Commit graph

27448 commits

b1daa66aad Bug 17213 - Add HTML5 validation to cardnumber field on patron self registration
To test:
Verify that different values in 'CardnumberLength' system preference
display correctly in the self registration form

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:44:09 +00:00
dc9c5721a7 Bug 17213 - Self registration cardnumber is not editable if errors found when form submitted
To test:
Enable self registration
Make sure cardnumber is not in
'PatronSelfRegistrationBorrowerUnwantedField'
Enter an invalid or used cardnumber
Submit form
Note errors appear correctly but cardnumber is not editable
Apply Patch
Enter an invalid or used cardnumber
Submit form
Note errors appear correctly and cardnumber is editable

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:44:09 +00:00
Marc Véron
a055abe7c0 Bug 17144: Fix variable scope issues in edi_account.pl
To reproduce:
- In Staff client, go to Administration > EDI accounts
- Click "+ New account"
Result: Internal Server Error
Plack error log says:
Can't call method "param" on an undefined value at /home/marc/koha/admin/edi_accounts.pl line 157

To test:
- Apply patch
- Add an EDI account
- Edit an EDI account
- Delete an EDI account

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:18:14 +00:00
Mirko Tietgen
53f8916fe7 Bug 17085 - Specify libmojolicious-perl min version
Set min version for libmojolicious-perl to 6.0 and regenerate debian/control

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:15:21 +00:00
d26cda6f9e Bug 17316: Do not display the list's name if the user does not have permission - Staff
Same as previous patch but for the staff interface

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:13:58 +00:00
31ca4849ef Bug 17316: Do not display the list's name if the user does not have permission - OPAC
At the OPAC, if a user manipulates the URL to show a list (s)he is not
allowed to view, the list's name will be displayed anyway.

Test plan:
- Create a private list with user A
- Copy the op=view URL and access it with user B logged in
=> Without this patch, you will see the rss icon, the list's name and
the "add list" button
=> Without this patch, only the "unauthorized" box will be displayed

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:13:58 +00:00
e422de7b62 Bug 17315: (Bug 17210 follow-up) Fix "Save to lists" links from the result page
On bug 17210, the selector .addtoshelf should not have caught the
.addtoshelf nodes from the result list.
To fix this, we just need to make the selector more specific (and cannot
reuse it without more changes, the biblionumber variable is not the same
- vs SEARCH_RESULT.biblionumber).

Test plan:
Make sure the 2 links (from detail and search result) "Save to lists"
and "Save to your lists" work as expected.

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:12:52 +00:00
9734726846 Bug 16800: Fix XSS in additem.pl
Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:10:59 +00:00
79cd9e9fd4 Bug 16800: Fix XSS in catalogue/*detail.tt - isbn
Test plan:
catalogue a bibliographic record with an isbn=
  </title><script>alert('XSS')</script>

Go on the detail pages.
=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:10:59 +00:00
3169434cfa Bug 16800: Fix XSS in catalogue/*detail.tt - author
Test plan:
catalogue a bibliographic record with an author=
  </title><script>alert('XSS')</script>

Go on the detail pages.
=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:10:58 +00:00
515208d5ec Bug 16800: Fix XSS in catalogue/*detail.tt - title
Test plan:
catalogue a bibliographic record with a title=
  </title><script>alert('XSS')</script>

Go on the detail pages.
=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

This of course means that any html in the title will no longer be
evaluated.

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:10:58 +00:00
Andreas Roussos
69cbea8e0c Bug 17308 - 'New patron attribute type' button does not work
In the Staff client, the 'New patron attribute type' button in the Patron
attribute types page does not work. This patch fixes that.

Test plan:
1) In the Staff client, go to Home > Administration > Patron attribute types,
   and click on the 'New patron attribute type' button. You cannot create a
   new patron attribute type and you get the following Software error:
   Not a HASH reference at [...]
2) Apply the patch.
3) Repeat step 1). The 'New patron attribute type' button now works.

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:09:49 +00:00
242722e99d Bug 17336: Add api_secret_passphrase entry in packages setup
Bug 13799 introduced the api_secret_passphrase on source installs, but did not do so on packages.

This patch introduces the entry on the template koha-conf-site.xml.in file, and
patches koha-create so it generates a randomized string (64 chars) to put in it.

To test:
- Apply the patch
- Grab the new template file:
  $ sudo cp kohaclone/debian/templates/koha-conf-site.xml.in \
            /etc/koha
- Create a new instance:
  $ kohaclone/debian/scripts/koha-create --create-db blah
=> SUCCESS: The script runs fine, /etc/koha/sites/blah/koha-conf.xml
   contains the api_secret_passphrase entry.
- Sign off :-D

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:07:23 +00:00
ea5ec8c4d5 Bug 17332: Remove memcached config from apache files
This patch removes Memcached configurations from the shipped apache files.

Note: testing is not actually needed for this patch, as it is really trivial. But I
include testing steps, just in case QA members require it.

To test:
- Apply the patch
- Do a (standard/dev/single) Koha install
=> SUCCESS: Verify the resulting koha-httpd.conf file doesn't include memcached data
- Have a packages install
- Replace
  * /etc/koha/apache-site-https.conf.in
  * /etc/koha/apache-site.conf.in
  with the ones from this patch
- Create an instance
=> SUCCESS: The apache configuration doesn't include memcached configurations
- Sign off :-D

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:06:36 +00:00
1c957af7bc Bug 17332: Include memcached configuration in koha-conf files
This patch introduces the memcached_servers and memcached_namespace
configuration entries as expected by 11921.

Note: better test this one and the followup together to ease the process.

To test:
- Do a source Koha install (dev, standard, single)
=> SUCCESS: The resulting koha-conf.xml file includes the memcached_* entries
   which are filled with the right values.
- In kohadevbox (packages setup):
- Replace /etc/koha/koha-conf-site.xml.in with the one from this patch
- Create a new koha instance
=> SUCCESS: The instance's koha-conf.xml includes the relevant entries
- Sign off

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:06:35 +00:00
0901758f49 Bug 17327: (QA followup) Remove Carp::Always which is not used
This patch removes the need for Carp::Always in .../Reserves/MultiplePerRecord.t
which is not actually used.

It also removes 'undef' from Koha::Holds::forced_hold_level's last return, to comply with
our QA rules.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-24 20:55:17 +00:00
91b23e09bb Bug 17327: Item level holds no longer enforced
Reported by Katrin:

Example:
- on shelf holds allowed
- holds allowed 5
- holds on same record allowed 5
- FORCE item level holds

On a record with only one item, you can only place a record level hold
in OPAC now - which is against your circulation conditions.

Another example:
- record with 2 items
- circulation rules as above, 1 hold allowed on the record
- Item level holds: forced

I can only place record level holds in OPAC and staff. At the moment, I
am not able to place item level holds in any circumstances in my
installation.

Test Plan:
1) Apply the unit test patch
2) prove t/db_dependent/Reserves/MultiplePerRecord.t
   should fail
3) Apply the second patch
4) prove t/db_dependent/Reserves/MultiplePerRecord.t
   should pass
5) Attempt to replicate one of the examples above, you should be unable to

Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-24 20:55:16 +00:00
aa62448897 Bug 17327: Add unit test for regression
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-24 20:55:16 +00:00
9e22a9ced3 Bug 2389: (followup) Add documentation and fix use case
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Barton Chittenden <barton@bywatersolutions.com>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-24 16:27:11 +00:00
71454b4263 Bug 2389: Add --test switch to overdue_notices.pl
This patch adds the --test option switch to the overdue_notices.pl script
so it can be run without doing any actual action.

To test:
- Have a patron with overdue items (simulate a checkout for a past date. Note it implies
  that the circ rules are defined so the patron is overdue)
- Run:
  $ sudo koha-shell kohadev
  koha-dev$ misc/cronjobs/overdue_notices.pl --test
=> SUCCESS: The script is run but the patron isn't debarred and no notice messages are queued.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Barton Chittenden <barton@bywatersolutions.com>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-24 16:27:10 +00:00
0254fd7a1f Bug 17135 - DBRev 16.06.00.028
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-16 10:50:33 +00:00
bc647bc21b Bug 17135: [QA Follow-up] Changes as to reporting
We should at least report some grand totals when fixing fine records.
This patch also includes some cosmetic whitespace swapping.
Turned one last into an if statement.

Added a copyright statement too.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-16 10:47:03 +00:00
8a7a7a0344 Bug 17135: [QA Follow-up] Change location of new script to fix fines
The location of the script in misc/maintenance would be fine for
running it from the command line. But it will be a problem for several
install types when running it from the web installer.
Files from misc/maintenance go to bin/maintenance in a package install,
not to mention other installs than a dev install.

This patch moves the script to installer/data/mysql. Already there are two
other scripts run by upgradedatabase. I would rather move these three
scripts somewhere else, but we c/should do that on another report.

Fixed a small typo in a message too.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-16 10:47:03 +00:00
Jacek Ablewicz
3ada0d104d Bug 17135 - Maintenance script execution added as part of an atomic DB upgrade
(plus warnings for 16.05+ production setups possibly already affected)

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-16 10:47:03 +00:00
Jacek Ablewicz
4ddc863534 Bug 17135 - Some minor changes & fixes in the script
- all non-fatal output redirected to STDOUT (as there is an intention
to run this script from updatedatabase.pl)

- added borrowernumber and itemnumber equality checks to the SELECT
statement in getFinesForChecking() - accountlines.issue_id alone is not
entirely trustworthy (because InnoDB forgets its highest auto_increment
after server restart), in some rare cases it may point to some random
issue for different patron and different item

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-16 10:47:03 +00:00
Jacek Ablewicz
812379bbc2 Bug 17135 - Fine for the previous overdue may get overwritten by the next one
External maintenance script for fixing unclosed (FU), non accruing fine
records which may still need FU -> F correction post-Bug 15675.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-16 10:47:02 +00:00
1eaa8f0476 Bug 16752 [Revised] Remove the use of event attributes from some acquisitions templates - Uncertain prices
This patch modifies the acquisitions uncertain prices template to remove
event attributes onclick and onchange.

Also changed on the uncertain prices page: Added a label to the orders
filter, removed redundant form submit function.

- Locate a vendor which has orders with uncertain prices
- Click the 'Uncertain prices' tab in the left-hand sidebar
- Enter invalid data in the "price" field for any order. Confirm that an
  error is triggered when the field loses focus.

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>

QA Revision: Corrected input type of submit button.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:56:43 +00:00
968159af51 Bug 16752 - Remove the use of event attributes from some acquisitions templates - Transfer order
This patch removes the use of 'onclick' from the acquisitions transfer
order process. The patch also modifies the style of some links and
buttons to conform with current guidelines.

- Locate an open basket with items in it
- Click the 'Transfer' link for a title in the basket
- In the pop-up window:
  - Confirm that the 'Cancel' button at the bottom of the window is a
    Bootstrap-style button.
  - Search for a vendor; Confirm that the 'Choose' link is a
    Bootstrap-style button.
  - Choose a vendor; Confirm that the 'Choose' link on the following
    page is a Bootstrap-style button.
  - Confirm that clicking the 'Choose' button transfers the item to the
    correct basket.

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:56:43 +00:00
cc79085820 Bug 16752 - Remove the use of event attributes from some acquisitions templates - Funds
This patch modifies the funds administration page and other files
related to the process of searching for and selecting fund owners and
users in order to remove the use of event attributes like 'onclick.'

Also changed in this patch: I have revised the way the "select owner"
and "select user" controls look. They are now links with Font Awesome
icons.

- Go to Administration -> Funds and open a fund for editing.
- Test the process of adding and updating an owner:
  - Click the 'Select owner' link.
  - Search for and select an owner in the pop-up window.
  - Save the fund and verify that the owner was saved correctly.
  - Perform the same test with the 'Remove owner' link.
- Use the same process to test the addition and removal of users.
  - Confirm that the 'Remove' link works correctly before and after
    submitting the form to save changes to the fund.

This patch changes a file which is used by both the funds template and
the template used when setting a guarantor on a patron. To test the
changes in that context:

- Open a 'child' type patron record.
- Under 'Guarantor information,' test the process of setting and
  removing a guarantor to confirm that data is saved correctly.

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:56:42 +00:00
Marc Véron
9fdd7603bf Bug 13134: Fix template file to make category appear
This is a followup to rescue the bug.

To test: Follow test plan from comment #1

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:55:14 +00:00
f3322257d5 Bug 13134 - Add patron category to returns confirmation dialogs
Some librarians find it useful to know what category a patron is before
confirming a reserve or transfer from the checkin screen.

This patch adds the patron category to the hold and transfer popups
to the patron information already displayed. The li tags that contain
the patron category have the class "patron-category" to allow this data
to be easily hidden.

Test Plan:
1) Apply this patch
2) Trap a hold for a patron, note the patron category is now displayed
3) Trap a hold for pickup at another location, note the patron category
   is now displayed

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:53:21 +00:00
Magnus Enger
a5806c21d0 Bug 17266 - Update man page for koha-remove with -p
Bug 9754 added the -p|--purge-all option to koha-remove, but this
was not documented in the man page. This patch fixes that.

To test:
Run these commands and look at the formatted man page:
$ xsltproc /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl \
  debian/docs/koha-remove.xml
$ man -l koha-remove.8

Make sure this test passes:
$ prove -v xt/verify-debian-docbook.t

Signed-off-by: Liz Rea <liz@catalyst.net.nz>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:46:10 +00:00
e8fcc651a3 Bug 12629 - Software error when trying to merge records from different frameworks
Test Plan:
1) Choose a bib record that has the default framework.
2) Add a second record using that fast add framework.
3) Merge the records; switch to "Using framework: Default", and choose the original record (i.e. the one that had the default framework) as the merge reference. Clicking 'Next' will trigger the error.
4) Apply this patch
5) Repeat steps 1 - 3, no error should occur

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:44:10 +00:00
Olli-Antti Kivilahti
a9eb400581 Bug 16556 - KohaToMarcMapped columns sharing same field with biblio(item)number are removed.
REPLICATE ISSUE:

1. Map biblio.frameworkcode to 999$b
2. Map biblio.biblionumber to 999$c
3. Add a record with something in 999$b
4. 999$b is removed by C4::Biblio::AddBiblio()

After this patch, the field used by biblio.biblionumber or biblioitems.biblioitemnumber
is not removed and created anew, thus dropping all existing additions.

There is no point in dropping the field in any case, since we can just replace
the existing subfields in-place with no need to recreate the whole field.

UNIT TESTS INCLUDED

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:42:35 +00:00
2e79c211db Bug 17010 [Follow-up] Canceling a hold awaiting pickup no longer alerts librarian about next hold
This patch makes a minor change to the markup to make the button in the
confirmation dialog conform to the appearance of similar buttons.

To test, follow the original test plan for this bug and verify that the
"OK" button in the dialog looks correct.

Signed-off-by: Liz Rea <liz@catalyst.net.nz>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:34:44 +00:00
b80a18ee2f Bug 17010 - Canceling a hold awaiting pickup no longer alerts librarian about next hold
In previous versions of Koha, if a hold canceled from the "Holds over" tab had other holds on it,
the librarian would be alerted with the message "This item is on hold for pick-up at your library"
and directed to check it in to fill the next hold. This no longer happens.

Test Plan:
1) Apply this patch
2) Find a hold that has been waiting too long
3) Cancel that hold via waitingreserves.pl
4) Note you get the message "This item is on hold for pick-up at your library"
5) Confirm the ok button redirects you to the correct tab

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:34:44 +00:00
be2b61f9e5 Bug 17146: Raise Wrong CSRF token warning for the 'Delete' action
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:33:58 +00:00
11bf7e7bef Bug 17146: Fix CSRF in picture-upload.pl
If an attacker can get an authenticated Koha user to visit their page
with the url below, they can change or delete patrons' images
/tools/picture-upload.pl?op=Delete&borrowernumber=42

Test plan:
1/ Hit /tools/picture-upload.pl?op=Delete&borrowernumber=42
And confirm that you get a "Wrong CSRF token" error
2/ Go on the patron detail page with a patron's image
3/ Click on the Delete link (note the csrf_token param)
4/ The image will be deleted and you are redirected to the patron detail
page.

Regression tests:
Upload an image from the patron detail page and from the "upload patron
images" tool.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:33:58 +00:00
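Added example, not Koha's code: the shape of the check the commit above describes, a session-bound token that a forged op=Delete link cannot carry. The HMAC construction, the hypothetical handler functions and the sample values are assumptions; Koha's own token module is not shown on this page.

```perl
#!/usr/bin/perl
# Added illustration, not Koha code: a session-bound CSRF token guarding a
# state-changing action like picture-upload.pl?op=Delete&borrowernumber=42.
# Assumptions: the secret, the session id and the request parameters are
# passed in as plain values; Koha's real token module is not used here.
use 5.010;
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Server-side secret (constructed placeholder; real code loads it from config).
my $SECRET = 'example-secret-replace-me';

# Token = HMAC(secret, session id): bound to one session, so a token copied
# from another session, or an attacker's own, does not validate.
sub generate_csrf_token {
    my ($session_id) = @_;
    return hmac_sha256_hex( $session_id, $SECRET );
}

# Compare without short-circuiting on the first differing byte.
sub constant_time_eq {
    my ( $x, $y ) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord( substr( $x, $_, 1 ) ) ^ ord( substr( $y, $_, 1 ) )
        for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

sub check_csrf_token {
    my ( $session_id, $token ) = @_;
    return constant_time_eq( generate_csrf_token($session_id), $token );
}

# Before the fix: any authenticated request carrying op=Delete is honoured,
# so a link on an attacker's page is enough.
sub handle_delete_vulnerable {
    my ( $params, $delete_image ) = @_;
    return 'ignored' unless ( $params->{op} // '' ) eq 'Delete';
    $delete_image->( $params->{borrowernumber} );
    return 'deleted';
}

# After the fix: the action only proceeds with a token valid for this session.
sub handle_delete_hardened {
    my ( $session_id, $params, $delete_image ) = @_;
    return 'ignored' unless ( $params->{op} // '' ) eq 'Delete';
    return 'Wrong CSRF token'
        unless check_csrf_token( $session_id, $params->{csrf_token} );
    $delete_image->( $params->{borrowernumber} );
    return 'deleted';
}

# Constructed demo values.
my $session_id = 'session-1234';
my @deleted;
my $deleter = sub { push @deleted, shift };

# The bare link from the commit message carries no token.
my %forged = ( op => 'Delete', borrowernumber => 42 );
print 'vulnerable handler, forged link: ',
    handle_delete_vulnerable( \%forged, $deleter ), "\n";
print 'hardened handler, forged link:   ',
    handle_delete_hardened( $session_id, \%forged, $deleter ), "\n";

# The Delete link rendered on the patron detail page includes csrf_token.
my %legit = ( %forged, csrf_token => generate_csrf_token($session_id) );
print 'hardened handler, real link:     ',
    handle_delete_hardened( $session_id, \%legit, $deleter ), "\n";
print 'images deleted: ', scalar(@deleted), "\n";
```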
da03dbd458 Bug 17114: Fix XSS in picture-upload.pl
To reproduce:
1/ cp your_image.jpg 'test<svg onload=alert(1)>.jpg'
2/ Use the upload picture tool to upload this file
=> Without this patch, the alert is shown
=> With this patch, the filename is correctly displayed and no alert

Note that the cardnumber var was not escaped either; it is now.

Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:33:02 +00:00
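Added example, not Koha's code, covering both the Bug 16800 detail-page fixes above and this filename fix: the title and filename payloads from the test plans rendered with and without Template Toolkit's html filter. The templates, the render and check helpers and the sample values are constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not Koha code: the difference Template Toolkit's html
# filter makes when a record field or an uploaded filename is interpolated.
# Assumes the Template module is installed; templates and values are constructed.
use strict;
use warnings;
use Template;

my $tt = Template->new() or die Template->error;

sub render {
    my ( $template, $vars ) = @_;
    my $out = '';
    $tt->process( \$template, $vars, \$out ) or die $tt->error;
    return $out;
}

# A reviewer's check over rendered output: a raw <script> tag or an on*
# event attribute where a value was interpolated means the filter is missing.
sub looks_injected {
    my ($html) = @_;
    return ( $html =~ /<script\b/i || $html =~ /<\w+[^>]*\bon\w+\s*=/i ) ? 1 : 0;
}

# Payloads from the two test plans above, stored as ordinary field values.
my %vars = (
    title    => q{</title><script>alert('XSS')</script>},
    filename => q{test<svg onload=alert(1)>.jpg},
);

# Before Bug 16800 / 17114: bare interpolation, the value becomes markup.
my $before = q{<title>[% title %]</title>} . "\n"
           . q{<p>Uploaded: [% filename %]</p>};
# After: the html filter encodes & < > " so the value stays text.
my $after  = q{<title>[% title | html %]</title>} . "\n"
           . q{<p>Uploaded: [% filename | html %]</p>};

for my $case ( [ before => $before ], [ after => $after ] ) {
    my ( $name, $tmpl ) = @$case;
    my $html = render( $tmpl, \%vars );
    print "--- $name ---\n$html\n";
    print "injected markup present: ", looks_injected($html), "\n";
}
```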
Bernardo Gonzalez Kriegel
a9caebc288 Bug 16554: Fix encoding on it-IT file
This patch only fixes encoding of file
installer/data/mysql/it-IT/necessari/sample_numberpatterns.sql

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:30:22 +00:00
Bernardo Gonzalez Kriegel
9261fb4f5b Bug 16554: rewrite mandatory and sample data - de-DE
More changes to de-DE files

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:30:22 +00:00
Bernardo Gonzalez Kriegel
be4cd79aea Bug 16554: rewrite mandatory and sample data - it-IT
More changes to it-IT files

Checked marc21 and unimarc files
unimarc_relatorterms.sql had bad encoding, others minor
errors

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:30:22 +00:00
Bernardo Gonzalez Kriegel
6dc2f1ae7c Bug 16554: More i18n changes - en, es, nb and pl files
Mostly fixes bad values in auth files ( '' -> 0 )

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:30:21 +00:00
Bernardo Gonzalez Kriegel
28191a538b Bug 16554: rewrite mandatory and sample data - pl-PL
More changes to pl-PL files

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:30:20 +00:00
Bernardo Gonzalez Kriegel
4742f1035b Bug 16554: rewrite mandatory and sample data - nb-NO
More changes to nb-NO files

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:30:20 +00:00
Bernardo Gonzalez Kriegel
8cfa6f633a Bug 16554: rewrite mandatory and sample data - es-ES
More changes to es-ES files

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:30:19 +00:00
Bernardo Gonzalez Kriegel
e38cad45e8 Bug 16554: Fix I18N sample files
Needs Bug 13669

This patch fixes the web installer for
de-DE, es-ES, fr-CA, nb-NO and pl-PL

To test:
1) Apply patch
2) Try web installer for any/all listed languages.
a) de-DE, es-ES, fr-CA and pl-PL
There must be no problems for marc21 + all sample files
b) nb-NO
There must be no problems for normarc + all sample files

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:30:19 +00:00
Bernardo Gonzalez Kriegel
b5ae31e7fd Bug 16554: Fix fr-FR sample files
Needs Bug 13669

Rewrite autorites_norme_unimarc.sql to
use only one INSERT IGNORE.

New load method complains about duplicate keys,
and both auth files are mandatory!

Also removed blank space from sample_labels.sql

Tested with unimarc_complet and all sample files.

To test
1) Apply the patch
2) Try fr-FR web installer, unimarc_complet + all sample files
There must be no errors

Don't know if fr-FR marc21 and unimarc_lecture_pub are used,
need a look from french users.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:30:19 +00:00
386f7ae9af Bug 17299: Display date due correctly on SCO
Unless it's an hourly loan, date due should not display the time part
(23:59).
Because of bad code in GetPendingIssues, date_due is replaced with a
DateTime object and is copied into date_due_sql.
We need to use this date_due_sql to correctly display the date due in
the sco module.

Test plan:
1/ Enable WebBasedSelfCheck syspref
2/ Check out an item to User A -- Do not use an hourly loan.
3/ Log in to Koha self check ( {OPAC URL}/cgi-bin/koha/sco/sco-main.pl).
4/ Enter User A's cardnumber.
Without this patch, checkouts are
   MM/DD/YYYY 12:00 AM (Timeformat: 12 hour)
or MM/DD/YYYY 00:00    (Timeformat: 24H)
With this patch applied, only the date is displayed

Followed test plan, works as expected.
Signed-off-by: Marc <veron@veron.ch>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:22:34 +00:00
3ee3c3198a Bug 16276 - Update schema
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-13 17:36:14 +00:00