Those files appear unmaintained and unusable with current
Koha and should be removed.
It appears at some point there was work done on a feature
to send SMS messages to a phone number using a form in
the tools area.
This has never been documented, files and git history
make it look like work remained unfinished.
sms/sms_listen_windows_start.pl
- targeted for Windows, which is not supported by Koha
00-strict.t
- reference to sms removed
sms/sms_listen.pl
- refers to a table sms_messages that doesn't exist
- uses getmember() that doesn't exist
sms/sms.pl
- script calls routines that no longer exist in SMS.pm
error_codes(), parse_phone(), write_sms()
- template sms-home.tt is not accessible from anywhere
in the templates
sms-home.tt
- see sms/sms.pl
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Makes sense. 00-strict.t runs OK after applying the patch.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Fixed whitespace for QA tools
Added a verbose note when template found
Only print 'Modifying MARC' if verbose
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
When importing large numbers of MARC records from a legacy LMS to Koha
using bulkmarcimport.pl, it did not make use of the MARC modification
templates in the system (which can be useful for conversion of 852
fields to 952 fields for item holdings for example). This patch allows
MARC modification templates to be used with bulkmarcimport.pl.
To test:
1) Apply patch.
2) Set up a MARC modification template (in Home > Tools > MARC
modification templates) to make some changes to imported MARC
records (for example copy a subfield).
3) Take a test set of MARC records that have fields matching the
template and import them using the bulkmarcimport.pl tool. For example
if these MARC records are in testrecords.mrc and the MARC modification
template is called testtemplate use something like:
perl misc/migration_tools/bulkmarcimport.pl -commit 1000 \
-file testrecords.mrc -marcmodtemplate testtemplate
4) Check the imported records in Koha to see that the required
modifications have been applied when the MARC records are imported.
5) Sign off.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
It seems better to display the warning if the user tries to enter too
many characters in the input.
Test plan:
With max=16
1. Copy/paste a string with 15, 16 and 17 characters
2. Enter a cardnumber of 15, 16, 17 characters
The warning should be displayed only if the input overflows
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch displays a message if the user tries to enter more than the
max number of characters for a cardnumber.
To test:
1) Apply patch and go to Patrons -> New patron
2) Scroll down to Card number
3) Put in any characters. Notice that when you have entered the max
number of characters, you are unable to type any more.
4) Click out of the text field (so it loses focus), the error message will show up.
5) If you backspace some characters and click out of the text field
again, the message should disappear
Sponsored-by: Catalyst IT
Followed test plan, works as expected
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
($max is the value of the max size of a card number)
- $max not hardcoded anymore in C4::Members
- $max now correctly adapts to the field of cardnumber in database
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan
1 - Apply patch
2 - Run updatedatabase.pl
3 - Update dbix scheme
4 - set the value of CardnumberLength to a value between 16 and 32
5 - Check you can enter a proper cardnumber
(modify to 32 instead of 20)
+ max value now depends on the database field value to
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To test:
1) Apply bug 19214 and bug 19215 to fix other issues with patron clubs
2) Create a club template that DOES NOT allow public enrollment
3) Create a club, enrol a user
4) Log in as that user to the OPAC
5) Go to 'your summary' and click the Clubs tab
6) Notice the broken table with empty column
7) Edit the club template to allow public enrollment
8) Notice the table is fixed - so this bug is just when the club does
not allow public enrollment
9) Apply the patch
10) Edit the club template to NOT ALLOW public enrollment
11) Confirm the table in the OPAC is now fixed and does not leave an
empty column
Sponsored-by: Catalyst IT
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
If the error code is not known or empty, provide the message too.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Tested this by adding a die on shelves.pl line 180 (my $added = eval ..)
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To test:
1) Apply patch and go to Lists
2) Click on an existing list or create a new list
3) Add items by barcode, confirm this functionality still works
4) Trigger error messages (adding duplicate barcodes, barcodes that
don't exist) to confirm they still show as appropriate
5) Test adding by biblionumber, confirm this works as expected
6) Trigger error messages (adding duplicate biblionumbers, biblionumbers
that don't exist). Confirm wording is appropriate in messages.
7) Add both barcodes and biblionumbers at the same time, confirm this
works as expected
Sponsored-by: Catalyst IT
Signed-off-by: Israelex A Veleña for KohaCon17 <israelex19@gmail.com>
Signed-off-by: Israelex A Veleña for KohaCon17 <israelex19@gmail.com>
Signed-off-by: Harold <harold.sabanal@gmail.com>
Signed-off-by: macon lauren KohaCon2017 <caballeromaricon@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Bug 17214: [FOLLOW-UP] Using Koha::Biblios instead of GetBiblio
Ready to test
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch contains the CSS file compiled from LESS.
Signed-off-by: Hugo Agud <hagud@orex.es>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
RM note: opac.css regenerated before push:
lessc --clean-css="--s0 --advanced --compatibility=ie7" bootstrap/less/opac.less > bootstrap/css/opac.css
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch:
- hides the dashboard if there is no dashboard information to display
- changes '5.00 due' to '5.00 due in fines and charges' for translation
- uses Koha::Holds in place of deprecated C4::Reserves methods
To test, confirm all the right information for holds still shows, and
confirm the dashboard is hidden if there are no checkouts, holds, fines
or overdues.
Signed-off-by: Hugo Agud <hagud@orex.es>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds some additional markup for applying styles to and the
corresponding CSS.
Also modified: Links to opac-user.pl should now open the correct tab.
To test, apply the patch and compile the modified LESS file. Clear your
browser cache if necessary. Follow the original test plan and confirm
that the revised links work correctly.
Signed-off-by: Hugo Agud <hagud@orex.es>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds a summary to the OPAC once the user has logged in that
shows the user's number of checkouts, overdues, holds pending, holds
waiting and total fines. We also have a syspref OPACUserSummary to turn
this feature on and off. Default is ON.
To test:
1) Apply patch and update database
2) Set up some checkouts, overdues, holds pending AND waiting and fines
for a user
3) Log into OPAC as that user, see summary. Confirm links all work as
expected
4) Confirm that if there are no checkouts / overdues etc that the link
disappears from the summary
5) Turn OPACUserSummary OFF and confirm the summary does not show on the
mainpage.
Sponsored-by: Catalyst IT
Signed-off-by: Hugo Agud <hagud@orex.es>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
[1] Replace corrosponding => corresponding
[2] Replace containts => contains
[3] Replace item_level-itypes => item-level_itypes
[4] Replace Managment => Management
[5] Replace should returns => should return
Test plan:
Note that this patch only deals with POD lines or test descriptions.
So there is nothing to test, just read the patch.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Patch amended by RM: The release notes should not be modified
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The crash is caused by comparing two datetimes where one datetime is
floating and the other one was not. In that case the floating is
converted. Note too that DateTime overloads comparison operators.
This patch clones the two dates first. Puts them in floating both. And
just after that starts comparing etc.
Similar small change in hours_between.
Adding a test where the parameters are swapped for days_between.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To test:
1 - Set TZ to America/New_York
2 - Checkout item and set due date to '2016-03-09 02:29:00'
3 - Make sure fines are set for the item type, fine mode production,
calculate fines on return
4 - Check in item - invalid date time warning in logs
5 - Apply patch
6 - Check in item - no error
7 - prove t/Calendar.t
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Bug 9031: Use floating instead of UTC
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Squashed the changes for Calendar.pm; will add a follow-up to finally
overcome the crash on Invalid local time.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
We do not need to change $ENV{TZ} or call tzset.
Pass $tz too for the second date.
Replace checking the datetime hash by delta calls.
Replacing the number of minutes.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
We will still crash with:
Invalid local time for date in time zone: America/New_York
But the changes in Calendar.pm will now resolve that.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Without the patch for Calendar.pm, this crashes on:
Invalid local time for date in time zone: America/New_York
But even with the original change to Calendar.pm, I would see:
Invalid local time for date in time zone: Europe/Amsterdam
Adding a follow-up for that.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
If someone decides to reuse the template->param statement to pass values
to the template, we will get the same issue.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
If you click Submit on the staff home page without entering a cardnumber, you will find these warnings in the log:
Problem = a value of override_high_holds has been passed to param without key at /usr/share/koha/masterclone/C4/Templates.pm line 137.
Problem = a value of nopermission has been passed to param without key at /usr/share/koha/masterclone/C4/Templates.pm line 137.
Use of uninitialized value $val in concatenation (.) or string at /usr/share/koha/masterclone/C4/Templates.pm line 137.
Problem = a value of has been passed to param without key at /usr/share/koha/masterclone/C4/Templates.pm line 137.
Cause is this call to $template->param:
$template->param(
    CircAutocompl       => C4::Context->preference("CircAutocompl"),
    debarments          => GetDebarments({ borrowernumber => $borrowernumber }),
    todaysdate          => output_pref( { dt => dt_from_string()->set(hour => 23)->set(minute => 59), dateformat => 'sql' } ),
    has_modifications   => $has_modifications,
    override_high_holds => $override_high_holds,
    nopermission        => scalar $query->param('nopermission'),
);
In this specific case GetDebarments returns undef in list context (empty list),
so all items in the list shift one place.
Either we should force GetDebarments to return []; or we force scalar context in a construction like this. This patch does the last thing.
Note: The calls in memberentry.pl and moremember.pl are not affected.
Test plan:
[1] Do not apply. Click Submit without cardnumber. Check the log.
[2] Apply. Click Submit again without cardnumber. Check log.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds unit tests for the introduced changes in
build_query_compat.
It removes a warning too.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To test:
1 - Enable suppression
2 - Suppress some records
3 - Apply all the patches
4 - Reindex ES
5 - Search and don't get suppressed records
6 - Disable suppression
7 - Search and get all the records
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To test:
OPAC: Both SearchEngine "Elasticsearch" and "Zebra" should work with
OpacSuppression set to "yes"
NB: OPAC suppression is not implemented for Elasticsearch
Signed-off-by: David Bourgault <david.bourgault@inlibro.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
TEST PLAN
----------
1/ configure a working 'GoogleOpenIDConnect' account
See comment #5 which also links back to
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16892#c3
2/ set 'OpacPublic' (under OPAC) to 'Disabled' and
'GoogleOpenIDConnect' (under Administration) to 'Yes'.
3/ log in user successfully via google-auth, observe redirect to
opac-user.pl (bad)
4/ apply patch
-- on kohadevbox remember to restart all! Plack is unforgiving. :)
5/ log in user successfully via google-auth, observe expected
redirect to opac-main.pl (good)
While I would normally suggest running koha qa test tools, because
this file doesn't end in .pl, it doesn't get picked up by them.
6/ perlcritic -4 opac/svc/auth/googleopenidconnect
-- notice this is a level better than required. :)
This also eyeballs easily well.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Patch applies and functions as described. I agree with you that importing NULL itemtypes is possible Marcel. A higher importance level makes sense.
Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
If the logged-in patron does not have the necessary permission we should
not redirect to circulation.pl but to moremember.pl instead
Test plan:
With the borrowers permission, you should be able to edit a patron and
be redirected to the moremember page
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Regression introduced by bug
commit 141200794d
Bug 15295: Koha::Libraries - Remove GetBranchCategories
The intranet advanced search page offers to search for groups of
libraries, even if the pull down is empty as no library groups have
been defined.
Test plan:
- Go to the adv search page at the intranet
- Without library group you must not see the "Groups of libraries"
dropdown list
- With at least a library group you must see it
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The "does not match" condition does not behave as expected.
We want it to process the action if the subfield exists and that the
value does not match a given pattern.
Test plan:
Be creative and write different template actions using the "does not
match" condition.
Using the "Batch record modification" and the "Show MARC" popup, confirm
that the processed record is the one you are expecting.
Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Message pops up for all instances of cloning now.
Works as expected.
Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch introduces a Javascript security question which is displayed
to the user when they try to clone a circulation rule to a specific
branch when the rule is a 'Standard rule for all libraries'
The rationale for this patch is when the cloning takes place it
overwrites the existing rules of the destination branch and there is no
notification of this to the user. Therefore by implementing this patch
the user is asked if they want to clone the rule (if the rule is
standard across all libraries) and are told that it
will overwrite the rules in the destination branch.
Test plan:
1. Create a circulation rule for all libraries
2. Make sure the 'select a library' option is set to 'Standard rules for all
libraries'
3. Click the 'Clone' button and notice that the cloning takes place
without any warning that it will overwrite the rules of the destination
branch
4. Apply patch
5. Return to the circulation and fine rules page
6. Repeat step 2
7. Click the clone button and notice an alert box appears asking if you
are sure you want to clone the standard rule to the destination branch.
Note: The name of the destination branch is included in the alert.
Also note that the user is informed of the consequences of performing
the action, i.e. that it will overwrite the existing rules in the
destination branch
8. Click 'Cancel' and notice that no cloning occurs
9. Click the clone button again and this time click 'OK' and notice
that the cloning takes place
10. Return to the Circulation and fine rules page and set the 'Select a
library' option to the name of an individual branch
11. Click the clone button and notice that the clone action takes place
Sponsored-By: Catalyst IT
Signed-off-by: David Bourgault <david.bourgault@inlibro.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The form provided on top of the page if Koha finds a duplicate
patron is not closed. This causes some trouble.
Test plan:
- Edit the syspref IntranetUserJS and type the following code:
"$(document).ready(function() {
$("#memberentry_library_management").insertBefore("#memberentry_identity");
});"
- create a patron so that Koha will warn you about a duplicate one,
- click on "Not a duplicate. Save as new record",
- you should get error(s) about empty field(s).
Note that now, the library management part's fields are empty or
reset to default
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
There are several ways to mark an item as lost:
- item list view (catalogue/moredetail.pl, "Items" tab)
- cataloguing (cataloguing/additem.pl)
- Batch item modification tools (tools/batchMod.pl)
- The long overdue cronjob (misc/cronjobs/longoverdue.pl)
So far only the cronjob is configurable, the others mark the item as
returned (does the checkin).
This behaviour should be controllable using a syspref, to let libraries
choose what fits best for them.
Test plan:
Use the 2 options of the pref, mark checked out items as lost using the
different possibilities, and confirm that the behaviours make sense to
you
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Patch applies and functions as described.
Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
While editing a record in the staff client, if you clone a repeatable
dropdown subfield the cloned subfield's tag is empty. This can result
in data loss if the record is saved, re-opened, and saved yet again.
This patch (originally written by Sophie MEYNIEUX for bug 17818) fixes that.
Test plan:
0) [PREREQUISITE] In your MARC framework (Home > Administration > MARC
bibliographic framework) ensure that you have at least one subfield
of a particular tag linked to an authorised value (e.g. in UNIMARC,
tag 700 subfield 4 is 'Relator Code' and can be linked to CCODE for
testing purposes). This is so that the relevant subfield will be a
dropdown menu and not a textbox.
1) In the Staff Client, edit an existing record or create a new one.
Then, try to clone any subfield that is a dropdown menu. Observe
that the cloned subfield's tag is empty.
2) Apply the patch.
3) Hit CTRL-F5 in your browser (to ensure cataloging.js is re-loaded)
and try to clone a dropdown menu subfield again. This time the tag
is cloned as well.
Working as intended.
Signed-off-by: Simon Pouchol <simon.pouchol@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
https://bugs.koha-community.org/show_bug.cgi?id=16503
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Security bug, trivial changes, no need to provide procedure for script
kiddies.
Test plan:
Pay fines using the different options from the "Pay fines" tab.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Follow the test plan in comment #20.
Also tweaked string, because it was really 'or' before too.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amended text in added comment.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
From the plack-error.log:
CGI::param called in list context from package CGI::Compile::ROOT::usr_share_koha_masterclone_opac_opac_2dpassword_2drecovery_2epl line 129, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 436.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
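As an added example (not Koha's code), the following script reproduces both pitfalls described on this page with constructed stand-ins: the GetDebarments call that returns an empty list in list context and shifts every key/value pair after it, and the CGI::param-in-list-context warning, where a request carrying two values for one name injects a caller-controlled key. Names such as get_debarments, FakeQuery, build_params_unsafe and build_params_safe are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not Koha code): how a list-returning call inside a
# hash-style argument list shifts every key/value pair that follows it.
use strict;
use warnings;

# Stand-in for GetDebarments. A bare "return;" yields undef in scalar
# context but an EMPTY LIST in list context (unlike "return undef;",
# which would yield a one-element list).
sub get_debarments {
    my ($args) = @_;
    return if $args->{borrowernumber} == 1;     # patron 1 has no debarments
    return [ { type => 'MANUAL' } ];
}

# Stand-in for a CGI-like query object: param() in list context returns
# every value sent for the name, in scalar context only the first.
package FakeQuery;
sub new   { my ($class, %p) = @_; return bless { p => \%p }, $class }
sub param {
    my ($self, $name) = @_;
    my @vals = @{ $self->{p}{$name} || [] };
    return wantarray ? @vals : $vals[0];
}
package main;

# Mirrors the $template->param(...) call from the bug report: each call
# sits in list context because => only builds a flat list.
sub build_params_unsafe {
    my ($query, $borrowernumber) = @_;
    my %p = (
        debarments          => get_debarments({ borrowernumber => $borrowernumber }),
        override_high_holds => 1,
        nopermission        => $query->param('nopermission'),
    );
    return \%p;
}

# The fix applied by the patch: force scalar context on each call.
sub build_params_safe {
    my ($query, $borrowernumber) = @_;
    my %p = (
        debarments          => scalar get_debarments({ borrowernumber => $borrowernumber }),
        override_high_holds => 1,
        nopermission        => scalar $query->param('nopermission'),
    );
    return \%p;
}

sub show {
    my ($label, $h) = @_;
    print "$label\n";
    printf "  %-20s => %s\n", $_, defined $h->{$_} ? $h->{$_} : 'undef'
        for sort keys %$h;
}

# Request with no nopermission value (the "Submit without cardnumber" case).
my $empty = FakeQuery->new();
show('unsafe, no param:', build_params_unsafe($empty, 1));
# prints: 1 => nopermission, debarments => override_high_holds (keys shifted)
show('safe, no param:',   build_params_safe($empty, 1));
# prints: debarments => undef, nopermission => undef, override_high_holds => 1

# Constructed request carrying two values for nopermission, the multi-valued
# case CGI.pm warns about: the extra value becomes a caller-controlled key.
my $multi = FakeQuery->new(nopermission => [ 'x', 'injected_key' ]);
show('unsafe, two values:', build_params_unsafe($multi, 2));
show('safe, two values:',   build_params_safe($multi, 2));
```

The unsafe two-value run also emits Perl's "Odd number of elements in hash assignment" warning, which is the same symptom as the "passed to param without key" lines in the log above.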
TEST PLAN
---------
It is assumed you have set the OpacResetPassword to 'allowed',
and likely in combination with OpacPasswordChange to 'Allowed'.
You will have two patrons: one with and another without
any email address entered. You will want to test this test plan
with both patrons.
$ git checkout -b bug_18956 origin/master
Prepend the following as understood between step sections:
opac -> forgot password and then enter...
correct login/cardnumber, it will email
delete from borrower_password_recovery;
correct email, it will email
delete from borrower_password_recovery;
correct login/cardnumber && correct email, it will email
delete from borrower_password_recovery;
wrong login/cardnumber && correct email, error page as expected
delete from borrower_password_recovery;
correct login/cardnumber && wrong email, error page as expected
delete from borrower_password_recovery;
wrong login/cardnumber && wrong email, error page as expected
delete from borrower_password_recovery;
submit empty -- INTERNAL SERVER ERROR?!
delete from borrower_password_recovery;
-- None of the above step sections displayed email.
correct login/cardnumber, it will email
correct login/cardnumber again, but it leaks email address!
delete from borrower_password_recovery;
correct email, it will email
correct email again, but it leaks login/cardnumber!
delete from borrower_password_recovery;
$ git bz apply 18956
-- choose interactive, and choose this counter patch.
repeat the same test set again
-- no leaks will occur, error message pages returned should
be reasonable, code should read reasonably.
run koha qa test tools.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
category is sent back to the template, it must be escaped
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>