Commit graph

21 commits

Author SHA1 Message Date
Julian Maurice
96cc447045 Bug 25898: Prohibit indirect object notation
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-10-15 12:56:30 +02:00
eaee34f47a
Bug 24018: Remove die "Not logged in"
Signed-off-by: Michal Denar <black23@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-01-20 14:03:49 +00:00
607c66e436 Bug 18403: Fix few errors found with hit_pages.t
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:43 -03:00
cee2cf9ff9 Bug 18403: Add sub output_and_exit_if_error - unknown_patron & cannot_see_patron_infos
Test plan:
Login with a patron that is not allowed to see patron's information for patrons
outside of his group. Try to access patron's information from scripts of the patron
module (members/*) and circ/circulation.pl.
You should be able to access patron's information of patrons outside of your group
and get "You are not allowed to see the information of this patron."
If you try and access a patron page with a borrowernumber that does not exist, you
should get "This patron does not exist"

Technical note:
A new C4::Output subroutine is created in this patch: "output_and_exit_if_error"
Executed at the beginning of the script it will permit not to copy/paste all the
different checks to know if the logged in user is authorised to see patron's information.
The design here can be discussed, but I did not find an alternative with as less changes.
On the way I refactor what we did with 'unknowuser' previously: it will now work with all
patron pages, not only the few that used it.
Note that the 'or die "Not logged in";' part should not be needed, but... who trusts
C4::Auth?
I think it could be used as a safeguard later. I am willing to sed and remove them
if required.

Changes in discharge.pl are mainly indentation changes.

With this patch we should now have a $patron variable that refer to the patron we
want to access. That will be very useful to remove plenty of code in members/* and
only pass this variable to the template (instead of 1 variable per patron's attribute).

Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:38 -03:00
4bc92169dc Bug 18403: Update permissions - borrowers => 1|* becomes borrowers => 'edit_borrowers'
Test plan:
Login with a patron that only have the 'edit_borrowers' permission.
You should be able to access patron's information of patrons inside of your group.

Technical note:
Before this patchset the borrowers permission module contains only 1 permission 'edit_borrowers'.
That meant
  borrowers => 1
and
  borrowers => '*'
had the same behavior.
Moreover, now that we have 2 permissions, 'CAN_user_borrowers' is set when all
permissions of 'borrowers' are set.
We need to update the different occurrences of these tests.

Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:37 -03:00
Te Rauhina Jackson
f2502c9499 Bug 20009: use Modern::Perl in Members perl scripts
Test Plan:
Check the following files have been updated from
use strict;
use warnings;
to
use Modern::Perl;

boraccount.pl
default_messageprefs.pl
deletemem.pl
files.pl
mancredit.pl
maninvoice.pl
member-flags.pl
member-password.pl
memberentry.pl
members-home.pl
members-update-do.pl
moremember.pl
notices.pl
pay.pl
paycollect.pl
printfeercpt.pl
printinvoice.pl
printslip.pl
readingrec.pl
routing-lists.pl
setstatus.pl
update-child.pl

Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-05 09:46:44 -03:00
f48409bb8d Bug 16911: Rename extend_subscription with renew_account
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-09 09:45:32 +00:00
e4e90ea0da Bug 16911: Koha::Patrons - Move ExtendMemberSubscriptionTo to ->extend_subscription
This patch moves the code from C4::Members::ExtendMemberSubscriptionTo
to Koha::Patron->extend_subscription.

The expected behavior is:
When a new patron is created, the enrolment period defined for the
patron category is used unless an enrolment period date is defined. In
that case, this date is used.
When an account is renewed, the pref BorrowerRenewalPeriodBase is used to
determine if the subscription is renewed from today or from the day when his/her
account has expired.

Test plan:
Confirm that the behavior is correct before this patch and that it's
still the same after this patchset applied.

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-09 09:45:32 +00:00
653d305452 Bug 14910: Redirect to the circulation module after a renew
iIf a patron is renewed from the circulation module, the librarian
should be redirected to the circulation module.
This works correctly if the renew is done from the patron module
(members).

This is caused by a typo in the template: desintation vs destination.

This patch also removes the cardnumber parameter to the setstatus.pl
script, it is not needed given that borrowernumber is always passed.

This has a good side-effect, it will fix bug 14691. The cardnumber does
not exist anymore, so no need to escape it :)

Test plan:
0/ Do not apply this patch
1/ Create a patron with a cardnumber with a quote (rm'me) and another
one without a quote (rmme)
2/ Go on the checkouts page (circ/circulation.pl)
3/ Renew the 2 patrons
=> With rm'me you are redirected to the circ module - ok
=> With rmme you are redirected to the member module - nok
4/ Go on the patron detail page (members/moremember.pl)
5/ Renew the 2 patrons
=> you are redirected to the member module - ok
6/ Delete the patrons
=> Nothing happend with rm'me, there is a JS error on the page - nok
=> rmme is deleted - ok

7/ Apply the patch and recreate rmme
8/ Repeat 2, 3, 4, 5
=> You are redirected to the correct module
9/ Delete the patrons
=> They are successfully deleted

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Followed the test plan, works as advertised. (I did have some problems
initially, but that was caused by me not using the interface in
English...)

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
2015-10-02 14:22:16 -03:00
Jonathan Druart
a6c9bd0eb5 Bug 9978: Replace license header with the correct license (GPLv3+)
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>

http://bugs.koha-community.org/show_bug.cgi?id=9987

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-04-20 09:59:38 -03:00
Jonathan Druart
e20270fec4 Bug 11944: use CGI( -utf8 ) everywhere
Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-01-13 13:07:21 -03:00
Galen Charlton
259163d1d7 Bug 9406: ensure confirmation of patron renewal is displayed
When renewing a patron from the patron details page, ensure that
the "Patron's account has been renewed until XXX" is actually
displayed.

This patch introduces a was_renewed CGI and template parameter
to clarify the intent of the relevent template sections.

To test:

- Before applying the patch, renew a patron from the patron
  details page and verify that you don't see the renewal confirmation.
- After applying the patch, renew the patron from the details page
  and verify that the "Patron's account has been renewed until XXX"
  message shows up.
- Renew the patron from the checkout page and verify that the confirmation
  message shows up.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Message now displays for both tabs.
Fixed tab to make QA script pass.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-03-30 21:22:00 -04:00
Fridolyn SOMERS
ab0b5b5283 Bug 9953 - When OpacMaintenance breaks lifting debarment
When OpacMaintenance is on, any opac page will redirect to maintenance.pl.
Some pages of intranet have the same behavior and you get 404 error.
This is because in checkauth, if type arg is undefined it is "opac" by default.

This patch adds type arg in all intranet calls of checkauth.

Test plan :
- Set syspref OpacMaintenance=Show
- Go to a borrower page
- Click on "Fines" and "Create manual invoice"
- Enter an amount and save
=> Check you go to members/boraccount.pl and not maintenance.pl with 404 error

OK

- Click on "Fines" and "Create manual credit"
- Enter an amount and save
=> Check you go to members/boraccount.pl and not maintenance.pl with 404 error

OK

- Edit borrower
- Set "Restricted" to yes and save
- Click on "Lift restriction" in messages
=> Check you keep in member page and not maintenance.pl with 404 error

OK

- Edit borrower
- Set "Expiry date" to a day in the past and save
- Click on "Renew" in messages
=> Check you keep in member page and not maintenance.pl with 404 error

OK

Signed-off-by: Liz Rea <liz@catalyst.net.nz>
Good catch, a tricky bug.
http://bugs.koha-community.org/show_bug.cgi?id=9952

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Removed a few tabs from mancredit.
All tests and QA script pass now.
Good test plan.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-03-30 17:08:27 -04:00
8fd75227fc Bug 6261 [Revised] Consolidate patron toolbar include files
The staff client has two almost identical include files which
can be consolidated: circ-toolbar.inc and members-toolbar.inc.
This patch marges the slight differences between them and
eliminates circ-toolbar.inc, that being the one which was used
on fewer pages.

In order to accommodate the different "destination" variable
for operations which redirect back either to circ or patrons,
circulation.pl defines "destination" in the template.

Revision corrects a redirect error in setstatus.pl which
predates this patch but which never showed up until now.

To test, perform various operations from the toolbar on at least
two pages: circulation.pl and moremember.pl.

Operations: Edit, add child, duplicate, change password, print (all
options), search to hold, renew, set permissions, delete, update child
to adult, and export checked-in barcodes. In most cases simply
confirming that the link takes you to the right place is enough.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2012-12-27 18:36:42 -05:00
Robin Sheat
4cbeeedbe8 Bug 6296: allow users to be authenticated by SSL client certs
This adds a new syspref: AllowPKIAuth. It can have one of three states:
* None
* Common Name
* emailAddress

If a) this is set to something that's not "None", and b) the webserver
is passing SSL client cert details on to Koha, then the relevant field
in the user's certificate will be matched up against the field in the
database and they will be automatically logged in. This is used as a
secure form of single sign-on in some organisations.

The "Common Name" field is matched up against the userid, while
"emailAddress" is matched against the primary email.

This is an example of what might go in the Apache configuration for the
virtual host:

    #SSLVerifyClient require # only allow PKI authentication
    SSLVerifyClient optional
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/apache2/ssl/test/ca.crt
    SSLOptions +StdEnvVars

The last line ensures that the required details are
passed to Koha.

To test the PKI authentication, use the following curl command:
    curl -k --cert client.crt --key client.key  https://URL/
(look through the output to find the "Welcome," line to indicate that a user
has been authenticated or the "Log in to Your Account" to indicate that a
user has not been authenticated)

To create the certificates needed for the above command, the following series
of commands will work:
    # Create the CA Key and Certificate for signing Client Certs
    openssl genrsa -des3 -out ca.key 4096
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    # This is the ca.crt file that the Apache config needs to know about,
    # so put the file at /etc/apache2/ssl/test/ca.crt

    # Create the Server Key, CSR, and Certificate
    openssl genrsa -des3 -out server.key 1024
    openssl req -new -key server.key -out server.csr

    # We're self signing our own server cert here.  This is a no-no in
    # production.
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
        -set_serial 01 -out server.crt

    # Create the Client Key and CSR
    openssl genrsa -des3 -out client.key 1024
    openssl req -new -key client.key -out client.csr

    # Sign the client certificate with our CA cert. Unlike signing our own
    # server cert, this is what we want to do.
    openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
        -set_serial 02 -out client.crt
    openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
    # In theory we can install this client.p12 file in Firefox or Chrome, but
    # the exact steps for doing so are unclear, and outside the scope of this
    # patch

Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Tested with Common Name and E-mail authentication, as well as with PKI
authentication disabled. Regular logins continue to work in all cases when
SSL authentication is set to optional on the server.

Signed-off-by: Ian Walls <koha.sekjal@gmail.com>
QA comment: synchronized updatedatabase.pl version of syspref with sysprefs.sql
version, to avoid divergent databases between new and upgrading users.
2012-03-19 17:02:44 +01:00
Paul Poulain
1fe3514c3c Bug 6328 fine in days does not work
Some code coming from BibLibre has been lost in the process of inclusion in
3.4. The result is that fine in days does not work at all (you can setup rules,
but it does nothing)

Step to reproduce:

- Koha > Admin > circ rules > set 1 day fine every day of overdue for default
  rule
- Issue a book return date last week
- check-in the book => no debarment is set

The following patch will fix all of those problems by :

* updating borrowers.debarred to a date field (instead of tinyint). It contains
  the limit of the debarment
* changing API of DebarMember and UpdateBorrowerDebarred to pass a date
* display debarrdate where applicable. Note that a debarrdate of 31/12/9999 is
  considered as unlimited and not displayed
* added a debarrcomment, usefull to explain why a patron is debarred (this is
  independant from debarrdate changes and can be used when placing an unlimited
  debarment too)

[2011-05-12] F. Demians. It works as described. And I can confirm this
functionality is impatiently awaited by French libraries since one year. Thanks
BibLibre for the good work and for contributing this code.

Bug 6328 Followup--update DB structure

Thanks Katrin.

Bug 6328: make comment a textbox / fix debar by notice trigger

Debarring by notice triggers was broken, because the new function
expects a date as second parameter.

The comment field in patron account details was a very long text field.
Patch changes it to be a textbox instead.

Bug 6328: Lift debarment leaves patron account

'Lift debarment' redirects to an empty circulation page.

BZ6328 follow-up 3

Fixes comment 23 from Fernando L. Canizo : when the patron was debarred and debar removed
he still could not check-out.

The changes in the IsMemberBlocked (that were on biblibre/master) were lost somewhere
The sub was still checking for old_issues instead of calling CheckBorrowerDebarred
to get a debardate if applicable

Note : this bug was appearing only is you had issuing rules defined for itemtype/categorycode/branch.
Seemed to work if you had only default rules. That's probably why it hadn't been spotted before

BZ6328 follow-up 4
Comments fron Zeno Tajoli: The patch is OK and I sign-off it. Two little changes done on
installer/data/mysql/kohastructure.sql and installer/data/mysql/updatedatabase.pl

Signed-off-by: koha <koha@kohabase.localdomain>
2011-11-25 14:00:47 +01:00
Paul Poulain
ddbedbfc2f Bug 4330 : Adding some copyright BibLibre statements 2011-03-21 10:57:20 +13:00
Lars Wirzenius
e8df566734 Fix FSF address in directory members/
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-03-16 20:17:55 -04:00
Garry Collum
7f25142410 Bug 2505: Added warnings to members/members-home.pl and members/setstatus.pl
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2009-09-29 19:11:34 -04:00
0e675ef820 - Changes to the way patron renewals are handled. Circulation page now offers 'renew' link alongside warning about patron expiration (as in dev_week), using the new setstatus script.
- Member pages now use member toolbar include instead of circ one
- setstatus.pl now uses 3.0's patron renewal function
- Adding missing item-bullet.gif (Bug 1659)

Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-12-17 19:24:49 -06:00
Joshua Ferraro
6f28205b09 adding setstatus.pl from dev_week
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-12-14 11:56:21 -06:00