This patch adds get_column to ensure we are returning a string value of
a field rather than accidentally triggering a relationship accessor.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
commit f6e0b04f48
Bug 23271: Replace search_limited with search_with_library_limits
We were modifying the occurrences of:
Koha::Patron::Categories->search_limited;
with:
Koha::Patron::Categories->search_with_library_limits;
But between the patch submission and the push, another occurrence has
been added by bug 23590.
Test plan:
Create a new suggestion from staff and click "select manager"
Without the patch, notice the error:
The method Koha::Patron::Categories->search_limited is not covered by tests!
With the patch applied everything is working correctly
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Koha::ApiKeys is no longer the simple object we need to test
Koha::Object->store, let use Koha::Library::Groups
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch makes the Koha::OAuth library use the new validation method
To test:
1. In master, enable RESTOAuth2ClientCredentials and have your
superlibrarian patron a client_id/secret pair generated
2. Use Postman to gain an access token with the client_id/secret pair
=> SUCCESS: This works in Koha
3. Use the access token to GET /api/v1/patrons
=> SUCCESS: It works
4. Apply this patchset up to the regression tests
5. Run:
$ updatedatabase
$ koha-plack --restart kohadev
=> SUCCESS: All good
6. Repeat 2
=> FAIL: You get an error trying to acquire an access token. Boo
7. Run:
$ kshell
k$ prove t/db_dependent/api/v1/oauth.t
=> FAIL: Tests fail!
8. Apply this patch
9. Run:
$ koha-plack --restart kohadev
$ kshell
k$ prove t/db_dependent/api/v1/oauth.t
=> SUCCESS: Tests pass!
10. Repeat 2
=> SUCCESS: Your original client_id/secret pair works!
11. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
To test:
1. Apply this patch
2. Run:
$ kshell
k$ prove tt/db_dependent/api/v1/oauth.t
=> FAIL: Tests fail!
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
https://bugs.koha-community.org/show_bug.cgi?id=28772
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch makes the apikeys.pl display the generated API secret once,
when generated. After that, it won't be displayed by the UI.
To test:
1. Generate a new API key
=> FAIL: The secret is displayed in the API keys table
2. Visit some other page, and go back to the API keys page
=> FAIL: The API key secret is there
3. Apply this patch
4. Go to More > Manage API keys
=> SUCCESS: It no longer displays the secret
5. Generate a new API key
=> SUCCESS: The API key details (including the secret) are displayed.
=> SUCCESS: A message telling to copy the secret because it won't be
displayed again is shown.
6. Repeat 4
=> SUCCESS: The secret is no longer displayed
7. Sign off :-D
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch refactors the Koha::ApiKey class so:
- It encrypts the generated secret
- Allows accessing the plain text secret only immediately after the key
creation (this implies that it won't be accessible if the key is
fetched from the DB).
- It implements an allow list for attributes, that are not read only.
Changing any other of them will make ->store throw an exception.
- A method for validating plain text secrets against the encrypted one
is added.
- A method for accessing the plain text secret is added. Returns undef
if the object is not 'fresh'.
To test:
1. Apply this patch
2. Run:
$ kshell
k$ prove t/db_dependent/Koha/ApiKey.t
=> SUCCESS: Tests pass! Expected behavior is confirmed
3. Sign off :-D
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch limits the accessibility for "Manage API keys" section only
to superlibrarians and the owner of that said API key account.
The way it does it is by checking if user is superlibrarian or if
logged-in user is the same as a patron id/borrower number is the same
as logged-in user number both in template and apikeys.pl and making sure
the link is inaccessible or redirects to the 403 page if user tries to
go there directly.
To reproduce:
1) create/pick existing patron, set Staff access, allows viewing
of catalogue in staff interface (catalogue)" and "Add, modify and
iew patron information (borrowers)" permissions on;
2) enable "RESTOAuth2ClientCredentials" in sysprefs;
3) login with that user into staff interface;
4) check any other patron, go to the "More"->"Manage API keys" and
check that you can see, add delete their API keys;
5) apply patch;
6) with that same user try to access "Manage API keys" page again.
Ensure that you can't access that page of other patrons but can
access your own page and manage your own API keys.
7) log in with superlibrarian now and ensure that you can access every
"Manage API keys" page of every patron and apply changes there.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Remove fields from OPACSuggestionUnwantedFields before creating the
suggestion
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
JD amended patch: remove useless sort
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The following sequence is bad:
46 my $suggestion = $input->Vars;
181 &NewSuggestion($suggestion);
All columns can be set when we insert the suggestion into the DB
We definitely want to avoid the following fields to be set by the final
user: acceptedby, accepteddate, STATUS, etc...
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch prevents an existing user from exploiting the patron edit form in order to
force create new patrons
To test:
Try all combinations of PatronSelfRegistration and PatronSelfRegistrationVerifyByEmail
with and without this patch.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Security patch. Follow-up for 28929.
Including correction for gonenoaddress and two others.
Includes unwanted fields too now.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Bug 28929: (follow-up) Add exec flag to tests
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
* selfreg and selfmod for OPAC
* patron's edition on staff
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Tested OPAC and staff side. Prevents mangling flags column.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch adds some logic to the background jobs template in order to
make job status and job type translatable. Output of dates has been
changed to use the KohaDates plugin, using the "with_hours" flag.
This patch also modifies the page title and breadcrumbs so that if one
is viewing the details of a background job the page title and
breadcrumbs reflect this.
I've also added inclusion of the preferences search form in the header,
the default for administration pages which don't have their own search.
To test, apply the patch and go to Administration -> Background jobs.
- If there are no background jobs listed, submit at least one batch of
bibliograhpic records and at least one batch of authorty records for
modification (Tools -> Batch record modification).
- In the table of background jobs, the status should be shown
correctly. If you see it capitalized ("Finished") you're seeing the
new string in the template which will be used for translation.
- In the "Type" column, you should see either "Batch authority record
modification" or "Batch bibliographic record modification"
- In the "Queued," "Started," and "Ended" columns the date should be
formatted according to your system's dateformat system preference,
including the time.
- View the details of a background job. The same changes to status and
type should be seen on this page, as well as the date formatting of
the date fields.
- In the breadcrumbs, confirm that it shows a link to the
background jobs page followed by "Details if job #X".
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
To test:
1. Add values to the AV ROADTYPE
2. Go to the BorrowerUnwantedField system preference and attempt to hide streettype and B_streettype.
3. It doesn't work, the fields still show.
4. Apply patch
5. Repeat step 2, it should work now.
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
If only the city and country address information was provided they ended
up being glued together like this: CityCountry. (AddressFormat=US style)
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
If the city field was not filled out on the main or alternate address,
the content of state, country and zipcode wouldn't display on the
Details tab in the patron account in staff.
To test:
- Enter main contact and alternate address without city
- Verify that the address information isn't shown on the details
tab after saving
- Apply patch
- Verify that the information is displayed now
- Toggle AddressFormat and check display is correct for all settings
- Switch back to US address format
- Try several combinations of empty fields for city, zipcode, country
and state. The punctuation and whitespace should always appear
correctly.
Examples:
- Enter just country
- Enter zipcode and country
- ...
Signed-off-by: Hayley Pelham <hayleypelham@catalyst.net.nz>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
To Test:
1. Check the BorrowerMandatoryField and BorrowerUnwantedField system preferences, sort1 and sort2 cannot be hidden or required
2. Apply patch
3. Check the BorrowerMandatoryField and BorrowerUnwantedField system preferences again, you should see sort1 and sort2
4. Since sort1 and sort2 are now added to borrowers.json we must also check the system preferences PatronQuickAddFields & PatronDuplicateMatchingAddFields
5. They should both now include sort1 and sort2, check to make sure they work with these two system preferences
6. Look at the system preferences PatronSelfRegistrationBorrowerMandatoryField, PatronSelfRegistrationBorrowerUnwantedField, and PatronSelfModificationBorrowerUnwantedField
7. sort1 and sort2 should be disabled in these OPAC system preferences
This patch does not attempt to add sort1 or sort2 to the self reg or borrower mod pages. If they should be added, which I am not sure they should, we should do so in a seperate bug
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Emmi Takkinen <emmi.takkinen@koha-suomi.fi>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
# Failed test 'use Koha::OAI::Server::Repository;'
# at t/00-load.t line 62.
# Tried to use 'Koha::OAI::Server::Repository'.
# Error: "transformMARCXML4XSLT" is not exported by the C4::XSLT module
# Can't continue after import errors at /kohadevbox/koha/Koha/OAI/Server/Repository.pm line 39.
The != '' version doesn't check for the whitespace existing and thus
might have added the punctuation without the partNumber or partName being
inserted at all.
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
At the moment the punctuation entered for $n $p and is
removed in the part template, which leads to displaying the subfields
without any punctuation and spaces in between.
To test:
- Catalog records with various combinations of 8xx series added
entry fields. Subfield a, t, n, p and v are the most important.
- Verify the display in OPAC and staff is not great.
- Apply the patch.
- Verify the display in OPAC and staff is improved.
For examples see:
https://www.loc.gov/marc/bibliographic/bd80x83x.html
Important note: At the moment 8xx series added entry fields will only display, when
there is also a 490 ind. 1 = 1 field present.
Signed-off-by: Hayley Pelham <hayleypelham@catalyst.net.nz>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Bad conflict resolution
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
If Pseudonymization is set but the bcrypt_settings config used by the
feature is not set, then there is an ugly 500 on checking out.
bad bcrypt settings at /kohadevbox/koha/Koha/PseudonymizedTransaction.pm line 116.
However it's pretty hard to handle correctly this exception (and that's
why it hasn't be done initially). However we could prevent the pref to
be turned on if the config entry is not present.
Test plan:
Remove the bcrypt_settings from the config
Try to turn the syspref on
Add the config
Try to turn the syspref on/off
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
JD amended patch: fix qa failures
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
We want to prevent non-superlibrarian users to remove superlibrarian
flag.
It's handled already in the controller, but needs to be done
client-side.
Here we are disabling the select/hide all links to remove the remaining
possibility to remove the superlibrarian flag from non-superlibrarian
users.
Signed-off-by: Hayley Pelham <hayleypelham@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
With bug 20100 and 22150 we allow to select all the permissions but the
superlibrarian permission, to ease the selection. And we also forbid a
non-superlibrarian user to add superlibrarian permission.
However there is something wrong in the JS code and it's possible to add
the superlibrarian permission. The user is getting an ugly 500 and so
the permission change is not done, but the UI checks must be fixed.
To recreate:
Login with a non-superlibrarian user
Edit permission
Clear all
=> You can select the "superlibrarian" permission
Test plan:
Login with a non-superlibrarian user
Try to set the superlibrarian permissions to a user
=> not possible
Try the select all/clear all
=> still cannot set the superlibrarian permission
Work to be done:
Login with a non-superlibrarian user
Edit permissions for a superlibrarian user
=> You can remove it, then cannot add it back
Should we allow removal of superlibrarian permission by
non-superlibrarian user?
Signed-off-by: Hayley Pelham <hayleypelham@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Default stylesheets do not reference item fields for XSLT display, however, we
spend time translating the values in the item fields.
This patch adds a system preference, PassItemMarcToXSLT. and unless enabled we remove
item fields before processing
To test:
1 - Perform some search on the staff client and opac
2 - Use the console (F12) to view the time spent on the network tab
3 - Note performance
4 - Apply patch, updatedatabase, restart_all
5 - Repeat searches
6 - Note that display has not changed
7 - Note performance, results should display slightly faster
Signed-off-by: Emmi Takkinen <emmi.takkinen@koha-suomi.fi>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Bug 28373: Unit test
Signed-off-by: Emmi Takkinen <emmi.takkinen@koha-suomi.fi>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Bug 28373: (QA follow-up) Fix typo in system preference description
Signed-off-by: Emmi Takkinen <emmi.takkinen@koha-suomi.fi>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Bug 28373: (follow-up) QA fixes
Use fully qualified subroutine name
Don't return explicit undef
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Bug 28373: (QA follow-up) Add . to end of system preference description
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Bug 28373: Add note to XSLT prefs about the new pref
Bug 28373: Add warning if custom stylesheets are defined
This patch adds a check of the current XSLT prefs and warns to check the new pref
if any are not set to default
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(in the search query)
cause: decodeURIComponent used when URI encoding was necessary. (At
least in main usecase of this feature)
It could have been a copy and paste error. From the above
browseRecords() function.
== Test plan ==
1. Search in the staff catalogue «a "alice"»
Replace a and alice with whatever than will return a result for you
2. Click on the first result
3. Check the "Return to results" link
It should be like
staff_url://cgi-bin/koha/catalogue/search.pl?idx=kw&q=a
This is the bug. Because when clicking the link, your search will be
'kw,wrdl: a'
instead of
'kw,wrdl: a "alice"'
4. Apply this patch.
5. Search in the staff catalogue «a "alice"»
Replace a and alice with whatever than will return a result for you
6. Click on the first result
7. Check the "Return to results" link
The link should preserve the full query
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch adds 'can_be_blank => 0' for the rentaldiscount rule to prevent
storing blank values in the database
Additionally, if there is no charge we do not need to check for a discount
and can simply return
To test:
1 - Set rental discount to "" to a rule in circulation rules
2 - Checkout an item that will follow this rule
3 - Check the intranet log:
[WARN] Argument "" isn't numeric in subtraction (-) at /kohadevbox/koha/C4/Circulation.pm line 3385.
4 - Apply patch and restart all
5 - Update database
6 - Set the rule to "" again
7 - Check the DB, no rule is stored
SELECT * FROM circulation_rules WHERE rule_name = 'rentaldiscount';
8 - Checkout the item again
9 - No warns in log
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
