Commit graph

812 commits

Author SHA1 Message Date
Aleisha Amohia
b56c19528e Bug 19258: Prevent warn when reversing a payment
The following warn is triggered when I click the Reverse button next to
an individual payment on the Account tab:
CGI::param called in list context from package
CGI::Compile::ROOT::home_vagrant_kohaclone_members_boraccount_2epl line
63, this can lead to vulnerabilities. See the warning in "Fetching the
value or values of a single named parameter" at /usr/share/perl5/CGI.pm
line 436.

To test:
1) Go to a members detail page in staff side, create a manual invoice,
pay it
2) Go to the Account tab, click Reverse next to the payment you just
made
3) Notice warns
4) Apply patch and repeat steps 1 & 2
5) Warns should be gone

Sponsored-by: Catalyst IT

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-07 14:39:09 -03:00
Aleisha Amohia
ddf494b18f Bug 19258: Preventing warns when paying a fine or charge from Pay selected button
The following warns are triggered when I click the Pay selected button:
CGI::param called in list context from package
CGI::Compile::ROOT::home_vagrant_kohaclone_members_pay_2epl line 267,
this can lead to vulnerabilities. See the warning in "Fetching the
value or values of a single named parameter" at
usr/share/perl5/CGI.pm line 436.
CGI::param called in list context from package
CGI::Compile::ROOT::home_vagrant_kohaclone_members_pay_2epl line
273, this can lead to vulnerabilities. See the warning in "Fetching
the value or values of a single named parameter" at
/usr/share/perl5/CGI.pm line 436.

To test:
1) Go to a members detail page in staff side and create a manual
invoice
2) Go to the pay fines tab, select the fine you just created and click
Pay selected
3) Notice warns
4) Apply patch and repeat steps 1 & 2
5) Warns should be gone

Sponsored-by: Catalyst IT

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-07 14:39:09 -03:00
Aleisha Amohia
693cc1122b Bug 19258: Prevent warns when writing off an individual fine
The following warns are triggered when I click the Write Off button next
to an individual fine or charge:
CGI::param called in list context from package
CGI::Compile::ROOT::home_vagrant_kohaclone_members_pay_2epl line 171,
this can lead to vulnerabilities. See the warning in "Fetching the
value or values of a single named parameter" at
/usr/share/perl5/CGI.pm line 436. (this shows many times)
Use of uninitialized value in subroutine entry at
/usr/share/perl5/URI/Escape.pm line 184.

To test:
1) Go to a members detail page in staff side and create a manual
invoice
2) Go to the pay fines tab, click the Write off button next to the
invoice you just created
3) Notice warns
4) Apply patch and repeat steps 1 & 2
5) Warns should be gone

Sponsored-by: Catalyst IT

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-07 14:39:09 -03:00
Aleisha Amohia
9ffda7a7bc Bug 19258: Prevent warn when paying a fine or charge
To test:
 1) Go to a members detail page in staff client
 2) Select the Fines tab in the left pane
 3) Select the Create manual invoice tab below the button menu bar
 4) Create a fine and click save (e.g. Type: Fine, Amount: 5.00)
 5) Select the Pay fines tab below the button menu bar
 6) Click Pay on the item
 7) Blank the staff error log
 8) click confirm
    -- staff error log has message
 9) apply this first patch
10) repeat steps 3-8
    -- staff error log is blank
11) run koha qa test tools

Sponsored-by: Catalyst IT

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-07 14:39:09 -03:00
Katrin Fischer
82f183c5ea Bug 19129 - Clean up Details tab for Organisation patrons
Problem: A patron category "I" would cause display problems
on the details in the intranet. This is because the templates
confused patron category "I" with patron type "I" (organisation).

Patch:
- Cleans up variable confusion between categorycode and
  categorytype.
- The template contained code to change the labels below
  the address to 'Organisational phone:" etc., I have removed
  this part as it does not match the edit form anymore.
- Initials, date of birth and gender are still hidden for
  organisation - matching the edit form.

Bonus:
- The patron category description was missing on the
  right and left side of the details tab. Now it displays.
- Fixes some html issues:
  - doubled up class attribute in a tag
  - doubled up </li></li>

To test:
- Create 3 patrons
  - patron category code doesn't matter, but category type organisation
  - patron category code 'I', category type NOT organisation
  - patron category code NOT I, category type NOT organisaton
- Check details tab in patron account in staff for all 3
  - Verify patron category description shows correctly
  - Verify information added to the account displays correctly
    (phone numbers, emails, ...)

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-01 13:02:23 -03:00
831d75d09c Bug 19208 - Pay select option doesn't pay the selected fine
The "Pay selected" option on the Fines tab in the borrower account page doesn't work as intended.
The fine on top of the list gets the amount deducted, even if another fine is choosen from the list.

Test Plan:
1) Create two or three fines, using the Create manual invoice function.
2) Choose one of the fines (not the one on the top) and click Pay selected
3) Pay a partial amount
4) Go back to the Pay fines tab an notice that the fine you selected has not changed. Instead, either the top fine or the total (see attachment) has ben affected.
5) Apply this patch
6) Repeat steps 1-3
7) Note the correct fine is paid

Signed-off-by: Andreas Hedström Mace <andreas.hedstrom.mace@sub.su.se>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-01 13:00:04 -03:00
86e8612c02 Bug 19205 - Pay selected fine generates 500 error
Using the pay selected option from the borrowers account, to pay for one specific fine among other gives a 500 error, despite the payment going through.

Test Plan:
1) Add two fines using the Create manual invoice function.
2) Select one fine and "pay selected".
3) Pay a part of the amount.
4) Note error
5) Apply this patch
6) Repeat steps 1-3
7) No error!

Signed-off-by: Andreas Hedström Mace <andreas.hedstrom.mace@sub.su.se>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-30 15:05:22 -03:00
Amit Gupta
fbdfbc64f0 Bug 19079 - XSS Flaws in Membership page
1. Hit /cgi-bin/koha/members/moremember.pl?borrowernumber=xx<script>alert('amit')</script>.
   xx - is a borrowernumber
2. Notice the java script is executed.
4. Apply patch.
5. Reload page, and hit the page again /cgi-bin/koha/members/moremember.pl?borrowernumber=xx<script>alert('amit')</script>.
   xx - is a borrowernumber.
6. Notice it is no longer executed.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-29 12:00:37 -03:00
01e02364c9 Bug 19080: Fix perlcritic in routing-lists.pl
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-25 11:03:37 -03:00
2480474cdf Bug 19080: Fix member vs borrowernumber in delmember
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-25 11:03:37 -03:00
9af6c4e34b Bug 19080: Handle non-existing patrons gratefully
This is a recurrent bug we have over the last years. When a script is
called with non-existent borrowernumber it will crashes.
We need to handle this gracefully instead of letting the script crashes.

On bug 18403 a new subroutine is added to the codebase
(output_and_exit_if_error) to handle this kind of errors correctly.
Since it is not pushed yet, I propose to just redirect to a script that
handle it correctly (circulation.pl) instead of adding this message to
all these scripts.

Test plan:
Hit different scripts from the members module and pass a non-existent
borrowernumber.
You must be redirected to circulation.pl with a friendly message.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-25 11:03:37 -03:00
a66c0b1dd7 Bug 18469: QA Follow-up
Restore datepicker class
Use Koha.Preference
Copy changes to moremember

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-15 12:17:43 -03:00
1da4721551 Bug 17829: (follow-up) Move GetMember to Koha::Patron - routing-lists.pl
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-09 16:52:21 -03:00
Aleisha Amohia
7ed66a6c8a Bug 18858: Prevent warn when deleting a borrower debarment
To test:
1) Look at intranet log
2) Go to delete a debarment on a borrower
3) Notice warn
4) Apply patch
5) Add a new debarment
6) Delete this debarment
7) Notice warn is gone

Sponsored-by: Catalyst IT

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-07-13 18:23:29 -03:00
9cad748de7 Bug 17829: (followup) Fix small rebasing errors
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-07-10 13:14:34 -03:00
2b90ea2cb0 Bug 17829: Move GetMember to Koha::Patron
GetMember returned a patron given a borrowernumber, cardnumber or
userid.
All of these 3 attributes are defined as a unique key at the DB level
and so we can use Koha::Patrons->find to replace this subroutine.
Additionaly GetMember set category_type and description.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-07-10 13:14:19 -03:00
bbe2216887 Bug 17738: Replace GetReservesFromBorrowernumber with Koha::Patron->get_holds
This patch replace the different calls to GetReservesFromBorrowernumber
with a calls to Koha::Patron->get_holds.
In some places we need to get a restricted set of holds, that's why we
process a search on this holds returned by ->get_holds (on the found
status for instance).

The changes are quite trivial and reading the diff should be enough to
catch bugs.

Test plan:
I would suggest to test this patch with patches from bug 17736 and bug 17737,
to place different kind of holds (biblio and item level, future and
past).
Then do a whole workflow to detect bug, view a record, delete record,
order, place a hold on an item which has been ordered, etc.
The hold's informations should always be the same without or without
these patches.

Tested both patches together, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
2017-07-05 13:42:52 -03:00
ca0bde1e7e Bug 17843: [QA Follow-up] Some polishing
Resolve warning from members/summary-print.pl:
    "my" variable $itemtype masks earlier declaration in same scope

Test if find returns a Koha object in GetDescription.
Test if find returns a Koha object too in shelves.pl. While testing, I had
a crash on a biblioitem with itemtype NULL (bad record, but these things
tend to happen somehow.)
Can't call method "imageurl" on an undefined value at virtualshelves/shelves.pl line 253.
Same for opac/opac-shelves.pl.

Note: Did not add tests everywhere but generally, I have the impression that
we do not sufficiently test on the results of Koha::Object->find. Mostly we
just assume that it will find a record. Several reports include fixes to
resolve that wrong assumption.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
2017-07-05 13:42:21 -03:00
091d6c513b Bug 17843: Replace C4::Koha::getitemtypeinfo with Koha::ItemTypes
The C4::Koha::getitemtypeinfo subroutine did the almost same job as
GetItemTypes. On top of that it returned the imageurl value processed by
C4::Koha::getitemtypeimagelocation.
This value is only used from the 2 [opac-]shelves.pl scripts. Then it's
better not retrieve it only when we need it.

Test plan:
Play with the different scripts touched by this patch and focus on item
types. The same description as prior to this patch must be displayed.
Note that sometimes it is not the translated description which is
displayed, but that should be fixed on another bug report. Indeed we do
not expect this patch to change any behaviors.

Signed-off-by: Lari Taskula <lari.taskula@jns.fi>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
2017-07-05 13:42:21 -03:00
bb22703dca Bug 18179: Update existing calls
This patch updates the existing occurrences of ->find called in a list
context.
There are certainly others that are not easy to catch with git grep.
Test plan:
Confirm that the 4 modified scripts still works as expected.

We need this one ASAP in master to make sure we will not get other
side-effects of this kind and to catch possible uncaught occurrences
before the release.

Tested scripts changed by this patch, they work as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-06-05 11:35:58 -03:00
a80366439e Bug 18632: Remove 'CGI::param called in list context' warnings
Once again, after bug 16154 and bug 16259 we need to remove more
occurrence of CGi->param called in list context.
Refer to bug 15809 for more information.

Test plan:
Make sure you do not see the error on the modified scripts.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-28 22:25:22 -04:00
87bb59304e Bug 18647: Resolve internal server error on category_type
See bug 18552. When we resolved the housebound_role bug, the hash got
filled correctly again. And this revealed that the (second) call to
Koha::Patrons->find was not appropriate. It can be removed, as Jonathan
explained on the report.

Note: Commit 95429af685 added this call, but
it was hidden until the template variable hash got fixed.

Test plan:
Restart Plack and go to patron details again.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-20 13:57:14 +00:00
49253ace12 Bug 18552: [QA Follow-up] Resolve warnings
Like:
Problem = a value of AutoResumeSuspendedHolds has been passed to param without key at /usr/share/koha/masterclone/C4/Templates.pm line 137.
Problem = a value of relatives_borrowernumbers has been passed to param without key at /usr/share/koha/masterclone/C4/Templates.pm line 137.

Problem is functions returning undef in list context (in this case
housebound_role).
No need to call Patrons::find a second time.

Note: The call of GetDebarments in the first patch suffered from this too.
It is in a fine place now too. But strictly speaking, should not have been
moved.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-19 10:35:48 -04:00
Aleisha Amohia
f2dee024a7 Bug 18552: Borrower debarments not showing on member detail page
To test:
1) Go to a borrowers details page and create a manual restriction
2) Notice the restriction shows at the top of the page but the
restriction tab says the member is currently unrestricted
3) Apply patch and refresh page
4) Restrictions tab should now correctly show debarments and correct
number is shown
5) Confirming deleting and adding restrictions still works as expected

Sponsored-by: Catalyst IT

Followed test plan, works as expected
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-19 10:35:48 -04:00
4e31223aa0 Bug 18554: Adjust a few typos including responsability
typo responsability
typo defautl in authorities.pref
typo reveived in t/db_dependent/Acquisition.t
typo ;; in advance_notices.pl
typo Stopping in restart_indexer (koha-indexer)
typo instutitional in moremember.pl
typo Corretly (Biblio.t)
typo periodicy in help serials

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-09 21:03:22 +00:00
40cd76882e Bug 17762: Add the lang attribute to the patron form
Not the opac because we do not want the patron to modify it, they won't
be necessary translated.

Sponsored-by: Orex Digital

Signed-off-by: Hugo Agud <hagud@orex.es>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-09 20:56:40 +00:00
c1d9a7dab7 Revert "Bug 18179: Update existing calls"
This reverts commit 2a2b973911.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-04-28 12:48:56 -04:00
Baptiste Wojtkowski
54bb284a60 Bug 18110: Corrected display address format
- minor changes on address format
- corrected member-password so that steetnumber is given to the template

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-04-28 08:50:19 -04:00
95429af685 Bug 12461 - Add patron clubs feature
This features would add the ability to create clubs which patrons may be
enrolled in. It would be particularly useful for tracking summer reading
programs, book clubs and other such clubs.

Test Plan:
1) Apply this patch
2) Run updatedatabase.pl
3) Ensure your staff user has the new 'Patron clubs' permissions
4) Under the tools menu, click the "Patron clubs" link
5) Create a new club template
   * Here you can add fields that can be filled out at the time
     a new club is created based on the template, or a new enrollment
     is created for a given club based on the template.
6) Create a new club based on that template
7) Attempt to enroll a patron in that club
8) Create a club with email required set
9) Attempt to enroll a patron without an email address in that club
10) Create a club that is enrollable from the OPAC
11) Attempt to enroll a patron in that club
12) Attempt to cancel a club enrollment from the OPAC
13) Attempt to cancel a club enrollment from the staff interface

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-04-28 08:37:44 -04:00
2a2b973911 Bug 18179: Update existing calls
This patch updates the existing occurrences of ->find called in a list
context.
There are certainly others that are not easy to catch with git grep.
Test plan:
Confirm that the 4 modified scripts still works as expected.

We need this one ASAP in master to make sure we will not get other
side-effects of this kind and to catch possible uncaught occurrences
before the release.

Tested scripts changed by this patch, they work as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-04-28 06:48:31 -04:00
185dc7f45a Bug 18423 - Followup - enable Add child button for institutional borrowers
If they can have guarantors and we shwo the button on one page I think
we should in fact show it on all.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-04-21 07:42:58 -04:00
b81a18ea39 Bug 18423 - Add 'Add child' button to files, housebound, and deletemem pages
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-04-21 07:42:58 -04:00
b689c6f9fe Bug 18423 Follow-up - Add 'Add child' button to statistics tab
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-04-21 07:42:58 -04:00
d18f30eb3f Bug 18423 follow up - fix display off add child on members/notices.pl
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-04-21 07:42:58 -04:00
e28f19f0a8 Bug 18423 - Add child button not always appearing - problem in template variable
This patch removes the retrieval of the syspref borrowerRelationship
from the scripts and moves it to a check using the Template Toolkit
plugin

To test:
1 - Apply patch
2 - Ensure 'Add child' button displays appropriately on all member pages.

Tested 3 pateches together, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-04-21 07:42:57 -04:00
d4c3bbb597 Bug 15498: Do not display sql csv profiles
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-03-31 11:13:48 +00:00
b0dc5fc0f3 Bug 15498: Let the user choose the CSV profile to export circ history
The way the export options are displayed at the bottom of the checkouts table
was not consistent.
Prior to this patch set, they are display if ExportRemoveFields or
ExportWithCsvProfile is set.
It does not make any sense, the user could want to export the checkouts in
iso2709 format without having to define a csv profile and fill the pref.

Moreover the behavior of this pref did not match its description: it's used as
a default CSV profile when exporting records from the export tools or the
command line.

This patch set adds a new pref ExportCircHistory and remove
ExportWithCsvProfile. The new pref is set if ExportWithCsvProfile or
ExportRemoveFields were set.
A new dropdown list with the CSV profile list will be displayed in the
export area, at the bottom of the checkouts table.

Note that now --csv_profile_id is mandatory for the export command line
(misc/export_records.pl) if the export format is csv.

Test plan:
0/ Do not execute the DB entry
1/ Clear both ExportWithCsvProfile and ExportRemoveFields prefs
2/ Execute the DB entry
3/ ExportCircHistory should not be set and the export options should not
be displayed at the bottom of the checkouts table.
4/ Remove the pref
  DELETE FROM systempreferences WHERE variable='ExportCircHistory';
and reinsert the previous one, with a value:
  INSERT INTO systempreferences (variable, value) VALUES
  ('ExportWithCsvProfile', 'something');
Execute the DB entry again
=> The now pref should be now set
5/ Export some checkouts using the CSV entry
6/ Note that the export tool and commandline script still work using the
csv format. You have to provide a --csv_profile_id option to make it
work.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-03-31 11:13:47 +00:00
574d48362d Bug 18124: Change the calls to generate and check CSRF tokens
The parameter change in Koha::Token should be applied to the calling
scripts.

Test plan:
Confirm that the different forms of the scripts modified by this patch
still work correctly.

Test the problematic behavior:
Open 2 tabs with in same user's session, go on the edit patron page
(memberentry.pl).
Log out and log in from the other tab.
Submit the form
=> Wrong CSRF token should be raised

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-03-30 09:07:09 +00:00
afb7b7dc2d Bug 13757: Better display for attr changes in members-update.pl
This patch changes the way changed attributes are displayed for the
staff user to make the decision to approve (or not) the changes.

Regards

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-03-24 18:45:17 +00:00
c8889f0ff7 Bug 13757: (followup) Only touch opac_editable attributes
As reported by Owen, the members-update.pl was showing every attributes
the patron has (display issue) instead of showing only those affected by
the changes.

This patch fixes this by filtering the patron's attributes by opac
editability.

It also fixes Koha::Patron::Modification->approve so it only clears the
attributes with the updating 'code' and leaves the others untouched.
As its been coded so far (until someone refactors it all) the
Koha::Patron::Modification object needs to contain all the attributes
for a specific code. And it comes from parsing the UI's input.

Tests for Koha::Patron::Modification->approve to come.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-03-24 18:45:01 +00:00
925e664f42 Bug 13757: (followup) Staff interface changes
This patch adds proper extended attributes display and handling on the
patron modifications moderation page (members-update.pl).

It also adds changes checking to the opac-memberentry.pl page so it
only saves a modification request if there are changes (it only checked
regular fields and not the extended ones).

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-03-24 18:44:59 +00:00
Kyle M Hall
8255344215 Revert "Bug 12461 - Add patron clubs feature"
This reverts commit 4f1eefdbb8.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-02-26 20:41:27 -05:00
4f1eefdbb8 Bug 12461 - Add patron clubs feature
This features would add the ability to create clubs which patrons may be
enrolled in. It would be particularly useful for tracking summer reading
programs, book clubs and other such clubs.

Test Plan:
1) Apply this patch
2) Run updatedatabase.pl
3) Ensure your staff user has the new 'Patron clubs' permissions
4) Under the tools menu, click the "Patron clubs" link
5) Create a new club template
   * Here you can add fields that can be filled out at the time
     a new club is created based on the template, or a new enrollment
     is created for a given club based on the template.
6) Create a new club based on that template
7) Attempt to enroll a patron in that club
8) Create a club with email required set
9) Attempt to enroll a patron without an email address in that club
10) Create a club that is enrollable from the OPAC
11) Attempt to enroll a patron in that club
12) Attempt to cancel a club enrollment from the OPAC
13) Attempt to cancel a club enrollment from the staff interface

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
2017-02-23 19:42:36 +00:00
745c4c3da6 Bug 17933: Do not instanciate a patron if not needed
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-02-17 11:22:09 +00:00
Dobrica Pavlinusic
083a8f7b72 Bug 17933 - Internal software error when searching patron without birth date
When patrons don't have date of birth (which is not required) patron
search results on moremember page produce internal server error since we
can't convert MySQL invalid date 0000-00-00 to datetime object and
call strfdate on it.

Additionally, since we assign dates to template variables and after
than assign whole $data hash to template, later assigment overrides
previous one, so we see birth date field even for patrons which don't
have one.

This patch fixes both of those problems.

Test:
1. edit patron and remove it's birth date
2. try to search for it, and verify server error
3. apply patch
4. repeat search for patron and verify that it works and doesn't
   have enpty birth date field

Signed-off-by: Grace McKenzie <grace.mcky@gmail.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-02-17 11:22:09 +00:00
0b2393cd65 Bug 18033: Remove duplicate code in paycollect.pl
Test plan:
0) apply the patch
1) try to pay individual fee, with full amount and partial amount
   it should work the same as before patch

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-02-07 16:15:39 +00:00
0c3c162f76 Bug 17905: FIX CSRF in member-flags
If an attacker can get an authenticated Koha user to visit their page
with the url below, privilege escalation is possible

The exploit can be simulated triggering
    /cgi-bin/koha/members/member-flags.pl?member=42&newflags=1&flag=superlibrarian

Test plan:
Trigger the url above
=> Without this patch, 42 is now superlibrarian
=> With this patch, you will get the "Wrong CSRF token" error.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-30 11:24:12 +00:00
bcf9fdafab Bug 17588: ->get_issues has been replaced with ->checkouts
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-20 14:25:35 +00:00
90f9a3c6ac Bug 17588: get_account_lines->get_balance has been replace with account->balance
On previous bugs

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-20 14:25:35 +00:00
45cee0cec8 Bug 17588: Koha::Patrons - Move GetMemberIssuesAndFines
The GetMemberIssuesAndFines subroutine used to retrieve the issues,
overdues and fines for a given patron. Most of the time, only 1 or 2 of
these values were used.
This patch removes this subroutine and uses the new get_issues,
get_overdues and get_balance method from Koha::Patron and Koha::Account::Lines.

Test plan:
1/ Add overdues, issues and fines to different patrons
2/ On the checkout, checkin and patron search result and the patron
detail pages, these 3 informations, if displayed before this patch, must be
correctly displayed.
3/ Use the batch patron deletion tool and make sure that patrons with a
balance > 0 are not deleted

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-20 14:25:34 +00:00