Marc Véron [Mon, 12 Jun 2017 06:20:56 +0000 (08:20 +0200)]
Bug 18779: Translatability: Get rid of exposed tt directives in authorities-search-results.inc (OPAC)
The file opac-tmpl/bootstrap/en/includes/authorities-search-results.inc
exposes template directives to translation where translators should not
be confronted with.
To test:
- Apply patch
- Verify that Authority search in OPAC works as before
- Bonus test: create a new language 'aa-AA', verify that line above
does not show up in aa-AA-opac-bootstrap.po
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Marc Véron [Mon, 12 Jun 2017 05:48:57 +0000 (07:48 +0200)]
Bug 18778 - Translatability: Get rid of tt directive in translation for item-status.inc
The file opac-tmpl/bootstrap/en/includes/item-status.inc exposes a template directive where translators should not be confronted with.
"%s %s [%%#- This include takes two parameters: an item structure and an "
"optional loan (issue) structure. The issue structure is used by course "
"reserves pages, which do not use an API to fetch items that populates item."
"datedue. -%%] %s %s %s %s "
This patch fixes new lines inside a tt directive (comment).
It is merely a string patch.
To test:
Verify that the code changes make sense.
(Bonus test: create a new language 'aa-AA', verify that line above does not
show up in aa-AA-opac-bootstrap.po)
NOTE: Followed test plan similar to bug 18776 comment 3.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Marc Véron [Sun, 11 Jun 2017 18:16:46 +0000 (20:16 +0200)]
Bug 18777: Translatability: Get rid of exposed tt directives in opac-memberentry.tt
The file opac-memberentry.tt exposes template directives to translation where
translators should not be confronted with.
Example from po file:
"%s [%% UNLESS hidden.defined('B_address') && hidden.defined('B_address2') && "
"hidden.defined('B_city') && hidden.defined('B_state') && hidden."
"defined('B_zipcode') && hidden.defined('B_country') && hidden."
"defined('B_phone') && hidden.defined('B_email') && hidden."
"defined('contactnote') %%] "
To test:
- Apply patch
- Verify that advanced search in OPAC the page 'your personal details'
behaves as before
- Verify that you can change values and submit an update request
- Create a new translation for a 'language' aa-AA (perl translate create aa-AA)
- Verify that template directives ar no longer exposed in aa-AA-opac-bootstrap.p
NOTE: Followed test plan similar to bug 18776 comment 3.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Marc Véron [Sun, 11 Jun 2017 14:54:28 +0000 (16:54 +0200)]
Bug 18776: Translatability: Get rid of exposed tt directives in opac-advsearch.tt
The file opac-advsearch.tt exposes template directives to translation where translators should not be confronted with.
Example in po file:
"[%% IF ( ( OpacAdvSearchOptions and OpacAdvSearchOptions.grep('itemtype')."
"size > 0 and not expanded_options ) or ( OpacAdvSearchMoreOptions and "
"OpacAdvSearchMoreOptions.grep('itemtype').size > 0 and expanded_options ) ) "
"%%] "
To test:
- Apply patch
- Verify that advanced search in OPAC behaves as before
- Create a new translation for a 'language' aa-AA (perl translate create aa-AA)
- Verify that template directives ar no longer exposed in aa-AA-opac-bootstrap.po
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Marcel de Rooy [Fri, 4 Aug 2017 14:44:51 +0000 (16:44 +0200)]
Bug 18754: [QA Follow-up] Tiny corrections
Converted one INCLUDE directive to PROCESS; we are not changing variables here. (The PROCESS directive is slightly faster than INCLUDE because it avoids the need to localise (i.e. copy) the variable stash before processing the template.)
Removed one vim inserted letter i.
Error in [% IF ( XISBN.publicationyear ) _ ', ' _ XISBN.publicationyear %][% END %] The concatenation became part of the condition.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
See: [% IF ( nextTitle ) %][% nextTitle |html %][% ELSE %]next biblio[% END "
"%]
To test:
- Apply patch
- Do a search in OPAC that has more than 1 results
- Go to the detail page of one of the items found
- Verify that the details display as before and that you can
browse the results with Previous and Next
- In staff client, change OPACXSLTDetailsDisplay from 'default' to
empty for "no xslt" and repeat steps above
- In staff client, set HTML5MediaEnabled to 'OPAC' or 'OPAC and staff client'
- Verify that media catalogued in field 856 still work
- Create a new translation for a 'language' aa-AA (perl translate create aa-AA)
- Verify that template directives ar no longer exposed in aa-AA-opac-bootstrap.po
Followed test plan which works as intended
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Marc Véron [Tue, 23 May 2017 15:09:49 +0000 (17:09 +0200)]
Bug 18660: Translatability: Get rid of template directives [%% in translation for patroncards-errors.inc
Translation for koha-tmpl/intranet-tmpl/prog/en/includes/patroncards-errors.inc
contains a lot of (partial) template directives like:
%%]%s %sLayout: [%%
This patch fixes it
To test:
- Verify that code changes make sense
- Apply patch
- Create a translation (cd misc/translator , then: perl translate create aa-AA
- Verify that in po/aa-AA-staff-prog.po contains no fragments like %%] or [%%
for patroncards-errors.inc
- Try to get an error: Try a link like
http://[YOUR SERVER]/cgi-bin/koha/patroncards/create-pdf.pl?batch_id=1&template_id=999&layout_id=999&start_card=1
...where template_id and layout_id do not exist
(Amended for comment #2 2017-06-05 mv)
(Amended for comment #6 2017-08-02 mv)
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Marc Véron [Sun, 28 May 2017 07:34:21 +0000 (09:34 +0200)]
Bug 18687: Translatability: abbr tag should not contain lang attribute
In manage-marc-import.tt, we have an abbreviation:
<abbr title="Differences between the original biblio and the imported" lang="en">Diff</abbr>
In translations (e.g. German), the line appears as follows:
<abbr title="Unterschiede zwischen Originaltitelsatz und importiertem Titelsatz" lang="en">Diff</abbr>
The lang attribute is wrong here, it is still "en".
The text language is the same as defined at the top of the page - or with other
words, the lang tag is superfluous.
This patch removes it.
To test:
Verify that code change makes sense.
Passes QA test and the change is logical Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Marc Véron [Thu, 29 Jun 2017 13:22:54 +0000 (15:22 +0200)]
Bug 18654 - Translatability: Get rid of tt directives starting with [%% in translation for itemsearch.tt
This patch removes entries like the following in translations of itemsearch.tt:
"[%% INCLUDE form_field_select name=\"homebranch\" options = branches "
"empty_option = \"All libraries\" %%] [%% INCLUDE form_field_select name="
"\"holdingbranch\" options = branches empty_option = \"All libraries\" %%] %s "
"[%% INCLUDE form_field_select name=\"location\" options = locations "
"empty_option = \"All locations\" %%] %s "
New patch on top of Bug 18633 that resolves parts of initial comment.
To test:
- Verify that in itemsearch.tt no tt directives are splitted by new lines
(search for [% INCLUDE )
- Verify that itemsearch.tt works as before
Followed test plan and verified that tt directives are not split by new
lines, the changes to the fieldset tags in comment 3 have been removed
and itemtype.tt still works correctly as before
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Marc Véron [Mon, 22 May 2017 19:09:06 +0000 (21:09 +0200)]
Bug 18652: Get rid of tt directive in translation for uncertainprice.tt
Translation tool shows toe following for ncertainprice.tt
0; url=[% scriptname %]?booksellerid=[% booksellerid %]
This patch fixes it.
To test:
- Apply patch
- Verify that code change makes sense
- Verify that Home > Acquisitions > [vendor] > Uncertain prices for [vendor]
works as before
- Additional test (for a langunage 'aa-AA')
perl translate create aa-AA
verify that line 41 no longer appears in aa-AA-staff-prog.po
Amended to switch from BLOCK to a template variable, see comment #5
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Marc Véron [Fri, 4 Aug 2017 08:52:13 +0000 (10:52 +0200)]
Bug 18649: Translatability: Get rid of tt directive in translation for admin/categories.tt and onboardingstep2.tt
New patch without trailing IF construction in tt directives as
requested in comment #28
To test: Verify that translation tool no longer shows tt directives as
described in comment #1
New patch, needs SO.
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Marc Véron [Fri, 26 May 2017 11:32:06 +0000 (13:32 +0200)]
Bug 18629 - Translatability: Fix problems with web installer 17.05
The new web installer for 17.05 has a great new design - but it has a lot of
translatability issues. Some strings are not picked for translations,
some expose the content of tt directives, and others are splitted by
html tags, resulting in small text fragments that are not easy to translate.
This patch weeds out such translation problems for step1.tt, step2.tt and
step3.tt
To test:
- Apply patch (on top of Bug 18665 because of html tags inside of
tt directives in step2.tt)
- Prepare a fresh install (drop database, create database)
- Walk through the installation process and verify that it works as before
- Verify that string changes (in English) make sense
- Create a translation( cd misc/translator, then perl translate create aa-AA)
then: vim po/aa-AA-staff-prog.po and search for: /installer\/step
Verify that strings for step1.tt, step2.tt, step3.tt are not fragmented,
do not contain [%%, and are easily translatable (make sense without having
to search in source files for context).
(Amended to remove some superfluous chomps 2017-06-27 mv)
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Marcel de Rooy [Tue, 6 Jun 2017 11:31:29 +0000 (13:31 +0200)]
Bug 17807: [Follow-up] Use marcxml for marc21 prefix
Not sure what happened here, but this is an easy fix.
Test plan:
Try oai.pl with marcxml, marc21 and oai_dc again.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Marcel de Rooy [Wed, 21 Dec 2016 14:03:18 +0000 (15:03 +0100)]
Bug 17807: Use XSLT_Handler in Koha::OAI
Replacing some code in the OAI modules by a call to an existing module.
Note that the xmldoc format is used in the transform call to get a xml
document object.
The stylesheet method of Repository now only returns the name of the xsl
file to be used instead of a cached xslt object. Similar functionality
inside XSLT_Handler is used when calling transform.
Note: We still lack unit tests in this area. I did not see the need for
adding something for stylesheet since it only returns a simple string.
The other change is made in Record::new; there are no tests for this
module yet and the heart of the change here is actually tested already
in XSLT_Handler.t.
Note: I benchmarked calls to Repository in the old and the new situation
and did not see significant changes.
Test plan:
[1] Run t/db_dependent/OAI/Server.t
[2] Run oai.pl with ListRecords and marcxml.
[3] Run oai.pl with ListRecords and oai_dc.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Marcel de Rooy [Wed, 21 Dec 2016 14:50:31 +0000 (15:50 +0100)]
Bug 17807: Add format parameter to XSLT_Handler->transform
Format may be chars (default), bytes or xmldoc.
Note: xmldoc is a XML::LibXML document object.
Since the default is chars, this does not affect current use.
Note: The format parameter (xmldoc) will be used later in one of the OAI
modules to prevent duplicated xml parsing.
Test plan:
Run t/db_dependent/XSLT_Handler.t
Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Jonathan Druart [Thu, 19 Jan 2017 19:11:21 +0000 (20:11 +0100)]
Bug 17969: Refactor the way <<items.content>> is generated
<<items.content>> is generated 4x in advance_notices.pl and once in
overdue_notices.pl
It would be better to have it in C4::Letters.
It will enforce the fact that it already has the same behavior, make it
testable and reusable.
Test plan:
Use the <<items.content>> tag for advance and overdue notices.
The generated notices must be the same as before this patch.
Followed test plan, works as expected. Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Jonathan Druart [Wed, 2 Aug 2017 14:49:08 +0000 (11:49 -0300)]
Bug 19025: Move GetReserveInfo to Koha::Holds
This subroutine is only used once and can be replaced with a call to
Koha::Holds->find
It will avoid unnecessary joins.
Test plan:
- Define a HOLD_SLIP template notice using fields from the tables
reserves, branches, borrowers, biblio, biblioitems and items.
- Generate one and make sure the values are correctly filled
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Lee Jamison [Fri, 11 Aug 2017 18:58:53 +0000 (18:58 +0000)]
Bug 19088: plugins-upload causes error log noise
After uploading a plugin the error log indicates
use of uninitialized value in $op. This patch
silences the noise.
To test:
1) Set <enable_plugins> to 1 (one) in koha-conf.xml.
2) Set the UseKohaPlugins system preference to 'Enable'.
3) Navigate to Administration -> Manage plugins.
4) Install the test plugin KPZ file attached to this bug.
5) Notice the uninitialized value noise in the error log.
6) Uninstall the plugin (plack restart may be required if plack is
enabled).
7) Apply patch.
8) Install the plugin again.
9) Notice no noise in the error log.
10) Run qa tools.
11) Run prove t/db_dependent/Plugins.t
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Kyle M Hall [Wed, 30 Aug 2017 13:37:48 +0000 (09:37 -0400)]
Bug 19205 - Pay selected fine generates 500 error
Using the pay selected option from the borrowers account, to pay for one specific fine among other gives a 500 error, despite the payment going through.
Test Plan:
1) Add two fines using the Create manual invoice function.
2) Select one fine and "pay selected".
3) Pay a part of the amount.
4) Note error
5) Apply this patch
6) Repeat steps 1-3
7) No error!
Signed-off-by: Andreas Hedström Mace <andreas.hedstrom.mace@sub.su.se> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Tue, 15 Aug 2017 03:03:41 +0000 (08:33 +0530)]
Bug 19035 - Stored XSS in lists.pl
To Test
1. Hit the page /cgi-bin/koha/patron_lists/lists.pl
2. Click on new patron list
3. Add a text in the field Name that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped
Fixed in both the pages list.pl and list.pl?patron_list_id=xx
xx is patronlist id
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Tue, 15 Aug 2017 15:28:34 +0000 (20:58 +0530)]
Bug 19114 - Stored XSS in parcels.pl
Test
1. Hit the page /cgi-bin/koha/acqui/parcels.pl?booksellerid=xx
xx is booksellerid
2. Add a text in the field Vendor invoice that contains java script
3. Save the page.
4. Notice js is execute
5. Apply patch and reload the js is escaped
Fixed XSS for parcels.pl/parcel.pl/orderreceive.pl
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Tue, 15 Aug 2017 14:21:48 +0000 (19:51 +0530)]
Bug 19112 - Stored XSS in basketheader.pl page
To Test
1. Hit the page /cgi-bin/koha/acqui/basketheader.pl?booksellerid=1&op=add_form
2. Add a text in the field Basket name, Internal note, Vendor note that contains java script
3. Save the page
4. Notice js is execute
5. Apply patch, reload, js is escaped.
Fixed XSS on pages basket.pl/basketheader.pl/bookseller.pl
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Tue, 15 Aug 2017 09:30:55 +0000 (15:00 +0530)]
Bug 19110 - XSS Stored in branches.pl
To Test
1. Hit the page /cgi-bin/koha/admin/branches.pl?op=add_form_category
2. Add a text in the field Name and description that contains js.
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped
Fixed for js escaped execute for both pages
1. /cgi-bin/koha/admin/branches.pl?op=delete_confirm&branchcode=xx
xx is branchcode
2. /cgi-bin/koha/admin/branches.pl?op=add_form with Group(s):
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Tue, 15 Aug 2017 17:52:32 +0000 (23:22 +0530)]
Bug 19100 - XSS Flaws in memberentry.pl
1. Hit /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
xx - is a guarantorid
2. Notice the java script is executed.
3. Apply patch.
4. Reload page, and hit the page again /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
xx - is a guarantorid.
5. Notice it is no longer executed.
NOTE: I had to test in Microsoft Edge, because Chrome was blocking XSS for me.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Tue, 15 Aug 2017 03:53:13 +0000 (09:23 +0530)]
Bug 19105 - XSS Stored in holidays.pl
To Test
1. Hit the page /cgi-bin/koha/tools/holidays.pl
2. Select the date
3. Add a text in the field Title and Description that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped
Fixed for all holidays
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Tue, 15 Aug 2017 17:28:02 +0000 (22:58 +0530)]
Bug 16069 - XSS issue in basket.pl page
1. Hit /cgi-bin/koha/acqui/basket.pl?basketno=xx<script>alert('amit')</script>
xx - is a basketno
2. Notice the java script is executed.
3. Apply patch.
4. Reload page, and hit the page again /cgi-bin/koha/acqui/basket.pl?basketno==xx<script>alert('amit')</script>
xx - is a basketno.
5. Notice it is no longer executed.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Fri, 11 Aug 2017 15:38:14 +0000 (21:08 +0530)]
Bug 19079 - XSS Flaws in Membership page
1. Hit /cgi-bin/koha/members/moremember.pl?borrowernumber=xx<script>alert('amit')</script>.
xx - is a borrowernumber
2. Notice the java script is executed.
4. Apply patch.
5. Reload page, and hit the page again /cgi-bin/koha/members/moremember.pl?borrowernumber=xx<script>alert('amit')</script>.
xx - is a borrowernumber.
6. Notice it is no longer executed.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Fri, 4 Aug 2017 04:14:52 +0000 (09:44 +0530)]
Bug 19033: XSS Flaws in Currencies and exchange page
1. Hit /cgi-bin/koha/admin/currency.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search currencies box.
3. Notice the iframe is executed
4. Apply patch
5. Reload page, and enter iframe again on search currencies box.
6. Notice it is no longer executed
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Fixes the issue, follows common practice on the codebase.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Fri, 4 Aug 2017 05:11:49 +0000 (10:41 +0530)]
Bug 19034: XSS Flaws in Z39.50/SRU servers administration
1. Hit /cgi-bin/koha/admin/z3950servers.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search Z39.50/SRU servers box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on search Z39.50/SRU servers box.
6. Notice it is no longer executed.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Fri, 4 Aug 2017 05:08:12 +0000 (10:38 +0530)]
Bug 19034: XSS Flaws in Cities
1. Hit /cgi-bin/koha/admin/cities.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search cities box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on search cities box.
6. Notice it is no longer executed.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Fri, 4 Aug 2017 05:04:19 +0000 (10:34 +0530)]
Bug 19034: XSS Flaws in Patron categories pages
1. Hit /cgi-bin/koha/admin/categories.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search patron categories box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on search patron categories box.
6. Notice it is no longer executed.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Mon, 7 Aug 2017 15:19:56 +0000 (20:49 +0530)]
Bug 19050 - XSS Flaws in Quick spine label creator
1. Hit /cgi-bin/koha/labels/spinelabel-home.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> barcode text box.
3. Notice the iframe is executed
4. Apply patch
5. Reload page, and enter iframe again on barcode text box.
6. Notice it is no longer executed
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
1. Hit /cgi-bin/koha/tools/batchMod.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Barcode list (one barcode per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Barcode list (one barcode per line) text area.
6. Notice it is no longer executed.
7. Fixes for both barcode and itemnumber.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Mon, 7 Aug 2017 15:54:44 +0000 (21:24 +0530)]
Bug 19051 - XSS Flaws in Batch item deletion page
1. Hit /cgi-bin/koha/tools/batchMod.pl?del=1
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Barcode list (one barcode per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Barcode list (one barcode per line) text area.
6. Notice it is no longer executed.
7. Fixes for both barcode and itemnumber.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Mon, 7 Aug 2017 15:38:36 +0000 (21:08 +0530)]
Bug 19051 - XSS Flaws in - Batch record deletion page
1. Hit /cgi-bin/koha/tools/batch_delete_records.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Record number list (one per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Record number list (one per line) text area.
6. Notice it is no longer executed.
7. Fixes for both biblio and authority records.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Mon, 7 Aug 2017 16:47:14 +0000 (22:17 +0530)]
Bug 19052 - XSS Flaws in - Invoice search page
1. Hit /cgi-bin/koha/acqui/invoices.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> Invoiceno,
ISBN/EAN/ISSN, Title, Author, Publihser, Publication year search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Invoiceno,
ISBN/EAN/ISSN, Title, Author, Publihser, Publication year search box.
6. Notice it is no longer executed.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Mon, 7 Aug 2017 16:34:30 +0000 (22:04 +0530)]
Bug 19052 - XSS Flaws in vendor search page
1. Hit /cgi-bin/koha/acqui/booksellers.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> vendor search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on vendor search box.
6. Notice it is no longer executed.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Mon, 7 Aug 2017 17:04:05 +0000 (22:34 +0530)]
Bug 19054 - XSS Flaws in Report - Top Most-circulated items
1. Hit /cgi-bin/koha/reports/cat_issues_top.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in Callnumber, Day, Month, Year search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Callnumber, Day, Month, Year search box.
6. Notice it is no longer executed.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Thu, 10 Aug 2017 16:21:38 +0000 (21:51 +0530)]
Bug 19078 - XSS Flaws in System preferences
1. Hit /cgi-bin/koha/admin/preferences.pl
2. Enter <script>alert('amit')</script> in search system preferences box.
3. Notice the java script is executed.
4. Apply patch.
5. Reload page, and enter <script>alert('amit')</script> in search system preferences box.
6. Notice it is no longer executed.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Tue, 15 Aug 2017 16:51:37 +0000 (22:21 +0530)]
Bug 19118 - Due to wrong variable name passed vendor name is not coming in browser title bar
Test
1. Hit the page /cgi-bin/koha/acqui/supplier.pl?booksellerid=xx
xx is a booksellerid
2. Apply the patch and reload the page.
3. You can see vendor name in browser title bar.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Marcel de Rooy [Wed, 16 Aug 2017 11:15:19 +0000 (13:15 +0200)]
Bug 19126: Fix Members.t with IndependentBranches set
If you enabled that pref, Members.t fails with:
t/db_dependent/Members.t .. 63/63 # Looks like you failed 15 tests of 63.
The first one is:
t/db_dependent/Members.t .. 32/63
Failed test 'Staff patron not deleted from list'
at t/db_dependent/Members.t line 304.
Bottle neck is GetBorrowersToExpunge. The results of that sub depend on the
state of this preference.
Trivially fixing it here by disabling the pref before the first call.
Test plan:
[1] Do not apply this patch yet. Enable IndependentBranches.
[2] Run Members.t and observe that it fails.
[3] Apply this patch. And run Members.t again. It should pass now.
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Bug 19130: (followup) Controller scripts should preserve behaviour
This patch is a followup to making
Koha::Acquisition::Booksellers->search work as any other Koha::Objects
(DBIC) query instead of having a different behaviour hardcoded.
To achieve it, this patch makes the controller scripts add
wildcard/truncation chars as prefix and sufix for searches, and make the
default sorting for results be by 'name', ascending.
To test:
- Just verify the behaviour remains unchanged by this patchset on the
controller scripts (re. searching).
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Bug 19130: Remove ->search() overloading and adjust tests
This patch removes the custom ->search() function. Tests are adjusted
so the results from ->search() calls are not expected to return in the
previously hardcoded order.
To test:
- Apply this patch
- Run:
$ sudo koha-shell kohadev
k$ cd kohaclone
k$ prove t/db_dependent/Bookseller.t
=> SUCCESS: Tests pass
- Sign off :-D
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Nick Clemens [Wed, 19 Jul 2017 17:31:03 +0000 (17:31 +0000)]
Bug 18447 - Remove redundant line
This line was added by bug 12342 but seems to have stopped working.
These patches set default so this specific case should not be needed.
Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Nick Clemens [Wed, 19 Jul 2017 17:27:24 +0000 (17:27 +0000)]
Bug 18447 - Add changes to opac
Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Nick Clemens [Tue, 18 Apr 2017 14:57:20 +0000 (10:57 -0400)]
Bug 18447 - Datepicker only shows -10/+10 years
This patch makes 2 changes:
1 - Global datepicker defaulted to c-100:c+10
2 - Dateofbirth datepicker defaulted to c-100:c
To test:
1 - Open some date pickers (patron entry, subscriptions, anywhere really)
- Make sure to check some dateofbirth datepickers
2 - Note that default is 10 years in either direction, updated when you
select
3 - Apply patch
4 - Note we now get -100 years / +10 years from current selection
5 - Now find a dateofbirth datepicker and note default is -100:+0
6 - Sign off
Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Jonathan Druart [Tue, 15 Aug 2017 18:08:46 +0000 (15:08 -0300)]
Bug 19080: Fix member vs borrowernumber in delmember
Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Jonathan Druart [Thu, 10 Aug 2017 17:44:50 +0000 (14:44 -0300)]
Bug 19080: Handle non-existing patrons gratefully
This is a recurrent bug we have over the last years. When a script is
called with non-existent borrowernumber it will crashes.
We need to handle this gracefully instead of letting the script crashes.
On bug 18403 a new subroutine is added to the codebase
(output_and_exit_if_error) to handle this kind of errors correctly.
Since it is not pushed yet, I propose to just redirect to a script that
handle it correctly (circulation.pl) instead of adding this message to
all these scripts.
Test plan:
Hit different scripts from the members module and pass a non-existent
borrowernumber.
You must be redirected to circulation.pl with a friendly message.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Owen Leonard [Thu, 11 May 2017 15:02:29 +0000 (15:02 +0000)]
Bug 18581 - Add standard edit and delete buttons to suggestions list
This patch modifies the table of suggestions in the staff client, moving
the edit link to the standard last column and styling it correctly. A
delete button is added as well.
Unrelated change: I removed the column containing suggestionid because I
don't think it's human-relevant information.
To test, apply the patch and go to Acquisitions -> Suggestions.
- In each tab, the table of suggestions should have an unsorted last
column containing "edit" and "delete" links which should be styled
correctly and working correctly.
- On the detailed view of a suggestion, the "delete" button in the
toolbar should still work correctly.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Bug 18354 Adding item type attribute to cover image div
This adds item type so we can do things with javascript.
To Test:
1.) Do a search on OPAC
2.) Inspect element to confirm item type is not present
3.) Apply patch
4.) Do a search on OPAC to confirm item type is present as a class
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Bug 17288: (follow-up) Remove unneccessary Date() function
Remove line:
var now = new Date(); from both subfields
Also fix 18 positions (00-17) for default data in 006 field
Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Nick Clemens [Tue, 27 Sep 2016 14:02:55 +0000 (14:02 +0000)]
Bug 17288 (QA Followup)
Don't default char 5 (is undefined in some forms)
Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Bad formatted data in 007 field. Fixed
To test follow the previous commit.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Nick Clemens [Fri, 9 Sep 2016 22:30:26 +0000 (22:30 +0000)]
Bug 17288 - Advanced Editor - Rancor - Helpers for 006 and 007 fields
To test:
Open advanced cataloging editor
Experiment with 006 and 007 fields and ensure helpers function for all
material types
Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Mark Tompsett [Fri, 28 Jul 2017 15:45:20 +0000 (11:45 -0400)]
Bug 16892: Address error checking in comment #47
Tweaked logic to include error check for category
and branch being valid. If not, the user is told
about a configuration error to share with the
library. Otherwise, it should proceed as normal.
TEST PLAN is comment #35 still.
Though include a run with an invalid category
and/or branch code in the two system preferences:
GoogleOpenIDConnectDefaultBranch and/or
GoogleOpenIDConnectDefaultCategory
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Mark Tompsett [Mon, 3 Apr 2017 17:05:41 +0000 (13:05 -0400)]
Bug 16892: Follow up use AddMember as per QA comment
Same Test plan as before.
Signed-off-by: Eugene Jose Espinoza <eugenegf@yahoo.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Mark Tompsett [Tue, 19 Jul 2016 14:48:35 +0000 (10:48 -0400)]
Bug 16892: Follow up with adding missing IGNORE
Signed-off-by: Eugene Jose Espinoza <eugenegf@yahoo.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Mark Tompsett [Tue, 19 Jul 2016 12:55:42 +0000 (08:55 -0400)]
Bug 16892: System Preferences
This adds the missing system preferences for a fresh install.
Signed-off-by: Eugene Jose Espinoza <eugenegf@yahoo.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Mark Tompsett [Mon, 11 Jul 2016 04:42:40 +0000 (00:42 -0400)]
Bug 16892: Add automatic patron registration via OAuth2 login
10988 added the ability to log into the OPAC authenticating with
Google Open ID Connect. This extends it, by allowing an
unregistered patron to have an account automatically created
with default category code and branch.
This is accomplished by adding 3 system preferences.
- GoogleOpenIDConnectAutoRegister
whether it will attempt to auto-register the patron.
- GoogleOpenIDConnectDefaultCategory
This category code will be used to create Google OpenID Connect patrons.
- GoogleOpenIDConnectDefaultBranch'
This branch code will be used to create Google OpenID Connect patrons.
Sponsored-by: Tulong Aklatan Signed-off-by: Eugene Jose Espinoza <eugenegf@yahoo.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Magnus Enger [Thu, 17 Aug 2017 20:48:07 +0000 (22:48 +0200)]
Bug 19134: C4::SMS falils on long driver name
Code in C4::SMS takes the part of the SMS::Send-driver that comes after
SMS::Send and tries to turn it into part of a path to a YAML file
that can contain additional parameters to SMS::Send. The current
code works for e.g. SMS::Send::A::B, but if there is one or more
extra names, it fails to turn :: into /. So we have:
SMS::Send::A::B -> SMS/Send/A/B
SMS::Send::A::B::C -> SMS/Send/A/B::C
This patch makes sure all occurrences of :: are turned into /, by
adding a "g" modifier at the end of the regex.
Testing:
Testing this preperly would take a whole lot of setup for a very
small change. I would suggest that the following two oneliners
are enough to demonstrate that the change makes sense:
$ perl -e '$x = "a::b::c"; $x =~ s|::|/|; print $x, "\n";'
$ perl -e '$x = "a::b::c"; $x =~ s|::|/|g; print $x, "\n";'
So:
- Check that the output of these oneliners make sense
- Check that the patch changes the code in a similar way to the
change from the first oneliner to the second.
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Mark Tompsett [Fri, 4 Aug 2017 17:42:56 +0000 (13:42 -0400)]
Bug 19040: Refactor GetMarcBiblio parameters
Change parameters to a hashref.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Looks good to me.
Two calls in migration_tools/22_to_30 still in old style.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Jonathan Druart [Mon, 14 Aug 2017 19:19:15 +0000 (16:19 -0300)]
Bug 18817: Update links manually
Without the anchor it is not possible to retrieve the html page, so
these occurrences have been updated manually (and yes it was painful)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Jonathan Druart [Mon, 14 Aug 2017 18:38:05 +0000 (15:38 -0300)]
Bug 18817: Update links with anchor automatically
I generate a mapping files (old anchor > new anchor) from the doc files.
Here are the links that have been updated automatically
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Joy Nelson [Mon, 19 Jun 2017 14:45:16 +0000 (07:45 -0700)]
Bug 18817 Correct Manual URL
Corrected the manual url in the help screen for 17.05 onward.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Chris Cormack [Tue, 1 Aug 2017 22:15:10 +0000 (10:15 +1200)]
Bug 18046: CAS logout infinite redirect
To test (You need a CAS server and CAS configured in Koha)
1/ Login using CAS in Koha
2/ Logout in Koha
3/ Notice you get redirected again and again
4/ Apply patch
5/ Login with CAS, then logout
6/ Notice logout works, but no longer infinitely redirected
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Patch has been in production use for several months
on several instances. Fixes a critical bug.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Looks like a typical workaround, but evidently works.
Not tested with CAS.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Marcel de Rooy [Tue, 22 Aug 2017 14:41:46 +0000 (16:41 +0200)]
Bug 19163: Critical typo in stage-marc-import process
Template says ISO2709 but script wants MARC or MARCXML..
Slipped in with bug 19049.
Trivial but critical fix.
Test plan:
Import a MARC file.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
I picked this fix because I think MARC is always ambiguous. ISO2709
clearly denotes the serialization format used.
Signed-off-by: Liz Rea <liz@catalyst.net.nz> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Marcel de Rooy [Wed, 2 Aug 2017 11:01:47 +0000 (13:01 +0200)]
Bug 18996: [QA Follow-up] Remove global variables from Message.t
As per request of Colin in comment18, this patch makes the use of global
variables in Message.t no longer needed.
The three subtests are now completely independent and could well be moved
to separate test scripts.
Note: Strictly speaking, the use of global (package) variables could
potentially introduce new bugs (e.g. if the value is modified outside the
script). This seems not to be the case here, but we are safe now.
Test plan:
Run the test again.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Variable $branch was not used.
Promoted some global vars to our.
Shared the branchcode between all three subtests now.
The third subtest contains all six cases mentioned in the first patch.
Test plan:
Run t/db_dependent/SIP/Message.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Marcel de Rooy [Tue, 1 Aug 2017 12:10:56 +0000 (14:10 +0200)]
Bug 18996: Resolve an uninitialized warning from ILS/Item.pm
From the syslog call on line 107/108. The field $item->{title} has not
been initialized. When catching the warns in a test script with Test::Warn,
I got:
Use of uninitialized value $args[1] in sprintf at /usr/lib/x86_64-linux-gnu/perl/5.20/Sys/Syslog.pm line 423.
This simply resolves the warning. We might have a closer look to this title
field on another report though.
Test plan:
Run Message.t from the next patch without this fix. It will fail since the
additional warning makes warnings_like return false.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Bug 18996: Handle data corruption from old_issues at SIP checkin
As per bug 18966 AddReturn returns false with a DataCorrupted message
when the issue_id at hand already occurs in the old_issues table.
This should be handled when returning an item via SIP too. SIP should
not pretend that the checkin was successful, since this item needs
special care.
The following six different situations are handled:
[1] An attempt to checkin an invalid barcode is handled as before. The
ok flag is false; the screen message shows 'Invalid Item'.
[2] We receive a DataCorrupted message: the alert type is set to the
unused 98 code to indicate this new error condition. The ok flag
is false; the screen message shows 'Checkin failed: data problem'.
[3] The item checked in was not checked out AND the option checked_in_ok
is active. The ok flag is set to true; no screen message.
[4] The item checked in was not checked out AND the option checked_in_ok
is not active. The ok flag is not changed (normally false); the screen
message shows 'Item not checked out'.
[5] (The regular checkin) The item was checked out and AddReturn returned
true. The ok flag is true; no screen message.
[6] ("Otherwise") The item was checked out, but AddReturn returned false.
The ok flag is false; the screen message shows 'Checkin failed'.
Note: Currently this case only refers to the Wrongbranch and withdrawn
messages from AddReturn (where doreturn==0).
Note: Situation 1 and 5 are unchanged. Behavior is slightly changed for
situation 3 and 4; the option is only used when the item was not checked
out. Situation 2 and situation 6 are changed. After bug 18966 SIP
returned OK in case of data corruption (while checkin failed). In the
remaining cases under [6] SIP also returned OK while checkin failed.
Test plan:
[1] Test all six cases listed above. In order to simulate data corruption
insert the issue_id at hand in old_issues before you check in.
In cases 3 and 4 you need to toggle the option in your SIPconfig.xml and
restart the SIP server.
Case 6 can be tested by checking out at branch A, adjusting the value
of pref AllowReturnToBranch and checking in at branch B.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Bug 18919: Repair "Transaction branch" in cash_register_stats.pl
- values of the option fields are now correctly loaded
TEST PLAN:
go to domain/cgi-bin/koha/reports/cash_register_stats.pl
1 - Make a report for all branches => it works
2 - Make a report for any branch => you will get the same or no result
3 - apply patch
4 - Repeat 2 => it should work
Followed test plan worked as intended Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Owen Leonard [Thu, 25 May 2017 12:40:43 +0000 (12:40 +0000)]
Bug 12644 - Add subtitles to staff client cart
This patch adds display of subtitles to the staff client cart.
To test you should have some values mapped to subtitle in Administration
-> Keyword to MARC Mapping.
1. Apply the patch.
2. Add some records to the staff client cart which have subtitles.
3. Open the cart and onfirm that subtitles display correctly in both the
brief and "More details" view.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Mark Tompsett [Wed, 28 Jun 2017 23:31:12 +0000 (23:31 +0000)]
Bug 18877: Add documentation on dbhost for koha-create help
TEST PLAN
---------
apply bugs 9409 and 14533 (order is irrelevant)
trigger message about missing database name
-- notice it fails to mention dbhost
apply this patch
trigger message again
-- notice it mentions dbhost
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Mark Tompsett [Thu, 22 Jun 2017 19:26:33 +0000 (19:26 +0000)]
Bug 14533: Make --use-db display a message if no DB defined
Signed-off-by: Lee Jamison <ldjamison@marywood.edu> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Yarik Dot [Thu, 22 Jun 2017 17:53:00 +0000 (17:53 +0000)]
Bug 14533: remove CREATE USER when koha-create --use-db
Signed-off-by: Lee Jamison <ldjamison@marywood.edu> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Mark Tompsett [Fri, 23 Jun 2017 01:46:50 +0000 (01:46 +0000)]
Bug 9409: Add --dbhost parameter and dbhost field
This allows setting the remote db host correctly for
request-db either with a command-line or passwd file.
Signed-off-by: Lee Jamison <ldjamison@marywood.edu> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Nick Clemens [Fri, 21 Apr 2017 14:08:27 +0000 (10:08 -0400)]
Bug 18469: Suspend all holds when specifying a date to resume hold does not keep date
Name of field had 'datepicker' embedded, this caused variable issue
To test:
1 - Place several holds for a patron
2 - Go to holds tab in circulation
3 - Select a date for suspend all holds until
4 - Suspend all holds
5 - Note date is not used, suspended indefinitely
6 - Apply patch
7 - Resume all suspended holds
8 - Select a date for suspend all holds until
9 - Suspend all holds
10 - Note date is used
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Colin Campbell [Tue, 8 Aug 2017 10:47:40 +0000 (11:47 +0100)]
Bug 19061: Avoid SQL Injection vulnerability
Embedding values in the SQL statement allows the passing of values
that would normally be rejected resulting in mysql errors
variables should always be passed via placeholders and
the execute call
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Jonathan Druart [Wed, 9 Aug 2017 16:01:37 +0000 (13:01 -0300)]
Bug 18292: Tests do not need to return 1 - xt
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
git grep '^1;$' t/**/*.t
should not return any results
NOTE: does not fix C4/SIP/t, nor xt tests.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>