Wainui Witika-Park [Mon, 6 May 2024 01:48:54 +0000 (01:48 +0000)]
Update release notes for 22.05.21 release
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Wainui Witika-Park [Mon, 6 May 2024 01:45:47 +0000 (01:45 +0000)]
Increment version for 22.05.21 release
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Wainui Witika-Park [Wed, 1 May 2024 05:37:55 +0000 (05:37 +0000)]
Make DBRev
220518000 executable
Jonathan Druart [Wed, 20 Mar 2024 07:35:29 +0000 (08:35 +0100)]
Bug 19613: Use the 'note' profile
WNC amended patch: tidied
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit
3cb586b72165bcbd029948f46407359be9d5e9a8)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit
55931114b62557dfbbe01e7bcf0cd150b5733262)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Fri, 15 Mar 2024 10:37:43 +0000 (11:37 +0100)]
Bug 19613: Scrub borrowers fields: borrowernotes opacnote
To prevent XSS
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit
83db8696ca7a83aba224a0ab645f03447a96887b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit
383984a0164adabc79e91ad11e2e930f5e070ed9)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Julian Maurice [Tue, 9 Apr 2024 12:45:39 +0000 (14:45 +0200)]
Bug 36149: Add userenv middleware to app.psgi
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Nick Clemens [Fri, 29 Mar 2024 18:09:30 +0000 (18:09 +0000)]
Bug 36149: (follow-up) POD and tidy
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Fri, 8 Mar 2024 15:06:11 +0000 (16:06 +0100)]
Bug 36149: Unset userenv from middleware
The userenv (logged in user's info) are stored in
$C4::Context->context->{activeuser}, which persists in plack worker's
memory.
It's really bad in theory as we are not cleaning it before or after the
HTTP request, but only when set_userenv is called (what we are doing
commonly in C4::Auth::get_template_and_user).
If C4::Context->userenv is called before set_userenv we should get undef,
not the userenv from the previous request!
In practice this should not be a problem, but well... who really knows?
This patch suggests to have a middleware to deal with removing the
userenv at the beginning of each request (maybe it should be after, right? - FIXME).
To test:
1 - Edit /etc/koha/sites/kohadev/koha-conf.xml to set <plack_workers>1</plack_workers>
2 - Edit about.pl and add a line after: CGI->new:
warn Data::Dumper::Dumper( C4::Cointext->userenv() );
3 - tail -f /var/log/koha/kohadev/*.log
4 - View about.pl in staff interface, should get a "somethign's wrong" warning
5 - Reload, you get current user info
6 - Open an incognito tab, sign in as a different user and click some stuff
7 - Reload about.pl in other window
8 - You get the opac user info
9 - Apply patch
10 - Edit /etc/koha/sites/kohadev/plack.psgi and add the middleware after "RealIP":
enable "+Koha::Middleware::UserEnv";
11 - Restart all
12 - Reload about.pl - you get a "Something's wrong" warning
13 - Click things in opac on incognito window
14 - Reload about.pl - only "Something's wrong" - you no longer see any user info
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Nick Clemens [Mon, 1 Apr 2024 16:03:37 +0000 (16:03 +0000)]
Bug 36328: (QA follow-up) Expand tests and reorder elements to clarify differences
Also tidy
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Wed, 20 Mar 2024 07:34:09 +0000 (08:34 +0100)]
Bug 36328: Add a separate 'note' profile
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Fri, 15 Mar 2024 10:40:57 +0000 (11:40 +0100)]
Bug 36328: Add test
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Fri, 15 Mar 2024 10:39:33 +0000 (11:39 +0100)]
Bug 36328: Add p span div to Scrubber
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Owen Leonard [Tue, 9 Apr 2024 15:55:57 +0000 (15:55 +0000)]
Bug 36511: Some scripts missing a dependency following Bug 24879
These files needed the addition of 'use C4::Auth qw( check_cookie_auth
);'.
To test, apply the patch and restart services.
- If necessary, enable the LocalCoverImages system preference.
- Open the browser console and then the "Network" tab. You can click
"Images" to filter for the correct kind of request.
- Perform a catalog search. After the search has loaded, check that
there are no 500 errors in the Network tab.
- Go to Cataloging -> Label creator.
- If necessary, create a label batch and add some items.
- Export your batch and test both the "Download as CSV" and "Download as
XML" links. Both should trigger the correct download.
- Go to Serials -> Claims, and select a vendor with late issues.
- Select all late issues and click "Download selected claims" at the
bottom of the page.
- Your CSV file should download correctly.
The file acqui/check_uniqueness.pl has been corrected as well but I'm
not sure how to test it!
Signed-off-by: danyonsewell <danyonsewell@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit
747f5132311ea51ea6babbfc92a775ac0c67f93a)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit
01b22fb71d30f56d3102837b5c9b4cfdacbc9e76)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Wainui Witika-Park [Wed, 3 Apr 2024 22:05:46 +0000 (11:05 +1300)]
Merge remote-tracking branch 'koha-security/22.05.x-security' into HEAD
Tomas Cohen Arazi [Thu, 28 Mar 2024 11:32:19 +0000 (08:32 -0300)]
Make DBRev
220520000 executable
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Aleisha Amohia [Thu, 28 Mar 2024 00:09:48 +0000 (00:09 +0000)]
Update release notes for 22.05.20 release
Signed-off-by: Aleisha Amohia <aleisha@catalyst.net.nz>
Wainui Witika-Park [Wed, 27 Mar 2024 23:04:09 +0000 (23:04 +0000)]
Increment version for 22.05.20 release
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Fridolin Somers [Wed, 27 Mar 2024 09:20:03 +0000 (10:20 +0100)]
Bug 24879: (follow-up) Fix test suite
Running cataloguing pluings (in cataloguing/value_builder) now requires
authentification.
This patch adds in failing unit tests a mock of C4::Auth::check_cookie_auth
Test with:
prove t/db_dependent/FrameworkPlugin.t t/db_dependent/Koha/UI/Form/Builder/Biblio.t t/db_dependent/Koha/UI/Form/Builder/Item.t t/db_dependent/Serials.t
(cherry picked from commit
f8a23b8ef46aea60eda9211a3e89af85d650ac26)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
suite
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Wainui Witika-Park [Wed, 27 Mar 2024 01:11:42 +0000 (01:11 +0000)]
Bug 23352: [22.05] (follow-up) change number of tests
Jonathan Druart [Fri, 15 Mar 2024 09:19:16 +0000 (10:19 +0100)]
Bug 24879: Exclude koha_perl_deps.pl
And tidy.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Thu, 14 Mar 2024 15:53:35 +0000 (16:53 +0100)]
Bug 24879: Use perl shebang to list the exec
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Thu, 14 Mar 2024 15:19:06 +0000 (16:19 +0100)]
Bug 24879: Add check_cookie_auth when missing
This can certainly be improved to adjust the permissions, but at least
they are no longer opened to the world..
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Thu, 14 Mar 2024 15:17:55 +0000 (16:17 +0100)]
Bug 24879: Adjust tests
Installer scripts cannot be run from the UI:
debian/templates/apache-shared-intranet.conf:RewriteRule ^/cgi-bin/koha/(C4|debian|etc|installer/data|install_misc|Koha|misc|selenium|t|test|tmp|xt)/|\.PL$ /notfound [PT]
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Thu, 14 Mar 2024 15:14:17 +0000 (16:14 +0100)]
Bug 24879: Remove installer/externalmodules.pl
It is not used, if we need it back it must be moved to misc.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Tue, 17 Mar 2020 10:54:12 +0000 (11:54 +0100)]
Bug 24879: Add new test to catch missing auth statement
in intranet scripts
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Fri, 15 Mar 2024 09:12:41 +0000 (10:12 +0100)]
Bug 31988: Remove reports/itemtypes.plugin
This "plugin system" is only used for the itemtypes report. We can
simply remove the reports/manager.pl script and this plugin in favor of
a dedicated report.
Test plan:
Same behaviour expected before and after this patch
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Thu, 14 Mar 2024 15:42:08 +0000 (16:42 +0100)]
Bug 36322: Redirect docs dir to 404
http://localhost:8081/cgi-bin/koha/docs/CAS/CASProxy/examples/proxy_cas.pl
Test plan:
Hit the link
=> Erk
Copy the apache config to /etc/koha/apache-shared-intranet-git.conf
restart_all
Hit the link
=> 404
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Fridolin Somers [Mon, 18 Mar 2024 15:32:57 +0000 (16:32 +0100)]
Bug 36323: Move koha_perl_deps.pl to misc/devel
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Julian Maurice [Thu, 1 Feb 2024 08:15:23 +0000 (09:15 +0100)]
Bug 35960: Use .val() instead of string concat to prevent potential XSS
Test plan:
1. Log out
2. Go to /cgi-bin/koha/mainpage.pl#somestring"with<html>char
3. Open the brower's inspector and find "auth_forwarded_hash" input
4. Make sure the value attribute is there and corresponds to the URL's
fragment. It should be URI-encoded.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Wainui Witika-Park [Tue, 26 Mar 2024 01:16:03 +0000 (01:16 +0000)]
Bug 36244: DBRev 22.05.19.001
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Kyle M Hall [Thu, 7 Mar 2024 16:10:35 +0000 (11:10 -0500)]
Bug 36244: Add atomic update to check for affected notices
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Fixed some typos in bug numbers and text.
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Andreas Jonsson [Thu, 7 Mar 2024 09:12:25 +0000 (09:12 +0000)]
Bug 36244: Do template toolkit processing first
To avoid injection of template toolkit code
from database fields that are controlled by
untrusted sources.
Test plan:
* review subtest 'Template toolkit syntax in
parameters' in t/db_dependent/Letters.t
* Run the unit test:
prove t/db_dependent/Letters.t
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Andreas Jonsson [Thu, 7 Mar 2024 09:07:49 +0000 (09:07 +0000)]
Bug 36244: Unit test for tt syntax in parameters
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Lucas Gass [Tue, 26 Mar 2024 20:32:15 +0000 (20:32 +0000)]
Bug 36176: Exclude misc/releases_notes/*
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Wed, 28 Feb 2024 15:28:33 +0000 (16:28 +0100)]
Bug 36176: Reject cud- for stable branches
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Wainui Witika-Park [Wed, 28 Feb 2024 21:50:56 +0000 (21:50 +0000)]
Update release notes for 22.05.19 release
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Aleisha Amohia [Wed, 28 Feb 2024 21:23:38 +0000 (21:23 +0000)]
Increment version for 22.05.19 release
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Jonathan Druart [Wed, 14 Feb 2024 07:49:33 +0000 (08:49 +0100)]
Bug 36034: Add test
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Andreas Jonsson [Thu, 8 Feb 2024 10:57:03 +0000 (11:57 +0100)]
Bug 36034: (bug 34893 follow-up) fix capture of return values from checkpw
Adapt code to the change of return value type of checkpw
introduced in bug 34893
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Martin Renvoize [Thu, 8 Feb 2024 15:55:43 +0000 (15:55 +0000)]
Bug 35518: Tidy the moved blocks
This patch just tidies the moved blocks to get us past the QA script
check.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit
b577b6567045184adcb5bb55b7e5c70428e124ee)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit
1f182d45aba607dbfaf63c98f97b8615e5eea09d)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit
d44a697788c947b9deb08aafaeb965f0e2b069f0)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit
870c18a6545092de9fd50c187f68dd0d6574b56b)
Nick Clemens [Fri, 26 Jan 2024 14:10:01 +0000 (14:10 +0000)]
Bug 35518: Check authentication and set userenv before fetching userenv variables
Currently we get the userenv before we have set it correctly for the session
To test:
1 - Sign in as a user with fast cataloging permission
2 - Bring up a patron, type gibberish into barcode field to get a fast cataloging link
3 - Check the link, it should have your current signed in barcode
4 - Sign in to a different browser with a different user and at a different branch
5 - Bring up a aptron in circulation and type gibberish into barcode field to get a fast cataloging link
6 - It may have your branch, but it may also have the other user's branch from the other window
7 - Keep entering gibberish to get a link until one user has the correct branch
8 - Then switch to the other browser, and keep entering gibberish, watch the branchcode change
9 - Apply patch, restart all
10 - Test switching between browsers. generating fast cataloging links
11 - Users should now consistently have the correct branch
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit
90b6f68616e2ba5ca3fcbbd9698c97ef41a45593)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit
26722f2a08af99b9e3cb4eb50398df896085f527)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit
1460974627a7c094144fe4b834f07a5ee0c5b493)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit
70c86eb8926def78636e69b02d4ad47cecce6323)
Jonathan Druart [Wed, 14 Feb 2024 08:45:45 +0000 (09:45 +0100)]
Bug 36092: Pass sessionID at the end of get_template_and_user
It seems safer to pass the logged in user and session info at the end of
the sub.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit
c50372c0b5c490971e4e336541aa85fbb45033d2)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit
2ba597ea70612aec6880a583e9436da2367b5644)
Jonathan Druart [Wed, 14 Feb 2024 09:33:11 +0000 (10:33 +0100)]
Bug 36092: Pass the sessionID from checkauth if we hit auth
If we hit the auth page we were not passing sessionID to the template
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit
0decb260343455caabd4101b0b0e9499723f2951)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit
9580111a206522e90a76d0fbaafdaaca0401d6fd)
Jonathan Druart [Wed, 14 Feb 2024 09:56:17 +0000 (10:56 +0100)]
Bug 36092: Add test
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit
7bc46ea231c3e63e017da2a26a7a8918ed161cab)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit
14cce4e9364792e93c50a1d6bed01d4e85d150d4)
Tomas Cohen Arazi [Fri, 28 Jul 2023 13:40:28 +0000 (10:40 -0300)]
Bug 30524: (QA follow-up) Fix tests
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit
158edb411b32253fae4f068ce416d6ad4d1a67d3)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
(cherry picked from commit
38725ed0af95c318077c46f337795054e31c60e4)
Tomas Cohen Arazi [Thu, 27 Jul 2023 18:33:55 +0000 (15:33 -0300)]
Bug 30524: (QA follow-up) Unit tests for GenerateCSRF()
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit
60d11ae7251a227fab3977ecd61cb01d0f062f79)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit
d4187c77eb3b39977b759af7df7641e70cd96358)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
(cherry picked from commit
26ab7e0b200ac8e5fe4d88603996d823bf63d8bc)
Kyle M Hall [Thu, 27 Jul 2023 11:45:57 +0000 (07:45 -0400)]
Bug 30524: (QA follow-up) Only generate CSRF token if it will be used
This patch avoids generating CSRF tokens unless the csrf-token.inc file
is included in the template.
Passed token doesn't need HTML escaped. The docs for WWW::CSRF state:
The returned CSRF token is in a text-only form suitable for inserting into a HTML form without further escaping (assuming you did not send in strange things to the Time option).
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit
ddf1eb6cef14da365675890920ff72f010c59527)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit
73ca151686b682aaa2b950ccbc89fcec14514112)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
(cherry picked from commit
b1bd7ec29a0febddc210dbdc3bef0a78e37c7719)
Kyle M Hall [Tue, 30 Jan 2024 15:58:02 +0000 (10:58 -0500)]
Bug 35942: OPAC user can enroll several times to the same club [23.05.x]
Test Plan:
1) Create 3 clubs, 1 limited to library A, 1 limited to library B and one not limited
2) Use a patron with home library A.
3) Go to the opac-user page, "Clubs" tab show 0/2 (the one from library B is not listed)
4) Browse to /cgi-bin/koha/svc/club/enroll?id=1
5) Reload that page a couple times
6) Note the patron is now enrolled in the same club multiple times
7) Delete those enrollments
8) Apply this patch
9) Restart all the things!
10) Repeat steps 2-7, note the lack of duplicate enrollments!
11) Repeat steps 2-10 for the staff interface
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit
9bdab108e22768b018b017ed7c0e0016270f2570)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Jonathan Druart [Fri, 26 Jan 2024 07:58:17 +0000 (08:58 +0100)]
Bug 35918: Fix auto library connect (AutoLocation)
This code is a bit weird, its purpose it to auto select the library depending on the IP.
A problem appears if the same IP is used, then the user's choice will
might be overwritten randomly by another library.
To recreate the problem:
Turn on AutoLocation
Use koha/koha @CPL for test
And the following config:
*************************** 1. row ***************************
branchcode: CPL
branchname: Centerville
branchip: 172.18.0.1
*************************** 2. row ***************************
branchcode: FFL
branchname: Fairfield
branchip: 172.18.0.1
*************************** 3. row ***************************
branchcode: FPL
branchname: Fairview
branchip: 172.18.0.4
Connect and select CPL. Randomly FFL will be picked instead.
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tested this on top of 35890 and 35904 because git bz said they were required dependencies.
Figured out the IP Koha was seeing me as coming from in /var/log/koha/kohadev/plack.log.
Added that IP to the branchip for Centerville, Fairfield and Fairview. Set AutoLocation = Yes.
After this I could recreate the problem: If i left the "Library" field in the login screen
at "My Library" I got logged into a random library selected from the three i had set
branchip for. Applying the patches fixed this, as expected.
Tests pass, with AutoLocation off.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Fri, 26 Jan 2024 07:57:03 +0000 (08:57 +0100)]
Bug 35918: Add test
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Thu, 25 Jan 2024 08:36:01 +0000 (09:36 +0100)]
Bug 35890: Add tests for AutoLocation
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Wed, 24 Jan 2024 15:25:30 +0000 (16:25 +0100)]
Bug 35890: Reject login if IP is not valid
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Wed, 24 Jan 2024 15:24:51 +0000 (16:24 +0100)]
Bug 35890: Remove var loggedin
It is never used and add confusion
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Victor Grousset/tuxayo [Thu, 15 Feb 2024 03:18:37 +0000 (04:18 +0100)]
Bug 35904: (QA follow-up): tidy up code
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Thu, 25 Jan 2024 09:35:41 +0000 (10:35 +0100)]
Bug 35904: Make C4::Auth::checkauth testable easily
This patch suggests to add a new flag do_not_print to
C4::Auth::checkauth to not print the headers and allow to test this
subroutine more easily.
We do no longer need to mock safe_exit and redirect STDOUT to test its
return values.
There are still 3 left:
1.
733 # checkauth will redirect and safe_exit if not authenticated and not authorized
=> Better to keep this one, not trivial to replace
2.
806 # This will fail on permissions
This should be replaced but testing $template->{VARS}->{nopermission}
fails, I dont' think the comment is better.
3.
828 # Patron does not have the borrowers permission
Same as 2.
2. and 3. should be investigated a bit more.
This patch also move duplicated code to set patron's password to a
subroutine set_weak_password.
Test plan:
Read the code and confirm that everything makes sense.
QA: Do you have a better way for this? Yes it's dirty!
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Tomas Cohen Arazi [Wed, 17 Nov 2021 21:09:02 +0000 (18:09 -0300)]
Bug 29510: (follow-up) Adapt GET /patrons/:patron_id
This patch makes GET /patrons/:patron_id rely on this new behavior from the
objects.find helper.
To test:
1. Run:
$ kshell
k$ prove t/db_dependent/api/v1/patrons.t
=> SUCCESS: Tests pass!
2. Apply this patch
3. Repeat 1
=> SUCCESS: Tests still pass!
4. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Tomas Cohen Arazi [Wed, 17 Nov 2021 21:03:00 +0000 (18:03 -0300)]
Bug 29510: Make objects.find call search_limited if present
This patch makes objects.find implicitly update the passed
*$result_set* to use search_limited. This way no object leaks could
happen without noticing.
To test:
1. Apply the regression tests patch
2. Run:
$ kshell
k$ prove t/db_dependent/Koha/REST/Plugin/Objects.t
=> FAIL: Tests fail because search_limited is not used
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass! Results are correctly filtered based on userenv!
5. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Tomas Cohen Arazi [Wed, 17 Nov 2021 21:02:17 +0000 (18:02 -0300)]
Bug 29510: Regression tests
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Kyle M Hall [Tue, 30 Jan 2024 14:32:12 +0000 (14:32 +0000)]
Bug 35941: (QA follow-up) Tidy clubs-tab.pl
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Tue, 30 Jan 2024 13:53:03 +0000 (14:53 +0100)]
Bug 35941: Limit club list to those from the logged in user
clubs-tab get the patron's id from the parameter. At the OPAC we must
use the one from the logged in user, to prevent leak to other users
Test plan:
Have 2 clubs: A, B
Enroll to A with patron borrowernumber=1
Enroll to B with patron borrowernumber=2
Log in with patron 1 and hit:
http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=1
=> OK
Now hit
http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=2
=> oops
Apply this patch, try again.
The "borrowernumber" parameter is no longer used to fetch the club list.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Marcel de Rooy [Tue, 13 Feb 2024 12:36:44 +0000 (12:36 +0000)]
Bug 36072: opac-request-article should check syspref
Note: This is handled now just like opac-reserve.
Test plan:
Disable ArticleRequests and hit the page.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Wainui Witika-Park [Mon, 29 Jan 2024 00:06:42 +0000 (00:06 +0000)]
Update release notes for 22.05.18 release
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
root [Sun, 28 Jan 2024 23:37:54 +0000 (12:37 +1300)]
Increment version for 22.05.18 release
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Martin Renvoize [Tue, 6 Dec 2022 20:07:02 +0000 (17:07 -0300)]
Bug 35343: Add record accessor method to Koha::Authority
Code lifted from bug 31794 to fix already backported bug 26611.
Unit tests included.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit
40115a2c8cba3e081ffd0710899ef4556a3bbb54)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Tomas Cohen Arazi [Wed, 17 Aug 2022 13:33:07 +0000 (10:33 -0300)]
Bug 27342: Fix C4::ILSDI::Services::AuthenticatePatron
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Tomas Cohen Arazi [Tue, 16 Aug 2022 13:50:47 +0000 (10:50 -0300)]
Bug 27342: (QA follow-up) Fix test
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Martin Renvoize [Wed, 10 Aug 2022 07:12:53 +0000 (08:12 +0100)]
Bug 27342: (QA follow-up) Remove dbh from new tests
Jonathan Druart [Tue, 5 Jan 2021 10:28:16 +0000 (11:28 +0100)]
Bug 27342: Remove dbh from C4::Auth
We must not pass $dbh but retrieve it when needed instead
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Jonathan Druart [Tue, 5 Jan 2021 10:18:26 +0000 (11:18 +0100)]
Bug 27342: Improve test for OPAC
We don't need to build allowed_scripts_for_private_opac for staff
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Wainui Witika-Park [Wed, 27 Mar 2024 01:03:49 +0000 (01:03 +0000)]
Bug 34893: [22.05] (follow-up) change number of tests
Wainui Witika-Park [Wed, 28 Feb 2024 21:50:56 +0000 (21:50 +0000)]
Update release notes for 22.05.19 release
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Aleisha Amohia [Wed, 28 Feb 2024 21:23:38 +0000 (21:23 +0000)]
Increment version for 22.05.19 release
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Jonathan Druart [Wed, 14 Feb 2024 07:49:33 +0000 (08:49 +0100)]
Bug 36034: Add test
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Andreas Jonsson [Thu, 8 Feb 2024 10:57:03 +0000 (11:57 +0100)]
Bug 36034: (bug 34893 follow-up) fix capture of return values from checkpw
Adapt code to the change of return value type of checkpw
introduced in bug 34893
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Martin Renvoize [Thu, 8 Feb 2024 15:55:43 +0000 (15:55 +0000)]
Bug 35518: Tidy the moved blocks
This patch just tidies the moved blocks to get us past the QA script
check.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit
b577b6567045184adcb5bb55b7e5c70428e124ee)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit
1f182d45aba607dbfaf63c98f97b8615e5eea09d)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit
d44a697788c947b9deb08aafaeb965f0e2b069f0)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit
870c18a6545092de9fd50c187f68dd0d6574b56b)
Nick Clemens [Fri, 26 Jan 2024 14:10:01 +0000 (14:10 +0000)]
Bug 35518: Check authentication and set userenv before fetching userenv variables
Currently we get the userenv before we have set it correctly for the session
To test:
1 - Sign in as a user with fast cataloging permission
2 - Bring up a patron, type gibberish into barcode field to get a fast cataloging link
3 - Check the link, it should have your current signed in barcode
4 - Sign in to a different browser with a different user and at a different branch
5 - Bring up a aptron in circulation and type gibberish into barcode field to get a fast cataloging link
6 - It may have your branch, but it may also have the other user's branch from the other window
7 - Keep entering gibberish to get a link until one user has the correct branch
8 - Then switch to the other browser, and keep entering gibberish, watch the branchcode change
9 - Apply patch, restart all
10 - Test switching between browsers. generating fast cataloging links
11 - Users should now consistently have the correct branch
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit
90b6f68616e2ba5ca3fcbbd9698c97ef41a45593)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit
26722f2a08af99b9e3cb4eb50398df896085f527)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit
1460974627a7c094144fe4b834f07a5ee0c5b493)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit
70c86eb8926def78636e69b02d4ad47cecce6323)
Jonathan Druart [Wed, 14 Feb 2024 08:45:45 +0000 (09:45 +0100)]
Bug 36092: Pass sessionID at the end of get_template_and_user
It seems safer to pass the logged in user and session info at the end of
the sub.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit
c50372c0b5c490971e4e336541aa85fbb45033d2)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit
2ba597ea70612aec6880a583e9436da2367b5644)
Jonathan Druart [Wed, 14 Feb 2024 09:33:11 +0000 (10:33 +0100)]
Bug 36092: Pass the sessionID from checkauth if we hit auth
If we hit the auth page we were not passing sessionID to the template
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit
0decb260343455caabd4101b0b0e9499723f2951)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit
9580111a206522e90a76d0fbaafdaaca0401d6fd)
Jonathan Druart [Wed, 14 Feb 2024 09:56:17 +0000 (10:56 +0100)]
Bug 36092: Add test
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit
7bc46ea231c3e63e017da2a26a7a8918ed161cab)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit
14cce4e9364792e93c50a1d6bed01d4e85d150d4)
Tomas Cohen Arazi [Fri, 28 Jul 2023 13:40:28 +0000 (10:40 -0300)]
Bug 30524: (QA follow-up) Fix tests
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit
158edb411b32253fae4f068ce416d6ad4d1a67d3)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
(cherry picked from commit
38725ed0af95c318077c46f337795054e31c60e4)
Tomas Cohen Arazi [Thu, 27 Jul 2023 18:33:55 +0000 (15:33 -0300)]
Bug 30524: (QA follow-up) Unit tests for GenerateCSRF()
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit
60d11ae7251a227fab3977ecd61cb01d0f062f79)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit
d4187c77eb3b39977b759af7df7641e70cd96358)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
(cherry picked from commit
26ab7e0b200ac8e5fe4d88603996d823bf63d8bc)
Kyle M Hall [Thu, 27 Jul 2023 11:45:57 +0000 (07:45 -0400)]
Bug 30524: (QA follow-up) Only generate CSRF token if it will be used
This patch avoids generating CSRF tokens unless the csrf-token.inc file
is included in the template.
Passed token doesn't need HTML escaped. The docs for WWW::CSRF state:
The returned CSRF token is in a text-only form suitable for inserting into a HTML form without further escaping (assuming you did not send in strange things to the Time option).
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit
ddf1eb6cef14da365675890920ff72f010c59527)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit
73ca151686b682aaa2b950ccbc89fcec14514112)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
(cherry picked from commit
b1bd7ec29a0febddc210dbdc3bef0a78e37c7719)
Kyle M Hall [Tue, 30 Jan 2024 15:58:02 +0000 (10:58 -0500)]
Bug 35942: OPAC user can enroll several times to the same club [23.05.x]
Test Plan:
1) Create 3 clubs, 1 limited to library A, 1 limited to library B and one not limited
2) Use a patron with home library A.
3) Go to the opac-user page, "Clubs" tab show 0/2 (the one from library B is not listed)
4) Browse to /cgi-bin/koha/svc/club/enroll?id=1
5) Reload that page a couple times
6) Note the patron is now enrolled in the same club multiple times
7) Delete those enrollments
8) Apply this patch
9) Restart all the things!
10) Repeat steps 2-7, note the lack of duplicate enrollments!
11) Repeat steps 2-10 for the staff interface
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit
9bdab108e22768b018b017ed7c0e0016270f2570)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Jonathan Druart [Fri, 26 Jan 2024 07:58:17 +0000 (08:58 +0100)]
Bug 35918: Fix auto library connect (AutoLocation)
This code is a bit weird, its purpose it to auto select the library depending on the IP.
A problem appears if the same IP is used, then the user's choice will
might be overwritten randomly by another library.
To recreate the problem:
Turn on AutoLocation
Use koha/koha @CPL for test
And the following config:
*************************** 1. row ***************************
branchcode: CPL
branchname: Centerville
branchip: 172.18.0.1
*************************** 2. row ***************************
branchcode: FFL
branchname: Fairfield
branchip: 172.18.0.1
*************************** 3. row ***************************
branchcode: FPL
branchname: Fairview
branchip: 172.18.0.4
Connect and select CPL. Randomly FFL will be picked instead.
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tested this on top of 35890 and 35904 because git bz said they were required dependencies.
Figured out the IP Koha was seeing me as coming from in /var/log/koha/kohadev/plack.log.
Added that IP to the branchip for Centerville, Fairfield and Fairview. Set AutoLocation = Yes.
After this I could recreate the problem: If i left the "Library" field in the login screen
at "My Library" I got logged into a random library selected from the three i had set
branchip for. Applying the patches fixed this, as expected.
Tests pass, with AutoLocation off.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Fri, 26 Jan 2024 07:57:03 +0000 (08:57 +0100)]
Bug 35918: Add test
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Thu, 25 Jan 2024 08:36:01 +0000 (09:36 +0100)]
Bug 35890: Add tests for AutoLocation
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Wed, 24 Jan 2024 15:25:30 +0000 (16:25 +0100)]
Bug 35890: Reject login if IP is not valid
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Wed, 24 Jan 2024 15:24:51 +0000 (16:24 +0100)]
Bug 35890: Remove var loggedin
It is never used and add confusion
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Victor Grousset/tuxayo [Thu, 15 Feb 2024 03:18:37 +0000 (04:18 +0100)]
Bug 35904: (QA follow-up): tidy up code
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Thu, 25 Jan 2024 09:35:41 +0000 (10:35 +0100)]
Bug 35904: Make C4::Auth::checkauth testable easily
This patch suggests to add a new flag do_not_print to
C4::Auth::checkauth to not print the headers and allow to test this
subroutine more easily.
We do no longer need to mock safe_exit and redirect STDOUT to test its
return values.
There are still 3 left:
1.
733 # checkauth will redirect and safe_exit if not authenticated and not authorized
=> Better to keep this one, not trivial to replace
2.
806 # This will fail on permissions
This should be replaced but testing $template->{VARS}->{nopermission}
fails, I dont' think the comment is better.
3.
828 # Patron does not have the borrowers permission
Same as 2.
2. and 3. should be investigated a bit more.
This patch also move duplicated code to set patron's password to a
subroutine set_weak_password.
Test plan:
Read the code and confirm that everything makes sense.
QA: Do you have a better way for this? Yes it's dirty!
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Tomas Cohen Arazi [Wed, 17 Nov 2021 21:09:02 +0000 (18:09 -0300)]
Bug 29510: (follow-up) Adapt GET /patrons/:patron_id
This patch makes GET /patrons/:patron_id rely on this new behavior from the
objects.find helper.
To test:
1. Run:
$ kshell
k$ prove t/db_dependent/api/v1/patrons.t
=> SUCCESS: Tests pass!
2. Apply this patch
3. Repeat 1
=> SUCCESS: Tests still pass!
4. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Tomas Cohen Arazi [Wed, 17 Nov 2021 21:03:00 +0000 (18:03 -0300)]
Bug 29510: Make objects.find call search_limited if present
This patch makes objects.find implicitly update the passed
*$result_set* to use search_limited. This way no object leaks could
happen without noticing.
To test:
1. Apply the regression tests patch
2. Run:
$ kshell
k$ prove t/db_dependent/Koha/REST/Plugin/Objects.t
=> FAIL: Tests fail because search_limited is not used
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass! Results are correctly filtered based on userenv!
5. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Tomas Cohen Arazi [Wed, 17 Nov 2021 21:02:17 +0000 (18:02 -0300)]
Bug 29510: Regression tests
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Kyle M Hall [Tue, 30 Jan 2024 14:32:12 +0000 (14:32 +0000)]
Bug 35941: (QA follow-up) Tidy clubs-tab.pl
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Tue, 30 Jan 2024 13:53:03 +0000 (14:53 +0100)]
Bug 35941: Limit club list to those from the logged in user
clubs-tab get the patron's id from the parameter. At the OPAC we must
use the one from the logged in user, to prevent leak to other users
Test plan:
Have 2 clubs: A, B
Enroll to A with patron borrowernumber=1
Enroll to B with patron borrowernumber=2
Log in with patron 1 and hit:
http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=1
=> OK
Now hit
http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=2
=> oops
Apply this patch, try again.
The "borrowernumber" parameter is no longer used to fetch the club list.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Marcel de Rooy [Tue, 13 Feb 2024 12:36:44 +0000 (12:36 +0000)]
Bug 36072: opac-request-article should check syspref
Note: This is handled now just like opac-reserve.
Test plan:
Disable ArticleRequests and hit the page.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Wainui Witika-Park [Mon, 29 Jan 2024 00:06:42 +0000 (00:06 +0000)]
Update release notes for 22.05.18 release
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
root [Sun, 28 Jan 2024 23:37:54 +0000 (12:37 +1300)]
Increment version for 22.05.18 release
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Wainui Witika-Park [Thu, 25 Jan 2024 00:00:01 +0000 (13:00 +1300)]
Merge remote-tracking branch 'upstream/22.05.x' into HEAD
Tomas Cohen Arazi [Wed, 17 Aug 2022 13:33:07 +0000 (10:33 -0300)]
Bug 27342: Fix C4::ILSDI::Services::AuthenticatePatron
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>