Security.t does not pass anymore ;)
Due to bug 23290 the tests now trigger an additional runtime error that
we should also catch to let the tests pass again.
Test plan:
Run t/db_dependent/Koha/XSLT/Security.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Test plan:
Run t/db_dependent/Koha/XSLT/Security.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Test plan:
Run it!
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This follow-up refines the change made in the former patch.
See also
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838097
https://rt.cpan.org/Public/Bug/Display.html?id=118032
We do not want to depend now on the exact LibXML version, so we will
disable expand_entities unless it is explicitly enabled via the config
variable koha_xslt_security. (Allowing us to test if bad things will be
caught.)
The options key is now always added to the Security object.
The return from set_parser_options has been removed to allow disabling when
there is no koha-conf entry (which probably is the normal situation).
Test plan:
[1] Test the first example patch with and without the other patches (excl.
the second example). Toggle expand_entities in koha-conf. Restart
Plack and flush the cache each time. Evaluate results with the
commit message of first example.
[2] Test both example patches with/without other patches.
Toggle expand_entities. Restart etc. Evaluate results with commit
message of second example (check tmp/breached.txt).
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Since libxml2 disables it now by default, we need to enable it for testing.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Until now Base did not yet use Security. The security lines are removed
from Base here by calls to Security.
A new test must be added still.
Test plan:
Ensure that t/db_dependent/XSLT_Handler.t still passes.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Also adds a temporary stub for Koha::XSLT_Handler referring to Base.
This will be removed later.
Test plan:
Run t/db_dependent/XSLT_Handler.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This is just a git move. Cannot be tested. (Easier for QA.)
The next patch adjusts paths etc. in the module.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
The problem is that administrators can provide XSLTs that
can read from the server and network and write to the server. The
This patch prevents the Koha::XSLT_Handler from running
XSLT stylesheets that call actions such as read_file, write_file,
read_net, and write_net as documented at
https://metacpan.org/pod/XML::LibXSLT#XML::LibXSLT::Security
(Previous tests suggested issues with XML external entities
causing read file like vulnerabilities but these were not
reproducible)
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
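Added example, not Koha's code and not part of these commit messages: it registers deny-all XML::LibXSLT::Security callbacks on a stylesheet and parses with expand_entities disabled, the two measures described in the commit messages above. The temporary file, the stylesheet and all variable names are constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw( tempfile );
use XML::LibXML;
use XML::LibXSLT;

# Constructed sample: a local file the stylesheet will try to pull in.
my ( $fh, $sample_path ) = tempfile( SUFFIX => '.xml', UNLINK => 1 );
print {$fh} '<secret>constructed sample data</secret>';
close $fh;

# Constructed stylesheet: document() on a local path is a read_file action.
my $xsl = <<"XSL";
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:value-of select="document('$sample_path')/secret"/>
  </xsl:template>
</xsl:stylesheet>
XSL

# Parser with entity expansion and network fetches switched off explicitly,
# so the behaviour does not depend on the installed libxml2 default.
my $parser = XML::LibXML->new( expand_entities => 0, no_network => 1 );

# One deny callback per action XML::LibXSLT::Security can intercept.
my @blocked;
my $security = XML::LibXSLT::Security->new;
for my $action (qw( read_file write_file create_dir read_net write_net )) {
    $security->register_callback(
        $action => sub {
            my ( $tctxt, $value ) = @_;    # transform context, file name or URL
            push @blocked, "$action $value";
            return 0;                      # 0 denies the action, 1 would allow it
        }
    );
}

my $stylesheet =
  XML::LibXSLT->new->parse_stylesheet( $parser->parse_string($xsl) );
$stylesheet->security_callbacks($security);

# The denied action may surface as a runtime error, so trap it.
my $output = eval {
    $stylesheet->output_as_chars(
        $stylesheet->transform( $parser->parse_string('<record/>') ) );
};
print "transform error: $@" if $@;
print "output: '", ( $output // '' ), "'\n";
print "blocked: $_\n" for @blocked;
```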
File adjust to run tests and be executed on all our codebase.
Test plan:
- Apply this patch without the other one
- run the tests
=> Several failures
- apply the other patch
- run the tests
=> Should pass now
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Bug 9978 should have fixed them all, but some were missing.
We want all the license statements part of Koha to be identical, and
using the GPLv3 statement.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Might be a rebase problem. Not sure if I look at the third patch.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
To make qa tools happy again.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch changes the database update so that the system preference is
copied to news items in all installed languages, not just those enabled
in the OPAC.
Signed-off-by: Lisette Scheer <lisettes@latahlibrary.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This follow-up uses the updates introduced by Bug 23253 as a model for
improving the display of opacheader. Adding the OpacHeader variable
allows the template to check for its existence and display some
container markup around opacheader if it exists. This will help ease the
transition for libraries who depend on the #opacheader id for styling.
To test, apply the patch and test the OPAC with an 'opacheader' item
defined. The content should be displayed on the page inside '<div
id="opacheader"></div>.'
Delete the 'opacheader' news item and reload the OPAC page. There should
no longer be an #opacheader div.
Signed-off-by: Hayley Mapley <hayleymapley@catalyst.net.nz>
Signed-off-by: Lisette Scheer <lisettes@latahlibrary.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch makes a number of improvements and ties up some loose ends
where the old system preference usage wasn't getting replaced.
- Removes news-specific code for defining the language of news
items queried for the OPAC home page. An identical language variable
is already defined globally.
Previous to this patch an 'opacheader' news item would only appear on
the OPAC home page. Now it should appear on all OPAC pages.
- Changes the database update so that 'opacheader' news
items will be inserted with a default title, matching the interface's
requirement that the title field be populated.
- The database update will also now insert the old opacheader system
preference contents into the news item for all active languages as
defined in the 'opaclanguages' system preference. This helps match
the previous behavior in which the opacheader contents were the same
for all languages.
- Adds support for the new opacheader news item to the self checkout,
self check-in, and OPAC maintenance pages.
- Updates sysprefs.t which was using the opacheader preference to test
on. I've changed it to use URLLinkText instead.
- Removes the addition of the opacheader system preference from the
installation SQL file.
Signed-off-by: Lisette Scheer <lisettes@latahlibrary.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch builds on Bug 22318 to move the opacheader system preference
into the Koha news system, making it possible to have language- and
library-specific content.
It extends the original patch by adding an option to the template plugin
specifying whether the content title should be shown (probably should be
a flag in opac_news). It also adds a wrapper div with the content
location as the ID (e.g. 'opacheader'). This will make it slightly more
backwards-compatible with CSS customizations.
To test you should have some content in the opacheader system
preference. Apply the patch and run the database update process.
- Go to the OPAC and confirm that the content which was previously in
the opacheader system preference now displays correctly where it was
before.
- In the staff client, go to Tools -> News and verify that the content
from opacheader is now stored in a news item with the location
'opacheader_en.'
- Go to Administration -> System preferences and confirm that the
opacheader preference has been removed.
Signed-off-by: Hayley Mapley <hayleymapley@catalyst.net.nz>
Signed-off-by: Hayley Mapley <hayleymapley@catalyst.net.nz>
Signed-off-by: Lisette Scheer <lisettes@latahlibrary.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Bug 15497 introduced the ability to limit item types by library.
However, the text next to the 'Library limitation' selection field on
the item type form mentions authorized values and is confusing.
The current text reads: "Select 'All libraries' if this authorized value
must be displayed all the time. Otherwise select libraries you want to
associate with this value."
This patch updates the text on the item type add or edit form for the
'Library limitation' field to something more understandable.
To test:
1) Apply the patch
2) Go to Administration > Basic parameters > Item types
3) Click 'Edit' for any item type
4) The text next to the 'Library limitation' field should now show
"Select 'All libraries' if all libraries use this item type. Otherwise,
select the specific libraries that use this item type."
5) Sign off
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch makes the Koha::Object(s) derived classes expose information
about prefetch-able relations. This is then used by a new helper to
generate the prefetch information for the DBIC query.
To test:
1. Apply this patch
2. Run:
$ kshell
k$ prove t/db_dependent/Koha/Object* \
t/db_dependent/Koha/REST/Plugin/Objects.t \
t/Koha/REST/Plugin/Query.t
=> SUCCESS: Tests pass!
3. Sign off :-D
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch adds tests for the introduced methods.
To test:
1. Run the tests :-D
=> SUCCESS: They pass!
2. Sign off :-D
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch adds the ability to compress/uncompress
translations files.
On update/install the files are uncompressed first
The only gain is to use less space.
To test:
1) Apply the patch
2) Go to misc/translator
3) Try it
$ ./translate compress fr-FR (check po/*.gz)
$ ./translate uncompress fr-FR ( check normal files)
4) Try again with verbose mode
$ ./translate compress fr-FR -v (list compressed files)
$ ./translate uncompress fr-FR -v (list uncompressed files)
5) Try update compressed files
$ ./translate compress fr-FR
$ ./translate update fr-FR (result is uncompressed)
6) Try install compressed files
$ ./translate compress fr-FR
$ ./translate install fr-FR
7) Try compress all
$ ./translate compress (add '-v' for verbose output)
8) Try uncompress all
$ ./translate uncompress (add '-v' for verbose output)
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Bouzid Fergani <bouzid.fergani@inlibro.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
$patron->{items} contains the borrowers checkouts as an array of hashes
{ barcode => $item->barcode }
When printing to log we assumed these were only barcodes
This patch pushes the current checkout as a hash and maps the values retrieved to a string
To test:
1 - Enable SIP debug mode
2 - Perform multiple checkouts for a patron
3 - Note the messages like:
koha koha_sip_koha[13575]: ILS::Checkout: patron 123 has checked out HASH(0x55a5b187f858), HASH(0x55a5b1896ad0), HASH(0x55a5b18a6cf0), 7826832
4 - Apply patch
5 - Restart all the things
6 - Do some checkouts via SIP
6 - Messages should now have barcodes
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Without it, catalogue/detail.pl dies (and probably other scripts too)
Test plan:
1. Uninstall GD, reload starman
2. Go to catalogue/detail.pl. Confirm that it dies
3. Reinstall GD, reload starman
4. Go to catalogue/detail.pl. Confirm that it works normally
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Since these operations impact on the resultset, the counts should be
saved before.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Bouzid Fergani <bouzid.fergani@inlibro.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Argument "" isn't numeric in subtraction (-) at /usr/share/koha/Koha/Patrons.pm line 290.
Coming from an empty or undefined FailedLoginAttempts.
Test plan:
Verify that Koha/Patrons.t still passes.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Bouzid Fergani <bouzid.fergani@inlibro.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
The warn must be done in the cronjob.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Followed this test plan (with two follow-ups applied):
[1] Prefs: UnsubscribeReflectionDelay=1, PatronAnonymizeDelay=2, PatronRemovalDelay=3, FailedLoginAttempts was undef
[2] Pick borrower and set expiry to NOW-2, and lock him (login_attempts=-1) Could be achieved too by setting FailedLoginAttempts and trying wrong passwords. Run cleanup job:
Locked 0 patrons
Anonymized 1 patrons
Deleted 0 patrons
[3] Pick borrower, set expiry to NOW-3. Run cleanup job:
Locked 0 patrons
Anonymized 0 patrons
Deleted 1 patrons
Signed-off-by: Bouzid Fergani <bouzid.fergani@inlibro.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
To prevent invalid values in this pref (and so on the server), we should
make this input readonly on the syspref page.
The sysprefs related to Hea should be edited from the dedicated page, so
also adding a note about that.
Test plan:
Search syspref with "UsageStats"
Notice the note about the admin page
Notice the UsageStatsGeolocation input is now readonly (and resized, to
display the whole value when filled)
Signed-off-by: Maryse Simard <maryse.simard@inlibro.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
misc/cronjobs/update_totalissues.pl when issuing statistics table, no-incremental, has a problem for biblio with multiple items.
The first SQL query gets the biblios linked to items with issues in statistics :
    SELECT biblio.biblionumber, COUNT(statistics.itemnumber)
    FROM biblio
    LEFT JOIN items
        ON (biblio.biblionumber=items.biblionumber)
    LEFT JOIN statistics
        ON (items.itemnumber=statistics.itemnumber)
    WHERE statistics.type = 'issue'
    $limit
    GROUP BY biblio.biblionumber
The second SQL query is :
    SELECT biblio.biblionumber, 0
    FROM biblio
    LEFT JOIN items
        ON (biblio.biblionumber=items.biblionumber)
    LEFT JOIN statistics
        ON (items.itemnumber=statistics.itemnumber)
    WHERE statistics.itemnumber IS NULL
    GROUP BY biblio.biblionumber
The problem is that this second query will set to 0 where ANY item has no entry in statistics table.
So when running it sets 0 to the biblio that had a value from first
query.
I think the best fix is to use "WHERE statistics.type = 'issue'" inside the JOIN :
LEFT JOIN statistics ON (items.itemnumber=statistics.itemnumber AND statistics.type = 'issue')
Test plan :
1) Begin with an empty database
2) Create a biblio 1 with no items
3) Create a biblio 2 with 3 items
4) Create a biblio 3 with 2 items
5) Checkout and checkin all items of biblio 2
6) Checkout and checkin the first item of biblio 3
7) run misc/cronjobs/update_totalissues.pl --use-stats -v
8) Check biblio 1 has biblioitems.totalissues = 0
9) Check biblio 2 has biblioitems.totalissues = 3
10) Without patch the biblio 3 has biblioitems.totalissues = 0
11) With patch the biblio 3 has biblioitems.totalissues = 1
12) Check misc/cronjobs/update_totalissues.pl --incremental is OK
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
The SIP server does not calculate and pass a priority to AddReserve, which causes the hold to be given priority 1.
Test Plan:
1) Place a hold via SIP for a record with existing holds
2) Note the new hold is top priority
3) Apply this patch
4) Restart SIP
5) Repeat step 1
6) New hold should be last priority
Signed-off-by: Christofer Zorn <Christofer.Zorn@ajaxlibrary.ca>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
To test:
1 - Set OpacPublic syspref to 'Disable'
2 - Log in to OPAC
3 - Log out
4 - Try to log in again
5 - No error, but you get the login form again
6 - Apply patch
7 - Repeat
8 - This time you can log in again
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
If the list is empty, the toolbar does not render correctly.
Buttons are displayed instead of links, also the "Sort" is displayed
when it should not
Test plan:
- Create a new list, do not add items
- Notice that the toolbar now renders correctly
- Use the different link to create/edit/delete
- Confirm that the sort link is not displayed
- Add a new item
- Confirm that the toolbar is looking the same as before
Signed-off-by: Sally <sally.healey@cheshiresharedservices.gov.uk>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
To test:
- Search Admin->System preferences for 'RoundFinesAtPayment'
- Note it is listed under self-check
- Apply patch
- Restart/refresh
- Note it is now under Accounting -> Policy
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Set the e-mail headers Mailer-X and MessageID by Koha,
to gain a better positive score from the spam filter.
To test:
1) Let Koha send an e-mail message.
2) Check the header of this e-mail message with your e-mail client.
There should be no X-Mailer header with value 'Koha'. If there
is a MessageID header, it is probably set by the MSA, e.g. Exim.
Example:
Message-Id: <E1iyZRY-0006XT-0t@FQDN>
3) Apply patch.
4) Repeat step 1.
5) Check the header of the new e-mail message with your e-mail client.
There should be an X-Mailer header with value 'Koha' and a MessageID
header with a value set by Koha.
Example:
X-Mailer: Koha
Message-Id: <15807387030.B731e.18490@FQDN>
6) Sign off.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch adds the following fields to the circ rule step in the
onboarding tool:
- holds allowed (total)
- holds allowed (daily)
- holds per record (count)
To test:
1) Apply patch, drop and recreate database, restart memcached and refresh page
2) Go through the installer and get to the final step of the onboarding
tool
3) Confirm the above fields are now available to set in your circulation
rule
4) Save and log in to Koha
5) Go to Admin -> Circ and fines rules
6) Confirm the fields saved correctly
Sponsored-by: Catalyst IT
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
When adding MARC modification template (MMT) actions, if a subfield
value of 0 (zero) is entered it will not show up in the action's
description upon saving. Also, if you try to modify an authority or
biblio record using actions that refer to subfield 0 the procedure
will fail.
This patch fixes that.
Test plan:
0) Create a MARC modification template and add some actions to it,
ideally testing all action types (Delete/Add new/Update existing
or add new/Move/Copy/Copy and replace); make sure you input a 0
(integer zero) in the text box for the subfield value(s).
1) As you save each action, observe that subfield 0 ($0) is missing
from the action description.
2) Home > Tools > Batch record modification: try to modify a
bibliographic record using the modification template you just created.
Observe that you get an error in the system logs if you click on
'Show MARC' or 'Modify selected records'.
3) Apply the patch.
4) Repeat steps 0-2. The subfield value ($0) should be displayed in
the action description and the Batch record modification should
work without problems.
Signed-off-by: Lisette Scheer <lisettes@latahlibrary.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
The unit tests related to MARC modification templates need to be
updated with extra tests specific to actions involving subfield 0.
Test plan:
0) Apply the patch.
1) Run the updated unit tests, they should pass without any errors:
$ prove t/SimpleMARC.t
$ prove t/db_dependent/MarcModificationTemplates.t
Signed-off-by: Lisette Scheer <lisettes@latahlibrary.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
It was noted, that 'sub fund' might be a better term to use than
'child fund'. So this patch changes it.
To test, check with and without patch:
- Add a budget in acquisitions
- Add a fund in acquisitions
- Add a sub/child fund to your fund (label of menu item #1)
- Edit your first fund, check option to update owners of
sub/child funds (#2)
- Try to delete your 'parent' fund (tooltip #3)
- Click on the greyed out entry (alert #4)
If you like the change, please sign-off. If you think otherwise,
please comment on the bug report.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>