The parameter change in Koha::Token should be applied to the calling
scripts.
Test plan:
Confirm that the different forms of the scripts modified by this patch
still work correctly.
Test the problematic behavior:
Open 2 tabs in the same user's session, go to the edit patron page
(memberentry.pl).
Log out and log in from the other tab.
Submit the form
=> Wrong CSRF token should be raised
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
If the userid of the logged in user contains unicode characters, the token
will not be generated correctly and Koha will crash with:
Wide character in subroutine entry at /usr/share/perl5/Digest/HMAC.pm line 63.
Test plan:
- Edit a superlibrarian user and set his/her userid to '❤' or any other string
with unicode characters.
- Login using this patron
- Search for patrons and click on a result.
=> Without this patch, you will get a software error (with "Wide
character in subroutine entry" in the logs).
=> With this patch, everything will go fine
You can also test the other files modified by this patch.
Signed-off-by: Karam Qubsi <karamqubsi@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
From the pod of Digest::MD5:
"""
Since the MD5 algorithm is only defined for strings of bytes, it can not
be used on strings that contain chars with ordinal number above 255
(Unicode strings). The MD5 functions and methods will croak if you try
to feed them such input data.
What you can do is calculate the MD5 checksum of the UTF-8
representation of such strings.
"""
Test plan:
- Set a MySQL/MariaDB password with unicode characters:
UPDATE user SET password=PASSWORD('❤') WHERE USER='koha_kohadev';
FLUSH PRIVILEGES
- Update your $KOHA_CONF file
- Restart Memcached
- Hit the files modified by this patch
=> Without this patch, you will get a software error (with "Wide
character in subroutine entry" in the logs).
=> With this patch, everything will go fine
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Edit: removed debugging leftover
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
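The three commit messages above share one cause: an HMAC or MD5 digest is defined over bytes, so a userid, session id or password that contains characters above 255 must be encoded to UTF-8 before it is hashed, and a CSRF token is only valid for the session that minted it. The following is an added Python example, not Koha's Perl code and not a description of Koha::Token's internals; the token layout (HMAC-SHA256 over session id and userid), the secret and the session ids are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed server secret; a real deployment would load this from config.
SECRET = b"constructed-demo-secret-not-for-real-use"


def csrf_token(session_id: str, userid: str, secret: bytes = SECRET) -> str:
    """HMAC-SHA256 over the session id and userid, both encoded to UTF-8 first.

    Encoding is the whole point: HMAC is defined over bytes, and a userid such
    as '❤' cannot be fed to it as text (Python's hmac.new raises TypeError on
    any str; Perl's Digest::HMAC dies only when a character is above 255).
    """
    msg = session_id.encode("utf-8") + b"\x00" + userid.encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def check_csrf(token: str, session_id: str, userid: str,
               secret: bytes = SECRET) -> bool:
    """Recompute the token for the *current* session and compare in constant
    time; a token minted for an earlier session never matches."""
    expected = csrf_token(session_id, userid, secret)
    return hmac.compare_digest(token, expected)


def token_without_encoding(session_id: str, userid: str) -> str:
    """The failure mode the commit describes: text handed straight to HMAC."""
    try:
        hmac.new(SECRET, session_id + "\x00" + userid, hashlib.sha256)
        return "accepted"
    except TypeError:
        return "rejected"


def md5_of_text(text: str) -> str:
    """The Digest::MD5 advice applied: hash the UTF-8 representation, so a
    password such as '❤' works instead of croaking on a wide character."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def two_tab_scenario(userid: str = "❤") -> dict:
    """Reproduce the two-tab test plan: tab 1 renders a form carrying a token
    for session A; tab 2 logs out and back in, giving session B; the stale
    form is then submitted. Returns both verification outcomes."""
    session_a = secrets.token_hex(16)           # constructed session id
    form_token = csrf_token(session_a, userid)  # token embedded in tab 1's form
    session_b = secrets.token_hex(16)           # fresh session after re-login
    return {
        "same_session": check_csrf(form_token, session_a, userid),
        "after_relogin": check_csrf(form_token, session_b, userid),
    }


if __name__ == "__main__":
    print(two_tab_scenario())                     # {'same_session': True, 'after_relogin': False}
    print(token_without_encoding("sess", "❤"))    # rejected
    print(md5_of_text("❤"))
```

Binding the token to the session id is what makes the "Wrong CSRF token" outcome in the test plan the correct one: the form in the first tab was rendered under a session that no longer exists, so its token must be refused rather than silently accepted.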
Removes template var csrf_error and associated handling.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Retested with opac and intranet: Still sends or dies elegantly.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
No need to send OPACBaseURL to the template, if you load the Koha TT
plugin inside the template.
Test plan:
Send a few items in your cart from OPAC and intranet.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
If you have no (valid) token, you will not be able to send the message.
Test plan:
[1] Verify if you can still send the cart from opac and intranet.
[2] While still being logged in, try to send the cart from opac by
using the following URL:
/cgi-bin/koha/opac-sendbasket.pl?email_add=you@somedomain.com&comment=csrf_test&bib_list=doesnotmatter&csrf_token=justsomeguess12345
This should now result in a csrf error.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Patch deals with opac and intranet variant.
If we authenticated the first time, it is not necessary to do it
a second time right away.
Replaces a call to get_template_and_user (including checkauth) by
gettemplate.
Also removes duplicate use C4::Biblio statements.
Test plan:
[1] Put a few books in the cart.
[2] Send the cart from OPAC.
[3] Send the cart from intranet.
Tested 3 patches together. Works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch includes:
[1] Add some logic to GetMarcNotes to embed the contents of MARC21 field
555$u in a html anchor tag.
[2] Add a unit test for GetMarcNotes in Biblio.t
[3] Remove calls to GetMarcNotes from sendbasket.pl (opac and staff).
A closer look revealed that the data was not used; the notes in the
mail of sendbasket are taken from GetBiblioData.
Test plan:
[1] Edit a record. Add one or two URLS in 555$u. Add something in 500$a too.
[2] Check if you can click the URLs in opac and staff detail tab Notes or
Descriptions.
[3] Run the unit test t/db../Biblio.t
[4] Add something in the cart. Click More Details and send the cart.
Verify that you have something in Notes (from 500$a).
Signed-off-by: Marc Veron <veron@veron.ch>
Followed test plan. Works as expected. QA tools OK.
Tested with all patches together, works as expected
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
The sendbasket/sendshelf scripts and templates do not use email_sender
as a cgi parameter or as a template var. Probably a leftover from previous
changes.
Let's make Koha cleaner :)
Test plan:
[1] Send your cart from opac or staff.
[2] Send a shelf from opac or staff.
[3] Git grep email_sender. No results.
Followed test plan. Works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
The borrow permission was used but uselessly.
For instance, at the opac, the flagsrequired parameter was set to
'borrow' but the 'authnotrequired' was set also (which means no auth
required).
At the end, this permission was used at only 1 place: for the basket,
intranet side.
This can be replaced with the catalogue permission (which is used to
search).
Test plan:
1/ Confirm that you are able to show/download/send the cart (intranet side)
with the catalogue permission.
2/ At the OPAC, you should be able to access the same pages as before
with any other permissions.
Concretely, it is quite difficult to test this patch; you should have a
look at the code.
Signed-off-by: Nick Clemens <nick@quecheelibrary.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
http://bugs.koha-community.org/show_bug.cgi?id=9987
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This should fix the issue on other pages.
Test plan:
Try to download and export the basket (intranet+opac sides).
Re-tested for errors in comment #5; they no longer appear.
Signed-off-by: Marc Veron <veron@veron.ch>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
When a basket/shelf is downloaded, items are embedded, but not when
sending it by email.
We would expect to get the same file.
Test plan:
On Opac and intranet:
1/ Add records with items to your basket and send it by email.
Verify the file contains items.
2/ Add records with items to a list and send it by email.
Verify the file contains items.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch fixes 2 places where mails were badly encoded:
1/ At the opac and the intranet, on sending baskets
2/ At the opac and the intranet, on sending shelf/list
Test plan:
Shelf/List:
- Create a list with non-latin characters in the name.
- Add some items containing non-latin characters in their content.
- Send the list by email
Basket/Cart:
- Add some items containing non-latin characters in their content to
your cart.
- Send the cart by email
Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
To Test
1/ Edit the new systempreferences (ReplytoDefault and ReturnpathDefault)
2/ Optionally edit the branch the mail will be sent from, adding email addresses
3/ Send a cart from the public site (OPAC)
4/ Check that the mails have the correct From, Replyto and ReturnPath set
The rules are
If the values are set in the branch use that, else use the syspref
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Since we switched to Template Toolkit we don't need to stick with the
suffix we used for HTML::Template::Pro.
This patch changes the occurrences of '.tmpl' in favour of '.tt'.
To test:
- Apply the patch
- Install koha, and verify that every page can be accessed
Regards
To+
P.S. a followup will remove the glue code.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
QP-encode both mail header and mail body when sending baskets or
shelves. There is no need to Encode qp-encoded strings.
Note that this does not solve all possible encoding problems in the mail
sent. This is related to decoding CGI parameters and use of TT. That
problem is addressed in bug 11944.
Test plan:
Verify if sending a basket from opac and staff still works.
Check if sending a shelf (list) from opac and staff still functions as
expected.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Cart/List sent from opac/staff works
No koha-qa errors
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
There is an encoding issue on the received mail.
Here, we have to keep the encode_qp in order not to break links (= is a
special char for email https://en.wikipedia.org/wiki/MIME#Encoded-Word).
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
When using quoted-printable data needs to be encoded accordingly.
Content-Transfer-Encoding: quoted-printable
Without the patch = in URLs or data will be interpreted as the beginning
of a special character resulting in broken URLs.
To test:
- Check diacritics in records display correctly
- Check various URLs with = to make sure they all work correctly
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
This is only a partial fix, as the subject line is not encoded,
but it is a huge improvement over what it was before.
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
The dependency is not used in opac-sendbasket. But there is a require of HTML::FormatText in the code of Template::Plugin::HTMLToText.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
In order to prevent spamming using sendbasket.pl, some counter-measures are taken:
- permit sending the basket only for authenticated users
- permit sending the basket only if it contains items
- use username & email for the 'Reply-To' field (with fallback to KohaAdminEmailAddress)
- add field X-Orig-IP with IP of sender
- add field X-Abuse-Report with KohaAdminEmailAddress
Note: we don't use a forged 'To' address with the patron email in order to
prevent being marked as spam (by SPF for example).
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Fix basket email sent from OPAC. The email body is now generated as HTML
(to be translatable), and converted into TEXT before being sent by
email.
To test that it works in other language than English, you have to update
your language .po file:
perl translate update de-DE
Then, translate the strings coming from opac-sendbasket.tt, and install the
translation:
perl translate install de-DE
New dependency: Template::Plugin::HtmlToText
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
The fix for Bug 4289, "Add a syspref 'OpacPublic', to hide OPAC
search-bar and force authentication on all OPAC pages" incorrectly
made some page permissions dependent on the value of the OpacPublic
setting. Some pages should require authentication no matter what.
This patch returns opac-sendbasket.pl to the state it was in before
Bug 4289, Bug 4274 notwithstanding. I have added the authentication
requirement to opac-sendshelf.pl to match.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
1) sending cart requires login
2) sending shelf requires login
3) updating personal details requires login
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Do not misleadingly document or pass an unused second parameter;
makes all calls use the single-parameter call, as the C4
routines already did.
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
applied to git tag 'v3.02.00-rc'
Frédéric Demians:
- Rebased this patch to HEAD
- Solved a merge conflict
- The patch works as described here:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=4289
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Jared Camins-Esakov <jcamins@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
This patch restricts the sending of baskets and shelves to authenticated users only, and shows their surname/firstname in the e-mail, so the receiver will know who sent the list.
(cherry picked from commit f87b755228)
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Adds the author and added author fields to the email that is sent from the shopping cart. This makes the data sent via email consistent with the data that is viewed in the basket.
There is still a problem with author authority records other than 100 tags appearing correctly in the shopping cart.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Ensure that emails sent from lists and the cart in the
OPAC have the correct quoted-printable encoding. Otherwise,
if there is an equals sign followed by one or two characters
that look like hexadecimal digits in body of the email, the
results can look mangled in some email clients.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
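Several of the messages above (the QP-encoding of header and body, "keep the encode_qp in order not to break links", "= in URLs or data will be interpreted as the beginning of a special character", and this last one about equals signs followed by hex-looking digits) describe the same defect and the same fix. The following is an added Python example, not Koha's Perl code: it shows the mangling a client produces when a body is declared quoted-printable but never encoded, the correct encoding of the same body (where `=` becomes `=3D` and a diacritic becomes `=XX` triplets), and the round trip through a real MIME message. The body text, URL and addresses are constructed for the demonstration.

```python
import email
import email.policy
import quopri
from email.message import EmailMessage

# Constructed cart mail body: a catalogue link whose query string contains
# '=' followed by hex-looking digits, plus a diacritic in an author name.
BODY = (
    "Here is your cart: "
    "https://opac.example.org/cgi-bin/koha/opac-detail.pl?biblionumber=42\n"
    "Author: Émile Zola\n"
)


def qp_encode(text: str) -> bytes:
    """UTF-8 encode, then quoted-printable encode: '=' becomes '=3D' and each
    non-ASCII byte becomes an =XX triplet, so the body is safe under
    Content-Transfer-Encoding: quoted-printable. Long lines get soft breaks."""
    return quopri.encodestring(text.encode("utf-8"))


def qp_decode(data: bytes) -> str:
    """What a mail client does with a body it was told is quoted-printable."""
    return quopri.decodestring(data).decode("utf-8")


def mangle_unencoded(text: str) -> str:
    """The bug the commits describe: the body is declared quoted-printable but
    was never encoded, so the client reads '=42' in the URL as byte 0x42 ('B')
    and the link is broken."""
    return quopri.decodestring(text.encode("utf-8")).decode("utf-8", "replace")


def build_message(body: str) -> bytes:
    """Assemble the mail with the stdlib, which QP-encodes the body for us
    and sets the matching Content-Transfer-Encoding header."""
    msg = EmailMessage()
    msg["From"] = "library@example.org"      # constructed addresses
    msg["To"] = "patron@example.org"
    msg["Subject"] = "Your cart"
    msg.set_content(body, charset="utf-8", cte="quoted-printable")
    return msg.as_bytes()


def read_body(raw: bytes) -> str:
    """Parse the mail back as a client would and return the decoded text."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return msg.get_content()


if __name__ == "__main__":
    print(mangle_unencoded(BODY))            # URL ends in 'biblionumberB'
    print(qp_encode(BODY).decode("ascii"))   # '=3D42' and '=C3=89' visible
    print(read_body(build_message(BODY)) == BODY)
```

The check worth keeping from this is the last one: whatever produces the mail, decode the bytes that actually go on the wire and compare them with the text you meant to send; the subject line, which one of the messages above notes was still unencoded at the time, needs the same treatment via an RFC 2047 encoded word.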
This patch changes the attachment encoding; otherwise, if the file is too large, Koha throws an error.
This solution was found on the koha list in an e-mail from Joshua.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Most Perl scripts (as opposed to modules) do
not need to require Exporter.
No user-visible or documentation changes.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
In OPAC, when the cart is sent by email, the email contains an attachment:
an ISO2709 file with cart biblio records. Most users don't have a clue
what to do with this file.
This patch modifies opac-sendbasket.tmpl to clarify what the attachment is.
It also fixes a bug in opac-sendbasket.pl which wasn't reading the template
section containing information about the basket:
Here is your cart, sent from the Koha Online Catalog... foo
It may be necessary to verify that template text is in 'valid' English...
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
Moved following functions from C4::Biblio to
C4::Items:
GetItemStatus
GetItemLocation
GetLostItems
GetItemsForInventory
GetItemsCount
GetItemInfosOf
GetItemsByBiblioitemnumber
GetItemsInfo
get_itemnumbers_of
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
So this implies quite a change for files.
Sorry about the conflicts which will be caused.
The directory Interface::CGI should now be dropped.
I noticed that many scripts (reports ones, but also some circ/stats.pl or opac-topissues) still use Date::Manip.
* synch with rel_2_2. Probably the last non manual synch, as rel_2_2 should not be modified deeply.
* code cleaning (cleaning warnings from perl -w) continued