A primary key error can be thrown when an item number is included in a new title hash. We need the item creation to ignore an itemnumber even if it is included in a MARC Framework
Test plan:
1) Edit the MARC framework relating to books (BKS in KTD)
2) In the 952$9 field (Koha itemnumber (autogenerated)), change the value of "Managed in tab" to "items (10)"
3) In the catalog, find a record that uses that MARC framework
4) Click "New" and choose to add a new item
5) Enter a barcode and click the "Add & duplicate" button
6) The page will refresh and an item will have been added
7) Enter a new barcode and click the same button again
8) An error will be thrown
9) Click the back button in the browser
10) Apply patch and restart_all
11) Click the add and duplicate button again
12) This time no error will be thrown and the page will refresh with another new item added
13) Sign off!
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
These values are stored at the order level, not per item. This patch simply sets the order values from the values retrieved from MarcFieldsToOrder even inf MarcItemFields to order is being used for other fields
To test:
Setup -- Set systempreferences below
MarcFieldsToOrder:
price: 949$g
quantity: 949$k
budget_code: 949$l
discount: 949$m
sort1: 949$n
sort2: 949$q
MarcItemFieldsToOrder:
homebranch: 949$a
holdingbranch: 949$b
itype: 949$y
nonpublic_note: 949$x
public_note: 949$z
loc: 949$c
ccode: 949$8
notforloan: 949$7
uri: 949$u
copyno: 949$t
price: 949$g
replacementprice: 949$v
itemcallnumber: 949$o
quantity: 949$k
budget_code: 949$l
Stage the attached bib-303.marcxml file
Add to basket from the staged file
Note that discount and sort1 and sort2 are not populated per the Marc
Apply patch, restart all
Stage and add to basket again
Confirm discount and sort1 and sort2 are populated correctly
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Since bug 34303 the test suite (when ran on jenkins) is no longer testing Perl::Critic
koha_1 | fatal: Not a valid object name master
koha_1 | [14:58:14] t/00-testcritic.t
We are not cloning the whole repo and "master" is not available. Additionally we do not want to test master's files on stable branches anyway...
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Test plan:
Make sure that you do not have borrowr 51.
Run t/db_dependent/Koha/Patron.t.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
No further changes.
Test plan:
Run t/db_dependent/Prices.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Test plan:
Run t/Prices.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Move everything in one subtest
Test plan:
Run t/Prices.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
__() should be used in .js files, not .tt files
To test, apply the patch and update a translation, e.g. fr-FR:
> cd misc/translator
> perl translate update fr-FR
- Open the corresponding .po file for JavaScript strings, in this case
misc/translator/po/fr-FR-staff-prog.po
- Confirm that the strings are now in the .po file for translation. You
should find the lines in the commit
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Test plan:
1. Navigate to Acquisitions and load the suggestions management page
2. Ensure that there are some suggestions in the table
3. Observe that the default sort is on the "Suggester Category" column
4. Apply Patch
5. Observe that the default sort is now on the "Suggested on" column
instead
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch fixes a couple of inconsistencies in the debit types
administration page, making sure the page title, breadcrumb
navigation, and page headers are consistent with each other.
To test, apply the patch and go to Administration -> Debit types. Test
each variation of the page:
- Main page
- New debit type
- Modify debit type
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Fix inconsistencies in cash register page titles, breadcrumbs, and
header
This patch fixes a couple of inconsistencies in the cash register
administration page, making sure the page title, breadcrumb
navigation, and page headers are consistent with each other.
To test, apply the patch and go to Administration -> Cash register. Test
each variation of the page:
- Main page
- New cash register
- Modify cash register
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This fixes a typo in a message used in the advanced cataloguing
editor when macros are converted from being stored in the browser to
being stored in the database (bug 17268 - Advanced cataloging editor
- rancor - macros are lost when browser storage cleared).
Test plan:
1. Search for 'brower' in the codebase - there should be one occurance:
grep -rn --exclude=*.po brower *
2. Apply the patch.
3. Run the search in step 1 again, there should now be no occurances.
4. Review the diff for the patch a nd make sure that the change makes
sense.
5. Sign off! 8-)
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Andrew Fuerste-Henry <andrewfh@dubcolib.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This fixes issues with the tests caused by:
Bug 32496: Reduce unnecessary unblessings of objects in Circulation.pm
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
GetDebarments was removed and replaced by $patron->restrictions.
The tests needed some adjustments to reflect that change.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Fixes some typos in test and update message that were highlighted
by the QA tools.
Add missing bug number to the atomic update file.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Add tests, remove ODueDebarmentRemovalAllowUnrestricted syspref and instead
modify AutoRemoveOverduesRestrictions to have a third option
Signed-off-by: Michaela <michaela.sieber@kit.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
How to test:
1) Run tests in t/db_dependent/Circulation/MarkIssueReturned.t
Sponsored by: Gothenburg University Library
Signed-off-by: Michaela <michaela.sieber@kit.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Instead of the fallback to 51, we pass a borrower that has
permission for editing items.
Test plan:
Do not apply patch.
Run test without a borrower 51 in db. (FAIL)
Apply patch.
Run test again. (PASS)
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Test plan:
Run t/db_dependent/Koha/Item.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This is the case for subtest: attributes_from_api() tests.
Test plan:
export TZ='Europe/Amsterdam'
prove t/db_dependent/Koha/Object.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
See also bug 34930. Using same approach.
Test plan:
export TZ='Europe/Amsterdam'
prove t/db_dependent/Koha/Patrons.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch removes the use of event attributes (onclick, onchange) from
the OPAC lists template. These events are defined now along with the
other in-page JS.
The patch also removes a "delete list" button which was only shown
when viewing an empty list and which was redundant.
To test, apply the patch and log into the OPAC.
- Go to Lists -> New list.
- Change the category to "Private" and the "Allow changes" dropdown to
"Staff only."
- You should see a message, 'The "Staff only" permission has no actual
effect while this list is strictly private'
- Change the category to "Public." The message should disappear.
- View the contents of a list.
- Click the "Send list" button at the top of the table of titles.
- It should trigger the "Sending your list" popup window.
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch removes the use of event attributes (onclick) from the OPAC's
bibliographic detail page template. These events are defined now along
with the other in-page JS.
The patch also adjusts the global "Dopop" function so that the popup
window is a litte bigger. The comments form did not fit well.
In checking for use of the "Dopop" function I found that it was being
redefined in opac-topissues.tt for no reason so I removed it.
To test you must have the OPACComments system preference enabled.
- Log in to the OPAC, locate a bibliographic record, and view the detail
page.
- Under the "Comments" tab, click the "Post your comments on this title"
link. It should trigger a popup window.
- Submit your comment. When the detail page reloads, return to the
"Comments" tab and click the "Edit" link on your comment. The same
popup window should be triggered.
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Test plan:
1. Set system preferences:
- Disable OPACAllowUserToChooseBranch
- Set ReservesControlBranch to "item's home library"
- Enable UseBranchTransferLimits
- Set BranchTransferLimitsType to "item type"
- Enable canreservefromotherbranches
- Disable IndependantBranches
2. Create two libraries: ITEM_LIB and PATRON_LIB
3. Set circulation rules:
- Remove all circulation rules (DELETE FROM circulation_rules)
- Set a default rule that allow some holds and with "OPAC item level
holds" = "force". Allow "on shelf" holds for easier testing.
- In the rules for ITEM_LIB, under "Default checkout, hold and return
policy",
- set "Hold policy" to "From any library"
- set "Hold pickup library match" to "item's home library"
- In the rules for PATRON_LIB, under "Default checkout, hold and
return policy",
- set "Hold policy" to "From any library",
- set "Hold pickup library match" to "any library"
4. In "Library transfer limits" disable all transfers from ITEM_LIB to
PATRON_LIB for an item type (let's say "BOOK")
5. Create a biblio with an item:
- item type must be the same as in previous step ("BOOK")
- home branch and holding branch must be ITEM_LIB
6. Create a patron at PATRON_LIB, give it a password so it can log in.
7. Go to OPAC, and login with this patron
8. Try to place a hold for the new item. You should be allowed to place
a hold, but when doing it, no holds will be created.
9. Apply patch, restart Koha
10. Try to place a hold for the new item. This time the hold should be
created
Signed-off-by: Jessie Zairo <jzairo@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Merged tidy patch and switch to Koha::Policy::Holds here.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Not sure this is correct, but I think it is!
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch adds the requirements that updating a system preference
requires a CSRF token. (Also, adding and deleting local system preferences.)
0. Apply patch
1. koha-plack --reload kohadev
2. Add local system preference
3. Update local system preference
4. Delete local system preference
5. Update normal system preference
6. Note no errors
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
</script> tags are interpreted in JSON strings as HTML, which can
lead to XSS attacks.
This patch puts HTML escaped JSON in the value of a hidden HTML element.
The Javascript then takes the value as a string, parses it as JSON,
and is able to use it to save search filters without triggering a
XSS attack.
This patch also adds DataTable's built-in HTML escaping for the query
and limits on the admin UI for the search filters.
Test plan:
0. Apply patch
1. Go to
http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=SavedSearchFilters
2. Enable the system preference
3. Go to http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e
4. Click "Save search as filter"
5. Checkbox "Show in staff interface?"
6. Type "E-TEST" into box and click 'Save'
7. Go to
http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e
8. Click "E-TEST" under "Custom search filters"
9. Note that you see search results
10. Go to
http://localhost:8081/cgi-bin/koha/admin/search_filters.pl
11. Note that for "E-TEST" you see a "Query" like
{"operators":[],"operands":["e"],"indexes":[]}
12. Note that for "E-TEST" you see a "Limits" like
{"limits":[]}
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This change validates and escapes inputs for task scheduler.
Test plan:
0. Apply patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/tools/scheduler.pl
3. Input a time a minute in the future and leave the date blank
4. Choose an existing report and output format
5. Type a malicious string which is also a valid email address
into the Email field
6. Click "Save"
7. Note that the job is added but the Email is wrapped in single
quotes
8. Try using a non-malicious email address with a single quote.
9. Note that the single quote is escaped, so that it will still
be used by runreport.pl
JD amended patch: tidy
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Removed pars for $email =~ regex, removed old commented lines.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch sets the $auth_state to failed when changing auth sessions,
so that the new login attempt gets processed correctly (instead
of skipping the authorization step).
Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Go to
http://localhost:8081/cgi-bin/koha/admin/preferences.pl?tab=&op=search&searchfield=baseurl
3. Log in as an OPAC user with 0 permissions
4. Note the auth screen "Error: You do not have permission to access this page"
5. Click "Log in"
6. Note that you're still shown a login screen (and that you've been logged out of
your previous authenticated session)
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
I think the correct behavior for this script should be that koha-foreach
will return 0 (success) if all the commands it tried to run succeeded, but
1 (failure) if any of the commands failed.
To test:
1. $ koha-create --create-db test
2. $ vi test.sh
if [ $USER = 'kohadev-koha' ]; then
echo "FAILED";
exit 1;
else
echo "SUCCESS";
exit 0;
fi
3. $ debian/scripts/koha-foreach sh test.sh
FAILED
kohadev: 1 status returned by "sh test.sh"
SUCCESS
4. $ echo $?
5. Note that the exit status is 0 (success)
6. Apply patch
7. $ debian/scripts/koha-foreach sh test.sh
FAILED
kohadev: 1 status returned by "sh test.sh"
SUCCESS
8. $ echo $?
9. Note that the exit status is 1 (failure)
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This change adds a unit test to test Koha::Auth::TwoFactorAuth::verify
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This change adds a mfa_range configuration option for TOTP
to koha-conf.xml, and overrides the "verify" method from
Auth::GoogleAuth in order to provide a new default for "range"
Test plan:
0. Apply the patch
1. koha-plack --restart kohadev
2. Go to
http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=TwoFactorAuthentication
3. Change the syspref to "Enable"
4. Go to
http://localhost:8081/cgi-bin/koha/members/moremember.pl?borrowernumber=51
5. Click "More" and "Manage two-factor authentication"
6. Register using an app
7. In an Incognito window, go to
http://localhost:8081/cgi-bin/koha/mainpage.pl
8. Sign in with the "koha" user
9. Note down a code from your Authenticator app
10. Wait until after 60 seconds and try it
11. Note it says "Invalid two-factor code"
12. Try a new code from the app
13. Note that it works
14. Add <mfa_range>10</mfa_range> to /etc/koha/sites/kohadev/koha-conf.xml
15. Clear memcached and koha-plack --restart kohadev
16. Sign in with the "koha" user
17. Note down a code from your Authenticator app
18. Wait 4 minutes and then try it
19. Note that it works
20. Disable your two-factor authentication and click to re-enable it
21. Use a code older than 60 seconds when registering for the two
factor authentication
22. Note that the code works
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
At this time, we can specify fields to hide in SIP response at the login level. From a security perspective, it would be useful to also be able to specify which fields are allowed in a response.
Test Plan:
1) Apply this patch
2) prove t/db_dependent/SIP/Message.t
Signed-off-by: Sam Lau <samalau@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>