This patch adds a new default TICKET_ASSIGNED notice to be used with
catalog concerns to notice the assigned staff user when a ticket has
been assigned to them.
Test plan
1) Run the database update and confirm that the new notice has been
added to the database (If on the sandboxes, skip to the next patch)
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
To test:
1) In acquisitions, have a vendor with an item (or items) in their basket. Search for this vendor.
2) From the actions column, select the arrow and then press 'Close this basket'
3) Clicking on this option will not close the basket and brings us to the wrong page
4) Apply patch
5) Try to close the basket again, and this time, it is closed successfully
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Laura_Escamilla <laura.escamilla@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
When one tries to clear the rule they are editing in circulation
rules page via "Clear" button, dropdown selectors aren't populated
with default value (first on the list).
To reproduce:
1. Select a rule to edit.
2. Press "Clear" button to return edit rows values back to default values.
=> Values in dropdowns aren't set back as default, instead they have
same values as rule you edited before pressing "Clear".
3. Apply this patch.
4. Select rule to edit, then press "Clear".
=> Dropdowns now have default values.
Sponsored-by: Koha-Suomi Oy
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Laura_Escamilla <laura.escamilla@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Test plan:
1) Create a background job
2) Go to the background jobs page
3) See your job listed
4) Unselect "include_last_hour" from the filter
5) Verify that the job is not listed
6) Apply the patch
7) perl build-resources.PL
8) Repeat steps 1-3
9) Verify that the job is now listed
10) prove t/db_dependent/Koha/BackgroundJobs.t
11) Verify that the tests pass
Sponsored-by: Koha-Suomi Oy
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
When trying to filter holds to pull using the dropdown filter for Pickup Location, the dropdown has "None" as the only available option because of incorrect column index in ppendingreserves.tt
To reproduce:
1. Place a hold and go to Circulation -> Holds to pull.
2. Use a dropdown filter for Pickup Location, see that only "None" is available to pick, meaning you can't use the filter.
3. Apply the patch.
4. Do the step 2 again and ensure that there's also an option for that hold's pickup location.
Signed-off-by: Eric Garcia <cubingguy714@gmail.com>
Signed-off-by: Laura_Escamilla <laura.escamilla@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Test plan:
1. Run unit tests
ktd --shell
prove t/SimpleMARC.t
Sponsored-by: Education Services Australia SCIS
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Test plan:
1. Apply patch and restart services
2. Create a MARC modification template with the action:
Copy and replace field 001 to 099$a unless 099$a exists
3. Perform a Batch record modification using your MARC modification template from #2
4. Confirm that the template has successfully moved the 001 control field value to the 099$a subfield
Sponsored-by: Education Services Australia SCIS
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
We use Section to distinguish Residential from ETF Open University;
This patch adds Section to the breadcrumb and title where appropriate.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
To test:
1. Make sure that the system preference ‘HidePatronName’ is set to
‘Show’
2. Select a patron that has a primary email address set in their
contact information.
1. Place a hold for that patron
3. Build the holds queue: perl /kohadevbox/koha/misc/cronjobs/holds/build_holds_queue.pl
4. Check the holds queue and notice that the patron column includes the
patron’s email
5. Click on the hyperlinked email. It will open a new email with the
subject of "Hold item: (your biblio title)"
6. Disable the ‘HidePatronName’ system preference
1. Check the holds queue again and notice that no contact
information can be seen for the patron
7. Sign off and have an amazing day :D
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Test plan:
With ElasticSearch enabled,
* Perform a search using the default sort order
(i.e. 'relevance').
* Verify that no warnings are generated in
plack-intranet-error.log
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch correct a typo in the SMSSendAdditionalOptions system
preference description.
To test:
1. Apply patch
2. Go to Administration > System preferences
3. Search for SMSSendAdditionalOptions
4. Read the description, make sure there are no spelling or grammar
error
Signed-off-by: Laura_Escamilla <laura.escamilla@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Test plan:
1. Apply patch
2. Rerun and make sure the error "Use of uninitialized value $sub6 in pattern match (m//) at /usr/share/koha/lib/Koha/SearchEngine/Elastricsearch.pm" is no longer present.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Initial testing done, it works well, needs an additional sign off from an external party
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch updates the cash register statistics template so that they
use the new WRAPPER for displaying breadcrumbs.
To test, apply the patch and test page and its variations.
Breadcrumbs should look correct, and each link should be correct.
- Reports ->
- Cash register statistics
- Results
Sponsored-By: Athens County Public Libraries
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Test Plan
1. Go to Tools -> Notices and slips -> New notice
2. Select Acquisition
3. Click on the Koha module label
4. The corresponding drop down field should activate (greyed)
Signed-off-by: Sam Lau <samalau@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This change consistently sends the Csrf-Token in the request header.
Previously, one POST sent it in the request body, while the other POST
sent it in the request header. Since we're using an API, it's best
for us to always send it in the request header
Test plan:
0. Apply the patch
1. perl ./misc/migration_tools/koha-svc.pl \
http://localhost:8081/cgi-bin/koha/svc koha koha 29 > bib-29.xml
2. perl ./misc/migration_tools/koha-svc.pl \
http://localhost:8081/cgi-bin/koha/svc koha koha 29 bib-29.xml
3. Note that the following appears in STDOUT and there is no 403 error:
"update 29 from bib-29.xml"
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This change fixes the Koha::SVC to store the CSRF token for
the authenticated session for further POSTing.
Test plan:
0. Apply the patch
1. perl ./misc/migration_tools/koha-svc.pl \
http://localhost:8081/cgi-bin/koha/svc koha koha 29 > bib-29.xml
2. perl ./misc/migration_tools/koha-svc.pl \
http://localhost:8081/cgi-bin/koha/svc koha koha 29 bib-29.xml
3. Note that the following appears in STDOUT and there is no 403 error:
"update 29 from bib-29.xml"
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch updates the javascript overriding the form submission when reports have multi select parameters.
When there are more than one multi selects, and the user selcts one value from each, it skips updating the value of the select, so it doens't send duplicate parameters anymore.
If there are no selections made it will pass '%' for all values. This allows the multi select to be optional in the report. If no selections are made it is assumed that you are not using that parameter to limit the report.
Test plan:
1. Go to Reports and create a report from SQL
select *
from items
where
homebranch in <<Libraries|branches:in>>
and
itype in <<Item type|itemtypes:in>>
3. Run the report but pick only 1 library and 1 item type
4. Click the "Show SQL code"
5. Notice that the two parameters were filled correctly
6. Run the report again with zero selections
7. Click the "Show SQL code"
8. Notice that the '%' is used for the parameter
9. Run the report again with combinations of single, multiple and zero selections
10. confirm the SQL code is generated as you would expect.
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
To test:
1. Find a bib record with more than one item
2. Click on the barcode of an item to show the item details page
--> The item details page shows the details of all items, though it does
jump to the correct item
3. Apply patch
4. Reload the bib record, and click the barcode again
--> The item details page shows only the chosen item, with a link above
to show all items
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Follow same test plan as before, but attempt to delete a 'All' entry in 'Default article request fees'.
Notice it blows up before this patch. It works as expected after the patch.
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Emmi Takkinen <emmi.takkinen@koha-suomi.fi>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This was introduced by bug 34478.
To test:
Follow the test plan as before, but test for several different patron categories
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Emmi Takkinen <emmi.takkinen@koha-suomi.fi>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This is what we're doing here:
- Creating a new mixin called ExtendedAttributes.pm
- Moving the extended_attributes 'join' logic out of REST/Plugin/Query and instead applying it to the aforementioned Mixin. Moving this to this level allows for this consistent behavior to happen on all search queries including, but not limited to, search queries happening on the REST API.
- Applying this Mixin to Patrons and ILL::Requests (we don't apply it to AdditionalFields.pm here yet because no AdditionalFields supporting classes have the extended_attributes accessor yet, I'll tackle this when rebasing 35287)
- The aforementioned mixin does the following:
-- Generates dynamic accessors for extended_attributes e.g. if there is a borrower attribute with code 'height', the 'extended_attributes_height' accessor is generated dynamically if a search with 'prefetch'=>'extended_attributes' AND the extended_attribute.code = 'height' is performed.
-- Rewrites the 'join' entries in the query to have the aliases as above.
-- Rewrites the WHERE conditions to match the above ruleset.
Example:
A DBIX search query as follows:
[
{
'-and' => [
[
{
'extended_attributes.attribute' => { 'like' => 'abc%' },
'extended_attributes.code' => 'CODE_1'
}
],
[
{
'extended_attributes.code' => 'CODE_2',
'extended_attributes.attribute' => { 'like' => '123%' }
}
]
]
}
]
Results in the following SQL:
SELECT
`me`.`borrowernumber`
FROM
`borrowers` `me`
LEFT JOIN `borrower_attributes` `extended_attributes_CODE_1` ON (
`extended_attributes_CODE_1`.`borrowernumber` = `me`.`borrowernumber`
AND `extended_attributes_CODE_1`.`code` = ?
)
LEFT JOIN `borrower_attributes` `extended_attributes_CODE_2` ON (
`extended_attributes_CODE_2`.`borrowernumber` = `me`.`borrowernumber`
AND `extended_attributes_CODE_2`.`code` = ?
)
WHERE
(
(
(
`extended_attributes_CODE_1`.`attribute` LIKE ?
AND `extended_attributes_CODE_1`.`code` = ?
)
AND (
`extended_attributes_CODE_2`.`attribute` LIKE ?
AND `extended_attributes_CODE_2`.`code` = ?
)
)
)
What fixes the performance issue that originated this work is the 'AND `extended_attributes_CODE_1`.`code` = ?' that was missing on the LEFT JOIN.
All of the above is explained using Borrowers and Borrower attributes, but it all also applies to ILL::Requests and ILL::Request::Attributes.
Co-authored-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
prove t/Koha/REST/Plugin/Query.t
prove t/db_dependent/Koha/Objects/Mixin/ExtendedAttributes.t
Co-authored-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch fixes the addPatronDebit route so that the librarian that caused the debit is taken from either the requests payload user_id or if not set from the api user.
Test plan:
a) enable system preference RESTBasicAuth
b) use a REST client to send a POST request with the following JSON body to http://localhost:8081/api/v1/patrons/5/account/debits
{
"amount": 1.23,
"description": "some description",
"internal_note": "internal_note",
"type": "MANUAL"
}
Authentication username and password is "koha"
c) verify that "user_id" is the same as patron_id in response.
d) send a different request including user_id to the same endpoint
{
"amount": 1.23,
"description": "some description",
"internal_note": "internal_note",
"type": "MANUAL",
"user_id": 19
}
e) verify that "user_id" is the same as patron_id in response.
f) apply patch and repeat step b) and d)
e) verify that user_id in b) is now 51 (which is the borrowernumber of koha user)
f) verify that user_id in d) is now 19 as defined in request
g) recheck on http://localhost:8081/cgi-bin/koha/members/accountline-details.pl?accountlines_id=<account_line_id> (from response) that column Librarian now says the user from user_id
h) sign off :)
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
To test:
1. Go to System Preferences > find and enable "Use cash registers"
2. Go to Administration > "Cash registers" and create a new cash register
3. Go to Tools > "Transaction history for" > "Record cashup"
4. Click "Record cashup"
5. Modal with change: "Confirm" should be yellow and primary.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch corrects two instances in patron-search.inc where there were
two class attributes on one input. Combining the two class names under
one class attribute seems to fix the focus problem.
The patch also updates the global JS giving focus to elements with a
"focus" class so that it only targets elements which are visible. This
prevents the browser from trying to put focus on a field in a hidden
modal.
Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
To test:
1. Acquistions -> Budgets -> Funds -> Planning, select any option
2. In the toolbar see Export, and click Submit and see a 500 error
3. Apply patch, restart_all
4. Repeat steps 1-2
5. Notice the 500 error is gone and the CSV is exported properly
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
To test:
1. Acquistions -> Budgets -> Funds -> Planning, select any option
2. In the toolbar see Export, and click Submit and see a 500 error
3. Apply patch, restart_all
4. Repeat steps 1-2
5. Notice the 500 error is gone and the CSV is exported properly
Notes:
Is there a reason we call exit(1) after exporting the csv?
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Some libraries do not use cardnumbers for their patrons, but would still like to be able to batch
modify patrons from reports.
Borrowernumber is going to be authoritative - every borrower will have one - so if this column is
included in the results we should offer batch modification. If we have cardnumber, we can use that.
If we have both, we should use borrowernumber
To test:
1 - Write a report like:
SELECT cardnumber FROM borrowers ORDER BY rand() LIMIT 35
2 - Run report
3 - Click "Batch operations.." -> "Batch patron modification"
4 - Confirm it works
5 - Edit report:
SELECT borrowernumber FROM borrowers ORDER BY rand() LIMIT 35
6 - Run report
7 - No option for batch modifying patrons
8 - Apply patch
9 - Run report
10 - The option for batch modificatoin now shows
11 - Confirm both batch operation types work from report
12 - Edit report:
SELECT cardnumber,borrowernumber FROM borrowers ORDER BY rand() LIMIT 35
13 - Run report
14 - Confirm both batch operations work
Signed-off-by: Laura ONeil <laura@bywatersolutions.com>
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch creats a new form for image deletion that is submitted via the 'Delete' button on the modal.
To test:
1) Turon on the 'patronimages' sys pref
2) Visit a patron page, you should see an image module on the left.
3) Click on the image to edit it. Upload a new image.
4) Edit the image again, press delete and confirm the popup.
5) Note that it will not let you delete because of the required file.
6) Apply patch
7) Attempt to delete again, this time it is successful.
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
There is a bug preventing manually created providers from being edited. This patch fixes that issue and allows providers to be edited if they have been created manually
Test plan:
1) Create a data provider in the ERM manually using the Create manually option
2) Click to edit that provider
3) The form will not load
4) Apply patch and run yarn build
5) Hard refresh the browser
6) The form should now load correctly
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch makes some improvements to the edit form for data providers. It delays page display until the counter registry has responded and also improves the display of the "create manually" and "Create from registry" buttons
Test plan:
1) Create a Data provider in the ERM module
2) Click to edit that new provider
3) The page will load and there will be a slight delay before the Data provider name input is populated
4) The "Create manually" button will also be visible
5) Apply patch and yarn build
6) Hard refresh the browser and repeat steps 1 and 2
7) This time when the page loads the provider name should be prepopulated and no manual creation button will be visible
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Without this patch, deleting a record source will delete the associated
biblio_metadata rows, which is a severe data loss.
This patch makes the constraint restrict this action.
To test:
1. Add a record source
2. Set the record source to some records
$ koha-mysql kohadev
> UPDATE biblio_metadata SET record_source_id='your source id' WHERE
biblionumber=1;
3. Delete the record source
=> FAIL: Record metadata deleted
4. Apply this patch
5, Run:
$ ktd --shell
k$ updatedatabase
=> SUCCESS: DB update goes well
6. Repeat 1~3 with another record
=> SUCCESS: Source cannot be deleted if there are linked records
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Janusz Kaczmarek <januszop@gmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Searching for reports on Mana currently fails by sending a POST to
svc/mana/search without a CSRF token. There's no reason to POST, it's
just sending a search string.
1. Enable Mana: Reports - lower right is a blue Knowledgebase box with
a link to Change your Mana KB settings
2. Switch Use Mana KB to Yes, click Save, below that give it a name and
email, Send to Mana KB
3. Reports - Use saved - New report - New SQL from Mana
4. Enter any keyword to search, get a 403 forbidden error
5. Apply patch, restart_all, Shift+Reload the page to clear cache
6. Enter any keyword likely to return results, like select, get results
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch modifies the patron entry template to avoid a CSRF error when
clicking the "Edit existing record" button after a duplicate patron is
found. The operation should be GET and thus can be a link.
To test, apply the patch and go to Patrons.
- If you aren't using the default testing data you should first locate
an existing patron record so you can refer to the details.
- Start the process of creating a new patron record.
- Use the existing patron's data to fill out the form.
- With the default data you can use:
- Surname: Bennett
- First name: Pamela
- Date of birth: 09/16/1946
- Any random new card number
- When you click "Save" you should get a duplicate patron warning:
"Duplicate patron record?"
- Click "It is a duplicate. Edit existing record."
- You should be taken to the edit form for the existing patron.
Sponsored-by: Athens County Public Libraries
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Johanna Räisä <johanna.raisa@gmail.com>
Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
The new validation in the REST API will no longer allow
the operator "in". Consequently, it has to be replaced
with the allowed "-in".
Test plan:
* Open an invoice and click "Go to receipt page" and
on any basket click "receive" and make sure the dialog
box appears.
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
To test:
1 - Enable Pseudonymization in system preferences
NOTE: See bug 28911 for bcrypt setup
2 - Issue an item to a patron
3 - View the patrons checkouts
4 - Check the box under 'Renew'
5 - Renew selected items
6 - Internal server error
7 - Apply patch
8 - Restart all
9 - Repeat 4&5
10 - Success!
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Rebased-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
To Test:
1. Go to /cgi-bin/koha/circ/overdue.pl
2. In the «Name or card number» field, type «Tommy'and(select(0)from(select(sleep(10)))v)and'»
3. Apply the filter
==> It takes 10 seconds, sleep(10) is executed
4. Inspect the page, in «Patron category:» field, put «Tommy'and(select(0)from(select(sleep(10)))v)and'» in one of his option's value
5. select the option from the filter and Apply the filter
==> It takes 10 seconds, sleep(10) is executed
we can inject SQL to the followin field : borname, itemtype, borcat, holdingbranch, homebranch and branch
6. Apply the patch
7. Repeat step 1,2,3
==> it doesn't take 10 seconds, the injected sql is not executed
8. Repeat step 5
==> it doesn't take 10 seconds, the injected sql is not executed
9. Repeat step 5 with the followin field : itemtype, holdingbranch, homebranch and branch
==> it doesn't take 10 seconds, the injected sql is not executed
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch clarifies the list of operators both in the validate routine
and in the swagger descrption block where we document this feature for
the end user.
JD amended patch: tidy
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>