconvenient solution is to add HTTP Basic Authentication
(Apache's mod_auth) to the directory

/usr/share/koha/opac/htdocs/opac-tmpl/prog/docs,

but this is fraught with problems, i.e.

  1. you have to duplicate the borrowers table usernames and passwords
     in a htpasswd file

  2. the user has to re-enter their login details when the browser
     pops up the Basic Authentication dialogue.

  3. the login sequence in item 2 above doesn't fit in with the usual
     work flow and look 'n' feel of Koha.

Item 1. above can be alleviated by using an Apache module called
mod_auth_mysql, of which there are several. One example that seems
recent is at

<http://www.heuer.org/mod_auth_mysql/>

Item 2. is more complex, but there is probably a solution that involves
using mod_auth_mysql plus a cookie generation mechanism that ensures
the user is logged into Koha with a proper cookie, or session ID.

Item 3. would take more work but is prolly the best solution. Have
mod_auth_mysql redirect to the login page and remember which
document was requested. The document is returned once the user logs in.

This sounds like a nifty project for Koha, the ability to add
static content that falls under the same login authentication
as the scripted areas. But a bit of work!


cheers
ricky




-- 
_________________________________
Rick Welykochy || Praxis Services

You got to keep repeating things over and over and over again for the
truth to sink in, to kind of catapult the propaganda.
      -- George W Bush
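
Added example (not part of the original message and not Koha code): a Python sketch of the gatekeeper pattern from item 3, where a script checks the session before a document is released and otherwise redirects to the login page while remembering the requested document. Assumptions: the documents have been moved out of the web root to `DOCS_ROOT`, the `sessions` dict stands in for Koha's session store, `CGISESSID` and `opac-user.pl` are taken to be the session cookie and OPAC login script, and `opac-docs.pl` and `return_to` are hypothetical names.

```python
import os
from http.cookies import SimpleCookie
from urllib.parse import quote

DOCS_ROOT = "/srv/koha-protected-docs"    # assumption: outside the web root
LOGIN_URL = "/cgi-bin/koha/opac-user.pl"  # assumption: OPAC login script
GATE_URL = "/cgi-bin/koha/opac-docs.pl"   # hypothetical gatekeeper script
COOKIE_NAME = "CGISESSID"                 # assumption: session cookie name


def resolve_document(name, docs_root=DOCS_ROOT):
    """Map a requested name to a path inside docs_root, or None if it escapes."""
    if not name or "\x00" in name:
        return None
    root = os.path.realpath(docs_root)
    path = os.path.realpath(os.path.join(root, name))
    # Rejects "../" sequences, absolute paths and symlinks leading outside root.
    if path == root or os.path.commonpath([root, path]) != root:
        return None
    return path


def session_user(cookie_header, sessions):
    """Return the user bound to the session cookie, or None if not logged in."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get(COOKIE_NAME)
    return sessions.get(morsel.value) if morsel else None


def handle_request(doc_name, cookie_header, sessions):
    """Decide how to answer a request for a protected document.

    Returns (status, info): 200 with the file to stream, 302 with the login
    redirect, or 404 when the name does not resolve inside DOCS_ROOT.
    """
    path = resolve_document(doc_name)
    if path is None:
        return 404, {}
    if session_user(cookie_header, sessions) is None:
        # Remember the requested document so it can be returned after login.
        # The login page must accept only local paths in return_to.
        target = GATE_URL + "?doc=" + quote(doc_name, safe="")
        return 302, {"Location": LOGIN_URL + "?return_to=" + quote(target, safe="")}
    # Authenticated: the caller streams this file; keep it out of shared caches.
    return 200, {"file": path, "Cache-Control": "private, no-store"}
```

The check only helps if the web server no longer serves the documents directly, which is why the sketch assumes they live outside the `opac-tmpl` tree.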