Commit graph

52179 commits

Author SHA1 Message Date
b92e9a2115
Bug 34478: Manual fix - memberentry (modify)
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:13 +01:00
1ea77fbd19
Bug 34478: Manual fix - batchMod
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:12 +01:00
18e808240f
Bug 34478: op =~ ^cud- in pl/pm
This is the result of
  bash op_must_start_with_cud-perl.sh

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:11 +01:00
11d371a620
Bug 34478: Manual fix - additem
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:10 +01:00
93e717ac31
Bug 34478: Manual fix - opac-suggestions
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:10 +01:00
d320e6fe27
Bug 34478: Replace POST with GET when needed - add_form
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:09 +01:00
8a39b582f1
Bug 34478: Adjust selenium tests
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:08 +01:00
21f5c30920
Bug 34478: Add missing csrf-token.inc for opac
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:07 +01:00
69fd7c026d
Bug 34478: op =~ ^cud- everywhere
This is the result of
  perl op_must_start_with_cud.pl

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:06 +01:00
4e1372b77c
Bug 34478: op =~ ^cud-
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:05 +01:00
bf9830d354
Bug 34478: op-cud - Trick CGI directly
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:04 +01:00
c8384299f7
Bug 34478: op-cud - Rename op with op-cud in templates
This is the result of
  perl rename_op_with_op-cud.pl

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:03 +01:00
77e3b58eee
Bug 34478: op-cud - Adjust C4::Auth code
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:02 +01:00
348dbb1594
Bug 34478: Move C4::Auth check
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:02 +01:00
314fe71ff8
Bug 34478: Remove check_csrf from pl files
We should no longer need to check CSRF token from pl files

TODO - there is a change for some files where we returned 403

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:01 +01:00
a0dcce9ce1
Bug 34478: Check CSRF in get_template_and_user
Not sure this is the right place in get_template_and_user
Will have to test login and 2FA

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:00 +01:00
4ed5bf19a7
Bug 34478: Add 'op' to opac-passwd
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:59 +01:00
bb69578db0
Bug 34478: Add 'op' to opac-user.tt
Bug 34478: [TO SQUASH] Add 'op' to opac-user.tt

Bug 34478: [TO SQUASH] Add 'op' to opac-user.tt

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:58 +01:00
a3c0c92508
Bug 34478: Add missing CSRF token to POST forms
This is the result of
  % perl csrf_add_missing_csrf.pl

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:57 +01:00
7e7159bf58
Bug 34478: Remove generate_csrf from pl
We no longer need to generate_csrf from pl files

TODO - members/boraccount.tt and sco/sco-main.tt need to be adjusted

Bug 34478: [TO SQUASH] Remove generate_csrf from pl

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:56 +01:00
8596861127
Bug 34478: Replace csrf_token input with include file - manual
A couple left not caught by the previous regex

Still TODO:
% git grep csrf_token **/*.inc **/*.tt
still shows examples that need to be replaced, later (because we use GET)

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:55 +01:00
4481fb3377
Bug 34478: Replace csrf_token input with include file
perl -p -i -n -e 's#<input type="hidden" name="csrf_token" value="\[% csrf_token \| html %]" />#[% INCLUDE '\''csrf-token.inc'\'' %]#g' **/*.tt **/*.inc

This should have actually been done at the same time as
  "Bug 30524: (QA follow-up) Only generate CSRF token if it will be used"

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:55 +01:00
8e3901342a
Bug 34478: Replace get with post when needed
This is what has been marked as done in "csrf_get.txt"

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:54 +01:00
0631153f06
Bug 35955: Add tests
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:53 +01:00
108c955eac
Bug 35955: Cache CSRF token in template plugin
This change uses the Koha::Cache::Memory::Lite cache to
cache the CSRF token, so that it is only generated once,
and is re-used by the Koha::Template::Plugin::Koha object
throughout the entire template processing for the HTTP request.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:52 +01:00
e2440f2c61
Bug 36098: Default to 'file' if pref does not exist
During the installer process there is a bunch of warnings
  "Use of uninitialized value $storage_method in string eq at"

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:51 +01:00
c42ede262a
Bug 36098: (follow-up) extend test to check driver
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:33 +01:00
5572567143
Bug 36098: Fix storage_method pass
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:32 +01:00
56d8ac2476
Bug 36098: Allow to pass storage_method
Will need this on follow-up bugs.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:32 +01:00
09de3f820b
Bug 36098: (QA follow-up) Add POD to Koha::Session
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:31 +01:00
0e6537d199
Bug 36098: Add Koha::Session module to ease session handling
This patch adds a Koha::Session module that makes it easier
to work with Koha sessions without needing the full C4::Auth module.

Test plan:
0. Apply the patch
1. Run the following unit tests:
prove ./t/db_dependent/Auth.t
prove ./t/db_dependent/Auth_with_cas.t
prove ./t/db_dependent/Koha/Session.t
2. Observe that they all pass

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:30 +01:00
7c54394383
Bug 35935: Ensure login branch will be used after incorrect login
If a different branch is selected after an incorrect login, the previous
branch will be used.

To recreate:
* login with foo/bar, select CPL => FAIL
* login with koha/koha, select another branch => OK but CPL is picked!

It was caused by a dup of "branch" in CGI param list (and first was
picked).

This patch also removes "koha_login_context" to not have it twice.
You can also open the source of the page to confirm that form#loginform
contains "branch" and "koha_login_context" in hidden inputs.

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tested in KTD. Works as advertised.
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:29 +01:00
7d95c64048
Bug 36092: Pass sessionID at the end of get_template_and_user
It seems safer to pass the logged in user and session info at the end of
the sub.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:28 +01:00
3a053ebdf9
Bug 36092: Pass the sessionID from checkauth if we hit auth
If we hit the auth page we were not passing sessionID to the template

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:27 +01:00
1bc2f8cf1b
Bug 36092: Add test
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:27 +01:00
c0d5013f2e
Bug 35918: Fix auto library connect (AutoLocation)
This code is a bit weird, its purpose is to auto-select the library depending on the IP.
A problem appears if the same IP is used, then the user's choice
might be overwritten randomly by another library.

To recreate the problem:
Turn on AutoLocation
Use koha/koha @CPL for test
And the following config:
*************************** 1. row ***************************
branchcode: CPL
branchname: Centerville
  branchip: 172.18.0.1
*************************** 2. row ***************************
branchcode: FFL
branchname: Fairfield
  branchip: 172.18.0.1
*************************** 3. row ***************************
branchcode: FPL
branchname: Fairview
  branchip: 172.18.0.4

Connect and select CPL. Randomly FFL will be picked instead.

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tested this on top of 35890 and 35904 because git bz said they were required dependencies.
Figured out the IP Koha was seeing me as coming from in /var/log/koha/kohadev/plack.log.
Added that IP to the branchip for Centerville, Fairfield and Fairview. Set AutoLocation = Yes.
After this I could recreate the problem: If I left the "Library" field in the login screen
at "My Library" I got logged into a random library selected from the three I had set
branchip for. Applying the patches fixed this, as expected.
Tests pass, with AutoLocation off.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:26 +01:00
837d04527a
Bug 35918: Add test
Signed-off-by: Magnus Enger <magnus@libriotech.no>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:25 +01:00
200799c11e
Bug 35890: Add tests for AutoLocation
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:24 +01:00
e59623bfc2
Bug 35890: Reject login if IP is not valid
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:23 +01:00
8fb9b814aa
Bug 35904: (QA follow-up): tidy up code
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:22 +01:00
a82772d7ec
Bug 35904: Make C4::Auth::checkauth testable easily
This patch suggests adding a new flag do_not_print to
C4::Auth::checkauth to not print the headers and allow testing this
subroutine more easily.

We no longer need to mock safe_exit and redirect STDOUT to test its
return values.

There are still 3 left:
1.
733         # checkauth will redirect and safe_exit if not authenticated and not authorized
=> Better to keep this one, not trivial to replace

2.
806         # This will fail on permissions
This should be replaced but testing $template->{VARS}->{nopermission}
fails, I don't think the comment is better.

3.
828         # Patron does not have the borrowers permission
Same as 2.

2. and 3. should be investigated a bit more.

This patch also moves duplicated code to set patron's password to a
subroutine set_weak_password.

Test plan:
Read the code and confirm that everything makes sense.
QA: Do you have a better way for this? Yes it's dirty!

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:21 +01:00
16a648e9ca
Bug 35904: Remove var loggedin
It is never used and adds confusion

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:21 +01:00
05dad853b7
Bug 36019: Remove dead code in tags/review
Since bug 20489 it is no longer possible to login with the DB user.
At the time, get_template_and_user returned borrowernumber=0 in this case.

In tags/review.pl we have:
  $borrowernumber == 0 and push @errors, {op_zero=>1};

This condition is never met, and op_zero related code can be removed in the template.

Test plan:
Confirm the above

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:20 +01:00
097a27e932
Bug 36017: Remove dead code in admin/clone-rules
Since
  commit 61628c97c2
  Bug 18936: (follow-up) Add cloning of circulation rules back to Koha

There is some dead code in admin/clone-rules.

"result" is always passed to the template.

Test plan:
Confirm the above and that cloning rules from the circ rules page still
works correctly.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:19 +01:00
4b6508e7ea
Bug 35949: Remove useless code pointing to branchreserves.pl in request.tt
messagetransfert is never set (it is from circ/waitingreserves.pl, `git grep messagetransfert`) and branchreserves.pl does not exist!

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:18 +01:00
fc19c774fd
Bug 34426: (QA follow-up) Polishing xt script
Test plan:
Run it again. Same results?

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:17 +01:00
31edf8d1b9
Bug 34426: Add xt/find-missing-csrf.t
Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:16 +01:00
Andreas Jonsson
fee4368cd8
Bug 35930: Add guards for plugins_enabled
The 'new' method in Koha::Plugins returns undefined if
plugins are disabled.  Therefore, calls to this method
must be guarded by a check that plugins actually are enabled.

Test plan:

* Code inspection of patch, alternatively
* Activate the ill system by installing a backend such as
  koha-illbackend-libris:
  https://github.com/Libriotech/koha-illbackend-libris
* Make sure plugins are disabled in koha-conf.xml
* In the staff interface, go to ILL requests.
* The page should load without getting an error 500.

PA amended commit message: This is not related to ILL backends being plugins or not
This is about ILL batches, where checking for metadata enrichment plugins was missing 'enable_plugins' guard
Additionally, unrelated to batches, it's also about ILLAvailability, where checking for ILL availability plugins was missing enable_plugins guard

Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Hans Pålsson <hans.palsson@hkr.se>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2024-02-14 13:28:30 +00:00
b577b65670
Bug 35518: Tidy the moved blocks
This patch just tidies the moved blocks to get us past the QA script
check.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2024-02-14 13:27:14 +00:00
90b6f68616
Bug 35518: Check authentication and set userenv before fetching userenv variables
Currently we get the userenv before we have set it correctly for the session

To test:
 1 - Sign in as a user with fast cataloging permission
 2 - Bring up a patron, type gibberish into barcode field to get a fast cataloging link
 3 - Check the link, it should have your current signed in barcode
 4 - Sign in to a different browser with a different user and at a different branch
 5 - Bring up a patron in circulation and type gibberish into barcode field to get a fast cataloging link
 6 - It may have your branch, but it may also have the other user's branch from the other window
 7 - Keep entering gibberish to get a link until one user has the correct branch
 8 - Then switch to the other browser, and keep entering gibberish, watch the branchcode change
 9 - Apply patch, restart all
10 - Test switching between browsers, generating fast cataloging links
11 - Users should now consistently have the correct branch

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2024-02-14 13:27:03 +00:00