Commit graph

50109 commits

Author SHA1 Message Date
2278d229e8 Bug 36532: Protect opac-dismiss-message.pl from malicious usages
Really bad design, NEVER retrieve the logged in user from the CGI
param!

See comment 1 for more info

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit c92d38a6c603278e0d253c6e29731380c017ebb7)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-04-24 09:51:45 +00:00
2eab2949fc Bug 36511: Some scripts missing a dependency following Bug 24879
These files needed the addition of 'use C4::Auth qw( check_cookie_auth
);'.

To test, apply the patch and restart services.

- If necessary, enable the LocalCoverImages system preference.
- Open the browser console and then the "Network" tab. You can click
  "Images" to filter for the correct kind of request.
- Perform a catalog search. After the search has loaded, check that
  there are no 500 errors in the Network tab.

- Go to Cataloging -> Label creator.
- If necessary, create a label batch and add some items.
- Export your batch and test both the "Download as CSV" and "Download as
  XML" links. Both should trigger the correct download.

- Go to Serials -> Claims, and select a vendor with late issues.
- Select all late issues and click "Download selected claims" at the
  bottom of the page.
- Your CSV file should download correctly.

The file acqui/check_uniqueness.pl has been corrected as well but I'm
not sure how to test it!

Signed-off-by: danyonsewell <danyonsewell@catalyst.net.nz>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 747f513231)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 01b22fb71d)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 72cead50b4)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-04-15 07:49:13 +00:00
3d4016ef31 Merge remote-tracking branch 'security/22.11.x-security' into 22.11.x 2024-04-03 15:32:56 +02:00
6e141fe79b Bug 34755: (Rmaint follow-up) Fix tests
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit f1803c7146)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-04-03 08:12:08 +00:00
4f89cecf89 Bug 34755: Backport Koha::Token change from bug 34478
This change includes the Koha::Token changes which uses
Koha::Session for generating and checking CSRF tokens.

0. Apply the patch and koha-plack --restart kohadev
1. Setup Keycloak OIDC SSO according to "Testing SSO"
wiki guide
2. In a regular window go to http://localhost:8080
3. In a private window go to http://localhost:8080 and click
the SSO "Log in with..." button, but don't log into Keycloak
4. In the regular window, login locally, and navigate to 5-6 pages
5. In the private window, log into Keycloak
6. Note that you are redirected back to Koha and logged in
successfully (no wrong_csrf_token error).

Signed-off-by: Olivier Hubert <olivier.hubert@inlibro.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 46c0419a11)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 19f79fa606)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-04-03 08:08:47 +00:00
35fcb2a798 Bug 36098: Default to 'file' if pref does not exist
During the installer process there is a bunch of warnings
  "Use of uninitialized value $storage_method in string eq at"

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit e2440f2c61)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit a42bce58b2)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 922928eb7d)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-04-03 08:04:40 +00:00
8b1c2a823f Bug 36098: (follow-up) extend test to check driver
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit c42ede262a)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 973b3ce069)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 95b2160129)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-04-03 08:03:58 +00:00
39181aa6ea Bug 36098: Fix storage_method pass
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 5572567143)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 941f34626a)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 8914f906b4)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-04-03 08:03:40 +00:00
516efe873e Bug 36098: Allow to pass storage_method
Will need this on follow-up bugs.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 56d8ac2476)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit be03ca910f)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit ac8c0a8a4a)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-04-03 08:02:54 +00:00
dcf85eb05a Bug 36098: (QA follow-up) Add POD to Koha::Session
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 09de3f820b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 0ff685f228)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 96dc7d77c0)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-04-03 08:02:33 +00:00
d917e2fc75 Bug 36098: Add Koha::Session module to ease session handling
This patch adds a Koha::Session module that makes it easier
to work with Koha sessions without needing the full C4::Auth module.

Test plan:
0. Apply the patch
1. Run the following unit tests:
prove ./t/db_dependent/Auth.t
prove ./t/db_dependent/Auth_with_cas.t
prove ./t/db_dependent/Koha/Session.t
2. Observe that they all pass

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 0e6537d199)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit f927343a88)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit e19e066b4a)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-04-03 08:00:23 +00:00
92030f1aba Bug 24879: (follow-up) Fix test suite
Running cataloguing plugins (in cataloguing/value_builder) now requires
authentication.

This patch adds in failing unit tests a mock of C4::Auth::check_cookie_auth

Test with:
prove t/db_dependent/FrameworkPlugin.t t/db_dependent/Koha/UI/Form/Builder/Biblio.t t/db_dependent/Koha/UI/Form/Builder/Item.t t/db_dependent/Serials.t

(cherry picked from commit f8a23b8ef4)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

suite
2024-03-27 09:48:34 +00:00
452f4d5acf Bug 36176: Exclude misc/releases_notes/*
(cherry picked from commit 93a68d2068)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-27 08:57:08 +00:00
82f1e3906c Bug 34943: (QA follow-up) Use before_biblio_action and an action param
This patch harmonizes the hook name and parameters with the rest of the
codebase.

To test:
1. Apply this patch
2. Run:
   $ ktd --shell
  k$ qa
=> SUCCESS: All looks green, and tests still pass (i.e. they were
correctly adjusted to the new schema).
3. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 353f510c14)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-26 15:31:26 +01:00
fdc58abc8c Bug 34943: Implement before_biblio_metadata_store plugin hook
This patch implements a hook allowing record modification right before
they are written on the DB. The idea is that a plugin could be used to
add machine-generated fields/subfields.

To test:
1. Apply the unit tests patch
2. Run:
   $ ktd --shell
  k$ prove t/db_dependent/Koha/Plugins/Biblio_and_Items_plugin_hooks.t
=> FAIL: Tests fail! The hook is not implemented so the desired results
don't appear (added fields/subfields).
3. Apply this patch
4. Repeat 2
=> SUCCESS: It works!
5. Run:
  k$ qa -c 2
=> SUCCESS: All green!
6. Sign off :-D

Sponsored-by: Theke Solutions
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e78b7bdbe5)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-26 15:30:08 +01:00
bb83e98c11 Bug 34943: Unit tests
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit ddb2ab7a9f)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-26 15:29:18 +01:00
eec863243e Update release notes for 22.11.16 release 2024-03-25 11:04:54 +00:00
ca63c7d1f0 Increment version for 22.11.16 release 2024-03-25 10:50:48 +00:00
67f842d0c2 Bug 36244: DBRev 22.11.15.001 2024-03-25 10:47:59 +00:00
1951a86b4d Merge branch '22.11.x' into 22.11.x-security 2024-03-25 10:42:51 +00:00
b37b4e8217 Bug 24879: Exclude koha_perl_deps.pl
And tidy.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 171197bf2353c0c415d25be127073ad13a9d86bc)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit ab6e314da2bf24b2b93ee72e1adb312676321ed4)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-25 08:24:03 +00:00
9845a19a4f Bug 24879: Use perl shebang to list the exec
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit f4a52fbc317067b62881110557aeb2b2cc63c41e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 5d713e293d5e3b28f1f0611855df88ea886de9e1)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-25 08:23:28 +00:00
c76b77ad42 Bug 24879: Add check_cookie_auth when missing
This can certainly be improved to adjust the permissions, but at least
they are no longer open to the world.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 496c8c4e2d9199a38c796fdd6f63d89d8c6b215d)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 309e976765f593d6ec2b857295dc58e57d58900e)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-25 08:23:03 +00:00
9011568676 Bug 24879: Adjust tests
Installer scripts cannot be run from the UI:
debian/templates/apache-shared-intranet.conf:RewriteRule ^/cgi-bin/koha/(C4|debian|etc|installer/data|install_misc|Koha|misc|selenium|t|test|tmp|xt)/|\.PL$ /notfound [PT]

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 6d61091f1ac8e66d2fdaac9a31530dfc7a7eb5fc)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 2cb014d18387eb87387f6a2dae34f5d16d774303)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-25 08:22:23 +00:00
ff7f48c296 Bug 24879: Remove installer/externalmodules.pl
It is not used, if we need it back it must be moved to misc.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 90fe13e23976e2de81adc14fbabfb99660320989)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 917889bc77029ee632748e444523047b1aceed03)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-25 08:21:31 +00:00
decfeadb5e Bug 24879: Add new test to catch missing auth statement
in intranet scripts

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 8784a7e9ffe9fd5f22be133693d0d301f572e82d)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 97ded9347cb21d4016f8d7cc42a360bad22490d7)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-25 08:17:33 +00:00
0a34cdc9e3 Bug 31988: Remove reports/itemtypes.plugin
This "plugin system" is only used for the itemtypes report. We can
simply remove the reports/manager.pl script and this plugin in favor of
a dedicated report.

Test plan:
Same behaviour expected before and after this patch

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 499fe0bea7d995358bd45da2bea7058d803f2b4e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit e2c5e7b88bb9bbc2888129a8f782841f6f5fcff9)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-25 08:16:32 +00:00
8f5caa3820 Bug 36322: Redirect docs dir to 404
http://localhost:8081/cgi-bin/koha/docs/CAS/CASProxy/examples/proxy_cas.pl

Test plan:
Hit the link
=> Erk
Copy the apache config to /etc/koha/apache-shared-intranet-git.conf
restart_all
Hit the link
=> 404

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 0cf08303932eea945d5c90cca0d5ca18fe8923d6)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 01f70904548e64c73f0ddd81a5559b5c3c69b620)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-25 08:08:27 +00:00
02fbf0412a Bug 36323: Move koha_perl_deps.pl to misc/devel
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit e865f1e1ae67266e822be2690dc5610b22cdded1)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 5aaa696afed47906b3f25e440c9a9243dbc1d489)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-25 08:03:56 +00:00
7f885f405c Bug 36176: Reject cud- for stable branches
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit 30999e675f)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-19 08:27:24 +01:00
Julian Maurice
193ac375aa Bug 35960: Use .val() instead of string concat to prevent potential XSS
Test plan:
1. Log out
2. Go to /cgi-bin/koha/mainpage.pl#somestring"with<html>char
3. Open the browser's inspector and find "auth_forwarded_hash" input
4. Make sure the value attribute is there and corresponds to the URL's
   fragment. It should be URI-encoded.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e6f8a4361e2975dfefcd9773fa61ef7d40300086)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 5409e17fb5abe0130f3cb2cd6c3d2a7707a5b251)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-19 08:18:20 +01:00
652e3819bd Bug 36244: Add atomic update to check for affected notices
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Fixed some typos in bug numbers and text.

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 2e18611b7d8527c7ff9253a7669aad2c13a5afb0)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2024-03-19 08:13:05 +01:00
Andreas Jonsson
dfcdc322e9 Bug 36244: Do template toolkit processing first
To avoid injection of template toolkit code
from database fields that are controlled by
untrusted sources.

Test plan:

* review subtest 'Template toolkit syntax in
  parameters' in t/db_dependent/Letters.t
* Run the unit test:
  prove t/db_dependent/Letters.t

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 07ac3b0b9450f812bb48cfecf7bf3f47f63279b5)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 20353e094a952f506b9be7f21740e1001fbdeb69)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-19 08:12:21 +01:00
Andreas Jonsson
ae48106422 Bug 36244: Unit test for tt syntax in parameters
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 3f8b7785cd703f89de140108eb9347bf33a0c764)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 285f3093ed594d961c5618ed2b110f86f5467f35)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-19 08:11:48 +01:00
f09b359cb7 Bug 35942: OPAC user can enroll several times to the same club [23.05.x]
Test Plan:

1) Create 3 clubs, 1 limited to library A, 1 limited to library B and one not limited
2) Use a patron with home library A.
3) Go to the opac-user page, "Clubs" tab shows 0/2 (the one from library B is not listed)
4) Browse to /cgi-bin/koha/svc/club/enroll?id=1
5) Reload that page a couple times
6) Note the patron is now enrolled in the same club multiple times
7) Delete those enrollments
8) Apply this patch
9) Restart all the things!
10) Repeat steps 2-7, note the lack of duplicate enrollments!
11) Repeat steps 2-10 for the staff interface

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 9bdab108e2)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-04 17:34:39 +01:00
17f7f8930a Bug 35942: OPAC user can enroll several times to the same club [23.05.x]
Test Plan:

1) Create 3 clubs, 1 limited to library A, 1 limited to library B and one not limited
2) Use a patron with home library A.
3) Go to the opac-user page, "Clubs" tab shows 0/2 (the one from library B is not listed)
4) Browse to /cgi-bin/koha/svc/club/enroll?id=1
5) Reload that page a couple times
6) Note the patron is now enrolled in the same club multiple times
7) Delete those enrollments
8) Apply this patch
9) Restart all the things!
10) Repeat steps 2-7, note the lack of duplicate enrollments!
11) Repeat steps 2-10 for the staff interface

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 9bdab108e2)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-03-04 17:33:39 +01:00
26b9e2ed43 Update release notes for 22.11.15 release
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-02-27 08:02:23 +01:00
c6ff834fcd Increment version for 22.11.15 release
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-02-27 07:52:25 +01:00
d44a697788 Bug 35518: Tidy the moved blocks
This patch just tidies the moved blocks to get us past the QA script
check.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit b577b65670)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 1f182d45ab)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-02-23 18:17:37 +00:00
1460974627 Bug 35518: Check authentication and set userenv before fetching userenv variables
Currently we get the userenv before we have set it correctly for the session

To test:
 1 - Sign in as a user with fast cataloging permission
 2 - Bring up a patron, type gibberish into barcode field to get a fast cataloging link
 3 - Check the link, it should have your current signed in barcode
 4 - Sign in to a different browser with a different user and at a different branch
 5 - Bring up a patron in circulation and type gibberish into barcode field to get a fast cataloging link
 6 - It may have your branch, but it may also have the other user's branch from the other window
 7 - Keep entering gibberish to get a link until one user has the correct branch
 8 - Then switch to the other browser, and keep entering gibberish, watch the branchcode change
 9 - Apply patch, restart all
10 - Test switching between browsers, generating fast cataloging links
11 - Users should now consistently have the correct branch

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 90b6f68616)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 26722f2a08)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-02-23 18:17:31 +00:00
Andreas Jonsson
c707a45b03 Bug 36034: (bug 34893 follow-up) fix capture of return values from checkpw
Adapt code to the change of return value type of checkpw
introduced in bug 34893

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 3280e5a99d)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-02-23 17:34:41 +00:00
7de3e7c6dc Bug 36034: Add test
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 80822f7689)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-02-23 17:28:38 +00:00
17ed4acb17 Bug 35941: Limit club list to those from the logged in user
clubs-tab gets the patron's id from the parameter. At the OPAC we must
use the one from the logged in user, to prevent leaks to other users

Test plan:
Have 2 clubs: A, B
Enroll to A with patron borrowernumber=1
Enroll to B with patron borrowernumber=2
Log in with patron 1 and hit:
  http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=1
=> OK
Now hit
  http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=2
=> oops

Apply this patch, try again.
The "borrowernumber" parameter is no longer used to fetch the club list.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit e51ef7ef76a4ee523b302d724d80118185030e60)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2024-02-22 13:02:53 +00:00
c8eaa99e40 Bug 29510: RMaint fix test count
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-02-22 10:44:46 +00:00
39c8abb274 Bug 29510: Make objects.find call search_limited if present
This patch makes objects.find implicitly update the passed
*$result_set* to use search_limited. This way no object leaks could
happen without noticing.

To test:
1. Apply the regression tests patch
2. Run:
   $ kshell
  k$ prove t/db_dependent/Koha/REST/Plugin/Objects.t
=> FAIL: Tests fail because search_limited is not used
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass! Results are correctly filtered based on userenv!
5. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit 1f1f0837cd2058ff8e953e6ae719c7513ad35927)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 36a1b9e4df)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-02-22 10:41:45 +00:00
46c10c68ab Bug 29510: Regression tests
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit fe5dc0bdda78424437331cf83624c7606a3a54b4)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit eae197962e)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-02-22 10:41:11 +00:00
5ebc7f26c1 Bug 34623: RMaint follow-up
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-02-22 10:14:10 +00:00
04d3c8665e Bug 34623: Update jQuery-validate plugin to 1.20.0
This patch updates the jQuery validation plugin in both the staff
interface and the OPAC to the latest version, 1.20.0.

To test, apply the patch and clear your browser cache if necessary.

Test various pages in the staff client to confirm that form validation
works as expected:

 - Patron password change form:
   - Password must conform to minPasswordLength
   - Password must not contain leading/trailing spaces
   - Passwords must match

 - Administration -> Add or edit budget:
   - Description, start date, and end date are required
   - Start date must be before end date

 - Administration -> Add or edit Z39.50/SRU server:
   - Server name, hostname, port, and database are required
   - Port, rank, and timeout must be a number

Perform the same check of the "Change password" form in the OPAC.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 8deffec3155f54b7209f1465942fd8fbea23da5e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 8c18a73493)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-02-22 10:11:46 +00:00
af47bfc4a0 Bug 36072: opac-request-article should check syspref
Note: This is handled now just like opac-reserve.

Test plan:
Disable ArticleRequests and hit the page.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 8afcbe0bbb556cb19ff2e33e56cf3bcb8dd13d11)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit c4d3486511)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-02-22 09:58:37 +00:00
b2c89a5ae0 Bug 35918: Fix auto library connect (AutoLocation)
This code is a bit weird, its purpose is to auto select the library depending on the IP.
A problem appears if the same IP is used, then the user's choice
might be overwritten randomly by another library.

To recreate the problem:
Turn on AutoLocation
Use koha/koha @CPL for test
And the following config:
*************************** 1. row ***************************
branchcode: CPL
branchname: Centerville
  branchip: 172.18.0.1
*************************** 2. row ***************************
branchcode: FFL
branchname: Fairfield
  branchip: 172.18.0.1
*************************** 3. row ***************************
branchcode: FPL
branchname: Fairview
  branchip: 172.18.0.4

Connect and select CPL. Randomly FFL will be picked instead.

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tested this on top of 35890 and 35904 because git bz said they were required dependencies.
Figured out the IP Koha was seeing me as coming from in /var/log/koha/kohadev/plack.log.
Added that IP to the branchip for Centerville, Fairfield and Fairview. Set AutoLocation = Yes.
After this I could recreate the problem: If I left the "Library" field in the login screen
at "My Library" I got logged into a random library selected from the three I had set
branchip for. Applying the patches fixed this, as expected.
Tests pass, with AutoLocation off.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 4efe74fe12075298680965db3605f717f1da10d0)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-02-22 09:54:55 +00:00