When creating a patron attribute type, there is a "Allow password"
checkbox. If checked, the librarian will be able to enter a password for
this patron attribute when editing a patron.
The goal was to allow a patron to log in with a secondary password.
However, this feature has never been implemented.
"""
commit 6fc62bcd32
CommitDate: Mon May 12 09:03:00 2008 -0500
extended patron attributes tables & syspref (DB rev 081)
- password_allowed (if set, staff patron editor will
allow a password to be associated with a value; this
is mostly a hook for functionality to be implemented
in the future.
"""
To decrease maintainability, this patch suggest to remove the 2 DB fields
borrower_attributes.password and
borrower_attribute_types.password_allowed
If they have not used by the library.
Test plan:
- Edit a patron attribute type and select "allow password"
- Edit a patron and defined a password for this attribute
- Execute the DB entry
- Note that you get a warning
- Empty the password field
- Execute the DB entry
- You do not get the warning and the 2 DB fields have been removed
Signed-off-by: Marc Veron <veron@veron.ch>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Currently if not logged in when browsing to
http://YOURCATALOG/cgi-bin/koha/sco/sco-main.pl
You are redirected to opac-auth.tt and SCOUserCSS and SCOUserJS are not
loaded. This page passes through a parameter to the template to indicate
this is an SCO login and appropriate CSS and JS should be loaded.
Additionally this patch ensure that when loggin in using the form you
are redirected to the sco-main.pl instead of the patron account page for
the user.
To test:
1 - Verify that normal login works on both staff and opac
2 - Verify that SCO link goes to login page if AutoSelfCheckAllowed is
set to "Don't allow"
3 - Enter changes into SCOUserJS and SCOUserCSS and observe these are
present on SCO log in page with AutoSelfCheck disabled
4 - Verify that a logged in opac user without permissions cannot access
the self-checkout module
5 - Verify that AutoSelfCheckAllowed and associated system preferences
function as expected
6 - Verify the AutoSelfCheck user is logged out if they attempt to visit
another page
Followed test plan.
If I go to http://YOURCATALOG/cgi-bin/koha/sco/sco-main.pl, CSS and JS trigger already on
the login form, I suppose that is intended.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
The default patron search types has changed from 'contain' to
start_with. Users consider it as a bug.
This patch revert the previous changes to default on 'contain'.
Test plan:
Search for patrons in different places (guarantor, checkout, patron
module, acquisition module, etc.) and confirm that the default is always
'contain'
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
GetLoanLength arbitrary defaulted to 21. The expected behavior seems to
be to default on 0 (loan will be dued today).
IMPORTANT NOTE: This patch will introduce a change in the behaviors for
configuration with a 0 in issuelength. Before this patch, the rule with
a issuelength==0 was skipped, now it's used!
Test plan:
1/ Do not define any rule: the due date will be today (before this patch
was +21 days)
2/ Define some rules which does not match the patron category, itemtype
or branchcode: the due date will be today (before this patch was +21
days).
3/ Modify a rule to match the checkout and set issuelength=0: the due
date will be today (before this patch, the rule was skipped)
4/ Modify this rule and set the issuelength to something > 0: the due
date will be adjusted (same behavior as before this patch)
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Works ok, checked 1-4
All test pass
No koha-qa errors
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The login page should not be displayed if the page is displayed in a
frame.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
Added the following indexes:
Interest-age-level | 591$a ind1=1
Interest-grade-level | 591$a ind1=2
lexile-number | 591$a ind1=8
Reading-grade-level | 591$a ind1=0
Moved 'lex' from a zebra index to a ccl alias to lexile-number.
Changed the handling of st-numeric in C4/Search.pm to allow for search ranges.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
This patch alters the MySQL query to remove a max statement which
incorrectly groups full annual barcodes with numeric values.
Signed-off-by: Srdjan <srdjan@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
From C4::Koha::GetAuthorisedValues
# TODO: the "selected" feature should be replaced by a utility function
# somewhere else, it doesn't belong in here. For starters it makes
# caching much more complicated. Or just let the UI logic handle it, it's
# what it's for.
Indeed, it's not a job for a subroutine, the template should take care of that.
Note that a perf gain could be won with this patch \o/
Test plan:
- Edit an itemtype and check the value of the "Search category" dropdown list
- Edit a patron attribute type and check the value of the "Class" dropdown list
- Detail for a catalogue record, the Status column should be correctly
populated if items are damaged and/or lost
- Item details for a catalogue record, the lost, damaged and withdrawn
value should be correctly displayed
- Edit a patron, the "street type" should be correctly selected
- Create a patron attribute type linked to an authorised value list.
- Edit a patron, set a value for this attribute, edit it again. The
correct value should be selected.
- Search for subscriptions. The 'Location' dropdown list should behave
correctly (select the entry you have choosen before, etc.)
- Edit a subscription, the location dropdown list should select the
correct value.
- Edit and view a suggestion with a 'reason for suggestion' set (you
should have at least 1 OPAC_SUG AV defined)
Followed test plan, works as expected
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
subroutines should not take $dbh in parameter.
C4::Biblio::TransformMarcToKoha has it and does not use it.
Test plan:
Look at the patch and confirm that all occurrences of
TransformMarcToKoha have been modified.
Signed-off-by: Jacek Ablewicz <abl@biblos.pk.edu.pl>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
Right now, ->dbh calls are actually quite expensive (they involve
DB connection health checks, each and every time). Some speed-sensitive
subroutines inside C4/Biblio.pm (GetMarcStructure, GetAuthorisedValueDesc)
have this statement
my $dbh = C4::Context->dbh;
on top of the code, but they don't always/don't usually need DB
handle - not at that stage at least. This trivial patch eliminates
unneeded ->dbh calls in those subroutines. With it, average
GetMarcStructure() running time goes down from 14 miliseconds
to 9 miliseconds (on top of Bug 16166), it also makes catalogue
search profiling a bit easier.
Test plan:
1) apply patch
2) ensure that catalogue searches are still working
3) run t/*Biblio* tests
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
This subroutine always returns what has been sent in parameter.
It is unecessary and can be removed.
Test plan:
prove t/Ris.t
should not be noisy
Export a catalogue record in Ris should generate the same file with and
without this patch
NOTE: With/Without were identical in my testing.
t/Ris.t is nicely silenced.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
TEST PLAN
---------
1) prove t/Ris.t
-- very noisy
2) apply patch
3) prove t/Ris.t
-- just one confusing noise.
4) run koha qa test tools
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
Add support for processing incoming Edifact Quotes, Invoices
and order responses and generating and transmission of
Edifact Orders.
Basic workflow is that an incoming quote generates an aquisition
basket in Koha, with each line corresponding to an order record
The user can then generate an edifact order from this (or another)
basket, which is transferred to the vendor's site
The supplier generates an invoice on despatch and this will
result in corresponding invoices being generated in Koha
The orderlines on the invoice are receipted automatically.
We also support order response messages. This may include
simple order acknowledgements, supplier reports/amendments
on availability. Cancellation messages cause the koha order
to be cancelled, other messages are recorded against the order
Which messages are to be supported/processed is specifiable on a
vendor by vendor basis via the admin screens
You can also specify auto order i.e. to generate orders from quotes
without user intervention - This reflects existing
workflows where most work is done on the suppliers website
then generating a dummy quote
Received messages are stored in the edifact_messages table
and the original can be viewed via the online
Database changes are in installer/data/mysql/atomicchanges/edifact.sql
Note new perl dependencies:
Net::SFTP:Foreign
Text::Unidecode
Signed-off-by: Paul Johnson <p.johnson@staffs.ac.uk>
Signed-off-by: Sally Healey <sally.healey@cheshiresharedservices.gov.uk>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Rename not_borrowered_since to not_borrowed_since
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
This patch adds the ability to select a patron list for deletetion
when using the Batch patron deletion/anonymization tool. It also adds
buttons to the the patron lists table to access both the batch deletion
and batch modification directly from the lists view.
This is a squash of previous patches but now adds a patron_list_id
parameter to C4::Members::GetBorrowersToExpunge and uses that routine to
fetch patrons from a list.
Test Plan:
1) Apply this patch
2) Create a list of patrons with the new Patron Lists feature
3) Try using the batch edit link form the lists table
4) Try using the batch delete link from the lists table
5) Verify previous functionality has not changed
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Patron batches are correctly passed to the edit and delete pages.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Test Plan (remains the same):
0) Back up your database
1) Apply all these patches
2) In your mysql client use your Koha database and execute:
> DELETE FROM systempreferences;
> SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql;
-- Should be no errors.
> SELECT * FROM systempreferences LIKE 'GoogleO%';
-- Should see 4 entries.
> QUIT;
3) Restore your database
4) Run ./installer/data/mysql/updatedatabase.pl;
5) In your mysql client use your Koha database and execute:
> SELECT * FROM systempreferences LIKE 'GoogleO%';
-- Should see the same 4 entries.
6) Log into the staff client
7) Home -> Koha administration -> Global system preferences
8) -> OPAC
-- make sure your OPACBaseURL is set (e.g. https://opac.koha.ca)
9) -> Administration
-- There should be a 'Google OAuth2' section with the ability
to set those 4 system preferences.
10) In a new tab, go to https://console.developers.google.com/project
11) Click 'Create Project'
12) Type in a project name that won't freak users out, like your
library name (e.g. South Pole Library).
13) Click the 'Create' button.
14) Click the 'APIs & auth' in the left frame.
15) Click 'Credentials'
16) Click 'Create new Client ID'
17) Select 'Web application' and click 'Configure consent screen'.
18) Select the Email Address.
19) Put it a meaningful string into the Product Name
(e.g. South Pole Library Authentication)
20) Fill in the other fields as desired (or not)
21) Click 'Save'
22) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL.
(http://library.yourDNS.org)
23) Change the 'AUTHORIZED REDIRECT URIS' to point to the new
googleoauth2 script
(http://library.yourDNS.org/cgi-bin/koha/svc/auth/googleopenidconnect)
24) Click 'Create Client ID'
25) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID
system preference.
26) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret
system preference.
27) Change the GoogleOpenIDConnect preference to 'Use'.
28) Click 'Save all Administration preferences'
29) In the OPAC, click 'Log in to your account'.
-- You should get a confirmation request, if you are
already logged in, OR a login screen if you are not.
-- You need to have the primary email address set to one
authenticated by Google in order to log in.
30) Run koha qa test tools
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
To test
1/ Apply both patches
2/ This patch lets you easily configure mappings for categorycode values.
These mapping will be used when updating the user's account after a successful LDAP login.
Here is an example configuration :
<config>
<ldapserver id="ldapserver>
<mapping>
<categorycode is="usertype">STU</categorycode>
...
</mapping>
<categorycode_mapping>
<categorycode value="STU">STUDENT</categorycode>
<categorycode value="EMP">EMPLOYEE</categorycode>
</categorycode_mapping>
</ldapserver>
</config>
3/ With this configuration, LDAP users with the usertype value "EMP" on the LDAP server should have the "EMPLOYEE" categorycode in Koha.
Signed-off-by: Chris <chris@bigballofwax.co.nz>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
To test
1/ Apply both patches
2/ This patch lets you easily configure mappings for categorycode values.
These mapping will be used when updating the user's account after a successful LDAP login.
Here is an example configuration :
<config>
<ldapserver id="ldapserver>
<mapping>
<categorycode is="usertype">STU</categorycode>
...
</mapping>
<categorycode_mapping>
<categorycode value="STU">STUDENT</categorycode>
<categorycode value="EMP">EMPLOYEE</categorycode>
</categorycode_mapping>
</ldapserver>
</config>
3/ With this configuration, LDAP users with the usertype value "EMP" on the LDAP server should have the "EMPLOYEE" categorycode in Koha.
Signed-off-by: Chris <chris@bigballofwax.co.nz>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
These prefs do not need to be cached, a quick access to $ENV permit to
get the value.
Signed-off-by: Jacek Ablewicz <abl@biblos.pk.edu.pl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Olli-Antti Kivilahti <olli-antti.kivilahti@jns.fi>
Also fixes ! and +
Rebased to master
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
It makes perfect sense and works as expected. This part of the code is too
under-tested so no point requiring a regression test for such a simple change.
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
This failure has been introduced by
commit 243b797dd1
Bug 15285: Update common files
This is because the cannot_be_modified key is not always created by
C4::Utils::DataTables::ColumnsSettings subroutines
Test plan:
prove t/db_dependent/ColumnsSettings.t
should return green
And you can also test a table where the feature is set and a column
cannot be modified from the admin page.
NOTE: Works as described. I was pondering this potential
solution when I found it in bugzilla.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
This patch fixes a regression introduced by
commit 7e70202d34
Bug 15381: Remove GetAuthType and GetAuthTypeCode
This first version will reintroduce the same behavior as before bug
15381: the record will be displayed even if it's no in the DB
Test plan:
Search for authorities
delete one
The zebra's index is not updated yet and the results will contain the
record you have deleted.
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
This patch makes the PayPal integration feature independent from the
URL::Encode library, which is absent in some supported distributions.
It uses the URI package which is already a Koha dependency.
To test:
- Apply the patch
- Notice there are no deps for URL::Encode
- Follow the steps from the original patch
=> SUCCESS: It works as expected
- Sign-off :-D
Note: I deleted the line in which $amount_to_pay was url-encoded, because that's
one of the things query_form does (and the variable is only used as a parameter to it).
Sponsored-by: ByWater Solutions
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Test plan:
- Update your configuration file to use LDAP authentication and enable update
(<update>1</update>) option,
- login with an existing user with extended attrbitutes that are not in
LDAP mapping,
- check that all attributes are still here.
Signed-off-by: Chris <chrisc@catalyst.net.nz>
Signed-off-by: Philippe Blouin <philippe.blouin@inlibro.com>
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
This patch adds the ability to query the extended patron
attributes via the ILSDI web service's GetPatronInfo service.
Example: ilsdi.pl?service=GetPatronInfo&patron_id=3&show_attributes=1
A new element <attributes> will be added if there
are any attributes available from the database.
We need to discuss the security implications of showing the
attributes. At present it will allow querying of non-public
(OPAC-visible) information. We might want to change this.
Sponsored-By: Halland County Library
Test plan:
* Configure Koha to make use of extended attributes:
Under 'Administration' -> 'Global system preferences' ->
'Patrons' tab -> Set 'ExtendedPatronAttributes' to 'Enable',
press save and switch to 'Web services' tab.
* Enable the ILS-DI service:
Under 'Administration' -> 'Global system preferences' ->
'Web services' tab -> 'ILS-DI' section:
Set 'ILS-DI' to 'Enable' and save.
* Create an attribute to query:
Under 'Administration' -> 'Patrons and circulation' ->
'Patron attribute types' press 'New patron attribute type':
Enter a type code, like 'DOORCODE', description and assign
a category that your test patron is a member of, then save.
* Set value for test user:
Locate the test patron, the new attribute should be listed
under 'Additional attributes and identifiers'.
Click 'Edit' and assign a value, like '1337' and save.
* Query the ILS-DI service:
http://127.0.1.1/cgi-bin/koha/ilsdi.pl?service=GetPatronInfo&patron_id=1&show_attributes=1
The output XML should have an element named 'attributes'
containing the data you entered.
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Koha's SIP2 server should have support for the AV field ( field items ).
The biggest problem with this field is that its' contents are not really
defined in SIP2 protocol specification. All it says is "this field
should be sent for each fine item". Due to this, I think the contents of
the field need to be configurable at the login level, so that the
contents can be defined based on the SIP2 devices requirements for the
AV field.
Test Plan:
1) Apply this patch
2) Find a patron with outstanding fines
3) Run a patron information request using misc/sip_cli_emulator.pl using the new -s option with the value " Y "
4) Note there is an AV field for each fee containing the description and amount
5) Edit your sip config, add an av_field_template parameter to the login you are using such as
av_field_template="TEST [% accountline.description %] [% accountline.amountoutstanding | format('%.2f') %]"
6) Restart your SIP server
7) Repeat the patron information request
8) Note your custom AV field is being used!
Signed-off-by: Chris Davis <cgdavis@uintah.utah.gov>
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
The items.new column is badly named, the Koha::Item->new accessor will
never returns this value, but the constructor will be called instead.
This patch renames it with new_status to avoid the ambiguity.
Test plan:
0/ Do not apply this patch
1/ Define some rules in the "Automatic item modifications by age" tool
with at least one items.new field used
2/ Apply this patch
3/ Execute the update DB entry
4/ Reload the tool page and confirm that the changes have been taken
into account
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
$VERSION reintroduced into External/BakerTaylor.pm but was
not declared. Causes tests to fail.
Readd VERSION to the package vars
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
These files should be managed on their own bug reports.
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
perl -p -i -e 's/use vars qw\(\s*\);\n//' **/*.pm
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
perl -p -i -e 's/^.*set the version for version checking.*\n//' **/*.pm
+ manual adjustements
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Mainly a
perl -p -i -e 's/^.*3.07.00.049.*\n//' **/*.pm
Then some adjustements
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
perl -p -i -e 's/^(use vars .*)\$VERSION\s?(.*)/$1$2/' **/*.pm
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
C4::Members::GetMemberAccountRecords wrongly casts float to integer
It's common to use sprintf in Perl to do this job.
% perl -e 'print int(1000*64.60)."\n"';
64599
% perl -e 'print sprintf("%.0f", 1000*64.60)."\n"';
64600
Test plan:
1) Create manual invoice for 64.60 (or 1.14, 1.36, ...)
2) Try to pay it using "Pay amount" or "Pay selected" buttons
Signed-off-by: Sally Healey <sally.healey@cheshiresharedservices.gov.uk>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
On debian Jessie, the CGI version is >= 4.08
Since this version, the param method raise a warning
"CGI::param called in list context".
Indeed, it can cause vulnerability if called in list context
https://metacpan.org/pod/CGI#Fetching-the-value-or-values-of-a-single-named-parameterhttp://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/
There is a long journey to get rid of these warnings.
First I suggest to redefine the multi_param method when the CGI version
installed is < 4.08, it will allow us to move the wrong ->param calls to
->multi_param without waiting for everybody to upgrade.
The different ways to call these 2 methods are:
my $foo = $cgi->param('foo'); # OK
my @foo = $cgi->param('foo'); # NOK, will raise the warning
my @foo = $cgi->multi_param('foo'); #OK
$template->param( foo => $cgi->param('foo') ); # NOK, will raise the warning
# and vulnerable
$template->param( foo => scalar $cgi->param('foo') ); # OK
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Tested a call to multi_param with CGI < 4.08.
With reference to the comments on Bugzilla, this workaround is arguable,
but provides a base to move to multi_param. If we come up with a better
solution, it should be easy to adjust.
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
As promised, here is the long-awaited sequel to #8753.
What has changed :
- The Koha::Patron::Password::Reset is now used in place of C4::Passwordrecovery
- That ugly shift-grep contraption is no more (goodbye old friend)
- The generated unique key won't end in a dot anymore
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
The patron attributes displayed on editing a patron are not displayed if
limited to another library.
C4::Members::Attributes::SetBorrowerAttributes will now only delete attributes
the librarian is editing.
SetBorrowerAttributes takes a new $no_branch_limit parameter. If set,
the branch limitations have not effect and all attributes are deleted
(same behavior as before this patch).
Test plan:
1/ Create 2 patron attributes, without branch limitations.
2/ Edit a patron and set a value for these attributes
3/ Limit a patron attributes to a library (one you are not logged in
with).
4/ Edit again the patron.
=> You should not see the limited attributes
5/ Edit the patron attributes and remove the branch limitation
=> Without this patch, it has been removed from the database and is not
displayed anymore.
=> With this patch, you should see it.
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
Accessing to the cache for each call to C4::Context->preference might
have an impact on performances.
To avoid that this patch introduces a L1 cache (simple hashref). It will
be populated by accessing the L2 cache (Koha::Cache).
If a pref is retrieved 10x, the first one will get the value from the L2
cache, then the L1 cache will be check.
To do so we will need to clear the L1 cache every time a page is loaded.
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Jacek Ablewicz <abl@biblos.pk.edu.pl>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
Unless in t/db_dependent/Context.t where we want to test the cache
behaviors.
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Jacek Ablewicz <abl@biblos.pk.edu.pl>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
At the moment, the sysprefs are only cache in the thread memory
executing the processus
When using Plack, that means we need to clear the syspref cache on each
page.
To avoid that, we can use Koha::Cache to cache the sysprefs correctly.
A big part of the authorship of this patch goes to Robin Sheat.
Test plan:
1/ Add/Update/Delete local use prefs
2/ Update pref values and confirm that the changes are correctly taken
into account
Signed-off-by: Chris <chrisc@catalyst.net.nz>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Tested with plack with syspref cache enabled, there is some time between setting the syspref and applying it, but it takes just one reload of page, it shouldn't be problem, should it?
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Jacek Ablewicz <abl@biblos.pk.edu.pl>
Tested with CGI and CGI + memcache; some small issues still remain,
but it would be better to deal with them in separate bug reports
if necessary
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
There are some places where frames are used, the greybox JS plugin for
instance.
We need either to allow them from Koha or replace this plugin.
The easier for now is to switch the value from DENY with SAMEORIGIN.
Test plan:
- modify a record in a batch (tools/batch_record_modification.pl)
- click on preview marc
=> With only the previous patch you will get a blank page.
=> With this patch apply, it will work as expected.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Web pages that can be embedded in frames are vulnerable to cross-frame
scripting attacks. Cross-frame scripting is a type of phishing attack
that involves instructions to an unsuspecting user to follow a specific
link to update confidential information in an online application.
Because the link leads to a legitimate page from the online application
that is embedded in a frame hosted by the attackers' server, the
attackers can capture all the information that the user enters.
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Note:
QA question: Does the Koha::Patron->siblings method should return undef
if there is no guarantor?
It would avoid the weird != undef, = $borrowernumber conditions.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
2 subroutines of C4::Members deal with guarantor/guarantees:
GetGuarantees and GetMemberRelatives.
Since we already have a Koha::Patron->guarantor method, it makes sense
to move these 2 subroutines to this module.
This first patch deals with GetGuarantees.
Test plan for the entire patch set:
1/ Create 5 patrons A (adult), B (child), C (child), D (child), E
(child), F (adult)
2/ Add relation between them: A is father of B, C and D.
E does not have a guarantor
F does not have guarantees
3/ Check some items out for all of these patrons
4/ On the "Check out" and "Details" tabs, you should not see any
differences with these patch applied : The "Relatives' checkouts" tabs
should list all of the guarantor/guarantee/siblings checkouts
Note:
$template->param('C' => 1);
I have not found any reference of this 'C' in the template.
It seems it's an old c/p from members/memberentrygen.tt
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
Looking at the code, there is some broken with the guarantees code.
It seems that the expected behavior would be to update address, fax,
B_city, mobile, city and phone info of the guarantees when a guarantor
is modified.
But the code in C4::Members::ModMember is broken:
668 my $borrowercategory= GetBorrowercategory(
$data{'category_type'} );
669 if ( exists $borrowercategory->{'category_type'} &&
$borrowercategory->{'category_type'} eq ('A' || 'S') ) {
670 # is adult check guarantees;
671 UpdateGuarantees(%data);
672 }
First, GetBorrowerCategory expects a categorycode, not a category_type.
Then UpdateGuarantees retrieves the param like:
989 sub UpdateGuarantees {
990 my %data = shift;
Which means that %data will always be something like ( a_key => undef )
And nothing more.
The updateguarantees subroutine (It has been renamed) has been introduced by
commit 56825e415f
Date: Mon Aug 30 13:48:58 2004 +0000
modularizing (with Members.pm) members management
(beginning of...)
And the `%data = shift` already existed...
This code has never worked and could be removed.
See http://lists.koha-community.org/pipermail/koha-devel/2016-January/042241.html
Test plan:
Confirm the previous assertions.
Note that I have found this bug working on bug 15631, see patch "Bug
15631: Koha::Cities - remove getidcity and GetCities"
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
This patch will add indexes for Date/time-last-modified.
To test:
1. apply patch
2. reindex
3. search for dtlm:DATE and date-time-last-modified:DATE
4. confirm that you get results
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
I confirm Hector signing-off. A simple Zebra server restart suffice to get
working the searches on date-time-last-modified and dtlm.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>