Commit graph

26990 commits

Author SHA1 Message Date
06d1259e56 Bug 16992: FIX CSRF in member-password.pl
If an attacker can get an authenticated Koha user to visit their page with the
url below, they can change patrons' passwords
/members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked

Test plan:

Trigger
/members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked

=> Without this patch, the password will be updated
=> With this patch applied you will get a crash "Wrong CSRF token" (no
need to stylish)

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:34:02 +00:00
2785183a6b Bug 16992: [QA Follow-up] Member-password should pass an userid
If we do not fill a new userid, we should keep the old one.
Script member-password should pass that to Koha::Patron.
Otherwise things go wrong.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Without this patch, you could effectively disable a login.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
2016-08-10 13:34:01 +00:00
01e041ca40 Bug 7441 - DBRev 16.06.00.013
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:28:20 +00:00
86144a65e0 Bug 16929: [QA Follow-up] Add dependency for Bytes::Random::Secure
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Marc <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:26:00 +00:00
0fe7a4aa8e Bug 16929: [QA Follow-up] Shortcut methods and use statements
Resolves the following comments:

I'd prefer to see a generate_csrf method than a CSRF flag.
It'd be better to use instead of require the 2 modules.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Marc <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:26:00 +00:00
523d0be9dc Bug 16929: Prevent opac-memberentry waiting for random chars
Move calls to WWW::CSRF to Koha::Token.
Send a safe random string to WWW::CSRF instead of letting CSRF make a
blocking call to Bytes::Random::Secure. If your server has not enough
entropy, opac-memberentry will hang waiting for more characters in
dev/random. Koha::Token uses Bytes::Random::Secure with the NonBlocking
flag.

Test plan:
[1] Do not yet apply this patch.
[2] If your server has not enough entropy, calling opac-memberentry may
    take a while. But this not may be the case for you (no worries).
[3] Apply this patch.
[4] Verify that opac-memberentry still works as expected.
[5] Run t/Token.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Yes, my server had entropy trouble (reason for finding the problem).
This patch resolves the delay.

Tested all 3 patches together, works as expected.
Signed-off-by: Marc <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:25:59 +00:00
09d0b1310b Bug 16993: Fix CSRF in memberentry.pl
If an attacker can get an authenticated Koha user to visit their page
with the url below, they can change patrons' passwords or other
patrons'details

members/memberentry.pl?op=save&destination=circ&borrowernumber=3435&password=ZZZ&password2=ZZZ&nodouble=1

Test plan:

Trigger
members/memberentry.pl?op=save&destination=circ&borrowernumber=42&password=ZZZ&password2=ZZZ&nodouble=1

=> Without this patch, the password will be updated
=> With this patch applied you will get a crash "Wrong CSRF token" (no
need to stylish)

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amended: removed the commented use Digest::MD5-line.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:25:25 +00:00
Mirko Tietgen
893f6cc263 Bug 17087 - Set Test::WWW::Mechanize version to 1.42
This was set to a version that is not available in Wheezy or Jessie.
The version is not required, the only change to 1.42 (packaged for
Wheezy and Jessie) is a fix for Windows, see
http://cpansearch.perl.org/src/PETDANCE/Test-WWW-Mechanize-1.44/Changes

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:23:43 +00:00
Mark Tompsett
22c851cc2f Bug 10148: Marc21 field 007 builder improper reload values
The more correct solution is fix that template file.
However, in the mean time, this works.

TEST PLAN
---------
 1) find a record
 2) edit record
 3) click value builder for 007
 4) change everything to pipes as much as possible.
    (use Motion Picture to get all 00-22 values)
 5) save
    -- should save just fine.
 6) click the value builder again
    -- OOPS! Bad reload.
 7) prove t/db_dependent/FrameworkPlugin.t
    -- NOISY 007 messages.
 8) apply patch
 9) click the value builder again
    -- good reload
10) prove t/db_dependent/FrameworkPlugin.t
    -- No noise related to 007.
11) run koha qa test tools.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:22:27 +00:00
b543fa74fe Bug 17038: Fix XSS in catalogue/search.pl
Test plan:
Search for something like:
  \";alert(1)//135

=> Without this patch you will see the alert
=> With this patch, no more alert

Note that this fix the parameters idx, q and op

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:20:51 +00:00
96a9c2715e Bug 17036: Fix XSS in circulation.pl
Test plan:
Enter the following in the "Check out" tab:
"><script>alert('XSS')</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:20:07 +00:00
12b4c83f5a Bug 17021: Fix XSS in circ/returns.pl
Test plan:
Enter the following in the barcode input:
<script>alert('XSS')</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:18:54 +00:00
1ea1504c30 Bug 17025: Fix XSS in serials-search.pl
Test plan:
Hit
  /serials/serials-search.pl?ISSN_filter="%2F><script>alert('XSS')<%2Fscript>&searched=1
  /serials/serials-search.pl?title_filter="%2F><script>alert('XSS')<%2Fscript>&searched=1

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:17:19 +00:00
f3a8e5a411 Bug 17029: Fix XSS in catalogue/*detail.pl
Hit
  /cgi-bin/koha/catalogue/detail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
  /cgi-bin/koha/catalogue/ISBDdetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
  /cgi-bin/koha/catalogue/MARCdetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
  /cgi-bin/koha/catalogue/moredetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
  /cgi-bin/koha/catalogue/labeledMARCdetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:15:50 +00:00
Katrin Fischer
821cb91a80 Bug 7441: QA follow-up - Add note about missing NORMARC support
Adds a note about missing support for NORMARC (only supports
MARC21 and UNIMARC) to the system preference text.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:14:22 +00:00
492d79a7df Bug 7441 - Followup search results showing wrong branch [UNIMARC]
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
  Playing with OPACResultsLibrary syspref, biblio with items having different
  home/holding library are displayed properly.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:14:20 +00:00
4db2e745e2 Bug 7441 - search results showing wrong branch?
When you search in the OPAC it shows you the HOME branch on the location
in XSLT, but if you click through to the detail page it shows you the
CURRENT BRANCH in the holdings table which is very confusing to patrons.
I don't know what's the right solution - home or holding branch, but they
should be the same in both places for the patron's sake. If you do the same
search in the staff client you see the right branch info on the search results
and on the detail page.

Test Plan:
1) Apply this patch
2) Run updatedatabase.pl
3) Search the catalog, you search should include results with items
   that have different home and holding libraries.
4) The results should look the same as before the patch
5) Change the system preference OPACResultsLibrary to "current location"
6) Refresh your page of search results
7) The results show now show the holding library instead of the home library

Signed-off-by: Barbara Walters <bwalters@ncrl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:14:19 +00:00
26f20d64cb Bug 17069: Koha::Patron::Category->store must default checkprevcheckout to 'inherit'
Creating a new patron category raises an error "An error occurred when updating
this patron category. Perhaps it already exists."
DBIx::Class does not default to the value defined at the DB devel if the
key checkprevcheckout has been passed to the constructor.
We may need to provide a global fix for this kind of issue: if a column
is defined as "not null" but has a default value, the constructor
(Koha::Object->new) should not pass it to the DBIx::Class constructor
(even if assuming that null means default is a terrible mysqlism).

Test plan:
Create a new patron category.

Works as expected.
Signed-off-by: Marc <veron@veron.ch>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:12:34 +00:00
5b4259be9c Bug 6499: [QA Follow-up] Trivial adjustments
Removes commented line from bib1.att.
Adjust OCLC-number to Other-control-number in comment of ccl properties.
No need to explicitly add 035$a and $z if you index 035 completely in
record.abs as well as biblio-koha-indexdefs.xml.
Rerun koha-indexdefs-to-zebra.xsl on index defs.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-09 10:13:11 +00:00
Barton Chittenden
84f51549c9 Bug 6499: Add Zebra index "Other-control-number" covering MARC21 035$a, 035$z and 035 (entire tag)
1) Apply patch
2) Make sure that you have a bib that has MARC21 035$a (and possibly also 035$z) populated.

pre 3) Replace all modified zebra files and restart zebra server

3) Rebuild zebra: misc/migration_tools/rebuild_zebra.pl -x -b -z
4) Add the following to the intranetuserjs syspref:

$(document).ready(function(){
    // Add Other Control Number to advanced search
    if (window.location.href.indexOf("catalogue/search.pl") > -1) {
        $(".advsearch").append('<option value="Other-control-number">Other Control Number</option>');
    }
});

5) Do an advanced search, select "Other Control Number" from the search menu, then add the Other Control Number in 035$a for the bib specified in step 1.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Works, no koha-qa errors

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-09 10:13:10 +00:00
Mirko Tietgen
7f50e9f686 Bug 17062 - debian/control.in update: change maintainer
Changing the package maintainer and removing a whitespace in debian/control.in.
Regenerated debian/control from that, which also adds libhtml-parser-perl because of bug 16971.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-08 14:32:00 +00:00
Mirko Tietgen
8102098fa6 Bug 17019 - debian/changelog update
This has not been updated for a while. I plan to add the stable
releases.

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-08 14:30:55 +00:00
Mirko Tietgen
3c9eace41a Bug 17043 - Readonly deps
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-08 14:26:34 +00:00
Mirko Tietgen
fd2f15c486 Bug 17043 - master control file
latest control file update

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-08 14:26:33 +00:00
Mirko Tietgen
347c3b68d7 Bug 17043 - debian/list-deps fixes, master edition
This makes debian/list-deps ready for Debian Jessie
and adds small fixes I already use for package releases.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-08 14:26:32 +00:00
e4bb70a447 Bug 17030: Make REST api available on packages with plack enabled
This patch is the starting point for making the REST api available
on Plack.

What it does:
- It creates the /api/v1/app.pl mount point in plack.psgi
- It enables the ProxyPass and ProxyPassReverse directives so it
  is reached through Plack.
- It sets rewrite rules so we can use the 'pretty' urls (i.e.
  /api/v1/patrons instead of /api/v1/app.pl/api/v1/patrons).

To test:
- Grab the following files, and put them in /etc/koha (overwrite the existing ones)
  debian/templates/apache-shared-intranet-plack.conf
  debian/templates/apache-shared-opac-plack.conf
- Tweak your /etc/koha/sites/kohadev/plack.psgi file so the API-related stuff
  is present on your file.
- Make sure Plack is enabled for the instance:
  $ sudo koha-plack --enable kohadev
  $ sudo koha-plack --restart kohadev
  $ sudo service apache2 restart
- Follow the previous patch test plan, but use this URLs (no pretty URL):

  http://localhost:8080/api/v1/app.pl/api/v1/patrons/50
  http://localhost:8081/api/v1/app.pl/api/v1/patrons/50
=> SUCCESS: You get a JSON response from the API [1]
- Not use this URLs:
  http://localhost:8080/api/v1/patrons/50
  http://localhost:8081/api/v1/patrons/50
=> SUCCESS: You get a JSON response from the API [1]
- Sign off :-D

[1] this patch made a bug visible (the session is lost when accessing the API through
Plack) but it shouldn't prevent its inclusion because the API right now is not even available
as default for developers to test or fix it.

Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-08 13:17:35 +00:00
6e38b8b60f Bug 17030: Enable REST api on packages
This patch enables access to the REST API endpoint on packages setup.
It does so, by patching the shared apache-shared-intranet.conf and
apache-shared-opac.conf.

You can build your own master packages with this patch applied, or just:

- Grab
  debian/templates/apache-shared-intranet.conf
  debian/templates/apache-shared-opac.conf
and overwrite their counterparts in /etc/koha on a packages setup. For example
in kohadevbox.
- Have Koha loaded with all default data
- Create a superlibrarian user for you
- Login to the intranet and the OPAC
- Point your browser to:
  http://localhost:8080/api/v1/patrons/51
=> SUCCESS: You get JSON data, for the patron you requested
  http://localhost:8081/api/v1/patrons/51
=> SUCCESS: You get JSON data, for the patron you requested
- Sign off :-D

Note: I use the HTTPRequester addon for Firefox, re-using the CGISESSID value from the
browser session cookie, in the headers.

Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-08 13:17:34 +00:00
Mirko Tietgen
30474a3215 Bug 17065 - Rename C4/Auth_cas_servers.yaml.orig
C4/Auth_cas_servers.yaml.orig gets cleaned away after every package build because
of the .orig extension. This patch moves it.

It is only a sample file, there is no functionality to test. Just verify that the
file is there with the new name after you applied the patch.

Signed-off-by: Claire Gravely <c.gravely@arts.ac.uk>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-08 13:16:36 +00:00
Mirko Tietgen
3964fac311 Bug 17064 - Delete backup marc21_framework_DEFAULT.sql~ file
This .sql~ backup file should not have been committed.

Signed-off-by: Claire Gravely <c.gravely@arts.ac.uk>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-08 13:15:29 +00:00
Mirko Tietgen
bbaaabd1da Bug 17013 - build-git-snapshot: add basetgz parameter and update master version number
This adds a basetgz parameter to specify a pbuilder image.
I use this to build against different distributions.

This also updates the version number for master builds to 16.06.

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-08 13:13:24 +00:00
phette23
17a5ef5119 Bug 17068: empty <li> in opac-reserve.tt
empty HTML list item on 'holds' page, to test:
- sign in as user
- attempt to place hold
- view source in between 'holds note' textarea & <!-- ITEM HOLDS --> comment
- note empty <li>
- apply patch
- repeat process above up until patch
- no more empty <li>

Signed-off-by: Jason Robb <jrobb@sekls.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-05 07:26:21 +00:00
Zeno Tajoli
d0f2bad12e Bug 16585: Update Italian installer sample files for 16.05
With this patch all sample/defintions .sql files are updated and translated into Italian
(if you select italian during web installation).

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-05 06:11:11 +00:00
Mark Tompsett
6b3a04da6a Bug 16622: some tests triggered by prove t fail for unset KOHA_CONF
TEST PLAN
---------
1) unset KOHA_CONF
2) prove t
   -- 00-load.t dies miserably
3) prove t/Creators.t
   -- fails
4) apply patch
5) prove t
   -- noisy, but all tests successful
6) prove -v t/Creators.t
   -- 2 skipped tests
7) run koha qa test tools

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-05 06:09:58 +00:00
Lari Taskula
92b36fb717 Bug 17041: Fix missing properties in patron.json
Swagger definition for patron was missing two properties.

Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-05 06:08:12 +00:00
Lari Taskula
2ea99517ae Bug 17042: Fix missing column in hold.json
Swagger definition for hold was missing a property.

Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-05 06:06:22 +00:00
72d92be918 Bug 17044: Fix wrong destination for 'api' directory
The original Makefile.PL tweak missed to trim the directory name thus
repeating the 'api' directory like in 'api/api'.

To test:
- Make a standard install (for example in /usr/share/koha
=> FAIL: check /usr/share/koha/api/api exists
- Make a single install (for example in /home/tcohen/koha-single)
=> FAIL: check /home/tcohen/koha-single/api/api exists
- Apply the patch
- Make a standard install (for example in /usr/share/koha
=> SUCCESS: check /usr/share/koha/api exists and doesn't contain a nested 'api' dir
- Make a single install (for example in /home/tcohen/koha-single)
=> SUCCESS: check /home/tcohen/koha-single/api exists and doesn't contain a nested 'api' dir
- Sign off :-D

Note: this affects the packages too, as the standard install is used as a basis.
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-05 04:32:36 +00:00
Nicole C Engard
ebaa3543d6 Bug 16727: Clarify upload category note
This patch clarifies the note on the upload tool
that states that no categories are defined.

To test:

* Log in to Koha
* Confirm that you have no values set for the UPLOAD
  authorized value category
* Visit Tools > Upload
* Check the warning note for typos
* Add a authorized value category for UPLOAD
* Visit Tools > Upload
* Confirm that note is replaced

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-04 21:29:51 +00:00
Hector Castro
e8d4c634b4 Bug 16861: (followup)Translatability: remove fa-hand-o-down icon
Remove fa-hand-o-down icon accoring with QA comment 5

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-04 21:24:57 +00:00
Hector Castro
5f3baecf42 Bug 16861: Translatability: Fix separated "below" in circulation.tt
This patch propose to fix this two entries in PO files:

"See highlighted items" and "below"

Also add some Font Awesome Icons

To test:
-Apply patch 16810 on top and this patch
-Go to a patron who has overdues
-See the link "See highlighted items below" with a hand down icon
-Look the new plus icon to "Add a new message" to the patron.
-Add a few messages and notice about the trash icon in "Delete" links

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-04 21:24:56 +00:00
Mark Tompsett
ef07389220 Bug 16864: Silence warnings in t/db_dependent/ILSDI_Services.t
prove t/db_dependent/ILSDI_Services.t
generates noisy output as a result of the ambiguous context
of two $cgi->param() calls.

By storing into scalar variables, and then using the scalar
variables, the code maintains readability and fixes the problem.

TEST PLAN
---------
1) prove t/db_dependent/ILSDI_Services.t
   -- noisy.
2) apply patch
3) prove t/db_dependent/ILSDI_Services.t
   -- not noisy
4) run koha qa test tools

Signed-off-by: Marc <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-04 20:06:07 +00:00
Mark Tompsett
1be7fb5e12 Bug 16868: Silence error t/db_dependent/Linker_FirstMatch.t
When the auth_header table has records which exclude 1xx and
2xx tags, the $bibfield doesn't match anything. This in turn
sets it to undef, which triggers an error on the next line
killing the test.

This was completely refactored to provide the data necessary
for the tests to pass, and to be more comprehensive (both MARC
and UNIMARC are tested). The tests are then run.

C4::Headings::authorities is mocked, so that this test is not
dependent on a search engine.

TEST PLAN
---------
1) back up DB
2) DELETE FROM auth_header;
3) SOURCE auth_header.sql;
   -- the provided file
4) prove t/db_dependent/Linker_FirstMatch.t
   -- should barf before running all the tests
5) apply all patches
6) prove t/db_dependent/Linker_FirstMatch.t
   -- should work happy
7) run koha qa test tools
8) restore your backup

Followed test plan, behaves as expected.
Signed-off-by: Marc <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-04 20:04:24 +00:00
Marc Véron
13004a8c64 Bug 16871: Translatability: Avoid [%%-problem and fix related sentence splitting in catalogue/detail.tt
In koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt,
fix line splitted TT directives and sentence splitting leading
to translatability problems. (See first comment).

To test:
- Apply patch
- Go to detail pages of biblios with waiting holds
- Verify that messages in column 'Status' are OK
- Examine code in patch to make sure that the simplification in logic
  makes sense and that no TT directive is splitted
- Bonus test:
  - Go to folder misc/translator. Run perl translate create xx-XX
  - Verify that monster mentioned in first comment no longer exists
    (in po/xx-XX-staff-prog.po)

Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised

Amended for wording (comment #5) 2016-07-26 mv

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-04 20:01:31 +00:00
92626f55c8 Bug 16971: Missing dependency for HTML::Entities
This module is already used in opac-password-recovery.pl.
It is loaded in Acquisition, but not used (anymore?).
It is not yet listed in PerlDependencies.

Note: The module is packaged for Debian Wheezy and Jessie.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-04 19:44:03 +00:00
Jesse Weaver
d475dae773 Bug 16818: External auth redirect broken under Plack
Test plan:

0) Have either CAS or Shibboleth authentication enabled under Plack.
1) Hover over the authentication link on the staff client or OPAC, and
   notice that it has either '.../opac/...' or '.../intranet/...' instead
   of '.../cgi-bin/koha/...'. (This will be a complete dealbreaker for CAS
   authentication.)
2) Apply patch.
3) Check links again; they should now have the correct paths.

Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Did not test CAS or Shibboleth, but no regression found.

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-04 19:42:44 +00:00
6122b8fe6e Bug 16830: (followup) Remove weird character from warning in rebuild_zebra.pl
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-04 19:41:42 +00:00
87bcaa7df3 Bug 16830: Remove -x usage on koha-indexer
This patch just does that, and removes it from the comment on /etc/default/koha-common

To test:
- Apply the patch
- Run:
  $ vagrant ssh ; cd kohaclone
  $ sudo debian/scripts/koha-indexer --stop kohadev
  $ sudo debian/scripts/koha-indexer --start kohadev
=> SUCCESS: Verify no warning is shown on the indexer-output.log file
- Sign off

https://bugs.koha-community.org/show_bug.cgi?id=16830

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-04 19:41:41 +00:00
Chris Cormack
28eae42d2d Bug 16975 : @INC should not have '.' as its last entry
To Test
1/ Try using a plugin
2/ Apply patch
3/ Test plugin still works

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-04 19:39:11 +00:00
9bdea2e369 Bug 16878: Fix XSS in opac-memberentry
The vars are gotten from the url and sent to the template as it. They
must be escaped.

Test plan:
I have not managed to create the original issue, so there is no test
plan for the XSS fix, but you can confirm there is no regression.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-04 19:22:00 +00:00
91bc9451d0 Bug 16988 - Suspending a hold with AutoResumeSuspendedHolds disabled results in error
iUnless AutoResumeSuspendedHolds is enabled, attempting to suspend a
hold from reserve/request.pl results in the following error:

The given date (undefined) does not match the date format (us) at
/home/vagrant/kohaclone/Koha/DateUtils.pm line 152.

Test Plan:
1) Enable SuspendHoldsIntranet
2) Disable AutoResumeSuspendedHolds
3) Attempt to suspend or unsuspend a hold
4) Note the error
5) Apply this patch
6) Repeat step 3
7) The hold should suspend or resume correctly

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Megan Wianecki <mwianecki@mtpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-04 19:20:22 +00:00
c63d0b311b Bug 17022: Fix XSS in circ/branchtransfers.pl
Test plan:
Enter the following in the barcode input:
    <script>alert('XSS')</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-04 19:19:23 +00:00