Commit graph

23 commits

Author SHA1 Message Date
4390b7be04 Bug 28785: Adjust check_cookie_auth calls
The previous patch makes check_cookie_auth return the session instead of
$sessionID, so we are adjusting the different calls to prevent
confusion.
However they are mainly used to check the authentication status and
don't care about this second variable.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-10-18 11:28:41 +02:00
3a6bb271c4 Bug 17600: Fix other occurrences in svc
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-07-26 16:41:07 +02:00
Julian Maurice
96cc447045 Bug 25898: Prohibit indirect object notation
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-10-15 12:56:30 +02:00
638786e719 Bug 24663: Remove authnotrequired if set to 0
It defaults to 0 in get_template_and_user

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
9a23ba3166
Bug 24964: Do not filter patrons after they have been fetched
The svc/members/search script is called in different places.
In some places (Set owner for a fund, add users to a fund, or set a
manager to a suggestion), we need patrons to be filtered depending on
the permissions they have.
For instance you can only set a fund's owner with a patron that has
acquisition.order_manage.

Currently we have fetching X (default 20) patrons, then filter them
depending on their permission.
Says you have 3 patrons that have the correct permissions but are not in
the 20 first patrons, if you do not define a search term, the search
result will be empty.

This is not ideal and we should filter when requesting the DB.

Test plan:
- Have more than 20 patrons, remove them their permissions
- Create 3 more:
1 superlibrarian
1 with the full acq permission
1 with acquisition.order_manage
- Create a fund and set a owner
- Search for patrons, without specifying a search term (to get them all)
=> Without this patch the new patrons you created are not displayed
=> With this patch they are!

Same test plan apply to set a manager to a suggestion (freshly pushed,
see bug 23590), with suggestions and suggestions.suggestions_manage

Note: The code has been written that way to rely on
C4::Auth::haspermission, but the SQL query is quite trivial and the gain
is important.

Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-03-27 08:35:03 +00:00
0359a04bf8
Bug 22529: Use new C4::Auth::haspermission from svc/members/search
The svc/members/search script can be used to retrieve patrons with a
specific permission. This feature is only used once, to link patrons to
funds.
The code in the script is duplicated from what we have in
C4::Auth::haspermission, and it makes sense to clean it.

Test plan:
Create a fund and add users to this fund.
When you search for users you must only have a list of patrons with the
acquisition.order_manage permission.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Works as described. No errors
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-03-04 16:14:32 +00:00
7d8b96803f
Bug 24545: Fix license statements
Bug 9978 should have fixed them all, but some were missing.
We want all the license statements part of Koha to be identical, and
using the GPLv3 statement.

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-02-24 13:31:26 +00:00
0d26aa77e7 Bug 22483: Restore svc/members/search
This script used to pass 'undef' to haspermission, this patch restores
that behaviour.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2019-03-09 05:16:40 -03:00
cc67ff26aa Bug 22483: Explicitly ban 'undef' as a valid $flagsrequired
Before bug 22031 the haspermission subroutine signature allowed for
passing 'undef' to mean 'any permission' in $flagsrequired.  This feels
like a mistake and was only in practical use in two places in the
codebase.

This patch explicitly forbids this practice (`*` may be used to the same
result and is more explicit in it's nature) and replaces the two
instances of it's use.

Test Plan
1. Before this patch, the API tests are all failing with authentication
errors
2. After this patch the API tests should now all pass.
3. t/db_dependent/Auth/haspermission.t should continue to pass (with one
addition subtest added herin)
3. /svc/members/search is not unit tested. Please check that patron
searching still yields results in the UI after this patch.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2019-03-08 15:26:04 -03:00
4bc92169dc Bug 18403: Update permissions - borrowers => 1|* becomes borrowers => 'edit_borrowers'
Test plan:
Login with a patron that only have the 'edit_borrowers' permission.
You should be able to access patron's information of patrons inside of your group.

Technical note:
Before this patchset the borrowers permission module contains only 1 permission 'edit_borrowers'.
That meant
  borrowers => 1
and
  borrowers => '*'
had the same behavior.
Moreover, now that we have 2 permissions, 'CAN_user_borrowers' is set when all
permissions of 'borrowers' are set.
We need to update the different occurrences of these tests.

Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:37 -03:00
2b90ea2cb0 Bug 17829: Move GetMember to Koha::Patron
GetMember returned a patron given a borrowernumber, cardnumber or
userid.
All of these 3 attributes are defined as a unique key at the DB level
and so we can use Koha::Patrons->find to replace this subroutine.
Additionaly GetMember set category_type and description.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-07-10 13:14:19 -03:00
9b34b07d62 Bug 17375: Search by dateofbirth - handle invalid dates
Prevent internal software error when searching patron with invalid birth date

To reproduce:

- Go to Home > Patron
- Expand patron search (click on + at the left of the search button)
- In drop down 'Search fields', select 'Date of birth'
- Enter a valid date (e.g. 11.02.1995 if syspref 'dateformat' is set to dmydot)
Result: Search works OK
- Enter an invalid date, e.g. 11.02 or abcd...
Result: Internal server error

- Do a patron search with many results
- Use filter on results screen, select 'Date of birth' as search field and
  enter an invalid date to search (e.g. 'a')
Result: Endless message 'Processing'

To test:
- Apply patch
- Repeat steps above
- In both cases, you should get "No results"

Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Lucio Moraes <lmoraes@catalyst.net.nz>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-10-27 13:18:32 +00:00
70498b1566 Bug 16476: Do not call CGI->param in list context, some more
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-05-16 17:11:46 +00:00
Marc Véron
a71cc14a52 Bug 14782: Add possibility to search patrons using the username (userid)
This patch makes it possible to search for users using the username (userid / login name).

To test:

- Apply patch
- Do searches from Home > Patrons
- Search after a full username or parts of a username with Search fields = Standard and Search fields = Userid
- Perform the searches from the top bar (expand with [+]) and from the "Filters" part at the left
- Make sure that other searches behave as before

Signed-off-by: Joonas Kylmälä <j.kylmala@gmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
2015-09-16 10:36:56 -03:00
Jonathan Druart
a6c9bd0eb5 Bug 9978: Replace license header with the correct license (GPLv3+)
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>

http://bugs.koha-community.org/show_bug.cgi?id=9987

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-04-20 09:59:38 -03:00
Jonathan Druart
2639357767 Bug 13891: DataTables server-side processing - budget users
This first patch remove the previous way to search for users to link to
budgets.

Test plan:
1/ Edit or create a fund
2/ Edit the owner of this fund a select a patron
3/ Add 1+ users to the user lists of this fund

Tested together with other patches.
Signed-off-by: Marc Veron <veron@veron.ch>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-04-13 10:55:13 -03:00
Jonathan Druart
481479fe62 Bug 12648: Fix conflict with bug 12833
Signed-off-by: Paola Rossi <paola.rossi@cineca.it>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-03-11 11:47:37 -03:00
Jonathan Druart
8e91a0f01d Bug 12648: The users added to basket should have a permission
Before this enh, the users to add to a basket should have the
acquisition.order_manage permission.
This patch reintroduces this behavior.

The code in acqui/add_user_search.pl was never used. The filter should
be done in the members/search service.

But it is not possible easily to filter using a sql query, so the filter
is done after. This means that we cannot use the DT pagination
(otherwise the results will become inconsistent).

Test plan:
1/ On adding patrons to a basket, verify that the search patron results contain
patron with the acquisition.order_manage permission.
2/ Verify that all patrons are return on the 'normal' patron search and
when adding patrons to an order.

Signed-off-by: Paola Rossi <paola.rossi@cineca.it>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-03-11 11:47:35 -03:00
Jonathan Druart
bb1beb4f5d Bug 12648: Refactoring to prepare user search for reuse
A previous enhancement allows to link basket with patrons.
Next patches will use the same way to link order with patrons.

In order to avoir c/p of code, this patch refactores this part of code.

Test plan:
1/ Verify there is no regression on adding/modifying users to a basket.
(acqui/basket.pl?basketno=XXX, "Managed by", "Add user").
2/ Note that you get a friendly message if the user is already present in the
list and when the user has correctly been added to the list.
3/ Note that the list uses the member search service (ie. DataTable +
serverside processing).

Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-03-11 11:47:25 -03:00
Jonathan Druart
0f3a04609c Bug 13232: Search patrons by a first letter should not redirect to a patron detail page
Bug 12833 allows to find a patron with his cardnumber.
But this won't never append if the firstletter parameter is given.

Actually the firstletter param is the only one to take into account if
it exists.

Test plan:
Search patrons by a first letter and verify that the feature is back.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

To reproduce the problem you need at least one borrower with a blank
cardnumber

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
works as descrobed, no problems found.

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-11-14 09:33:00 -03:00
Jonathan Druart
0965dfcc15 Bug 12833: Patron search should search on extended attributes
Before Bug 9811, the patron search searched on extended attributes.

This patch restore this behavior.

Test plan:
0/ Create a patron attribute PA
1/ Create a patron A (cardnumber CNA) with PA="foo"
2/ Create a patron B (cardnumber CNB) with PA="foo bar"
3/ Search for CNA should redirect on the patron detail page.
4/ Search for "foo" should display the search result with 2 results.

Signed-off-by: Nick Clemens <nick@quecheelibrary.org>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
'Searchable' patron attributes can now be searched for again.
Works as described, passes stests and QA script.

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-09-09 10:08:59 -03:00
Olli-Antti Kivilahti
a660d2208b Bug 9811 - datetime does not respect DateFormat-system prefrence
To test:
Try searching by the date of birth using the left filter column. Good luck.

After applying this patch:
You can search using your preferred DateFormat.

Merci bocu

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-07-01 09:58:11 -03:00
Jonathan Druart
24d6d83ada Bug 9811: Patron search improvement
This patch add DataTables using server-side processing for the patrons
search.

It adds:
- 1 module C4/Utils/DataTables/Members.pm
- 2 services svc/members/search and svc/members/add_to_list
- 1 template members/tables/members_results.tt
- 1 new practice which is to add template for DataTables in a
  subdirectory named 'tables'.

Impacted scripts: members/members-home.pl and members/members.pl

To go further: We can imagine that all patrons searches use the same
service with no big changes: 1 little template creates a JSON file and
to implement DataTables on the template page, that's all.

Amended patch: Since bug 10565 has been pushed, these patches don't
apply cleanly. I had to rewrite a part of the patron list feature.
I removed the choice to add all resultant patrons from a search. I think
this choice is useless with this patch: we are able to display the
number of patrons we want and to select all of them.

Test plan:
- Check that there is no regression on searching patrons.
- Try filters on the left of the screen.
- Try to sort each column.
- Try the "Browse by last name" links.
- Check that the "Clear" button clears yours filters.
- Try with IndependantBranches ON and OFF.
- Verify this feature does not break the patron list feature (cf bug
  10565).

Signed-off-by: Cedric Vita <cedric.vita@dracenie.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Passes all tests and QA script, couldn't find any regressions
or problems. Some notes left on the bug.

Bug 9811: Add unit tests for C4::Utils::DT::Members

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>

Bug 9811: QA followup

- removes 2 tabs
- removes mysqlisms
- add sort on borrowernotes
- fix wrong capitalization
- cat => Category

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Thx for fixing these!

Bug 9811 - multilines notes brakes JSON

In new patron search feature, the search results are fetched using Ajax and returned in JSON format.
The JSON is created by TT using koha-tmpl/intranet-tmpl/prog/en/modules/members/tables/members_results.tt.
One of the fields is the borrower notes. When this notes contains several lines, the JSON is broken.

This patch uses TT fileters to consert in notes linefeeds into HTML line break (html_line_break) and then remove linefeeds (collapse).

Test plan :
- perform a member search that does not return a borrower with a circ note
- edit one of the borrowers returned by this search
- enter serveral lines of text in "Circulation note" and save
- reperform the member search
=> circ note is well displayed on several lines

Bug 9811: use count(primary_key) instead of count(*)

Bug 9811: A limit clause should be always added.

By default, we want to retrieve 20 first results.

Bug 9811: Load the page without any data.

Displaying the first 20 patrons is not useful. With this patch, the
table is hidden and no record is retrieved by default.
On the same way, the existing side effect on redirect disappears.

Signed-off-by: Olli-Antti Kivilahti <olli-antti.kivilahti@jns.fi>
-------------
-TEST REPORT-
-------------
For the filter: Tested all the search fields, branches, search type.
Found a bug with "date of birth", followup provided.
Tested display limits and verified that AJAX-queries are
  efficient (using LIMIT clause) to not stress DB needlessly.
Tested adding Patrons to a list.
A good feature, which seems to work quite well.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Adding my test plan to the last patch of this bug.

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-07-01 09:57:09 -03:00