The current stable version of Koha, 16.05.4, ships with some 548 system preferences. These are stored in the ‘systempreferences’ table in the database. Inside the Koha staff client, they are accessed by visiting the Home > Administration > Global system preferences menu link. If this is the first time you are hearing about system preferences in Koha or you are not deeply familiar with them, it is suggested that you familiarize yourself with this section of the Koha 16.05 manual.
The objective here is not to prevent someone’s use of Free Software, but rather to ensure they are only committing pre-validated changes to the production server. Changes have consequences and whoever makes them should be fully aware of the impact of these changes.
While Koha’s per user access control feature does provide a way to allow or withhold a user’s access to view / edit the system preferences, it does so with an “all or none” approach, i.e. either the user has access to *all* the system preferences or none. This lack of access control granularity can prove to be slightly undesirable under certain circumstances. For example, you may want certain settings *not* to be changed at all, not changed accidentally, or not changed without first testing and validating the change on a staging system. In our case, on our managed systems we do not want the designated superlibrarian user at the client’s end to make changes to, say, the OpacNavBottom system preference on the production VM without first testing the changes on a test VM.
We implemented the setting-specific ‘lockdown’ in the system preference settings using a bit of jQuery and CSS.
First we identified the selectors we needed in order to enable the lockdown. The easiest (and recommended) way to do this is to ‘inspect’ your target DOM elements (i.e. the ones you want to lock down) on the System Preference administration page(s). As mentioned before, we want to lock down the following sysprefs: IntranetUserJS, IntranetUserCSS, OPACUserJS, OPACUserCSS, opacheader, opaccredits, OpacNavBottom. Looking at the DOM made it clear that we needed to work with the following id based selectors –
The next step was to decide how tight we wanted to make the ‘lockdown’. We did not want it airtight, so here is what we did. We left IntranetUserJS and IntranetUserCSS only disabled, but for the rest we removed their respective textarea elements from the loaded DOM. Had we wanted things really tight, we could have done the same for the two disabled ones.
Note: Should you use .remove() on all the elements above instead of setting the attribute to disabled, then the only way to get access to them would be by directly editing the IntranetUserJS syspref’s value in the database.
We will also add hints to the label so that users can understand why they are not able to access the setting. See the green arrow on the left above for the code. Once done, save the IntranetUserJS syspref and exit. We are done.
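The lockdown described above, written out as an added example (not the original post's code) for pasting into the IntranetUserJS syspref. The pref_<name> id pattern and the hint wording are assumptions; confirm the ids with Inspect on your own installation.

```javascript
// Added example: per-preference lockdown for the Koha staff client.
// ASSUMPTION: each preference's textarea has id "pref_<PreferenceName>"
// and its label uses for="pref_<PreferenceName>".

var DISABLE_ONLY = ['IntranetUserJS', 'IntranetUserCSS'];   // left visible, not editable
var REMOVE = ['OPACUserJS', 'OPACUserCSS', 'opacheader',
              'opaccredits', 'OpacNavBottom'];              // textarea dropped from the DOM
var HINT = ' [locked: validate changes on the test VM first]'; // constructed wording

// Appends the hint as plain text (no markup) to the preference's label.
function addHint($, name) {
  $('label[for="pref_' + name + '"]').append(HINT);
}

// Applies the lockdown with the given jQuery function and reports
// which preferences were actually found on the current page.
function applyLockdown($) {
  var touched = { disabled: [], removed: [] };
  DISABLE_ONLY.forEach(function (name) {
    var $el = $('#pref_' + name);
    if ($el.length === 0) { return; }        // preference not on this page
    $el.attr('disabled', 'disabled');
    addHint($, name);
    touched.disabled.push(name);
  });
  REMOVE.forEach(function (name) {
    var $el = $('#pref_' + name);
    if ($el.length === 0) { return; }
    addHint($, name);                        // label stays, textarea goes
    $el.remove();
    touched.removed.push(name);
  });
  return touched;
}

// The staff client already loads jQuery; anywhere else this is a no-op.
if (typeof jQuery !== 'undefined') {
  jQuery(function () { applyLockdown(jQuery); });
}
```

This only changes what the browser renders. The server-side permission is untouched, which is why the unlocking steps further down work for anyone who already has system preference edit access.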
Checking our work so far
Let us search for the OPACUserCSS system preference. We will see (as given below) that the editable textarea element is no longer present. Note the “Click to collapse” text without the editable textarea element holding the actual setting value. Also there is now a small lock icon against the label with the text explaining why the edit window is not present.
Unlocking the ‘lockdown’
What we have implemented so far will prevent someone with system preference edit permission from accidentally editing the ‘locked’ system preferences from the Admin page. In order to “unlock”, first we need to access the IntranetUserJS syspref which we had only disabled in this case.
Unlocking – Step #1
Right click on the IntranetUserJS syspref and select Inspect.
Unlocking – Step #2
Double-click to select the disabled="disabled" attribute of the textarea element.
Unlocking – Step #3
disabled attribute, the textarea element should now look like this.
Unlocking – Step #4
Close the Developer tools window, but *do not* move out of the IntranetUserJS syspref yet! We still have work to do. You will see that the textarea is no longer disabled and is now open for editing. In order to remove the ‘lockdown’ on our system preferences, we need to comment out the jQuery code we had added earlier. We do this simply by wrapping the relevant code inside a C style /* [...] */ comment block. See the green arrows in the image below:
Unlocking – Step #5
IntranetUserJS syspref and now try to access the OPACUserCSS syspref again. As you can see from the image below, the system preference is no longer locked and is now open for editing.
Once we are done with making the necessary changes we may wish to again ‘lockdown’ the settings. We simply need to go back and edit the IntranetUserJS syspref and un-comment the locking code by removing the C style comment markers. Easy Peasy!