Commit graph

88 commits

Author SHA1 Message Date
Didier Gautheron
3d0da68d5a Bug 25982: OPAC shelves RSS link output is xml
Output rss feed as text/xml

Test plan:
1) have books entered
2) log in create a list
3) add books to list
4) display list in OPAC
5) click the RSS link button.
   -- output is displayed as html text
6) apply patch
7) repeat steps 4&5
   -- output is displayed as xml tree

Signed-off-by: Sally <sally.healey@cheshiresharedservices.gov.uk>
Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-07-30 17:44:27 +02:00
2a216e206c
Bug 25416: Let OPAC XSLTs know if the context is an anonymous session
This patch makes use of the 'variables' parameter in XSLTParse4Display
method in the different places that it is used in the OPAC. It does so by
passing this parameter with

    anonymous_session => 1|0

The value will depend on the output from get_template_and_user (i.e. if
there's a returned borrowernumber).

A special case takes place in search results, as the call to
XSLTParse4Display happens in C4::Search::searchResults. So a new
parameter 'xslt_variables' is added to it.

To test:
1. Apply the [DO NOT PUSH] patch
2. Open the OPAC in your browser
3. Try detail pages, search results, tags and lists/shelves pages with
   or without an active session
=> FAIL: It always says (somewhere) 'Anonymous session: Yes'
4. Apply this patch, restart_all
5. Repeat 3
=> SUCCESS: It will tell the Yes/No correctly regarding anonymous
sessions!
6. Sign off :-D

Sponsored-by: Universidad ORT Uruguay
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-05-15 09:33:22 +01:00
564736a76a
Bug 23482: Fix BakerTaylor cover images on lists
While this needs a username/pass to fully test, it should be possible to
verify the code changes by comparing to opac-results code

To test:
1 - Enable BakerTaylor images
2 - Enter your username and password
3 - Do not fill the BookStore URL
4 - Verify OPAC covers are working
5 - Save some times with covers to a public list
6 - Verify they do not display in list
7 - Apply patch
8 - Verify images now work

Signed-off-by: Kelly McElligott <kelly@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-02-21 15:44:01 +00:00
0a07597f20
Bug 17896: Remove duplicated use statements
and remove unneeded '&'

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-02-21 15:43:57 +00:00
2dc33d4df2
Bug 17896: load BakerTaylor module with use
We are inconsistent here, Amazon and Syndetics module are always loaded in some places
BakerTaylor is conditional everywhere, and causes issues under plack

For simplicity's sake I think we should just load this (small) module where it might be needed

To test:
1 - Disable Baker and Taylor images
2 - Restart plack
3 - Visit opac-readingrecord, opac-detail, opac-search, opac-shelves, opac-user
    Log in to opac
    View your reading history
    Make/view a list
    Search the catalog
    Look at an individual title
4 - Enable BakerTaylorEnabled
    If you don't have Baker and Taylor credentials, simply fudge them with bad data and enable
5 - Repeat steps above, in the word of Joubu "Kaboom"
6 - Apply patch
7 - Repeat 1-4
8 - You should be able to load all the pages after enabling the pref

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-02-21 15:42:58 +00:00
ee8a9a6af5
Bug 24249: OPAC lists page should require login for login-dependent operations
This patch modifies opac-shelves.pl so that login is required if the
requested operation is anything but "view" and "list."

The patch also modifies a couple of "Log in to create a new list" links
so that they point to the list creation form instead of opac-user.pl.

To test, apply the patch and go to the main lists page (the list of
lists) in the OPAC while not logged in.

 - Click the "Log in to create a new list" link.
 - Log in.
 - You should be taken to the "Create a new list" form.
 - Also test the "New list" link shown in the toolbar when you're
   viewing the contents of a list.
 - When not logged in click the "Lists" menu in the page's header menu.
   Clicking "Log in to create a new list" should take you to the login
   form and then to the list creation form.

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-02-19 11:14:18 +00:00
82716a0172
Bug 23084: Replace grep {^$var$} with grep {$_ eq $var}
We certainly faced 3 similar bugs due to this syntax: bug 23006, bug
22941 and bug 17526.

To prevent other issues related to this syntax this patch suggests to
replace them all in one go.

Test plan:
Confirm that the 2 syntaxes are similar
Eyeball the patch and confirm that there is no typo!

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-02-17 10:44:45 +00:00
dde8ea09fc
Bug 18936: (QA follow-up) Remove 2 new occurrences of Koha::IssuingRules
Fix conflict with bug 13121

Signed-off-by: Joonas Kylmälä <joonas.kylmala@helsinki.fi>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-02-04 09:56:30 +00:00
Jesse Weaver
1c43a26525
Bug 18936: (follow-up) Fix tests, replace old get_onshelfholds_policy method
Signed-off-by: Minna Kivinen <minna.kivinen@hamk.fi>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@helsinki.fi>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-02-04 09:56:25 +00:00
07d2a419f3
Bug 13121: Move search results "action" links ("Place hold," "Add tag," etc) into include file
This patch moves markup for controls repeated across several OPAC
templates into a single include: Place hold, Request article, Add tag,
Save to lists, and Add to cart.

To test, apply the patch and view the following OPAC pages:

 - Search results
 - Shelf contents view
 - User tags list

On each of these pages all the controls should work correctly:

 - Place hold
 - Request art
 - Add tag
 - Save to lists
 - Add to cart

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-01-29 09:04:14 +00:00
bebdbd535b
Bug 23913: Use a single menu to sort lists in the OPAC
This patch modifies the sorting form on the OPAC list contents view so
that the two menus (sort field and direction) are combined into one.
This makes it consistent with the sort menu on the search results page.

To test, apply the patch and view a list with multiple titles on it.

Test the "Sort by" menu, trying all the various options. Confirm that
the pre-selected item in the sorting menu is correct after each re-sort.

Edit the list to change the default sorting and verify that the "Sort
by" menu reflects your selection.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-01-02 14:39:06 +00:00
558929d85d
Bug 22445: Custom cover images - opac shelves
Test plan:
Add a bibliographic record (that has a custom image) to a shelf,
view the shelf (OPAC).
You should see the image.

Sponsored-by: Orex Digital
Signed-off-by: Hayley Mapley <hayleymapley@catalyst.net.nz>
Signed-off-by: Hugo Agud <hagud@orex.es>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Michal Denar <black23@gmail.com>
Signed-off-by: Kyle Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-10-22 15:02:49 +01:00
Ere Maijala
a1a05db1b6
Bug 11529: Add templates for biblio title display. Unify display.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-08-05 15:03:19 +01:00
Ere Maijala
4ea26c0a69
Bug 11529: Use new biblio fields whenever possible
Signed-off-by: Michal Denar <black23@gmail.com>
Signed-off-by: Michal Denar <black23@gmail.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-08-05 15:03:17 +01:00
Mark Tompsett
42a26a7580
Bug 17526: Change grep to deal with malformed sortfield
Giving sortfield a malformed value when viewing lists results in
Internal Server Error.

eg.
http://localhost:8080/cgi-bin/koha/opac-shelves.pl?op=view&shelfnumber=1&sortfield=title(

Note the trailing (

Before Patch: kaboom
apply patch
restart
After Patch: No kaboom

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-06-18 10:03:54 +01:00
7bed2a3fe6 Revert "Bug 22478: (QA follow-up) Handle category in opac-shelves like a boolean"
This reverts commit 375dd35d53.

https://bugs.koha-community.org/show_bug.cgi?id=22836
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-05-15 10:56:48 +00:00
375dd35d53 Bug 22478: (QA follow-up) Handle category in opac-shelves like a boolean
The category parameter should be restricted to 1 or 2 (private/public). In
order to keep same behavior, no parameter means 1 (private).
Note: Adding the same line in intranet counterpart.

Test plan
[1] Check for category empty, '1a', '11' etc. And with script ;)

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-05-02 13:40:26 +00:00
d99d32d033 Bug 8995: (follow-up) Add tests, move open_url/coins routines to Koha namespace
Test plan:
1) Ensure the COinS span tag is still included on these pages. You need
to look into html source and search for span tag with class 'Z3988',
   which has COinS string in title.
   Staff client:
       catalogue -> ISBDdetail
       catalogue -> MARCdetail
       catalogue -> detail
       virtualshelves -> shelves
    OPAC (you should have COinSinOPACResults system preference enabled):
        opac detail
        opac search
        opac shelves
2) Run tests:
prove t/Biblio.t t/db_dependent/Biblio.t t/db_dependent/Koha/Biblio.t

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tested with all 9 current patches. Works as advertised, including
OPACURLOpenInNewWindow. If a record has no items, no OpenURL link
is displayed. All the suggested tests pass. I did not test with
XSLT turned off.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-04-29 15:34:10 +00:00
31c29fd31f Bug 21206: Replace C4::Items::GetItem
Note: This is here for information purpose, feel free to test it if you
want to play with it.

TODO: C4::Reserves::_get_itype is no longer in use

No more GetItem must be returned by:
git grep GetItem|grep -v GetItemsAvailableToFillHoldRequestsForBib|grep
-v GetItemsForInventory|grep -v GetItemsInfo|grep -v
GetItemsLocationInfo|grep -v GetItemsInCollection|grep -v
GetItemCourseReservesInfo|grep -v GetItemnumbersFromOrder|grep -v
GetItemSearchField|grep -v GetItemTypesCategorized|grep -v
GetItemNumbersFromImportBatch|cut -d':' -f1|sort|uniq

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-02-26 13:24:07 +00:00
20cba0d295 Bug 21629: Use cn_sort instead of itemcallnumber when displaying a list
DBMS can sort callnumbers correctly using cn_sort. We should use it
showing a list's content.

Test plan:
- Add items with callnumber to a list
- Display the list
- List the content by callnumbers
=> Confirm that the records are correctly sorted by callnumber

Signed-off-by: Myka Kennedy Stephens <mkstephens@lancasterseminary.edu>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-26 17:09:51 +00:00
Maryse Simard
d352b3c9c6 Bug 19039: (follow-up) Results of virtual shelves (lists) not sortable by date
In the staff client, when viewing the content of a list, it can be sorted by 'title', 'author' or 'call number' but not by 'date added'.

    This patch adds 'date added' as an option for default sorting of lists. It also makes it available as a sorting option while viewing lists.

    Test plan:
    In the staff client and the opac:
    1) View a list containing several items
      => Notice that you can't sort by 'date added'
    2) Try to edit the list or create a new one
      => Notice you can't choose date added as the default sort order
    3) Apply the patch
    4) When viewing the list you should now be able to sort by date added
      => Make sure it orders correctly
    5) Edit or create a list and choose date added as default sorting order
      => Make sure it uses date added as default
      => On the staff client: test that the filter for 'sort by' works for date added
      => On the opac: test that, while viewing the contents, choosing 'default sorting' in the dropdown menu sorts correctly

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-24 16:23:27 +00:00
39e1fbcbe9 Bug 19301: Move C4::Reserves::OnShelfHoldsAllowed to get_onshelfholds_policy
Following the pattern introduced by bug 19300, we are going to move the
OnShelfHoldsAllowed logic to Koha::IssuingRules->get_onshelfholds_policy

Test plan:
Make sure the onshelfholds policy is correct when placing a hold

Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-13 13:36:00 -03:00
db14275db4 Bug 19298: Placing a hold from a list at the OPAC should respect issuing rules
The issuing rule retrieved to know if a hold can be placed on a record of
a list is not correct.

Test plan:
0/ With item-level_itypes = item level
1/ Define a item.itype=BK and biblioitems.itemtype=CF
2/ Create a default rule to allow on shelf holds
3/ Create a specific rule for CF with on shelf holds="If any
unavailable"
4/ Add this bibliographic record to a list and view the list
=> Without this patch you will not see "Place hold"
=> With this patch applied you will see the "Place hold" button,
respecting the correct issuing rule

Followed test plan, patches worked as described.

Note: Just to clarify the test plan slightly in step 4 where it says you will not see 'Place Hold' it means to
the left of the 'Save to another List' link below the item availability
in the opac-shelves.pl page. Not the 'Place hold' button in the grey
page header box.

Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-10-25 12:14:39 -03:00
Mark Tompsett
d5986c9b97 Bug 19040: Refactor GetMarcBiblio parameters
Change parameters to a hashref.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Looks good to me.
Two calls in migration_tools/22_to_30 still in old style.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-25 10:23:42 -03:00
2b90ea2cb0 Bug 17829: Move GetMember to Koha::Patron
GetMember returned a patron given a borrowernumber, cardnumber or
userid.
All of these 3 attributes are defined as a unique key at the DB level
and so we can use Koha::Patrons->find to replace this subroutine.
Additionally GetMember set category_type and description.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-07-10 13:14:19 -03:00
6eade474ed Bug 18276: Remove GetBiblioFromItemNumber - Easy ones
The subroutine C4::Biblio::GetBiblioFromItemNumber was wrong for several
reasons:
- badly named, we can get biblio info from a barcode
- SELECT * from items, biblio and biblioitems
makes things hard to follow and debug, we never know where the values
we display come from
- sometimes called only for trivial information such as biblionumber,
author or title

This patchset suggests to replace it with calls to:
- Koha::Items->find for item's info
- $item->biblio for biblio's info
- $item->biblio->biblioitem for biblioitem's info

Test plan:
Item's info should correctly be displayed on the following pages:
- circulation history
- transfer book
- checkin
- waiting holds

QA will check the other changes reading the code, it's trivial

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-07-10 12:22:29 -03:00
ca0bde1e7e Bug 17843: [QA Follow-up] Some polishing
Resolve warning from members/summary-print.pl:
    "my" variable $itemtype masks earlier declaration in same scope

Test if find returns a Koha object in GetDescription.
Test if find returns a Koha object too in shelves.pl. While testing, I had
a crash on a biblioitem with itemtype NULL (bad record, but these things
tend to happen somehow.)
Can't call method "imageurl" on an undefined value at virtualshelves/shelves.pl line 253.
Same for opac/opac-shelves.pl.

Note: Did not add tests everywhere but generally, I have the impression that
we do not sufficiently test on the results of Koha::Object->find. Mostly we
just assume that it will find a record. Several reports include fixes to
resolve that wrong assumption.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
2017-07-05 13:42:21 -03:00
091d6c513b Bug 17843: Replace C4::Koha::getitemtypeinfo with Koha::ItemTypes
The C4::Koha::getitemtypeinfo subroutine did the almost same job as
GetItemTypes. On top of that it returned the imageurl value processed by
C4::Koha::getitemtypeimagelocation.
This value is only used from the 2 [opac-]shelves.pl scripts. Then it's
better not retrieve it only when we need it.

Test plan:
Play with the different scripts touched by this patch and focus on item
types. The same description as prior to this patch must be displayed.
Note that sometimes it is not the translated description which is
displayed, but that should be fixed on another bug report. Indeed we do
not expect this patch to change any behaviors.

Signed-off-by: Lari Taskula <lari.taskula@jns.fi>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
2017-07-05 13:42:21 -03:00
a58aca056b Bug 18228: Implement the new columns in code
The two new columns as mentioned in the commit message of the table
revision must be used in the codebase now.

Highlighting some changes in Koha::VirtualShel[f|ves]:
[1] Additional methods is_public and is_private.
[2] Method add_biblio did not check permissions. Does now. No impact on the
    interface, but one call in the unit test was affected.
[3] Method remove_biblios is significantly simplified. Removed a FIXME.
[4] Method can_biblios_be_removed now redirects to can_biblios_be_added.
    A followup report may deal with unifying those routines.
[5] Condition in get_some_shelves changed.
[6] The reference to allow_add in get_shelves_containing_record can simply
    be removed.

opac-shelves.pl and shelves.pl now pass the default setting of Owner only
to the template.
Templates shelves.tt and opac-shelves.tt now include the new permission
field with three choices as mentioned in the table revision patch.

opac-addbybiblionumber.pl and addbybiblionumber now need a check on
allow_change_from_owner; search conditions slightly adjusted to the new
permission scheme.

Test plan:
When we refer to visibility in the test plan, please check the Add to-combo
on opac search results and staff results. And check opac-addbybiblionumber
by clicking Save to Lists from opac results.
The step 'Check delete' means: open the list in opac and check if you see
the Delete button below the entries (only check, do not delete).

[ 1] Create private list I01 (perm=Owner)
[ 2] Check visibility: Seen.
[ 3] Add a book. (Change by owner should be allowed.)
[ 4] Check delete: Yes.
[ 5] Edit list I01, set perm=Nobody
[ 6] Check visibility: Not seen.
[ 7] Check delete: No.
[ 8] Share list I01 with another patron.
[ 9] Check visibility for the other patron: Not seen.
[10] Check delete for the other patron: No.
[11] Change permission of list I01 to Anyone (by owner).
[12] Check visibility for the other patron: Seen.
[13] Let other patron add a book (change is allowed).
[14] Let owner delete the same book again (change allowed).

[15] Create public list U01 (perm=Owner)
[16] Check visibility: Seen.
[17] Add a book. (Change by owner should be allowed.)
[18] Login as other user. Check visibility: Not seen. Check delete: No.
[19] Change permission of U01 to Nobody (by owner)
[20] As owner: Check visibility: Not seen. Check delete: No.
[21] As other user: Check visibility: Not seen. Check delete: No.
[22] Create public list U02 (perm=Anyone)
[23] Add a book by owner.
[24] Delete the same book by other user. Add another book.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jesse Maseto <jesse@bywatersolutions.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2017-07-05 13:35:23 -03:00
Mark Tompsett
f3167a5259 Bug 18560: RSS link in opac shelves is broken
TEST PLAN
---------
1) have books entered
2) log in create a list
3) add books to list
4) display list
5) click the RSS link button.
   -- bad HASH error.
6) apply patch
7) repeat steps 4&5
   -- readable junk without error messages.
8) run koha qa test tools

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-12 08:45:02 -04:00
cb4fa17a27 Bug 17901: Force context to scalar
See bug 15809 for more references.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-30 11:20:49 +00:00
45cffd874c Bug 17901: Fix possible SQL injection in shelf editing
It has been reported that
/cgi-bin/koha/opac-shelves.pl?op=edit&referer=view&shelfnumber=146&owner=4&shelfname=testX&sortfield=titleaaaaaa\`&category=1

Could lead to SQL injection
Actually it explodes because the generated SQL query is not correctly formatted.

However it would be good to limit the possible values for sortfield.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-30 11:20:48 +00:00
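
The sortfield handling discussed in Bug 17901 above, in Bug 17526 and in Bug 23084, as an added example (not code from Koha or from these commits): it compares the regex-interpolating grep with the string-equality grep on a few request values. The allowlist contents, the function names and the 'title' fallback are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed allowlist for this example; the page does not list the
# sort fields the real script accepts.
my @ALLOWED_SORTFIELDS = qw( title author itemcallnumber dateadded );

# Old idiom: the request value is interpolated into a pattern, so it is
# compiled as a regex instead of being compared as a string.
sub check_with_regex {
    my ($sortfield) = @_;
    my $count = eval { scalar grep { /^$sortfield$/ } @ALLOWED_SORTFIELDS };
    return 'died' unless defined $count;    # pattern failed to compile
    return $count ? 'accepted' : 'rejected';
}

# Replacement idiom: plain string equality, no pattern compilation.
sub check_with_eq {
    my ($sortfield) = @_;
    return 'rejected' unless defined $sortfield;
    return ( grep { $_ eq $sortfield } @ALLOWED_SORTFIELDS )
        ? 'accepted'
        : 'rejected';
}

# Value that would be handed to the query layer: the request value only
# if it is literally one of the allowed names, otherwise a fixed default
# (hypothetical choice for this example).
sub safe_sortfield {
    my ($sortfield) = @_;
    return check_with_eq($sortfield) eq 'accepted' ? $sortfield : 'title';
}

# Constructed request values. 'title(' is the malformed value from
# Bug 17526 and 'titleaaaaaa`' the one from Bug 17901; 'tit.e' and '.*'
# are not allowed names but are valid patterns that match one.
for my $value ( 'title', 'tit.e', '.*', 'title(', 'titleaaaaaa`' ) {
    printf "%-14s regex=%-9s eq=%-9s used=%s\n",
        $value,
        check_with_regex($value),
        check_with_eq($value),
        safe_sortfield($value);
}
```
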
ef0b0f13fc Bug 17094: Make Koha::Virtualshelf methods return Koha::Objects-based objects
Instead of DBIx::Class objects.

Test plan:
1/ Add content to a list and share it with another patron
2/ Try to view the list with the other patron
3/ download and send a shelf and check if the biblio list is correct
4/ prove t/db_dependent/Virtualshelves.t should return green

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-10-11 13:14:46 +00:00
31ca4849ef Bug 17316: Do not display the list's name if the user does not have permission - OPAC
At the OPAC, if a user manipulates the URL to show a list (s)he is not
allowed to view, the list's name will be displayed anyway.

Test plan:
- Create a private list with user A
- Copy the op=view URL and access it with user B logged in
=> Without this patch, you will see the rss icon, the list's name and
the "add list" button
=> Without this patch, only the "unauthorized" box will be displayed

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:13:58 +00:00
39487d634e Bug 11592: (QA followup) Add missing framework code to ViewPolicy filter calls
This patch adds the frameworkcode option param, using each record's frameworkcode
as expected by the filter. Otherwise the ViewPolicy filter falls back to the
default framework.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-08 11:54:22 +00:00
ea27569334 Bug 11592: (QA followup) Simplify code
Koha::RecordProcessor and the defined filters are supposed to bring us
joy and happiness. Let's keep the code compact, simple and clean.

This patch removes record cloning all over the place.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-08 11:54:22 +00:00
Mark Tompsett
cadf5aea81 Bug 11592: MARCView and ISBD followup
There are still some leaks, but it is not as a result
of the filter, but rather a result of poorly written
template files.

Bug fixing template files is beyond the scope of this
set of patches.

TEST PLAN
---------
 1) Backup your DB
 2) run the following SQL on your DB.
    > UPDATE marc_subfield_structure set hidden=-8;
    -- this should set EVERYTHING to hidden across the board.
 3) In staff client, set OPACXSLTDetailsDisplay to blank
 4) In OPAC, view any detail.
    -- Normal view may mostly leak values still.
    -- MARC view may leak values.
    -- ISBD view may leak values.
 5) In staff client, set OPACXSLTDetailsDisplay to default
 6) In OPAC, view any detail.
    -- same issues as step 4
    -- 'View Plain' may leak too.
 7) 'Save record' -> 'Dublin Core'
 8) Apply this patch
 9) run koha qa test tools
    -- should be fine
10) prove -v t/db_dependent/Filter_MARC_ViewPolicy.t
    -- should pass
    -- this proves Koha/Filter/MARC/ViewPolicy.pm tweaks too
11) In OPAC, view any detail.
    -- Normal view:
       -- Material type comes from the LEADER field.
       -- Lists this is on will still display
       -- 'Tags from this library' will still display
       -- Item information in table will still display
          (THIS IS BEYOND SCOPE)
    -- MARC view:
       -- Record number is leaked
          (THIS IS BEYOND SCOPE)
       -- 'View plain' leaks LEADER field.
    -- ISBD view may leak field headings, but not values.
       (THIS IS BEYOND SCOPE)
12) In staff client, set OPACXSLTDetailsDisplay to blank
13) In OPAC, view any detail.
    -- same kind of output as step 10
14) 'Save record' -> BIBTEXT
    -- Should be next to nothing leaked.
15) 'Save record' -> Dublin Core
    -- Should be the same or less leaked between the two versions.
    -- (XML FILTERING IS BEYOND SCOPE)
16) In the staff client, go view the same record.
    -- it should be mostly hidden in ISBD View.
17) run the following SQL on your DB.
    > UPDATE marc_subfield_structure set hidden=1;
    -- this should set EVERYTHING to hidden in OPAC, but not
       the STAFF across the board.
18) Refresh the staff ISBD page
    -- values should reappear.
19) View the ISBD details in the OPAC
    -- values should still be hidden.
20) Check out the OPAC Cart and List
    -- while the intermediate pages may still leak
       the download links should leak very minimally.
    -- (CARTS AND LISTS ARE BEYOND SCOPE, THOUGH
        THE INTRANET ISBD AND SOME CART/LIST STUFF
        WERE FIXED BECAUSE OF THE GetISBDView REFACTOR)

Expectations:
Before Patch - all the OPAC Detail pages will display things
After Patch - all the OPAC Detail pages will display much less,
              and hopefully nothing (though there are known limits).
              the ISBD detail page in the Staff client will be
              filtered as well based on STAFF settings.
              The saving/exporting should generate nearly empty
              files.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-08 11:54:22 +00:00
609f537128 Bug 15485: (QA followup) Simplify logic and use *ResultsDisplay value during upgrade
This patch makes the new sysprefs work as the previously defined. Instead of falling back
to what *ResultsDisplay is set, it now has its own 'default' (that still defaults to the
*Results*.xslt).

The default values are set to 'default' as the rest of XSLT-related sysprefs, and the upgrade
picks whatever is set in OPACXSLTResultsDisplay and XSLTResultsDisplay so current behaviour
is preserved.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
New XSLTs for Lists work as advertised

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-06-24 13:30:31 +00:00
add61ef614 Bug 15485: (QA followup) Fix behaviour and default values
Jonathan noticed the current behaviour is that the lists rendering
falls back to the XSLTResults, and if not defined (i.e. != 'default' and
!= some_path) it falls back to a legacy display (non-XSLT).

The patchset changed this behaviour because 'default' is not a valid value
for the lists. So it should fallback to the current behaviour (i.e. Results
XSLT configuration) if not defined. This patch fixes this by adding
 || C4::Context->preference('XSLTResultsDisplay')
(and the OPAC counterpart).

It also fixes minor glitches on the update message (oops) and bad default value
in sysprefs.sql  for 'XSLTListsDisplay'.

Thanks Jonathan!

Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-06-24 13:30:31 +00:00
04143f6a9c Bug 15485: Use lists-specific XSLT sysprefs
This patch makes the shelves.pl (staff) and opac-shelves.pl scripts
use the new sysprefs for specifying custom XSLTs for lists display.

XSLT.pm is patched so it defaults to the corresponding *Results.xsl
files if none is specified.

To test:
- Create a list
- Open the list in the staff interface
- On a new tab, open the list in the OPAC.
- Apply this patches
=== default behaviour
- Open the list (both opac and staff) on new tabs
=> SUCCESS: They look exactly the same (hint: the syspref is set to ''
   so it should fallback to using the one we were using.
=== using the new functionality
- Create custom XSLTs for lists, for example:
  $ cd /home/vagrant/kohaclone/koha-tmpl/opac-tmpl/bootstrap/en/xslt
  $ cp MARC21slim2OPACResults.xsl MARC21slim2OPACLists.xsl
- Edit your sysprefs, setting OPACXSLTListsDisplay to:
  /home/vagrant/kohaclone/koha-tmpl/opac-tmpl/bootstrap/{langcode}/xslt/MARC21slim2OPACLists.xsl
- Reload the OPAC list view
=> SUCCESS: Looks exactly as before
- Make some minor tweak (for example in line 423 replace
  <xsl:text> </xsl:text>
for
  <xsl:text> BLAH </xsl:text>
- Reload the list
=> SUCCESS: BLAH shows in several places on the title.
- Repeat for the staff interface
- Sign off :-D

So we can now set custom XSLTs for lists.

Sponsored-by: Carnegie Stout Library

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Deb Stephenson <DStephen@dubuque.lib.ia.us>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-06-24 13:30:30 +00:00
a484334fed Bug 15263: (QA followup) Make *shelves.pl use the new API
This patch makes the lists work as the search results for rendering on
XSLT-driven context. No behaviour change is expected.

To test:
- Apply the patch
- Navigate lists (OPAC and intranet)
=> SUCCESS: the only difference is speed (faster)
- Sign off :-D

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-05-04 13:40:35 +00:00
f3e4b5bbb6 Bug 16154: CGI->multi_param - Force scalar context
This patch replaces the occurrences of
  $template->param( foo => $cgi->param('foo') );
with
  $template->param( foo => scalar $cgi->param('foo') );

perl -p -i -e 's/(\s*=>\s*)\$(cgi|input|query)\->param\(/$1scalar \$$2\->param\(/xms' **/*.pl

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-04-26 23:16:43 +00:00
66aacace08 Bug 16154: CGI->multi_param - Declare a list
This patch replaces the occurrences of
  my @foo = $cgi->param('foo');
with
  my @foo = $cgi->multi_param('foo');

perl -p -i -e 's/^(\s*my\s*@\w+\s*=\s*)\$(cgi|input|query)\->param\(/$1\$$2\->multi_param\(/xms' **/*.pl

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-04-26 23:16:42 +00:00
Alex Arnaud
8c807b9466 Bug 16296 - Fix records displaying in virtualshelves
Test plan:
- Empty OPACXSLTResultsDisplay system preference,
- select a virtual shelf in the dropdown list "Lists" on navigation bar
  (Or create one and add records),
- check that records are correctly displayed (title, author, publisher
  etc...).

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Display is now correct
No errors

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-04-22 22:50:41 +00:00
6303016736 Bug 16143: Make opac-shelves.pl generate OPAC itype images path
This patch makes icons point to the OPAC path instead of intranet's.

To test:
- On current master/3.22.x
- Have some itemtypes with icons set
- Have some biblios matching the itemtypes
- Add them to a public list
- Do a search in the OPAC for any of those biblios
=> SUCCESS: icons show correctly
- Choose the list
=> FAIL: icons fail to show, URL points to /intranet-tmpl/....
- Apply the patch, reload
=> SUCCESS: icons show correctly
- Sign off :-D

Sponsored-by: American Numismatic Society

NOTE: I had to set item-level_itypes to 'biblio record'
      in order to trigger this. My icons showed, but the
      path was wrong. This patch corrects it.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
2016-03-24 15:34:38 +00:00
d9b39d2553 Bug 15811: follow-up Bug 4912: Redirect to the appropriate view after editing/deleting a list
Test plan:
1/ At the opac, go to the list home page (opac-shelves.pl)
2/ Click on 'new list', create a list and save
=> You should be redirected to the list
3/ Click on edit, save
=> You should be redirected to the list
4/ Delete the list
=> You should be redirected to the list
5/ Edit a list from the list view, save
=> You should be redirected to the list
6/ Click on a list link (op=view)
7/ Edit the list, save
=> You should be redirected to the 'show' view
8/ Delete list
=> You should be redirected to the list

Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
2016-02-24 01:32:23 +00:00
d6329e4f96 Bug 15810: Make sure the CGI->param is not called in a list context when creating private shelves
This patch fixes the following bug:
If OpacAllowPublicListCreation is set to "not allow", the creation of a
private list raises an error at the OPAC.

CGI->param is called in a list context and some parameters are not
filled from the template if the pref is set to "not allow".
To make sure we don't have an "Odd number of elements in anonymous hash",
we force the context to scalar.

Test plan:
1/ Set OpacAllowPublicListCreation to "not allow"
2/ Create private and public lists at the OPAC and the intranet
=> Everything should work fine with this patch applied

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
2016-02-22 20:32:18 +00:00
71d4942c30 Bug 15760: Fix order by direction for shelves
The order_by parameters should not be "$direction $order_by" with
quote_names enabled. The correct syntax is { -$direction => $order_by }

Test plan for Opac + Staff interfaces:
Sort list by title or whatever and change the direction

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
2016-02-11 19:42:31 +00:00
6a2bf8d31b Bug 4912: Redirect to the appropriate view after editing/deleting a list
There are 2 places where a list can be edited/deleted: on the list view
and the list content view. After the edit, the user expects to be
redirected to the previous page.
This patch implements that.

Test plan:
At the OPAC, delete and edit a list from the 2 different places.
Confirm that you are redirected to the page you come from.

With patch, redirects work as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
2016-01-27 02:34:40 +00:00
2923cfdff4 Bug 6322 - It's possible to view lists/virtualshelves even when virtualshelves is off
If the user knows the URL for OPAC lists they can access them even with
the virtualshelves preference turned off. This patch copies the solution
added to opac-topissues.pl by Bug 10595 and applies it to OPAC lists
pages.

To test, apply the patch and set the virtualshelves system preference to
"don't allow."

- Navigate to /cgi-bin/koha/opac-shelves.pl. You should be redirected to
  an Error 404 page.
- Also check:
  - /cgi-bin/koha/opac-shareshelf.pl.
  - /cgi-bin/koha/opac-downloadshelf.pl
  - /cgi-bin/koha/opac-sendshelf.pl
  - /cgi-bin/koha/opac-addbybiblionumber.pl
- Turn virtualshelves back on. Access to lists and list sharing should
  be restored.

Signed-off-by: Aleisha <aleishaamohia@hotmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
2016-01-27 02:31:42 +00:00