Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nicolas Hunstein <nicolas.hunstein@bsz-bw.de>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Test plan
1. Go to the staff client
2. Go to administration
3. Search systempreferences for 'StaffInterfaceLanguages'
4. Ensure there is a systempreference variable matching 'StaffInterfaceLanguages'
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nicolas Hunstein <nicolas.hunstein@bsz-bw.de>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
To test:
1. In K-T-D git grep for “OpacItemLocation”
1. Notice that related XSLT / XSL scripts are not coming up. Only .pm, .pl and .sql scripts.
2. Git grep for “OPACItemLocation”. Note that XSLT/XSL files show up but not the .pm, .pl and .sql scripts.
3. Apply the patch. Updatedatabase. Restart_all
4. Git grep for “OPACItemLocation”
1. Notice that both the XSLT/XSL files in addition to the .sql, .pm and .pl scripts are now showing up.
5. Sign off and have a spectacular day :D
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
To test:
1. Apply patch and restart_all
2. Do a catalog search that returns results.
3. Using the browser's dev tools, inspect the page and look for the 'available_items_loop_items' class in the 'Location' column.
4. Each child <li> element should have a class that is the branchcode.
5. Make sure that branchcode is correct.
6. Change the StaffSearchResultsDisplayBranch system preference. Make sure that each branchcode is still correct.
7. Change the system preference 'noItemTypeImages' to 'Dont show'.
8. Make sure the branchcode is still correct.
9. Checkout an item that would show up in these search results.
10. Do steps 3-8 again, except this time look for the HTML element 'onloan_items_loop_items'.
11. Put some items in transfer that would show up in these search results.
12. Do steps 3-8 again, except this time look for the HTML element 'other_items_loop_items'.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
If the database version and the code version are the same, we should
short circuit and exit immediately.
This patch adds the Koha::Installer module which can very quickly
check if a db or atomic update is needed.
It also moves the logic for C4::Installer::TransformToNum to
Koha::Installer::TransformToNum for performance reasons.
It also moves the logic for C4::Installer::get_atomic_updates to
Koha::Installer::get_atomic_updates for performance reasons.
Test plan:
1. Apply patch
2. Run `time koha-upgrade-schema kohadev`
3. Note that it completes in less than .1 seconds
4. To test db updates, change the database Version to a number
slightly behind the code version, and run
`time koha-upgrade-schema kohadev`
5. Note that the correct version update is processed
6. To test atomic updates:
cp installer/data/mysql/atomicupdate/skeleton.pl \
installer/data/mysql/atomicupdate/bug_34088.pl
7. Run `time koha-upgrade-schema kohadev`
8. Note that it takes over 1 second to run and the atomic update
is attempted
Signed-off-by: Sam Lau <samalau@gmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch caches the authority types when fetched during linking to avoid grabbing the same type more than once.
Additionally it removes a second call to fetch the same type in some scenarios
To test:
1 - Apply patch
2 - Enable linking during cataloging/updating records
3 - Edit a record and confirm it is linked correctly
4 - Run the authority linking cron and confirm it works as expected
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch removes the 'StaffDetailItemSelection' along with any usages of it. Now, the checkboxes on an item details page are always there.
To test:
1) Apply patch, restart_all, updatedatabase
2) In sys prefs, search for 'StaffDetailItemSelection', nothing should show up.
3) Visit an item's details page, make sure there are checkboxes next to each item that allow you to perform modification/deletion.
Signed-off-by: Eric Garcia <cubingguy714@gmail.com>
Signed-off-by: Heather Hernandez <heather_hernandez@nps.gov>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
These routines ultimately need to be moved to the Koha namespace, for now though,
we can reduce look ups during import and batch modification by caching the values
here for each request
To test:
1 - prove -v t/db_dependent/ClassSources.t
2 - Import some records with items, confirm cn_sort values correctly built
3 - Edit some items, confirm cn_sort correctly built
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Test plan, k-t-d:
Preparation: Create additional fields for table 'subscription', visit:
/cgi-bin/koha/admin/additional-fields.pl?tablename=subscription
2 text fields, one repeatable, one not-repeatable
2 AV fields, one repeatable, one not-repeatable
2 MARC fields, one 'get' and one 'set', both non-repeatable, MARC field
942$c
Attempt to create a repeatable MARC field (get or set). Notice you're
unable to.
1) Add a new serial subscription, visit:
/cgi-bin/koha/serials/subscription-add.pl
2) Set the mandatory "Record" input (e.g. '112'). Click the 'Next' and
press 'Ok' on the alert box.
3) Fill in all required fields and press "Test prediction pattern"
4) At the bottom, fill in all additional fields, click the '+New' and
'Clear' links, hit 'Save'
5) Notice the fields are shown, repeated fields are comma separated
6) Click Edit -> Edit Subscription, repeat steps 4 and 5
7) Go back to subscription additional fields, set all fields as
searchable
8) Visit serials-home: /cgi-bin/koha/serials/serials-home.pl
9) Click 'Search'
10) Notice the searchable fields now show in their columns, repeated
fields separated by comma
11) Perform a search using a repeatable field, verify it all works as
expected.
-- Subscription Claims --
Preparation:
1) Define a new claim notice, visit:
/cgi-bin/koha/tools/letter.pl?op=add_form&module=claimissues
2) Input code, name, click "Email" set a "Message subject" and put
something in the message body. Hit 'Save'.
3) Set a serial as late, visit our original subscription:
/cgi-bin/koha/serials/serials-collection.pl?subscriptionid=1
4) Click "Edit serials" and status -> "Late". Hit "Save".
5) Link the original subscription to the existing vendor, visit:
/cgi-bin/koha/serials/subscription-add.pl?op=modify&subscriptionid=1
6) Click "Search for a vendor". Hit "Ok". Hit "Choose". Save the
subscription.
Claims:
7) Visit claims:
/cgi-bin/koha/serials/claims.pl
8) Click "Ok"
9) Verify that searchable additional fields all have their respective
column. Repeated fields are shown comma separated.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This change adds the ability to enable and configure TCP keepalive
support for the SIP server using SIPconfig.xml.
For the sake of backwards compatibility, it defaults to disabled
and the additional parameters default to match typical kernel defaults.
Technical detail can be found in the perldoc for C4/SIP/SIPserver.pm
Test plan:
0. Apply the patch
1. koha-sip --restart kohadev
2. apt-get update && apt-get install tcpdump
3. In one window, run "tcpdump -A -n -v -i any 'port 6001'"
4. In another window, run the following:
echo -e "9300CNterm1|COterm1|CPCPL|\r" | nc 127.0.0.1 6001 -v
5. Note in tcpdump output that after the initial flood of packets,
nothing more is received
6. vi /etc/koha/sites/kohadev/SIPconfig.xml
7. In the "server-params" element, add attributes like the following:
custom_tcp_keepalive='1'
custom_tcp_keepalive_time='10'
custom_tcp_keepalive_intvl='5'
8. koha-sip --restart kohadev
9. In one window, run "tcpdump -A -n -v -i any 'port 6001'"
10. In another window, run the following:
echo -e "9300CNterm1|COterm1|CPCPL|\r" | nc 127.0.0.1 6001 -v
11. Note in tcpdump output that after the initial flood of packets,
ACK packets are sent out every 10+ seconds for the idle connection
Signed-off-by: Tadeusz „tadzik” Sośnierz <tadeusz@sosnierz.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
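As an added illustration (not the SIPServer code from the patch), this applies the custom_tcp_keepalive* attributes named in the test plan to an accepted connection and reads the effective values back. It assumes Linux, where Socket exports TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT; the loopback listener is constructed so it runs without the SIP server.

```perl
#!/usr/bin/perl
# Added example, not the SIPServer code: apply the custom_tcp_keepalive*
# attributes from SIPconfig.xml to an accepted connection, and read them back.
# Assumes Linux: TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT are exported by Socket there.
use strict;
use warnings;
use IO::Socket::INET;
use Socket qw(SOL_SOCKET SO_KEEPALIVE IPPROTO_TCP TCP_KEEPIDLE TCP_KEEPINTVL TCP_KEEPCNT);

# The attributes as they appear on the server-params element in the test plan.
my %server_params = (
    custom_tcp_keepalive       => 1,
    custom_tcp_keepalive_time  => 10,
    custom_tcp_keepalive_intvl => 5,
);

# Enable keepalive on $sock according to the config; it stays off unless asked
# for, which is the backwards-compatible default the commit describes.
sub apply_keepalive {
    my ( $sock, $params ) = @_;
    return 0 unless $params->{custom_tcp_keepalive};
    $sock->setsockopt( SOL_SOCKET, SO_KEEPALIVE, 1 ) or die "SO_KEEPALIVE: $!";
    $sock->setsockopt( IPPROTO_TCP, TCP_KEEPIDLE, $params->{custom_tcp_keepalive_time} )
        or die "TCP_KEEPIDLE: $!";
    $sock->setsockopt( IPPROTO_TCP, TCP_KEEPINTVL, $params->{custom_tcp_keepalive_intvl} )
        or die "TCP_KEEPINTVL: $!";
    return 1;
}

# Read the effective values back; IO::Socket::getsockopt already unpacks
# integer-sized results. These are what the probe timing seen in tcpdump reflects.
sub keepalive_settings {
    my ($sock) = @_;
    return {
        enabled => $sock->getsockopt( SOL_SOCKET,  SO_KEEPALIVE ),
        time    => $sock->getsockopt( IPPROTO_TCP, TCP_KEEPIDLE ),
        intvl   => $sock->getsockopt( IPPROTO_TCP, TCP_KEEPINTVL ),
        cnt     => $sock->getsockopt( IPPROTO_TCP, TCP_KEEPCNT ),
    };
}

unless (caller) {
    # Loopback listener on an ephemeral port so the example runs stand-alone.
    my $listener = IO::Socket::INET->new(
        Listen => 1, LocalAddr => '127.0.0.1', LocalPort => 0, Proto => 'tcp'
    ) or die "listen: $!";
    my $client = IO::Socket::INET->new(
        PeerAddr => '127.0.0.1', PeerPort => $listener->sockport, Proto => 'tcp'
    ) or die "connect: $!";
    my $conn = $listener->accept or die "accept: $!";
    apply_keepalive( $conn, \%server_params );
    my $s = keepalive_settings($conn);
    printf "keepalive=%d idle=%ds interval=%ds probes=%d\n", @$s{qw(enabled time intvl cnt)};
}
```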
Add shebang to Guided.t too.
Test plan:
See also previous commits.
Try sql like:
select access_token from oauth_access_tokens
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch replaces these variables with a non-translatable message.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirm tests pass t/db_dependent/Reports/Guided.t
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This enhancement prevents SQL queries from being run if they would return a password field from the database table.
To test:
1. Run tests and notice they fail t/db_dependent/Reports/Guided.t
2. Apply patch and restart services
3. Create a public report with an SQL report which would access a password column in a database table
4. Try to run the report. Notice you are met with an error and the results are not shown.
5. Access the JSON URL, you should not get the results and should be shown an error
6. Confirm tests pass t/db_dependent/Reports/Guided.t
Sponsored-by: Reserve Bank of New Zealand
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
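An added example of the kind of guard this enhancement describes; it is not Koha's own implementation from Guided.pm. The table list and the refusal rules (any identifier named password, or SELECT * against a table that has one) are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not Koha's own implementation: refuse to run a report SQL
# query if it could return a password column.
use strict;
use warnings;

# Tables assumed here to carry a "password" column (borrowers does in Koha;
# the rest of this list is illustrative).
my %HAS_PASSWORD = map { $_ => 1 } qw(borrowers deletedborrowers borrower_modifications);

# Returns a reason string when the query must be refused, undef when it is fine.
sub password_exposure {
    my ($sql) = @_;
    my $s = $sql;
    $s =~ s/--[^\n]*//g;                  # strip -- comments
    $s =~ s{/\*.*?\*/}{}gs;               # strip /* */ comments
    $s =~ s/'(?:[^'\\]|\\.)*'//g;         # drop string literals ('password' as text is harmless)

    # 1. An identifier named password: bare, `backticked`, or table-qualified.
    # The lookahead excludes password_expiration_date and similar longer names.
    return 'query references a password column'
        if $s =~ /(?:^|[^\w`])`?password`?(?![\w`])/i;

    # 2. SELECT * (or alias.*) pulls every column, so refuse it for tables
    # that have a password column.
    if ( $s =~ /\bselect\s+(?:\w+\.)?\*/i || $s =~ /,\s*(?:\w+\.)?\*/ ) {
        for my $table ( $s =~ /\b(?:from|join)\s+`?(\w+)`?/gi ) {
            return "SELECT * from $table would include its password column"
                if $HAS_PASSWORD{ lc $table };
        }
    }
    return undef;
}

# The guard sits in front of execution, so both the HTML and the JSON paths
# of a report get the error instead of the rows.
sub run_report {
    my ( $dbh, $sql ) = @_;
    my $why = password_exposure($sql);
    die "Report refused: $why\n" if $why;
    return $dbh->selectall_arrayref( $sql, { Slice => {} } );
}

unless (caller) {
    # Constructed report queries: two acceptable, two refused, two near misses.
    my @cases = (
        'SELECT borrowernumber, surname FROM borrowers',
        'SELECT b.surname, b.password_expiration_date FROM borrowers b',
        'SELECT surname, `password` FROM borrowers',
        'SELECT b.* FROM borrowers b JOIN issues i USING (borrowernumber)',
        "SELECT surname FROM borrowers WHERE surname = 'password'",
        'SELECT surname /* password */ FROM borrowers',
    );
    for my $sql (@cases) {
        printf "%-68s -> %s\n", $sql, password_exposure($sql) // 'ok';
    }
}
```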
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
JD Amended patch: replace '==' with 'eq' for consistency with other
occurrences.
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
We do two things here:
* We're making the improvement to C4::Letters that sets librarian to a
patron object more resilient by testing for the userenv first.
* We correct the logic in Koha::Ticket such that we always store changes
when there's a ticket update
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch adds a 'librarian' object fetch to
C4::Letters::GetPreparedLetter when a caller passes the 'want_librarian'
flag.
This allows for the notice to take full advantage of the patron object
for that librarian rather than requiring old non-TT syntax for this
feature.
Test plan
1) We use the 'librarian' object in the new TICKET_ASSIGNED default
notice, use the next patch to test that the librarian title is
correctly substituted into the notice.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch fixes the fact that `RANK` became a reserved word in MySQL 8.0.2
[1]
To test:
1. Launch KTD with MySQL 8:
$ ktd down
$ DB_IMAGE=mysql:8 ktd up -d
2. Open the logs
$ ktd --shell
k$ tail -f /var/log/koha/kohadev/*.log
3. Create a serial, receive an issue and try to create a routing list
4. Click on `+ Add recipients` and look for Henry
5. Click `Add` and then `Close`
=> FAIL: Henry not added
=> FAIL: The logs show an error about wrong SQL syntax
6. Run:
k$ prove t/db_dependent/Serials.t
=> FAIL: Tests explode with the same kind of error!
6. Apply this patch
7. Restart plack
8. Repeat 3 through 6
=> SUCCESS: Henry added!
=> SUCCESS: No explosion about the SQL syntax in the logs
=> SUCCESS: Tests pass!
9. Sign off :-D
[1] https://dev.mysql.com/doc/refman/8.0/en/keywords.html
Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch replaces the use of is_notforloan with not_for_loan and
removes the older is_notforloan method and tests
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Sponsored-by: Cuyahoga County Public Library <https://cuyahogalibrary.org/>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Sponsored-by: Cuyahoga County Public Library <https://cuyahogalibrary.org/>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch updates all instances where the current noissuescharge sysprefs are used. They will now use the is_patron_inside_charge_limits method to handle the patron category level limits
Sponsored-by: Cuyahoga County Public Library <https://cuyahogalibrary.org/>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch allows checkouts to be processed via SIP even when
the item is already checked out to a user.
Test plan:
0) Apply the patch
1) koha-sip --stop kohadev
2) koha-sip --start kohadev
3) misc/sip_cli_emulator.pl -a localhost -p 6001 -l CPL -su term1 -sp term1 -m checkout --patron koha --item 39999000001310
4) misc/sip_cli_emulator.pl -a localhost -p 6001 -l CPL -su term1 -sp term1 -m checkout --patron 23529000035676 --item 39999000001310
5) Note the output includes "AFItem checked out to another patron"
6) Enable system preference "AllowItemsOnLoanCheckoutSIP"
7) misc/sip_cli_emulator.pl -a localhost -p 6001 -l CPL -su term1 -sp term1 -m checkout --patron 23529000035676 --item 39999000001310
8) Note the output no longer includes "AFItem checked out to another patron" and the item has been checked out to patron 23529000035676
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
When parsing the branch limits the regular expression matches
parameters that contain the substring "branch:" rather than the prefix
"^branch:". Consequently, both prefixes homebranch: and holdingbranch:
trigger the branch limit.
Test plan:
- Activate the system preference IntranetAddMastheadLibraryPulldown.
- In staff interface:
- Perform a catalogue search (e.g. "book").
- Click on a facet for holding library or home library
(e.g. "Fairview").
- Click on the "more options" icon in the search box and make sure
that "All libraries" is selected.
- Activate the system preference OpacAddMastheadLibraryPulldown
- In opac:
- Perform a catalogue search (e.g. "book").
- Click on a facet for holding library or home library
(e.g. "Fairview").
- Make sure "All libraries" is still selected in the dropdown next
to the search input.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
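The unanchored and the anchored match side by side, as an added example rather than the patch's code, run over constructed limit strings of the kinds the test plan produces (the pulldown limit and the two facet limits):

```perl
#!/usr/bin/perl
# Added example, not Koha code: the unanchored and the anchored "branch:" match
# side by side, run over the kinds of limit strings the test plan produces.
use strict;
use warnings;

# Before the fix: "branch:" is found anywhere in the limit, so the facet limits
# homebranch:... and holdingbranch:... are mistaken for the pulldown limit.
sub branch_limit_unanchored {
    my ($limit) = @_;
    return $limit =~ /branch:(\w+)/ ? $1 : undef;
}

# After the fix: only a limit that begins with "branch:" selects a library.
sub branch_limit_anchored {
    my ($limit) = @_;
    return $limit =~ /^branch:(\w+)/ ? $1 : undef;
}

# The library to preselect in the masthead pulldown for a set of search limits.
sub selected_library {
    my ( $limits, $matcher ) = @_;
    for my $limit (@$limits) {
        my $branch = $matcher->($limit);
        return $branch if defined $branch;
    }
    return 'All libraries';
}

unless (caller) {
    # Constructed limits: a library pulldown limit, then the two facet limits.
    for my $limits ( ['branch:CPL'], ['homebranch:FPL'], ['holdingbranch:FPL'] ) {
        printf "%-20s unanchored: %-14s anchored: %s\n", $limits->[0],
            selected_library( $limits, \&branch_limit_unanchored ),
            selected_library( $limits, \&branch_limit_anchored );
    }
}
```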
1. Do an item search that returns results
2. Use the column filtering available at the top of the table for each column
3. Try itemnumber, get a 500 error each time
4. As long as there is data in the itemnumber column and you attempt to use another column you'll see a 500 error.
5. APPLY PATCH, restart_all
6. The itemnumber column filtering should now work as expected
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org>
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Test plan:
Run `perl -c Koha/Old/Hold.pm`
It should print 'syntax OK'
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch blocks the patron set as the anonymous patron from logging into the staff interface and OPAC.
To test:
1) In Administration->sys. pref, make sure AnonymousPatron is pointed to an account.
2) Visit that patron's page and set their permissions to superlibrarian ("Access to all librarian functions")
3) Ensure that you know the username and password for this patron and can log in.
4) Visit the OPAC, attempt to log-in with your anon patron.
5) Note that you can log in and nothing happens.
6) Visit the staff interface, attempt to log-in with anon patron.
7) Once again, note that you are able to log-in with no issue.
8) Apply patch and restart_all
9) Attempt to log into the OPAC and staff interface with the patron again.
10) This time, you should get an error message on both pages saying, "Error: You can't log in as the anonymous patron!"
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This removes the unblessing of the patron object and uses fields from the patron
To test:
Confirm tests still pass:
prove -v t/db_dependent/Holds.t t/db_dependent/Circulation.t t/db_dependent/Holds/DisallowHoldIfItemsAvailable.t t/db_dependent/Reserves.t t/db_dependent/api/v1/holds.t
Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This routine currently takes the agerestriction value from biblioitems and an unblessed borrower object
and uses the date of birth to calculate whether the patron's DOB is before or after the minimum value required
against the age restriction
We have a routine in the patron object to get the patron's age - we can use this against the parsed agerestriction
value in a simple comparison and remove the need to unbless and pass the patron.
FIXME: We should move this to a biblioitems or biblio object method
To test:
0 - In Admin -> Koha to MARC mapping, set biblioitems.agerestriction to 521,a
1 - Set syspref AgeRestrictionMarker to 'Age'
2 - Edit a record and set 521$a to 'Age 14'
3 - Add an item or copy the barcode of the item on that record
4 - Attempt to checkout item to Lisa Charles in sample data, or a 15 year old patron
5 - It should checkout fine
6 - Check in item
7 - Edit patron Joyce Gaines to set age to 13 DOB:06/20/2011, or create a 13 year old patron
8 - Attempt to checkout item
9 - Item is blocked
10 - Apply patch
11 - Repeat tests, confirm no change
Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch adds a new key 'notconsidered' to the authority cache when
linking to avoid doubling when creating new authorities and wishing
to ignore thesaurus
To test:
0 - Set LinkerConsiderThesaurus to "don't"
1 - Set AutCreateAuthorities to generate
2 - Set AutLinkBiblios to Do
3 - Set CataloguingModuleRelink to Do
4 - Save a new record in Koha with the same randomized heading repeated
but from 3 different authority sources
ensure source is defined by indicators only and by field $2 once
ensure the heading is random so that no matches will be found
5 - Confirm each authority is linked to a new unique authority
6 - Apply patch, restart all
7 - Repeat 4 with a new subject heading
8 - Confirm all headings are linked to the same authority
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Fixes the following error message when running the overdues check cronjob on a
Koha system without defined overdue rules:
/etc/cron.daily/koha-common:
Use of uninitialized value in string eq at /usr/share/koha/lib/C4/Overdues.pm
line 686.
by checking if the variable is defined before comparing it.
Test plan:
1. Go to Tools - Overdue notice/status triggers and verify that for every single
patron type for both Default and every individual library, you have no value
set for Delay, so that you will never send anyone an overdue notice
2. Run the cron job which creates and sends overdue notices
3. Confirm the above mentioned error no longer appears
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Test plan using koha-testing-docker:
1) Make sure SIP is running. You may need to edit
/etc/koha/sites/SIPconfig.xml and remove the 8023 connector and
restart the SIP-server (koha-sip --restart kohadev)
2) Find a patron, say 23529000197047
3) Set a password by selecting "change password", set it to
"Password1234"
4) Find a book, say 39999000000856
5) Issue book to patron with sip-client:
sudo koha-shell -c "/usr/share/koha/bin/sip_cli_emulator.pl \
--address localhost --port 6001 -t cr \
--su term1 --sp term1 --message checkout \
--location CPL --item 39999000000856 \
--patron 23529000197047 --password Password1234"\
kohadev
6) Note the AH-header in the response which for example:
'AH20240619 235900'
7) Make a renewal with:
sudo koha-shell -c "/usr/share/koha/bin/sip_cli_emulator.pl \
--address localhost --port 6001 -t cr \
--su term1 --sp term1 --message renew \
--location CPL --item 39999000000856 \
--patron 23529000197047 --password Password1234"\
kohadev
8) Make sure the AH-header in the response is different from the
response to the checkout, for example: 'AH20240624 235900'
Signed-off-by: Tadeusz „tadzik” Sośnierz <tadeusz@sosnierz.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Actually in _get_tt_params
The following query will delay the response
SELECT `me`.`biblionumber`, `me`.`frameworkcode`, `me`.`author`, `me`.`title`, `me`.`medium`, `me`.`subtitle`, `me`.`part_number`, `me`.`part_name`, `me`.`unititle`, `me`.`notes`, `me`.`serial`, `me`.`seriestitle`
, `me`.`copyrightdate`, `me`.`timestamp`, `me`.`datecreated`, `me`.`abstract`
FROM `biblio` `me`
WHERE `biblionumber` = '1) AND (SELECT 1 FROM (SELECT(SLEEP(6)))x)-- -'
ORDER BY field( biblionumber, 1 ) AND (
SELECT 1
FROM
SELECT SLEEP( 6 ) x
) -- - )
To test
1/ Add some items to your cart in the opac
2/ Choose send cart
3/ Open firefox developer tools and switch to the network tab
4/ Send cart
5/ In the network tab, find the post request and choose copy as curl
6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+- to the bib_list parameter
7/ Run the curl notice it takes a long time to respond, if you want to check run the curl without the above part added
8/ Apply the patch and restart plack
9/ Run the modified curl and notice no longer the slow down
10/ Test in browser and make sure the basket is still sent
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
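The defensive shape of the fix, as an added example and not the patch's own code: bib_list is validated as integers before any SQL exists, and the ORDER BY FIELD(...) clause is built from placeholders so values travel as bind parameters. It assumes bib_list is a "/"-separated list of biblionumbers and that a DBI handle ($dbh) is available for fetch_basket.

```perl
#!/usr/bin/perl
# Added example, not Koha code: validate bib_list before it reaches SQL and
# build ORDER BY FIELD(...) from placeholders so values never enter the query text.
use strict;
use warnings;

# bib_list is assumed to be a "/"-separated list of biblionumbers ("1/2/3").
# Returns an array ref of integers, or undef if any element is not an integer.
sub parse_bib_list {
    my ($raw) = @_;
    return [] unless defined $raw && length $raw;
    my @ids;
    for my $part ( split m{/}, $raw ) {
        return undef unless $part =~ /\A[0-9]+\z/;    # rejects ") AND (SELECT ..." etc.
        push @ids, 0 + $part;
    }
    return \@ids;
}

# Every id becomes a "?" both in the IN (...) list and in FIELD(...), so the
# caller passes the ids twice as bind values: once per placeholder group.
sub build_biblio_query {
    my ($ids) = @_;
    die "empty id list" unless @$ids;
    my $ph  = join ', ', ('?') x @$ids;
    my $sql = "SELECT biblionumber, title FROM biblio "
        . "WHERE biblionumber IN ($ph) ORDER BY FIELD(biblionumber, $ph)";
    return ( $sql, [ @$ids, @$ids ] );
}

# With DBD::mysql the bind values are sent separately from the statement text,
# which is what closes the injection shown in the query above.
sub fetch_basket {
    my ( $dbh, $raw_bib_list ) = @_;
    my $ids = parse_bib_list($raw_bib_list);
    die "bib_list must contain only integers\n" unless $ids && @$ids;
    my ( $sql, $bind ) = build_biblio_query($ids);
    return $dbh->selectall_arrayref( $sql, { Slice => {} }, @$bind );
}

unless (caller) {
    # The payload from the test plan is refused before any SQL is built.
    my $attack = '1) AND (SELECT 1 FROM (SELECT(SLEEP(6)))x)-- -';
    printf "attack string accepted? %s\n", parse_bib_list($attack) ? 'yes' : 'no';
    my ( $sql, $bind ) = build_biblio_query( parse_bib_list('3/1/2') );
    print "$sql\n", "bind: @$bind\n";
}
```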
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch refactors checkpw_internal to remove the SQL code, use patron objects, and return the
patron that correctly matches the userid/cardnumber when auth is successful
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch moves some patron fetching code in C4/Auth to use the patron returned from the validation
methods and only try to fetch the patron (to check if locked, update attempts, etc) if we didn't authenticate
To test:
1 - Set a user to have userid = BANANA password = Password1
2 - Set a user to have cardnumber = BANANA password = Password2
3 - Hit the patron authentication API:
http://localhost:8080/api/v1/auth/password/validation
with data:
{ "identifier": "BANANA", "password":"Password1" }
and:
{ "identifier": "BANANA", "password":"Password2" }
4 - Note you receive the same response for both
5 - Apply patch, restart all
6 - Repeat the API and confirm you get the correct patron for the password submitted
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
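An added example reproducing the BANANA scenario from the test plan with two constructed patrons; it is not C4::Auth itself. Salted SHA-256 stands in for Koha's bcrypt hashing only to keep the example dependency-free, and the "old" routine is an assumed sketch of the look-up-by-identifier pattern the commit replaces.

```perl
#!/usr/bin/perl
# Added example, not Koha's C4::Auth: why the patron object must come from the
# credential check itself when a userid and a cardnumber share the same value.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Salted SHA-256 stands in for the bcrypt hashing Koha uses; it keeps the
# example dependency-free and is not a recommendation for password storage.
sub hash_pw { my ( $pw, $salt ) = @_; return "$salt\$" . sha256_hex( $salt . $pw ) }

sub verify_pw {
    my ( $pw, $stored ) = @_;
    my ($salt) = split /\$/, $stored, 2;
    my $calc = hash_pw( $pw, $salt );
    return 0 if length $calc != length $stored;
    my $diff = 0;    # constant-time comparison
    $diff |= ord( substr $calc, $_, 1 ) ^ ord( substr $stored, $_, 1 ) for 0 .. length($calc) - 1;
    return $diff == 0;
}

# Constructed patrons reproducing the test plan: BANANA is patron 1's userid
# and patron 2's cardnumber, with different passwords.
my @PATRONS = (
    { borrowernumber => 1, userid => 'BANANA', cardnumber => '1001',   pw => hash_pw( 'Password1', 's1' ) },
    { borrowernumber => 2, userid => 'user2',  cardnumber => 'BANANA', pw => hash_pw( 'Password2', 's2' ) },
);

# Old pattern (assumed sketch): the password is checked against any record
# matching the identifier, then the patron is fetched by identifier again, so
# both valid logins come back as patron 1.
sub checkpw_then_fetch {
    my ( $identifier, $password ) = @_;
    my @matches = grep { $_->{userid} eq $identifier || $_->{cardnumber} eq $identifier } @PATRONS;
    return undef unless grep { verify_pw( $password, $_->{pw} ) } @matches;
    return $matches[0];
}

# New pattern: the record whose password verified is the patron returned.
sub checkpw_internal {
    my ( $identifier, $password ) = @_;
    for my $field (qw(userid cardnumber)) {
        my ($candidate) = grep { $_->{$field} eq $identifier } @PATRONS;
        next unless $candidate;
        return $candidate if verify_pw( $password, $candidate->{pw} );
    }
    return undef;
}

unless (caller) {
    for my $pw (qw(Password1 Password2 wrong)) {
        my $old = checkpw_then_fetch( 'BANANA', $pw );
        my $new = checkpw_internal( 'BANANA', $pw );
        printf "BANANA/%-9s old: patron %-5s new: patron %s\n", $pw,
            $old ? $old->{borrowernumber} : 'none', $new ? $new->{borrowernumber} : 'none';
    }
}
```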
We usually test if C4::Context->userenv, so we need to undef when
unsetting, not {} (evaluated true)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Same pattern, remove dbh stack
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>