git.koha-community.org Git

Bug 36511: Some scripts missing a dependency following Bug 24879

These files needed the addition of 'use C4::Auth qw( check_cookie_auth
);'.

To test, apply the patch and restart services.

- If necessary, enable the LocalCoverImages system preference.
- Open the browser console and then the "Network" tab. You can click
  "Images" to filter for the correct kind of request.
- Perform a catalog search. After the search has loaded, check that
  there are no 500 errors in the Network tab.

- Go to Cataloging -> Label creator.
- If necessary, create a label batch and add some items.
- Export your batch and test both the "Download as CSV" and "Download as
  XML" links. Both should trigger the correct download.

- Go to Serials -> Claims, and select a vendor with late issues.
- Select all late issues and click "Download selected claims" at the
  bottom of the page.
- Your CSV file should download correctly.

The file acqui/check_uniqueness.pl has been corrected as well but I'm
not sure how to test it!

Signed-off-by: danyonsewell <danyonsewell@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 747f5132311ea51ea6babbfc92a775ac0c67f93a)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 01b22fb71d30f56d3102837b5c9b4cfdacbc9e76)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Merge remote-tracking branch 'koha-security/22.05.x-security' into HEAD

Make DBRev 220520000 executable

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Update release notes for 22.05.20 release

Signed-off-by: Aleisha Amohia <aleisha@catalyst.net.nz>

Increment version for 22.05.20 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 24879: (follow-up) Fix test suite

Running cataloguing pluings (in cataloguing/value_builder) now requires
authentification.

This patch adds in failing unit tests a mock of C4::Auth::check_cookie_auth

Test with:
prove t/db_dependent/FrameworkPlugin.t t/db_dependent/Koha/UI/Form/Builder/Biblio.t t/db_dependent/Koha/UI/Form/Builder/Item.t t/db_dependent/Serials.t

(cherry picked from commit f8a23b8ef46aea60eda9211a3e89af85d650ac26)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
suite

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Bug 23352: [22.05] (follow-up) change number of tests

Bug 24879: Exclude koha_perl_deps.pl

And tidy.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 24879: Use perl shebang to list the exec

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 24879: Add check_cookie_auth when missing

This can certainly be improved to adjust the permissions, but at least
they are no longer opened to the world..

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 24879: Remove installer/externalmodules.pl

It is not used, if we need it back it must be moved to misc.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 24879: Add new test to catch missing auth statement

in intranet scripts

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 31988: Remove reports/itemtypes.plugin

This "plugin system" is only used for the itemtypes report. We can
simply remove the reports/manager.pl script and this plugin in favor of
a dedicated report.

Test plan:
Same behaviour expected before and after this patch

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 36322: Redirect docs dir to 404

http://localhost:8081/cgi-bin/koha/docs/CAS/CASProxy/examples/proxy_cas.pl

Test plan:
Hit the link
=> Erk
Copy the apache config to /etc/koha/apache-shared-intranet-git.conf
restart_all
Hit the link
=> 404

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 36323: Move koha_perl_deps.pl to misc/devel

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 35960: Use .val() instead of string concat to prevent potential XSS

Test plan:
1. Log out
2. Go to /cgi-bin/koha/mainpage.pl#somestring"with<html>char
3. Open the brower's inspector and find "auth_forwarded_hash" input
4. Make sure the value attribute is there and corresponds to the URL's
fragment. It should be URI-encoded.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 36244: DBRev 22.05.19.001

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 36244: Add atomic update to check for affected notices

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Fixed some typos in bug numbers and text.

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 36244: Do template toolkit processing first

To avoid injection of template toolkit code
from database fields that are controlled by
untrusted sources.

Test plan:

* review subtest 'Template toolkit syntax in
parameters' in t/db_dependent/Letters.t
* Run the unit test:
prove t/db_dependent/Letters.t

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 36244: Unit test for tt syntax in parameters

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 36176: Exclude misc/releases_notes/*

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 36176: Reject cud- for stable branches

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Update release notes for 22.05.19 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Increment version for 22.05.19 release

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>

Bug 36034: Add test

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Bug 36034: (bug 34893 follow-up) fix capture of return values from checkpw

Adapt code to the change of return value type of checkpw
introduced in bug 34893

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Bug 35518: Tidy the moved blocks

This patch just tidies the moved blocks to get us past the QA script
check.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit b577b6567045184adcb5bb55b7e5c70428e124ee)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 1f182d45aba607dbfaf63c98f97b8615e5eea09d)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit d44a697788c947b9deb08aafaeb965f0e2b069f0)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit 870c18a6545092de9fd50c187f68dd0d6574b56b)

Bug 35518: Check authentication and set userenv before fetching userenv variables

Currently we get the userenv before we have set it correctly for the session

To test:
1 - Sign in as a user with fast cataloging permission
2 - Bring up a patron, type gibberish into barcode field to get a fast cataloging link
3 - Check the link, it should have your current signed in barcode
4 - Sign in to a different browser with a different user and at a different branch
5 - Bring up a aptron in circulation and type gibberish into barcode field to get a fast cataloging link
6 - It may have your branch, but it may also have the other user's branch from the other window
7 - Keep entering gibberish to get a link until one user has the correct branch
8 - Then switch to the other browser, and keep entering gibberish, watch the branchcode change
9 - Apply patch, restart all
10 - Test switching between browsers. generating fast cataloging links
11 - Users should now consistently have the correct branch

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 90b6f68616e2ba5ca3fcbbd9698c97ef41a45593)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 26722f2a08af99b9e3cb4eb50398df896085f527)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit 1460974627a7c094144fe4b834f07a5ee0c5b493)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit 70c86eb8926def78636e69b02d4ad47cecce6323)

Bug 36092: Pass sessionID at the end of get_template_and_user

It seems safer to pass the logged in user and session info at the end of
the sub.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit c50372c0b5c490971e4e336541aa85fbb45033d2)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit 2ba597ea70612aec6880a583e9436da2367b5644)

Bug 36092: Pass the sessionID from checkauth if we hit auth

If we hit the auth page we were not passing sessionID to the template

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 0decb260343455caabd4101b0b0e9499723f2951)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit 9580111a206522e90a76d0fbaafdaaca0401d6fd)

Bug 36092: Add test

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 7bc46ea231c3e63e017da2a26a7a8918ed161cab)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit 14cce4e9364792e93c50a1d6bed01d4e85d150d4)

Bug 30524: (QA follow-up) Fix tests

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 158edb411b32253fae4f068ce416d6ad4d1a67d3)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
(cherry picked from commit 38725ed0af95c318077c46f337795054e31c60e4)

Bug 30524: (QA follow-up) Unit tests for GenerateCSRF()

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 60d11ae7251a227fab3977ecd61cb01d0f062f79)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit d4187c77eb3b39977b759af7df7641e70cd96358)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
(cherry picked from commit 26ab7e0b200ac8e5fe4d88603996d823bf63d8bc)

Bug 30524: (QA follow-up) Only generate CSRF token if it will be used

This patch avoids generating CSRF tokens unless the csrf-token.inc file
is included in the template.

Passed token doesn't need HTML escaped. The docs for WWW::CSRF state:
The returned CSRF token is in a text-only form suitable for inserting into a HTML form without further escaping (assuming you did not send in strange things to the Time option).

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit ddf1eb6cef14da365675890920ff72f010c59527)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 73ca151686b682aaa2b950ccbc89fcec14514112)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
(cherry picked from commit b1bd7ec29a0febddc210dbdc3bef0a78e37c7719)

Bug 35942: OPAC user can enroll several times to the same club [23.05.x]

Test Plan:

1) Create 3 clubs, 1 limited to library A, 1 limited to library B and one not limited
2) Use a patron with home library A.
3) Go to the opac-user page, "Clubs" tab show 0/2 (the one from library B is not listed)
4) Browse to /cgi-bin/koha/svc/club/enroll?id=1
5) Reload that page a couple times
6) Note the patron is now enrolled in the same club multiple times
7) Delete those enrollments
8) Apply this patch
9) Restart all the things!
10) Repeat steps 2-7, note the lack of duplicate enrollments!
11) Repeat steps 2-10 for the staff interface

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 9bdab108e22768b018b017ed7c0e0016270f2570)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>

Bug 35918: Fix auto library connect (AutoLocation)

This code is a bit weird, its purpose it to auto select the library depending on the IP.
A problem appears if the same IP is used, then the user's choice will
might be overwritten randomly by another library.

To recreate the problem:
Turn on AutoLocation
Use koha/koha @CPL for test
And the following config:
*************************** 1. row ***************************
branchcode: CPL
branchname: Centerville
  branchip: 172.18.0.1
*************************** 2. row ***************************
branchcode: FFL
branchname: Fairfield
  branchip: 172.18.0.1
*************************** 3. row ***************************
branchcode: FPL
branchname: Fairview
  branchip: 172.18.0.4

Connect and select CPL. Randomly FFL will be picked instead.

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tested this on top of 35890 and 35904 because git bz said they were required dependencies.
Figured out the IP Koha was seeing me as coming from in /var/log/koha/kohadev/plack.log.
Added that IP to the branchip for Centerville, Fairfield and Fairview. Set AutoLocation = Yes.
After this I could recreate the problem: If i left the "Library" field in the login screen
at "My Library" I got logged into a random library selected from the three i had set
branchip for. Applying the patches fixed this, as expected.
Tests pass, with AutoLocation off.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 35918: Add test

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 35890: Add tests for AutoLocation

Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 35890: Reject login if IP is not valid

Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 35890: Remove var loggedin

It is never used and add confusion

Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 35904: (QA follow-up): tidy up code

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 35904: Make C4::Auth::checkauth testable easily

This patch suggests to add a new flag do_not_print to
C4::Auth::checkauth to not print the headers and allow to test this
subroutine more easily.

We do no longer need to mock safe_exit and redirect STDOUT to test its
return values.

There are still 3 left:
1.
733         # checkauth will redirect and safe_exit if not authenticated and not authorized
=> Better to keep this one, not trivial to replace

2.
806         # This will fail on permissions
This should be replaced but testing $template->{VARS}->{nopermission}
fails, I dont' think the comment is better.

3.
828         # Patron does not have the borrowers permission
Same as 2.

2. and 3. should be investigated a bit more.

This patch also move duplicated code to set patron's password to a
subroutine set_weak_password.

Test plan:
Read the code and confirm that everything makes sense.
QA: Do you have a better way for this? Yes it's dirty!

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 29510: (follow-up) Adapt GET /patrons/:patron_id

This patch makes GET /patrons/:patron_id rely on this new behavior from the
objects.find helper.

To test:
1. Run:
$ kshell
k$ prove t/db_dependent/api/v1/patrons.t
=> SUCCESS: Tests pass!
2. Apply this patch
3. Repeat 1
=> SUCCESS: Tests still pass!
4. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 29510: Make objects.find call search_limited if present

This patch makes objects.find implicitly update the passed
*$result_set* to use search_limited. This way no object leaks could
happen without noticing.

To test:
1. Apply the regression tests patch
2. Run:
$ kshell
k$ prove t/db_dependent/Koha/REST/Plugin/Objects.t
=> FAIL: Tests fail because search_limited is not used
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass! Results are correctly filtered based on userenv!
5. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 29510: Regression tests

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 35941: (QA follow-up) Tidy clubs-tab.pl

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 35941: Limit club list to those from the logged in user

clubs-tab get the patron's id from the parameter. At the OPAC we must
use the one from the logged in user, to prevent leak to other users

Test plan:
Have 2 clubs: A, B
Enroll to A with patron borrowernumber=1
Enroll to B with patron borrowernumber=2
Log in with patron 1 and hit:
http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=1
=> OK
Now hit
http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=2
=> oops

Apply this patch, try again.
The "borrowernumber" parameter is no longer used to fetch the club list.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 36072: opac-request-article should check syspref

Note: This is handled now just like opac-reserve.

Test plan:
Disable ArticleRequests and hit the page.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Update release notes for 22.05.18 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Increment version for 22.05.18 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 35343: Add record accessor method to Koha::Authority

Code lifted from bug 31794 to fix already backported bug 26611.

Unit tests included.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 40115a2c8cba3e081ffd0710899ef4556a3bbb54)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 27342: Fix C4::ILSDI::Services::AuthenticatePatron

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Bug 27342: (QA follow-up) Fix test

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Bug 27342: (QA follow-up) Remove dbh from new tests

Bug 27342: Remove dbh from C4::Auth

We must not pass $dbh but retrieve it when needed instead

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Bug 27342: Improve test for OPAC

We don't need to build allowed_scripts_for_private_opac for staff

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Bug 34893: [22.05] (follow-up) change number of tests