This patch addresses the lack of sanitization of the "notes" field on
the OPAC "View Interlibrary loan request" page.
To test:
- Apply the patch
- As an OPAC user, create an ILL request
- Navigate to the request's "View Interlibrary loan request" page
- Add the following note:
Hello
<h1>TESTING</h1>
<script>alert('pwned');</script>
- Click "Submit modifications"
- TEST: Observe, when the page reloads, only the following is preserved in the
"Notes" textarea:
Hello
TESTING
- As a staff user, naviate to the ILL requests table
- Select "Manage request" for the request you created
- TEST: Observe that the Notes field only contains:
Hello
TESTING
- TEST: Observe that no Javascript alert is displayed
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
To test:
Make a record with a URL that has a UTF8 character, such as:
http://some.nonexistent.tld/MāoriWomenAotearoa.pdf
Run the check-url-quick.pl job, notice it dies at that URL
Apply this patch
Test again, it should work.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch removes the 'using_https' check in OPAC templates in calls to
Syndetics resources. Instead, https is always used.
To test, apply the patch and enable Syndetics-related preferences. View
the following pages in the OPAC:
- Bibliographic detail page
- Browse shelf section of the bibliographic detail page
- Search results
- List contents
- Recent comments
- Recent comments RSS
- User summary page
- Circulation history
NOTE: I tested with made-up Syndetics credentials. This means my changes
didn't make the template explode, but it doesn't confirm conclusively
that the resources work.
Signed-off-by: John Doe <you@example.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
There's a typo for 'locause', this should be 'localuse'.
Also, 'Credit*' is never used.
Signed-off-by: Maryse Simard <maryse.simard@inlibro.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Same as bug 21085.
When cities are defined, there is a select with name="select_city" added
to the DOM and its value will be passed to memberentry.pl
We must remove it from the attribute list before creating the
Koha::Patron object
No property select_city for Koha::Patron at
/usr/share/perl5/Exception/Class/Base.pm line 73
Test plan:
Define cities
Add or edit a patron, save
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Bug 17234 made an effort to remove the ALTER IGNORE from updatedatabase.pl so that it could work with Mysql 5.7. But new entries have since been added to it:
Bug 12395 - 18.06.00.005
Bug 19524 - 18.06.00.006
Bug 13560 - 18.06.00.008
This is corrected using column_exists to validate the existence of the new columns before ALTER
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Basically the idea is:
1. Undefined subroutine &C4::Items::ModZebra called at /home/vagrant/kohaclone/C4/Items.pm line 302.
=> Then use C4::Items before C4::Biblio
2. Undefined subroutine &C4::Circulation::GetItem called at /home/vagrant/kohaclone/C4/Circulation.pm line 1290
=> Then use C4::Circulation before C4::Items
And sometimes these 2 rules do not work...
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Test plan:
- Try a simple search (OPAC or staff) like "title:foo",
- click on a facet: badaboum!
- apply this patch,
- retry
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
It's a follow-up of
commit 9c6f634469
Bug 16912: Koha::Patrons - Move AddEnrolmentFeeIfNeeded to->add_enrolment_fee_if_needed
One of the known issue:
> update categories set enrolmentfee=2;
The use misc/devel/create_superlibrarian.pl to create a new
superlibrarian patron
Signed-off-by: Victor Grousset <victor.grousset@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
koha_1 | # Looks like you planned 20 tests but ran 9.
koha_1 |
koha_1 | # Failed test 'approve tests'
koha_1 | # at t/db_dependent/Koha/Patron/Modifications.t line
259.
koha_1 | [Something went wrong]# Looks like your test exited with
255 just after 5.
koha_1 | [21:13:47] t/db_dependent/Koha/Patron/Modifications.t
.....................
"Something went wrong" should never been thrown,
Koha::Patron::Modification->approve raises $@, but it's not defined, it
should raise $_ instead
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
The table is removed just before, this clause is useless.
It also fixes a test:
t/db_dependent/Creators/Lib.t .. 1/645
# Failed test 'get_table_names return all tables matching'
# at t/db_dependent/Creators/Lib.t line 1258.
# Structures begin differing at:
# $got->[10] = 'aqinvoice_adjustments'
# $expected->[10] = 'aqinvoices'
# Looks like you failed 1 test of 645.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
When ->store is called on an existing patron we must not save the
password, but keep the one in DB instead.
There is a dedicated method (update_password) to call when the password
need to be updated
Signed-off-by: John Doe <you@example.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: John Doe <you@example.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: John Doe <you@example.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
When the user is not superlibrarian or has the manage_suggestions
permission, the suggestion box on the left of the acq start page
needs to be hidden.
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Without this patch only catalogue permission was required
for managing suggestions. This patch adds a new permission
in the acquisition module do manage suggestions and updates
staff user permissions accordingly.
To test:
- Make sure there is a pending suggestion
- Create a few users with different permission sets:
- User 1: only catalogue
- User 2: any acquisition permission
- User 3: cataloguing permission
- Check all of them can access: /cgi-bin/koha/suggestion/suggestion.pl
- Apply the patch
- Verify all of them now have the suggestions_manage permission
- Verify everything displays correctly on:
- intranet start page
- patron account in staff
- acquisition start page
- suggestion page (try to access by URL too)
- Remove suggestions_manage for a staff user
- Repeat tests above, access should be denied/links not visible
Bonus:
- Fixes the link on the acquisition start page for late orders
to mage the permissions of the page itself: order_receive
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
It's safer to send what we need from C4::Auth it's needed from a whole
module.
The SELECT COUNT(*) query will only be done when needed (so not made
from scripts outside of circ)
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
1. body tag was missing
2. make "Date" column sortable correctly
3. remove CDATA and type="text/javascript"
4. Handle server-side errors
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
3. In the JS console: "ReferenceError: $ is not defined", I did not
investigate it.
Where do you see this in the console? I cannot recreate on opac-user.pl
or on circ/checkout-notes.pl.
5. The alert id=error is displayed then hide in JS, but it's then
displayed half a second. We should hide it by default (css)
Fixed in this patch
6. I would move the "mark seen" and "mark not seen" buttons at the
top of the table
Fixed in this patch
8. Cursor on "Select all" and "Clear all" links must be adjusted
Fixed in this patch
9. $(".btn-xs").click(function(event){
The selector should be $("button.seen, button.notseen"), you
do not want to apply this function to all other btn-xs on
the page (maybe there are only two for now, but who knows
later?)
Fixed in this patch
12. Important: When a note is updated, it's still marked as
seen. Is it the expected behavior?
I don't see this behaviour. When a note is updated it is
marked as not seen.
opav/svc/checkout_notes:79: $issue->set({ notedate =>
dt_from_string(), note => $clean_note, noteseen => 0
})->store;
13. What will happen when hundred of notes will be on this
table? Not blocker but we will need a "hide seen" buttons to
filters the already seen notes.
Added in this patch
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch includes some changes required on comment 57:
1. Bad resolution conflict, permission self_checkout is re-add
2. The IGNORE modifier is missing in the INSERT statement
4. When I hit /circ/checkout-notes.pl from the side bar, the page displays "Checkout notes", nothing else. We should add "There is no checkout notes".
7. I would display the table on the confirmation screen as well
10. html filters are missing
11. span element should surround translatable string, to help translators
14. patron-title.inc must be used to display patron's info
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Fixing the comments in Comment 42
Ready to test
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
See Comment 27
This is ready to be tested.
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Marcel, can you please have a look at this patch. I tried to implement
the change
my @notes = $schema->resultset('Issue')->search({ 'me.note' => { '!=', undef } }, { prefetch => [ 'borrower', { item => 'biblionumber' } ] });
to
my @notes = Koha::Checkouts->search({ 'me.note' => { '!=', undef } }, { prefetch => [ 'borrower', { item => 'biblionumber' } ] });
but am having problems on the template side. I can access the item and
biblio information about the issue, but not the borrower information,
even though the query is definitely pulling it correctly. Any
suggestions or ideas as to why this breaks?
This patch also adds the implementation of the circSidebar.
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch adds a user permission for managing issue notes, and a 'noteseen'
column to the issues table.
To test:
1) Apply Bug 14224 first
2) Apply this patch, update database, rebuild schema.
3) Restart koha-common and memcached
4) Turn on AllowCheckoutNotes syspref if haven't already
5) Issue two items to two different users (one item each)
6) Log into the OPAC as one of the users and add an issue note to their
issue
7) Log out and log back into the OPAC as the other user
8) Disable Javascript
9) Refresh opac-user.pl
10) Leave a checkout note on their issue
11) Enable javascript and log into the Staff Client as a superlibrarian
user
12) Go to your user's account and edit their permissions to have
everything ticked EXCEPT circulate->manage checkout notes.
13) Go to main intranet page. There should be no message saying
'checkout notes pending'.
14) Go to circulation home page. There should be no link to Checkout notes.
15) Go back to user's permissions and tick circulate->manage checkout notes.
16) Go back to main intranet page. There should now be a message at the
bottom saying 'Checkout notes pending: 2'
17) Go to circulation home page. There should be a link to Checkout notes
with a 2 next to it. Click this link
18) Attempt to mark an checkout note as seen. This should update the status
of the checkout note to 'seen' and disable to 'mark as seen' button while
enabling the 'mark as not seen' button.
19) Test both buttons with both issues.
20) Test select all and clear all buttons
21) Confirm that buttons at the bottom are only enabled if a checkbox is
checked
22) Try selecting both issues and using the buttons at the bottom to
mark multiple issue notes at once.
23) Confirm the barcode link to the item works as expected.
24) Confirm the cardnumber link to the user works as expected.
25) Confirm all table details show correctly.
Sponsored-by: Catalyst IT
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Followed test plan, works as expected
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amended patch: Remove self-checkout permissions
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
It is a real pain to debug selenium errors, especially when it is
not reproducible locally.
This patch capture a screenshot when an error occurred and upload it
using the excellent lut.im service provided by framasoft
(We could host our own later).
Test plan:
Modify a selenium script to make it fails (search for find_element)
You will see a stack trace followed by a link to framapic.org
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Some libraries are paperless and require all payment receipts to be emailed. Koha should give libraries the option to send email receipts if a patron has an email address. If a notice for the type of "credit" exists ( payment or writeoff ), then an email receipt will be sent.
These notices only support Template Toolkit syntax.
Test Plan:
1) Apply this patch and dependencies
2) Add the two new notices, you can find them in installer/data/mysql/en/mandatory/sample_notices.sql
3) Note two new notices exist in the notices editor, ACCOUNT_PAYMENT and ACCOUNT_WRITEOFF
4) Find or create a patron with an email address that owes some amount of money
5) Make a payment for one or more fees
6) Note a new email is queued for the patron
7) Make a writeoff for one or more fees
8) Note a new new email is queued for the patron
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch corrects referential problems which caused the script to
"re-use" images as well as other sorts of bad image behaviour.
To test:
1. Ensure that you can reproduce the original bug or some variation thereof
using the steps described in either of these two comments:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8604#c0https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8604#c6
NOTE: This is not an easy bug to reproduce.
2. Once you can reproduce the bug, apply this patch and follow the same steps
used to reproduce the bug.
3. Observe that the symptoms are corrected.
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Signed-off-by: Christian Stelzenmüller <christian.stelzenmueller@bsz-bw.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Reproduced the bug and resolved it with this patch.
Code is hard to read; exact cause of the problem was not fully uncovered.
Fixed spelling 'Destory' => 'Destroy'
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
To test:
1 - prove -v t/db_dependent/Search.t
2 - Koha asks "Why am I getting these crazy facets!?!"
3 - Apply patch
4 - prove -v t/db_dependent/Search.t
5 - Koha purrs (tests pass)
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
There is a missing optgroup closing tag in orderreceive.tt. It doesn't
actually cause any display issues (at least in modern browsers), but
it's invalid markup, so this patch fixes it.
_TEST PLAN_
0. Add a budget and add a fund
1. Add a vendor
2. Add a basket
3. Add an order to a basket
4. Close the basket
5. Receive the order
6. Make sure the budget and fund both display when selecting the fund
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
If you use -update but do not find matches (or did not want to match), you
should not call those routines. We should warn and skip this record.
Adding a warn at the start that the choice of options may not be smart.
Note that this needs further attention somewhere else. You could mix
-update with -insert for instance and still see some problems. (May depend
on items with unique barcode etc.)
Test plan:
Run -update without match or isbn.
Or run -update -isbn with a non-matching ISBN.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
The following code was never reached, since $isbn was not filled.
if (!$biblionumber && $isbn_check && $isbn) {
$sth_isbn->execute($isbn);
($biblionumber,$biblioitemnumber) = $sth_isbn->fetchrow;
}
Solution: Fix the code with two $isbn declarations. Move the checkisbn
condition a level deeper.
Test plan:
Run misc/migration_tools/bulkmarcimport.pl -file bib726.utf8 --update -isbn
Since you do not match on biblionumber, the ISBN should match.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>