Commit graph

29826 commits

Author SHA1 Message Date
9dca694b04 Bug 16726: Do not display "You searched for:" if not needed
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-10-03 11:06:07 -03:00
7a60e52bd8 Bug 19276: Update the number of tests
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 19:39:34 -03:00
e09d233eee Bug 18120: Tidy up
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 17:13:13 -03:00
08b6f7799b Bug 18120: (QA followup) Add POD to controler class
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 17:13:13 -03:00
7367274c62 Bug 18120: (QA followup) 'vendors_manage' permission fits better than full acq
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 17:13:13 -03:00
Katrin Fischer
52c677166d Bug 18120: Update field descriptions
Trying to clarify some of the descriptions.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 17:13:13 -03:00
6d52d57fac Bug 18120: Add '/acquisitions/vendors' endpoint
This patch introduces an /acquisitions/vendors endpoint.
To test:
- Apply the patch
- Run:
  $ sudo koha-shell kohadev
 k$ prove t/db_dependent/api/v1/acquisitions_vendors.t
=> SUCCESS: Tests pass
- Sign off :-D

Sponsored-by: ByWater Solutions

Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 17:13:13 -03:00
17764fbe90 Bug 18120: /acquisitions/vendors unit tests
This patch introduces unit tests that need to be passed by an
/acquisitions/vendors/ REST endpoint.

To test:
- Apply the patch
- Run:
  $ sudo koha-shell kohadev
 k$ prove t/db_dependent/api/v1/acquisitions_vendors.t
=> FAIL: The endpoint is not present, should fail.

Sponsored-by: ByWater Solutions

Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 17:13:13 -03:00
269c21d984 Bug 19392: Clean-up behind auth_values_input_www.t
The two categories created by this test script are not removed

Test plan:
without this patch, the two authorised value categories 学協会μμ and
tòmas are not removed when the script finishes.
Now it does!

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 17:12:19 -03:00
b6f8cf4369 Bug 19391: (bug 19128 follow-up) Fix failing tests from auth_values_input_www.t
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 17:12:18 -03:00
995fb8c14f Bug 13912: DBRev 17.05.00.010
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 17:12:16 -03:00
5144cee9a9 Bug 13912: (QA followup) Make it explicit that syspref applies to MARC21
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 16:49:49 -03:00
6d818e1388 Bug 13912: (QA followup) Update database
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 16:49:48 -03:00
21ee44ff12 Bug 13912: Fix LOC link
Signed-off-by: m23 <black23@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 16:49:48 -03:00
5705c13d38 Bug 13912: Add DefaultCountryField008 syspref
This syspref is going to be used for populating field 008, range 15-17
with a desired default. It is currently hardcoded to 'xxu'. If not set,
it will still fallback to 'xxu'.

Signed-off-by: m23 <black23@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 16:49:48 -03:00
Julian Maurice
56a0aabc58 Bug 18422: (QA follow-up) Check if select2 is available before using it
cataloging.js might not always be loaded with select2.js, so we should
check its availability to prevent JS errors

Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 16:49:48 -03:00
Oleg Vasylenko
2f5a319b0a Bug 18422 - Add Select2 to authority editor
Overview:
Repeat tag fails if authority field has select subfield (for example, UNIMARC 700$8, 800$a)
This patch adds Select2 to authority editor

Steps to Reproduce:
In authority editor repeat field that has select subfield

Actual Results:
Field does not repeat (copy is not created).
Console shows a js TypeError in cataloging.js: «$(...).select2 is not a function»

Expected Results:
Field will repeat (copy is created)

Additional Information:
Error happens in version 16.11+ after adding Select2 js functions. The easiest way to fix is to add Select2 to authority editor

Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 16:49:48 -03:00
1e2e1247c9 Bug 19307: Mock the AllowFineOverride preference to ensure expected result
To test:
 1 - Set 'AllowFineOverride' to allow
 2 - prove t/db_dependent/Circulation/NoIssuesChargeGuarantees.t
 3 - 1 test fails
 4 - Apply patch
 5 - prove t/db_dependent/Circulation/NoIssuesChargeGuarantees.t
 6 - All tests pass
 7 - Set 'AllowFineOverride' to 'Don't allow'
 8 - Tests should still pass

Signed-off-by: David Bourgault <david.bourgault@inlibro.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 16:49:48 -03:00
1c328f3394 Bug 19344: DBRev 17.05.00.009
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 16:49:47 -03:00
e65ee89aae Bug 19344: Reorder lang and login_attempts in the [deleted]borrowers tables
Due to a bad rebase, the borrowers and deletedborrowers table structure
may different from a new install and upgraded install
For new installs, the order was: lang, login_attempts
For upgraded installs, it was lang, last_seen, login_attempts

After this patch, the order must be:
- last_seen
- lang
- login_attempts

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 13:05:22 -03:00
0aec9e11d5 Bug 19317: (bug 18966 follow-up) Remove leftover
Nothing important here, but this line should have been removed by bug
18966:

2177         # Update the fines
2178         $dbh->do(q|UPDATE accountlines SET issue_id = ? WHERE
issue_id = ?|, undef, $old_checkout->issue_id, $issue->issue_id);

The issue_id is now the same when moved from issues to old_issues. We do
not need to update the accountlines table.

No test plan here, you need to understand previous changes to validate
this patch.

Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 13:04:58 -03:00
bb61d5bc38 Bug 19276: (bug 17829 follow-up) Fix Statistic patrons behaviour
Bug 17829 must have been handle this specific case: GetMember set
category_type, but now $borrower is a Koha::Patron unblessed and does
not contain the category_type.
The fix is to call ->category->category_type on the Koha::Patron object
to be able to know if they are a statistic patrons.

Test plan:
Run the tests

Tests pass, as does QA test tool
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 13:03:56 -03:00
2b343df13e Bug 18999: (QA followup) ModReceiveOrder expects a hashref
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 13:03:38 -03:00
caef98c7f6 Bug 18999: Modified SQL query in GetBudgetSpent() in C4/Budgets.pm
Removed the SQL select condition 'AND closedate IS NOT NULL' because
this was not returning shippingcost values and it does not exist in the
SQL query to return the shipping cost in spent.pl

Also removed the retrieval of shipping cost and the associated addition
of item(s) cost and shipping cost in GetBudgetOrdered() in C4/Budgets.pm
to prevent the shipping costs being subtracted off the fund total twice

Test plan:
1. Go to Acquisition and create a currency, budget (make this value of
100), fund ( make this the value of 50), vendor (if
neccessary)

2. Create a basket and click 'Add to basket'

3. Add 2 items with the vendor price of 10

4. Click 'Receive shipment' and write in the shipment cost of 6

5. Click 'Finish receiving' and go back to Acquisitions

6. Notice the spent column value is 0.00 but if you click on the value then
the spent.pl page is displayed and shows that the shipment cost was 6.00

7. On the acquisition page also notice that the ordered column value is 26.00

8. Click on the name of the fund and notice the spent column value is
0.00 in the fund page table

9. Apply patch

10. Refresh acquisition page and notice that 6.00 is the value in the
Spent column and 20.00 is the value in the ordered column. Both of which
match the subtotal of the full-list tables displayed when you click on these
values

11. Also notice the spent value in the fund page table is 6.00

12 Observe the changes to GetBudgetSpent() and GetBudgetOrdered() C4/Budgets.pm and check they make sense

Sponsored-by: Catalyst IT

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 13:03:38 -03:00
90c5391b34 Bug 18999: (QA followup) Minor fixes for tests
Removed unneccessary declaration of $budget and changed
Koha::Acquisition::Order->new->insert into
Koha::Acquisition::Order->new->store as requested in tester feedback

Test plan:
1. Go into your koha-shell

2. set the PERL5LIB variable

3. Run t/db_dependent/Budgets.t

All tests should pass

Sponsored-by: Catalyst IT

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 13:03:38 -03:00
776692f311 Bug 18999: Add regression tests
Added regression test for GetBudgetSpent() and GetBudgetOrdered() into
the t/db_dependent/Budgets.t

Test plan:
1. Go into your koha-shell

2. set the PERL5LIB variable

3. Run t/db_dependent/Budgets.t

All tests should pass

Sponsored-by: Catalyst IT

Signed-off-by: Lee Jamison <ldjamison@marywood.edu>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 13:03:38 -03:00
Aleisha Amohia
89528af3b0 Bug 16463: Replace discharge link with error message if user has checked out items
To test:
1) Ensure the useDischarge syspref is enabled
2) Check out an item to a borrower
3) Log in to the OPAC as this borrower
4) Click the 'ask for a discharge' link in the nav
5) Click the 'Ask for a discharge' link
6) Notice you cannot be discharged because you have checkouts
7) Apply the patch, click the 'ask for a discharge' link in the nav
8) Notice the link has been replaced with an appropriate error message
9) Attempt to force the discharge URL:
/cgi-bin/koha/opac-discharge?op=request
10) Notice the message and you cannot be discharged.
11) Confirm that when you check in your item, the discharge link shows
again and works as expected.

Sponsored-by: Catalyst IT
Signed-off-by: Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:37:00 -03:00
1404654d65 Bug 18318: Unicode support for Elasticsearch
You must install the icu plugin for elasticsearch
https://www.elastic.co/guide/en/elasticsearch/plugins/current/analysis-icu.html

Once installed, apply this patch
Reindex your data, deleting the existing indexes
perl /home/vagrant/kohaclone/misc/search_tools/rebuild_elastic_search.pl
-d
Find (or add) some titles with accented characters
Verify that a search for the exact character or the unaccented version
works

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:37:00 -03:00
Mark Tompsett
632e2ad51d Bug 19120: Leave cancelled ordered items alone when reopening basket
TEST PLAN
---------
1) Apply first patch
2) prove t/db_dependent/Acquisition/close_reopen_basket.t
   -- FAILS
3) Apply this patch
4) prove t/db_dependent/Acquisition/close_reopen_basket.t
   -- SUCCESS!
5) run koha qa test tools

Followed test plan, patch worked as described
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>

Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:37:00 -03:00
Mark Tompsett
d34fae9499 Bug 19120: Add tests to reproduce the problem
TEST PLAN
---------
1) apply this patch
2) prove t/db_dependent/Acquisition/close_reopen_basket.t
   -- FAILS!
   -- This proves the test works.
3) run koha qa test tools

Followed test plan, patch worked as described
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>

Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:37:00 -03:00
c7b2d9bcf3 Bug 19329: Update IntranetSlipPrinterJS system preference description.
Test plan:
0) Apply the patch
1) Go to administration -> system preferences -> staff client
2) Read the description by IntranetSlipPrinterJS and confirm it's right

Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:37:00 -03:00
60a17c1b2b Bug 19372: (bug 15801 follow-up) pass selected frameworkcode to the template
Bug 15801 removes the 2 lines that were necessary to retrieve the
framework selected by the user and pass it to the template.
All bibliographic records created when adding an order to the basket
using an external source used the default framework.

Test plan:
Add an order to a basket from an external source
Select another framework than the default one
=> Without this patch, whatever the framework you picked, the default
one is used
=> With this patch applied the framework code you will pick will be used

Signed-off-by: Marijana Glavica <mglavica@ffzg.hr>

Signed-off-by: Marijana Glavica <mglavica@ffzg.hr>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:36:59 -03:00
ae02cf97e4 Bug 19366: Do not block patron's detail update if EmailMustBeUnique
If the pref PatronSelfRegistrationEmailMustBeUnique is set ("consider"),
a patron is not allowed to register with an existing email address.
The existing code is wrong and reject a patron that is updating their
personal details with "This email address already exists in our
database.", even if the patron did not modify their email address.

This is caused by the query we made, we must search for patron with this
email address but who is not the current patron.

Test plan:
- Set PatronSelfRegistrationEmailMustBeUnique to "consider"
- Register a new patron with an existing email address
=> you should not be allowed
- Use a non-existent email address
=> You should be allowed
- Edit your patron details
- Modify some infos
=> Should pass
- Modify your email address with an existing one
=> You should not be allowed to do that

Followed test plan, patches worked as described
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:36:59 -03:00
99f6e1adf3 Bug 19357: (bug 18260 follow-up) Remove non-relevant attributes
When created, batch_record_modification.tt has been based on
batch_delete_records.tt
These attributes are not used in the template and not set in the pl
script.
Since bug 18260, biblio is a Koha::Biblio and calling a non-existent
method will raise an error.

This patch get rid of the following error:
batch_record_modification.pl: Template process failed: undef error - The
method itemnumbers is not covered by tests!

Test plan:
Modify bibliographic records with the "Batch record modification" tool.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:36:59 -03:00
c84d03c582 Bug 15173: Restore SubfieldsToAllowForRestrictedEditing
Bug 7673 introduced SubfieldsToAllowForRestrictedEditing but bug 12176
broke it assuming that only selects were impacted by this feature.

Test plan:
Go back on bug 7673 and confirm that
SubfieldsToAllowForRestrictedEditing is working as expected with this
patch applied.

Signed-off-by: Lee Jamison <ldjamison@marywood.edu>
For clarification, the item fields that are entered in
SubfieldsToAllowForRestrictedEditing should EXCLUDE the desired
fields you want to disable.

Test plan (updated to test the scenario in the bug Description):
1. Create a patron with only the following permissions:
    - catalogue (Required for staff login)
    - editcatalogue -> edit_catalogue
    - editcatalogue -> edit_items
    - editcatalogue -> edit_items_restricted
2. Navigate to Administration -> Global system preferences -> Cataloging
    -> Record Structure -> SubfieldsToAllowForRestrictedEditing
3. In the input field for SubfieldsToAllowForRestrictedEditing enter in
    all the 952 fields EXCEPT the ones desired to be disabled. In this
    case, we want to disallow editing of 952$2, 952$a, 952$b, 952$e, 952$h,
    and 952$o so we enter the following into the
    SubfieldsToAllowForRestrictedEditing (without quotes) "952$0 952$1
    952$3 952$4 952$5 952$7 952$8 952$c 952$d 952$f 952$g 952$i 952$j
    952$p 952$t 952$u 952$v 952$w 952$x 952$y 952$z"
4. Click Save all Cataloging preferences
5. Login to the staff client as the created restricted editing patron
6. Edit an item
7. Note that all fields except for the ones excluded from the syspref
    are editable

Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:35:59 -03:00
12bd6358cf Bug 19323: subscription edit permission issue
If a librarian has edit_subscription but not create_subscription :
When trying to edit a subscription, after saving permission is denied.

This is because permissions in serials/subscription-add.pl depends on arg 'op' and on edit this arg starts with 'modify' but changes to 'modsubscription' when saving.

Test plan :
- Create a user with staff access
- Define its permissions on serials : only edit_subscription
- Edit a subscription
- Click 'Next'
- Click 'Test prediction pattern'
- Click 'Save subscription'
=> Without patch you get to page serials/subscription-add.pl with permission denied
=> With patch subscription is saved and you get to subscription details page

Signed-off-by: Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:35:59 -03:00
Dobrica Pavlinusic
f270c4a3b5 Bug 19334: Circulation history doesn't set biblionumber so left navigation is broken
Navigation on the left (Normal, MARC, etc...) needs biblionumber in
template variables to work.

Test:
1. go to checkout history for any biblio
2. verify that normal, MARC, etc links on the left no longer work
   due to missing biblionumber in URL
3. apply patch and test it again

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:35:58 -03:00
80fd5cd0db Bug 19116: Hold not set to waiting after transfer
Test plan:

0) Do not apply the patch
1) Place hold on item from another branch
2) Switch to that branch
3) Check them in at the other branch to set them into transport status (T)
4) Switch back to your homebranch
5) Check items in again, use the different confirm buttons and
    compare: Only "confirm and print" will be set to waiting, "confirm"
    remains in transport.
6) Apply the patch
7) Repeat 1-5 - now should work as expected - the hold is marked waiting
on "confirm" button too
8) Check the hold from the same branch, to make sure this doesn't add
regression

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:52 -03:00
a0c73b7bda Bug 19116: (followup) Add tests to highlight the problem in CheckReserves
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:52 -03:00
021d1d3714 Bug 19116: Unit tests
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:52 -03:00
357d51c8c4 Bug 19127: (follow-up) Fix Stored XSS in csv-profiles.pl
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:51 -03:00
Amit Gupta
b90662073f Bug 19127: Fix Stored XSS in csv-profiles.pl
To Test
1. Hit the page /cgi-bin/koha/tools/csv-profiles.pl?op=add_form
2. Add a text in the field Profile name, Profile description
   and Profile MARC fields that contains js
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:51 -03:00
914577fdb7 Bug 19108: (follow-up) Fix Stored XSS in biblio_framework.pl
Prevent software error
Template process failed: undef error - text: filter not found at
/home/vagrant/kohaclone/C4/Templates.pm line 121.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:51 -03:00
Katrin Fischer
624eb9e1f5 Bug 19108: (follow-up) Fix Stored XSS in fieldmapping.pl and items_search_fields.pl
To test:
- Add a framework with script in the description
- Access the Keywords to MARC mapping page
- Add an item search field where both name and label are script
- Try to edit/delete the added mapping

With the patch no script should be executed and everything
should still work ok.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:51 -03:00
Amit Gupta
a482880352 Bug 19108: Fix Stored XSS in biblio_framework.pl and marctagstructure.pl
To Test
1. Hit the page /cgi-bin/koha/admin/biblio_framework.pl?op=add_form
2. Add a text in the field Description that contains js
3. Save the page.
4. Notice js is execute
5. Click on Actions -> MARC structure
6. Apply patch and reload, the js is escaped

Fixed for both the pages biblio_framework.pl and marctagstructure.pl

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:51 -03:00
Amit Gupta
ec85c6b0a2 Bug 19108: Fix Stored XSS in fieldmapping.pl
To Test
1. Hit the page /cgi-bin/koha/admin/fieldmapping.pl
2. Add a text in the field Field name that contains js
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:50 -03:00
Amit Gupta
6a68fd0330 Bug 19108: Fix Stored XSS in authtypes.pl
To Test
1. Hit the page /cgi-bin/koha/admin/authtypes.pl?op=add_form
2. Add a text in the field Description that contains js
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:50 -03:00
Amit Gupta
b09750ca2b Bug 19108: Fix Stored XSS in classsources.pl
Fixed for both Classification sources & Classification filing rules

To Test
1. first case classification source: Hit the page
   /cgi-bin/koha/admin/classsources.pl?op=add_source
   second case classification filing rules:
   Hit the page /cgi-bin/koha/admin/classsources.pl?op=add_sort_rule
2. Add a text in the field Description that contains js
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:50 -03:00
Amit Gupta
bfbba2339f Bug 19108: Fix Stored XSS in items_search_fields.pl
To Test
1. Hit the page /cgi-bin/koha/admin/items_search_fields.pl
2. Add a text in the field Name and Label that contains js
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Fixed for new and edit page

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:50 -03:00
Amit Gupta
d1aa11c51c Bug 19108: Fix Stored XSS in oai_sets.pl
To Test
1. Hit the page /cgi-bin/koha/admin/oai_sets.pl
2. Click on New set
3. Add a text in the field setSpec, setName that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:47 -03:00