The userenv (logged in user's info) are stored in
$C4::Context->context->{activeuser}, which persists in plack worker's
memory.
It's really bad in theory as we are not cleaning it before or after the
HTTP request, but only when set_userenv is called (what we are doing
commonly in C4::Auth::get_template_and_user).
If C4::Context->userenv is called before set_userenv we should get undef,
not the userenv from the previous request!
In practice this should not be a problem, but well... who really knows?
This patch suggests to have a middleware to deal with removing the
userenv at the beginning of each request (maybe it should be after, right? - FIXME).
To test:
1 - Edit /etc/koha/sites/kohadev/koha-conf.xml to set <plack_workers>1</plack_workers>
2 - Edit about.pl and add a line after: CGI->new:
warn Data::Dumper::Dumper( C4::Cointext->userenv() );
3 - tail -f /var/log/koha/kohadev/*.log
4 - View about.pl in staff interface, should get a "somethign's wrong" warning
5 - Reload, you get current user info
6 - Open an incognito tab, sign in as a different user and click some stuff
7 - Reload about.pl in other window
8 - You get the opac user info
9 - Apply patch
10 - Edit /etc/koha/sites/kohadev/plack.psgi and add the middleware after "RealIP":
enable "+Koha::Middleware::UserEnv";
11 - Restart all
12 - Reload about.pl - you get a "Something's wrong" warning
13 - Click things in opac on incognito window
14 - Reload about.pl - only "Something's wrong" - you no longer see any user info
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
WNC amended patch: tidied
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
To prevent XSS
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Really bad design, NEVER retrieve the logged in user from the CGI
param!
See comment 1 for more info
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
1) Set borrower surname to:
<script>alert("here comes trouble");</script>
2) Save, nothing happens
3) Enable showLastPatron
4) Reload patron
5) Note the alert popup
6) Apply this patch
7) Reload patron
8) No alert!
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
When using the opac trusted checkout feature it is possible to enter non existant or partial barcodes to check out items.
Testplan:
a) set System preference OpacTrustedCheckout to Allow
b) go to http://localhost:8080/ and login with koha / koha
c) click Self Checkout in navigation bar
d) enter barcode 1234
e) result: Item '39999000011234' was checked out
apply patch and reload the page
a) now enter barcode 1234
b) result: Item '1234' not found
c) enter 39999000011234
d) result: Item '39999000011234' was checked out
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Setting field "Protected" as hidden in patron entry/modification
form via BorrowerUnwantedField syspref doesn't work. Form is
missing condition "UNLESS noprotected".
To test:
1. From BorrowerUnwantedField, check field "Protected" as hidden.
2. Either attempt to create a new patron or modify existing one.
=> Note that "Protected" is still displayed in the form.
3. Apply this patch.
4. Navigate back to create/modify patron form.
=> Note that "Protected" is no longer displayed.
5. Uncheck field "Protected" from BorrowerUnwantedField.
=> Field should now be displayed in create/modify form.
Sponsored-by: Koha-Suomi Oy
Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
I checked the UNIMARC authResults counterpart file. And it only
contained a single case of generated elements like the previous patch.
To test:
1. On latest main
$ ktd --shell
k$ cd misc/translator/po
k$ git fetch
k$ git reset --hard origin/main
k$ cd /kohadevbox/koha
k$ gulp po:update --lang es-ES
k$ cd misc/translator/po
k$ git add -u ; git commit -mWIP --no-verify
2. Apply this patches
3. Run:
k$ cd /kohadevbox/koha
k$ gulp po:update --lang es-ES
k$ cd misc/translator/po
k$ git diff
=> SUCCESS: Notice CSS class names are not translated anymore
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch makes the XSLT contain HTML tags instead of building them
from scratch with static attribute values. This made it awkward for
translators as CSS classes ended up being extracted for translation
purposes. Plus, there's no need to spend CPU cycles on static content
generation.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
The main entry form of corporate names (110), uniform titles (130), topical
terms (150), geographical names (151), and genre/form (155) are not indexed
with 'Match' search field in Elasticsearch standard mapping. As a result,
the respective records are not present on the result list when performing
an 'All headings' search for the authority records with the main heading form
(MARC 21).
Test plan
=========
0. Have a test installation with Elasticsearch.
1. In Authorities, make an 'All headings' search for a main entry
form from the corporate names, uniform titles, topical terms,
geographical names, or genre/form
--> e.g., in ktd: UK Archiving. You will get no results.
2. Apply the patch, reindex with:
sudo koha-elasticsearch --rebuild -r -a kohadev
3. Repeat the test. You should see 'UK Archiving' on the result list.
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
We can get into a scenario what a user cannot stay logged in for more than a single page load.
If AutoLocation is enabled with branch IP addresses being set to a space, you will be logged out with every page load.
Test Plan:
1) Set your branch ip to a space
2) Enable AutoLocation
3) Restart all the things!
4) Log out
5) Log in
6) Browse to another page
7) You are logged out
8) Apply patch
9) Repeat 1-6
10) You are not logged out!
Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
To test:
1- Find or create a circulation rule with a 'Holds allowed (total)' limit of 3 (or another number) and no value in 'No automatic renewal after (hard limit)'
2- Select to edit the rule, and note that 'No automatic renewal after (hard limit)' box in the editing line is now populated with a date
3- Note also that 'Holds allowed (total)' is empty in your editing line
4- If you save your edits without clearing the new 'No automatic renewal after (hard limit)' date, it will save as part of the rule. Also, 'Holds allowed (total)' will save as Unlimited unless you re-add your numerical value.
5- APPLY PATCH
6- Try again, the values should save corrected and not erroneously fill the No automatic renewal after (hard limit) column.
Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
We were no longer getting a match here and so ended up with 2 forms on
the budget page (where we have two modals for patron: owner and users).
Caught be selenium tests patrons_search.t :
Error while executing command: element not interactable: Element <a class="patron_name patron_preview" href="/cgi-bin/koha/circ/circulation.pl?borrowernumber=511"> could not be scrolled into view
It fixes the following UI issues:
When you open a modal, start a search, close the modal
open the other modal search: the results from the other modal were shown
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
The aside element is now a parent of the form block, in
patron-search.inc (BLOCK patron_search_filters).
On members/members-home.pl there were 2 nested aside
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Previous patch "Bug 35362: (follow-up) Fix guaruntor preview modal close in test"
didn't adjust the other occurrences.
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch updates the test files to correctly create authorities and/or correctly
mock the needed data for authorities.
the tests in t/db_dependent/Authority/Merge.t cover the case of 'Default' authorities
which don't have valid headings - so I had to add handling for blanking the heading field
when Default type is used.
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
The JavaScript for approving or rejecting tags in the staff interface's
tag review interface lacked a CSRF token for the POSTed requests. This
patch adds the token for "approve" and "reject" operations.
To test, apply the patch and clear your browser cache if necessary.
- If necessary, enable tags in system preferences.
- Log in to the OPAC and submit multiple tags on various records.
- In the staff interface, go to Tools -> Tags.
- Test the process of approving and rejecting tags by clicking the
buttons in each row of the table of tags.
- The browser console should show no errors, and the lists of approved
and rejected tags should correctly show the tags you moderated.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Testing plan:
1. Start up KTD with Elasticsearch: ktd --es8 up
2. Apply the patch and restart everything (restart_all).
3. Reset the mappings: Administration > Catalog > Search engine configuration (Elasticsearch) > Reset mappings (at the bottom of the page)
4. Reindex: koha-elasticsearch --rebuild -d -b -a kohadev
5. Alternative to steps 3 and 4: reset_all
6. Update the visibility for 254$a in the default framework so that it is visible in the Editor (OPAC, Staff interface should already be selected).
7. Add a new record using the default framework and put a term in 254$a, such as 'Full score'.
Sponsored-by: Education Services Australia SCIS
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch adds the authority search header include to the authorities
editor page.
To test, apply the patch and go to Authorities -> New authority.
There should now be a set of authority search forms at the top of the
page.
Signed-off-by: Michelle Spinney <mspinney@clamsnet.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
To test:
1. Enable EnableItemGroups and EnableItemGroupHolds
2. Go to the OPAC and log in as a patron
3. Go to any record that doesn't have grouped items and try to place a hold
4. Click on "Show more options"
5. See "Request specific item group:" and dropdown
6. APPLY PATCH
7. Try again, this time if the record has no item groups you should not see the dropdown at all.
Signed-off-by: Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com>
Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Add edit buttons for patron flags in attention box and show
flag status in detail view
To test:
1) Go to patron details for a patron with address in
doubt and card lost flags set and verify these are
highlighted under "Library use" and the patron messages
has edit buttons that links to the modfiy patron page.
Sponsored-by: Gothenburg University
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Test plan:
1. Apply patch
2. Do an item search and notice the column containing the item number
Signed-off-by: Michelle Spinney <mspinney@clamsnet.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This follow-up:
1. Updates the OPACAuthorIdentifiersAndInformation system preference
description.
2. Changes the OPAC heading used on the bibliographic record and
authority record detail pages from "Author identifiers/information"
to "Author information". Identfiers are a subset of author information
and having just "Author information" is sufficient. In addition,
the authority record doesn't have to include identifiers.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
The values were correctly inserted but the display was not sorting
correctly
Signed-off-by: Signed-off-by: Hugo Agud <hagud@orex.es>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
With this patch the different info can be ordered when editing the
syspref
Sponsored-by: Orex Digital
Signed-off-by: Signed-off-by: Hugo Agud <hagud@orex.es>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch merge the previous patch attempt with the existing OPACAuthorIdentifiers syspref.
It creates a new syspref OPACAuthorIdentifiersAndInformation and remove
OPACAuthorIdentifiers.
"identifiers" become an entry of the new syspref.
Test plan:
Select some entries in OPACAuthorIdentifiersAndInformation
Edit an authority record and enter data in the corresponding subfield
(the list is on the syspref entry)
Go to the biblio detail page or the authority detail page at the OPAC
and notice that the info you selected are correctly displayed.
Sponsored-by: Orex Digital
Signed-off-by: Signed-off-by: Hugo Agud <hagud@orex.es>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Sponsored-by: Orex Digital
Signed-off-by: Signed-off-by: Hugo Agud <hagud@orex.es>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch removes unwanted whitespace between the tabs and the tab content
Test plan:
1) Enable the ERM module and navigate to the eUsage > Reports sections
2) Observe the whitespace between the tabs and the content
3) Apply patch and run yarn build
4) Hard refresh the page, the whitespace should be gone
Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Test plan:
1) Look at the patch diff and observe that the commented out code has been removed
Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Bug 31123 added new feature with preference ContentWarningField.
Add this behavior to UNMARC XSLT files.
This patch adds new template 'tag_content_warning' in UNIMARCslimUtils.xsl
called in results and details pages.
New field is placed after 3xx.
Test plan (in both interfaces OPAC and staff):
1) Create a new field 599 in framework
2) Set system preference ContentWarningField to 599
3) Edit a record to add a 599 with text in $a$b and an URL in $u
4) Perform a search to find this record
=> Check you see content_warning: <a href="$u">$a</a> $b
5) Click on details page
=> Check you see content_warning: <a href="$u">$a</a> $b
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch exposes existing bookings as info dots in the flatpickr
Signed-off-by: Esther <esther@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Written patch to add flag to both koha-dump and koha-run-backups.
Test plan:
1. do a sudo koha-dump and sudo koha-run-backups and check the contents of the .tar.gz backup in /var/spool/koha/instance/ and verify logs are in there
2. apply this patch
3. this time do sudo koha-dump --exclude-logs and sudo koha-run-backups --exclude-logs and check the contents of the .tar.gz backup in /var/spool/koha/instance and verify nothing from /var/log/koha is in there.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch DRY's out the code by migrating the transient_result div into
the now widely included messages.inc include.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch changes the class of the success message from "success"
(which is a Bootstrap class) to "message" which is the class we use
elsewhere in Koha for this kind of informational message.
The patch adds the same dialog markup to labeledMARCdetail.tt.
The patch also trims trailing whitespace from place_booking_modal.js
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch restores the lost behaviour that a successful add/edit of a
booking via the 'Place booking' modal should notify the end user that
the submission was sucessful.
Test plan
1) Set an item as bookable to expose the 'Place booking' button
2) Place a new booking from the following pages and confirm that you
now recieve feedback.
* Catalog > Title > Details
* Catalog > Title > MARC details
* Catalog > Title > ISBD details
* Catalog > Title > Item details
* Catalog > Title > Bookings
3) Edit a booking on the 'Catalog > Title > Bookings' page and confirm
you now recieve feedback.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
It happens that librarians, by mistake, open a biblio editor putting in the
URL, by hand, the biblionumber prefixed with a blank (e.g.
.../addbiblio.pl?biblionumber= 123 -- mind the space before 123).
In such a case the editor opens with the right biblio record (i.e. 123)
but, after saving the record, the content of the biblionumber MARC
field (999 $c for a standard MARC 21 installation) results modified and
contains additional initial blanks.
Moreover, while using ES and making a search for the record (with title,
author etc.) we get two records on the result list (instead of one).
This is because in the addbiblio.pl script $biblionumber is taken (and
continuously used) directly from CGI parameter, without any
validation and/or correction.
Test plan:
==========
0. Have a test installation with ES.
1. Open a biblio record in the editor with an added space before
biblionumber value, e.g.:
http://ktd:8081/cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber= 123
Save the record.
2. From the Normal view choose Save -> MARCXML. Open the saved file in
your favourite editor. You should see, at the end, something like:
<datafield tag="999" ind1=" " ind2=" ">
<subfield code="c"> 123</subfield>
(mind the space before 123).
This is not right.
3. Make a search with the title or author's name from the record (e.g.
Henning Mankell for the record 123 from the default ktd data set).
You should get two records instead of one (while using ES).
4. Apply the patch, restart_all. Repeat p. 1 and 2 with a different
biblionumber. Notice the unchanged (i.e. without spaces) value
of 999 $c subfield in the exported record and only one record
as a result of a search.
WNC amended patch - rebased, added conditional in case no bib, moved comments to their own lines
Sponsored-by: Ignatianum University in Cracow
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
It happens that librarians to save time open an authority editor by putting
in the URL, by hand, the authid prefixed, by mistake, with a blank (e.g.
.../authorities.pl?authid= 100 -- mind the space before 100). In
such a case the editor opens with the right auth record (i.e. 100) but,
after saving the record, the content of the authid MARC field (001 for
a standard MARC 21 installation) results modified and contains
additional initial blanks.
Moreover, if the heading (1XX field) was modified in the authority record
during such an edit, the changes will not propagate to the linked
bibliographic records. And won't in the future.
This is because in the authorities.pl script $authid is taken (and
continuously used) directly from CGI parameter, without any
validation and/or correction (line 540 in the current main branch).
Test plan:
==========
1. Open an auth record in the editor with an added space before
authid value, e.g.:
http://ktd:8081/cgi-bin/koha/authorities/detail.pl?authid= 100
Modify the heading field -- in the ktd data set:
150 Computerized typesetting
Save the record.
2. a) Open the record for editing again--see the space added before
the authid in field 001. Close the editor (with Cancel).
b) Try to go to the linked biblio records with Used in X records.
Note no results, if using ES.
c) Remove the space before authid (after an:) in the URL.
Go to the linked biblio records. See that the content of
the field controlled by the modified auth record did not
update.
3. Apply the patch; restart_all.
4. Repeat p. 1 and 2 with a different authid. Everything should
be OK now.
Sponsored-by: Ignatianum University in Cracow
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
