If a librarian has edit_subscription but not create_subscription :
When trying to edit a subscription, after saving permission is denied.
This is because permissions in serials/subscription-add.pl depend on arg 'op', and on edit this arg starts with 'modify' but changes to 'modsubscription' when saving.
Test plan :
- Create a user with staff access
- Define its permissions on serials : only edit_subscription
- Edit a subscription
- Click 'Next'
- Click 'Test prediction pattern'
- Click 'Save subscription'
=> Without patch you get to page serials/subscription-add.pl with permission denied
=> With patch subscription is saved and you get to subscription details page
Signed-off-by: Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 12bd6358cfe6c9348cb111d22f04097f7911babf) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit fe386c172496159198b34383c3080185de7ae0af) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
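The failure mode described in the commit above, as an added example (not Koha code and not part of the original commit): a small Perl model of a script that derives the required permission from the `op` parameter. The function names and the create-workflow op names are hypothetical; only `modify`, `modsubscription`, `edit_subscription` and `create_subscription` come from the commit message.

```perl
#!/usr/bin/perl
# Added illustration, not Koha code: models a CGI script that picks the
# required serials sub-permission from the 'op' request parameter.
use strict;
use warnings;

# Before: only the op that opens the edit form is treated as an edit. The op
# sent when that form is saved ('modsubscription') falls through to the
# create permission, so an edit-only librarian is refused on save.
sub required_permission_before {
    my ($op) = @_;
    return ( defined $op && $op eq 'modify' )
        ? 'edit_subscription'
        : 'create_subscription';
}

# After: every op of the edit workflow maps to edit_subscription, every op of
# the create workflow maps to create_subscription, and an op that is not
# listed maps to nothing, which authorize() treats as a refusal.
my %PERMISSION_FOR_OP = (
    modify          => 'edit_subscription',
    modsubscription => 'edit_subscription',
    # Hypothetical op names for the create workflow (not taken from the page).
    new             => 'create_subscription',
    addsubscription => 'create_subscription',
);

sub required_permission_after {
    my ($op) = @_;
    return defined $op ? $PERMISSION_FOR_OP{$op} : undef;
}

# Returns 1 only when a permission is required for this op AND it is granted.
sub authorize {
    my ( $granted, $resolver, $op ) = @_;
    my $needed = $resolver->($op);
    return 0 unless defined $needed;    # unknown op: fail closed
    return $granted->{$needed} ? 1 : 0;
}

# Constructed accounts: one with only edit_subscription, one with nothing.
my %edit_only = ( edit_subscription => 1 );
my %no_serials = ();

my @cases = (
    [ 'edit-only',  \%edit_only,  'modify' ],
    [ 'edit-only',  \%edit_only,  'modsubscription' ],
    [ 'edit-only',  \%edit_only,  'unknown_op' ],
    [ 'no-serials', \%no_serials, 'modsubscription' ],
);

printf "%-11s %-16s %-7s %s\n", 'account', 'op', 'before', 'after';
for my $case (@cases) {
    my ( $label, $granted, $op ) = @$case;
    printf "%-11s %-16s %-7s %s\n", $label, $op,
        authorize( $granted, \&required_permission_before, $op ) ? 'allow' : 'deny',
        authorize( $granted, \&required_permission_after,  $op ) ? 'allow' : 'deny';
}
```

Walking every op of a multi-step form through a table like this, once per permission set, is the same check the test plan performs by hand with 'Next', 'Test prediction pattern' and 'Save subscription'.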
Mark Tompsett [Sat, 2 Sep 2017 01:23:20 +0000 (21:23 -0400)]
Bug 19120: Leave cancelled ordered items alone when reopening basket
TEST PLAN
---------
1) Apply first patch
2) prove t/db_dependent/Acquisition/close_reopen_basket.t
-- FAILS
3) Apply this patch
4) prove t/db_dependent/Acquisition/close_reopen_basket.t
-- SUCCESS!
5) run koha qa test tools
Followed test plan, patch worked as described
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Mark Tompsett [Sat, 2 Sep 2017 01:21:40 +0000 (21:21 -0400)]
Bug 19120: Add tests to reproduce the problem
TEST PLAN
---------
1) apply this patch
2) prove t/db_dependent/Acquisition/close_reopen_basket.t
-- FAILS!
-- This proves the test works.
3) run koha qa test tools
Followed test plan, patch worked as described
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Alex Arnaud [Fri, 6 Oct 2017 07:19:15 +0000 (07:19 +0000)]
Bug 19418: (bug 12833 follow-up) Add missing use statement
Patron search fails on calling svc/members/search. This script
returns a 500 error and the search stays on "Processing..."
Test plan:
- Enable ExtendedPatronAttributes system preference,
- make a standard search (search fields),
- check the search works and it doesn't stick on "Processing..."
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
I do not recreate the issue, but the change makes sense and the issue has
been raised by several people
Bug 19350 - Holds without link in 773 trigger SQL::Abstract::puke
Test:
1. find biblio without items which has something in field 773
(for us, it's article) but doesn't have 0 or 9 (host item entry)
2. click on hold in left menu
3. verify application error
4. apply patch and verify that it works
Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Aleisha Amohia [Thu, 30 Mar 2017 04:15:54 +0000 (04:15 +0000)]
Bug 18351: Able to delete budget with funds
To test:
1) Create a budget, add a fund
2) Delete budget. Notice this is successful and triggers no warning
message etc.
3) Go to Funds. Notice the funds appear as if they are not there
4) Go into mysql and view the aqbudgetperiods table - notice the funds
are still there and are now inaccessible.
5) Apply patch
6) Create a budget, add a fund
7) Attempt to delete budget. Notice you can't click Delete button.
Confirm number of funds in hover message is correct.
8) Delete fund
9) Confirm you can now delete budget.
Sponsored-by: Catalyst IT Signed-off-by: Felix Hemme <felix.hemme@thulb.uni-jena.de> Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Bug 18351: [FOLLOW-UP] Some code fixes
See Comment 5. Ready to test.
Signed-off-by: Lee Jamison <ldjamison@marywood.edu> Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Bug 18351: [FOLLOW-UP] Code fix
See comment 10.
Ready for testing.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Bug 18351: [FOLLOW-UP] Prevent deletion from forcing URL
This patch adds a check in the script for existing funds so that the
budget cannot be deleted when forcing the URL and has other small fixes.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Bug 18351: [FOLLOW-UP] Prevent deletion if funds are added after clicking 'Delete' and before confirming delete
Followed test plan and patch works as described.
Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 0ed469525fe16e36663c1f5266568beb5e27672d) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 2a9dc2e595d916e4fb94948871f665df06b7088b) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
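The server-side checks added by the Bug 18351 follow-ups above, as an added example (not Koha code and not taken from these commits): a small in-memory Perl model in which the handler re-counts funds both when the confirmation page is requested and when the deletion is confirmed. The op names `confirm` and `confirmed`, the function names and the sample data are hypothetical.

```perl
#!/usr/bin/perl
# Added illustration, not Koha code: a disabled Delete button only guides the
# user; the request handler has to enforce the rule on every request.
use strict;
use warnings;

# Constructed sample data: budget 1 has one fund, budget 2 has none.
my %budgets = ( 1 => 'Budget 2017', 2 => 'Budget 2018' );
my @funds   = ( { fund_id => 10, budget_id => 1, name => 'Books' } );

sub fund_count {
    my ($budget_id) = @_;
    return scalar grep { $_->{budget_id} == $budget_id } @funds;
}

# $op is 'confirm' (show the confirmation page) or 'confirmed' (perform the
# deletion). The fund count is taken again on each call, so neither a
# hand-typed URL nor a fund added between the two steps gets past it.
# With a real database the count and the delete belong in one transaction,
# or the rule belongs in a foreign key constraint.
sub handle_delete {
    my ( $op, $budget_id ) = @_;
    return 'error: no such budget' unless exists $budgets{$budget_id};

    my $count = fund_count($budget_id);
    return "refused: budget has $count fund(s)" if $count > 0;

    return 'confirmation page shown' if $op eq 'confirm';
    if ( $op eq 'confirmed' ) {
        delete $budgets{$budget_id};
        return 'deleted';
    }
    return 'error: unknown op';
}

# 1. Forcing the URL: the confirmed op is requested directly for a budget
#    that still has a fund.
print "forced URL on budget 1:    ", handle_delete( 'confirmed', 1 ), "\n";

# 2. Funds added after clicking 'Delete' and before confirming.
print "confirm on budget 2:       ", handle_delete( 'confirm', 2 ), "\n";
push @funds, { fund_id => 11, budget_id => 2, name => 'Serials' };
print "confirmed after fund added: ", handle_delete( 'confirmed', 2 ), "\n";

# 3. Once the fund is removed, the deletion goes through.
@funds = grep { $_->{budget_id} != 2 } @funds;
print "confirmed after fund gone:  ", handle_delete( 'confirmed', 2 ), "\n";
```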
To test:
1) Go to Acquisitions, find a vendor and a basket (create if you don't
have either)
2) Close the basket
3) View the basket and reopen it
4) Notice the warn
5) Apply the patch and repeat steps 1-3
6) Notice the warn no longer shows and the basket is reopened as
expected
Sponsored-by: Catalyst IT Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 6ed1513e5fe91772c1720963006bf8f04452416d) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit f1677e56ecf1ea5f0ce2a408f1f11e931639e1d5) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Aleisha Amohia [Thu, 31 Aug 2017 21:25:28 +0000 (21:25 +0000)]
Bug 19229: Return to course when cancelling out of edit form
To test:
1) Ensure UseCourseReserves is enabled
2) Go to Course Reserves, create a course
3) Edit course
4) Click Cancel
5) Notice you are returned to the courses home page rather than returned
to the course
6) Apply patch
7) Go to edit course and click cancel again
8) Confirm you are returned to the course and that this feels like the
natural expectation.
Sponsored-by: Catalyst IT Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit f55af2fc078a7d6a05238232bc276e6924307179) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit ae405f61c8d4c04361267b500347a496a2ce7d58) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Bug 17834: Change library news text for single-branch libraries
To test:
1) Log into OPAC, go to home page
2) Confirm that the text shows as 'RSS feed for (branchname) library
news' if single-branch library
3) Confirm text shows as normal for libraries with more than one branch
Sponsored-by: Catalyst IT Signed-off-by: maricris <mlabancia@gmail.com> Signed-off-by: anafe <anafeazuela@yahoo.com> Signed-off-by: iflora <iflora@unimas.my> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Katrin Fischer [Mon, 8 Jun 2015 00:03:34 +0000 (02:03 +0200)]
Bug 14316: Clarify meaning of record number in Batch record deletion tool
Changes the label from 'list of record numbers...' to
'List of biblionumbers or authority ids...' to make it
more clear to the user which kind of input is expected.
To test:
- Go to Tools > Batch record deletion
- Check the new description
- Decide if it's more clear or not
Signed-off-by: Marc Veron <veron@veron.ch> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Karam Qubsi [Tue, 18 Jul 2017 16:06:48 +0000 (00:06 +0800)]
Bug 18946 - Change language from external web fails
How to reproduce:
1. Get a multilingual Koha like
http://demo1.orex.es/cgi-bin/koha/opac-changelanguage.pl?language=en
http://demo1.orex.es/cgi-bin/koha/opac-changelanguage.pl?language=es-ES
2. Copy those URLs to any web page in another domain - it must be on some
host - and try to link to the Spanish or English version; it will keep you in the same position.
3. Apply this patch and try again, everything should work fine.
Signed-off-by: Hugo Agud <hagud@orex.es> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Lari Taskula [Wed, 31 May 2017 14:03:54 +0000 (17:03 +0300)]
Bug 18692 - intranet part
Fixes misplaced columns introduced by previous patch and adds the "-" for phone
transport type.
To test:
1. Set SMSSendDriver system preference on
2. Go to intranet messaging preferences
3. By default you should see checkboxes for all messages for SMS
4. Ensure columns are not misplaced (pushing one column too much to the right)
5. Delete sms method from one of the messages in message_transports table
6. Observe that "-" is displayed instead of checkbox for that message for SMS
7. Repeat same for TalkingTechItivaPhoneNotification system preference.
By default it may not have transports in message_transports, so make sure
to assign some in order to have the checkboxes visible.
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Fridolin Somers [Thu, 1 Jun 2017 15:22:42 +0000 (17:22 +0200)]
Bug 18692 - same with syspref TalkingTechItivaPhone
Fixes misplaced columns introduced by previous patch and adds the "-" for phone
transport type.
To test:
1. Set SMSSendDriver system preference on
2. Go to intra and OPAC messaging preferences
3. By default you should see checkboxes for all messages for SMS
4. Ensure columns are not misplaced (pushing one column too much to the right)
5. Delete sms method from one of the messages in message_transports table
6. Observe that "-" is displayed instead of checkbox for that message for SMS
7. Repeat same for TalkingTechItivaPhoneNotification system preference.
By default it may not have transports in message_transports, so make sure
to assign some in order to have the checkboxes visible.
Signed-off-by: Michael Andrew Cabus <michael@bywatersolutons.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Fridolin Somers [Mon, 29 May 2017 14:32:18 +0000 (16:32 +0200)]
Bug 18692 - When SMS is enabled the OPAC messaging table is misaligned
Bug 6726 had corrected the fact that when SMS is enabled the messaging table is missing a column.
Bug 6458 has broken this.
The SMS column is missing an else case with cell containing only "-" like other columns.
Test plan :
- set SMSSendDriver preference empty
- go to OPAC patron messaging
- column SMS should not be visible
- set SMSSendDriver preference not empty
- go to OPAC patron messaging
- column SMS appears with checkboxes
Signed-off-by: Michael Andrew Cabus <michael@bywatersolutons.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Marc Véron [Wed, 9 Aug 2017 07:46:02 +0000 (09:46 +0200)]
Bug 18636: Sysprefs: Add explanation for conflict autonumbernum / BorrowerMandatoryFields
This patch adds a note to the system preferences automembernum and
BorrowerMandatoryFields regarding a conflict if automembernum is on
and BorrowerMandatoryFields contains cardnumber.
To reproduce issue: See initial comment.
To test:
- Apply patch
- Verify that in system preferences note appears with both prefs
automembernum and BorrowerMandatoryFields
Followed test plan, works as described
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 65bce82b1fb32d3d98fe4d4ef1e1738a97749632) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 07695e8de40c55f2837ae81b5e35b8e11656f272) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Marc Véron [Tue, 27 Jun 2017 16:50:44 +0000 (18:50 +0200)]
Bug 16485: collection column in Item search is always empty
This patch fills the column 'Collection' in item search from the item values.
To test:
- Go to item search
- Reproduce issue from initial comment
- Apply patch
- Verify that the column 'Collection' is filled
Still to do, but outside of my datatable skills:
Filter by drop down in the column header does a substring search.
Example: Filter for 'Fiction' returns both 'Fiction' and 'Non-fiction' items.
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Laurence Rault <laurence.rault@biblibre.com> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 6c1504cfdb301cb0f9f3a14b5db31a63f5c3b0a5) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 74752502b309ddec4311a4311a3481bf54061187) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Colin Campbell [Wed, 2 Aug 2017 16:12:44 +0000 (17:12 +0100)]
Bug 19024 Do not unset order cancelled status on basket close
On closing a basket, status is updated to ordered for orders not
completed. However the operation was resetting the status for
cancelled as well as new orders.
While display is correct from the basket view (it checks the
cancellation date), the status in the acquisitions tab from the
catalogue view reverts erroneously to ordered.
This patch adds cancelled to the statuses not updated on basket
close.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Colin Campbell [Tue, 15 Aug 2017 10:44:12 +0000 (11:44 +0100)]
Bug 19024 Fix some infelicities of phrasing in test messages
The test messages were awkwardly phrased, rephrase them to
sound more natural. Patch is cosmetic (grammar) only
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Jonathan Druart [Wed, 9 Aug 2017 19:09:32 +0000 (16:09 -0300)]
Bug 19024: Add tests
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Katrin Fischer [Fri, 18 Aug 2017 08:36:59 +0000 (08:36 +0000)]
Bug 9857 - Follow-up - Fix for searches with su= or su:
When the initial search is su=.../su:... the links were
not constructed correctly. With this change, it should
be the case.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Katrin Fischer [Fri, 4 Dec 2015 00:17:50 +0000 (01:17 +0100)]
Bug 9857: Did you mean? uses wrong punctuation in search links
The link changes the search links generated by the plugins
from an=authid to an:authid, as suggested by Jared on the
bug report.
- Turn on the AuthorityFile and ExplodedTerms plugins
for the OPAC from the "Did you mean" section of the
administration module
- Search a term in your OPAC where one or several
authorities exist.
A last name or a place name might work well.
- Verify that there are suggestions displayed on top of
your result list.
- Verify that the link created is something like:
/cgi-bin/koha/opac-search.pl?q=an=14084
- Apply patch.
- Verify the link has changed a little and still works
correctly:
/cgi-bin/koha/opac-search.pl?q=an:14084
Signed-off-by: Frédéric Demians <f.demians@tamil.fr> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Alex Buckley [Tue, 11 Jul 2017 22:09:48 +0000 (10:09 +1200)]
Bug 18621: Added in value attribute to dateexpiry field
Test plan:
1. Create a patron category with the dateexpiry value of 29/9/2017
2. Create a patron user from that patron category (which I'll refer to as patron A) with the date
expiry value of 1/10/2017 and submit the form
3. Notice that the manual dateexpiry you have submitted is correctly
displayed
4. Create a duplicate patron with the same firstname and surname as
patron A, and set the date expiry value of 1/10/2017 and submit the form
5. The form displays a duplicate patron message. Notice that the dateexpiry input box is empty now
6. Select the new member (not a duplicate member) option in the
messagebox
7. The form successfully submits and notice that the date expiry value
displayed is that of the patron category (i.e. it is 29/9/2017) not the
dateexpiry value of 1/10/2017 that you manually set for this patron
8. Apply patch
9. Repeat step 4
10. The form displays a duplicate patron message. Notice the dateexpiry input box still
contains the value you entered which is 1/10/2017. Select the new member
(not a duplicate member) option in the messagebox
11. The form successfully submits and notice that the date expiry value
displayed is 1/10/2017 that you manually set for this patron
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 515e62992893b72c54a34311088a9442a37d8138) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 60b6d736ee306198af83e1a1482ff89280a05e7b) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Nick Clemens [Thu, 15 Jun 2017 15:07:03 +0000 (11:07 -0400)]
Bug 18812 - SIP Patron status does not respect OverduesBlockCirc
To test:
1 - Set 'OverduesBlockCirc' to block
2 - Find or create a patron with overdues
3 - Perform a SIP patron lookup on that patron
misc/sip_cli_emulator.pl -a 127.0.0.1 -p 6001 -su term1 -sp term1 -l CPL
--patron {userid or cardnumber} --password {pass} -m patron_information
4 - Note the first character of response is a ' '
5 - Apply patch
6 - Restart memcached, apache, and plack
7 - Perform SIP patron lookup
8 - Note the first character of response is 'Y'
9 - prove t/db_dependent/SIP/Patron.t
10 - Test should return green
Signed-off-by: Chris Kirby <chris.kirby@ilsleypubliclibrary.org>
Works as advertised
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit ff4f0858950c37eeede38b2f067841602b97d7ba) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 4b360f1371a56268458b62e5c8c68da853b4e52d) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Kyle M Hall [Mon, 31 Jul 2017 13:18:15 +0000 (09:18 -0400)]
Bug 19007 - Allow paypal payments via debit or credit card again
A recent change in Paypal has removed the previous default option of paying via debit or credit card without an account. To bring this option back, we need to send an additional parameter to the PayPal API.
Test Plan:
1) Enable paypal for your Koha instance
2) Ensure you are not logged in to PayPal
3) Attempt to pay a fine via PayPal
4) Note that the "Pay with Debit or Credit Card" option is missing
5) Apply this patch
6) Refresh opac-account.pl
7) Attempt to make a payment via PayPal again
8) Note the option "Pay with Debit or Credit Card" is now available
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: George Williams <gwilliams@nekls.org> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 85b963d11fb5d8674ca6b0ec60821663f9d8cf19) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 669b6839eab456f36ed7c65a7a97fa7b386ab4e6) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Jonathan Druart [Mon, 18 Sep 2017 17:23:54 +0000 (14:23 -0300)]
Bug 19335: Fix 00-merge-conflict-markers.t when dockerised
This does not make sense, but fixes a bug (why?)
Without this patch, the tests failed on po files:
[17:14:26] t/00-merge-conflict-markers.t .. Failed 1/1 subtests
Test Summary Report
-------------------
t/00-merge-conflict-markers.t (Wstat: 9 Tests: 0 Failed: 0)
Non-zero wait status: 9
Parse errors: Bad plan. You planned 1 tests but ran 0.
Result: FAIL
Note that this is not related to bug 19227.
If the ^>>>>>> and ^<<<<<< matches are done on the same line, the test fails.
As seen, it failed on *-pref.po files
misc/translator/po/kn-Knda-pref.po
misc/translator/po/ja-Jpan-JP-pref.po
misc/translator/po/nl-BE-pref.po
misc/translator/po/sr-Cyrl-pref.po
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 0d03f143e25f498de780d2ddd1972c3be7947519) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit bdfec37ab66f9c72f86adc7d6045bc83b5a92d88) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
shows that 00-merge-conflict-markers.t ran 10,751 tests, 124 less than
the previous run. However 124 files have not been removed from the
codebase!
I suggest to count only 1 test for all files.
Moreover files from blib and cover_db are counted, they should be
excluded.
Test plan:
prove t/00-merge-conflict-markers.t
must return green
echo ">>>>>>>" >> mainpage.pl
and run the test again
It should now fail
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Works as advertised.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Mason James <mtj@kohaaloha.com>
Failed test 'ListMetadataFormats'
at t/db_dependent/OAI/Server.t line 150.
Structures begin differing at:
$got->{responseDate} = '2017-06-12T14:31:51Z'
$expected->{responseDate} = '2017-06-12T14:31:50Z'
Aleisha Amohia [Wed, 28 Jun 2017 00:40:00 +0000 (00:40 +0000)]
Bug 18871: Make patron list name a link to view contents of list
The link is the same as the 'Add patrons' button in Actions dropdown,
but requires one less click, and makes finding the contents of the list
more obvious.
To test:
1) Go to Tools -> Patron lists
2) Create a patron list if you haven't already
3) Confirm that clicking the name of the list takes you to the correct
list and shows the expected content.
Sponsored-by: Catalyst IT Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit d51059807690797aa4d16b0c0dd2932235a3b683) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit e570915729b6b8e02e22b0cfdff4440b75815d26) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Marc Véron [Mon, 12 Jun 2017 07:07:28 +0000 (09:07 +0200)]
Bug 18781: Translatability: Get rid of exposed tt directives in openlibrary-readapi.inc
The file koha-tmpl/opac-tmpl/bootstrap/en/includes/openlibrary-readapi.inc
exposes template directives to translation. The only string that should
appear in .po from this file is "Open Library: "
To test:
- Apply patch
- Verify that code changes make sense
- Bonus test: create a new language 'aa-AA', verify in aa-AA-opac-bootstrap.po
that there is only the following string for openlibrary-readapi.inc:
msgid "Open Library: "
msgstr ""
NOTE: Followed a test plan similar to bug 18776 comment 3
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 23cc8b39682fea7b0a9150933c65c34ef22d23dd) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 861fa8c8db8bd8bbd6281863d5029d55675f359c) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
To test:
- Apply patch
- Verify that language selector in OPAC (top of the page) works as expected
- Bonus test: create a new language 'aa-AA', verify that line above does not
show up in aa-AA-opac-bootstrap.po
NOTE: Followed a test plan similar to bug 18776 comment 3
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 255cadeb772d63b06f77146c95b8d6e4b31d5836) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit e0adbc10c09c25310f79fec55518fb5df50ad040) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Marc Véron [Mon, 12 Jun 2017 06:20:56 +0000 (08:20 +0200)]
Bug 18779: Translatability: Get rid of exposed tt directives in authorities-search-results.inc (OPAC)
The file opac-tmpl/bootstrap/en/includes/authorities-search-results.inc
exposes template directives to translation that translators should not
be confronted with.
To test:
- Apply patch
- Verify that Authority search in OPAC works as before
- Bonus test: create a new language 'aa-AA', verify that line above
does not show up in aa-AA-opac-bootstrap.po
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 331320f93a5ef5293c3bcad80b9554ddea0196b0) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 4dc640244651c584347b01f35f2cb25b6369a638) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Marc Véron [Sun, 11 Jun 2017 14:54:28 +0000 (16:54 +0200)]
Bug 18776: Translatability: Get rid of exposed tt directives in opac-advsearch.tt
The file opac-advsearch.tt exposes template directives to translation that translators should not be confronted with.
Example in po file:
"[%% IF ( ( OpacAdvSearchOptions and OpacAdvSearchOptions.grep('itemtype')."
"size > 0 and not expanded_options ) or ( OpacAdvSearchMoreOptions and "
"OpacAdvSearchMoreOptions.grep('itemtype').size > 0 and expanded_options ) ) "
"%%] "
To test:
- Apply patch
- Verify that advanced search in OPAC behaves as before
- Create a new translation for a 'language' aa-AA (perl translate create aa-AA)
- Verify that template directives are no longer exposed in aa-AA-opac-bootstrap.po
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit ae684fc9491102ba0b560ca6f414a325e763b31a) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit b1bce06e515e22482ca555b85da19f965b475f5f) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Marcel de Rooy [Fri, 4 Aug 2017 14:44:51 +0000 (16:44 +0200)]
Bug 18754: [QA Follow-up] Tiny corrections
Converted one INCLUDE directive to PROCESS; we are not changing variables here. (The PROCESS directive is slightly faster than INCLUDE because it avoids the need to localise (i.e. copy) the variable stash before processing the template.)
Removed one vim inserted letter i.
Error in [% IF ( XISBN.publicationyear ) _ ', ' _ XISBN.publicationyear %][% END %] The concatenation became part of the condition.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit ff591f2c77a2a3c1de4a0e7167ccfeba08c2f128) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 78e527129b0b547eff7311c3f25a4b1f679d2a97) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
See: [% IF ( nextTitle ) %][% nextTitle |html %][% ELSE %]next biblio[% END "
"%]
To test:
- Apply patch
- Do a search in OPAC that has more than 1 results
- Go to the detail page of one of the items found
- Verify that the details display as before and that you can
browse the results with Previous and Next
- In staff client, change OPACXSLTDetailsDisplay from 'default' to
empty for "no xslt" and repeat steps above
- In staff client, set HTML5MediaEnabled to 'OPAC' or 'OPAC and staff client'
- Verify that media catalogued in field 856 still work
- Create a new translation for a 'language' aa-AA (perl translate create aa-AA)
- Verify that template directives are no longer exposed in aa-AA-opac-bootstrap.po
Followed test plan which works as intended
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 752aef4593f1aa2d64700bf9738e7e03907eb1cd) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 65e09b28dbbe43772b9104ffcafa1f81441c4d70) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Marc Véron [Sun, 28 May 2017 07:34:21 +0000 (09:34 +0200)]
Bug 18687: Translatability: abbr tag should not contain lang attribute
In manage-marc-import.tt, we have an abbreviation:
<abbr title="Differences between the original biblio and the imported" lang="en">Diff</abbr>
In translations (e.g. German), the line appears as follows:
<abbr title="Unterschiede zwischen Originaltitelsatz und importiertem Titelsatz" lang="en">Diff</abbr>
The lang attribute is wrong here, it is still "en".
The text language is the same as defined at the top of the page - or in other
words, the lang tag is superfluous.
This patch removes it.
To test:
Verify that code change makes sense.
Passes QA test and the change is logical
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 03c7f9366c97d6402e1e16182d7a2ddbbe37eccb) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 9f96a3bb39c8fcb246a3caeeb2d7a24f46da7153) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Lee Jamison [Fri, 11 Aug 2017 18:58:53 +0000 (18:58 +0000)]
Bug 19088: plugins-upload causes error log noise
After uploading a plugin the error log indicates
use of uninitialized value in $op. This patch
silences the noise.
To test:
1) Set <enable_plugins> to 1 (one) in koha-conf.xml.
2) Set the UseKohaPlugins system preference to 'Enable'.
3) Navigate to Administration -> Manage plugins.
4) Install the test plugin KPZ file attached to this bug.
5) Notice the uninitialized value noise in the error log.
6) Uninstall the plugin (plack restart may be required if plack is
enabled).
7) Apply patch.
8) Install the plugin again.
9) Notice no noise in the error log.
10) Run qa tools.
11) Run prove t/db_dependent/Plugins.t
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 1076a0edf32b621da54c53ea71595885f7e14c38) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit cdcc0458b796aff59a50e0f5d4c7b7140682eacf) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Amit Gupta [Tue, 15 Aug 2017 16:51:37 +0000 (22:21 +0530)]
Bug 19118 - Due to wrong variable name passed vendor name is not coming in browser title bar
Test
1. Hit the page /cgi-bin/koha/acqui/supplier.pl?booksellerid=xx
xx is a booksellerid
2. Apply the patch and reload the page.
3. You can see vendor name in browser title bar.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Mason James <mtj@kohaaloha.com>
Marcel de Rooy [Wed, 16 Aug 2017 11:15:19 +0000 (13:15 +0200)]
Bug 19126: Fix Members.t with IndependentBranches set
If you enabled that pref, Members.t fails with:
t/db_dependent/Members.t .. 63/63 # Looks like you failed 15 tests of 63.
The first one is:
t/db_dependent/Members.t .. 32/63
Failed test 'Staff patron not deleted from list'
at t/db_dependent/Members.t line 304.
Bottleneck is GetBorrowersToExpunge. The results of that sub depend on the
state of this preference.
Trivially fixing it here by disabling the pref before the first call.
Test plan:
[1] Do not apply this patch yet. Enable IndependentBranches.
[2] Run Members.t and observe that it fails.
[3] Apply this patch. And run Members.t again. It should pass now.
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Mason James <mtj@kohaaloha.com>
Mark Tompsett [Fri, 23 Jun 2017 01:46:50 +0000 (01:46 +0000)]
Bug 9409: Add --dbhost parameter and dbhost field
This allows setting the remote db host correctly for
request-db either with a command-line or passwd file.
Signed-off-by: Lee Jamison <ldjamison@marywood.edu> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Nick Clemens [Fri, 21 Apr 2017 14:08:27 +0000 (10:08 -0400)]
Bug 18469: Suspend all holds when specifying a date to resume hold does not keep date
Name of field had 'datepicker' embedded, this caused variable issue
To test:
1 - Place several holds for a patron
2 - Go to holds tab in circulation
3 - Select a date for suspend all holds until
4 - Suspend all holds
5 - Note date is not used, suspended indefinitely
6 - Apply patch
7 - Resume all suspended holds
8 - Select a date for suspend all holds until
9 - Suspend all holds
10 - Note date is used
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit a58745d9dbbf98c79f4c1a3e7cd40fb45425fc91) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit fec723524cbd972b4788f34e105908697c43ea01) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Marc Véron [Wed, 2 Aug 2017 16:01:06 +0000 (18:01 +0200)]
Bug 19027 - Circulation rules: Better wording for standard rules for all libraries
In Home > Administration > Circulation and fine rules, the standard value for
"Select a library: All libraries" is confusing and leads to support cases.
Change wording to "Standard rules for all libraries".
To test:
- Apply patch
- Go to Home > Administration > Circulation and fine rules
- Verify that text in drop down 'Select a library' makes sense.
Followed test plan which works as intended. I agree with the wording it
is significantly clearer than previously Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Mason James <mtj@kohaaloha.com>
Nick Clemens [Fri, 14 Jul 2017 11:25:42 +0000 (11:25 +0000)]
Bug 18941 - C4::Budgets GetBudgetByCode should return active budgets over inactive budgets
To test:
1 - Create an active budget
2 - Create an inactive budget
3 - Ensure they each have a fund with the same code
4 - Set MarcFieldsToOrder to get the budget_code from a marc field
5 - Stage a file using the duplicated code
6 - Add to a basket from the staged file
7 - Add the items
8 - Note funds are encumbered from the inactive budget
9 - Apply patch
10 - Repeat 5-8 with a new basket
11 - Note the active budget is now used
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Mason James <mtj@kohaaloha.com>
Nick Clemens [Fri, 14 Jul 2017 11:06:16 +0000 (11:06 +0000)]
Bug 18941 - Unit tests
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Mason James <mtj@kohaaloha.com>
Marcel de Rooy [Thu, 10 Aug 2017 07:24:08 +0000 (09:24 +0200)]
Bug 19071: Fix Members/IssueSlip.t
Resolve:
DBD::mysql::db do failed: Cannot delete or update a parent row: a foreign key constraint fails (`koha_master`.`clubs`, CONSTRAINT `clubs_ibfk_2` FOREIGN KEY (`branchcode`) REFERENCES `branches` (`branchcode`)) [for Statement "DELETE FROM branches"] at t/db_dependent/Members/IssueSlip.t line 44.
We do not need to delete all branches here.
Note: The test still needs attention for noisy userenv warns, but it should
pass now.
Test plan:
Run t/db_dependent/Members/IssueSlip.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Mason James <mtj@kohaaloha.com>
Marcel de Rooy [Thu, 10 Aug 2017 07:13:44 +0000 (09:13 +0200)]
Bug 19071: Fix Circulation/issue.t
Resolve:
DBD::mysql::db do failed: Cannot delete or update a parent row: a foreign key constraint fails (`koha_master`.`clubs`, CONSTRAINT `clubs_ibfk_2` FOREIGN KEY (`branchcode`) REFERENCES `branches` (`branchcode`)) [for Statement "DELETE FROM branches"] at t/db_dependent/Circulation/issue.t line 65.
Cause:
See also bug 19070.
We do not need to delete all branches here.
Test plan:
Run t/db_dependent/Circulation/issue.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Mason James <mtj@kohaaloha.com>
Marcel de Rooy [Mon, 7 Aug 2017 06:44:43 +0000 (08:44 +0200)]
Bug 19047: Fix AddBiblio call in Reserves.t
AddBiblio does not return a title; the biblioitemnumber is stored in the
title variable.
The variables for biblioitemnumber are not used and can be removed.
Test plan:
Run t/db_dependent/Reserves.t
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Mason James <mtj@kohaaloha.com>
Katrin Fischer [Wed, 16 Aug 2017 12:34:17 +0000 (14:34 +0200)]
Bug 19128 - XSS - patron-attr-types.tt, authorised_values.tt and categories.tt
Preparation:
- Add a branch with script in the branch name
- Add a patron category with script in the category name
- Add a new authorised value category with script
- Add a new authorised value for this category with script
in all possible fields
- Test editing patron categories
- Test editing patron attribute types
- Test viewing and editing authorised values
Verify that with this script there is no more script executed
and everything works fine.
Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Mason James <mtj@kohaaloha.com>
Amit Gupta [Wed, 16 Aug 2017 12:26:17 +0000 (17:56 +0530)]
Bug 19127 - Stored XSS in csv-profiles.pl
To Test
1. Hit the page /cgi-bin/koha/tools/csv-profiles.pl?op=add_form
2. Add a text in the field Profile name, Profile description
and Profile MARC fields that contains js
3. Save the page.
4. Notice js is executed
5. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Mason James <mtj@kohaaloha.com>
Katrin Fischer [Wed, 16 Aug 2017 10:05:50 +0000 (12:05 +0200)]
Bug 19125 - XSS - members.pl
In preparation to test this patch:
- Add a patron list named <script>alert("patron list")</script>
- Add a library named <script>alert("library")</script>
- Add a patron category named <script>alert("patron category")</script>
To test:
- Access patron search page and do a search
- Verify that the alerts added above are executed
- Apply patch
- Verify that no alerts are displayed
Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Mason James <mtj@kohaaloha.com>
Amit Gupta [Tue, 15 Aug 2017 09:07:50 +0000 (14:37 +0530)]
Bug 19108 - Stored XSS in biblio_framework.pl and marctagstructure.pl
To Test
1. Hit the page /cgi-bin/koha/admin/biblio_framework.pl?op=add_form
2. Add a text in the field Description that contains js
3. Save the page.
4. Notice js is executed
5. Click on Actions -> MARC structure
6. Apply patch and reload, the js is escaped
Fixed for both the pages biblio_framework.pl and marctagstructure.pl
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Mason James <mtj@kohaaloha.com>
Amit Gupta [Tue, 15 Aug 2017 08:40:43 +0000 (14:10 +0530)]
Bug 19108 - Stored XSS in fieldmapping.pl
To Test
1. Hit the page /cgi-bin/koha/admin/fieldmapping.pl
2. Add a text in the field Field name that contains js
3. Save the page.
4. Notice js is executed
5. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Mason James <mtj@kohaaloha.com>
Amit Gupta [Tue, 15 Aug 2017 08:36:47 +0000 (14:06 +0530)]
Bug 19108 - Stored XSS in authtypes.pl
To Test
1. Hit the page /cgi-bin/koha/admin/authtypes.pl?op=add_form
2. Add a text in the field Description that contains js
3. Save the page.
4. Notice js is executed
5. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Mason James <mtj@kohaaloha.com>
Amit Gupta [Tue, 15 Aug 2017 08:25:45 +0000 (13:55 +0530)]
Bug 19108 - Stored XSS in classsources.pl
Fixed for both Classification sources & Classification filing rules
To Test
1. first case classification source: Hit the page
/cgi-bin/koha/admin/classsources.pl?op=add_source
second case classification filing rules:
Hit the page /cgi-bin/koha/admin/classsources.pl?op=add_sort_rule
2. Add a text in the field Description that contains js
3. Save the page.
4. Notice js is executed
5. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Mason James <mtj@kohaaloha.com>
Amit Gupta [Tue, 15 Aug 2017 08:19:10 +0000 (13:49 +0530)]
Bug 19108 - Stored XSS in items_search_fields.pl
To Test
1. Hit the page /cgi-bin/koha/admin/items_search_fields.pl
2. Add a text in the field Name and Label that contains js
3. Save the page.
4. Notice js is executed
5. Apply patch and reload, the js is escaped
Fixed for new and edit page
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Mason James <mtj@kohaaloha.com>
Amit Gupta [Tue, 15 Aug 2017 08:03:57 +0000 (13:33 +0530)]
Bug 19108 - Stored XSS in oai_sets.pl
To Test
1. Hit the page /cgi-bin/koha/admin/oai_sets.pl
2. Click on New set
3. Add a text in the field setSpec, setName that contains js
4. Save the page.
5. Notice js is executed
6. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Mason James <mtj@kohaaloha.com>
Amit Gupta [Tue, 15 Aug 2017 04:45:54 +0000 (10:15 +0530)]
Bug 19103 - Stored XSS in matching-rules.pl
To Test
1. Hit the page /cgi-bin/koha/admin/matching-rules.pl
2. Click on new record matching rule
3. Add a text in the field Description that contains js.
4. Save the page.
5. Notice js is executed
6. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Mason James <mtj@kohaaloha.com>
Amit Gupta [Tue, 15 Aug 2017 04:37:45 +0000 (10:07 +0530)]
Bug 19103 - Stored XSS in patron-attr-types.pl
To Test
1. Hit the page /cgi-bin/koha/admin/patron-attr-types.pl
2. Click on new patron attribute type
2. Add a text in the field Description that contains js.
2. Save the page.
3. Notice js is executed
4. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Mason James <mtj@kohaaloha.com>
Amit Gupta [Tue, 15 Aug 2017 03:22:40 +0000 (08:52 +0530)]
Bug 19103 - Stored XSS in itemtypes.pl
To Test
1. Hit the page /cgi-bin/koha/admin/itemtypes.pl
2. Add a text in the field Description, Checkin message that contains js
2. Save the page.
3. Notice js is executed
4. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Mason James <mtj@kohaaloha.com>
Amit Gupta [Mon, 14 Aug 2017 21:14:11 +0000 (02:44 +0530)]
Bug 19086 Stored XSS in subscription-add.pl
To Test
1. Hit the page /cgi-bin/koha/serials/subscription-add.pl
2. Add a text in the field Public note and Nonpublic note
that contains js (Internalnotes, notes)
2. Save the page.
3. Notice js is executed
4. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amit Gupta [Mon, 14 Aug 2017 21:03:59 +0000 (02:33 +0530)]
Bug 19086 Stored XSS in supplier.pl
1. Hit the page /cgi-bin/koha/acqui/supplier.pl?op=enter
2. Add a text in the field company_postal, physical, company_fax,
accountnumber, contactposition, contact_fax, contact_notes, notes that contains JavaScript
3. Save the page.
4. Notice js is executed
5. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>