Owen Leonard [Tue, 25 Feb 2025 12:48:36 +0000 (12:48 +0000)]
Bug 37266: [24.05.x] patron_lists/delete.pl should have CSRF protection
This patch adds CSRF protection to patron list deletions.
Also changed: The "Delete selected lists" button is now in a floating
toolbar.
To test, apply the patch and go to Tools -> Patron lists.
- If necessary, create a few patron lists.
- Test the two methods for list deletion available on the page:
- Check one or more checkboxes and then click the "Delete selected
lists" at the top of the page.
- Click the "Actions" button for an individual list and choose "Delete
list."
- Open the checkout page for a patron.
- Under the "Patron lists" tab, add the patron to a list.
- Click the "Actions" button for that list and choose "Delete
list."
- When you are taken to the patron lists page the list should have
been deleted.
- Perform the same test on the patron details page.
Sponsored-by: Athens County Public Libraries Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
David Cook [Thu, 20 Feb 2025 00:04:39 +0000 (00:04 +0000)]
Bug 39170: Improve validation of report ID
This change improves the validation of the report ID passed by the user.
Test plan:
0. Apply the patch
1. koha-plack --restart kohadev
2. Create a SQL report
3. Go to /cgi-bin/koha/tools/scheduler.pl
4. Add in a Time, Date, and Email
5. Choose your report from the list
6. Click "Save"
7. Note that your report is saved
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
In the `opac-detail.pl` case, it is a simple change by removing MARC
data traversal in favor of the new method. The code checking
suppression gets moved up so we don't process or make any other
calculations if the record is suppressed.
The other two scripts were completely missing the check and thus
leaking suppressed records.
To test:
1. Pick two records, one marked as suppressed, and the other not
suppressed.
2. Try accessing them in the OPAC detail page.
=> SUCCESS: Suppressed records are suppressed, and not suppressed ones
are not.
3. Try the same records on the ISBD and MARC view
=> FAIL: They are not suppressed!
4. Apply this patch
5. Repeat 2
=> SUCCESS: Suppression is still respected
6. Repeat 3
=> SUCCESS: Suppression is respected on the ISBD and MARC views
7. Sign off :-D
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Works as advertised. Remember to activate OPAC suppression with
OpacSuppression.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
This patch adds a convenient method at the Koha::Biblio level, as a
wrapper for the extractor added on this bug. Following the established
pattern we adopted a while back.
To test:
1. Apply this patch
2. Run:
$ ktd --shell
k$ prove t/db_dependent/Koha/Biblio.t
=> SUCCESS: Tests pass! All use cases covered!
3. Sign off :-D
Signed-off-by: Magnus Enger <magnus@libriotech.no> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
This patch adds an extractor method for the historically hardcoded field
942$n. This way we have a single place in which we code the extraction
and sanitization of its value.
To test:
1. Apply this patch
2. Run:
$ ktd --shell
k$ prove t/db_dependent/Koha/Biblio/Metadata/Extractor/MARC.t
=> SUCCESS: Tests pass! All use cases are covered!
3. Sign off :-D
Signed-off-by: Magnus Enger <magnus@libriotech.no> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Marcel de Rooy [Fri, 14 Feb 2025 07:27:13 +0000 (07:27 +0000)]
Bug 36081: (QA follow-up) Resolve IsNotDebit exception in ArticleRequests.t
Resolve (when running ArticleRequests.t):
Exception 'Koha::Exceptions::Account::IsNotDebit' thrown 'Account line 326 is not a debit'
This occurs after switching from ArticleRequest->new to TestBuilder.
TestBuilder creates an account line that has a credit_type_code and
a debit_type_code. (This could be fixed further somewhere else.)
For now, just setting debit_id to NULL.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Jonathan Druart [Mon, 10 Feb 2025 10:31:34 +0000 (11:31 +0100)]
Bug 36081: Fix some failing tests
Signed-off-by: Magnus Enger <magnus@libriotech.no> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Jonathan Druart [Fri, 31 Jan 2025 13:42:49 +0000 (14:42 +0100)]
Bug 36081: Mock format
Signed-off-by: Magnus Enger <magnus@libriotech.no> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Jonathan Druart [Fri, 31 Jan 2025 13:10:03 +0000 (14:10 +0100)]
Bug 36081: Force TestBuilder to generate a valid format value
Signed-off-by: Magnus Enger <magnus@libriotech.no> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Jonathan Druart [Thu, 30 Jan 2025 15:48:40 +0000 (16:48 +0100)]
Bug 36081: Use multivalue_preference
C4::Context->multivalue_preference is not used so far and split on |
However the values of "multiple" sysprefs are separated by... comma!
Let's support both here.
This patch also removes silly JS code in the template.
Signed-off-by: Magnus Enger <magnus@libriotech.no> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Marcel de Rooy [Tue, 13 Feb 2024 13:32:06 +0000 (13:32 +0000)]
Bug 36081: Check SupportedFormats server side
Test plan:
Add article request with format via OPAC.
Run t/db_dependent/Koha/ArticleRequest.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tests in t/db_dependent/Koha/ArticleRequest.t pass. I can add an
article request with a type. If I allow PHOTOCOPY but change the
HTML in the OPAC form so SCAN is submitted I get a nice (but
somewhat generic) error.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Nick Clemens [Tue, 1 Oct 2024 14:05:56 +0000 (14:05 +0000)]
Bug 37810: (QA follow-up) Tidy
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Pedro Amorim [Mon, 2 Sep 2024 14:51:31 +0000 (14:51 +0000)]
Bug 37810: Consider ServiceActive on status response
Some SUSHI providers return ServiceActive instead of the documented Service_Active:
https://countermetrics.stoplight.io/docs/counter-sushi-api/f0dd30f814944-server-status
This ensures the test connection does not fail regardless of what is used
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Pedro Amorim [Thu, 19 Sep 2024 12:36:54 +0000 (12:36 +0000)]
Bug 37810: Add test
Test plan:
1) Apply only tests patch, run:
prove t/db_dependent/Koha/ERM/EUsage/UsageDataProvider.t
2) Verify tests fail
3) Apply fix patch
4) Run tests again, verify they pass
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
David Cook [Mon, 20 Jan 2025 02:55:12 +0000 (02:55 +0000)]
Bug 38913: (QA follow-up) test UTF-8 exceptions in large MARC records
MARC records with over 99999 bytes are invalid by spec, and when you use
UTF-8 encoded characters in your MARC records, there is the potential
to generate fatal errors in MARC::File::USMARC when it runs
"marc_to_utf8" from "MARC::File::Encode" during its "decode" operation.
That is, if you MARC::File::USMARC->encode a MARC record
with over 99999 bytes (including a number of UTF-8 bytes), there
is the potential when you run MARC::File::USMARC->decode on that same
data that you'll generate a fatal exception.
The main patch in bug 38913 wraps the function doing the decode,
so that a bad record doesn't crash processing.
Without the patch, this unit test will fail. With the patch, this
unit test will pass.
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 9d41abc1e77c15ee88f66ba7aa0b419524760293) Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Janusz Kaczmarek [Thu, 16 Jan 2025 21:04:28 +0000 (21:04 +0000)]
Bug 38913: (bug 38416 follow-up) Elasticsearch indexing explodes with oversized records
After Bug 38416 Elasticsearch indexing explodes with oversized
records, especially with UTF encoded data.
In Koha::SearchEngine::Elasticsearch::marc_records_to_documents the
following snippet has been introduced:
    my $usmarc_record = $record->as_usmarc();
    my $decoded_usmarc_record = MARC::Record->new_from_usmarc($usmarc_record);
But if $record is oversized (> 99999 bytes), it is OK for MARC::Record
object, but not for $record->as_usmarc. The produced ISO 2709 string
is not correct and hence cannot be properly converted back to
MARC::Record object by new_from_usmarc.
The result in this case can be like:
UTF-8 "\x85" does not map to Unicode at /usr/share/perl5/MARC/File/Encode.pm line 35.
Since it is done without any eval / try, the whole reindex procedure
(for instance rebuild_elasticsearch.pl) is being randomly interrupted
with no explanation.
Test plan:
==========
Hard to reproduce. But the explanation together with discussion in Bug
38416 (from 2024-12-15) explains and justifies the need of this added
eval.
1. Have a standard KTD installation with Elasticsearch.
2. Use the provided test record - add it to Koha with
./misc/migration_tools/bulkmarcimport.pl -b -file test.xml -m=MARCXML
(have patience).
During load process you should see a message like:
UTF-8 "\xC4" does not map to Unicode at /usr/share/perl5/MARC/File/Encode.pm line 35.
3. The record should get biblionumber 439. Check in librarian interface with
http://<your_address>:8081/cgi-bin/koha/catalogue/detail.pl?biblionumber=439
that the record has been imported.
However, you should not be able to make a search for this record.
4. Try to reindex with:
./misc/search_tools/rebuild_elasticsearch.pl -b -bn 439
You should get a message like:
UTF-8 "\xC4" does not map to Unicode at /usr/share/perl5/MARC/File/Encode.pm line 35.
Again, no search results.
5. Apply the patch ; restart_all.
6. Repeat reindex with:
./misc/search_tools/rebuild_elasticsearch.pl -b -bn 439
There should be no warning now and you should be able to find the record.
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Followed the test plan. Works as advertised.
Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit c7127fabf4ebe736a3563df4bd3e500691d0b632) Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Bug 38779: Add built record sources assets on install
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 1de253eb508528bdfa90502b3073a73cfd36c478) Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
David Cook [Mon, 18 Nov 2024 04:46:31 +0000 (04:46 +0000)]
Bug 38469: Replace single quotes with double quotes to prevent XSS
This change replaces single quotes with double quotes to prevent XSS
for particular operations on the circ returns page.
Test plan:
0. Apply the patch
1. Go to http://localhost:8081/cgi-bin/koha/circ/returns.pl?print_slip=1&reserve_id=1
2. Note that a print slip is generated
(you may need to allow popups)
3. To test the XSS is patched, try the proof-of-concept from the
bug report
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Baptiste Wojtkowski <baptiste.wojtkowski@biblibre.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
Matt Blenkinsop [Fri, 31 Jan 2025 13:14:24 +0000 (13:14 +0000)]
Bug 39007: [24.05] Update API spec and unit test
Test plan:
1) Run prove t/db_dependent/api/v1/erm_sushi_services.t - FAIL
2) Apply patch
3) Repeat step 1 - PASS
4) Inspect patch diff and note that last_audit has been added to the API definition
Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de>
Bug 28907: REST - Drop support for allow-owner functionality
...and allow-guarantor functionality. Replaced by $c->auth->public($patron_id)
and/or $c->auth->public_guarantor($patron_id), where $patron_id is the patron's
id that owns the requested resource.
Old method, was applicable to both privileged and public routes:
New method, use public routes with no x-koha-authorization:
GET /public/route/{patron_id}
Koha/REST/V1/Controller#public_action:
    sub public_action {
        my $c = shift->openapi->valid_input or return;
        my $patron_id = $c->param( 'patron_id' );
        try {
            # Throws an exception that will render a response of 401 if not
            # authenticated and 403 if trying to access another user's resources
            $c->auth->public($patron_id); #or $c->auth->public_guarantor($patron_id)
            ...
            # other code
            ...
        }
        catch {
            $c->unhandled_exception($_);
        }
    }
Another example of retrieving $patron_id when patron_id is not a request
parameter:
GET /public/another/object/{another_object_id}
    my $patron_id = Another::Object->find($another_object_id)->borrowernumber;
    try {
        # 403 if $another_object_id does not belong to API user
        $c->auth->public($patron_id);
        ...
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
https://bugs.koha-community.org/show_bug.cgi?id=28907
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
To test:
1. prove t/db_dependent/Koha/REST/Plugin/Auth/PublicRoutes.t
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Bug 28907: Add REST exceptions for public routes auth
To test:
1. perl -c Koha/REST/Plugin/Exceptions.pm
2. perl -c Koha/Exceptions/REST.pm
More tests coming in following patches.
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Phil Ringnalda [Fri, 13 Dec 2024 18:34:09 +0000 (10:34 -0800)]
Bug 38467: (follow-up) Update cpanfile
For use_rfc3986() to work, we need at least Template::Toolkit 2.27.
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Phil Ringnalda [Fri, 13 Dec 2024 18:12:36 +0000 (10:12 -0800)]
Bug 38467: (follow-up) Fix test
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Jonathan Druart [Wed, 20 Nov 2024 08:57:06 +0000 (09:57 +0100)]
Bug 38467: Add test
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
David Cook [Mon, 18 Nov 2024 05:37:18 +0000 (05:37 +0000)]
Bug 38467: Make uri and url filters rfc3986 when using C4::Template
This change invokes Template::Filters->use_rfc3986 in the C4::Template
module.
Test plan:
0. Apply the patch
1. Note that "uri" and "url" filters now escape single quotes
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Magnus Enger [Wed, 4 Sep 2024 06:13:05 +0000 (08:13 +0200)]
Bug 37816: Stop SIP2 from logging passwords
Koha's SIP2 server does a lot of logging, including all incoming
requests, in full. This means that passwords are logged, both for
the user the SIP2 client uses for logging into Koha, as well as
for the end users who provide a password to e.g. check something
out. This patch replaces passwords with three asterisks in
log strings, before they are written to the log.
To test, in ktd:
- Run the new tests:
$ prove t/db_dependent/SIP/Sip.t
- Tail the SIP2 logs:
$ sudo tail -f /var/log/koha/kohadev/sip*.log
- Telnet into the SIP2 server:
$ telnet localhost 6001
- Try logging in by pasting this into the telnet session:
"9300CNterm1|COmypassword|CPCPL|"
- Verify that "mypassword" is replaced by "***" in the logs
- Try different values for the password, including the correct password
which is "term1" in ktd
- Try other SIP2 messages that include password fields (AC, AD, CO)
Update 2024-12-03: Fix issues pointed out by QA.
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
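The masking described in Bug 37816, as an added example that is not Koha's own code (Koha's SIP2 server is Perl; the logic is sketched here in JavaScript). The fixed-header widths follow the SIP2 message layouts, and the function names, the table of message types and the checkout sample are assumptions made for illustration. It also shows why a pattern that is not anchored to field boundaries damages other fields.

```javascript
// Field IDs the test plan above names as carrying passwords:
// AC (terminal password), AD (patron password), CO (login password).
const PASSWORD_FIELDS = new Set(["AC", "AD", "CO"]);
const MASK = "***";

// Width of the fixed-length header that follows the 2-character command
// code, for a few request types (assumption: only these are listed here).
const FIXED_HEADER_LEN = new Map([
  ["93", 2],  // login: UID algorithm + PWD algorithm
  ["11", 38], // checkout: renewal policy, no block, two 18-char timestamps
  ["23", 21], // patron status request: language + timestamp
  ["63", 31], // patron information: language + timestamp + summary
]);

// Return a copy of a raw SIP2 request that is safe to write to a log.
function maskSipPasswords(raw) {
  // Keep the line terminator out of the last field.
  const tail = raw.match(/[\r\n]*$/)[0];
  const msg = raw.slice(0, raw.length - tail.length);
  const fixedLen = FIXED_HEADER_LEN.get(msg.slice(0, 2));

  if (fixedLen === undefined) {
    // Unknown message type: only mask fields that start right after a
    // delimiter, so text inside other values is never touched.
    return msg.replace(/\|(AC|AD|CO)[^|]*/g, "|$1" + MASK) + tail;
  }

  // Known message type: skip the fixed header, then treat the rest as
  // "|"-delimited fields whose first two characters are the field ID.
  const headEnd = 2 + fixedLen;
  const fields = msg.slice(headEnd).split("|").map((field) => {
    const id = field.slice(0, 2);
    return PASSWORD_FIELDS.has(id) ? id + MASK : field;
  });
  return msg.slice(0, headEnd) + fields.join("|") + tail;
}

// For comparison: a pattern with no field anchoring. It hides the
// passwords but also rewrites any value that happens to contain AC/AD/CO.
function naiveMask(raw) {
  return raw.replace(/(AC|AD|CO)[^|]*/g, "$1" + MASK);
}

// Login message from the test plan above.
const SAMPLE_LOGIN = "9300CNterm1|COmypassword|CPCPL|";

// Constructed checkout message (not from the page): patron ID "JACOB"
// contains the letters "AC" and "CO".
const SAMPLE_CHECKOUT =
  "11YN" + "20240904" + "    " + "081305" + " ".repeat(18) +
  "AOCPL|AAJACOB|AB3999|ACtermpw|ADs3cret|";

console.log(maskSipPasswords(SAMPLE_LOGIN));
console.log(maskSipPasswords(SAMPLE_CHECKOUT));
console.log(naiveMask(SAMPLE_CHECKOUT)); // patron ID is mangled here
```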
Julian Maurice [Fri, 15 Nov 2024 10:24:17 +0000 (11:24 +0100)]
Bug 38454: Flush memory cache before every API request
Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Jonathan Druart [Mon, 6 Jan 2025 13:26:00 +0000 (14:26 +0100)]
Bug 38829: Add a test
Signed-off-by: Magnus Enger <magnus@libriotech.no> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Added a shebang line.
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
David Cook [Mon, 18 Nov 2024 05:15:26 +0000 (05:15 +0000)]
Bug 38470: Add missing double quotes to some Javascript
This change adds some double quotes where quotes were missing,
and replaces single quotes with double quotes, which prevents XSS.
Test plan:
0. Apply the patch
1. Create a subscription
2. Using the ID from the subscription, go to this page:
http://localhost:8081/cgi-bin/koha/serials/subscription-detail.pl?
print_routing_list_issue=1&subscriptionid=<SUBSCRIPTIONID>
3. Note that you're able to generate a print slip
(You may need to allow popups)
4. To check the security vulnerability is fixed, try the proof-of-concepts
attached to the bug report
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
David Cook [Mon, 18 Nov 2024 04:14:37 +0000 (04:14 +0000)]
Bug 38468: Add double quotes to some template strings
This change adds double quotes to some template strings where
quotes are missing altogether or single quotes are used incorrectly.
Test plan:
0. Apply the patch
1. Go to http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=test
2. Click on "Gairm"
3. Use the search result navigation box to go to the next result
On the left of the page. Just below the breadcrumb and
left of the record title.
4. Note that everything loads correctly
5. To test that the security hole has been fixed, try some of the
proof-of-concept attacks provided for biblionumber and searchid
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Baptiste Wojtkowski <baptiste.wojtkowski@biblibre.com> Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
David Cook [Thu, 17 Oct 2024 05:35:56 +0000 (05:35 +0000)]
Bug 37727: Prevent CSV Formula injection via DataTables
This change prevents CSV Formula injection on DataTables exports
by escaping formula with a single quote prefix as per OWASP recommendations.
Test plan:
0. Apply patch
1. Go to http://localhost:8081/cgi-bin/koha/members/memberentry.pl
?op=edit_form&destination=circ&borrowernumber=51
2. Add the following in a "Circulation note"
=SUM(1+1)
3. Go to http://localhost:8081/cgi-bin/koha/members/member.pl
?quicksearch=1&circsearch=1&searchmember=koha
4. Click "Export" and choose "Excel" and "CSV"
5. Open those downloaded files in Excel
6. Note that the =SUM(1+1) function is prefixed with a single quote,
and is not automatically executed
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Works as advertised. The problematic "cell" is exported as "'=SUM(1+1)".
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
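The single-quote prefix described in Bug 37727, as an added example that is not the patch's own code. The trigger-character set follows the OWASP CSV injection guidance the commit refers to; the function names and the decision to leave real numbers unprefixed are assumptions made here.

```javascript
// Characters that make a spreadsheet treat a cell as a formula
// (assumption: the set listed in the OWASP CSV injection guidance).
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

// Prefix formula-looking text with a single quote so the spreadsheet
// shows it as text. Values that are real numbers (not numeric strings)
// are passed through, so a negative total is not turned into "'-3".
function neutralizeCell(value) {
  if (typeof value === "number" && Number.isFinite(value)) {
    return String(value);
  }
  const text = value === null || value === undefined ? "" : String(value);
  return FORMULA_TRIGGERS.has(text.charAt(0)) ? "'" + text : text;
}

// Quote every field and double embedded quotes, so user-supplied text
// cannot close its own cell and begin a new one that starts with "=".
function csvField(value) {
  return '"' + neutralizeCell(value).replace(/"/g, '""') + '"';
}

// Serialise an array of rows (arrays of cell values) to CSV text.
function toCsv(rows) {
  return rows.map((row) => row.map(csvField).join(",")).join("\r\n");
}

// Constructed sample: a patron row whose circulation note is the value
// used in the test plan above, plus a numeric column.
const SAMPLE_ROWS = [
  ["Name", "Circulation note", "Balance"],
  ["koha", "=SUM(1+1)", -3],
];

console.log(toCsv(SAMPLE_ROWS));
```

With DataTables Buttons, a function like `neutralizeCell` can be supplied through the export's `exportOptions.format.body` callback.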
David Cook [Fri, 14 Jun 2024 04:34:47 +0000 (04:34 +0000)]
Bug 37087: Add TCP keepalive support to SIP server
This change adds the ability to enable and configure TCP keepalive
support for the SIP server using SIPconfig.xml.
For the sake of backwards compatibility, it defaults to disabled
and additional parameters default match typical kernel defaults.
Technical detail can be found in the perldoc for C4/SIP/SIPserver.pm
Test plan:
0. Apply the patch
1. koha-sip --restart kohadev
2. apt-get update && apt-get install tcpdump
3. In one window, run "tcpdump -A -n -v -i any 'port 6001'"
4. In another window, run the following:
echo -e "9300CNterm1|COterm1|CPCPL|\r" | nc 127.0.0.1 6001 -v
5. Note in tcpdump output that after the initial flood of packets,
nothing more is received
6. vi /etc/koha/sites/kohadev/SIPconfig.xml
7. In the "server-params" element, add attributes like the following:
custom_tcp_keepalive='1'
custom_tcp_keepalive_time='10'
custom_tcp_keepalive_intvl='5'
8. koha-sip --restart kohadev
9. In one window, run "tcpdump -A -n -v -i any 'port 6001'"
10. In another window, run the following:
echo -e "9300CNterm1|COterm1|CPCPL|\r" | nc 127.0.0.1 6001 -v
11. Note in tcpdump output that after the initial flood of packets,
ACK packets are sent out every 10+ seconds for the idle connection
Signed-off-by: Tadeusz „tadzik” Sośnierz <tadeusz@sosnierz.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de> Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 73c7acd33f005eebe9e1338b263cec95e1099d48) Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
to test:
1- try to save an agreement with 81+ characters in License Info
2- it does not save
3- apply patch, updatedatabase
4- repeat 1, it works!
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 2512392b2a8fc5f6485bb64cc90376067446b56e) Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
Bug 37292: Add an index on oauth_access_tokens.expires
This patch adds a needed index to the column.
To test:
1. On a fresh KTD, run:
$ ktd --shell
k$ koha-mysql kohadev
> SHOW CREATE TABLE oauth_access_tokens;
=> FAIL: There's no 'KEY' entry for the `expires` column
2. Apply this patch
3. Run:
k$ updatedatabase
=> SUCCESS: A message tells the index was added
4. Repeat 1
=> SUCCESS: The index was actually added to the DB
5. Run:
k$ reset_all
6. Repeat 1
=> SUCCESS: The index is created at install time too!
7. Run:
k$ updatedatabase
=> SUCCESS: Nothing explodes, no message about index being created
8. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 2e63ece6ae9d560302408a4303df882a47791c87) Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Wed, 27 Nov 2024 08:55:23 +0000 (09:55 +0100)]
Bug 38543: Do not include rowGroup asset files
rowGroup plugin is now part of the datatables.min.js bundle. We no
longer need to include its css and js files, and they no longer exist
anyway!
[2024/11/27 08:52:37] [WARN] File not found : lib/jquery/plugins/rowGroup/stylesheets/rowGroup.dataTables.min.css at /kohadevbox/koha/Koha/Template/Plugin/Asset.pm line 107
[2024/11/27 08:52:37] [WARN] File not found : lib/jquery/plugins/rowGroup/dataTables.rowGroup.min.js at /kohadevbox/koha/Koha/Template/Plugin/Asset.pm line 84.
Test plan:
Confirm that the checkouts are grouped "today" and "previous" on the
checkout page.
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 4b82e00416c73a0e8a1b1e57ed453863d802bf6d) Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
This patch updates the JavaScript on the patrons requesting modification
page in order to make it work following the upgrade to Bootstrap 5. The
automatic panel expansion is broken.
To test, apply the patch and enable, if necessary, the OPACPatronDetails
system preference.
- Log in to the OPAC and submit changes to your personal details.
- Do this again as a different user so that there is more than one
pending request.
- From the staff interface home page, follow the link for "Patrons
requesting modifications"
- Upon loading, the "Update patron records" page should automatically
expand the first panel.
- Locate the patron record for the second of the patrons you requested
updates for.
- From that patron's detail page, follow the "Review pending
modifications" link.
- The panel containing that patron's information should expand by
default.
Sponsored-by: Athens County Public Libraries Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit a42686d8910594d674e7bbb8d163351306d3fbb5) Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
Jonathan Druart [Tue, 19 Nov 2024 10:15:54 +0000 (11:15 +0100)]
Bug 38476: Make DT 'Configure' button a link
So that we can open in a separate bug using right click.
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit d53784de3a4adeab7b7c6c097883b6b72e52e9d4) Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
Lucas Gass [Tue, 5 Nov 2024 22:13:32 +0000 (22:13 +0000)]
Bug 38362: Fix printing lists on opac/opac-shelves.pl
To test from the OPAC:
1 - create a list with more than 10 items
2 - print the list -> there is pagination and only 10 items
are printed
3 - Apply patch
4 - print the list again -> all items are printed
Signed-off-by: Sam Sowanick <sam.sowanick@corvallisoregon.gov> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Tidied: added a few spaces.
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 8d0e7ff906ae4e6b1367307e7dfdead909676bcb) Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
Michał Kula [Wed, 17 Jul 2024 13:05:02 +0000 (13:05 +0000)]
Bug 37393: fix "In bundle:" link not showing for items in staff interface
The cause was erroneous check `[% IF bundlesEnabled %]` before the parent bundle information is requested+shown. The `bundlesEnabled` variable checks if the current biblio ITSELF is of collection type, so should only be used for whether to show the button to add new items to the bundle items, NOT for querying whether current item is part of a bundle, as the items that make up the bundle aren't of collection type themselves.
The second fixed problem was that `bundle_host` didn't contain `.biblio` subitem (which'd contain the actual host biblio title) as the JavaScript code assumed, and it wasn't possible to request it with the API either.
Test plan: please follow the reproduction instructions from bug and ensure that the described issue is gone.
If you run into an error 400 on the detail page, you need to refresh API definitions, in kts shell you'd run:
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 7df4eda9ecb478c5d6dc5672998d2616f14c83f2) Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
Phil Ringnalda [Fri, 6 Sep 2024 00:16:28 +0000 (17:16 -0700)]
Bug 37293: MARC bibliographic framework text for librarians and OPAC limited to 100 characters
The database columns for liblibrarian and libopac in marc_tag_structure and
marc_subfield_structure are 255 characters, but the HTML maxlength in
/koha-tmpl/intranet-tmpl/prog/en/modules/admin/marctagstructure.tt and
/koha-tmpl/intranet-tmpl/prog/en/modules/admin/marc_subfields_structure.tt
limit tags to 100 characters and subfields to 80 characters.
Test plan:
1. Apply patch, restart_all
2. Administration - MARC bibliographic framework - for Default, Actions -
MARC Structure
3. For the 000 tag, Actions - Edit tag
4. In both the "Description in staff interface" and "Description in OPAC"
paste the 255 character string
and click Save changes
5. Verify that the display shows all 255 characters, then Actions - Edit tag
and verify that the two inputs reloaded with all 255 characters, and that
you cannot type a 256th character, then click Cancel
6. For the 000 tag, Actions - Edit subfields
7. Paste the same string in both the staff interface and OPAC inputs, Save
changes, verify that all 255 characters show, click Edit subfields, verify
that all 255 characters reloaded in the inputs, verify that you cannot
type a 256th character
Sponsored-by: Chetco Community Public Library Signed-off-by: Shi Yao Wang <shi-yao.wang@inlibro.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit a9044f4b3487d7b3eea7aaec7653edff48463ea3) Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de>
Nick Clemens [Tue, 23 Jul 2024 16:16:57 +0000 (16:16 +0000)]
Bug 37424: Display additional materials note in batch checkout
This patch adds a missing conditional for ADDITIONAL_MATERIALS to the batch checkout table
Test plan:
1. Set a staff member with circ permissions, including FORCE_CHECKOUT
2. Turn on: CircConfirmItemParts, BatchCheckouts, BatchCheckoutsValidCategories (all)
3. Log in as staff member in step 1
4. Attempt to checkout an item with a 952$3 from the batch checkout tab
5. The item with a 952$3 displays, but the copy/text of the materials specified note does not.
6. Do not confirm checkout
7. Apply patch
8. Try again, the materials note should show this time
9. Confirm checkout
10. Success! Item is checked out
Signed-off-by: Catrina Berka <catrina@bywatersolutions.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 03538b59aaa897375e1839e4260ffadac03890ab) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Jonathan Druart [Wed, 20 Nov 2024 10:51:59 +0000 (11:51 +0100)]
Bug 38437: Auto-show modal on single receive
Might have been broken by the bootstrap 5 upgrade, but not sure.
Not sure why the click does not trigger the modal.
1. Place an order in acquisitions
1.1. Go to Acquisitions
1.2. Click 'Search' next to 'Search vendors'
1.3. Click 'Add to basket' next to 'My basket'
1.4. Search for an existing record (e.g. search for Shakespeare)
1.5. Click 'Add order' next to a result or in the detailed record
1.6. In the item form, choose an item type
1.7. Click 'Add item'
1.8. Choose a fund
1.9. Enter a price in 'Vendor price'
1.10. Click 'Save'
1.11. Click 'Close basket'
1.12. Click 'Yes, close'
2. Receive the order
2.1. Click 'Receive shipments'
2.2. Enter a value in 'Vendor invoice'
2.3. Click 'Next'
2.4. Click 'Receive' next to your order
=> The modal is shown
Signed-off-by: Michaela Sieber <michaela.sieber@kit.edu> Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit ef455af3445b824bd97c0db3e60ebe37dc1bdf20) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Nick Clemens [Wed, 20 Nov 2024 13:55:21 +0000 (13:55 +0000)]
Bug 38495: (follow-up) Add a confirmation message
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Added an html filter for qa tools. Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 0be0f03d5267bb13eb28a7cdbfbcdd43cbb830df) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Nick Clemens [Wed, 20 Nov 2024 13:24:12 +0000 (13:24 +0000)]
Bug 38495: Use JS to submit form to cancel background jobs
This patch adjusts the link to cancel jobs to be submitted as a POST with cud-cancel operation
To test:
1 - Stop your long tasks background jobs worker
sudo koha-worker --stop --queue long_tasks kohadev
2 - Stage a file for import
3 - Administration -> Manage jobs
4 - See your new job
5 - Click 'cancel'
6 - It didn't work
7 - Apply patch
8 - Browse to jobs again
9 - Click 'Cancel'
10 - Job is successfully cancelled
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit d047776630152a9e2b16c7797aaac600c0dff6e2) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Marcel de Rooy [Fri, 22 Nov 2024 08:28:46 +0000 (08:28 +0000)]
Bug 38513: Fix Biblio.t for Koha_Main_My8
This should do the trick: The test output shows that the second
mapping was not found (field 264); also the expected suspect btw.
So adding that here.
Test plan:
Run t/db_dependent/Biblio.t
See also comment28 on bug 19097.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Simulated the above by removing 264c from Koha to MARC mapping. Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 28d24aaa0874844ec8643a9ea19cc0b501013c6a) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Jonathan Druart [Mon, 25 Nov 2024 10:57:54 +0000 (11:57 +0100)]
Bug 38526: (bug 36822 follow-up): Improve datetime comparison in tests
17:39:54 koha_1 | # Failed test 'updated_on correctly saved on newly created user'
17:39:54 koha_1 | # at t/db_dependent/Auth_with_shibboleth.t line 319.
17:39:54 koha_1 | # Structures begin differing at:
17:39:54 koha_1 | # $got->[0] = '2024-11-19 16:39:30'
17:39:54 koha_1 | # $expected->[0] = '2024-11-19 16:39:29'
17:39:54 koha_1 | # Looks like you failed 1 test of 54.
We must use t::lib::Dates::compare to compare datetimes in tests.
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit ed25a48ccf566bf4a21040a36d25bda8d598c301) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Janusz Kaczmarek [Wed, 23 Oct 2024 13:27:52 +0000 (13:27 +0000)]
Bug 38239: Incorrect number of items to pull (in Holds to pull) with partially filled holds
With an over-sufficient number of items, when more than one patron has
placed a hold, and the holds have been partially filled (checked-in =
waiting for pick up), the number of items to pull in the Holds
to pull table shows the total number of holds, including those waiting.
This erroneously suggests to the librarian to pull an excessive number
of items from the shelves.
Test plan:
==========
1. For a bibliographic record with more than two items (in ktd, e.g.
"Lanark a life in four books"), place hold for two patrons.
2. On the Holds to pull page control that there are two items to pull.
3. As a librarian from the library of one of the patrons, Check-in one
item.
4. Note that in Holds to pull table you still see two items to pull,
which is misleading.
5. Apply the patch; restart_all.
6. Now you should see only one item to be pulled.
Sponsored-by: Ignatianum University in Cracow Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit abfba936fb4ffcab5d1234c3fc577ac493865c5e) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
George Veranis [Thu, 7 Nov 2024 13:39:16 +0000 (14:39 +0100)]
Bug 28075: (follow-up) adding all choices and values of 135a
Extend patch of 135a to cover all choices with all possible values as
described by IFLA for 135a.
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 9a72d3c7576d2c884ea93ae7f065d6836358c3d9) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
This patch adds more values to selection of 135a in UNIMARC
Test Plan:
1) Add on default framework the field 135a and check the Editor option
2) Set on plugin section the value of unimarc_field_135a.pl
3) Open cataloguing editor and use 135 field tag editor to select a value
4) Apply patch
5) Open cataloguing editor and use 135 field tag editor to select a value,
after patch you have more options to select
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 3fa03e2e660de9c0ab12e8281671963f089c3ef9) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
David Cook [Mon, 11 Nov 2024 22:17:58 +0000 (22:17 +0000)]
Bug 38416: Tidy
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 8b952b1a343f03c86589f4e696a84e18000525b8) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
David Cook [Mon, 11 Nov 2024 04:40:52 +0000 (04:40 +0000)]
Bug 38416: Add unit tests
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit a9eaefa3b89d77ff3a43bb560d5bc79b0c7615e5) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
David Cook [Mon, 11 Nov 2024 04:30:06 +0000 (04:30 +0000)]
Bug 38416: Failover to MARCXML if cannot roundtrip USMARC during indexing
This change fails over to MARCXML from USMARC if there are any
warnings generated by MARC::File::USMARC::decode when trying to
roundtrip the record.
Test plan:
0. Apply the patch
1. Setup your koha-testing-docker to use Elasticsearch
2. Create a new record with 15,000 characters in the 500$a field
3. Index that record
(e.g. perl misc/search_tools/rebuild_elasticsearch.pl --biblios -v -v)
4. Note that a warning saying the following appears:
"Warnings encountered while roundtripping a MARC record to/from USMARC.
Failing over to MARCXML"
5. View the "Elasticsearch record" on the detail page and note that the
marc_format is MARCXML
6. Perform a search for the record (the keyword should be something that
brings up other results too)
7. Note that the record appears correctly in the search results
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 0d862343ddce4a86a4932b80d747b9574c739e4d) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Phil Ringnalda [Wed, 13 Nov 2024 05:31:02 +0000 (21:31 -0800)]
Bug 29818: Cannot save subscription frequency without display order
The schema says that subscription_frequencies.displayorder can be null, and
everything else deals with it being null just fine, but if you try to save
a new frequency without specifying display order with strict_sql_modes set,
you get an error.
Test plan:
1. Without the patch, Serials - Manage frequencies - New frequency
2. Description is mandatory, so fill it in, then click Save
3. Boom! Apply patch, restart_all
4. Repeat steps 1-2, and verify that no error is thrown and the new
frequency shows up (at the top of the list since nothing comes before
something)
5. New frequency, fill in Description, try typing something other than a
number in Display order and saving. You should be told to follow the
directions that only numeric characters are allowed
Sponsored-by: Chetco Community Public Library Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 77c003ed544d653345acf4debe968110ea94a1fd) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Emily Lamancusa [Wed, 16 Oct 2024 14:14:51 +0000 (10:14 -0400)]
Bug 38186: Don't initiate transfer when cancelling hold on lost item
To test:
0. In the Circulation Rules, set the default return policy to "item
returns home" (default settings have this already)
1. Find an item belonging to a branch other than the logged-in branch
2. Place a hold on that biblio record for pickup at the logged-in branch
3. Check in the item to set the hold to waiting
4. Set the expiration date to a date in the past
To do this in KTD:
ktd --shell
koha-mysql kohadev
UPDATE reserves SET expirationdate = < yesterday's date >;
5. Set a lost status on the item
6. Go to Circulation > Holds awaiting pickup
--> The hold should appear on the "holds waiting past their expiration
date" tab
7. Click the "Cancel and return to <homebranch>" button next to the hold
8. Open the biblio record for the item
--> Note that the lost status is gone and the item shows as in-transit
9. Apply patch
10. Repeat steps 2-8 on the same item
--> This time, the item is still lost and is not in-transit
Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org> Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 1c3ed6e4dbd2bb01762aa3bbd350c8346b1815b5) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
David Cook [Fri, 6 Sep 2024 01:49:35 +0000 (01:49 +0000)]
Bug 37854: Re-indent HTML (whitespace-only)
This whitespace only change re-indents the HTML
Signed-off-by: Olivier V <olivier.vezina@inLibro.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit f067830305c98c42143a2d5c579e91a0dc9e7147) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
David Cook [Fri, 6 Sep 2024 01:45:27 +0000 (01:45 +0000)]
Bug 37854: Add fieldset.rows so that Javascript works
This change adds a fieldset.rows so that the Javascript produced
by C4/Barcodes/ValueBuilder.pm will work here too like it
does for /cgi-bin/koha/cataloguing/additem.pl and
/cgi-bin/koha/acqui/neworderempty.pl
The fieldset.rows element ruins the styling, so we add some context
specific styling so the styling is preserved.
Test plan:
0. Apply the patch
1. Set "autoBarcode" to "generated in the form <branchcode>yymm0001"
2. Create a vendor
3. Create a basket with "Create items when" set to "receiving an order"
4. Add an order (any order)
5. Close the basket
6. Receive the shipment
7. Click in the barcode field
8. Note that you get a barcode like CPL24090001 and not undefined24090001
Signed-off-by: Olivier V <olivier.vezina@inLibro.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 79b5228116ccfac3fc4aa9366493bfaeb858c1f7) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Nick Clemens [Thu, 11 Jul 2024 12:03:40 +0000 (12:03 +0000)]
Bug 37326: decode barcode file in inventory tool
This patch ensures that barcodes uploaded as a file into batchMod are run through
any transformations to match the behaviour of barcodes entered in a list
To test:
1 - Edit BarcodeSeparators system preference to remove \s
2 - Install barcode transformer plugin:
https://github.com/bywatersolutions/koha-plugin-barcode-transformer/releases/tag/v1.2.0
3 - Configure the plugin:
item:
  -
    match: "^[A-Z]* \| "
    search: "^[A-Z]* \| "
    replace: ""
  -
    match: " \| .*$"
    search: " \| .*$"
    replace: ""
4 - Go to Cataloging->Batch item modification
5 - Enter a list of barcodes into the 'Scan one by one' box like:
ERR | 12345 | ERR
FOO | 23456 | FOO
BAR | 34567 | BAR
6 - Click 'Continue'
7 - Note the barcodes not found are:
12345
23456
34567
8 - Save the barcodes with extra text into a file
9 - Perform batch mod, supplying the barcodes via the file
10 - Note the barcodes not found are the original strings
11 - Apply patch, restart all
12 - Perform batch modification using file again
13 - Note the not found barcodes are the transformed version
14 - Sign off!
Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit d794891005e4a457371bd9ecaaf845e70fe85255) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
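Added example for Bug 37326 (not part of the commit and not Koha or plugin code): a Python model of the two barcode entry paths from the test plan, showing the file path diverging from the list path when it skips the transformation step. The rule semantics (apply `search`/`replace` only when `match` hits, rules in order), the UTF-8 decoding and all function names are assumptions; the sample input is constructed from steps 3 and 5.

```python
import re

# Rules copied from the plugin configuration in step 3 of the test plan.
ITEM_RULES = [
    {"match": r"^[A-Z]* \| ", "search": r"^[A-Z]* \| ", "replace": ""},
    {"match": r" \| .*$", "search": r" \| .*$", "replace": ""},
]

# Constructed sample input, taken from step 5 of the test plan.
SAMPLE_LIST = "ERR | 12345 | ERR\nFOO | 23456 | FOO\nBAR | 34567 | BAR\n"
# The same barcodes as an uploaded file: UTF-8 with BOM and CRLF line endings.
SAMPLE_FILE = b"\xef\xbb\xbf" + SAMPLE_LIST.replace("\n", "\r\n").encode("utf-8")


def transform_barcode(barcode, rules=ITEM_RULES):
    """Apply each rule in order (assumed semantics): when `match` hits,
    substitute `search` with `replace`."""
    for rule in rules:
        if re.search(rule["match"], barcode):
            barcode = re.sub(rule["search"], rule["replace"], barcode)
    return barcode


def _normalize(lines):
    """Shared pipeline: drop empty lines, then transform every barcode."""
    return [transform_barcode(line) for line in lines if line != ""]


def barcodes_from_list(text):
    """Entry path 1: barcodes typed or scanned into the form, one per line."""
    return _normalize(text.splitlines())


def barcodes_from_file(raw_bytes):
    """Entry path 2: uploaded file. Decode strictly (invalid UTF-8 raises,
    a leading BOM is dropped), then reuse the same pipeline as path 1."""
    return _normalize(raw_bytes.decode("utf-8-sig").splitlines())


def barcodes_from_file_untransformed(raw_bytes):
    """Model of the behaviour in step 10: the file path skips the
    transformation, so lookups use the raw strings."""
    return [l for l in raw_bytes.decode("utf-8-sig").splitlines() if l != ""]


if __name__ == "__main__":
    print("list path:      ", barcodes_from_list(SAMPLE_LIST))
    print("file path:      ", barcodes_from_file(SAMPLE_FILE))
    print("file, no rules: ", barcodes_from_file_untransformed(SAMPLE_FILE))
```

Routing both entry points through one normalization function is what keeps them from drifting apart again when a rule or a decoding step changes.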
Jan Kissig [Wed, 13 Nov 2024 20:18:26 +0000 (20:18 +0000)]
Bug 23426: (follow-up) Fix failing test to send correct summary flag
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 7509681e10fc8f8df71aa98627d1feaee64602e6) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Jan Kissig [Thu, 7 Nov 2024 13:32:05 +0000 (13:32 +0000)]
Bug 23426: (follow-up) Enhance sip_cli_emulator.pl for test plan
This follow up enhances the sip_cli_emulator.pl to use start-item and/or end-item as params. With these new params the original test plan can be extended:
Test plan:
a) create several manual invoices for patron 23529000035676 : http://localhost:8081/cgi-bin/koha/members/maninvoice.pl?borrowernumber=19
b) run
perl misc/sip_cli_emulator.pl -a 127.0.0.1 -p 6001 -su term1 -sp term1 -l CPL --patron 23529000035676 -m patron_information -s " Y " --start-item=1 --end-item=2
to get fine 1 and 2 or
perl misc/sip_cli_emulator.pl -a 127.0.0.1 -p 6001 -su term1 -sp term1 -l CPL --patron 23529000035676 -m patron_information -s " Y " --start-item=3 --end-item=3
to retrieve fine 3
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit cfb841f9e6abc56735f8567ec40f46702cda9786) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Jan Kissig [Thu, 7 Nov 2024 12:42:59 +0000 (12:42 +0000)]
Bug 23426: (follow-up) This patch reintroduces the former implementation of fine items
The original implementation of fine items was accidentally overwritten with this patch. This follow up reverts these changes but keeps additional improvements that were also part of this patch.
These are:
- Returning the active currency as part of the response (BH)
- Fixing the number of items in the response which are specified in BP and BQ when other items as fine items are requested.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e5bd8aec41cb8f7ade5f7a228bbb34ff40ecea5b) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Jan Kissig [Thu, 25 Apr 2024 09:13:55 +0000 (11:13 +0200)]
Bug 23426: Add fine items to patron information response in SIP2
This patch adds fine items (AV) to patron information response in SIP2
In addition the active currency will be part of the response (BH)
This also fixes the number of items in the response which are specified in BP and BQ in the request
to test:
a) create a manual invoice for patron 23529000035676 : http://localhost:8081/cgi-bin/koha/members/maninvoice.pl?borrowernumber=19
b) in ktd call: perl /usr/share/koha/bin/sip_cli_emulator.pl -a 127.0.0.1 -p 6001 -su term1 -sp term1 -l CPL --patron 23529000035676 -m patron_information -s " Y "
c) verify that no |AV field is in response
d) apply patch
e) in ktd call: perl /usr/share/koha/bin/sip_cli_emulator.pl -a 127.0.0.1 -p 6001 -su term1 -sp term1 -l CPL --patron 23529000035676 -m patron_information -s " Y "
f) verify that response includes fields like '|AVManual fee '
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Tidied inline Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 1d80470105e709e729a41ff52512dbcfd2992c69) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>