Commit graph

52462 commits

Author SHA1 Message Date
bb69578db0
Bug 34478: Add 'op' to opac-user.tt
Bug 34478: [TO SQUASH] Add 'op' to opac-user.tt

Bug 34478: [TO SQUASH] Add 'op' to opac-user.tt

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:58 +01:00
a3c0c92508
Bug 34478: Add missing CSRF token to POST forms
This is the result of
  % perl csrf_add_missing_csrf.pl

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:57 +01:00
7e7159bf58
Bug 34478: Remove generate_csrf from pl
We do not longer need to generate_csrf from pl files

TODO - members/boraccount.tt and sco/sco-main.tt needs to be adjusted

Bug 34478: [TO SQUASH] Remove generate_csrf from pl

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:56 +01:00
8596861127
Bug 34478: Replace csrf_token input with include file - manual
A couple of left not caught by the previous regex

Still TODO:
% git grep csrf_token **/*.inc **/*.tt
still shows example that needs to be replaced, later (because we use GET)

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:55 +01:00
4481fb3377
Bug 34478: Replace csrf_token input with include file
perl -p -i -n -e 's#<input type="hidden" name="csrf_token" value="\[% csrf_token \| html %]" />#[% INCLUDE '\''csrf-token.inc'\'' %]#g' **/*.tt **/*.inc

This should have actually been done at the same time as
  "Bug 30524: (QA follow-up) Only generate CSRF token if it will be used"

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:55 +01:00
8e3901342a
Bug 34478: Replace get with post when needed
This is what has been marked as done in "csrf_get.txt"

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:54 +01:00
0631153f06
Bug 35955: Add tests
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:53 +01:00
108c955eac
Bug 35955: Cache CSRF token in template plugin
This change uses the Koha::Cache::Memory::Lite cache to
cache the CSRF token, so that it is only generated once,
and is re-used by the Koha::Template::Plugin::Koha object
throughout the entire template processing for the HTTP request.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:52 +01:00
e2440f2c61
Bug 36098: Default to 'file' if pref does not exist
During the installer process there is a bunch of warnings
  "Use of uninitialized value $storage_method in string eq at"

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:51 +01:00
c42ede262a
Bug 36098: (follow-up) extend test to check driver
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:33 +01:00
5572567143
Bug 36098: Fix storage_method pass
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:32 +01:00
56d8ac2476
Bug 36098: Allow to pass storage_method
Will need this on follow-up bugs.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:32 +01:00
09de3f820b
Bug 36098: (QA follow-up) Add POD to Koha::Session
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:31 +01:00
0e6537d199
Bug 36098: Add Koha::Session module to ease session handling
This patch adds a Koha::Session module that makes it easier
to work with Koha sessions without needing the full C4::Auth module.

Test plan:
0. Apply the patch
1. Run the following unit tests:
prove ./t/db_dependent/Auth.t
prove ./t/db_dependent/Auth_with_cas.t
prove ./t/db_dependent/Koha/Session.t
2. Observe that they all pass

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:30 +01:00
7c54394383
Bug 35935: Ensure login branch will be used after incorrect login
If a different branch is selected after an incorrect login, the previous
branch will be used.

To recreate:
* login with foo/bar, select CPL => FAIL
* login with koha/koha, select another branch => OK but CPL is picked!

It was caused by a dup of "branch" in CGI param list (and first was
picked).

This patch patch also removes "koha_login_context" to not have it twice.
You can also open the source of the page to confirm that form#loginform
contains "branch" and "koha_login_context" in hidden inputs.

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tested in KTD. Works as advertised.
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:29 +01:00
7d95c64048
Bug 36092: Pass sessionID at the end of get_template_and_user
It seems safer to pass the logged in user and session info at the end of
the sub.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:28 +01:00
3a053ebdf9
Bug 36092: Pass the sessionID from checkauth if we hit auth
If we hit the auth page we were not passing sessionID to the template

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:27 +01:00
1bc2f8cf1b
Bug 36092: Add test
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:27 +01:00
c0d5013f2e
Bug 35918: Fix auto library connect (AutoLocation)
This code is a bit weird, its purpose it to auto select the library depending on the IP.
A problem appears if the same IP is used, then the user's choice will
might be overwritten randomly by another library.

To recreate the problem:
Turn on AutoLocation
Use koha/koha @CPL for test
And the following config:
*************************** 1. row ***************************
branchcode: CPL
branchname: Centerville
  branchip: 172.18.0.1
*************************** 2. row ***************************
branchcode: FFL
branchname: Fairfield
  branchip: 172.18.0.1
*************************** 3. row ***************************
branchcode: FPL
branchname: Fairview
  branchip: 172.18.0.4

Connect and select CPL. Randomly FFL will be picked instead.

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tested this on top of 35890 and 35904 because git bz said they were required dependencies.
Figured out the IP Koha was seeing me as coming from in /var/log/koha/kohadev/plack.log.
Added that IP to the branchip for Centerville, Fairfield and Fairview. Set AutoLocation = Yes.
After this I could recreate the problem: If i left the "Library" field in the login screen
at "My Library" I got logged into a random library selected from the three i had set
branchip for. Applying the patches fixed this, as expected.
Tests pass, with AutoLocation off.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:26 +01:00
837d04527a
Bug 35918: Add test
Signed-off-by: Magnus Enger <magnus@libriotech.no>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:25 +01:00
200799c11e
Bug 35890: Add tests for AutoLocation
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:24 +01:00
e59623bfc2
Bug 35890: Reject login if IP is not valid
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:23 +01:00
8fb9b814aa
Bug 35904: (QA follow-up): tidy up code
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:22 +01:00
a82772d7ec
Bug 35904: Make C4::Auth::checkauth testable easily
This patch suggests to add a new flag do_not_print to
C4::Auth::checkauth to not print the headers and allow to test this
subroutine more easily.

We do no longer need to mock safe_exit and redirect STDOUT to test its
return values.

There are still 3 left:
1.
733         # checkauth will redirect and safe_exit if not authenticated and not authorized
=> Better to keep this one, not trivial to replace

2.
806         # This will fail on permissions
This should be replaced but testing $template->{VARS}->{nopermission}
fails, I dont' think the comment is better.

3.
828         # Patron does not have the borrowers permission
Same as 2.

2. and 3. should be investigated a bit more.

This patch also move duplicated code to set patron's password to a
subroutine set_weak_password.

Test plan:
Read the code and confirm that everything makes sense.
QA: Do you have a better way for this? Yes it's dirty!

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:21 +01:00
16a648e9ca
Bug 35904: Remove var loggedin
It is never used and add confusion

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:21 +01:00
05dad853b7
Bug 36019: Remove dead code in tags/review
Since bug 20489 it is no longer possible to login with the DB user.
At the time, get_template_and_user returned borrowernumber=0 in this case.

In tags/review.pl we have:
  $borrowernumber == 0 and push @errors, {op_zero=>1};

This condition is never met, and op_zero related code can be removed in the template.

Test plan:
Confirm the above

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:20 +01:00
097a27e932
Bug 36017: Remove dead code in admin/clone-rules
Since
  commit 61628c97c2
  Bug 18936: (follow-up) Add cloning of circulation rules back to Koha

There are some dead code in admin/clone-rules.

"result" is always passed to the template.

Test plan:
Confirm the above and that cloning rules from the circ rules page still
works correctly.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:19 +01:00
4b6508e7ea
Bug 35949: Remove useless code pointing to branchreserves.pl in request.tt
messagetransfert is never set (it is from circ/waitingreserves.pl, `git grep messagetransfert`) and branchreserves.pl does not exist!

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:18 +01:00
fc19c774fd
Bug 34426: (QA follow-up) Polishing xt script
Test plan:
Run it again. Same results?

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:17 +01:00
31edf8d1b9
Bug 34426: Add xt/find-missing-csrf.t
Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:16 +01:00
Andreas Jonsson
fee4368cd8
Bug 35930: Add guards for plugins_enabled
The 'new' method in Koha::Plugins returns undefined if
plugins are disabled.  Therefore, calls to this method
must be guarded by a check that plugins actually are enabled.

Test plan:

* Code inspection of patch, alternatively
* Activate the ill system by installing a backend such as
  koha-illbackend-libris:
  https://github.com/Libriotech/koha-illbackend-libris
* Make sure plugins are disabled in koha-conf.xml
* In the staff interface, go to ILL requests.
* The page should load without getting an error 500.

PA amended commit message: This is not related to ILL backends being plugins or not
This is about ILL batches, where checking for metadata enrichment plugins was missing 'enable_plugins' guard
Additionally, unrelated to batches, it's also about ILLAvailability, where checking for ILL availabililty plugins was missing enable_plugins guard

Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Hans Pålsson <hans.palsson@hkr.se>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2024-02-14 13:28:30 +00:00
b577b65670
Bug 35518: Tidy the moved blocks
This patch just tidies the moved blocks to get us past the QA script
check.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2024-02-14 13:27:14 +00:00
90b6f68616
Bug 35518: Check authentication and set userenv before fetching userenv variables
Currently we get the userenv before we have set it correctly for the session

To test:
 1 - Sign in as a user with fast cataloging permission
 2 - Bring up a patron, type gibberish into barcode field to get a fast cataloging link
 3 - Check the link, it should have your current signed in barcode
 4 - Sign in to a different browser with a different user and at a different branch
 5 - Bring up a aptron in circulation and type gibberish into barcode field to get a fast cataloging link
 6 - It may have your branch, but it may also have the other user's branch from the other window
 7 - Keep entering gibberish to get a link until one user has the correct branch
 8 - Then switch to the other browser, and keep entering gibberish, watch the branchcode change
 9 - Apply patch, restart all
10 - Test switching between browsers. generating fast cataloging links
11 - Users should now consistently have the correct branch

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2024-02-14 13:27:03 +00:00
a77adbe76e
Bug 36034: Add test
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2024-02-14 10:32:04 +00:00
Andreas Jonsson
5f9e9e5df2
Bug 36034: (bug 34893 follow-up) fix capture of return values from checkpw
Adapt code to the change of return value type of checkpw
introduced in bug 34893

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2024-02-14 10:27:47 +00:00
989daca8f0
Bug 29002: Remove whitespace only lines
Jonathan highlighted some trailing whitespace.. I only see a few cases
where a line only contains whitespace and I didn't see these caught by
the QA script at the time of submission.

Anyway, this removes the spaces
2024-02-06 13:14:29 +00:00
d130a6c66b
Bug 35962: (bug 35843 follow-up 2) Fix BackgroundJob.t on D10
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-02-06 08:52:36 +01:00
12b6c0e67d
Bug 34893: Unit tests for C4::Auth::checkpw
This patch introduces some tests on the current (and new) behavior for
the `checkpw` function.

I needed it to better understand if an edge case was actually possible
(it wasn't).

Found a really minor annoyance for the internal check with expired
password not returning the $patron object for consistency with the other
use cases.

I think this method deserves (at least) changing the return value to a
sane data structure. But that's not target for backporting to stable
releases. So a separate bug.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-02-02 17:31:48 +01:00
2b54d3c82b
Bug 34893: (QA follow-up) Tidy code for qa script
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-02-02 17:31:47 +01:00
11e919cc19
Bug 34893: Add checkpw change to REST API
This patch adds the checkpw return value change to the REST API
route for validating user identifiers and password.

Test plan:
0. Apply patch
1. prove t/db_dependent/api/v1/password_validation.t

Bonus points:
1. koha-plack --reload kohadev
2. Enable syspref RESTBasicAuth
3. curl -XPOST -H "Content-Type: application/json" \
-u <staff_userid>:<staff_password> \
-d '{"identifier":"<cardnumber>","password":"<password>"}' \
http://localhost:8081/api/v1/auth/password/validation
4. Validation doesn't fail. It gives you cardnumber, patron_id, userid

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-02-02 17:31:47 +01:00
c1b94fc011
Bug 34893: ILS-DI can return the wrong patron for AuthenticatePatron
Imagine we have a set of users. Some of those users have a NULL userid. We then call AuthenticatePatron from ILS-DI for a patron with a NULL userid, but a valid cardnumber. We call checkpw, which returns the cardnumber and userid. We then call Koha::Patrons->find on the userid *which is null*, meaning the borrowernumber returned is not the correct one, but instead the earliest patron inserted into the database that has a NULL userid.

Test Plan:
1) Give three patrons a userid and a password
2) From the database cli, set all patrons's userid to null
   Run this query: update borrowers set userid = null;
3) Call AuthenticatePatron with username being the 1st patron cardnumber,
   and password being the password you set for that patron
   http://localhost:8080/cgi-bin/koha/ilsdi.pl?service=AuthenticatePatron&username=kohacard&password=koha
4) Note you get back a borrowernumber for a different patron. Refresh the page and the number is correct.
5) Do the same with the 2nd patron. Same issue at 1st and correct number after.
6) Apply this patch
7) Restart all the things!
8) Do the same with the 3rd patron.
9) Note you get the correct borrowernumber! :D
10) prove t/Auth.t t/db_dependent/Auth_with_ldap.t t/Auth_with_shibboleth.t t/db_dependent/Auth_with_cas.t

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-02-02 17:31:46 +01:00
795387f519
Bug 34893: Add unit tests
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-02-02 17:31:46 +01:00
3584cd7edb
Bug 32474: (follow-up): Tell the tests to wait for the intercepted request responses
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-02-02 13:37:03 +01:00
d7669ae2a9
Bug 35962: (bug 35843 follow-up) Fix BackgroundJob.t on D10
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-02-02 09:32:28 +01:00
269d6f6444
Bug 35940: Close modal before typing
Tests currently fail due to a modal remaining open. This patch closes the modal to make the tests pass

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-02-01 16:45:19 +01:00
f1b32b5316
Bug 35940: (bug 35477 follow-up) Fix cypress tests
AssertionError: Timed out retrying after 10000ms: Expected to find element: `main div[class='dialog message']`, but never found it.

We moved from message to alert.

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-02-01 16:45:18 +01:00
1c7a5bcf11
Bug 35506: Move the checkouts table load delay logic out of document ready
== Test plan ==
0. Have Selenium running
   ktd --selenium up
1. prove t/db_dependent/selenium/regressions.t
2. It should still work

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-02-01 14:11:00 +01:00
daeccd84c6
Bug 34862: (follow-up) Fix some misplaced messages and add missing
This patch fixes some templates where the messages include was appearing
in the wrong place, for instance above the left-hand sidebar instead of
at the top of the main content.

The patch also adds the new include to some templates which lacked it.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-01-31 14:44:46 +01:00
e37ec44cb5
Bug 34862: Manual changes
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-01-31 14:44:45 +01:00
7f06a4bd00
Bug 34862: Add messages.inc
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-01-31 14:44:44 +01:00