Commit graph

39562 commits

Author SHA1 Message Date
eb7a8db2c0 Bug 20168: Compiled CSS
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-09 14:34:06 +02:00
94c6868118 Bug 20168: Remove li tags from OPACSearchForTitleIn for new installs
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-09 14:33:45 +02:00
221a40282c Bug 20168: Consider opaclayoutstylesheet empty if 'opac.css'
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-09 14:23:41 +02:00
00b1bf3c2c Bug 20168: (follow-up) Add automatic creation of RTL CSS
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-09 14:13:09 +02:00
9cb89b4639 Bug 20168: Update of the OPAC bootstrap template to bootstrap v4
This patch updates the version of Bootstrap in the OPAC from 2.3.1 to
4.5.0. The Bootstrap JavaScript files have been replaced with custom
builds of the 4.5.0 JavaScript source files. The Bootstrap CSS is now
built into the OPAC CSS by loading the required Bootstrap 4.5.0 SCSS
files in node_modules.

OPAC SCSS now starts with Bootstrap customizations:

/* Bootstrap variable customizations */
$headings-color: #727272;
...

Followed by loading the necessary Bootstrap SCSS files:

/* Bootstrap imports */
@import "../../../../../node_modules/bootstrap/scss/functions";
@import "../../../../../node_modules/bootstrap/scss/variables";
...

Followed by our CSS. The build process for generating compiled CSS now
creates a file which bundles Bootstrap CSS and ours. Removed from the
Koha source: Bootstrap CSS files, Bootstrap "glyphicons" images.

The upgrade to Bootstrap 4 involved a lot of markup changes to conform
with new Bootstrap classes, especially in classes related to the grid.
Besides duplicating the grid we used before, this upgrade adds some new
features made possible by Bootstrap 4.5's use of flexbox as a layout
tool. This includes custom ordering of columns based on class names:
https://getbootstrap.com/docs/4.5/layout/grid/#order-classes.

Other areas where the most changes have been made: Navigation menus,
breadcrumb menus, buttons, dropdowns.

Bootstrap's JavaScript file is now "bootstrap.bundle.min.js" to reflect
the fact that a required JavaScript asset is now distributed separately
in Bootstrap 4. The "bundle" version includes Popper.js.

Unrelated changes: Indentation corrections, removal of invalid
"//<![CDATA[" markers, removal of invalid script type attributes.

To test, apply the patch and run 'yarn install' to install Bootstrap as
an npm module. Run 'yarn build --view opac' to regenerate the OPAC CSS.

Test as many aspect of the OPAC as possible, viewing pages at various
browser widths to confirm that everything adjusts well. Test with
various OPAC interface system preferences enabled and disabled.

Test self checkout and self checkin.

Known issues: RTL support has not been updated.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-09 14:13:03 +02:00
83ebab049d Bug 23682: DBRev 20.06.00.035
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 15:00:48 +02:00
e8a08cdfa7 Bug 23682: Fix use Koha::Plugins::Handler statements
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 15:00:48 +02:00
85405a2143 Bug 23682: Dedup plugin calls my moving to a single call in process_invoice()
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 15:00:48 +02:00
Katrin Fischer
2804d786c4 Bug 23682: INSERT IGORE systen preference in database update
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 15:00:48 +02:00
5d05feac31 Bug 23682: (QA follow-up) Fix typo in syspref description
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 15:00:48 +02:00
d8696702ce Bug 23682: Add ability to manually import EDI invoices as an alternative to automatic importing on download
Some library would like to delay the importing of invoices until
a time of their choosing. The invoices should be imported into
the database as they do now, but the invoice processing should
be skipped. Instead, any invoice file with a status of 'new'
should have an 'Import' button to process the invoice.

Test Plan:
1) Apply this patch
2) Run updatedatabase.pl
3) Enable the new syspref EdifactInvoiceImport
4) Run the edi cronjob to import a new invoice file
5) View EDI messages table at /acqui/edifactmsgs.pl
6) Note the invoice files is not processes, and retains the status of 'new'
7) Use the 'import' button to process the invoice
8) Note the invoice is now marked 'received' and the 'import' button is gone
9) Verify the invoice was actually processes

Signed-off-by: Debi Stears <DDStears@washoecounty.us>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 15:00:48 +02:00
8cbf2841ad Bug 24197: DBRev 20.06.00.034
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 15:00:48 +02:00
72deefe8cf Bug 24197: (QA follow-up) Shorten syspref name to AddressForFailedEmailNotices
If you define the address we use it, if not we fallback,
it's not really a redirect, and that just makes the name longer.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 14:18:23 +02:00
cb272f01f4 Bug 24197: (QA follow-up) Embelished syspref description
As requested, I have embelished the syspref description to more
accurately depict the fallback sequence for email delivery.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 14:18:23 +02:00
bed91ac8f7 Bug 24197: Changed use of 'branch' terminology to 'library'
Sponsored-by: Catalyst IT
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 14:18:23 +02:00
b48cdd227f Bug 24197: Added new local use syspref which sets the email address that failed overdue notices are set to.
Test plan:
1. Set no email addresses in patron record then checkout
items to the patron making the due date in the past

2. Visit patron's home library page: Administration > Libraries
Set a branch email and in global system preferences observe there is no syspref
named RedirectAddressForFailedOverdueNotices

3. Manually run overdue_notices.pl

4. Check the message_queue database table and observe there is a
print overdue notice and a email notice with to_address of the
branch email address

5. Apply patch

6. Run database update:
cd installer/data/mysql
sudo koha-shell <instance_name>
./updatedb.pl

7. Confirm there is a new system preference named:
RedirectAddressForFailedOverdueNotices

Give it a different email address to that in the branch email.

7. Repeat steps 1,3,4 and observe that the failed overdue notices have been
sent to the email defined in RedirectAddressForFailedOverdueNotices

Sponsored-By: Catalyst IT
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 14:18:23 +02:00
029bdb1fed Bug 25541: (QA follow-up) Default to disabled + Correct message
This patch defaults the 'holds_block_checkin' configuration to disabled
(to maintain current behaviour on upgrades). It also updates a
copy/paste for siplog logging to make the message triggered by this
action unique as expected.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 14:18:23 +02:00
002ae7504a Bug 25541: (QA follow-up) Rename no_holds_checkin to holds_block_checkin
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 14:18:23 +02:00
c4f66a8514 Bug 25541: Add new param to debian sip config
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 14:18:23 +02:00
5377bfc624 Bug 25541: Add ability to prevent checkin via SIP of items with holds
Some libraries would like patrons to be unable to return items with
holds via SIP. Instead, the screen message should indicate that the
patron should return that item at the circ desk so a librarian can use
it to fill the next hold right away and place it on the hold shelf.

Test Plan:
1) Apply this patch.
2) Place a hold for an item.
3) Enable the new SIP option no_holds_checkin for a SIP account.
4) Restart the SIP server.
5) Check in the item using the SIP CLI tool using the SIP account
   for which you set the new option.
6) Note the checkin fails with a screen message indicating you should
   return the item to the circulation desk.

Signed-off-by: Peter Lau <peter.lau@yccece.edu.hk>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 14:18:23 +02:00
be92f7e79c Bug 26041: Enable keyboard navigation without 'ctrl'
This patch enables keyboard navigation using the arrow keys without the
need to hold the control key for the jQuery UI datepicker.

Test plan
1/ Navigate to an item in the opac and attempt to place a hold
2/ On the resultant screen, use keyboard navigation to trigger the 'Show
more options' dropdown.
3/ Focus on one of the date inputs using keyboard navigation.
4/ Use 'ctrl + arrow' keys to navigate the datepicker.
5/ Note that prior to the patch using 'bare' arrow keys does not trigger
anything
6/ Apply the patch and confirm that the datepicker can now be naviated
using the arrow keys without holding the ctrl key.
7/ Confirm that using the ctrl key combinations continue to work as
expected too.
8/ Signoff

Signed-off-by: Brandon J <brandon.jimenez@inLibro.com>

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 14:18:23 +02:00
89cc457ca2 Bug 17801: Use issuedate for limits in Most Circulated Items
To test:
1 - Have two checkouts in old_issues
    issue 1: timestamp 2020-08-01 00:00:00, issuedate 2019-08-01 00:00:00
    issue 2: timestamp 2020-07-01 00:00:00, issuedate 2019-07-01 00:00:00
2 - Perform a Most Circulated Items search for checkout dates 2020-06-01 to 2020-09-01. Both checkouts appear in search
3 - Repeat search with checkout dates 2019-06-01 to 2019-09-01. Neither checkout appears in search
4 - apply patch, restart all
5 - Repeat search with checkout dates 2020-06-01 to 2020-09-01. Neither checkout appears in search
6 - Repeat search with checkout dates 2019-06-01 to 2019-09-01. Both checkouts appears in search

Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 14:18:23 +02:00
1733944b34 Bug 26236: Fix translating interface from DB term to readable term
When viewing the logs we try to swith the db values like 'cron' to friendly terms like
'Cron job'

The values we use for building the selectors on the page ar eupper case, but DB values are lower case

If we simply force upper case in the comparison we can ensure we always match correctly

To test:
1 - Enable some 'Logs' setting in System preferences
2 - Perform some action in koha that will log
    Run a cronjob
    Change a syspref
    etc.
3 - Browse to Tools-> Log viewer
4 - Click 'Submit' to see all logs
5 - Note the 'Interface' column contains lower case DB values
6 - Apply patch
7 - Reload the page
8 - Values in interface are now Camel cased and more friendly

Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 14:18:23 +02:00
Joonas Kylmälä
089b857586 Bug 26271: Add null to the list of accepted account_line data types
The database schema for accountlines table allows the
manager_id/user_id column to be NULL. If request to
/api/v1/patrons/<patron_id>/account returns such an accountline where
it is NULL we get 500 error as response. Adding NULL to allowed data
types fixes this issue.

To test:
 1) Run prove t/db_dependent/api/v1/patrons_accounts.t and notice it
    doesn't fail

Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 14:18:23 +02:00
Joonas Kylmälä
898cd3b82e Bug 26271: Add failing test to reveal issue with patrons API endpoint
When manager_id is null/undef the API returns error code 500.

To test:
 1) Notice failure when running
    prove t/db_dependent/api/v1/patrons_accounts.t

Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 14:18:23 +02:00
Katrin Fischer
bb73c5343c Bug 15851: (QA follow-up) Fix booleans to uppercase to make this work for Elasticsearch and UseControlNumber
Same test plan as before, but with UseControlNumber = Use and
Elasticsearch.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 14:18:23 +02:00
8da73fe428 Bug 15851: (follow-up) Only display the analytics link when required (staff)
This patch replicates the introduced behaviour, for the admin interface.
To test, follow the test plan from the OPAC, but on the intranet.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 14:18:23 +02:00
0291c1e7e7 Bug 15851: Only display the analytics link when required
This patch makes opac-detail.pl query for analytics the same way it
would do with the generated link (i.e. based on UseControlNumber) and
passes a flag to the XSLT so it displays (or not) the 'Analytics' link.

To test:
1. Apply the first patch
2. Have a known record without analytics
3. Open the record in the OPAC
=> FAIL: It shows the 'Analytics' link
4. Have a record known to have analytics and open in OPAC, on a separate
   tab
=> SUCCESS: It shows the 'Analytics' link
5. Apply this patch and restart_all
6. Reload the tabs
=> SUCCESS: It shows the link where it has to, and hides it where it
shouldn't be displayed
7. Sign off :-D

Sponsored-by: Orex Digital

Signed-off-by: Hugo Agud <hagud@orex.es>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 14:18:23 +02:00
f70df9b194 Bug 15851: Display analytics links for more cases
The current XSLT displays the link to linked analytics only for serials.
This patch makes it show for all the relevant position 7 on the leader
values. I left out a and b as recommended by expert librarians on my
team, but I can revert that if required.

The current implementation adds a new CSS class for each case, so
libraries willing to keep the current behaviour or just have more
granular control on the cases they want the link to display, just can.

This patch makes sense with the follow-up one, which will display the
link only if there are really related records.

To test:
1. Open a non-serial record, notice there's no link to analytics
2. Apply this patch and reload
=> SUCCESS: There's an 'Analytics' link
3. Inspect the produced HTML
=> SUCCESS: A special class with analytic_* value has been added, and
thus we now can control its display through CSS
4. Sign off :-D

Sponsored-by: Orex Digital

Signed-off-by: Hugo Agud <hagud@orex.es>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 14:18:23 +02:00
Katrin Fischer
8a37842e1a Bug 26313: (follow-up) Fix OPAC and "Show volumes" links
Elasticsearch requires the booleans in search requests to
be uppercase. This fixes the "Show analytics" link in
OPAC (same as first patch for intranet) and the "Show volume"
link.

To test both patches:

Set UseControlNumber = Use

1) "Show analytics"
- Turn SearchEngine to Elasticsearch and make sure it works
- Pick any serial record in your database, make sure 001 is set
- Go to new > new child record
- Fill in 245 and save
- For both staff and OPAC:
  - Click on the "In" link, it should bring you to the parent record
  - Click on "Show analytics", it should show your analytical record
- Switch to "Zebra" - verify links still work.

2) "Show volumes"
- Turn SearchEngine to Elasticsearch again
- Pick any serial record in your database, make sure 001 is set
- Set LDR, pos. 19 = a - Set
- Note 001 value
- Find another record and edit it
- Set LDR, pos. 19 = a or b, LDR 7 not a or b (m will work)
- Set 773$ title of set record $w 001 of set record
- For both staff and OPAC:
  - Click on the "In: link, it should bring up your set record
  - Click on the "Show volumes" link, it should bring up the volume

- Switch to "Zebra" - verify all links still work.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 13:40:00 +02:00
fde7bf5495 Bug 26313: "Show analytics" link must use uppercase for booleans
In elasticsearch we only treat AND and OR as boolean operators if
they are capitalized

To test:
- Turn SearchEngine to Elasticsearch and make sure it works
- Pick any serial record in your database, make sure 001 is set
- Go to new > new child record
- Fill in 245 and save
- Click on the "In" link, it should bring you to the parent record
- Click on "Show analytics" => there will be no result
- Apply patch
- restart and reload
- Try again
- It works!
- Switch SearchEngine syspref to 'Zebra'
- Test again
- It still works!

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 13:40:00 +02:00
c53dfb5562 Bug 26331: Make svc/letters/preview executable
Without this patch, you can't preview letters when running Koha in CGI mode.

To test:
1. Run Koha as CGI (and not Plack)
2. Go to /cgi-bin/koha/tools/letter.pl?op=add_form&branchcode=&module=circulation&code=CHECKIN
3. Try to preview the notice (using a valid barcode)
4. Note in the browser console that svc/letters/preview is generating a 500 error

Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 13:40:00 +02:00
b729886216 Bug 26362: Show correct libraries in overdues report
Currently the overdues report does the following display:
Patron library = home branch
Home library = holding branch
Holding library = patron branch

This patch corrects the display of libraries in the overdues report.

To test:

0) Do not apply patch
1) Go to http://localhost:8081/cgi-bin/koha/circ/circulation.pl?borrowernumber=51
2) Go to http://localhost:8081/cgi-bin/koha/circ/set-library.pl
3) Choose "Troy"
4) http://localhost:8081/cgi-bin/koha/circ/circulation.pl?borrowernumber=51
5) Checkout "39999000004571" with due date of "09/01/2019 23:59"

Note the facts:
Patron library = Centerville
Home library = Fairview
Holding library = Troy

6) Go to http://localhost:8081/cgi-bin/koha/circ/overdue.pl
7) Change "Columns" visibility to show Holding and Home libraries
8) Note that the libraries are incorrect:

Patron library appears to be: Fairview
Home library appears to be: Troy
Holding library appears to be: Centerville

9) Apply the patch
10) koha-plack --restart kohadev
11) Go to http://localhost:8081/cgi-bin/koha/circ/overdue.pl
12) Change "Columns" visibility to show Holding and Home libraries
13) Note that the libraries are correct:

Patron library appears to be: Centerville
Home library appears to be: Fairview
Holding library appears to be: Troy

Signed-off-by: Emmi Takkinen <emmi.takkinen@outlook.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 13:40:00 +02:00
b87dc492fe Bug 26309: Make cxn_pool configurable
In get_elasticsearch_params we set the conf to static if undefined,
but we never defined it

To test:
1 - Apply unit test patch
2 - prove -v t/Koha/SearchEngine/Elasticsearch.t
3 - It fails
4 - Apply this patch
5 - It succeeds

Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 13:20:06 +02:00
2e421ed7a4 Bug 26309: Unit tests
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 13:20:06 +02:00
017e19567a Bug 24663: (follow-up) Remove authnotrequired if set to 0
2 newly added scripts

Signed-off-by: Tomás Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
5efc27ea53 Bug 24663: Handle special cases for recovery password and selfreg
The password recovery and self-registration features need to be
accessible at the OPAC even if not public.

Test plan:
Self register a new account, then ask for a new password with OpacPublic
turned off

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Tomás Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
8f40973f0f Bug 24663: Force authentication in svc/records/preview (?)
Was this wrong?

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Tomás Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
37c5a88157 Bug 24663: Force auth in adveditorshortcuts.pl
This was wrong!

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
638786e719 Bug 24663: Remove authnotrequired if set to 0
It defaults to 0 in get_template_and_user

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
4b9475346e Bug 24663: Test OpacPublic for all OPAC scripts
Prior to this patchset there were 3 different calls to
get_template_and_user (or checkauth) with the authnotrequired param:
 * authnotrequired => 0
 * authnotrequired => 1
 * authnotrequired => ( C4::Context->preference("OpacPublic") ? 1 : 0 )

The first one says that an unauthenticated user can access the page, the
second that the user has to be authenticated, and the last one that it
depends on the OpacPublic syspref.
Actually we must replace the first one with the third one, if the OPAC
is not public, the authentication must be forced.

To do so we are going to remove the "authnotrequired => 0" occurrences,
and check the OpacPublic syspref's value in C4::Auth

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
db55279886 Bug 25360: (follow-up) Remove the https FIXME in Auth.pm
The FIXME is no longer valid since we fixed the X-Forwarded headers
for Plack. And since we do not even use using_https anymore in
the templates (see bug 21094).

Test plan:
Run Auth.t
Git grep for using_https

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
b42d57984b Bug 25360: Use secure flag for CGISESSID cookie when using HTTPS
This patch adds the secure flag to the CGISESSID cookie when using HTTPS.
This prevents the cookie being used again over a normal HTTP
request.

Bug 25360: [Follow-up] Test for "on" or "ON" value for HTTPS env var

This patch tests for HTTPS "on" or "ON" before setting the secure
cookie.

Bug 25360: [Follow-up] Fix typo in C4/InstallAuth.pm

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Amended number of tests in Context.t
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
72f4765e6f Bug 23634: Make is_superlibrarian return 1 or 0
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
bc97867dfc Bug 23634: (QA follow-up) Our PUT is really a PATCH
This patch makes the controller not expect that there will always be all
the email fields. So it now checks if an email field was passed, and
changed, and renders the error if that stands.

To test:
1. Run:
   $ kshell
  k$ prove t/db_dependent/api/v1/patrons.t
=> FAIL: Tests written by Nick highlight a problem
2. Apply this patch
3. Repeat 1
=> SUCCESS: Problems solved
4. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-02 15:40:55 +02:00
1a5cf89eb5 Bug 23634: (QA follow-up) Adjust tests
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-02 15:40:55 +02:00
8366baaad5 Bug 23634: (QA follow-up) Catch all email cases in API
The API was only catching the primary email change case, but we need to
catch email, emailpro and B_email.

We were also not accounting for any of the emails (on PUT or from the
DB) being undefined.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-02 15:40:55 +02:00
9524c1d761 Bug 23634: (follow-up) Prevent updates on POST
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-02 15:40:55 +02:00
aada130fe9 Bug 23634: Secure the email on the API
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-02 15:40:55 +02:00
087af360cc Bug 23634: Prevent non-superlibrarians from editing superlibarian emails
This patchset prevents a non-superlibrarian user from editing a
superlibrarians email address via memberentry.  This is to prevent a
privilege escalation vulnerability whereby a user could update a
superlibrarians contact details to match their own and then request a
password reset via the OPAC.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-02 15:40:55 +02:00