Commit graph

136 commits

Author SHA1 Message Date
76075976ea
Bug 36679: Prevent SCO login for the AnonymousPatron
1. Make sure AutoSelfCheckAllowed is Allowed and AutoSelfCheckID and AutoSelfCheckPass are in use.
2. Make sure AnonymousPatron is pointed to an account.
3. Set SelfCheckoutByLogin to cardnumber.
4. Verify that if you go to the anonymous patron account in the staff interface, you cannot checkout items.
5. Go to the selfcheck path of the library.  It should auto login.  Put in the cardnumber for the anonymous user.
6. Proceed to check out items!
7. APPLY PATCH, restart_all
8. Try step 5 again, you should not be able to log in as the AnonymousPatron. Instead you should be redirected to OPAC home page
9. Switch SelfCheckoutByLogin to 'username and pasword'.
10. Again try to log in as the AnonymousPatron, you should not be able to.
11. Make sure you can login as a regular patron when SelfCheckoutByLogin is set to 'cardnumber' and when it is set to 'username and pasword'.

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2024-06-10 16:20:58 +01:00
Aleisha Amohia
d8baa5090b
Bug 32256: Use a new SCOBatchCheckoutsValidCategories syspref
So that this functionality can be controlled separately from staff-side batch checkouts

Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-05-08 18:23:55 +02:00
b138519d2b
Bug 32256: (QA follow-up) Tidy sco-main.pl
This tidies the whole file as the patchset touched so much that we
basically needed to tidy all to make the QA scripts clean.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-05-08 18:23:55 +02:00
Aleisha Amohia
bb059abe90
Bug 32256: Handle batch error messages better
This enhancement modifies the self-checkout script to better handle 'impossible' and 'needs confirmation' checkout messages.

Test with a combination of barcodes that would invoke these messages, for example:
- impossible: barcode doesn't exist
- impossible: barcode is for a 'notforloan' item type
- impossible: debt
- needs confirmation: barcode already checked out, i.e. confirm renewal

Include barcodes that should have successful checkouts too.

Also, test with the following sysprefs:
- BatchCheckouts: enabled
- BatchCheckoutsValidCategories: none selected

Confirm SCO does not have a multi-line text area for more than one barcode, and doesn't accept more than one barcode.

Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-05-08 18:23:54 +02:00
Aleisha Amohia
3c57d0f3db
Bug 32256: Display barcodes not checked out in batch
This patch encourages the user to check out certain items individually if they fail to be checked out in a batch.

This way they will be presented with more useful error messages.

To test:

1 - Enable BatchCheckouts, select nothing in BatchCheckoutsValidCategories
2 - Find three barcodes
3 - log into SCO with a user in category Patron, paste the barcodes separated by newlines and submit. confirm one item is succcessfully checked out and the other two barcodes are listed in the pop-up, encouraged to try checking out individually.
4 - select Patron in BatchCheckoutsValidCategories
5 - log into SCO with your Patron user again, confirm you can check out multiple items at a time

Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-05-08 18:23:54 +02:00
Aleisha Amohia
e9f387cfc3
Bug 32256: (follow-up) Use correct patron category
This patch ensures we check the categorycode of the patron trying to issue the items is valid (based on BatchCheckoutsValidCategories), rather than the categorycode of the AutoSelfCheckAllowed patron.

To test:

1 - Enable BatchCheckouts, select nothing in BatchCheckoutsValidCategories
2 - confirm AutoSelfCheckAllowed is allowed and contains the username and password for the self_check user. Confirm self_check user is in category Staff
3 - log into SCO with a user in category Patron, confirm you can only check out 1 item at a time
4 - select Patron in BatchCheckoutsValidCategories
5 - log into SCO with your Patron user again, confirm you can check out multiple items at a time

Sponsored-by: Koha-US
Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-05-08 18:23:53 +02:00
Aleisha Amohia
6a70c126d1
Bug 32256: Enable batch checkout using self-checkout
This patch allows more than one item to be scanned and processed at once in Koha's self-checkout module. The items in the batch will still be handled one-by-one, so if any item in the batch requires confirmation (i.e. to be renewed or returned) or is impossible to check out, the process will stop at that item. Any items earlier in the list will be processed, but any items coming after in the list will be ignored. This feature uses the existing BatchCheckouts and BatchCheckoutsValidCategories system preferences to determine if batch checkouts should be allowed.

To test:
1) Open the staff interface. Go to Koha Administration -> Global system preferences. Search for "BatchCheckouts". Confirm BatchCheckouts syspref is disabled, and no categories are selected for the BatchCheckoutsValidCategories syspref.
2) In another tab, open the OPAC self checkout (found out OPACBaseURL/cgi-bin/koha/sco/sco-main.pl) and log in
3) Confirm the self-checkout works as normal for checking out, returning or renewing one item at a time
4) Go back to the staff interface tab (you may need to log back in). Enable the BatchCheckouts syspref but leave the BatchCheckoutsValidCategories syspref empty.
5) Refresh the OPAC self checkout tab. The barcode input field will now be bigger to support a list of barcodes. Enter a list of barcodes separated by newlines and Submit.
6) Only the first barcode should be processed. This is because no categories are valid for BatchCheckouts.
7) Go back to the staff interface tab (you may need to log back in). Select at least your patron category for the BatchCheckoutsValidCategories syspref and Save.
8) Refresh the OPAC self checkout tab. Enter a list of barcodes separated by newlines and Submit. Confirm all valid items are checked out as expected.
9) Test with a few items that are notforloan or would not be valid checkouts. Confirm they are not checked out, but other valid items in the batch are checked out successfully.
10) Test with a batch where one of the items is already checked out to the patron. The batch should get blocked at this item as the self-checkout asks for confirmation.
11) Test with both renewing and returning of items that are already checked out to the patron. This will only work with one item at a time and later items in the list will be ignored.

Sponsored-by: Koha-US
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-05-08 18:23:52 +02:00
52098e0dc1
Bug 36349: Remove passing CGI params from sco/printslip.pl
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-04-05 11:51:08 +02:00
5c634ee597
Bug 36349: Fix AutoSelfCheckAllowed
Move the check to C4::Auth.

Yes, it's not nice, I didn't expect to add exception to this code, and
it's adding more ugly code to get_template_and_user, but... Suggestions
welcome!

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-04-05 11:51:08 +02:00
3f9b523bc5
Bug 34478: Fix sco-patron-image.pl access control regression
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:59:42 +01:00
ea6842ea21
Bug 34478: Manual fix - Fix controller op handling of self-checkout
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:59:12 +01:00
8b69d0b4d3
Bug 34478: Manual fix - Fix session cookie management of self-checkout
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:59:11 +01:00
4354a4c172
Bug 34478: Manual fix - Remove csrf_token from GET to sco-patron-image.pl
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:59:10 +01:00
314fe71ff8
Bug 34478: Remove check_csrf from pl files
We should no longer need to check CSRF token from pl files

TODO - there is a change for some files where we returned 403

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:01 +01:00
7e7159bf58
Bug 34478: Remove generate_csrf from pl
We do not longer need to generate_csrf from pl files

TODO - members/boraccount.tt and sco/sco-main.tt needs to be adjusted

Bug 34478: [TO SQUASH] Remove generate_csrf from pl

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:56 +01:00
8c801ea132
Bug 34557: Add SCOLoadCheckoutsByDefault system preference
This patch adds a enw system preference SCOLoadCheckoutsByDefault

When enabled, a patron's list o fcurrent checkouts will be loaded when the sign in to the SCO
module. If disabled, they will see link to load their checkouts. In either case, a new section
is added to the SCO to show a brief display of the last checked out it

To test:
1 - Enable WebBasedSelfCheck system preference
2 - Browse to:
    http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
3 - Sign in the SCO user (or enable AutoSelfCheck)
4 - Sign in as a user with several items checked out
5 - Confirm you see a list of items checked out
6 - Apply patches, updatedatabase, restart_all
7 - 'Finish' and login patron to SCO again
8 - Confirm you still see the list
9 - 'Finish'
10 - Chenge the system preference
11 - Sign in to SCO, confirm checkouts do not load
12 - Confirm you see 'Load your checkouts' link
13 - Check an item out
14 - Confirm you see the last checkout, but not a list
15 - Attempt to checkout an item that cannot be checked out
16 - Confirm "Return to account summary" does not load checkouts
17 - Click "Load your checkouts"
18 - Confirm they load
19 - Check out another item, confrim they remain and are updated
20 - Checkout an item that cannot be issued
21 - Confirm 'Return to account summary' loads the checkouts again

Signed-off-by: Andrew Auld <andrew.auld@ptfs-europe.com>
Signed-off-by: AndrewA <andrew.auld@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-11-08 11:41:11 -03:00
David Gustafsson
f726558510
Bug 32496: Reduce unnecessary unblessings of objects in Circulation.pm
Refactor the most performance critical subroutines in Circulation.pm
to take objects instead of unblessed ones to reduce unnecessary
unblessings and generally clean up the code.

To test:

1) Ensure the following tests all pass:
  t/db_dependent/Circulation.t
  t/db_dependent/Circulation/CalcDateDue.t
  t/db_dependent/Circulation/CheckIfIssuedToPatron.t
  t/db_dependent/Circulation/GetPendingOnSiteCheckouts.t
  t/db_dependent/Circulation/GetTopIssues.t
  t/db_dependent/Circulation/IsItemIssued.t
  t/db_dependent/Circulation/MarkIssueReturned.t
  t/db_dependent/Circulation/ReturnClaims.t
  t/db_dependent/Circulation/Returns.t
  t/db_dependent/Circulation/SwitchOnSiteCheckouts.t
  t/db_dependent/Circulation/TooMany.t
  t/db_dependent/Circulation/dateexpiry.t
  t/db_dependent/Circulation/issue.t
  t/db_dependent/Circulation/maxsuspensiondays.t
  t/db_dependent/Circulation/transferbook.t
  t/db_dependent/Circulation_holdsqueue.t
  t/db_dependent/DecreaseLoanHighHolds.t
  t/db_dependent/Holds/DisallowHoldIfItemsAvailable.t
  t/db_dependent/Holds/RevertWaitingStatus.t
  t/db_dependent/ILSDI_Services.t
  t/db_dependent/Illrequests.t
  t/db_dependent/Koha/Account/Line.t
  t/db_dependent/Koha/Biblio.t
  t/db_dependent/Koha/Items.t
  t/db_dependent/Koha/Object.t
  t/db_dependent/Koha/Patrons.t
  t/db_dependent/Koha/Pseudonymization.t
  t/db_dependent/Koha/Template/Plugin/CirculationRules.t
  t/db_dependent/Letters/TemplateToolkit.t
  t/db_dependent/Members/GetAllIssues.t
  t/db_dependent/Members/IssueSlip.t
  t/db_dependent/Patron/Borrower_Discharge.t
  t/db_dependent/Patron/Borrower_PrevCheckout.t
  t/db_dependent/SIP/ILS.t
  t/db_dependent/Holds.t
  t/db_dependent/Holds/LocalHoldsPriority.t
  t/db_dependent/Holds/HoldFulfillmentPolicy.t
  t/db_dependent/Holds/HoldItemtypeLimit.t
  t/db_dependent/Reserves/GetReserveFee.t
  t/db_dependent/api/v1/return_claims.t
  t/db_dependent/api/v1/biblios.t
  t/db_dependent/api/v1/checkouts.t
  t/db_dependent/Reserves.t
  t/db_dependent/HoldsQueue.t
  t/db_dependent/selenium/regressions.t
  t/db_dependent/Koha/Plugins/Circulation_hooks.t
  t/db_dependent/Koha/Plugins/Recall_hooks.t
  t/db_dependent/Koha/Recalls.t
  t/db_dependent/Koha/Recall.t
  t/db_dependent/Circulation/_CalculateAndUpdateFine.t

Sponsored-by: Gothenburg University Library

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-09-22 10:52:39 -03:00
7afbba200d
Bug 33444: Update AddRenewal to take a hashref of params
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Removed skip_record_index => 1 from automatic_renewals.pl. See BZ.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-07-19 12:06:52 -03:00
David Gustafsson
ddc2906b77
Bug 31735: Avoid re-fetcing objects from database by passing them directly instead of ids to various subroutines
To test:

1) Run the following test and make sure all pass:
  t/db_dependent/api/v1/biblios.t
  t/db_dependent/api/v1/checkouts.t
  t/db_dependent/api/v1/return_claims.t
  t/db_dependent/Circulation/CalcDateDue.t
  t/db_dependent/Circulation/CheckIfIssuedToPatron.t
  t/db_dependent/Circulation/dateexpiry.t
  t/db_dependent/Circulation/GetPendingOnSiteCheckouts.t
  t/db_dependent/Circulation/GetTopIssues.t
  t/db_dependent/Circulation_holdsqueue.t
  t/db_dependent/Circulation/IsItemIssued.t
  t/db_dependent/Circulation/issue.t
  t/db_dependent/Circulation/MarkIssueReturned.t
  t/db_dependent/Circulation/maxsuspensiondays.t
  t/db_dependent/Circulation/ReturnClaims.t
  t/db_dependent/Circulation/Returns.t
  t/db_dependent/Circulation/SwitchOnSiteCheckouts.t
  t/db_dependent/Circulation.t
  t/db_dependent/Circulation/TooMany.t
  t/db_dependent/Circulation/transferbook.t
  t/db_dependent/DecreaseLoanHighHolds.t
  t/db_dependent/Holds/DisallowHoldIfItemsAvailable.t
  t/db_dependent/HoldsQueue.t
  t/db_dependent/Holds/RevertWaitingStatus.t
  t/db_dependent/Illrequests.t
  t/db_dependent/ILSDI_Services.t
  t/db_dependent/Items.t
  t/db_dependent/Koha/Account/Line.t
  t/db_dependent/Koha/Acquisition/Order.t
  t/db_dependent/Koha/Biblio.t
  t/db_dependent/Koha/Holds.t
  t/db_dependent/Koha/Items.t
  t/db_dependent/Koha/Item.t
  t/db_dependent/Koha/Object.t
  t/db_dependent/Koha/Patrons.t
  t/db_dependent/Koha/Plugins/Circulation_hooks.t
  t/db_dependent/Koha/Pseudonymization.t
  t/db_dependent/Koha/Recalls.t
  t/db_dependent/Koha/Recall.t
  t/db_dependent/Koha/Template/Plugin/CirculationRules.t
  t/db_dependent/Letters/TemplateToolkit.t
  t/db_dependent/Members/GetAllIssues.t
  t/db_dependent/Members/IssueSlip.t
  t/db_dependent/Patron/Borrower_Discharge.t
  t/db_dependent/Patron/Borrower_PrevCheckout.t
  t/db_dependent/Reserves/GetReserveFee.t
  t/db_dependent/Reserves.t
  t/db_dependent/rollingloans.t
  t/db_dependent/selenium/regressions.t
  t/db_dependent/SIP/ILS.t
  t/db_dependent/Holds.t
  t/db_dependent/Holds/LocalHoldsPriority.t
  t/db_dependent/Holds/HoldFulfillmentPolicy.t
  t/db_dependent/Holds/HoldItemtypeLimit.t
  t/db_dependent/Circulation/transferbook.t
2) Performe one or more checkouts for a patron, making sure
  that the circulation rules allows for renewals (for example by
  setting an earlier due-date).
3) Log in as this patron in OPAC and make sure the list of
  checkouts is displayed correctly, and that renewing an issue
  still works.

Sponsored-by: Gothenburg University Library
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-05-12 12:40:21 -03:00
c6366c6d68
Bug 19188: Use the Price template plugin with_symbol => 1
To make it displayed correctly depending on the configuration of the
currency

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-01-31 10:49:33 -03:00
Jenny Way
5eab08cc2e
Bug 19188: Self checkout missing currency symbol
Test plan:
1. Under administration and system preferences, enable WebBasedSelfCheck
2. In OPAC give user fine by going to 'my account' at top right
3. Then under fines tab 'create manual invoice'
4. Make sure this amount is more than noissuescharge which can be
   changed under system preferences
5. Go to the web based self check from the OPAC URL
6. Log in as your user
7. Try to check out an item
7. Error 'Item cannot be checked out' should occur
8. With the patch, the currency symbol should show for the amount.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-01-31 10:49:33 -03:00
Lari Strand
6d3314354e
Bug 31496: Fix branch in printslip.pl to logged in staff user's library
When you print a receipt slip in SCO, the library/branch you are at
in should be fetched from the logged in staff member's data (staff login
done before entering SCO view) instead of the patron's own who has signed
in to the SCO. Printing a slip shows patron's own home branch in the slip
as the branch they're in. This causes confusion with patrons who want to
print receipts/slips.

Test plan:
1) Make sure the staff user's library (used to login into SCO patron
   view) is not the same as the patron's who is logging into SCO
2) Print a slip in SCO and notice patron's home library printed on the slip
3) Apply patch
4) Print a slip in SCO and notice the library is now the staff user's library
   used to sign in to SCO patron view.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-09-26 10:52:42 -03:00
1b92fd78fd
Bug 27342: Remove dbh from C4::Auth
We must not pass $dbh but retrieve it when needed instead

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-08-16 10:45:41 -03:00
59ff962caa Bug 26019: Koha should set SameSite attribute on cookies
This patch modifies the way Koha sets cookies so that the "sameSite"
attribute is explicitly set to "Lax." This option is chosen because it
is the value which is currently assumed by browsers when the sameSite
attribute is not set.

To test, apply the patch and restart services.

- Log in to the staff interface and open your browser's developer tools.
  - In Firefox, look for a "Storage" tab.
  - In Chrome, look for an "Application" tab.
- Under "Cookies," click the URL of the staff interface.
- You should see all the cookies which are set for that domain.
- The CGISESSID cookie should have sameSite set to "Lax."

- Go to Cataloging -> New record.
  - Check the "marcdocs" and "marctags" cookies.
- Switch to the Advanced MARC editor (you may need to enable
  theEnableAdvancedCatalogingEditor preference).
  - Check the "catalogue_editor" cookie.
- Add a new item to an existing bibliographic record.
  - Check the "LastCreatedItem" cookie which is set after you save the
    new item.
- Go to Authorities -> Authority search.
  - In authority search results, click "Merge" from the "Actions" menu
    next to one of the results..
    - Check the "auth_to_merge" cookie.
- Go to Administration -> MARC bibliographic framework
  - Choose "MARC structure" from the menu corresponding to one of the
    frameworks.
  - Check the "Display only used tags/subfields" checkbox.
    - Check the "marctagstructure_selectdisplay" cookie.
- Go to Circulation -> Check out to a patron with checkouts.
  - Check the "Always show checkouts immediately" checkbox.
    - Check the "issues-table-load-immediately-circulation" cookie.
- Go to Tools -> Patron clubs. You will need at least one active club
  with one or more patrons enrolled.
  - From the list of clubs, click Actions -> Search to hold.
    - Check the "holdforclub" cookie.
- Go to Tools -> Batch item modification and submit a batch of items.
  - Uncheck one or more checkboxes in the "Show/hide columns" area.
    - Check the "showColumns" cookie.
- View a patron -> Search to hold.
  - Check the 'holdfor' cookie.
- With WebBasedSelfCheck enabled, log in to the self-checkout page.
  - Check the "JWT" cookie.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-04-13 15:55:38 +02:00
d753755590 Bug 30199: Do not generate jwt if patron does not exist
This is a follow-up patch for bug 29543. If an invalid cardnumber has
been used we should not generate a token.

Test Plan:
1. Set SelfCheckoutByLogin to 'cardnumber'.
2. Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
3. Enter an invalid carnumber like 'thisisabadcardnumber'
4. See the appropriate message "Sorry The userid thisisabadcardnumber was not found in the database. Please try again."
5. Try again with a different cardnumber and notice the same exact error message including the 'thisisabadcardnumber' cardnumber.
6. Apply this patch
7. Restart all the things!
8. Repeat steps 2-4
9. Try again with a different cardnumber, you should now see the correct
   cardnumber!

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-03-24 14:22:10 -10:00
7ea17a2422 Bug 29966: Dont pass authnotrequired true and flags together
Test plan:
Logout in OPAC.
Goto sco help page.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-02-09 22:01:36 -10:00
0757b0976f Bug 30045: (bug 29543 follow-up) Fix SCO print slip
Certainly since bug 29543 and bug 29914.

We should do the same authentication check than sco-main.pl, and also
make sure to generate the checkout history only for the logged in patron
(the OPAC one, not staff member)

Test plan:
Use the different combinations of the SCO config (AutoSelfCheckAllowed,
SelfCheckoutByLogin and WebBasedSelfCheck) and confirm that this patch
fixes the SCO print slip feature.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-02-09 15:36:24 -10:00
b80fda78d9 Bug 29543: Prevent user to checkin or renew items they don't own
Checkin or renew must be restricted to the items they own.

Test plan:
Create an item with barcode bc_1
Check it in to user A
Login to SCO with user B
Get the token using the browser dev tool, from the cookie
Hit (replace $JWT)
    /cgi-bin/koha/sco/sco-main.pl?jwt=$JWT&op=renew&barcode=bc_1
    /cgi-bin/koha/sco/sco-main.pl?jwt=$JWT&op=returnbook&barcode=bc_1

You should see an error message

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-02-02 21:05:29 -10:00
78815e9777 Bug 29543: Enforce authentication for self-checkout
The self-checkout feature is assuming a patron is logged in if patronid
is passed. It also assumes that "We're in a controlled environment; we
trust the user", which is terribly wrong!

This patch is suggesting to generate a JSON Web Token (JWT) to store in
a cookie and only allow action (renew, check in/out) is the token is
valid. The token is only generated once the user has been authenticated
And is removed when the user finish the session/logout.

Test plan:
You must know exactly how the self-checkout feature works to test this patch.
The 4 following sysprefs must be tested:
 SelfCheckoutByLogin, AutoSelfCheckAllowed, AutoSelfCheckID, AutoSelfCheckPass
Confirm that you can renew, checkin for the items you own, and checkout new items.
Confirm that you are not allowed to access other account's info.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-02-02 21:05:29 -10:00
66c895eb12 Bug 29543: Remove inputfocus variable
It's not used in template

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-02-02 21:05:29 -10:00
820a2bb4e0 Bug 29543: Remove borrower variable
It's not needed, we have $patron

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-02-02 21:05:29 -10:00
18c1500772 Bug 28211: Replace use of call_recursive() with call()
This is based on Julian's idea on bug 28026 where we could get rid of call_recursive by passing refs as arguments to call.

Test Plan:
1) Apply this patch
2) prove t/db_dependent/Koha/Plugins/Plugins.t
3) prove t/db_dependent/Koha/Plugins/Barcode_transform_hooks.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-10-18 11:28:41 +02:00
4f533776c6 Bug 26352: Switch from using call() to call_recursive()
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-10-06 14:56:09 +02:00
aea8ce7fcc Bug 26352: Add plugin hooks to transform patron barcodes
Some of our partners have unusual barcode requirements that have
required us to transform scanned barcodes using javascript. This is not
the most reliable method. It would make more sense to have Koha
transform the barcodes on the backend using a plugin. We should add
hooks to transform and generate new item and patron barcodes.

Test Plan:
1) Apply this patch
2) Download and install the Barcode Transformer plugin
   https://github.com/bywatersolutions/koha-plugin-barcode-transformer/releases/download/v1.0.1/koha-plugin-barcode-transformer-v1.0.1.kpz
3) Go to the plugin configuration page, set the configuration to the example configuration from the same page
4) In the patron search and anywhere else you can scan a patron
   cardnumber, type in some cardnumbers but prefix them with A and postfix
   them with A or B, e.g. A12345A, A12345B
5) Note the letters are removed by Koha!
6) Try a cardnumber like X123456Y
7) Note Koha converts it to Z13456Z

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-10-06 14:56:09 +02:00
b2b1483f4d Bug 26351: Add plugin hooks to transform item barcodes
Some of our partners have unusual barcode requirements that have
required us to transform scanned barcodes using javascript. This is not
the most reliable method. It would make more sense to have Koha
transform the barcodes on the backend using a plugin. We should add
hooks to transform and generate new item and patron barcodes.

Test Plan:
1) Apply this patch
2) Download and install the Barcode Transformer plugin
   https://github.com/bywatersolutions/koha-plugin-barcode-transformer/releases/
3) Go to the plugin configuration page, set the configuration to the example configuration from the same page
4) In the item barcode field on the checkin and checkout pages,
   and anywhere else you can scan an item barcode, type in some
   valid barcodes, but prefix them with X and postfix them with
   Y, e.g. X123456Y
5) Note the letters are removed by Koha!

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Bug 26351: (QA follow-up) Fix QA script issue

* Fixes issue with barcode generate stub so perlcritic is happy
* Removes extra semicolon from return call in configure method

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Bug 26351: Add unit tests

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Bug 26351: (QA follow-up) Remove unused method barcode_transform

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Bug 26351: (QA follow-up) Rename barcode_transform to item_barcode_transform

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Bug 26351: (QA follow-up) Barcodes inputted into Koha should always pass though barcodedecode

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Bug 26351: (QA follow-up) Catch one last case of itemBarcodeInputFilter

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Bug 26351: (QA follow-up) Fix Checkouts.t

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Bug 26351: Use call_recursive() as a replacement for call()

The method `call()` is not sufficient for barcode transformations. It's
possible that more than one barcode transformation plugin will be
installed. The `call_recursive()` method takes the output of the first
plugin and uses it as the input for the next plugin and so on. This allowes
each plugin to see the current version of the barcode and modify it if
necessary.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Bug 26351: Fix t/db_dependent/Koha/Plugins/Circulation_hooks.t

Bug 26351: Revert improper change to unit test, fix number of tests

Bug 26351: Remove uneeded use Koha::Plugins statements

Left over from previous changes

Bug 26351: Add missing barcodedecode import

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-10-06 14:56:09 +02:00
9d6d641d1f Bug 17600: Standardize our EXPORT_OK
On bug 17591 we discovered that there was something weird going on with
the way we export and use subroutines/modules.
This patch tries to standardize our EXPORT to use EXPORT_OK only.

That way we will need to explicitely define the subroutine we want to
use from a module.

This patch is a squashed version of:
Bug 17600: After export.pl
Bug 17600: After perlimport
Bug 17600: Manual changes
Bug 17600: Other manual changes after second perlimports run
Bug 17600: Fix tests

And a lot of other manual changes.

export.pl is a dirty script that can be found on bug 17600.

"perlimport" is:
git clone https://github.com/oalders/App-perlimports.git
cd App-perlimports/
cpanm --installdeps .
export PERL5LIB="$PERL5LIB:/kohadevbox/koha/App-perlimports/lib"
find . \( -name "*.pl" -o -name "*.pm" \) -exec perl App-perlimports/script/perlimports --inplace-edit --no-preserve-unused --filename {} \;

The ideas of this patch are to:
* use EXPORT_OK instead of EXPORT
* perltidy the EXPORT_OK list
* remove '&' before the subroutine names
* remove some uneeded use statements
* explicitely import the subroutines we need within the controllers or
modules

Note that the private subroutines (starting with _) should not be
exported (and not used from outside of the module except from tests).

EXPORT vs EXPORT_OK (from
https://www.thegeekstuff.com/2010/06/perl-exporter-examples/)
"""
Export allows to export the functions and variables of modules to user’s namespace using the standard import method. This way, we don’t need to create the objects for the modules to access it’s members.

@EXPORT and @EXPORT_OK are the two main variables used during export operation.

@EXPORT contains list of symbols (subroutines and variables) of the module to be exported into the caller namespace.

@EXPORT_OK does export of symbols on demand basis.
"""

If this patch caused a conflict with a patch you wrote prior to its
push:
* Make sure you are not reintroducing a "use" statement that has been
removed
* "$subroutine" is not exported by the C4::$MODULE module
means that you need to add the subroutine to the @EXPORT_OK list
* Bareword "$subroutine" not allowed while "strict subs"
means that you didn't imported the subroutine from the module:
  - use $MODULE qw( $subroutine list );
You can also use the fully qualified namespace: C4::$MODULE::$subroutine

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-07-16 08:58:47 +02:00
6f204fdf96 Bug 28591: Don't pass debug to get_template_and_user
There is a "debug" parameter we are passing from the controller scripts
to C4::Auth::get_template_and_user, but it's not actually used!

Test plan:
Confirm the assumption
Review the changes from this patch

Generated with:
perl -p -i -e 's#\s*debug\s*=\>\s*(0|1),?\s*##gms' **/*.pl

git checkout misc/devel/update_dbix_class_files.pl # Wrong catch
+ Manual fix in acqui/neworderempty.pl

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-06-22 12:04:32 +02:00
Andrew Isherwood
887022e0d2 Bug 24083: (follow-up) Make requested changes
This commit makes the changes requested in comment #120

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-11-11 16:09:58 +01:00
Andrew Isherwood
e429d90fb3 Bug 24083: (follow-up) Include SelfCheckInModule
As highlighted by Katrin, the selfcheckin module was not aware of this
work. This commits gives it awareness of the too_unseen renew error and
the "seen" argument that can be passed to AddRenewal

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-11-11 16:09:58 +01:00
Julian Maurice
96cc447045 Bug 25898: Prohibit indirect object notation
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-10-15 12:56:30 +02:00
7a7a0a2474 Bug 19382: Add ability to block guarantees based on fees owed by guarantor and other guarantees
Some libraries would like to not only block the circulation of a guarantor based on fines owed by guarantees, but would also like to block circulation for all guarantees as well. Basically, if a family as a whole reaches a certain threshold of fines, the entire family will be blocked from checking out items.

Test Plan:
1) Apply this patch
2) Set NoIssuesChargeGuarantorsWithGuarantees to $14
3) Create a family of four ( 2 guarantors, 2 guarantees ) where the parents guarantee both children
4) Give 3 of the 4 a $5 fine
5) None of them should be able to check out items

Signed-off-by: Barbara Johnson <barbara.johnson@bedfordtx.gov>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-10-14 14:50:07 +02:00
dc02192eb7 Bug 25261: (QA follow-up) Catch attepts to return via SCO
This patch adds a block to capture attempts to return items with
attached materials when checking in via the self checkout when the
relevant system preference is set.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-10-01 10:33:10 +02:00
be379b664c Bug 25261: (QA follow-up) Capitalize return of needsconfirm
This patch capitalizes the 'ADDITIONAL_MATERIALS' key in the
needsconfirm hash return value for CanBookBeIssued to restore
consistency with previous code and ensure SIP Checkout works as
expected.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-10-01 10:33:10 +02:00
334c8e94c1 Bug 25261: (QA follow-up) Add handling to SCO
Test plan
1/ Enable the feature as per previous patches
2/ Attempt to checkout an item with materials attached via the SCO
3/ Note that the checkut is blocked with the message 'Item must be
issued at a circulation desk'
4/ Signoff

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-10-01 10:33:10 +02:00
24556e73d2 Bug 26301: Use CanBookBeRenewed when renewing via self-checkout
Currently, if you have OverduesBlockCirc set to "Ask for confirmation"
and OverduesBlockRenewing set to "allow renewing", you get caught
in a loop where you can never renew an overdue material.

This patch uses CanBookBeRenewed for renewals, rather than CanBookBeIssued,
which means the correct rules are applied to the correct scenario.

To test:

a. Set OverduesBlockCirc to "Ask for confirmation"
b. Ensure "OverduesBlockRenewing" set to "allow renewing"
0. Apply the patch
1. Checkin item barcode 3999900000001
2. Go to http://localhost:8081/cgi-bin/koha/circ/circulation.pl?borrowernumber=51
3. Checkout item barcode 3999900000001 to 1 year ago
4. Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
5. Login as the "koha" user
6. Click on "Renew item"
7. Note that the item is renewed

8. Checkin item barcode 3999900000001
9. Go to http://localhost:8081/cgi-bin/koha/circ/circulation.pl?borrowernumber=51
10. Checkout item barcode 3999900000001 to 1 year ago
11. Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
12. Login as the "koha" user
13. Type "3999900000001" into the box under "Scan a new item or enter its barcode"
14. Click "Submit"
15. Note the system says the item is already checked out and it prompts
you to click "Renew item" in this screen
16. Click "Renew item"
17. Note the system says "Item renewed" near the top of the screen, and the "Due"
date near the bottom of the screen is more recent than the original due date

18. Checkin item barcode 3999900000001
19. Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
20. Login as the "koha" user
21. Type "3999900000001" into the box under "Scan a new item or enter its barcode"
22. Click "Submit"
23. Note the system says "Item checked out" and the item appears in the checkouts
at the bottom of the screen

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-18 11:08:35 +02:00
638786e719 Bug 24663: Remove authnotrequired if set to 0
It defaults to 0 in get_template_and_user

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
081a4c75be
Bug 25147: (RM follow-up) Update pref references.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-04-17 09:03:47 +01:00
da5024e5c2
Bug 22943: (QA follow-up) Add new cases
A few additional cases were introduced since the original bug was
authored. This patch simply catches those cases and makes the same
change.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-03-16 11:00:30 +00:00
Hayley Mapley
619d6362ce
Bug 22943: Renames the in_ipset function to in_iprange in C4::Auth
Bug 14407 introduced a new system preference to allow limiting the
online self checkout system to an IP or IP Range. The function that
handles this is called in_ipset, which is the name of a linux tool. To
stop confusion, this patch renames the function to 'in_iprange', and the
variable 'ipset' within it to 'iprange'.

To test, follow the test plans outlined in Bug 14407 and confirm that
everything works as expected.

Sponsored-by: Catalyst IT
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-03-16 11:00:21 +00:00
950074fa7e
Bug 23049: Update debit_type_code 'Res' to 'RESERVE'
This patch updates all cases where debit_type_code was 'Res' to
'RESERVE' which is more informative and consistent with the new style
guidelines.

The patch also ensure all calls to add_debit with a type or 'reserve'
now pass the capitalised code instead.

Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-10-24 17:24:18 +01:00