This adds a global flag that, when turned on, blocks expired staff members from logging into all Evergreen interfaces, including the public catalog.
I won't slap a pull request on this just yet, as I'm curious about whether there's any feedback on the general approach. Some notes on decisions I made:
* I went with a global flag rather than a library setting on the basis that this sort of security decision really ought to be a consortial policy.
* Expired staff users are locked out of /all/ interfaces to prevent creative use of the Evergreen login API to acquire an authtoken that would let the user into the staff interface anyway. This is in contrast to normal patrons, who remain allowed to log into the public catalog even if their account has expired.
* As a consequence of the above, a staff user is defined as somebody who has the STAFF_LOGIN permission.
I've pushed the following branch to the working repository:
user/gmcharlt/lp1474029_staff_expiry_prevents_login / https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/gmcharlt/lp1474029_staff_expiry_prevents_login