Commit graph

32 commits

Author SHA1 Message Date
Julian Maurice
96cc447045 Bug 25898: Prohibit indirect object notation
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-10-15 12:56:30 +02:00
4452036d1c
Bug 25009: Avoid leakages in opac-showmarc.pl
This patch cleans opac-showmarc.pl so it doesn't allow retrieving
records from import batches without requiring any permissions in the
OPAC.

it does so by just removing the code portion that does that.

It also cleans the record fetch operation and how the record processor
is initialized to it actually works :-D

To test:
1. Perform a successful Z39.50 search in cataloguing (this fetches 20
   records usually)
2. Query your DB for a valid import_record_id:
  $ koha-mysql kohadev
  > SELECT * FROM import_records LIMIT 1;
3. Notice some of the MARCXML details (title, author, etc), and the
   import_record_id
4. Point your browser to the opac-showmarc.pl URL like this:
   http://kohadev.mydnsname.org:8080/cgi-bin/koha/opac-showmarc.pl?importid=20
=> FAIL: You get the record! (Bonus: no field/subfield takes place)
5. Hide some obvious subfield on the framework for a known (to you)
   biblionumber
6. Point your browser to:
   http://kohadev.mydnsname.org:8080/cgi-bin/koha/opac-showmarc.pl?id=<biblionumber_here>
=> FAIL: No filtering takes place
7. Apply this patch
8. Repeat 4
=> SUCCESS: You get an error because you did a bad request (no id param)
9. Repeat 6
=> SUCCESS: Subfield filtering actually works!
10. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-04-27 10:44:10 +01:00
Mark Tompsett
9a76781f9e Bug 20083: (follow-up) use same logic in opac-showmarc
It was correctly pointed out that opac-showmarc would leak
the same way as catalogue/showmarc.pl, and so this patch
moves the authentication step up to the top where it
should be so as to prevent inappropriate data leaks.

TEST PLAN
---------
1) Set your OpacPublic system preference to Disabled
2) Open your OPAC and login
3) Find a biblio with items
4) Go to the opac details, particularly MARC view.
5) Copy the "view plain" shortcut link.
6) log out.
7) Paste the link into the address bar.
   -- the information will leak!
8) apply the patch
9) restart_all
10) Refresh the OPAC link
    -- log in screen will appear.
11) run koha qa test tools

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-04 15:45:34 -03:00
e9e5f3d380 Bug 19569: Set X-Frame-Options=SAMEORIGIN - opac-showmarc.ok
Before and after:
wget 'http://catalogue.kohadev.org/cgi-bin/koha/opac-showmarc.pl?id=1&viewas=html'
must be the same

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-01-09 17:23:14 -03:00
Mark Tompsett
d5986c9b97 Bug 19040: Refactor GetMarcBiblio parameters
Change parameters to a hashref.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Looks good to me.
Two calls in migration_tools/22_to_30 still in old style.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-25 10:23:42 -03:00
39487d634e Bug 11592: (QA followup) Add missing framework code to ViewPolicy filter calls
This patch adds the frameworkcode option param, using each record's frameworkcode
as expected by the filter. Otherwise the ViewPolicy filter falls back to the
default framework.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-08 11:54:22 +00:00
ea27569334 Bug 11592: (QA followup) Simplify code
Koha::RecordProcessor and the defined filters are supposed to bring us
joy and happiness. Let's keep the code compact, simple and clean.

This patch removes record cloning all over the place.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-08 11:54:22 +00:00
Mark Tompsett
6cbae9c3cb Bug 11592: Applying filtering to opac interface.
Applying the filtering and then...
Debugging opac/opac-detail.pl filtering
Debugging opac/opac-ISBDdetail.pl more
Debugging opac/opac-export.pl
Tweak opac/opac-export.pl fix variable declarations, conditional assignments
Debugging opac/opac-showmarc.pl

https://bugs.koha-community.org/show_bug.cgi?id=11592

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-08 11:54:21 +00:00
Mark Tompsett
16f74b546e Bug 11592: Updated License Text and use Modern::Perl
Why not clean up the License Agreement stuff while the files
are being changed? Used the current one found at:
http://wiki.koha-community.org/wiki/Coding_Guidelines#Licence

Changed the strict and warning lines into just a Modern::Perl.

Signed-off-by: Robin Sheat <robin@catalyst.net.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-08 11:52:11 +00:00
Jonathan Druart
e20270fec4 Bug 11944: use CGI( -utf8 ) everywhere
Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-01-13 13:07:21 -03:00
3cbf754702 Bug 13170 Remove of prog theme broke the OPAC's "view plain" option for MARC details
In the OPAC if you view the MARC details for a title (and have
OPACXSLTDetailsDisplay enabled) there is a "view plain" link which displays the
output of opac-showmarc.pl. This is broken in master: fixed by this patch.

Test plan:

(1) Set OPACXSLTDetailsDisplay to default
(2) Do a search on OPAC, then display a specific biblio record
(3) Click on MARC view tab. Then click on 'view plain' link. Nothing is
    displayed.
(4) Apply the patch. And refresh the MARC detail page.
(5) Click on 'view plain' link. Check that a plain text MARC record is
    displayed.

Signed-off-by: Chris <chris@bigballofwax.co.nz>

Note: This makes a small change to C4::Templates::themelanguage so that
it works with .xsl files too (They live in the xslt dir)

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>

Works as described, passes tests and QA script.

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-11-04 18:52:53 -03:00
afd2418d73 Bug 11349: Change .tmpl -> .tt in scripts using templates
Since we switched to Template Toolkit we don't need to stick with the
sufix we used for HTML::Template::Pro.

This patch changes the occurences of '.tmpl' in favour of '.tt'.

To test:
- Apply the patch
- Install koha, and verify that every page can be accesed

Regards
To+

P.S. a followup will remove the glue code.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-07-17 11:05:49 -03:00
Julian Maurice
a0c17a8c3a Bug 12237: Remove the "horrible hack" in C4::Templates
Use C4::Languages::getlanguage() instead of
C4::Templates::_current_language()

Test plan:
1/ Set one of the 4 XSLT sysprefs to 'default'
2/ Go to the corresponding page
3/ Switch language and check that the right XSLT is used
4/ Set the same syspref to something with '{langcode}' in it. For
example:
"../koha-tmpl/opac-tmpl/bootstrap/{langcode}/xslt/UNIMARCslim2OPACDetail.xsl"
5/ Go back to the corresponding page
6/ Switch language and check that the right XSLT is used
7/ Change a compact.xsl for a language (for example
koha-tmpl/intranet-tmpl/prog/fr-FR/xslt/compact.xsl) to be able to see
differences
8/ Go to a biblio detail page in staff interface and click on "MARC
Preview: Show"
9/ Close the popup, switch language and click again on the same link
10/ Check that the correct XSLT is used.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Works as described following test plan.
No koha-qa errors

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
No problems found, passes tests and QA script.

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-07-03 10:34:11 -03:00
3bcc032181 Bug 11826: Use XSLT handler object in showmarc, Record.pm
Modifies showmarc and opac-showmarc to use new XSLT handler.
Removes cardview.pl as obsolete script.
Modifies C4/Record.pm and a typo in the test Record.t.

Test plan:
[1] catalogue/showmarc: Go to Cataloging. Search. Click Card.
[2] opac-showmarc: Go to opac detail, MARC view.
    Open URL for plain view in new tab.
    Change URL: Change viewas=html to viewas=card
[3] Verify that there are no references in the codebase to cardview.pl
[4] C4/Record.pm: Run the Record.t test in db_dependent.
    This test uses marc2modsxml, triggering the change.
    Additional: export to MODS from opac-detail.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Views Ok. Test pass. No more cardview. No koha-qa errors

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-05-26 03:52:45 +00:00
Magnus Enger
b4f5fee48c Bug 10647 - Make OPAC MARC plain view work for all flavours of MARC
On "MARC view" in the OPAC, clicking on "Plain view" does not work
for UNIMARC and NORMARC.

To test:
- Make sure you have a UNIMARC or NORMARC setup
- Go to the "MARC view" of a record in the OPAC
- Click on "view plain" and observe the "Sorry, plain view is
  temporarily unavailable." error message
- Apply the patch
- Click on "view plain" and observe that a plain view of the MARC
  record is now displayed
- Sign off

I have only tested this on NORMARC, it might be good if someone
can test on UNIMARC.

Updated 2014-03-13: Incoroprates changes suggested by Marcel.
Test plan is the same as before.

Updated 2014-03-13: Tested in my UNIMARC system.
toggled opactheme to all three values, with OPACXSLTDetailsDisplay
and OPACXSLTResultsDisplay both set to default.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Tested with MARC21 and UNIMARC, passes all tests and QA script.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-03-14 14:50:13 +00:00
80bcbd7989 Bug 11329: Check for MARC record existence in opac-showmarc
Instead of just running as_formatted, check if GetMarcBiblio returned
a reference. If you e.g. did not pass an id, return 404 instead of 500.
Consistent with opac-export.pl

Test plan:
[1] Run opac-showmarc.pl with valid biblionumber in id parameter.
[2] Remove id parameter from URL. You should get a 404 now.

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-01-17 15:26:35 +00:00
8129680afd Bug 9570 - view plain not working in ccsr
The code in opac-showmarc.pl isn't smart enough to find the xsl files in
the "default" (prog) theme if the ccsr theme is enabled, so the "view
plain" option on opac-MARCdetail.pl fails ever time.

This patch copies some path-handling code from XSLT.pm to improve xsl
file path handling when dealing with a "sub-theme."

To test, view the MARC view in the OPAC and click the "view plain" link.
This should work correctly in prog and ccsr themes and with different
languages enabled (keeping in mind the ccsr theme will fail in general
for languages other than en).

Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Checked plain view works in both prog and ccsr themes now.
All tests and QA script pass.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-03-07 09:33:57 -05:00
8c6da900f4 Bug 8872: Changes for opac-showmarc
Simplifies template (eliminating opac-bottom include).
Makes encoding for card and html view more consistent with approach in Templates module.
Rearranges a few lines in script for consistency and performance.

Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Passed-QA-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2012-11-06 07:29:01 -05:00
Jared Camins-Esakov
3739e6bd67 Bug 3652: close XSS vulnerabilities on biblionumber and authid
Previously we did not sanitize biblionumber and authids passed in by
the user.

To test:
1) Go to /cgi-bin/koha/opac-detail.pl?biblionumber=2hi (substituting a
   valid biblionumber for the 2).
2) Notice the presence of "2hi" on this page, and also on the ISBD and
   MARC views.
3) Go to /cgi-bin/koha/opac-authoritiesdetail.pl?authid=2bye
   (substituting a valid authid for the 2).
4) Notice the presence of "2bye" on this page.
3) Apply patch.
4) Notice that "2hi" and "2bye" strings are gone.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-10-24 15:23:50 +02:00
Chris Cormack
6f3123bbc6 Bug 6679 :[SIGNED-OFF] Fixing some perlcritic violations in the opac
signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
2012-04-10 13:45:00 +02:00
Maxime Pelletier
030fe0570f Bug 6972: Hardcoded template paths to en in showmarc
Couldn't help but reformat the indentation a bit.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Card view works correctly in cataloguing search.
Plain view/labelled show correctly in OPAC.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Fixing merge conflict.
2011-10-20 01:48:52 +13:00
a7d0255f19 Bug 6996: Encoding problem in opac-showmarc
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
No more encoding problems spotted.

Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-10-19 16:39:07 +13:00
Mason James
f46b03cf2d Bug 4289: 'OpacPublic' feature
applied to git tag 'v3.02.00-rc'

Frédéric Demians:

  - Rebased this patch to HEAD
  - Solved a merge conflict
  - The patch works as described here:
    http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=4289

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Jared Camins-Esakov <jcamins@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-01-19 14:30:34 +13:00
Chris Cormack
1729177587 Bug 5106: Tidy up code in opac-showmarc.pl 2010-12-21 17:12:49 +13:00
3f0eeb9c28 Proposed fix for Bug 5106 - Simplify MARC view choices in the OPAC (Conflict marker fix 2nd try)
- Eliminates the "Extended MARC View" tab
- Points the "MARC View" tab to opac-MARCDetail.pl as it is when XSLT is off
- Offers a "view plain" link on opac-MARCDetail.pl. Clicking this link
  replaces the standard labeled MARC view with an unformatted view similar to the
  one displayed in the pop-up modal MARC view.
- When viewing the "plain view," clicking the "view labeled" link will return
  you to the standard labeled MARC view.
- Adds a new XSL file for displaying MARC data in a slightly-more-formatted
  manner (compared to one big <pre></pre> block).

Removed a conflict marker line from Owen's patch (Marcel).

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2010-12-21 17:01:33 +13:00
ce5e2429db fixing various links to point to *.koha-community.org
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-10-21 22:08:24 -04:00
6f14921479 Fix for Bug 4884, opac-showmarc.pl can't find compact.xsl
This patch implements Fridolyn SOMERS' suggested change
to the .xsl file path but copies compact.xsl from the
intranet template dir and points to that instead.

Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-06-23 22:46:58 -04:00
Lars Wirzenius
873a3cb9bc Fix FSF address in directory opac/
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-03-16 20:17:54 -04:00
Garry Collum
1ab0497f7e Bug 2505: Enabled warnings in opac-serial-issues.pl and opac-showmarc.pl
Enabled warnings and also fixed resulting 'unintialized value' warning in opac-showmarc.pl.

Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2009-08-09 15:15:10 -04:00
Galen Charlton
083e8d9a06 remove superfluous retrieval of $ENV{'REMOTE_USER'}
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
2008-12-05 16:03:43 -06:00
Joe Atzberger
6e53a31357 Bug #2429, bad HTML from unclosed <head>.
Also some cleanup of opac-showmarc script including removing bogus
dependencies (DBI, CGI methods).  Should consider using C4::XSLT if
applicable.

Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
2008-08-19 13:40:18 -05:00
Joshua Ferraro
faa9a39694 adding famfamfam iconset, improving isbn for amazon content, etc.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-04-07 21:20:22 -05:00