This patch clarifies the list of operators both in the validate routine
and in the swagger descrption block where we document this feature for
the end user.
JD amended patch: tidy
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
This patch adds regression tests. With the current codebase, the
malicious query returns a 200. It should be caught and a 400 needs to be
returned.
To test:
1. Apply this patch
2. Run:
$ ktd --shell
k$ prove t/db_dependent/api/v1/query.t
=> FAIL: It returns a 200
3. Once the rest of the patches are ready, repeat 2
=> SUCCESS: It returns a 400
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
This patch validates the plugin_name passed to plugin_launcher.pl
against the base path containing the "value_builder" directory.
Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber=29
3. Check that the tag editor for leader still works
4. Go to http://localhost:8081/cgi-bin/koha/cataloguing/additem.pl?biblionumber=29
5. Check that the pluginf or "Date acquired" still works
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
To test
1/ Add some items to your cart in the opac
2/ Choose send cart
3/ Open firefox developer tools and switch to the network tab
4/ Send cart
5/ In the network tab, find the post request and choose copy as curl
6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+- to the bib_list parameter
7/ Run the curl notice it takes a long time to respond, if you want to check run the curl without the above part added
8/ Apply the patch and restart plack
9/ Run the modified curl and notice no longer the slow down
10/ Test in browser and make sure the basket is still sent
Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Actually in _get_tt_params
The following query will delay the response
SELECT `me`.`biblionumber`, `me`.`frameworkcode`, `me`.`author`, `me`.`title`, `me`.`medium`, `me`.`subtitle`, `me`.`part_number`, `me`.`part_name`, `me`.`unititle`, `me`.`notes`, `me`.`serial`, `me`.`seriestitle`
, `me`.`copyrightdate`, `me`.`timestamp`, `me`.`datecreated`, `me`.`abstract`
FROM `biblio` `me`
WHERE `biblionumber` = '1) AND (SELECT 1 FROM (SELECT(SLEEP(6)))x)-- -'
ORDER BY field( biblionumber, 1 ) AND (
SELECT 1
FROM
SELECT SLEEP( 6 ) x
) -- - )
To test
1/ Add some items to your cart in the opac
2/ Choose send cart
3/ Open firefox developer tools and switch to the network tab
4/ Send cart
5/ In the network tab, find the post request and choose copy as curl
6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+- to the bib_list parameter
7/ Run the curl notice it takes a long time to respond, if you want to check run the curl without the above part added
8/ Apply the patch and restart plack
9/ Run the modified curl and notice no longer the slow down
10/ Test in browser and make sure the basket is still sent
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
To test:
1/ create a file named something like 'execute`curl blog.bigballofwax.co.nz`.zip'
Where the domain is one you can watch the logs from
2/ Upload this file as a cover image
3/ Check /var/lib/koha/sitename/tmp/koha_sitename/ and see unescaped filenames
4/ Choose process, check the logs of the webserver see the connection has been made
5/ Apply the patch
5/ Repeat 2 & 3 and see the filename is now escaped
6/ Choose process and check no errors but no no remote execution occurs
7/ Test uploading actual zip file and images still works
Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
This patch refactors checkpw_internal to remove the SQL code, use patron ojbects, and return the
patron that correctly matches the userid/caerdnumber when auth is successful
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
This patch moves some patron fetching code in C4/Auth to use to patron returned from the validation
methods and only try to fetch the patron (to check if locked, update attempts, etc) if we didn't authenticate
To test:
1 - Set a user to have userid = BANANA password = Password1
2 - Set a user to have cardnumber = BANANA password = Password2
3 - Hit the patron authentication API:
http://localhost:8080/api/v1/auth/password/validation
with data:
{ "identifier": "BANANA", "password":"Password1" }
and:
{ "identifier": "BANANA", "password":"Password2" }
4 - Note you receive the same response for both
5 - Apply patch, restart all
6 - Repeat the API and confirm you get the correct patron for the password submitted
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
A Marcel's QA patch to Bug 36552 added use POSIX; in two spots.
In https://metacpan.org/pod/POSIX we read:
CAVEATS
Everything is exported by default (with a handful of exceptions). This is
an unfortunate backwards compatibility feature and its use is strongly
discouraged. You should either prevent the exporting (by saying use
POSIX ();, as usual) and then use fully qualified names (e.g.
POSIX::SEEK_END), or give an explicit import list. If you
do neither and opt for the default (as in use POSIX;), you will
import hundreds and hundreds of symbols into your namespace.
This patch fixes this.
No test plan.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 8d9ccd6fc3)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit ca023b334c)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 1137793e44)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit dcddcda37d)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Suspending a hold doesn't clear the date from the date picker. When another hold is suspended
the previously used date will show on the date picker but the value is not set on the hold.
Suspending the hold will suspend it indefinitely. Also the link "Clear date to suspend indefinitely"
will not clear the date picker. This patch will make both the Suspend button and the Clear date link
clear the dates from both the date picker and the variable passed on, making the suspending consistent
with what is seen on the date picker.
Test plan:
1) Place 3 holds on a patron.
2) Suspend a hold and set a date for it.
3) Suspend a second hold and notice the previously used date is shown on the date picker.
Note that the hold will be suspended indefinitely.
4) Open the suspending window for the third hold and pick a date. Click "Clear date to suspend indefinitely"
and note the date picker doesn't get cleared. The hold will be suspended indefinitely.
5) Apply patch.
6) Suspend a hold and set a date for it.
7) Suspend a second hold and notice the date picker does not have a preset date.
8) Pick a date and clear it with the "Clear date to suspend indefinitely link".
See that the date picker also gets cleared.
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 0f0479e87a)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 44a26cbec7)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
t/db_dependent/Serials.t .. 2/57 Use of uninitialized value in numeric gt (>) at /kohadevbox/koha/C4/Serials.pm line 2029.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 7d75ec3e26)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit f41e739885)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
t/db_dependent/Holds/LocalHoldsPriority.t .. 1/7 Use of uninitialized value in numeric gt (>) at /kohadevbox/koha/C4/Reserves.pm line 866.
t/db_dependent/Holds/LocalHoldsPriority.t .. 2/7 Use of uninitialized value in numeric gt (>) at /kohadevbox/koha/C4/Reserves.pm line 866.
Use of uninitialized value in numeric gt (>) at /kohadevbox/koha/C4/Reserves.pm line 866.
Use of uninitialized value in numeric gt (>) at /kohadevbox/koha/C4/Reserves.pm line 866.
t/db_dependent/Holds/LocalHoldsPriority.t .. 5/7 Use of uninitialized value in numeric gt (>) at /kohadevbox/koha/C4/Reserves.pm line 866.
t/db_dependent/Holds/LocalHoldsPriority.t .. ok
All tests successful.
We didn't have the default values generated by the DBMS
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 6827c9061f)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 233e92f899)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
A simple direct fix for the height of the advanced editor's clipboard,
which is a <select size="10"> that's currently cut down to the height of
one thick line by CSS intended for non-multiple, non-sized selects with
dropdown menus.
Test plan:
1. Set the pref EnableAdvancedCatalogingEditor to Enable
2. Cataloging -> Advanced editor
3. Note the Clipboard is a single line tall
4. Apply patch, shift+reload Advanced editor
5. Note the Clipboard is ten lines tall
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 10a8dc5108)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 0413d06b0e)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
I found the initial addition of 'or the branch chosen at login' to the
system preference description more misleading than the original. After
discussion on mattermost and with training staff here at PTFS the best
alternative we could come up with is proposed here.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 85735e86f4)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit b478d91b59)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
This adds a sort based on branchcode, it's a fallback for an edge case that should be rare
so I think is acceptable, as long as documented.
I added test coverage, but it may no longer be possible to encounter this scenario.
System preference descriptions are updated as well.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 46cecfdd72)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 7682763fca)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
This could be considered a configuration flaw, but when:
StaffLoginBranchBasedOnIP enabled and not AutoLocation
or
AutoLocation enabledand no IP set in user's branch
AND
two branches have the same IP set
the user can be logged in randomly to one of the matching branches.
These test often pass, but will also randomly fail
Easier to verify with a one liner demonstrating current code:
perl -e 'use Koha::Libraries; use List::MoreUtils qw(uniq); my $branches = { map { $_->branchcode => $_->unblessed } Koha::Libraries->search->as_list }; my $branchcode="CPL"; warn Data::Dumper::Dumper( uniq( $branchcode, keys %$branches ));'
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 7e88035372)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit aa1c4c0281)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 6966fcc398)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 15bf32a50a)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
We are removing entirely the badly written test.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Note: We cannot test this properly when the search index refers to biblios
and items that do not exist in the database.
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 1251138528)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 98fa5f6b25)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Those are a pain really
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit a77d74b903)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 78d1f934c2)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
While this is a new preference, this was the standard behavior for a long time. I think we should
default to enabled to restore previous behavior.
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e48e3d02f3)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit a479192e67)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
... and replace some branches with libraries.
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 0d4ee53198)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit a6b9845ecf)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
This patch adds a new system preference StaffLoginBranchBasedOnIP which restores the behaviour before bug 35918
of using the current IP to determine the user's logged in branchcode
To test:
1 - Get your current ip
2 - Set that IP for a library in the administration section
3 - Find a user account assigned to a different library that can login to staff side
4 - Login to staff as that user, select 'My library'
5 - You are logged in to the user's branch
6 - Apply patch, restart all
7 - Log out and back in, selecting 'My library'
8 - You are logged in to the user's branch
9 - Enable new system preference StaffLoginBranchBasedOnIP
9 - Log out and back in, selecting a different branch, noting the new warning below the library selection
10 - You are logged in to the branch with the matching IP
11 - Log out and back in, selecting 'My library'
10 - You are logged in to the branch with the matching IP
11 - Change your logged in branch
12 - Verify the selection sticks and you can perform staff actions in the chosen branch
13 - Change the IP of the library to one that doesn't match yours
14 - Verify you can log out and log back in and that selected branch is respected when your IP doesn't match library IP
Signed-off-by: Kristi Krueger <KKRUEGER@cuyahogalibrary.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 3a0d6f5d07)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 6f4632ef04)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Argument "" isn't numeric in int
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 678e3f6e20)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 4c4349dbdb)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Test plan:
Try passing page=x now and verify different behavior (no 500).
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 90f0113557)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit d903ffd4e6)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
