Commit graph

606 commits

Author SHA1 Message Date
56c2856e26 Bug 12561: Remove non-XSLT views
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-08-16 09:57:04 +02:00
09e0799a8d Bug 28660: (bug 21325 follow-up) Fix auto self check
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Works as expected.
The need for an additional check of pref WebBasedSelfCheck is
merely theoretical.

Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-07-22 08:12:51 +02:00
9d6d641d1f Bug 17600: Standardize our EXPORT_OK
On bug 17591 we discovered that there was something weird going on with
the way we export and use subroutines/modules.
This patch tries to standardize our EXPORT to use EXPORT_OK only.

That way we will need to explicitely define the subroutine we want to
use from a module.

This patch is a squashed version of:
Bug 17600: After export.pl
Bug 17600: After perlimport
Bug 17600: Manual changes
Bug 17600: Other manual changes after second perlimports run
Bug 17600: Fix tests

And a lot of other manual changes.

export.pl is a dirty script that can be found on bug 17600.

"perlimport" is:
git clone https://github.com/oalders/App-perlimports.git
cd App-perlimports/
cpanm --installdeps .
export PERL5LIB="$PERL5LIB:/kohadevbox/koha/App-perlimports/lib"
find . \( -name "*.pl" -o -name "*.pm" \) -exec perl App-perlimports/script/perlimports --inplace-edit --no-preserve-unused --filename {} \;

The ideas of this patch are to:
* use EXPORT_OK instead of EXPORT
* perltidy the EXPORT_OK list
* remove '&' before the subroutine names
* remove some uneeded use statements
* explicitely import the subroutines we need within the controllers or
modules

Note that the private subroutines (starting with _) should not be
exported (and not used from outside of the module except from tests).

EXPORT vs EXPORT_OK (from
https://www.thegeekstuff.com/2010/06/perl-exporter-examples/)
"""
Export allows to export the functions and variables of modules to user’s namespace using the standard import method. This way, we don’t need to create the objects for the modules to access it’s members.

@EXPORT and @EXPORT_OK are the two main variables used during export operation.

@EXPORT contains list of symbols (subroutines and variables) of the module to be exported into the caller namespace.

@EXPORT_OK does export of symbols on demand basis.
"""

If this patch caused a conflict with a patch you wrote prior to its
push:
* Make sure you are not reintroducing a "use" statement that has been
removed
* "$subroutine" is not exported by the C4::$MODULE module
means that you need to add the subroutine to the @EXPORT_OK list
* Bareword "$subroutine" not allowed while "strict subs"
means that you didn't imported the subroutine from the module:
  - use $MODULE qw( $subroutine list );
You can also use the fully qualified namespace: C4::$MODULE::$subroutine

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-07-16 08:58:47 +02:00
af7e41d114 Bug 28606: Remove warning from C4::Auth 887
[WARN] Use of uninitialized value in sprintf at /kohadevbox/koha/C4/Auth.pm line 887.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-07-16 08:58:45 +02:00
ce5d409cfd Bug 28571: Remove C4::Auth::_session_log
It's not used and must be removed

Test plan:
  % git grep _session_log
must not return any result.

Signed-off-by: David Nind <david@davidnind.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-06-24 11:53:44 +02:00
41a8005d10 Bug 28606: Remove $DEBUG and $ENV{DEBUG}
We should remove the debug statements or use Koha::Logger when we want
to keep it.

Test plan:
Confirm that occurrences of remaining occurrences of DEBUG need to be
kept (historical scripts for instance)
Confirm that the occurrences removed by this patch can be removed
Confirm that the occurrences replaced by Koha::Logger are correct

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Looks good to me, noting a few minor points on BZ.

JD amended patch: replace "warn #Finished" with "#warn Finished", and
put the statement on a single line

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-06-24 11:53:44 +02:00
512c7ba7e4 Bug 28590: Remove get_shelves_userenv and set_shelves_userenv
They are no longer used since bug 7310, now we are using
Koha::Virtualshelves->get_some_shelves

Test plan:
Create some lists, login at the OPAC and confirm that you see
the list in the navbar (top)

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-06-22 12:04:31 +02:00
a3c5ecd0e4 Bug 28388: Preserve "Browse results" when "view plain" is clicked
This patch modifies the way search sessions are preserved in the OPAC so
that viewing the "plain MARC" view will not cause the search context to
be lost.

To test, apply the patch and make sure OpacBrowseResults is enabled.

- Perform a search in the OPAC which will return multiple search
  results.
- View the details of one of the search results.
  - You should see a "Browse results" box in the right-hand sidebar.
- Click the "MARC view" link.
  - If you click back to the "Normal view" now, the results browser
    should still appear.
  - From the MARC view, click the "view plain" link.
  - Return to the "Normal view."
    - Before the patch: The results browser is gone.
    - After the patch: The results browser is still there.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-06-21 12:07:28 +02:00
40089a0a53 Bug 28519: Put CGI::Session::Serialize::yamlxs in lib directory
This patch adds a "lib" directory to the source tree which gets
mapped to the same directory as "C4" and "Koha" for single and
standard installations.

CGI::Session::Serialize::yamlxs is put into this "lib" directory.

This patch also includes some changes so that dev/git installations
work as well.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-06-17 10:07:36 +02:00
a502ae7b68 Bug 28489: Don't deal with encoding during the serialization
Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-06-14 17:35:19 +02:00
Andrew Nugged
1887f3b53f Bug 28489: POD - CGI::Session::Serialize::yamlxs for CGI::Session
Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-06-14 17:35:19 +02:00
cb90cbf4eb Bug 28317: Use the default CGI::Session serializer
We remove YAML::Syck on bug 22824 and YAML on 27673, to use YAML::XS.
However we need one of them for CGI::Session::Serialize::yaml
It's preferable to change the serializer and use the default one instead
of writing one based on YAML::XS (or patch the existing ::yaml that does
not seem maintained).

There was an encoding bug reported on the default serializer (see commit
a858e8a8b8) but we fail to recreate it.

Test plan:
Create 3 libraries with branchcode=branchname: "CPL", "ÄÄÄ~ÄãÃ" and "✔️ ❤️ ★"
Use the 3 options of SessionStorage and switch from one logged in
library to another.
Confirm that everything is working correctly (ie. no ending issue in the
library name at the top-right corner)

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-05-19 14:45:32 +02:00
da9006b20d Bug 21325: Prevent authentication when sending userid and password in querystring
This patch permits authentication via userid/password only when the
HTTP method is POST when using C4::Auth::checkauth().

The goal is to stop people from supplying userid and password in querystrings
in order to log into web pages.

Test plan:
0. Do not apply patch yet
1. Open a new browser (ie we don't want any existing CGISESSID cookies
available - opening a new tab/window isn't enough. It must be a
new instance or you can clear your cookies)
2. Go to http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29&userid=koha&password=koha
3. Note the user has been logged in and is being asked to confirm hold.

4. Apply the patch

5. Go to http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29&userid=koha&password=koha
6. Note the user is not logged in and the user is presented with a login screen

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-04-16 13:56:46 +02:00
592ab10fe5 Bug 22824: Remove C4::Boolean, true_p, boolean_preference, etc.
It seems that we don't really need all this overhead.
YesNo must be a boolean and contain 1 or 0.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-03-04 16:18:42 +01:00
b5ab335d1b Bug 18506: (QA follow-up) opacShibOnly -> OPACShibOnly
As requested

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-02-09 09:46:08 +01:00
1a81264ac1 Bug 18506: Add xShibOnly preference for Shibboleth authentication
This patch adds two system preferences to Koha, opacShibOnly and
staffShibOnly, allowing users to restrict authentication to just
one method, Shibboleth.

We do however, allow for local fallback for the SCO/SCI logins.

A system preference was chosen over a configuration file update to
allow for local override at the virtualhost level. In this way a
hosting provider can setup a 'backdoor opac' for example to allow
fallback to local logins for support operations.

Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-02-09 09:46:08 +01:00
6b23c0634b Bug 14004: Set the syspref's value to an empty string
It's tested with "defined" in C4::Context->preference

Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-01-27 14:36:26 +01:00
c009eeafed Bug 14004: Add OpacAdditionalStylesheet and opaclayoutstylesheet
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-01-27 14:36:26 +01:00
180db2f63b Bug 14004: Add ability to temporarily disable JS/CSS sysprefs
It would be *super* handy if intranetuserjs and/or opacuserjs could be
temporarily disabled via a check-box or syspref.
Right now, debugging issues in intranetuserjs usuaally starts with
copying the contents into a text file, blanking the syspref and re-testing.

This patch adds this feature by setting syspref via ENV
OVERRIDE_SYSPREF like override via Apache config.

Implemented only for preferences :
OPACUserCSS OPACUserJS IntranetUserCSS IntranetUserJS
=> replaced with ' '
intranetcolorstylesheet intranetstylesheet
=> replaced with 0

Test plan :
1) Set some CSS in IntranetUserCSS like : #breadcrumbs{color:red}
2) Go to staff interface home page like : /cgi-bin/koha/mainpage.pl
3) See CSS impact is visible
4) Edit URL : /cgi-bin/koha/mainpage.pl?DISABLE_SYSPREF_IntranetUserCSS=1
5) See CSS impact is not visible
6) Check with the other preferences

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-01-27 14:36:26 +01:00
00734f1689 Bug 27324: (follow-up) Remove references to intranetbookbag from Auth.pm
This patch removes references to intranetbookbag from Auth.pm. Now that
the templates use Koha.Preference("intranetbookbag") everywhere it is
unnecessary.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-01-20 10:16:48 +01:00
8c9acd7f28 Bug 27345: Add missing global permissions for superlibrarian
When a superlibrarian is logged in, C4::Auth::get_template_and_user pass the CAN_user_$flag to the template, but some are missing:
suggestions, lists, cash_management

So far they are not used in the template but it will avoid a developer to spend time on it if we fix it now.

Test plan:
Compare with installer/data/mysql/mandatory/userflags.sql
Note that we don't need selfcheck

Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-01-08 15:21:51 +01:00
8ece86e769 Bug 24786: Default to 'branch default' on auth.
If no branch is selected (i.e. 'My library') then we should default to
'branch default' if one is defined for the users library at login.

Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-11-06 15:40:00 +01:00
1bc723b33c Bug 24786: (follow-up) Cache the register_name in the session
This leads to one DB hit less per page load in the staff client when
cash registers are enabled.

Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-11-06 15:40:00 +01:00
5b1934312b Bug 24786: Allow setting a register for the session
This patch adds the ability to set a register for the current session
from the 'set library' page.

Upon entering the page, the current selection will be displayed.
Changing the branch will trigger the register select list to update to
display only those registers associated with the updated branch and will
automatically select either 'no register' or the 'branch default'
register.  The user can then override that selection to choose a
different register for the session.

Test plan
1/ Enable cash registers with the 'UseCashRegisters' system preference
2/ Select the 'Set library' option from the top right menu
3/ Note that you can now select a cash register from the subsequent page
4/ Change the branch and note that the cash register selection is
updated to reflect the change
5/ Note that the 'branch default' register is auto-selected upon branch
selection if one has been defined, otherwise '-- None --' is selected
6/ You can then alter the selection before submitting the form
7/ Once submitted note that you are returned to the page you were on
prior to attempting to change the library and register
8/ Note the present of the register name next to the library name at the
top of the screen.
9/ Signoff

Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-11-06 15:39:59 +01:00
37540532b1 Bug 25898: (follow-up) POD
Our docs shouldn't suggest indirect object notation is accepted or
encouraged.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-10-15 12:56:30 +02:00
Julian Maurice
96cc447045 Bug 25898: Prohibit indirect object notation
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-10-15 12:56:30 +02:00
97b9eab178 Bug 20804: Add support for "days" to the timeout syspref
If the timeout syspref did not contain an integer, or was not matching
integer.'d|D', then it "fallback" to 0

We can easily add support for hours and fallback to 600 if the value is
not correct.
It will prevent the session to timeout immediately

Test plan:
0. Do not apply the patches
1. Fill the timeout syspref with "5h"
2. Login
3. Click somewhere
=> Notice that the session timed out
4. Apply the patches, restart_all
5. Login
6. Click somewhere
=> You have 5 hours to enjoy Koha
7. Fill the pref with an incorrect value ("5x" for instance)
8. Logout, login
9. There is a warning in the log, and you have 10 minutes (600 secondes) to enjoy Koha

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-10-14 11:47:57 +02:00
b827acf53f Bug 26191: Relocate track_login call in Auth.pm
This is a leftover from bug 22543.
Trivial move.

Test plan:
Do not apply this patch.
Pick a user that has not yet logged in today.
Only login via the opac and immediately check if borrowers.datelastseen did not change.
Apply this patch, restart, flush etc.
Only login via the opac and verify again rightaway (no further opac actions).
Now datelastseen should have been changed already.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-10-08 11:36:32 +02:00
5efc27ea53 Bug 24663: Handle special cases for recovery password and selfreg
The password recovery and self-registration features need to be
accessible at the OPAC even if not public.

Test plan:
Self register a new account, then ask for a new password with OpacPublic
turned off

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Tomás Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
4b9475346e Bug 24663: Test OpacPublic for all OPAC scripts
Prior to this patchset there were 3 different calls to
get_template_and_user (or checkauth) with the authnotrequired param:
 * authnotrequired => 0
 * authnotrequired => 1
 * authnotrequired => ( C4::Context->preference("OpacPublic") ? 1 : 0 )

The first one says that an unauthenticated user can access the page, the
second that the user has to be authenticated, and the last one that it
depends on the OpacPublic syspref.
Actually we must replace the first one with the third one, if the OPAC
is not public, the authentication must be forced.

To do so we are going to remove the "authnotrequired => 0" occurrences,
and check the OpacPublic syspref's value in C4::Auth

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
db55279886 Bug 25360: (follow-up) Remove the https FIXME in Auth.pm
The FIXME is no longer valid since we fixed the X-Forwarded headers
for Plack. And since we do not even use using_https anymore in
the templates (see bug 21094).

Test plan:
Run Auth.t
Git grep for using_https

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
b42d57984b Bug 25360: Use secure flag for CGISESSID cookie when using HTTPS
This patch adds the secure flag to the CGISESSID cookie when using HTTPS.
This prevents the cookie being used again over a normal HTTP
request.

Bug 25360: [Follow-up] Test for "on" or "ON" value for HTTPS env var

This patch tests for HTTPS "on" or "ON" before setting the secure
cookie.

Bug 25360: [Follow-up] Fix typo in C4/InstallAuth.pm

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Amended number of tests in Context.t
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
e9b051baf7 Bug 24201: (QA follow-up) Correct call to set_userenv
One call to set_userenv had been implimented incorrectly with the
parameters out of order.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-08-07 16:54:40 +02:00
Nicolas Legrand
4163f24014 Bug 24201: (follow-up) add desk choice with library choice
You should be able to add desk choice when you are logging in or
changing library.

Test plan:

1. apply patch
2. have at least three libraries, one without desk, one with one and
one with a few.
3. At login, when choosing a library, it should enable all desks it
has. Pick one.
4. the desk id and name should be set in your session and appear in
the top right, next to the library name.
5. change library and desks from intranet (at the set-library.pl page)
6. you should have the same behaviours
7. if you have a library without a desk, it should prompt you a '---'
option and no desks will be attached to the session.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-08-07 16:54:40 +02:00
876d95285e Bug 24201: (follow-up) Use GetLoggedInDeskName
This patch updates the templates to use the new TT plugin instead of
adding additional variables to the already crouded get_template_and_user.

Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-08-07 16:54:40 +02:00
Nicolas Legrand
3fc961b7c2 Bug 24201: Attach desk to intranet session
When Desks are defined, a librarian can attach a desk to its session.

Test plan:

1. apply 13881 and create some desks
2. you should see “NO DESK SET” in the intranet header
3. go to circulation > Set desk
4. you should see your desk name in the header, whatever the page
5. you can also set desk with the header menu

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-08-07 16:54:40 +02:00
c9eb2be381 Bug 23795: Convert opaccredits system preference to news block
This patch builds on Bug 22318 to move the opaccredits system
preference into the Koha news system, making it possible to have
language- and library-specific content.

To test you should have some content in the opaccredits system
preference. Apply the patch and run the database update process.

 - Go to the OPAC and confirm that the content which was previously in
   the opaccredits system preference now displays correctly where
   it was before.
 - In the staff client, go to Tools -> News and verify that the content
   from opaccredits is now stored in news items. There should be
   one entry for each of the enabled translations in your system, for
   instance 'opaccredits_en', 'opaccredits_fr-FR',
   'opaccredits_cs-CZ'
 - Go to Administration -> System preferences and confirm that the
   opaccredits preference has been removed.

Signed-off-by: Sally <sally.healey@cheshiresharedservices.gov.uk>
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-07-23 11:17:27 +02:00
cbd8655157 Bug 25765: Replace LoginBranchname and LoginBranchcode with use of Branches template plugin
The template plugin Branches contains a method GetLoggedInBranchcode that returns current branch code.
This patch adds GetLoggedInBranchname to get current branch name.
It is used to replace vars LoginBranchname and LoginBranchcode sent to all templates in C4/Auth.pm.

In labels and patrons cards modules, I choose to remove a unseless display of
current branch in a hint.

In acqui/acqui-home.tt, I choose to remove a useless display of current
branch and also because table of founds contains a filter on library.

Test plan:
Check pages source code to see branch code or name is correct.
list of the pages:
/cgi-bin/koha/acqui/acqui-home.pl
/cgi-bin/koha/catalogue/detail.pl?biblionumber=XXX
/cgi-bin/koha/circ/branchoverdues.pl
/cgi-bin/koha/circ/set-library.pl
/cgi-bin/koha/circ/offline.pl
/cgi-bin/koha/labels/label-edit-batch.pl?op=new
/cgi-bin/koha/labels/label-manage.pl
/cgi-bin/koha/patroncards/edit-batch.pl
/cgi-bin/koha/patroncards/manage.pl
OPAC:
/cgi-bin/koha/opac-detail.pl?biblionumber=XXX

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-07-23 11:17:27 +02:00
4689777ba9
Bug 23794: Convert OpacMainUserBlock system preference to news block
This patch builds on Bug 22318 to move the OpacMainUserBlock system
preference into the Koha news system, making it possible to have
language- and library-specific content.

To test you should have some content in the OpacMainUserBlock system
preference. Apply the patch and run the database update process.

 - Go to the OPAC and confirm that the content which was previously in
   the OpacMainUserBlock system preference now displays correctly where
   it was before.
 - In the staff client, go to Tools -> News and verify that the content
   from OpacMainUserBlock is now stored in news items. There should be
   one entry for each of the enabled translations in your system, for
   instance 'opacmainuserblock_en', 'opacmainuserblock_fr-FR',
   'opacmainuserblock_cs-CZ'
 - Go to Administration -> System preferences and confirm that the
   OpacMainUserBlock preference has been removed.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-05-01 08:17:23 +01:00
73fd85fd02
Bug 21190: (follow-up) Save patron id in failure when available
The wrong password might belong to an existing user. If that is the case,
we have a $patron.
Note that logaction will save the object info but has no user in the
context environment for a failure.

Test plan:
Login with good user, bad pw and bad user, bad pw. Check logviewer.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Michal Denar <black23@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-04-14 16:13:39 +01:00
8a04980366
Bug 21190: Add authentication logging to checkpw
Add optional logging for successful and failing login attempts in
checkpw.

Test plan:
Enable the preferences
Perform a good login and a bad attempt
Check action_logs

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk>
Signed-off-by: Michal Denar <black23@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-04-14 16:13:39 +01:00
Aleisha Amohia
c95ae98d60
Bug 4461: Adding user flags for managing OPAC problem reports
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-04-06 11:18:13 +01:00
21c9b685bf
Bug 20415: Remove UseKohaPlugins system preference
Owen Leonard 2018-03-16 10:47:47 UTC :
<<
I don't think the system preference adds any security. There are already multiple permissions required for working with plugins:

- Configure plugins
- Manage plugins ( install / uninstall )
- Use report plugins
- Use tool plugins

And even with those permissions your server must be configured to allow the use of plugins.
>>

Test plan :
1) Install kitchen sink plugin https://github.com/bywatersolutions/koha-plugin-kitchen-sink
2) Run misc/devel/install_plugins.pl
3) Set config enable_plugins=1
4) Check all parts of the plugin are working
5) Set config enable_plugins=0
6) Check all parts of the plugin are disabled

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-03-26 11:42:02 +00:00
Hayley Mapley
619d6362ce
Bug 22943: Renames the in_ipset function to in_iprange in C4::Auth
Bug 14407 introduced a new system preference to allow limiting the
online self checkout system to an IP or IP Range. The function that
handles this is called in_ipset, which is the name of a linux tool. To
stop confusion, this patch renames the function to 'in_iprange', and the
variable 'ipset' within it to 'iprange'.

To test, follow the test plans outlined in Bug 14407 and confirm that
everything works as expected.

Sponsored-by: Catalyst IT
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-03-16 11:00:21 +00:00
9b86077aae
Bug 17845: Remove unused code related to printers
There is some quite old and unused code in Koha related
to printer configuration and network printing. These code
hasn't been functional in a long time and should be removed.

This patch:

- Removes printcirculationslips system preference
- Removes table printers
- Removes branchprinter column from branches

Check that:
- Go to administration
- Open any age there, but change the last bit to: printers.pl
- Apply patch, run the database update
- Verify the hidden page no longer exists
- Verify that logging in and out still works correctly
- Verify that checkout and returns work correctly
- Switch to another branch using the "Set library" option

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-03-10 15:18:27 +00:00
18f3b83b6e
Bug 22880: (QA follow-up) Remove opacheader from C4::Auth
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-02-24 13:24:55 +00:00
Magnus Enger
d20c9ff588
Bug 22543: Prevent "back and refresh attack"
To reproduce and test:
- Log into the OPAC, you are taken to /cgi-bin/koha/opac-user.pl
- Log out, you are taken to /cgi-bin/koha/opac-main.pl?logout.x=1
- Click "Back", you are taken to /cgi-bin/koha/opac-user.pl
- Reload the page, you see an error like "Confirm new submission
  of form"
- Reload the page again and confirm the submission of the form
- You are now logged in to the OPAC again!
- Log out again
- Apply this patch
- Log in to the OPAC, you are taken to /cgi-bin/koha/opac-user.pl
- Log out, you are taken to /cgi-bin/koha/opac-main.pl?logout.x=1
- Click back, you are taken to /cgi-bin/koha/opac-user.pl
- No matter how many times you reload /cgi-bin/koha/opac-user.pl,
  you should not see anything other than the login form.
- Check that Self Check Out still works as it should, by making
  sure you have a user with self_check permissions, then setting
  WebBasedSelfCheck, AutoSelfCheckAllowed, AutoSelfCheckID and
  AutoSelfCheckPass appropriately. Then visit
  /cgi-bin/koha/sco/sco-main.pl and verify everything works as
  expected.

The messages and errors pages you see related to resubmitting the
form might differ from the ones described here, depending on what
browser you use. I tested in Chromium 76.0.x.

This fix was originally proposed by LMSCloud:
74a7fe0f0c

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-11-27 11:30:18 +00:00
a6838a3e35
Bug 23068: Add ability for Koha to handle X-Forwarded-For headers so REMOTE_ADDR features work behind a proxy
Koha has a number of features that rely on knowing the IP address of the connecting client. If that server is behind a proxy these features do not work.
This patch adds a module to automatically convert the X-Forwarded-For header into the REMOTE_ADDR environment variable for both CGI and Plack processes.

TEST PLAN:
1) Apply this patch set
2) Install Plack::Middleware::RealIP via cpanm or your favorite utility
3) Update your plack.psgi with the changes you find in this patch set ( this process differs based on your testing environment )
4) Restart plack
5) Tail the plack error log for your instance
6) Use curl to access the OPAC, adding an X-Forwarded-For header: curl --header "X-Forwarded-For: 32.32.32.32" http://127.0.0.1:8080
7) Note the logs output this address if you are unproxied
8) If you are proxied, restart plack using a command like below, where the ip you see in the logs ("REAL IP) is what you put in the koha conf:
    <koha_trusted_proxies>172.22.0.1 1.1.1.1</koha_trusted_proxies>
9) Restart all the things!
10) Repeat step 6
11) You should now see "REAL IP: 32.32.32.32" in the plack logs as the remote address in your plack-error.log logs!
12) Disable plack so you are running in cgi mode, repeat step 6 again
13) You should see "REAL IP: 32.32.32.32" as the remove address in your opac-error.log logs!

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Ed Veal <eveal@mckinneytexas.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-10-31 16:10:17 +00:00
c9c6dd1016
Bug 23771: Don't look for patrons if we don't have a userid
While the code requires external auth to test, the change is simple enough I
think a good read would suffice

To test:
1 - You either need Shib or CAS enabled and setup
2 - Add two users with blank.null cardnumbers
3 - Lock those user accounts
    Set failedloginattempts to 1
    Try a bad login with the userid
    Or set via the DB
4 - Try a good login via the external auth
5 - Note it fails
6 - Apply patch
7 - Login now succeeds

Signed-off-by: Mike Somers - Bridgewater State University <msomers@bridgew.edu>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-10-11 14:34:10 +01:00
Katrin Fischer
30627be138
Bug 23697: (QA follow-up) Rename PatronAutocompletion to PatronAutoComplete
Just a find and replace on the changed system preference name.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-10-08 14:51:12 +01:00