]> git.koha-community.org Git - koha.git/log
koha.git
5 weeks agoBug 37737: [23.11] Fixed report permissions to prevent disallowed duplication
Lisette Scheer [Mon, 9 Sep 2024 20:12:47 +0000 (20:12 +0000)]
Bug 37737: [23.11] Fixed report permissions to prevent disallowed duplication

Test plan:
1. Checkout 23.11
2. Create a report
3. Create a user with staff login and run reports permissions
4. Log in as your new user
5. Preview the SQL of the report
6. In the preview modal, select Duplicate report
7. Apply patch
8. Repeat steps 4-6.
9. You should be prompted to login.

Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 87817b1e0ad1689eb8bbfc93e46355d5e376632f)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 weeks agoBug 37861: Fix XSS vulnerability in barcode append function
Artur [Sat, 7 Sep 2024 16:12:05 +0000 (18:12 +0200)]
Bug 37861: Fix XSS vulnerability in barcode append function

When user inputs were appended directly to the barcode table, the values were not properly escaped, allowing potential XSS attacks. This patch ensures that user inputs are sanitized and safely added to the DOM using .text() and .attr() methods to prevent script injection.

To test:
Enable the "SelfCheckInModule".
Open the barcode input form.
Enter a barcode with HTML or script tags.
Without the patch, observe that the script is executed.
Apply the patch.
Repeat step 2.
Verify that the input is escaped and no script execution occurs.
Check that the barcode is properly appended to the table.

Documentation:
No updates required.

Sponsored-by: KillerRabbitAos
Signed-off-by: Bo Gustavsson <bosse@gustavsson.one>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit b576548223badb76272e9f28c1b24ca0e87caebf)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
2 months agoUpdate release notes for 22.11.21 release v22.11.21
Frédéric Demians [Mon, 7 Oct 2024 18:00:42 +0000 (20:00 +0200)]
Update release notes for 22.11.21 release

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2 months agoIncrement version for 22.11.21 release
Frédéric Demians [Mon, 7 Oct 2024 17:51:30 +0000 (19:51 +0200)]
Increment version for 22.11.21 release

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2 months agoBug 36879: Spurious warning in QueryBuilder
Andreas Jonsson [Thu, 16 May 2024 07:38:09 +0000 (09:38 +0200)]
Bug 36879: Spurious warning in QueryBuilder

Test plan:

With ElasticSearch enabled,
* Perform a search using the default  sort order
  (i.e. 'relevance').
* Verify that no warnings are generated in
  plack-intranet-error.log

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 85ae71cfd4226a5af93f5650aae6ced34f1b8136)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2 months agoBug 37044: Added library branch to SCO OPAC message
Sam Lau [Thu, 6 Jun 2024 14:29:54 +0000 (14:29 +0000)]
Bug 37044: Added library branch to SCO OPAC message

This patch simply adds the correct branch at the end of an OPAC message on the SCO page.

To Test:
1) From the staff interface, click on a patron and add an OPAC message
   to their account.
2) Log into the SCO with this patron.
   (http://localhost:8080/cgi-bin/koha/sco/sco-main.pl)
3) Notice how in the "Messages for you" at the top, you will see the
   message, however, at the timestamp, it says something like "Written
   on 06/06/2024 by " w/o listing the library that sent it.
4) Apply patch
5) Log back into SCO module
6) Note that now in the message timestamp, it correctly lists the
   library that sent the message.
7) Sign-off

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 4801037abe0f8d294eb03503c2b5a275ed06f62a)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit da490f117af20f4307d2c62e01bc1db7bc0b7695)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit b70ac8205a89154565302d76e308b440c060f328)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2 months agoBug 37198: Improve GetPreparedLetter documentation
Martin Renvoize [Wed, 26 Jun 2024 14:24:01 +0000 (15:24 +0100)]
Bug 37198: Improve GetPreparedLetter documentation

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 149412cb62a074ccdef1e1c2bbbd2bee35c48498)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 84814bbef33ac9c04b12cb3f063b2a11cfd0b2ce)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 021191bfb65bfc174f0385891d0e6ebab0106ca3)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2 months agoBug 35240: Add missing IDs to input
Eric Garcia [Tue, 25 Jun 2024 17:18:13 +0000 (17:18 +0000)]
Bug 35240: Add missing IDs to input

1. Tools -> Rotating collections -> Edit collection
2. Use browser dev tools to notice that the inputs don't have matching
   IDs
3. Apply patch
4. Do step 2 again and notice IDs are no longer missing.
5. Sign off :)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 21a66bf17c867734271e57c9f06b0b3e619d9ff0)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 27cbe1d0cf85a79ac57505452189d025f5841437)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 87a5eb7f17abf5b9c413f27303cba9ed92b0187e)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2 months agoBug 34444: [22.11.x] Correct handling of sort1 and sort2 values
Nick Clemens [Wed, 8 May 2024 13:22:58 +0000 (13:22 +0000)]
Bug 34444: [22.11.x] Correct handling of sort1 and sort2 values

Removed extraneous sort_1 data elements
Update selectors to use field names for statistics field
Updated code to set the value after finding the correct selector

To test:
* Make sure you have at least 2 funds with different stat settings, using AV and not
* Create a basket with an order line
* Close it and receive shipment
* Create an invoice and receive the order line
* Finish receiving

* Click "Modify fund"
* Switch fund, verify the stat fields are updated accordingly
* Change values for statistical values
* Update fund
* Edit fund again, pull downs are correct
* Change values in form and close, do not update
* Click 'Modify fund' - confrim form is filled with the saved values

Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 5ce0e962d742139110bf3c8b286ad07a70ec55d4)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2 months agoBug 25387: (follow-up) Slightly change wording of alert
Katrin Fischer [Thu, 27 Jun 2024 07:03:20 +0000 (07:03 +0000)]
Bug 25387: (follow-up) Slightly change wording of alert

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 1004d47d0093bd5a7547fb7d943837df895ae3eb)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 3dc5bd07d50bb3ab892407888a4b6e28e8519df4)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit a6242f8165d3b7d9b8eb677ed0aa05368ec0d8cc)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2 months agoBug 25387: (QA follow-up) Tidy
Nick Clemens [Tue, 25 Jun 2024 21:12:39 +0000 (21:12 +0000)]
Bug 25387: (QA follow-up) Tidy

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 4c677600f2a3f8b019d54676dcd95faac1784532)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 39449c76c46325391e20a169d595094554c8c4a8)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit b084bd374cdb22c5e381c296dc9363a88b35ed17)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2 months agoBug 25387: Warn when merging different authority types
Marion Durand [Wed, 6 Oct 2021 12:49:58 +0000 (14:49 +0200)]
Bug 25387: Warn when merging different authority types

Merging two different authorities types can result in the loss of some
field. This patch adds a warning when merging different type of
authorities and add more display of authorities types during merge.

To test:
1- Find two authorities you what to merge. Be sure that these
authorities have different type
2- Search for these authorities (be sure to have both results on the
results page)
3- For the first authority click on "Actions" then on "Merge", same for
the second one
4- Check that koha is asking you to choose a framework and that
authority types are not displayed
5- Choose a framework, then click on next
6- Check that the authority type is not displayed in the tabs and that
no warning appear
7- Apply the patch
8- Repeat step 1 to 3 again
9- Check that authority type is now displayed next to their ID
10- Repeate setp 5 again
11- Check that the authority types is now displayed in the tabs next to
their ID and that a warning appear

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit b2ae5380b0741e1d2277a58f264df88f243ecadb)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 8e7ea9baafcba3e02a4c13ba707b4f45abf5c695)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 7ea807117eef9b7cfd83036cfe9e66c21e5c6273)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2 months agoBug 37003: (follow-up) Amend 22.11 RMaint
Martin Renvoize [Tue, 25 Jun 2024 13:14:46 +0000 (14:14 +0100)]
Bug 37003: (follow-up) Amend 22.11 RMaint

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 16e35d5f107031e9573f5f565dedfb428b9c5696)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 5e69aef19d71c62681a5ebeeab6a0df2fb14fa4e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit d7eee5de10341cc359b2aa36bac1d153bbc87d7c)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2 months agoBug 37003: Add the 24.11 release team
Martin Renvoize [Thu, 6 Jun 2024 10:27:33 +0000 (11:27 +0100)]
Bug 37003: Add the 24.11 release team

This patch updates the teams.yaml to include the voted in 24.11
release team.

Test plan
1/ Check against https://wiki.koha-community.org/wiki/Release_Teams

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit a2ebd5ad2833a84c67ecf8dbbd8820065013f2e9)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit a7b870fdfd0245e5b572d94ab11f377d2c26fe5b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 73dd7b3de16e814fd0ea56bb6b972b939c307c7f)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2 months agoBug 30493: (QA follow-up) Fix for the only_my_library case as well
Emily Lamancusa [Fri, 14 Jun 2024 19:10:24 +0000 (15:10 -0400)]
Bug 30493: (QA follow-up) Fix for the only_my_library case as well

Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 94e1d8ed0c4742f48d23dc0241c0d04f058ee316)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit bcb520d69e4e65e5278fc8c57d04817d8b816db7)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit ba0ea9cd26e6914c10f5a4b0a57ffafb448f3b05)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2 months agoBug 30493: Pending archived suggestions appear on intranet home page
Baptiste Wojtkowski [Thu, 13 Jun 2024 13:36:18 +0000 (15:36 +0200)]
Bug 30493: Pending archived suggestions appear on intranet home page

If suggestions are archived before their status is changed to something other than "Pending", they still appear on the intranet home page and the acquisitions home page as suggestions to be managed.

WITHOUT PATCH:
1. Go to Acquisitions > Suggestions
2. Click on New purchase suggestion
3. Fill in the form (title only is fine)
4. Click on Submit your suggestion
5. Go to the home page (click the Koha logo)
   --> Notice it says that there is 1 pending suggestion
6. Go to Acquisitions
   --> Notice it says that there is 1 pending suggestion
7. Go to Suggestions
8. Click on the up arrow to the right of the Edit button and choose Archive
   --> There are no more pending suggestions
9. Go to the home page (click the Koha logo)
   --> Notice it says that there is 1 pending suggestion
10. Go to Acquisitions
   --> Notice it says that there is 1 pending suggestion

The search function was fetching suggestions without considering the
"archived" field. I now pick only suggestion that are pending AND not
archived.

WITH PATCH:
9. Go to the home page (click the Koha logo)
   --> Notice it says that there is no pending suggestion
10. Go to Acquisitions
   --> Notice it says that there is no pending suggestion

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e87f4cd550e60d7955551abf44f4dd9c1fd332d5)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 5db98bbd65bc0498bbb916c148076b258e5135ad)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 619db47e3fe3b590f85643840e49770acf2f7149)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2 months agoBug 35294: Fix typos in catalogue code comments
Brendan Lawlor [Thu, 6 Jun 2024 13:14:43 +0000 (13:14 +0000)]
Bug 35294: Fix typos in catalogue code comments

Test plan:
1. git grep -n -E 'barocode|preproccess' to find the files and line # of typos
2. Apply the patch
3. git grep -E 'barocode|proccess'
4. See no results

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit e8ef0f9417588345d6c9f7e2e5986e4e53986f52)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 96097d8058f6de34036fc4b26dec83c485ed08d9)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit e471583547d42555f73ed2013ebe2883460ef460)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2 months agoBug 36930: Item search gives irrelevant results when using 2+ added filter criteria
Janusz Kaczmarek [Wed, 22 May 2024 21:08:35 +0000 (21:08 +0000)]
Bug 36930: Item search gives irrelevant results when using 2+ added filter criteria

In the Item search the librarian is allowed, in the first step, to define
additional filters like Title, Author, Publisher, Publication date etc.
(in the third fieldset).  This works fine but only for one criterion.
If one adds two or more criteria, the filter does not apply at all.

Test plan
=========
1. Make an Item search with the Pulblisher filter. Put
   %University of California% as the value.
   You should get 5 rows (with standard ktd test data set), three
   from 1982, and two from 1988.
2. Edit search -> add the second criterion: AND Publication date is 1982.
   You would expect three rows but you get 900+ rows.
3. Apply the patch; restart_all.
4. Repeat p. 2. You should get the expected three rows.

Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit bdc7ac2c93f9af9ac196c77da47758a1078c47d7)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit dca760d5b24428143a0e0de7b52c131c813488fc)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit fc8c2ac8c1c8cf01d43d7b7363cb53237bd361bf)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2 months agoBug 36937: Remove warning from unit tests
Matt Blenkinsop [Thu, 23 May 2024 09:23:10 +0000 (09:23 +0000)]
Bug 36937: Remove warning from unit tests

This patch fixes a warning in the unit tests

Test plan:
1) prove t/db_dependent/api/v1/password_validation.t
2) There will be a warning in the output - 'Use of uninitialized value $status in numeric eq (==)'
3) Apply patch
4) Re-run the test
5) The warning will disappear

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 0af87f009f5e66ee82ea33767489ef4158820377)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2 months agoBug 30715: Terminology for the log viewer - use 'Staff interface' instead of 'Intranet'
David Nind [Mon, 3 Jun 2024 02:01:30 +0000 (02:01 +0000)]
Bug 30715: Terminology for the log viewer - use 'Staff interface' instead of 'Intranet'

The log viewer (Tools > Additional tools > Log viewer) uses
'Intranet' as:
- an option for filtering what log entries to display.
- a value in the log entries interface column, for log entries.

Koha's terminology guideline is to use 'Staff interface' instead of
'Interface' (https://wiki.koha-community.org/wiki/Terminology#I).

Test plan:
1. Perform some actions that will create log entries when using the
   staff interface. For example:
   1.1 Enable the UseRecalls system preference.
   1.2 Edit the title for a record.
   1.3 Add an item for a record.
2. Use the log viewer to view the logged changes:
   2.1 Go to Tools > Additional tools > Log viewer.
   2.2 Select Submit.
   2.3 Log entries are displayed for the changes made.
3. Note that:
   3.1 For the log viewer 'Interface' filter options, "All" is
       selected by default, and other options are Intranet, OPAC,
       SIP, Command-line, REST API, and Cron job.
   3.2 For the changes viewed in step 2, the value displayed in
       the 'Interface' column is 'Intranet'.
4. Apply the patch.
5. Refresh the page.
6. Note that:
   5.1 For the interface filter options, 'Intranet' is now changed
       to 'Staff interface'.
   5.2 In the list of log entries, the value in the interface column
       is now 'Staff interface'.
7. Sign off D:

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit ec8465eb1021537ca3f09d0db423e605acd868db)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
4 months agoFix version number in DBRev file v22.11.20-2
Katrin Fischer [Wed, 14 Aug 2024 13:21:57 +0000 (13:21 +0000)]
Fix version number in DBRev file

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
4 months agoUpdate release notes for 22.11.20 release
Katrin Fischer [Wed, 14 Aug 2024 06:24:33 +0000 (06:24 +0000)]
Update release notes for 22.11.20 release

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
4 months agoRevert "Bug 37255: Fix handling of "All" values on waiting hold cancellation policy"
Katrin Fischer [Wed, 14 Aug 2024 06:23:40 +0000 (08:23 +0200)]
Revert "Bug 37255: Fix handling of "All" values on waiting hold cancellation policy"

This reverts commit 3f75367a31e128137eaddf289760711f181007b8.

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
4 months agoUpdate release notes for 22.11.20 release v22.11.20
Tomas Cohen Arazi [Tue, 13 Aug 2024 14:53:49 +0000 (11:53 -0300)]
Update release notes for 22.11.20 release

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
4 months agoIncrement version for 22.11.20 release
Tomas Cohen Arazi [Tue, 13 Aug 2024 14:49:44 +0000 (11:49 -0300)]
Increment version for 22.11.20 release

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
4 months agoBug 37508: (QA follow-up) Move sth error check up
Tomas Cohen Arazi [Tue, 13 Aug 2024 04:08:44 +0000 (01:08 -0300)]
Bug 37508: (QA follow-up) Move sth error check up

This patch moves the error check right before the ->check_columns call.
This is how main and 24.05 behave. 23.11 doesn't have bug 35907
backported so things are not exactly the same. With this patch tests
pass and the only difference in behavior is logging.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
4 months agoBug 37508: Don't return Internal server error when running report
Nick Clemens [Mon, 12 Aug 2024 12:10:12 +0000 (12:10 +0000)]
Bug 37508: Don't return Internal server error when running report

To test:
1 - Create a report like:
SELECT "a"
FROM borrowers
WHERE <<Test>> != ''
2 - Run report
3 - Enter "password"
4 - Internal server error / stacktrace
5 - Apply patch
6 - Repeat
7 - Get a yellow warning box

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
4 months agoBug 37508: (QA follow-up) Use ->check_columns
Marcel de Rooy [Fri, 9 Aug 2024 09:56:11 +0000 (09:56 +0000)]
Bug 37508: (QA follow-up) Use ->check_columns

Add shebang to Guided.t too.

Test plan:
See also previous commits.
Try sql like:
  select access_token from oauth_access_tokens

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
4 months agoBug 37508: (QA follow-up) Move check to Koha::Report, extend
Marcel de Rooy [Fri, 9 Aug 2024 09:50:44 +0000 (09:50 +0000)]
Bug 37508: (QA follow-up) Move check to Koha::Report, extend

Do not allow password but allow password_expiry_days etc.
Do not allow token, secret and uuid too.

Test plan:
Run t/db_dependent/Koha/Reports.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
4 months agoBug 37508: (follow-up) Don't pass the column or sql containing password
Aleisha Amohia [Thu, 8 Aug 2024 23:53:47 +0000 (23:53 +0000)]
Bug 37508: (follow-up) Don't pass the column or sql containing password

This patch replaces these variables with a non-translatable message.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
4 months agoBug 37508: (follow-up) Throw error is password is in SQL query at all
Aleisha Amohia [Wed, 7 Aug 2024 04:37:25 +0000 (04:37 +0000)]
Bug 37508: (follow-up) Throw error is password is in SQL query at all

Confirm tests pass t/db_dependent/Reports/Guided.t

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
4 months agoBug 37508: Test for errors when returning an aliased password column
David Cook [Wed, 7 Aug 2024 01:15:10 +0000 (01:15 +0000)]
Bug 37508: Test for errors when returning an aliased password column

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
4 months agoBug 37508: Throw error if password column is detected in SQL report
Aleisha Amohia [Mon, 29 Jul 2024 03:53:06 +0000 (03:53 +0000)]
Bug 37508: Throw error if password column is detected in SQL report

This enhancement prevents SQL queries from being run if they would return a password field from the database table.

To test:

1. Run tests and notice they fail t/db_dependent/Reports/Guided.t

2. Apply patch and restart services

3. Create a public report with an SQL report which would access a password column in a database table
4. Try to run the report. Notice you are met with an error and the results are not shown.
5. Access the JSON URL, you should not get the results and should be shown an error
6. Confirm tests pass t/db_dependent/Reports/Guided.t

Sponsored-by: Reserve Bank of New Zealand
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
4 months agoBug 37370: Return 400 if OpacExportOptions does not contain the passed format
Tomas Cohen Arazi [Tue, 16 Jul 2024 15:43:39 +0000 (12:43 -0300)]
Bug 37370: Return 400 if OpacExportOptions does not contain the passed format

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
4 months agoBug 37466: Add correct filter for sort_by in results.tt
David Cook [Thu, 25 Jul 2024 06:44:37 +0000 (06:44 +0000)]
Bug 37466: Add correct filter for sort_by in results.tt

This patch replaces the $raw filter with the correct uri filter
for the sort_by in results.tt

Test plan:
1. Apply patch
2. Go to /cgi-bin/koha/catalogue/search.pl?count=20&sort_by=popularity_dsc&idx=kw&q=1
3. Click on "Edit this search"
4. Note that the "Popularity (most to least)" Sort by option is selected
5. Go to /cgi-bin/koha/catalogue/search.pl?count=20&sort_by=popularity_dsc&idx=kw&q=24y24ty2498294t9824yt9y23
6. Click on "Edit this search"
7. Note that the "Popularity (most to least)" Sort by option is selected

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
4 months agoBug 37464: Validate "type" sent to barcode/svc
David Cook [Thu, 25 Jul 2024 06:56:18 +0000 (06:56 +0000)]
Bug 37464: Validate "type" sent to barcode/svc

This change validates the "type" sent to the barcode/svc. Without this
change, we pass the user input directly to GD::Barcode, which passes
the input into an eval{} block without any validation of its own.

Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=bad&barcode=123456
3. Note that a Code39 barcode is provided for an invalid type
4. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=Code39&barcode=123456
5. Note that a Code39 barcode is provided
6. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=UPCE&barcode=123456
7. Note that a non-Code39 barcode is provided (presumably UPCE)

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
4 months agoBug 37488: Validate paths in datalink.txt/idlink.txt files
David Cook [Fri, 26 Jul 2024 04:01:43 +0000 (04:01 +0000)]
Bug 37488: Validate paths in datalink.txt/idlink.txt files

This change validates the paths in datalink.txt/idlink.txt,
so that only images in the unpacked archive directory are allowed

Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Create a datalink.txt file with the following:
42,selfie.jpg
3. Create a jpeg at selfie.jpg
4. ZIP the datalink.txt and selfie.jpg files
5. Upload to the "Upload patron images" tool
(after enabling the "patronimages" system preference)
6. Note that the image uploads correctly

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
4 months agoBug 37323: Tidy
David Cook [Fri, 26 Jul 2024 03:27:22 +0000 (03:27 +0000)]
Bug 37323: Tidy

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
4 months agoBug 37323: Don't allow symlinks in link files in zip and validate filepaths
Chris Cormack [Thu, 18 Jul 2024 23:57:32 +0000 (23:57 +0000)]
Bug 37323: Don't allow symlinks in link files in zip and validate filepaths

Test plan:
0. Apply patch and restart/reload Koha
1. Test that uploading a patron image still works, in single file format and as a zip

Work as suggested

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
4 months agoBug 37323: Escape characters in patron image picture upload
Amit Gupta [Thu, 11 Jul 2024 17:43:06 +0000 (23:13 +0530)]
Bug 37323: Escape characters in patron image picture upload

To Test
1. Create a file name for example: test.zip`curl xxxxtesting.informaticsglobal.com`.zip
   where the domain is one you can watch the logs from.
2. Go to Tools and click on Upload patron images choose option zip file and upload the file.
3. Check /var/log/apache2/access.log and see the curl with the IP
   "xx.xxx.xx.xxx - - [11/Jul/2024:23:10:33 +0530] "GET / HTTP/1.1" 200 267 "-" "curl/7.68.0"
4. Apply the patch
5. Repeat 2 and 3 step and check no error is coming for the Remote execution error.
6. Test uploading actual zip file and images still works.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
4 months agoBug 37255: Fix handling of "All" values on waiting hold cancellation policy
Emmi Takkinen [Thu, 4 Jul 2024 11:23:31 +0000 (14:23 +0300)]
Bug 37255: Fix handling of "All" values on waiting hold cancellation policy

If one creates a default waiting hold cancellation policy with
patron categories set as "All" and itemtype set as "All", Koha
breaks on 500 error. This happens because in we try to match
template policy with "All" values either in category or itemtype
with *, not undef. This patch fixes this.

To test:
1. Create a new default waiting hold cancellation policy and
set both patron category and itemtype as "All".
2. Save policy.
=> Error page for error 500 is displayed.
3. Apply this patch.
4. Reload page.
=> Page is displayed and policy listing displays new policy
as it should.

Sponsored-by: Koha-Suomi Oy
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
4 months agoUpdate release notes for 22.11.19 release v22.11.19
Frédéric Demians [Fri, 26 Jul 2024 07:00:25 +0000 (09:00 +0200)]
Update release notes for 22.11.19 release

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
4 months agoIncrement version for 22.11.19
Frédéric Demians [Fri, 26 Jul 2024 06:50:47 +0000 (08:50 +0200)]
Increment version for 22.11.19

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
4 months agoMerge branch '22.11.x' into 22.11.x-security
Frédéric Demians [Fri, 26 Jul 2024 06:48:54 +0000 (08:48 +0200)]
Merge branch '22.11.x' into 22.11.x-security

4 months agoBug 37210: Properly escape SQL query parameters by using bind values
Julian Maurice [Tue, 2 Jul 2024 14:32:32 +0000 (16:32 +0200)]
Bug 37210: Properly escape SQL query parameters by using bind values

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit 72bda28e4d3f9963131e667ff92aa8b8382cccd7)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
4 months agoBug 37210: Escape single quote in search string in overdue.pl
Hammat Wele [Thu, 27 Jun 2024 14:09:04 +0000 (14:09 +0000)]
Bug 37210: Escape single quote in search string in overdue.pl

To Test:
1. Go to /cgi-bin/koha/circ/overdue.pl
2. In the «Name or card number» field, type «Tommy'and(select(0)from(select(sleep(10)))v)and'»
3. Apply the filter
   ==> It takes 10 seconds, sleep(10) is executed
4. Inspect the page, in «Patron category:» field, put «Tommy'and(select(0)from(select(sleep(10)))v)and'» in one of his option's value
5. select the option from the filter and Apply the filter
   ==> It takes 10 seconds, sleep(10) is executed
we can inject SQL to the followin field : borname, itemtype, borcat, holdingbranch, homebranch and branch
6. Apply the patch
7. Repeat step 1,2,3
   ==> it doesn't take 10 seconds, the injected sql is not executed
8. Repeat step 5
==> it doesn't take 10 seconds, the injected sql is not executed
9. Repeat step 5 with the followin field : itemtype, holdingbranch, homebranch and branch
   ==> it doesn't take 10 seconds, the injected sql is not executed

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit a4a7ed7a151582eff2a46ee1e8f85d4533f69def)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
4 months agoBug 37018: Add 400 response definition to all routes
Tomas Cohen Arazi [Mon, 8 Jul 2024 20:21:25 +0000 (17:21 -0300)]
Bug 37018: Add 400 response definition to all routes

This patch adds a test for well defined 400 responses on all verbs and
paths on the API spec.

The tests verify:

* Presence of 400 response definition
* The description must start with 'Bad request' (needs coding guideline)
* If DBIC queries are allowed on the route, then `invalid_query` needs
  to be mentioned in the description.

All routes get fixed to make the tests pass.

To test:
1. Apply this patch
2. Run:
   $ ktd --shell
  k$ yarn api:bundle
  k$ prove xt/api.t
=> SUCCESS: Tests pass!

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
4 months agoBug 37018: Clarify operators
Martin Renvoize [Wed, 10 Jul 2024 08:39:33 +0000 (09:39 +0100)]
Bug 37018: Clarify operators

This patch clarifies the list of operators both in the validate routine
and in the swagger descrption block where we document this feature for
the end user.

JD amended patch: tidy

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 534e7bf44a3667046793c07a9f17a4bcc13a3b74)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
4 months agoBug 37018: Silence useless warning
Tomas Cohen Arazi [Mon, 8 Jul 2024 20:30:01 +0000 (17:30 -0300)]
Bug 37018: Silence useless warning

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit e1f52ff212f65d174604c6d180ab40ed16330883)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
4 months agoBug 37018: Handle exception in unhandled_exception() helper
Tomas Cohen Arazi [Mon, 8 Jul 2024 19:48:01 +0000 (16:48 -0300)]
Bug 37018: Handle exception in unhandled_exception() helper

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 58677f8e2e180342ce813506cb63bb81cb58804d)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
4 months agoBug 37018: (follow-up) adding some allowed operators
Hammat Wele [Wed, 3 Jul 2024 13:59:48 +0000 (13:59 +0000)]
Bug 37018: (follow-up) adding some allowed operators

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 5cb4c9c18f1e3d1894c84a4af2fdca03e3e0d69e)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
4 months agoBug 37018: Use validation in search_rs helper
Martin Renvoize [Wed, 5 Jun 2024 13:20:22 +0000 (14:20 +0100)]
Bug 37018: Use validation in search_rs helper

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit e75c94184f16fb556dab9dfbfb2f50f5f78bd91f)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
4 months agoBug 37018: Add validation method to Koha::REST::Plugin::Query.pm
Martin Renvoize [Wed, 5 Jun 2024 13:19:54 +0000 (14:19 +0100)]
Bug 37018: Add validation method to Koha::REST::Plugin::Query.pm

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 907510b076d0a5d9332d90041963d16e63decd81)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
4 months agoBug 37018: Add Koha::Exceptions::REST
Tomas Cohen Arazi [Mon, 8 Jul 2024 17:34:25 +0000 (14:34 -0300)]
Bug 37018: Add Koha::Exceptions::REST

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 8c63713497d86ac985734d18ea0acd86a4d45abf)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
4 months agoBug 37018: Unit tests
Martin Renvoize [Wed, 5 Jun 2024 13:19:06 +0000 (14:19 +0100)]
Bug 37018: Unit tests

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit f4cab95872351c01aa53e08fb2305ae587c03df7)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
4 months agoBug 37018: Regression tests
Tomas Cohen Arazi [Sat, 6 Jul 2024 13:32:07 +0000 (10:32 -0300)]
Bug 37018: Regression tests

This patch adds regression tests. With the current codebase, the
malicious query returns a 200. It should be caught and a 400 needs to be
returned.

To test:
1. Apply this patch
2. Run:
   $ ktd --shell
  k$ prove t/db_dependent/api/v1/query.t
=> FAIL: It returns a 200
3. Once the rest of the patches are ready, repeat 2
=> SUCCESS: It returns a 400

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 1fd94e90bcc74fe5f312ec0bf69850f96e4789ba)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
4 months agoBug 37247: Fix display of "closed"
Jonathan Druart [Fri, 5 Jul 2024 12:47:42 +0000 (14:47 +0200)]
Bug 37247: Fix display of "closed"

The subscription was not shown as closed after we closed it.
This is because "closed" is not passed to the template.
It seems more reliable to rely on the subscription object (that is passed to both
serials/serials-collection.tt and serials/subscription-detail.tt, the
others are not showing the Reopen/Close buttons)

Also fetch the subscription object after and reopen/close it to display
accurate values.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 3cf17aa16f70e978f654345274972b65ca7b6164)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
4 months agoBug 37247: Fix subscriptions operation allowed without authentication
Fridolin Somers [Thu, 4 Jul 2024 14:18:17 +0000 (16:18 +0200)]
Bug 37247: Fix subscriptions operation allowed without authentication

Move close and reopen after get_template_and_user().
Also move Koha::Subscriptions->find(), not a good idea to run DB queries
before authentication.

Test plan :
1) Apply patch
2) Authenticate to staff interface
3) Go to an existing open subscription
4) Open a new browser tab and use it to log-out
5) Go to first tab and click on 'Close'
6) You get login page
7) Authenticate
8) Check subscription is not closed
9) Check you can close and reopen subscription

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 42c2dd78ef52ec00afd6307ef179c491615c7085)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
4 months agoBug 37146: Add tests
Jonathan Druart [Thu, 11 Jul 2024 09:40:35 +0000 (11:40 +0200)]
Bug 37146: Add tests

(cherry picked from commit 73e62a38f9c20f5ce1ab342940407d4969d5ba93)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
4 months agoBug 37146: Prevent path traversal by validating input
David Cook [Fri, 21 Jun 2024 01:45:51 +0000 (01:45 +0000)]
Bug 37146: Prevent path traversal by validating input

This patch validates the plugin_name passed to plugin_launcher.pl
against the base path containing the "value_builder" directory.

Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber=29
3. Check that the tag editor for leader still works
4. Go to http://localhost:8081/cgi-bin/koha/cataloguing/additem.pl?biblionumber=29
5. Check that the pluginf or "Date acquired" still works

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
(cherry picked from commit 4e9644238ff04d06e4e6dc980fcc8ad1a85a88ea)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
6 months agoUpdate release notes for 22.11.18 release v22.11.18
Frédéric Demians [Tue, 18 Jun 2024 15:18:59 +0000 (17:18 +0200)]
Update release notes for 22.11.18 release

6 months agoIncrement version for 22.11.18 release
Frédéric Demians [Tue, 18 Jun 2024 14:35:39 +0000 (16:35 +0200)]
Increment version for 22.11.18 release

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
6 months agoBug 36818: Escape characters in file names uploaded
Chris Cormack [Wed, 8 May 2024 22:41:43 +0000 (22:41 +0000)]
Bug 36818: Escape characters in file names uploaded

To test:
1/ create a file named something like 'execute`curl blog.bigballofwax.co.nz`.zip'
   Where the domain is one you can watch the logs from
2/ Upload this file as a cover image
3/ Check /var/lib/koha/sitename/tmp/koha_sitename/ and see unescaped filenames
4/ Choose process, check the logs of the webserver see the connection has been made
5/ Apply the patch
5/ Repeat 2 & 3 and see the filename is now escaped
6/ Choose process and check no errors but no no remote execution occurs
7/ Test uploading actual zip file and images still works

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 14bdaae3f257a321f8ec0d32c6b1e9bc6ed6033d)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
6 months agoBug 36520: Sanitize input in opac-sendbasket.pl
Chris Cormack [Mon, 13 May 2024 02:26:13 +0000 (02:26 +0000)]
Bug 36520: Sanitize input in opac-sendbasket.pl

To test
1/ Add some items to your cart in the opac
2/ Choose send cart
3/ Open firefox developer tools and switch to the network tab
4/ Send cart
5/ In the network tab, find the post request and choose copy as curl
6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+-  to the bib_list parameter
7/ Run the curl notice it takes a long time to respond, if you want to check run the curl without the above part added
8/ Apply the patch and restart plack
9/ Run the modified curl and notice no longer the slow down
10/ Test in browser and make sure the basket is still sent

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit 2f3f42ba98b698871bc473d65a14b5e89d0ae86c)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
6 months agoBug 36520: Prevent SQL injection in GetPreparedLetter
Jonathan Druart [Mon, 13 May 2024 12:47:28 +0000 (14:47 +0200)]
Bug 36520: Prevent SQL injection in GetPreparedLetter

Actually in _get_tt_params

The following query will delay the response

SELECT `me`.`biblionumber`, `me`.`frameworkcode`, `me`.`author`, `me`.`title`, `me`.`medium`, `me`.`subtitle`, `me`.`part_number`, `me`.`part_name`, `me`.`unititle`, `me`.`notes`, `me`.`serial`, `me`.`seriestitle`
, `me`.`copyrightdate`, `me`.`timestamp`, `me`.`datecreated`, `me`.`abstract`
  FROM `biblio` `me`
WHERE `biblionumber` = '1) AND (SELECT 1 FROM (SELECT(SLEEP(6)))x)-- -'
ORDER BY field( biblionumber, 1 ) AND (
    SELECT 1
      FROM
    SELECT SLEEP( 6 ) x
   ) -- - )

To test
1/ Add some items to your cart in the opac
2/ Choose send cart
3/ Open firefox developer tools and switch to the network tab
4/ Send cart
5/ In the network tab, find the post request and choose copy as curl
6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+-  to the bib_list parameter
7/ Run the curl notice it takes a long time to respond, if you want to check run the curl without the above part added
8/ Apply the patch and restart plack
9/ Run the modified curl and notice no longer the slow down
10/ Test in browser and make sure the basket is still sent

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit 0b3c98b0ba01ea5c886ecfe8eef174b5b7c6ec25)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
6 months agoBug 36520: Add tests
Jonathan Druart [Wed, 15 May 2024 09:25:47 +0000 (11:25 +0200)]
Bug 36520: Add tests

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit ebbab1b398a97ecc884d4cbf22d5bd4239e014cb)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
6 months agoBug 36575: (QA follow-up) Shibboleth POD and checkpw_internal call
Marcel de Rooy [Tue, 30 Apr 2024 14:39:36 +0000 (14:39 +0000)]
Bug 36575: (QA follow-up) Shibboleth POD and checkpw_internal call

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit 4cafd512cd31701fa3ee2a19abc4de4488b91e69)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
6 months agoBug 36575: Adjust checkpw_internal to return patron
Nick Clemens [Wed, 24 Apr 2024 15:06:22 +0000 (15:06 +0000)]
Bug 36575: Adjust checkpw_internal to return patron

This patch refactors checkpw_internal to remove the SQL code, use patron ojbects, and return the
patron that correctly matches the userid/caerdnumber when auth is successful

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit fe78f06a50c41a7dbac24206e31bc5b1189ee185)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
6 months agoBug 36575: (bug 34893 follow-up) Return patron when autocreating in Shibboleth
Nick Clemens [Wed, 24 Apr 2024 14:25:40 +0000 (14:25 +0000)]
Bug 36575: (bug 34893 follow-up) Return patron when autocreating in Shibboleth

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit f6fe24bdd8f72cdf09111a93d0ca0a114b5ee570)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
6 months agoBug 36575: (bug 34893 follow-up) Return patron from LDAP
Nick Clemens [Wed, 24 Apr 2024 14:23:51 +0000 (14:23 +0000)]
Bug 36575: (bug 34893 follow-up) Return patron from LDAP

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit e6ce7aded6bc737fd98c2e94aba51abb4581afbb)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
6 months agoBug 36575: (QA follow-up)
Martin Renvoize [Thu, 11 Apr 2024 10:18:30 +0000 (12:18 +0200)]
Bug 36575: (QA follow-up)

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit fffc5600cad077e8b4d8d5211263f1935c5b07cd)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
6 months agoBug 36575: Return correct patron when there is a shared userid / cardnumber
Nick Clemens [Thu, 11 Apr 2024 09:39:03 +0000 (09:39 +0000)]
Bug 36575: Return correct patron when there is a shared userid / cardnumber

This patch moves some patron fetching code in C4/Auth to use to patron returned from the validation
methods and only try to fetch the patron (to check if locked, update attempts, etc) if we didn't authenticate

To test:
1 - Set a user to have userid = BANANA password = Password1
2 - Set a user to have cardnumber = BANANA password = Password2
3 - Hit the patron authentication API:
    http://localhost:8080/api/v1/auth/password/validation
    with data:
    { "identifier": "BANANA", "password":"Password1" }
    and:
    { "identifier": "BANANA", "password":"Password2" }
4 - Note you receive the same response for both
5 - Apply patch, restart all
6 - Repeat the API and confirm you get the correct patron for the password submitted

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
6 months agoRevert "Bug 36532: Protect opac-dismiss-message.pl from malicious usages"
Frédéric Demians [Thu, 23 May 2024 06:43:42 +0000 (06:43 +0000)]
Revert "Bug 36532: Protect opac-dismiss-message.pl from malicious usages"

This reverts commit 2278d229e899cd279f62addd8275365718ad8cbb.

7 months agoUpdate release notes for 22.11.17 release v22.11.17
Frédéric Demians [Fri, 10 May 2024 08:08:17 +0000 (08:08 +0000)]
Update release notes for 22.11.17 release

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
7 months agoIncrement version for 22.11.17 release
Frédéric Demians [Fri, 10 May 2024 08:01:14 +0000 (08:01 +0000)]
Increment version for 22.11.17 release

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
7 months agoBug 36149: Add userenv middleware to app.psgi
Julian Maurice [Tue, 9 Apr 2024 12:45:39 +0000 (14:45 +0200)]
Bug 36149: Add userenv middleware to app.psgi

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 5cca1bdcd67a1a8fc8b0bb2aa6c666cccdb49fbb)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 57b1c90e19e913e86e66fb1aa295950cba91985f)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
7 months agoBug 36149: (follow-up) POD and tidy
Nick Clemens [Fri, 29 Mar 2024 18:09:30 +0000 (18:09 +0000)]
Bug 36149: (follow-up) POD and tidy

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 31943a5781aaaa9803ca87247eb7a663fb999fc5)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 0534259c2cbdbb9d6e0ad56535d0c000eea3a629)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
7 months agoBug 36149: Unset userenv from middleware
Jonathan Druart [Fri, 8 Mar 2024 15:06:11 +0000 (16:06 +0100)]
Bug 36149: Unset userenv from middleware

The userenv (logged in user's info) are stored in
$C4::Context->context->{activeuser}, which persists in plack worker's
memory.
It's really bad in theory as we are not cleaning it before or after the
HTTP request, but only when set_userenv is called (what we are doing
commonly in C4::Auth::get_template_and_user).
If C4::Context->userenv is called before set_userenv we should get undef,
not the userenv from the previous request!
In practice this should not be a problem, but well... who really knows?

This patch suggests to have a middleware to deal with removing the
userenv at the beginning of each request (maybe it should be after, right? - FIXME).

To test:
1 - Edit /etc/koha/sites/kohadev/koha-conf.xml to set <plack_workers>1</plack_workers>
2 - Edit about.pl  and add a line after: CGI->new:
    warn Data::Dumper::Dumper( C4::Cointext->userenv() );
3 - tail -f /var/log/koha/kohadev/*.log
4 - View about.pl in staff interface, should get a "somethign's wrong" warning
5 - Reload, you get current user info
6 - Open an incognito tab, sign in as a different user and click some stuff
7 - Reload about.pl in other window
8 - You get the opac user info
9 - Apply patch
10 - Edit /etc/koha/sites/kohadev/plack.psgi and add the middleware after "RealIP":
     enable "+Koha::Middleware::UserEnv";
11 - Restart all
12 - Reload about.pl - you get a "Something's wrong" warning
13 - Click things in opac on incognito window
14 - Reload about.pl  - only "Something's wrong" - you no longer see any user info

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 576e7e09fdca703f76c0d10ae55eebf12ee1fdf4)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 3dd1cdd74ff004d1d218366a377fc91d8ae4e21d)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
7 months agoBug 19613: Fix test for 22.11
Frédéric Demians [Wed, 24 Apr 2024 10:40:09 +0000 (10:40 +0000)]
Bug 19613: Fix test for 22.11

7 months agoBug 19613: Use the 'note' profile
Jonathan Druart [Wed, 20 Mar 2024 07:35:29 +0000 (08:35 +0100)]
Bug 19613: Use the 'note' profile

WNC amended patch: tidied

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit 3cb586b72165bcbd029948f46407359be9d5e9a8)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 55931114b62557dfbbe01e7bcf0cd150b5733262)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
7 months agoBug 19613: Scrub borrowers fields: borrowernotes opacnote
Jonathan Druart [Fri, 15 Mar 2024 10:37:43 +0000 (11:37 +0100)]
Bug 19613: Scrub borrowers fields: borrowernotes opacnote

To prevent XSS

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit 83db8696ca7a83aba224a0ab645f03447a96887b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 383984a0164adabc79e91ad11e2e930f5e070ed9)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
7 months agoBug 36532: Protect opac-dismiss-message.pl from malicious usages
Jonathan Druart [Fri, 5 Apr 2024 06:58:06 +0000 (08:58 +0200)]
Bug 36532: Protect opac-dismiss-message.pl from malicious usages

Really bad design, NEVER retrieve the logged in user from the CGI
param!

See comment 1 for more info

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit c92d38a6c603278e0d253c6e29731380c017ebb7)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
8 months agoBug 36511: Some scripts missing a dependency following Bug 24879
Owen Leonard [Tue, 9 Apr 2024 15:55:57 +0000 (15:55 +0000)]
Bug 36511: Some scripts missing a dependency following Bug 24879

These files needed the addition of 'use C4::Auth qw( check_cookie_auth
);'.

To test, apply the patch and restart services.

- If necessary, enable the LocalCoverImages system preference.
- Open the browser console and then the "Network" tab. You can click
  "Images" to filter for the correct kind of request.
- Perform a catalog search. After the search has loaded, check that
  there are no 500 errors in the Network tab.

- Go to Cataloging -> Label creator.
- If necessary, create a label batch and add some items.
- Export your batch and test both the "Download as CSV" and "Download as
  XML" links. Both should trigger the correct download.

- Go to Serials -> Claims, and select a vendor with late issues.
- Select all late issues and click "Download selected claims" at the
  bottom of the page.
- Your CSV file should download correctly.

The file acqui/check_uniqueness.pl has been corrected as well but I'm
not sure how to test it!

Signed-off-by: danyonsewell <danyonsewell@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 747f5132311ea51ea6babbfc92a775ac0c67f93a)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 01b22fb71d30f56d3102837b5c9b4cfdacbc9e76)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 72cead50b49efaad6349cf653b970e6f5b610475)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
8 months agoMerge remote-tracking branch 'security/22.11.x-security' into 22.11.x
Frédéric Demians [Wed, 3 Apr 2024 13:32:56 +0000 (15:32 +0200)]
Merge remote-tracking branch 'security/22.11.x-security' into 22.11.x

8 months agoBug 34755: (Rmaint follow-up) Fix tests
Lucas Gass [Thu, 21 Mar 2024 13:42:03 +0000 (13:42 +0000)]
Bug 34755: (Rmaint follow-up) Fix tests

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit f1803c71460c8e5668366c319d52e683d274605b)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
8 months agoBug 34755: Backport Koha::Token change from bug 34478
David Cook [Mon, 4 Mar 2024 04:19:38 +0000 (04:19 +0000)]
Bug 34755: Backport Koha::Token change from bug 34478

This change includes the Koha::Token changes which uses
Koha::Session for generating and checking CSRF tokens.

0. Apply the patch and koha-plack --restart kohadev
1. Setup Keycloak OIDC SSO according to "Testing SSO"
wiki guide
2. In a regular window go to http://localhost:8080
3. In a private window go to http://localhost:8080 and click
the SSO "Log in with..." button, but don't log into Keycloak
4. In the regular window, login locally, and navigate to 5-6 pages
5. In the private window, log into Keycloak
6. Note that you are redirected back to Koha and logged in
successfully (no wrong_csrf_token error).

Signed-off-by: Olivier Hubert <olivier.hubert@inlibro.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 46c0419a11d56b078f1f8528e51bf1a78bd284e6)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 19f79fa6064664a69597b0b330dca9c538b816bf)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
8 months agoBug 36098: Default to 'file' if pref does not exist
Jonathan Druart [Wed, 21 Feb 2024 08:42:16 +0000 (09:42 +0100)]
Bug 36098: Default to 'file' if pref does not exist

During the installer process there is a bunch of warnings
  "Use of uninitialized value $storage_method in string eq at"

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit e2440f2c617c48d77cc416857937b6fb18c34208)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit a42bce58b21c32868057dc0a45dde7580efae8f9)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 922928eb7def8016abdcb4a8b8396858421b9f71)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
8 months agoBug 36098: (follow-up) extend test to check driver
David Cook [Thu, 15 Feb 2024 23:07:02 +0000 (23:07 +0000)]
Bug 36098: (follow-up) extend test to check driver

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit c42ede262a24503c1f350a8d2639a391b86278bf)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 973b3ce069023ca6d06b29de8bdd0cd51736f2e6)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 95b21601296f3dd46419b92f7d5913189e44a9f4)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
8 months agoBug 36098: Fix storage_method pass
David Cook [Thu, 15 Feb 2024 22:49:19 +0000 (22:49 +0000)]
Bug 36098: Fix storage_method pass

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 5572567143c10b424765149bd97c2aa99d577132)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 941f34626a0720afd2c00bb4990b9eac7bc9eda8)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 8914f906b4d5991e4c2814b4f1219d6abdd74fa2)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
8 months agoBug 36098: Allow to pass storage_method
Jonathan Druart [Thu, 15 Feb 2024 13:05:21 +0000 (14:05 +0100)]
Bug 36098: Allow to pass storage_method

Will need this on follow-up bugs.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 56d8ac247698f8755a8215245dffd000877d76e7)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit be03ca910f714e8991ff8e2e0163f3c0f9de2b08)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit ac8c0a8a4a0c1050ea23b283ebdd9d616bc187ef)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
8 months agoBug 36098: (QA follow-up) Add POD to Koha::Session
Martin Renvoize [Thu, 15 Feb 2024 11:53:02 +0000 (11:53 +0000)]
Bug 36098: (QA follow-up) Add POD to Koha::Session

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 09de3f820b5333e3f23f149f6b8c101d24ba15ed)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 0ff685f2289ea4e2c7aa1414f8e2e286fd8d6c84)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 96dc7d77c0ce1951a13de465ef837daaeadeebf6)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
8 months agoBug 36098: Add Koha::Session module to ease session handling
David Cook [Thu, 15 Feb 2024 02:49:18 +0000 (02:49 +0000)]
Bug 36098: Add Koha::Session module to ease session handling

This patch adds a Koha::Session module that makes it easier
to work with Koha sessions without needing the full C4::Auth module.

Test plan:
0. Apply the patch
1. Run the following unit tests:
prove ./t/db_dependent/Auth.t
prove ./t/db_dependent/Auth_with_cas.t
prove ./t/db_dependent/Koha/Session.t
2. Observe that they all pass

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 0e6537d199fe49a9e91e1c75f9462ddf1c878fed)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit f927343a88ade7cf3fe860b60c41057e6ff39692)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit e19e066b4aa5635e0b53d3351d6c92c68cf20b97)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
8 months agoBug 24879: (follow-up) Fix test suite v22.11.16-1
Fridolin Somers [Wed, 27 Mar 2024 09:20:03 +0000 (10:20 +0100)]
Bug 24879: (follow-up) Fix test suite

Running cataloguing pluings (in cataloguing/value_builder) now requires
authentification.

This patch adds in failing unit tests a mock of C4::Auth::check_cookie_auth

Test with:
prove t/db_dependent/FrameworkPlugin.t t/db_dependent/Koha/UI/Form/Builder/Biblio.t t/db_dependent/Koha/UI/Form/Builder/Item.t t/db_dependent/Serials.t

(cherry picked from commit f8a23b8ef46aea60eda9211a3e89af85d650ac26)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
suite

8 months agoBug 36176: Exclude misc/releases_notes/*
Lucas Gass [Tue, 26 Mar 2024 20:32:15 +0000 (20:32 +0000)]
Bug 36176: Exclude misc/releases_notes/*

(cherry picked from commit 93a68d2068264bbaad070f178182de638147c0a6)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
8 months agoBug 34943: (QA follow-up) Use `before_biblio_action` and an `action` param
Tomas Cohen Arazi [Mon, 11 Mar 2024 17:33:25 +0000 (14:33 -0300)]
Bug 34943: (QA follow-up) Use `before_biblio_action` and an `action` param

This patch harmonizes the hook name and parameters with the rest of the
codebase.

To test:
1. Apply this patch
2. Run:
   $ ktd --shell
  k$ qa
=> SUCCESS: All looks green, and tests still pass (i.e. they were
correctly adjusted to the new schema).
3. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 353f510c146cfcffc0bb488a8411755f111e5711)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
8 months agoBug 34943: Implement `before_biblio_metadata_store` plugin hook
Tomas Cohen Arazi [Fri, 8 Dec 2023 20:24:35 +0000 (17:24 -0300)]
Bug 34943: Implement `before_biblio_metadata_store` plugin hook

This patch implements a hook allowing record modification right before
they are written on the DB. The idea is that a plugin could be used to
add machine-generated fields/subfields.

To test:
1. Apply the unit tests patch
2. Run:
   $ ktd --shell
  k$ prove t/db_dependent/Koha/Plugins/Biblio_and_Items_plugin_hooks.t
=> FAIL: Tests fail! The hook is not implemented so the desired results
don't appear (added fields/subfields).
3. Apply this patch
4. Repeat 2
=> SUCCESS: It works!
5. Run:
  k$ qa -c 2
=> SUCCESS: All green!
6. Sign off :-D

Sponsored-by: Theke Solutions
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e78b7bdbe5c10e3d4a568a4560b28e46ab71a02f)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
8 months agoBug 34943: Unit tests
Tomas Cohen Arazi [Fri, 8 Dec 2023 20:23:44 +0000 (17:23 -0300)]
Bug 34943: Unit tests

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit ddb2ab7a9fb7e91e10301158fe68d3dfdfae5fcc)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
8 months agoUpdate release notes for 22.11.16 release v22.11.16
Frédéric Demians [Mon, 25 Mar 2024 11:04:54 +0000 (11:04 +0000)]
Update release notes for 22.11.16 release

8 months agoIncrement version for 22.11.16 release
Frédéric Demians [Mon, 25 Mar 2024 10:50:48 +0000 (10:50 +0000)]
Increment version for 22.11.16 release

8 months agoBug 36244: DBRev 22.11.15.001
Frédéric Demians [Mon, 25 Mar 2024 10:47:59 +0000 (10:47 +0000)]
Bug 36244: DBRev 22.11.15.001