We deal with that in the middleware; we don't want 403.pl to exit early.
If we notice that we actually need it (for other scripts), we could
eventually add a new flag to get_template_and_user to skip the CSRF check,
or build the template without using get_template_and_user for errors/*
scripts.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The easiest here is to not empty 'op' but instead redirect to an error
page.
Minor changes: to keep the patch simple, it removes the 'dev only' error and
displays the error for non-dev installs. It should not be a problem
anyway and will prevent errors from being hidden in the log.
We could make KOHA_ERROR an arrayref, but later (we don't need it now
anyway).
Note that the OPAC still does not benefit from a friendly specific error for
an invalid token.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
GET svc/authentication will return a CSRF token in a response header.
POST svc/authentication requires a CSRF token, which can be sourced
from the response header of GET svc/authentication or some other
place like the meta element on an HTML page.
Note: misc/migration_tools/koha-svc.pl is a simple script which
can be used to practically evaluate svc/authentication and svc/bib
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Suggestion to move the CSRF check to CGI->new so that we will check it
for every request, and it will cover svc scripts as well (they are not
using get_template_and_user).
The token will be retrieved from the param list *or the csrf_token
header* (do we want to name it x-koha-csrf-token instead?).
This will be done for *every* request that is not GET: a CSRF token is now
required everywhere CGI is used (side-effects possible?).
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
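The two messages above (the svc/authentication token header and the proposal to check the token in CGI->new for every non-GET request) describe one mechanism from two sides. The script below is an added illustration, not code from Koha: it shows a check that skips safe methods, accepts the token from either the `csrf_token` parameter or the `csrf_token` request header (which CGI.pm exposes as `$cgi->http('csrf_token')`), and compares it in constant time. The HMAC-based `generate_csrf_token`, the `$SECRET` value and the session id are constructed stand-ins; Koha's real tokens come from Koha::Token.

```perl
#!/usr/bin/perl
use Modern::Perl;                 # Koha's usual pragma bundle (strict, warnings, say)
use CGI;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed server secret for this example only; Koha derives its tokens
# from the session via Koha::Token rather than this stand-in scheme.
my $SECRET = 'example-only-server-secret';

# Stand-in token generator: binds the token to the session id via HMAC.
sub generate_csrf_token {
    my ($session_id) = @_;
    return hmac_sha256_hex( $session_id, $SECRET );
}

# Compare two strings without leaking where they differ through timing.
sub constant_time_eq {
    my ( $x, $y ) = @_;
    return 0 unless defined $x && defined $y && length $x == length $y;
    my $diff = 0;
    $diff |= ord( substr $x, $_, 1 ) ^ ord( substr $y, $_, 1 ) for 0 .. length($x) - 1;
    return $diff == 0;
}

# The check proposed for CGI->new: every request that is not GET (or another
# safe method) must carry a valid token, taken from the 'csrf_token'
# parameter or the 'csrf_token' header ($cgi->http('csrf_token') reads
# $ENV{HTTP_CSRF_TOKEN}).
sub check_csrf_for_request {
    my ( $cgi, $session_id ) = @_;
    my $method = $cgi->request_method // 'GET';
    return { ok => 1, reason => 'safe method, no token needed' }
        if $method =~ /^(?:GET|HEAD|OPTIONS)$/;

    my $token = $cgi->param('csrf_token') // $cgi->http('csrf_token');
    return { ok => 0, reason => 'missing CSRF token' }
        unless defined $token && length $token;

    return constant_time_eq( $token, generate_csrf_token($session_id) )
        ? { ok => 1, reason => 'valid CSRF token' }
        : { ok => 0, reason => 'wrong CSRF token' };
}

# Demo with constructed requests; query strings stand in for form bodies.
my $session_id = 'constructed-session-id';
my $token      = generate_csrf_token($session_id);

$ENV{REQUEST_METHOD} = 'GET';
say 'GET without token:    ', check_csrf_for_request( CGI->new('op=view'), $session_id )->{reason};

$ENV{REQUEST_METHOD} = 'POST';
say 'POST without token:   ', check_csrf_for_request( CGI->new('op=delete'), $session_id )->{reason};
say 'POST token in param:  ', check_csrf_for_request( CGI->new("op=delete&csrf_token=$token"), $session_id )->{reason};
say 'POST bad token:       ', check_csrf_for_request( CGI->new('op=delete&csrf_token=deadbeef'), $session_id )->{reason};

# Token supplied in the header, as a client of svc/authentication would send it.
$ENV{HTTP_CSRF_TOKEN} = $token;
say 'POST token in header: ', check_csrf_for_request( CGI->new('op=delete'), $session_id )->{reason};
```

Running the check before any script-specific code means the svc scripts, which never call get_template_and_user, are covered by the same rule as the staff interface forms.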
I *think* this change fixes a bug when starting the installer with an
expired session. I am no longer able to reproduce the problem however.
Just skip if it does not make sense.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
If the cookie contains an expired sessionID, we need to create another
one to correctly generate the CSRF token.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Hum, this didn't make sense. We are not checking credentials after
checkauth.
This patch is suggesting to rename "userid" and "password" parameters
from login forms to "login_userid" and "login_password" to not interfere
with other parameters with the same name.
This looks quite correct; however, I am seeing
"The form submission failed (Wrong CSRF token)."
in the log after a successful login, which feels wrong. What's
happening?
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
We should no longer need to check CSRF token from pl files
TODO - there is a change for some files where we returned 403
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Not sure this is the right place in get_template_and_user
Will have to test login and 2FA
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds a Koha::Session module that makes it easier
to work with Koha sessions without needing the full C4::Auth module.
Test plan:
0. Apply the patch
1. Run the following unit tests:
prove ./t/db_dependent/Auth.t
prove ./t/db_dependent/Auth_with_cas.t
prove ./t/db_dependent/Koha/Session.t
2. Observe that they all pass
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
It seems safer to pass the logged in user and session info at the end of
the sub.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This code is a bit weird; its purpose is to auto-select the library depending on the IP.
A problem appears if the same IP is used: then the user's choice
might be overwritten randomly by another library.
To recreate the problem:
Turn on AutoLocation
Use koha/koha @CPL for test
And the following config:
*************************** 1. row ***************************
branchcode: CPL
branchname: Centerville
branchip: 172.18.0.1
*************************** 2. row ***************************
branchcode: FFL
branchname: Fairfield
branchip: 172.18.0.1
*************************** 3. row ***************************
branchcode: FPL
branchname: Fairview
branchip: 172.18.0.4
Connect and select CPL. Randomly FFL will be picked instead.
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tested this on top of 35890 and 35904 because git bz said they were required dependencies.
Figured out the IP Koha was seeing me as coming from in /var/log/koha/kohadev/plack.log.
Added that IP to the branchip for Centerville, Fairfield and Fairview. Set AutoLocation = Yes.
After this I could recreate the problem: If I left the "Library" field in the login screen
at "My Library" I got logged into a random library selected from the three I had set
branchip for. Applying the patches fixed this, as expected.
Tests pass, with AutoLocation off.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch suggests adding a new flag do_not_print to
C4::Auth::checkauth to not print the headers and allow this
subroutine to be tested more easily.
We no longer need to mock safe_exit and redirect STDOUT to test its
return values.
There are still 3 left:
1.
733 # checkauth will redirect and safe_exit if not authenticated and not authorized
=> Better to keep this one, not trivial to replace
2.
806 # This will fail on permissions
This should be replaced, but testing $template->{VARS}->{nopermission}
fails; I don't think the comment is better.
3.
828 # Patron does not have the borrowers permission
Same as 2.
2. and 3. should be investigated a bit more.
This patch also moves duplicated code to set a patron's password to a
subroutine set_weak_password.
Test plan:
Read the code and confirm that everything makes sense.
QA: Do you have a better way for this? Yes it's dirty!
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Adapt code to the change of return value type of checkpw
introduced in bug 34893
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch introduces some tests on the current (and new) behavior for
the `checkpw` function.
I needed it to better understand if an edge case was actually possible
(it wasn't).
Found a really minor annoyance for the internal check with expired
password not returning the $patron object for consistency with the other
use cases.
I think this method deserves (at least) changing the return value to a
sane data structure. But that's not a target for backporting to stable
releases. So a separate bug.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Imagine we have a set of users. Some of those users have a NULL userid. We then call AuthenticatePatron from ILS-DI for a patron with a NULL userid, but a valid cardnumber. We call checkpw, which returns the cardnumber and userid. We then call Koha::Patrons->find on the userid *which is null*, meaning the borrowernumber returned is not the correct one, but instead the earliest patron inserted into the database that has a NULL userid.
Test Plan:
1) Give three patrons a userid and a password
2) From the database cli, set all patrons' userid to null
Run this query: update borrowers set userid = null;
3) Call AuthenticatePatron with username being the 1st patron cardnumber,
and password being the password you set for that patron
http://localhost:8080/cgi-bin/koha/ilsdi.pl?service=AuthenticatePatron&username=kohacard&password=koha
4) Note you get back a borrowernumber for a different patron. Refresh the page and the number is correct.
5) Do the same with the 2nd patron. Same issue at 1st and correct number after.
6) Apply this patch
7) Restart all the things!
8) Do the same with the 3rd patron.
9) Note you get the correct borrowernumber! :D
10) prove t/Auth.t t/db_dependent/Auth_with_ldap.t t/Auth_with_shibboleth.t t/db_dependent/Auth_with_cas.t
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
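The lookup mistake described above (finding a patron by a userid that is NULL) is easy to reproduce outside Koha, because ORM-style `find({ userid => undef })` becomes `WHERE userid IS NULL` and matches whichever NULL-userid row comes first. The script below is an added illustration, not the patch itself: it builds an in-memory SQLite table with three NULL-userid patrons (constructed data following the test plan), reproduces the wrong answer with `find_like_orm`, and shows a hardened `find_patron_after_checkpw` that searches only on identifiers that are actually defined, trying the verified cardnumber first. Both function names and the table layout are assumptions for this example.

```perl
#!/usr/bin/perl
use Modern::Perl;
use DBI;

# In-memory SQLite schema standing in for the relevant borrowers columns.
my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 } );
$dbh->do(q{
    CREATE TABLE borrowers (
        borrowernumber INTEGER PRIMARY KEY,
        cardnumber     TEXT UNIQUE,
        userid         TEXT UNIQUE
    )
});

# Constructed data mirroring the test plan: three patrons, every userid NULL.
$dbh->do( q{INSERT INTO borrowers (cardnumber, userid) VALUES (?, NULL)}, undef, $_ )
    for qw(kohacard card2 card3);

# What an ORM-style find({ userid => $value }) does: SQL::Abstract renders an
# undef value as "userid IS NULL", so a NULL key matches every patron with a
# NULL userid and the first row in table order wins.
sub find_like_orm {
    my ( $column, $value ) = @_;    # $column only ever comes from a fixed list
    my $where = defined $value ? "$column = ?" : "$column IS NULL";
    my @bind  = defined $value ? ($value) : ();
    my ($borrowernumber) = $dbh->selectrow_array(
        "SELECT borrowernumber FROM borrowers WHERE $where ORDER BY borrowernumber LIMIT 1",
        undef, @bind );
    return $borrowernumber;
}

# Hardened lookup: only search on identifiers that are defined and non-empty,
# and try the cardnumber checkpw verified before falling back to the userid.
sub find_patron_after_checkpw {
    my (%verified) = @_;    # ( cardnumber => ..., userid => ... ) as checkpw returns them
    for my $column (qw(cardnumber userid)) {
        my $value = $verified{$column};
        next unless defined $value && length $value;
        my ($borrowernumber) = $dbh->selectrow_array(
            "SELECT borrowernumber FROM borrowers WHERE $column = ?", undef, $value );
        return $borrowernumber if defined $borrowernumber;
    }
    return;    # nothing verifiable: no patron, rather than an arbitrary NULL row
}

# Demo: authenticating the third patron (cardnumber card3, userid NULL).
say 'lookup by NULL userid (ORM style): borrowernumber ',
    find_like_orm( 'userid', undef );
say 'lookup via verified cardnumber:    borrowernumber ',
    find_patron_after_checkpw( cardnumber => 'card3', userid => undef );
```

The first lookup returns the earliest NULL-userid patron regardless of who authenticated; the second returns the patron whose credentials were actually checked. Refusing to query on an undefined key is the general rule; preferring the identifier that was verified is the specific one.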
This patch adds further delivery details to the notices tab in patron
details in the staff client.
Once a message is sent, we display the 'from:', 'to:' and 'cc:'
addresses in the 'Delivery note' column when they exist.
Test plan
1. Enable KTD to send email [1] (without email configured the
delivery note displayed "Unhandled email failure, check the logs for
further details").
2. Add email addresses to two patrons and to KohaAdminEmailAddress,
and run misc/cronjobs/process_message_queue.pl after generating
notices.
3. For the two patrons with email addresses, make one a guarantor.
4. Send welcome messages (Patron account > More > Send welcome email) -
nothing in delivery note column.
5. Check out an item to the guarantee (item checkout email enabled) -
nothing in delivery note column.
6. Send the notices by running misc/cronjobs/process_message_queue.pl
again.
7. Now the 'Delivery note' columns should contain from:, to: and cc:
address details.
[1] Option 1 - smtp-sink (aka the sandboxes way)
- Install the postfix package inside ktd (sudo apt install postfix)
When asked in the wizard, I named mine 'local'
- Start smtp-sink with
`nohup smtp-sink -u root -D mail 127.0.0.1:25 100 </dev/null >/dev/null 2>&1 &`
Option 2 - To test sending emails using a Google account:
- Set up an App password for your Google Account
- Edit /etc/koha/sites/kohadev/koha-conf.xml file and add this
configuration near the end (where <user_name> = your Google email
address; <password> = your APP password, not your Google account
password):
<smtp_server>
    <host>smtp.gmail.com</host>
    <port>587</port>
    <timeout>5</timeout>
    <ssl_mode>STARTTLS</ssl_mode>
    <user_name>GOOGLEACCOUNTUSER</user_name>
    <password>GOOGLEAPPPASSWORD</password>
    <debug>1</debug>
</smtp_server>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Test plan:
Compile module, run qa tools.
Search for the use of C4::Items in C4/Biblio.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Resolve:
[2024/01/18 11:31:24] [WARN] Use of uninitialized value $hits in numeric eq (==) at /usr/share/koha/opac/opac-search.pl line 612.
[2024/01/18 11:31:24] [WARN] Use of uninitialized value $times in subtraction (-) at /usr/share/koha/C4/Search.pm line 1715.
Test plan:
Look for a few search expressions without results.
Check log without and with patch.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
[2024/01/18 11:52:40] [WARN] Argument " " isn't numeric in numeric eq (==) at /usr/share/koha/C4/Koha.pm line 600.
[2024/01/18 11:52:40] [WARN] Argument " " isn't numeric in numeric eq (==) at /usr/share/koha/C4/Koha.pm line 659.
Note: According to the code in MARC::Field the indicator returned cannot be undef. So we do not return new
uninitialized warnings.
Test plan:
Check your log before and after patch.
Possibly you may need to create a record with spaces as field indicators.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
C4/Utils/DataTables/VirtualShelves.pm: "@order_by" is declared but not used at line 86, column 9. Unused variables clutter code and make it harder to read. (Severity: 3)
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
The "Renew All" function, aka 65/66 messages, works like this: 66 return messages have renewed items in BM-fields and non-renewables go into BN-fields.
If all items were renewable, then the reply message looks like:
Reply:
13.07.2022 10:06:17:530 OUTESTI1 6610005000020220713 100616AOOUPK|BM564N15977171|BM564N09203960|BM564N23261720|BM564N25161958|BM564N23455012|C4::SIP::SIPServer=HASHC4::SIP::SIPServer=HASHAY6AZCEFE
If items include renewables and non-renewables, the response includes the renewed items first, then a HASH mixed into the first BN-field, then the rest of the renewed ones like they should show in BN-fields and, after that, another HASH:
13.07.2022 14:41:32:610 OUTESTI1 6610003000420220713 144130AOOUPK|BM564N23455012|BM564N23261720|BM564N25161958|C4::SIP::SIPServer=HASHBN564N09203960|BN564N04191259|BN564N15977171|BN564N13788332|C4::SIP::SIPServer=HASHAY8AZC7C5
If all loans were unrenewable (this test included just one item), you first get a HASH in a BN-field, and another at the end.
13.07.2022 14:49:00:037 OUTESTI1 6610000000120220713 144858AOOUPK|C4::SIP::SIPServer=HASHBN564N19874533|C4::SIP::SIPServer=HASHAY9AZDD3B
Our self checkout/checkin machine can handle/parse these reply messages correctly, but this might not be the case with all self checkout/checkin devices.
Test Plan:
1) Unit test patch
2) prove t/db_dependent/SIP/Message.t
3) Note failures
4) Apply this patch
5) prove t/db_dependent/SIP/Message.t
6) Tests pass!
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: lmstrand <lmstrand@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
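The log lines above show a Perl object being stringified into the BN fields of a 66 response, which a SIP device may or may not tolerate. The script below is an added example, not code from C4::SIP: `build_renew_all_response` assembles a 66 message (renewed items in BM fields, non-renewables in BN fields, then AY sequence and AZ checksum) and refuses to render a reference into a field, and `find_stringified_refs` scans a captured response for `=HASH`-style residue so a unit test can assert a message is clean. The item identifiers, institution id and timestamp are constructed after the excerpts above; the function names are assumptions for this example.

```perl
#!/usr/bin/perl
use Modern::Perl;
use POSIX qw(strftime);

# Render one variable-length SIP2 field. A reference here is always a bug
# (it would stringify to something like "C4::SIP::SIPServer=HASH(0x...)"),
# so fail loudly instead of emitting it onto the wire.
sub sip_field {
    my ( $code, $value ) = @_;
    die "refusing to render a reference in $code field: $value\n" if ref $value;
    return "$code$value|";
}

# SIP2 checksum: sum of all characters up to and including "AZ", low 16 bits,
# two's complement, four upper-case hex digits.
sub sip_checksum {
    my ($message) = @_;
    my $sum = 0;
    $sum += ord($_) for split //, $message;
    return sprintf '%04X', ( 0x10000 - ( $sum & 0xFFFF ) ) & 0xFFFF;
}

# Build a 66 (Renew All Response): ok flag, 4-digit renewed and unrenewed
# counts, 18-character transaction date, AO institution, BM renewed items,
# BN non-renewable items, AY sequence number, AZ checksum.
sub build_renew_all_response {
    my (%args) = @_;
    my @renewed   = @{ $args{renewed}   // [] };
    my @unrenewed = @{ $args{unrenewed} // [] };

    my $message = '66'
        . ( $args{ok} ? '1' : '0' )
        . sprintf( '%04d%04d', scalar @renewed, scalar @unrenewed )
        . ( $args{timestamp} // strftime( '%Y%m%d    %H%M%S', localtime ) )
        . sip_field( 'AO', $args{institution} );
    $message .= sip_field( 'BM', $_ ) for @renewed;
    $message .= sip_field( 'BN', $_ ) for @unrenewed;
    $message .= 'AY' . $args{sequence} . 'AZ';
    return $message . sip_checksum($message);
}

# Scan a captured response for stringified-reference residue like the
# "C4::SIP::SIPServer=HASH" in the log lines above; returns the offending
# fields so a test can assert there are none.
sub find_stringified_refs {
    my ($response) = @_;
    return grep { /=(?:HASH|ARRAY|CODE|SCALAR)/ } split /\|/, $response;
}

# Constructed demo: three renewed items, two non-renewable ones.
my $good = build_renew_all_response(
    ok          => 1,
    institution => 'OUPK',
    sequence    => 8,
    timestamp   => '20220713    144130',
    renewed     => [ '564N23455012', '564N23261720', '564N25161958' ],
    unrenewed   => [ '564N09203960', '564N04191259' ],
);
say $good;
say 'stringified refs in good message: ', scalar( () = find_stringified_refs($good) );

# A constructed malformed line shaped like the log excerpt above.
my $bad = 'AOOUPK|BM564N23455012|C4::SIP::SIPServer=HASH(0x55d0)BN564N09203960|AY8AZC7C5';
say "offending field: $_" for find_stringified_refs($bad);

# Passing an object where an item identifier was expected now dies instead of
# silently producing a corrupted field.
eval { sip_field( 'BN', {} ) };
print "caught: $@" if $@;
```

The scan is the part worth keeping in a test suite: run it over every response the server produces in t/db_dependent/SIP/Message.t and the regression described above cannot come back unnoticed.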
In automatic item modifications by age,
conditions can be on columns of tables items or biblioitems.
Table biblio is missing.
Test plan :
1) Create an automatic item modifications by age with a condition on a column of biblio table
2) Create a record and item matching the rule
3) Run misc/cronjobs/automatic_item_modification_by_age.pl -c -v
=> Check only matching items are impacted
Signed-off-by: Philip Orr <philip.orr@lmscloud.de>
Bug 32029: (follow-up) unit test
Signed-off-by: matthias le gac <matthias.le-gac@inlibro.com>
Bug 32029: (follow-up) tidy
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
In the sub the userId was given, but the cardnumber was expected; therefore at every login the cardnumber changed to the userId.
To test:
1. Login to the OPAC with an LDAP account that has a cardnumber which is different to the userId
2. Check the patron record's cardnumber.
3. The cardnumber should be equal to the userId
4. Apply the patch.
5. Login to the OPAC with an LDAP account that has a cardnumber which is different to the userId
6. Check the patron record's cardnumber.
7. The cardnumber should be the same as before
Signed-off-by: Alexander Wagner <alexander.wagner@desy.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Extra test plan:
1. Apply the regression tests
2. Run:
$ ktd --shell
k$ prove t/db_dependent/Auth_with_ldap.t
=> FAIL: Tests fail! 'cardnumber' incorrectly overwritten
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests now pass!
5. Sign off :-D
Signed-off-by: Alexander Wagner <alexander.wagner@desy.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
And remove C4::Utils::DataTables, which should no longer be reused
anyway.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
We are having reports that AllowItemsOnHoldCheckoutSCO and AllowItemsOnHoldCheckoutSIP no longer work. It appears that in CanBookBeIssued, the ignore reserves check was changed from "check reserves unless the ignore reserves flag was passed" to "check reserves unless the ignore reserves flag was passed *and* we have a recall". I think this was a logic mistake and we want to check reserves unless we have an ignore flag *or* there is a recall.
Test Plan:
1) Enable AllowItemsOnHoldCheckoutSCO
2) Place a hold on an item
3) Attempt to check that item out to another patron
4) Note the checkout is blocked
5) Apply this patch
6) Restart all the things!
7) Attempt the checkout again
8) The checkout now succeeds!
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
To test:
1. Enable the ILS-DI system preference.
2. Place a hold for a patron and put it in transit.
Place another hold for a patron that is available for pickup at the local branch.
And then select an item that is available for checkout but don’t change the status for it.
3. Go to your testing OPAC and make an ILS-DI “Get Availability” call using
the item ids of the three items you worked with in step 2.
(i.e. http://localhost:8080/cgi-bin/koha/ilsdi.pl?service=GetAvailability&id=321+323+214&id_type=item)
4. Notice that the availability status for all three items is showing as available.
The item in transit and the item with a local hold should have a status
of not available and a message of why they are not available.
5. Apply the patch
6. Use restart_all.
7. Refresh the page and notice that the statuses are now correct.
The item in transit has a status of not available and an availability
message of “In transit”.
The item with the local hold has an availability status of not
available with an availability message of “On hold”.
Finally the available item is correctly showing up as available.
8. Sign off and have a wonderful day. :)
Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
When importing a staged file we commit every 50 records.
For an authority import we are also merging, which can affect many more biblios, and these all end up in the transaction.
This can cause table locks and issues across Koha.
Test Plan:
1) Apply this patch
2) prove t/db_dependent/ImportBatch.t
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Test plan:
prove -v t/db_dependent/Authority/Merge.t
Signed-off-by: David Nind <david@davidnind.com>
Amended-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Replace $biblio->id with $biblio->biblionumber
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
To test:
1. Set a book item's notforloan status as -1 and set the AllowNotForLoanOverride system preference to 'Allow'
2. Add the following lines to UpdateNotForLoanStatusOnCheckin (the
formatting and indentation is important to keep):
BK:
-1: ONLYMESSAGE
3. Check a book item out for patron.
4. Check book item in.
=> Description of notforloan status should be displayed under 'Check in message'.
=> Confirm notforloan status HAS changed.
5. Apply patch and update database if needed
6. Set the book item's notforloan status as -1 (or create a new one)
7. Check book item out for patron.
8. Check book item in.
=> Description of notforloan status should be displayed under 'Check in
message'.
=> Confirm notforloan status HAS NOT changed.
Also prove t/db_dependent/Circulation/issue.t
Sponsored-by: Catalyst IT, New Zealand
Signed-off-by: Anneli Österman <anneli.osterman@koha-suomi.fi>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This fixes current buggy behaviour - when BlockReturnOfLostItems is enabled, no transfer should be triggered and the lost status should be retained.
To test:
1. Go to Koha Administration -> Global system preferences
2. Set the BlockReturnOfLostItems system preference to Block
3. Enable the AutomaticItemReturn system preference (this is simply to make testing a bit faster)
4. Take note of your logged in library
5. Search for an item where the home library is NOT the same as your logged in library
6. Edit this item and give it a lost status
7. Check in the item
8. Notice the item is returned and a transfer is automatically triggered
9. If you go to the item record page, the lost status has been removed
10. Apply the patch and restart services
11. Edit the item again and give it a lost status. This will also cancel the transfer
12. Check in the item
13. Confirm the transfer is NOT triggered and the lost status is retained as expected.
14. Go back to system preferences and disable the BlockReturnOfLostItems system preference (set to "Don't block")
15. Check in the item
16. Confirm the transfer is triggered and lost status is removed
17. Confirm tests pass
prove t/db_dependent/Circulation/Returns.t
prove t/db_dependent/Circulation/Branch.t
Sponsored-by: Pymble Ladies' College
Signed-off-by: Esther <esther@bywatersolutions.com>
Signed-off-by: Kelly <kelly@bywatersolutions.com>
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>