Commit graph

52189 commits

Author SHA1 Message Date
ed70fdc2a8
Bug 34478: Manual fix - basketgroups
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:22 +01:00
fec3a9c231
Bug 34478: Manual fix - account refund - Add op param to forms
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:21 +01:00
beec6ef5df
Bug 34478: Manual fix - delete baskets - Add csrf include
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:20 +01:00
a89d4576b1
Bug 34478: Manual fix - delete baskets
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:19 +01:00
f99d7a76e3
Bug 34478: Manual fix - account line discount
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:18 +01:00
399885aaca
Bug 34478: Manual fix - account refund
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:17 +01:00
1a98ef7584
Bug 34478: Manual fix - account payout
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:16 +01:00
918fbc24f7
Bug 34478: Display programming errors in case plack.psgi caught something suspicious
It will help developpers to debug the problematic places.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:16 +01:00
1f081b86b6
Bug 34478: Manual fix - duplicate_orders (cud-select)
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:15 +01:00
576f0c29b2
Bug 34478: Manual fix - preferences
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:14 +01:00
b92e9a2115
Bug 34478: Manual fix - memberentry (modify)
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:13 +01:00
1ea77fbd19
Bug 34478: Manual fix - batchMod
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:12 +01:00
18e808240f
Bug 34478: op =~ ^cud- in pl/pm
This is the result of
  bash op_must_start_with_cud-perl.sh

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:11 +01:00
11d371a620
Bug 34478: Manual fix - additem
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:10 +01:00
93e717ac31
Bug 34478: Manual fix - opac-suggestions
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:10 +01:00
d320e6fe27
Bug 34478: Replace POST with GET when needed - add_form
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:09 +01:00
8a39b582f1
Bug 34478: Adjust selenium tests
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:08 +01:00
21f5c30920
Bug 34478: Add missing csrf-token.inc for opac
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:07 +01:00
69fd7c026d
Bug 34478: op =~ ^cud- everywhere
This is the result of
  perl op_must_start_with_cud.pl

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:06 +01:00
4e1372b77c
Bug 34478: op =~ ^cud-
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:05 +01:00
bf9830d354
Bug 34478: op-cud - Trick CGI directly
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:04 +01:00
c8384299f7
Bug 34478: op-cud - Rename op with op-cud in templates
This is the result of
  perl rename_op_with_op-cud.pl

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:03 +01:00
77e3b58eee
Bug 34478: op-cud - Adjust C4::Auth code
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:02 +01:00
348dbb1594
Bug 34478: Move C4::Auth check
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:02 +01:00
314fe71ff8
Bug 34478: Remove check_csrf from pl files
We should no longer need to check CSRF token from pl files

TODO - there is a change for some files where we returned 403

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:01 +01:00
a0dcce9ce1
Bug 34478: Check CSRF in get_template_and_user
Not sure this is the right place in get_template_and_user
Will have to test login and 2FA

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:56:00 +01:00
4ed5bf19a7
Bug 34478: Add 'op' to opac-passwd
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:59 +01:00
bb69578db0
Bug 34478: Add 'op' to opac-user.tt
Bug 34478: [TO SQUASH] Add 'op' to opac-user.tt

Bug 34478: [TO SQUASH] Add 'op' to opac-user.tt

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:58 +01:00
a3c0c92508
Bug 34478: Add missing CSRF token to POST forms
This is the result of
  % perl csrf_add_missing_csrf.pl

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:57 +01:00
7e7159bf58
Bug 34478: Remove generate_csrf from pl
We do not longer need to generate_csrf from pl files

TODO - members/boraccount.tt and sco/sco-main.tt needs to be adjusted

Bug 34478: [TO SQUASH] Remove generate_csrf from pl

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:56 +01:00
8596861127
Bug 34478: Replace csrf_token input with include file - manual
A couple of left not caught by the previous regex

Still TODO:
% git grep csrf_token **/*.inc **/*.tt
still shows example that needs to be replaced, later (because we use GET)

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:55 +01:00
4481fb3377
Bug 34478: Replace csrf_token input with include file
perl -p -i -n -e 's#<input type="hidden" name="csrf_token" value="\[% csrf_token \| html %]" />#[% INCLUDE '\''csrf-token.inc'\'' %]#g' **/*.tt **/*.inc

This should have actually been done at the same time as
  "Bug 30524: (QA follow-up) Only generate CSRF token if it will be used"

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:55 +01:00
8e3901342a
Bug 34478: Replace get with post when needed
This is what has been marked as done in "csrf_get.txt"

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:54 +01:00
0631153f06
Bug 35955: Add tests
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:53 +01:00
108c955eac
Bug 35955: Cache CSRF token in template plugin
This change uses the Koha::Cache::Memory::Lite cache to
cache the CSRF token, so that it is only generated once,
and is re-used by the Koha::Template::Plugin::Koha object
throughout the entire template processing for the HTTP request.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:52 +01:00
e2440f2c61
Bug 36098: Default to 'file' if pref does not exist
During the installer process there is a bunch of warnings
  "Use of uninitialized value $storage_method in string eq at"

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:51 +01:00
c42ede262a
Bug 36098: (follow-up) extend test to check driver
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:33 +01:00
5572567143
Bug 36098: Fix storage_method pass
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:32 +01:00
56d8ac2476
Bug 36098: Allow to pass storage_method
Will need this on follow-up bugs.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:32 +01:00
09de3f820b
Bug 36098: (QA follow-up) Add POD to Koha::Session
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:31 +01:00
0e6537d199
Bug 36098: Add Koha::Session module to ease session handling
This patch adds a Koha::Session module that makes it easier
to work with Koha sessions without needing the full C4::Auth module.

Test plan:
0. Apply the patch
1. Run the following unit tests:
prove ./t/db_dependent/Auth.t
prove ./t/db_dependent/Auth_with_cas.t
prove ./t/db_dependent/Koha/Session.t
2. Observe that they all pass

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:30 +01:00
7c54394383
Bug 35935: Ensure login branch will be used after incorrect login
If a different branch is selected after an incorrect login, the previous
branch will be used.

To recreate:
* login with foo/bar, select CPL => FAIL
* login with koha/koha, select another branch => OK but CPL is picked!

It was caused by a dup of "branch" in CGI param list (and first was
picked).

This patch patch also removes "koha_login_context" to not have it twice.
You can also open the source of the page to confirm that form#loginform
contains "branch" and "koha_login_context" in hidden inputs.

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tested in KTD. Works as advertised.
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:29 +01:00
7d95c64048
Bug 36092: Pass sessionID at the end of get_template_and_user
It seems safer to pass the logged in user and session info at the end of
the sub.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:28 +01:00
3a053ebdf9
Bug 36092: Pass the sessionID from checkauth if we hit auth
If we hit the auth page we were not passing sessionID to the template

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:27 +01:00
1bc2f8cf1b
Bug 36092: Add test
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:27 +01:00
c0d5013f2e
Bug 35918: Fix auto library connect (AutoLocation)
This code is a bit weird, its purpose it to auto select the library depending on the IP.
A problem appears if the same IP is used, then the user's choice will
might be overwritten randomly by another library.

To recreate the problem:
Turn on AutoLocation
Use koha/koha @CPL for test
And the following config:
*************************** 1. row ***************************
branchcode: CPL
branchname: Centerville
  branchip: 172.18.0.1
*************************** 2. row ***************************
branchcode: FFL
branchname: Fairfield
  branchip: 172.18.0.1
*************************** 3. row ***************************
branchcode: FPL
branchname: Fairview
  branchip: 172.18.0.4

Connect and select CPL. Randomly FFL will be picked instead.

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tested this on top of 35890 and 35904 because git bz said they were required dependencies.
Figured out the IP Koha was seeing me as coming from in /var/log/koha/kohadev/plack.log.
Added that IP to the branchip for Centerville, Fairfield and Fairview. Set AutoLocation = Yes.
After this I could recreate the problem: If i left the "Library" field in the login screen
at "My Library" I got logged into a random library selected from the three i had set
branchip for. Applying the patches fixed this, as expected.
Tests pass, with AutoLocation off.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:26 +01:00
837d04527a
Bug 35918: Add test
Signed-off-by: Magnus Enger <magnus@libriotech.no>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:25 +01:00
200799c11e
Bug 35890: Add tests for AutoLocation
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:24 +01:00
e59623bfc2
Bug 35890: Reject login if IP is not valid
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:23 +01:00
8fb9b814aa
Bug 35904: (QA follow-up): tidy up code
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2024-03-01 10:55:22 +01:00