This fixes issues with the tests caused by:
Bug 32496: Reduce unnecessary unblessings of objects in Circulation.pm
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
GetDebarments was removed and replaced by $patron->restrictions.
The tests needed some adjustments to reflect that change.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Fixes some typos in test and update message that were highlighted
by the QA tools.
Add missing bug number to the atomic update file.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Add tests, remove ODueDebarmentRemovalAllowUnrestricted syspref and instead
modify AutoRemoveOverduesRestrictions to have a third option
Signed-off-by: Michaela <michaela.sieber@kit.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
How to test:
1) Run tests in t/db_dependent/Circulation/MarkIssueReturned.t
Sponsored by: Gothenburg University Library
Signed-off-by: Michaela <michaela.sieber@kit.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Instead of the fallback to 51, we pass a borrower that has
permission for editing items.
Test plan:
Do not apply patch.
Run test without a borrower 51 in db. (FAIL)
Apply patch.
Run test again. (PASS)
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Test plan:
Run t/db_dependent/Koha/Item.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This is the case for subtest: attributes_from_api() tests.
Test plan:
export TZ='Europe/Amsterdam'
prove t/db_dependent/Koha/Object.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
See also bug 34930. Using same approach.
Test plan:
export TZ='Europe/Amsterdam'
prove t/db_dependent/Koha/Patrons.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch removes the use of event attributes (onclick, onchange) from
the OPAC lists template. These events are defined now along with the
other in-page JS.
The patch also removes a "delete list" button which was only shown
when viewing an empty list and which was redundant.
To test, apply the patch and log into the OPAC.
- Go to Lists -> New list.
- Change the category to "Private" and the "Allow changes" dropdown to
"Staff only."
- You should see a message, 'The "Staff only" permission has no actual
effect while this list is strictly private'
- Change the category to "Public." The message should disappear.
- View the contents of a list.
- Click the "Send list" button at the top of the table of titles.
- It should trigger the "Sending your list" popup window.
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch removes the use of event attributes (onclick) from the OPAC's
bibliographic detail page template. These events are defined now along
with the other in-page JS.
The patch also adjusts the global "Dopop" function so that the popup
window is a litte bigger. The comments form did not fit well.
In checking for use of the "Dopop" function I found that it was being
redefined in opac-topissues.tt for no reason so I removed it.
To test you must have the OPACComments system preference enabled.
- Log in to the OPAC, locate a bibliographic record, and view the detail
page.
- Under the "Comments" tab, click the "Post your comments on this title"
link. It should trigger a popup window.
- Submit your comment. When the detail page reloads, return to the
"Comments" tab and click the "Edit" link on your comment. The same
popup window should be triggered.
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Test plan:
1. Set system preferences:
- Disable OPACAllowUserToChooseBranch
- Set ReservesControlBranch to "item's home library"
- Enable UseBranchTransferLimits
- Set BranchTransferLimitsType to "item type"
- Enable canreservefromotherbranches
- Disable IndependantBranches
2. Create two libraries: ITEM_LIB and PATRON_LIB
3. Set circulation rules:
- Remove all circulation rules (DELETE FROM circulation_rules)
- Set a default rule that allow some holds and with "OPAC item level
holds" = "force". Allow "on shelf" holds for easier testing.
- In the rules for ITEM_LIB, under "Default checkout, hold and return
policy",
- set "Hold policy" to "From any library"
- set "Hold pickup library match" to "item's home library"
- In the rules for PATRON_LIB, under "Default checkout, hold and
return policy",
- set "Hold policy" to "From any library",
- set "Hold pickup library match" to "any library"
4. In "Library transfer limits" disable all transfers from ITEM_LIB to
PATRON_LIB for an item type (let's say "BOOK")
5. Create a biblio with an item:
- item type must be the same as in previous step ("BOOK")
- home branch and holding branch must be ITEM_LIB
6. Create a patron at PATRON_LIB, give it a password so it can log in.
7. Go to OPAC, and login with this patron
8. Try to place a hold for the new item. You should be allowed to place
a hold, but when doing it, no holds will be created.
9. Apply patch, restart Koha
10. Try to place a hold for the new item. This time the hold should be
created
Signed-off-by: Jessie Zairo <jzairo@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Merged tidy patch and switch to Koha::Policy::Holds here.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Not sure this is correct, but I think it is!
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch adds the requirements that updating a system preference
requires a CSRF token. (Also, adding and deleting local system preferences.)
0. Apply patch
1. koha-plack --reload kohadev
2. Add local system preference
3. Update local system preference
4. Delete local system preference
5. Update normal system preference
6. Note no errors
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
</script> tags are interpreted in JSON strings as HTML, which can
lead to XSS attacks.
This patch puts HTML escaped JSON in the value of a hidden HTML element.
The Javascript then takes the value as a string, parses it as JSON,
and is able to use it to save search filters without triggering a
XSS attack.
This patch also adds DataTable's built-in HTML escaping for the query
and limits on the admin UI for the search filters.
Test plan:
0. Apply patch
1. Go to
http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=SavedSearchFilters
2. Enable the system preference
3. Go to http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e
4. Click "Save search as filter"
5. Checkbox "Show in staff interface?"
6. Type "E-TEST" into box and click 'Save'
7. Go to
http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e
8. Click "E-TEST" under "Custom search filters"
9. Note that you see search results
10. Go to
http://localhost:8081/cgi-bin/koha/admin/search_filters.pl
11. Note that for "E-TEST" you see a "Query" like
{"operators":[],"operands":["e"],"indexes":[]}
12. Note that for "E-TEST" you see a "Limits" like
{"limits":[]}
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This change validates and escapes inputs for task scheduler.
Test plan:
0. Apply patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/tools/scheduler.pl
3. Input a time a minute in the future and leave the date blank
4. Choose an existing report and output format
5. Type a malicious string which is also a valid email address
into the Email field
6. Click "Save"
7. Note that the job is added but the Email is wrapped in single
quotes
8. Try using a non-malicious email address with a single quote.
9. Note that the single quote is escaped, so that it will still
be used by runreport.pl
JD amended patch: tidy
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Removed pars for $email =~ regex, removed old commented lines.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch sets the $auth_state to failed when changing auth sessions,
so that the new login attempt gets processed correctly (instead
of skipping the authorization step).
Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Go to
http://localhost:8081/cgi-bin/koha/admin/preferences.pl?tab=&op=search&searchfield=baseurl
3. Log in as an OPAC user with 0 permissions
4. Note the auth screen "Error: You do not have permission to access this page"
5. Click "Log in"
6. Note that you're still shown a login screen (and that you've been logged out of
your previous authenticated session)
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
I think the correct behavior for this script should be that koha-foreach
will return 0 (success) if all the commands it tried to run succeeded, but
1 (failure) if any of the commands failed.
To test:
1. $ koha-create --create-db test
2. $ vi test.sh
if [ $USER = 'kohadev-koha' ]; then
echo "FAILED";
exit 1;
else
echo "SUCCESS";
exit 0;
fi
3. $ debian/scripts/koha-foreach sh test.sh
FAILED
kohadev: 1 status returned by "sh test.sh"
SUCCESS
4. $ echo $?
5. Note that the exit status is 0 (success)
6. Apply patch
7. $ debian/scripts/koha-foreach sh test.sh
FAILED
kohadev: 1 status returned by "sh test.sh"
SUCCESS
8. $ echo $?
9. Note that the exit status is 1 (failure)
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This change adds a unit test to test Koha::Auth::TwoFactorAuth::verify
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This change adds a mfa_range configuration option for TOTP
to koha-conf.xml, and overrides the "verify" method from
Auth::GoogleAuth in order to provide a new default for "range"
Test plan:
0. Apply the patch
1. koha-plack --restart kohadev
2. Go to
http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=TwoFactorAuthentication
3. Change the syspref to "Enable"
4. Go to
http://localhost:8081/cgi-bin/koha/members/moremember.pl?borrowernumber=51
5. Click "More" and "Manage two-factor authentication"
6. Register using an app
7. In an Incognito window, go to
http://localhost:8081/cgi-bin/koha/mainpage.pl
8. Sign in with the "koha" user
9. Note down a code from your Authenticator app
10. Wait until after 60 seconds and try it
11. Note it says "Invalid two-factor code"
12. Try a new code from the app
13. Note that it works
14. Add <mfa_range>10</mfa_range> to /etc/koha/sites/kohadev/koha-conf.xml
15. Clear memcached and koha-plack --restart kohadev
16. Sign in with the "koha" user
17. Note down a code from your Authenticator app
18. Wait 4 minutes and then try it
19. Note that it works
20. Disable your two-factor authentication and click to re-enable it
21. Use a code older than 60 seconds when registering for the two
factor authentication
22. Note that the code works
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
At this time, we can specify fields to hide in SIP response at the login level. From a security perspective, it would be useful to also be able to specify which fields are allowed in a response.
Test Plan:
1) Apply this patch
2) prove t/db_dependent/SIP/Message.t
Signed-off-by: Sam Lau <samalau@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
At the moment it's quite a lot of clicks to get from the basket
summary to the invoice something was received in. This adds a nice
shortcut by creating a new column for the invoicenumber in the basket
summary table.
To test:
* Make sure you have a basket with some received and unreceived
order lines
* Verify that the (received) shows for your received lines
* Verify no invoice number or link to it in sight
* Apply patch
* Verify that there is now a column for the Invoice containing
the invoice number as a link to the invoice
* Test with a staff patron, that doesn't have edit_invoices permission
* Verify that now instead of a link you see the invoice number as text
Be happy, sign off ;)
Note: this doesn't change the CSV export. The way the CSV is built is
quite different to the summary table, so it would be better handled
in a separate bug/patch. The columns are already quite different!
Sponsored-by: The Research University in the Helmholtz Association (KIT)
Signed-off-by: Laura Escamilla <laura.escamilla@bywatersolutions.com>
Signed-off-by: Michaela Sieber <michaela.sieber@kit.edu>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Émily-Rose Francoeur <emily-rose.francoeur@inLibro.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch adds the option to display sort1 and sort2 columns in the
view of the contents of a basket in acquisitions. The columns are
labeled "Statistic 1" and "Statistic 2" to match the labels in the
order creation/edit form.
The fields are hidden by default in the updated table configuration.
To test, apply the patch and restart services.
- Go to acquisitions and create a basket if necessary:
- Search for a vendor and click New -> Basket from the vendor
toolbar on the vendor search results screen.
- Create a basket, then click "Add to basket" from the basket details
page.
- Add an order to the basket.
- With at least one order in the basket, check the table of orders in
the basket.
- The columns should be unchanged.
- The table configuration button should show the two statistics fields
as hidden. Test that they can be displayed.
- Go to Administration -> Table settings.
- Under Acquisitions -> basket, try changing the settings for the
Statistic 1 and Statistic 2 fields, and check that your changes are
reflected in the basket view.
- Test with a vendor which has an EDI account:
- Enable the EDIFACT system preference.
- Go to Administration -> EDI accounts and create an account for your
vendor.
- Confirm that the table of orders in your basket still displays
correctly now that the "Supplier report" column is present.
Signed-off-by: Michaela Sieber <michaela.sieber@kit.edu>
Signed-off-by: Ray Delahunty <r.delahunty@arts.ac.uk>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Before this patch set, a search for patrons from article requests or
reserves would search the attributes by default. They were not considered
'standard' searches, however.
This patch simply defaults to searching the 'standard' fields unless a value is passed
To test:
1 - Apply other patches
2 - Have patrons with searchable attributes
3 - From a title, click the holds or artickle requests tab
4 - Search for the attribute values and confirm patrons are not returned
5 - Apply this patch
6 - Search again, patrons are now returned
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
We'd missed an escape case in one of the calls to .split for the pipe
delimited split operations.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch moves the parsing of standard search_field into the buildPatronQuery subroutine
and adds a check for 'standard' field before adding attributes to the search
To test:
1 - Add a new attribute type and make it searchable
2 - Add a value to a patron
3 - Search for this value using 'Standard' fields, confirm you get the patron
4 - Search for the value using 'Cardnumber' field, confirm you get the patron - BAD!
5 - Apply patch
6 - Repeat cardnumebr search, confirm patron not found - Yay!
7 - Search standard, confirm patron is found
8 - Add a new field to 'DefaultPatronSearchFields
9 - Confirm it appears in patron search dropdown
10 - Confirm a search of this field with the attribute value does not return the patron
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
The first column was named basket_number, but it's actually the
order_line.
To test:
* Edit column configuration for acquisition > basket
* Make sure to set at least one checkbox for 'basket_number'
* Apply patch, run database update
* Verify that the first column is now 'order_line', but your
settings have been preserved
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Moving to modalselect also has the effect of moving from comma delimited
to pipe delimitation for the preference contents
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
As requested by Katrin.. switch to the modal and expose all fields from
the borrowers database table
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>