We should no longer need to check the CSRF token from pl files
TODO - there is a change for some files where we returned 403
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
We no longer need to generate_csrf from pl files
TODO - members/boraccount.tt and sco/sco-main.tt need to be adjusted
Bug 34478: [TO SQUASH] Remove generate_csrf from pl
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Rather than test that nothing is returned, we want to test that the terms are filtered as expected. This also avoids the possibility of the tests failing in a db where there is a record for Donald Duck.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
We are dealing ok with ES exceptions for biblio records search,
catching them and raising them to the end user. But we don't for
authorities, where we explode with an ugly 500.
Test plan:
Search for "(term_1*) AND (-) AND (term_2*)" in the authority search and
notice that you don't get a 500 but an error instead saying that you
should try again
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Both Elastic and Zebra search_auth_compat return a hash key
authid for a result.
Test plan:
Remove an authority that should be in your results list.
Note that it is no longer marked as pending, but just not displayed.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
When an authority is removed from the result list it is not removed from
the search engine yet.
This patch suggests adding a note in the summary column to tell the user
that the deletion is pending.
Test plan:
1 - Go to authorities home and perform a search;
2 - Delete any authority;
3 - After the confirmation, the page is refreshed but still contains the
deleted authority, with a red note explaining that the deletion is
pending.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch only affects authority search results in the staff interface.
It adds a new system preference AuthorityXSLTResultsDisplay. If set,
each authority search result MARCXML will be transformed using the XSLT
at the given filename or URL. The output will be displayed in place of
the default summary.
If errors occur, the XSLT is ignored and the default summary is
displayed.
The syspref value can contain {langcode} and {authtypecode} which will
be replaced by the appropriate value (resp. current language and
authority type code)
Test plan:
1. Apply patch and run updatedatabase
2. Verify that authority search results are not affected yet.
3. Create an XSLT file (for instance in
/home/koha/xslt/en/GEOGR_NAME.xsl)
4. Set AuthorityXSLTResultsDisplay syspref value to
/home/koha/xslt/{langcode}/{authtypecode}.xsl
5. Do an authority search that returns GEOGR_NAME results. Verify that
the summary matches what you expect from your XSLT
6. Do an authority search that returns authorities of other types.
Verify that the default summary is displayed.
Example of a minimal XSLT:
<?xml version='1.0' encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
    xmlns:marc="http://www.loc.gov/MARC21/slim"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output omit-xml-declaration="yes"/>
  <xsl:template match="marc:record">
    <xsl:element name="div">
      <xsl:attribute name="class">
        <xsl:text>authority-summary</xsl:text>
      </xsl:attribute>
      <xsl:value-of
          select="marc:datafield[@tag='151']/marc:subfield[@code='a']"/>
    </xsl:element>
  </xsl:template>
</xsl:stylesheet>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
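As an added example (not the patch's code), the stand-alone Perl script below shows the three pieces the commit message describes: the {langcode}/{authtypecode} substitution, the transform of one authority's MARCXML, and the fallback to the default summary when anything fails. It uses XML::LibXML and XML::LibXSLT; the syspref value, the record and the stylesheet are constructed here (the stylesheet is the minimal one from the message). The parser options and the XML::LibXSLT::Security callbacks are a hardening measure the commit does not describe.

```perl
#!/usr/bin/perl
# Added example, not the patch's code. Assumes XML::LibXML and XML::LibXSLT
# are installed; the syspref value, record and stylesheet are constructed.
use strict;
use warnings;
use XML::LibXML;
use XML::LibXSLT;

# {langcode} and {authtypecode} are replaced by the current language and the
# authority type code, as described in the commit message.
sub resolve_xslt_path {
    my ( $syspref, $langcode, $authtypecode ) = @_;
    my %subst = ( langcode => $langcode, authtypecode => $authtypecode );
    ( my $path = $syspref ) =~ s/\{(langcode|authtypecode)\}/$subst{$1}/g;
    return $path;
}

# The MARCXML comes from the search engine, but it is still untrusted input
# to the parser: keep external DTDs, entity expansion and network access off.
my $parser = XML::LibXML->new( load_ext_dtd => 0, expand_entities => 0, no_network => 1 );
my $xslt   = XML::LibXSLT->new;

# Hardening not described in the commit: the syspref accepts a URL, and a
# stylesheet is code run with libxslt's privileges. Deny file and network
# reads/writes through document() and xsl:document up front.
my $security = XML::LibXSLT::Security->new;
$security->register_callback( $_ => sub { 0 } )
    for qw(read_file write_file create_dir read_net write_net);
$xslt->security_callbacks($security);

sub transform_summary {
    my ( $marcxml, $xslt_source, $default_summary ) = @_;
    my $html = eval {
        my $record = $parser->parse_string($marcxml);
        my $style  = $xslt->parse_stylesheet( $parser->parse_string($xslt_source) );
        $style->output_as_chars( $style->transform($record) );
    };
    # Any parse or transform error, or empty output, means "ignore the XSLT".
    return $default_summary if $@ || !defined $html || $html !~ /\S/;
    return $html;
}

my $syspref = '/home/koha/xslt/{langcode}/{authtypecode}.xsl';
print resolve_xslt_path( $syspref, 'en', 'GEOGR_NAME' ), "\n";

# Constructed stand-ins for what would be read from the resolved path and
# returned by the search engine.
my $xslt_source = <<'XSL';
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
    xmlns:marc="http://www.loc.gov/MARC21/slim"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output omit-xml-declaration="yes"/>
  <xsl:template match="marc:record">
    <div class="authority-summary">
      <xsl:value-of select="marc:datafield[@tag='151']/marc:subfield[@code='a']"/>
    </div>
  </xsl:template>
</xsl:stylesheet>
XSL

my $marcxml = <<'XML';
<record xmlns="http://www.loc.gov/MARC21/slim">
  <datafield tag="151" ind1=" " ind2=" ">
    <subfield code="a">Wellington (N.Z.)</subfield>
  </datafield>
</record>
XML

print transform_summary( $marcxml, $xslt_source, 'default summary' ), "\n";
# A broken stylesheet takes the fallback path instead of raising an error.
print transform_summary( $marcxml, '<not-xslt/', 'default summary' ), "\n";
```

The error path matters for the test plan's step 6: an XSLT that does not exist for a type, or that fails to parse, must leave the default summary in place rather than break the results page. The security callbacks are the practitioner's addition: with a URL-valued syspref, anyone able to edit that preference or the file it points to could otherwise make the stylesheet read server files.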
On bug 17591 we discovered that there was something weird going on with
the way we export and use subroutines/modules.
This patch tries to standardize our EXPORT to use EXPORT_OK only.
That way we will need to explicitly define the subroutine we want to
use from a module.
This patch is a squashed version of:
Bug 17600: After export.pl
Bug 17600: After perlimport
Bug 17600: Manual changes
Bug 17600: Other manual changes after second perlimports run
Bug 17600: Fix tests
And a lot of other manual changes.
export.pl is a dirty script that can be found on bug 17600.
"perlimport" is:
git clone https://github.com/oalders/App-perlimports.git
cd App-perlimports/
cpanm --installdeps .
export PERL5LIB="$PERL5LIB:/kohadevbox/koha/App-perlimports/lib"
find . \( -name "*.pl" -o -name "*.pm" \) -exec perl App-perlimports/script/perlimports --inplace-edit --no-preserve-unused --filename {} \;
The ideas of this patch are to:
* use EXPORT_OK instead of EXPORT
* perltidy the EXPORT_OK list
* remove '&' before the subroutine names
* remove some unneeded use statements
* explicitly import the subroutines we need within the controllers or
modules
Note that the private subroutines (starting with _) should not be
exported (and not used from outside of the module except from tests).
EXPORT vs EXPORT_OK (from
https://www.thegeekstuff.com/2010/06/perl-exporter-examples/)
"""
Export allows exporting the functions and variables of modules to the user's namespace using the standard import method. This way, we don't need to create the objects for the modules to access their members.
@EXPORT and @EXPORT_OK are the two main variables used during export operation.
@EXPORT contains list of symbols (subroutines and variables) of the module to be exported into the caller namespace.
@EXPORT_OK does export of symbols on demand basis.
"""
If this patch caused a conflict with a patch you wrote prior to its
push:
* Make sure you are not reintroducing a "use" statement that has been
removed
* "$subroutine" is not exported by the C4::$MODULE module
means that you need to add the subroutine to the @EXPORT_OK list
* Bareword "$subroutine" not allowed while "strict subs"
means that you didn't import the subroutine from the module:
- use $MODULE qw( $subroutine list );
You can also use the fully qualified namespace: C4::$MODULE::$subroutine
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
There is a "debug" parameter we are passing from the controller scripts
to C4::Auth::get_template_and_user, but it's not actually used!
Test plan:
Confirm the assumption
Review the changes from this patch
Generated with:
perl -p -i -e 's#\s*debug\s*=\>\s*(0|1),?\s*##gms' **/*.pl
git checkout misc/devel/update_dbix_class_files.pl # Wrong catch
+ Manual fix in acqui/neworderempty.pl
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
It defaults to 0 in get_template_and_user
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To test:
1 - Apply patch, update database
2 - Note new syspref 'DumpSearchQueryTemplate'
3 - Leave it off
4 - Enable DumpTemplateVariablesOpac and Staff
5 - Search on staff and opac
6 - View the source
7 - Search for 'search_query' - you shouldn't find it
8 - Enable the new pref
9 - Repeat, but you should find the query
10 - Test staff/opac search and advanced search, cataloguing search, authority search, authfinder search, adding to a basket from a new biblio
11 - All should work and show the query
12 - This will work under both ES and Zebra
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Test plan:
1. Review code of the following files and confirm that 'use Modern::Perl;' is used in place of
'use strict; use warnings;'
auth_finder.pl
authorities-home.pl
authorities.pl
blinddetail-biblio-search.pl
detail-biblio-search.pl
detail.pl
export.pl
merge.pl
merge_ajax.pl
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Instead of dying!
Test plan:
Assuming you have a patron with borrowernumber=51 and another one that
can be deleted with borrowernumber=42
- authorities-home.pl
* Delete an authority record
* hit /cgi-bin/koha/authorities/authorities-home.pl?op=delete
- basket/sendbasket.pl
* Send a basket to someone
* hit /cgi-bin/koha/basket/sendbasket.pl?email_add=1
- members/apikeys.pl
* Generate and delete an API key for a patron
* hit /cgi-bin/koha/members/apikeys.pl?patron_id=51&op=delete
- members/deletemem.pl
* Delete a patron
* hit /cgi-bin/koha/members/deletemem.pl?member=42&op=delete_confirmed
- members/mancredit.pl
* Add a manual credit
* hit /cgi-bin/koha/members/mancredit.pl?borrowernumber=51&add=1
- members/maninvoice.pl
* Add a manual invoice
* hit /cgi-bin/koha/members/maninvoice.pl?borrowernumber=51&add=1
- members/member-flags.pl
* Change permissions for a patron
* hit /cgi-bin/koha/members/member-flags.pl?member=51&newflags=1
- members/member-password.pl
* Change the password for a patron (from the staff interface)
* hit /cgi-bin/koha/members/member-password.pl?member=51&newpassword=aA1
- members/memberentry.pl
* Edit some patron's info
* hit /cgi-bin/koha/members/memberentry.pl?borrowernumber=51&op=save
- members/paycollect.pl
* Pay an individual fine
* hit something like /cgi-bin/koha/members/paycollect.pl?borrowernumber=51&pay_individual=1&accounttype=L&amount=1.00&amountoutstanding=1.00&accountlines_id=157&paid=1
You may need to edit some values
- tools/import_borrowers.pl
* Import some patrons
* hit /cgi-bin/koha/tools/import_borrowers.pl?uploadborrowers=1
- tools/picture-upload.pl
* Upload an image for a patron
* You will need to edit the html content
hit Home › Tools › Upload patron images
then locate the csrf_token input and modify its value
Note for QA:
- Opac is not done as blocking_errors.inc does not exist for this
interface
- ill/ill-requests.pl
I did not manage to replace this occurrence
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Bug 20261 introduced an error because search_auth_compat responded
differently for ES and Zebra, now bug 19365 fixed the underlying
difference. This patch restores previous code to fix pagination.
Additionally we add a fix for 10000+ results in ES and remove a double
import of C4::Auth
To test:
1 - Perform an authorities search with 1+ pages using Zebra
2 - Page through results, note you are only offsetting by 1 each time
3 - Perform an authorities search with 10,000+ results in ES
4 - Click on the last page and get an error
5 - Apply patch
6 - Retry Zebra search
7 - Results should paginate correctly
8 - Clicking on last page should return last results
9 - Retry ES results
10 - Results should paginate correctly
11 - Clicking on last page should return last results
Signed-off-by: Ere Maijala <ere.maijala@helsinki.fi>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
To test:
1 - prove t/db_dependent/Koha/Z3950Servers.t
2 - Load cataloging and authority home pages
3 - Verify you can add from Z39.50 on each page
4 - Delete all z3950 servers
5 - Verify the option to add from Z39.50 is removed on both pages
Signed-off-by: Jesse Maseto <jesse@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
- apply this patch,
- do a search that returns more than 20 results,
- click on page 2,
- check that you get results,
- check other pages if possible
Signed-off-by: Nicolas Legrand <nicolas.legrand@bulac.fr>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This is a QA follow-up of bug 19436, submitted separately for ease of
backporting it. (The bug was not raised by 19436.)
Obviously, the number of authority servers, not biblio servers, should
be the key factor for showing or hiding the button for new authority
records via Z39.50/SRU.
Trivial fix.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
[1.] Load the patch and make sure you have some Z39.50/SRU servers
(Administration => Z39.50/SRU servers administration)
[2.] Then go to authorities and notice that the 'New from
Z39.50/SRU' button is there
[3.] Next go to cataloging and notice that the 'New from Z39.50/SRU'
button is there too
[4.] Now make sure you have no Z39.50/SRU servers (remove the
servers)
(Administration => Z39.50/SRU servers administration)
[5.] Go to authorities and notice that the 'New from Z39.50/SRU'
button is not there
[6.] Lastly go to cataloging and notice that the 'New from Z39.50/SRU'
button is not there too
:)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
I added a missing [% END %] during signoff. Hope no one minds!
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
We will need a few additional parameters for merge later on. This patch
puts the original parameters in a parameter hash.
For the same reason DelAuthority gets a parameter hash here.
Note: We remove the second parameter from the DelAuthority call in
authorities/authorities-home.pl here. It was not used and could have
presented problems in the future.
Test plan:
[1] Run t/db_dependent/AuthoritiesMarc.t.
[2] Run t/db_dependent/Authorities/Merge.t.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jacek Ablewicz <abl@biblos.pk.edu.pl>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Without this patch, it is possible to delete authority records with URL
manipulation.
Like: /cgi-bin/koha/authorities/authorities-home.pl?op=delete&authid=[XXX]
Test plan:
[1] Go to Authorities. Search for some authorities (without links).
[2] Delete an authority. Should work.
[3] Apply patch.
[4] Construct an URL like above to delete another authority. Should fail.
Under Plack this results in an internal server error, the log tells
you: Wrong CSRF token.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Amended the test plan.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
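The CSRF check introduced here, the "output a 403 page instead of dying" behaviour from the "Instead of dying!" message above, and the later move of that check out of the .pl scripts (bug 34478, at the top of this log) are all about the same control. The following is an added example, not Koha::Token or C4::Output code: one stand-alone CGI script that generates a session-bound token, verifies it before the state-changing op runs, and answers a bad token with a 403 page rather than die(). The HMAC construction, the $SECRET value and the use of the CGISESSID cookie as the session id are constructed for the demonstration and do not replicate Koha's real token scheme.

```perl
#!/usr/bin/perl
# Added example, not Koha's code. Only core modules are used (CGI may need
# installing on newer perls). Secret and cookie handling are constructed.
use strict;
use warnings;
use CGI;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed value: in a real deployment this comes from server-side
# configuration, never from the request.
my $SECRET = 'constructed-server-secret';

# Token bound to the session: a cross-site page can make the browser send the
# session cookie, but it cannot read the cookie, so it cannot compute this.
sub generate_csrf {
    my ($session_id) = @_;
    return hmac_sha256_hex( $session_id, $SECRET );
}

# Constant-time comparison so response time does not leak how many bytes match.
sub tokens_equal {
    my ( $x, $y ) = @_;
    return 0 unless defined $x && defined $y && length $x == length $y;
    my $diff = 0;
    $diff |= ord( substr $x, $_, 1 ) ^ ord( substr $y, $_, 1 ) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub check_csrf {
    my ( $session_id, $token ) = @_;
    return tokens_equal( generate_csrf($session_id), $token );
}

# What the "Instead of dying!" commit does: a 403 with a readable page instead
# of die(), which under Plack surfaces as an internal server error.
sub output_and_exit {
    my ( $cgi, $message ) = @_;
    print $cgi->header( -status => '403 Forbidden', -type => 'text/html', -charset => 'UTF-8' ),
        "<!DOCTYPE html><html><body><h1>Error</h1><p>",
        $cgi->escapeHTML($message), "</p></body></html>\n";
    exit 0;
}

my $cgi = CGI->new;
# Real code would refuse to go further without an authenticated session.
my $session_id = $cgi->cookie('CGISESSID') // '';
my $op         = $cgi->param('op') // '';

if ( $op eq 'delete' ) {
    # The state change requires a POST carrying this session's token. A plain
    # GET such as ?op=delete&authid=123 from a crafted link fails both tests,
    # and the check runs before any deletion code is reached.
    output_and_exit( $cgi, 'Wrong CSRF token' )
        unless $cgi->request_method eq 'POST'
        && check_csrf( $session_id, scalar $cgi->param('csrf_token') );

    # ... the deletion (DelAuthority in authorities-home.pl) would run here
}

# When rendering the page, embed a token so the legitimate form can POST it back.
print $cgi->header( -charset => 'UTF-8' );
printf qq{<input type="hidden" name="csrf_token" value="%s" />\n}, generate_csrf($session_id);
```

Two points the test plans above rely on: the check must precede the action, and the failure must be a deliberate response. The picture-upload step in the "Instead of dying!" plan (editing the csrf_token input in the HTML) is exactly the tampered-token case the constant-time comparison rejects.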
At the intranet, the pagination has been broken by bug 12478 (Elastic
Search). There was a confusion between the offset and the page number.
At the OPAC, it is broken since bug 2735 which has mimicked the intranet
script.
Test plan:
Search for a term which will return more than 1 page of results.
Click on the second page
=> Without this patch, the first result of the second page is the second
result of the first page
=> With this patch applied, the offset will be corrected
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This allows sorting to be configured within a field. For example, while
many values are included for search on author, sorting should only be
done on the main entry values. This permits that by having a sort value,
which can be true, false, or null. true and null are pretty much the
same, but false means that a field isn't available for sorting on. By
default (null), fields can be sorted on.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Some issues with sort order though.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
The commit b5ecefd485
Date: Mon Feb 3 18:46:00 2003 +0000
had a funny description:
Added function to check if a MARC subfield name is "koha-internal"
(instead of checking it for 'lib' and 'tag' everywhere); temporarily
added to Koha.pm
"Temporarily", since 2003, everything is relative, isn't it? :)
The thing is that GetMarcStructure returns a hash like
    field_200 => {
        subfield_a => {
            %attributes_of_subfield_a
        },
        %attributes_of_field_200
    }
The attributes for field_200 can be 'repeatable', 'mandatory', 'tag', 'lib'.
We don't want to loop on these values when looping on subfields.
Since there are just { k => v } where v is a scalar (string), it's easier
to test if we are processing a subfield by testing the reference.
At some places, we don't need to test that, we are looping on values
from MARC::Field->subfields which are always valid subfields.
Test plan:
1/ Edit items using the batch item mod tool
2/ display and edit items via the cataloguing module.
You should not see any changes between before and after the patch
applied.
Tech notes:
We need to check what we are processing when we loop on 'subfields' from
GetMarcStructure, not from MARC::Field->subfields.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
These 2 subroutines are not necessary anymore, we can use
Koha::Authority::Types to retrieve the authority types.
This patch won't be easy to test. Indeed, a lot of files are updated.
To test it I would suggest focusing on the merge authority
You should also confirm that the authtypecode and the authtypetext
values are correctly displayed when navigating in the authority module.
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
http://bugs.koha-community.org/show_bug.cgi?id=9987
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
To reproduce, edit and index a notice with a utf-8 char and search for it
Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Since we switched to Template Toolkit we don't need to stick with the
suffix we used for HTML::Template::Pro.
This patch changes the occurrences of '.tmpl' in favour of '.tt'.
To test:
- Apply the patch
- Install koha, and verify that every page can be accessed
Regards
To+
P.S. a followup will remove the glue code.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Like OPAC, the search history is now available for intranet. This
is controlled by the EnableSearchHistory system preference.
Test plan:
1/ Switch on the 'EnableSearchHistory' syspref.
2/ Launch some biblio and authority searches.
3/ Go on your search history page (top right, under "Set library").
4/ Check that all your searches are displayed.
5/ Click on some links and check that results are consistent.
6/ Delete your biblio history searches.
7/ Delete your authority history searches.
8/ Launch some biblio and authority searches.
9/ Play with the 4 delete links (current / previous and biblio /
authority).
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
The current implementation (mostly commented out in this patch)
uses a heuristic to guess which strings need decoding from utf-8
to binary representation, doesn't support utf-8 characters
in templates and has problems with utf-8 data from the database.
With these changes, Koha perl code always uses utf-8 encoding
correctly. All incoming data from the database is already
correctly marked as utf-8, and decoding of utf8 is required
only for Zebra and XSLT transfers, which don't set the utf-8 flag
correctly.
For output, the standard perl :encoding(utf8) handler is used,
so it also removes various "wide character" warnings as a side-effect.
Test scenario:
1. make sure that you have utf-8 characters in your biblio
records, patrons, categories etc.
2. try to search records on intranet and opac which contain
utf-8 characters
3. install language which has utf-8 characters, e.g. uk-UA
dpavlin@koha-dev:/srv/koha/misc/translator(bug_6554) $
PERL5LIB=/srv/koha/ perl translate install uk-UA
4. switch language to uk-UA and verify that templates
display correctly
5. test search and Z39.50 search and verify that characters
are correct
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
I followed the test plan, adding utf-8 characters to library names,
patron categories, titles, and authorized values. I tried the uk-UA
translation and everything looked good.
When performing Z39.50 searches for titles containing utf-8 characters I
got results which were still occasionally contaminated with dummy
characters [?] but I assume this is Z39.50's fault not the patch's.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Already signed, add mine.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
The correct tab is now visible on load. The problem with authtypecode
showing up in the search box is specific to UNIMARC, so I could not
check that it was gone, but I am comfortable signing off on this.
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Makes clicking a Delete link refresh the search that
was performed so that the results are still on the screen.
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Works as advertised. Very useful. Still, there is the issue that, indexing
not being in real time, the search result displays the just deleted authority.
But there is no way to do better.
UNIMARC is the only marcflavour that does not already have an option
for searching all authority types, so check that the marcflavour is
UNIMARC before displaying the additional "All authority types" option.
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
This patch addresses both security issues mentioned in the summary of the report
submitted by Frère Sébastien Marie included below.
---------------------------
The problem is here: 'C4/AuthoritiesMarc.pm' in the function 'DelAuthority':
The argument $authid is included directly (not via statement) in the SQL.
For the exploit of this problem, you can use 'authorities/authorities-home.pl'
with authid on the URL and op=delete (something like
"authorities/authorities-home.pl?op=delete&authid=xxx").
This should successfully call DelAuthority, without authentication...
(DelAuthority is called BEFORE get_template_and_user, so before authentication
[This should be an issue also...]).
Please note that the problem isn't only that anyone can delete an authority of
their choice, it is more general: with "authid=1%20or%1=1" (after inclusion the SQL
will be like: "delete from auth_header where authid=1 or 1=1") you delete all
authorities; with "authid=1;delete%20from%xxx" it is "delete from auth_header
where authid=1;delete from xxx" and so delete what you want...
SQL-INJECTION is very permissive: you can redirect the output in a file (with
some MySQL function), so write the file of your choice on the server, in order
to create a backdoor, and compromise the server.
Signed-off-by: Frère Sébastien Marie <semarie-koha@latrappe.fr>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
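The injection the report describes, reproduced against an in-memory database and placed next to the fix, as an added example that is not Koha's DelAuthority code. It assumes DBI with DBD::SQLite; the auth_header table, its rows and the payload are constructed here. The example covers only the SQL problem; the report's second point, that the deletion ran before get_template_and_user, is a separate ordering fix (authenticate and authorize first, then act).

```perl
#!/usr/bin/perl
# Added example, not Koha code. Assumes DBI and DBD::SQLite are installed;
# table, rows and payload are constructed for the demonstration.
use strict;
use warnings;
use DBI;

sub fresh_db {
    my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
        { RaiseError => 1, AutoCommit => 1 } );
    $dbh->do('CREATE TABLE auth_header (authid INTEGER PRIMARY KEY, heading TEXT)');
    $dbh->do( 'INSERT INTO auth_header VALUES (?, ?)', undef, $_, "heading $_" ) for 1 .. 5;
    return $dbh;
}

# Vulnerable shape from the report: whatever arrived in ?authid=... becomes
# part of the SQL text and is parsed as SQL.
sub del_authority_unsafe {
    my ( $dbh, $authid ) = @_;
    return $dbh->do("DELETE FROM auth_header WHERE authid=$authid");
}

# Fixed shape: validate the type, then pass the value as a bind parameter so
# it is only ever compared against authid and never parsed as SQL.
sub del_authority_safe {
    my ( $dbh, $authid ) = @_;
    return 0 unless defined $authid && $authid =~ /\A[0-9]+\z/;
    return $dbh->do( 'DELETE FROM auth_header WHERE authid=?', undef, $authid );
}

sub count_rows {
    my ($dbh) = @_;
    return $dbh->selectrow_array('SELECT COUNT(*) FROM auth_header');
}

# What "authid=1%20or%201=1" decodes to once CGI has unescaped the query string.
my $payload = '1 or 1=1';

my $dbh = fresh_db();
del_authority_unsafe( $dbh, $payload );    # WHERE authid=1 or 1=1 matches every row
printf "unsafe: %d rows left\n", count_rows($dbh);

$dbh = fresh_db();
my $affected = del_authority_safe( $dbh, $payload );    # rejected before any SQL runs
printf "safe:   %d rows left, %d deleted\n", count_rows($dbh), $affected;

$dbh = fresh_db();
del_authority_safe( $dbh, '3' );    # a genuine id still deletes exactly one row
printf "safe:   %d rows left\n", count_rows($dbh);
```

The bind parameter alone closes the injection; the numeric check is there because a bound string such as '1 or 1=1' is not harmless everywhere: MySQL coerces it to the leading number 1 when comparing with an INTEGER column, so without the check the request would still delete authority 1. Keeping the id validation and the placeholder together gives the same behaviour on every backend.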
Fixed obvious warning generators in scripts
with mismatched comparisons or undefined variables.
Removed the temporary variable 'selected' while ensuring the
comparison it represented was between two defined variables.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Most Perl scripts (as opposed to modules) do
not need to require Exporter.
No user-visible or documentation changes.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
The AddStatement op is an archaism from 2.2 that
has not been used in the templates for at least a
year.
No documentation changes.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
finalresult contained the whole list and not only the useful results.
resultlist contained only 19 elements; adding one.
Parameters passed through pages also contained empty parameters; deleting them.
Conflicts:
C4/AuthoritiesMarc.pm
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>