Jonathan Druart [Wed, 24 Jun 2015 09:03:22 +0000 (11:03 +0200)]
Bug 14440: get_template_and_user can not have an empty template_name (quote*_ajax.pl)
This patch uses check_api_auth instead of get_template_and_user.
Test plan:
Confirm that you are still able to access to the quote editor with the
edit_quotes permission.
Confirm that you are not if you don't have the permission.
wget your_url/cgi-bin/koha/tools/quotes/quotes_ajax.pl
should return "403 : Forbidden."
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Fridolin Somers [Tue, 23 Jun 2015 15:45:30 +0000 (17:45 +0200)]
Bug 14440: get_template_and_user can not have an empty template_name (opac-ratings.pl)
Since Bug 14408, the method get_template_and_user can not have an empty template_name.
Pages calling with an empty value should use C4::Auth::checkauth()
This patch corrects opac/opac-ratings.pl
Test plan :
- Apply patch
- Set syspref OpacStarRatings to 'results and details'
- Disable JavaScript on your browser (otherwise it will use ajax)
- Login at OPAC
- Go to a record
- Click on a button left of 'Rate me' to choose a rating, e.g. 4
- Click on 'Rate me'
=> The page is reloaded and you see 'your rating: 4'
- Log out from OPAC
- Try to access URL : http://<serveur>/cgi-bin/koha/opac-ratings.pl
=> You see the login page
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Fridolin Somers [Tue, 23 Jun 2015 14:45:21 +0000 (16:45 +0200)]
Bug 14440: get_template_and_user can not have an empty template_name (updatesupplier.pl)
Since Bug 14408, the method get_template_and_user can not have an empty template_name.
Pages calling with an empty value should use C4::Auth::checkauth()
This patch corrects acqui/updatesupplier.pl
Test plan :
- Apply patch
- Connect to intranet with a user having "vendors_manage" permission
- Go to acquisition module
- Create a new vendor
- Click on "Edit vendor"
- Change some information and save
=> Your change is saved
- Connect to intranet with a user not having "vendors_manage" permission
- Try to access <intranet>/cgi-bin/koha/acqui/updatesupplier.pl
=> Access is denied
- Disconnect from intranet
- Try to access <intranet>/cgi-bin/koha/acqui/updatesupplier.pl
=> Access is denied
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Katrin Fischer [Sun, 7 Jun 2015 21:45:10 +0000 (23:45 +0200)]
Bug 8686: Raise required version of URI::Escape to 3.31
Raises the minimum required version of URI::Escape from
1.36 to 3.31.
TEST PLAN
---------
1) git branch -b bug_8686 origin/master
2) ./koha_perl_deps.pl -a | grep URI
-- it will list 1.36 required
3) git bz apply 8686
4) ./koha_perl_deps.pl -a | grep URI
-- it will list 3.31 required
5) koha qa test tools
NOTE: Also default in Ubuntu 14.04 LTS,
not just Wheezy as noted in comment #15.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signoff based on Nicole's comment (bug 9990 comment 6):
"This stops happening if you upgrade URI::Escape to
3.31. We should make it clear in the Perl Modules page that an upgrade
is needed."
Signed-off-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Jonathan Druart [Thu, 16 Apr 2015 14:39:09 +0000 (16:39 +0200)]
Bug 10355: parameter 'object' lost on the road
Test plan:
1) Go to any detail page in staff
2) Click on the modification log tab
3) Verify that the object is prefilled with the record's biblionumber
and you can also see it as parameter in the url
4) Click a second time on modification log to reset your search
Before this patch, the object parameter was empty.
It now contains the value of the biblionumber.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Works as described, no koha-qa errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 0002126a2ab0ac38a8d3f144f446dc3ba69dab59)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Conflicts:
tools/viewlog.pl
Marcel de Rooy [Thu, 4 Jun 2015 10:03:42 +0000 (12:03 +0200)]
Bug 14329: Useless copy/pasta from Template::Plugin::HtmlToText
The synopsis of this TT plugin contains two example lines:
[% myhtml FILTER html2text(leftmargin => 0, rightmargin => 0) %]
[% myhtmltext | html2text %]
These lines have been copied (without too much thought :) to a few templates. Since we do not use the variables myhtml or myhtmltext in these templates, these lines are useless.
Test plan:
[1] Put some items in your cart. And send it.
[2] Send a shelf.
[3] Git grep on myhtml. Should not have results.
NOTE: Sent carts and lists in Intranet and OPAC successfully.
Though, this does bring into question why the letters
have HTML formatting if it is getting removed. That,
however, is beyond the scope of this bug.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Marcel de Rooy [Tue, 26 May 2015 12:52:07 +0000 (14:52 +0200)]
Bug 14276: Keep highlight on the active item in item editor
The highlight only works on even items.
This patch should resolve it.
Test plan:
Edit biblio with multiple items.
Verify that the highlight is visible on the selected item you edit.
And that there is no highlight for a new item.
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Bug 14173: Paging on 'recent comments' page in OPAC is not displaying correctly
This patch corrects the display of current page on
a multipage recent comments.
To test:
1) Enable OpacShowRecentComments
2) Add multiple comments to multiple records
I used a script to add multiple lines like
"insert into reviews values ($i, 51, $i, 'Comment $i', 1, '2015-06-01 00:00:00')"
to table reviews
3) On OPAC, go to 'Recent comments', verify the bug
4) Apply the patch
5) Reload and check correct display
Couldn't find the missing space near 'by' from the description.
Display is correct for me.
Followed test plan, displays as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
If an error occurs in patron batch modification, a message similar to the following is displayed:
Can not update patron with borrowernumber 7055
It would be useful to have the cardnumber as well.
This patch adds the card number to the list of errors.
It is not easy to trigger an error (see comments).
For testing, I tweaked the sub ModMember in C4/Members.pm to always return false.
TEST PLAN
---------
1) Log in as a superlibrarian and create a test user
2) Change the cardnumber to a number differing from the
borrower number.
3) Home -> Tools -> Batch patron modification
4) Type in the cardnumber of that test user
5) Check the Library checkbox.
6) Click Save
-- nice error, but it is borrower number instead of
the card number which was entered.
7) Apply the patch
8) Repeat steps 3-6
-- nice error, but it is now more informative.
9) run koha qa test tools.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 3b3f82de377c87f9108bf07dd0d293182e5b9bdc)
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Jonathan Druart [Tue, 26 May 2015 11:05:51 +0000 (13:05 +0200)]
Bug 14266: Trim the email address in the pl script
The original concern of bug 14266 was to provide a compatibility for
<IE9.
But actually we don't need to trim the email address template side.
It will be even better to trim it in the Perl script, so that the email
will be trimmed even if JS is disabled.
Test plan:
1/ Share a list and do not provide any email address
2/ Submit
=> The form is not submitted, no alert/message is displayed (same as
before this patch).
3/ Share a list and provide an email address with spaces before and
after
4/ Submit
=> You should receive the email
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Test output compliant with expected test plan outcome.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
David Cook [Mon, 25 May 2015 04:07:27 +0000 (14:07 +1000)]
Replace trim() with $.trim() in opac-shareshelf.tt
This patch replaces trim() with $.trim() which is supported
in versions of IE older than IE9.
Revised test plan
=================
Before applying patch:
0) Use IE 8 or Document Mode 8 in a newer IE using F12 Developer Tools
1) Set OpacAllowSharingPrivateLists to "Allow" in Global System Preferences
2) Create a private list in the OPAC
3) Add a record to the private list
4) Click "Share" or "Share list" on one of the list screens
5) Type in an email address and click "Send"
6) Note the error in the console log
7) The page should submit
Apply the patch:
7) Hold shift + refresh the browser to update any Javascript cache
8) Try to "Share" the list again
9) Note that the form submits after clicking "Send" and
that there are no errors in the console log
Kyle M Hall [Wed, 20 May 2015 15:31:18 +0000 (11:31 -0400)]
Bug 12066: New renew page in staff client doesn't record branch in statistics
Test Plan:
1) Apply this patch
2) Renew an item via circ/renew.pl
3) Note the branch code of your logged in library is set as the
branch in the generated statistic line
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Tested pre and post patch, now branch is saved
No errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Katrin Fischer [Mon, 25 May 2015 09:22:07 +0000 (11:22 +0200)]
Bug 13946: Change order status 'Pending' to 'Ordered'
The order status after closing the basket is 'ordered' in the
database, but displays as 'pending' in the staff interface.
As we use 'pending' when you have to review a suggestion, this
clashes in translations and the meaning is different. The patch
renames 'pending' for the order status to 'Ordered' to be more
clear.
To test:
- Verify 'Ordered' shows in the pull down on the acq advanced
search and search still works correctly
- Verify the results table also displays 'Ordered' as the status
Signed-off-by: Cédric Vita <cedric.vita@dracenie.com>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Bug 14275: Remove CGI::scrolling_list from guided_reports.pl
Remove an instance of CGI::scrolling_list from this file
To test:
1) Go to Reports, Guided report wizard, New SQL report
2) Create a report with some auth value list, e.g.
SELECT surname,firstname FROM borrowers WHERE branchcode=<<Enter patrons library|branches>>
Save
3) Click on 'Run this report', look at the dropdown, that will be changed
4) Apply the patch
5) Reload, check dropdown and any regression
Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
A trivial string patch to update the error message displayed to
user if koha-translate is used to attempt removal of a language
that is not installed.
Test plan
=========
1/ attempt to remove a non-existent language by
<installdir>/debian/scripts/koha-translate --remove <langcode>
2/ it should show "Error: the selected language is not already
installed."
3/ apply patch
4/ repeat step 1; it should show "Error: the selected language is
not installed."
Signed-off-by: Nick Clemens <nick@quecheelibrary.org>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Aleisha [Tue, 12 May 2015 02:08:17 +0000 (02:08 +0000)]
Bug 14184: Undefined $term causes noisy warns in C4/CourseReserves.pm
This patch sets $term to be an empty string.
Test plan
=========
1/ enable 'UseCourseReserves' syspref in Circulation preferences
2/ in a terminal, run a `tail -f ` on your instance's opac-error.log
3/ go to the opac, click on 'Course reserve' tab to go to
opac-course-reserves.pl
4/ notice the warning - "opac-course-reserves.pl: Use of uninitialized
value $term" appear in the `tail`ed opac-error.log
5/ apply the patch
6/ reload the page (opac-course-reserves.pl)
7/ page works but the warning in step #4 is no longer logged
8/ run qa test (i.e. koha-qa.pl -c 1 -v 2), there should be no error
Remarks: Testing results match expected test plan output. The QA tests
pass with "OK" for the commit.
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Aleisha [Tue, 12 May 2015 03:01:35 +0000 (03:01 +0000)]
Bug 14185: Undefined $limit causes warn in opac/opac-readingrecord.pl
This patch sets $limit to be an empty string.
Test plan
=========
1/ login into the opac using your user account credentials
2/ in a terminal, run a `tail -f ` on your instance's opac-error.log
3/ go back to the opac, click on 'your reading history' tab to go to
opac-readingrecord.pl
4/ notice the warning - "opac-readingrecord.pl: Use of uninitialized
value $limit" appear in the `tail`ed opac-error.log
5/ apply the patch
6/ reload the page (opac-readingrecord.pl)
7/ page works but the warning in step #4 is no longer logged
8/ run qa test (i.e. koha-qa.pl -c 1 -v 2), there should be no error
Remarks: Testing results match expected test plan output. The QA tests
pass with "OK" for the commit.
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Bug 14186 [QA Followup]: Undefined $reservedfor causes warn in opac-reserve.pl
This is a followup for Bug 14186 that removes the extraneous tab
char on line 470, so that the patch can clear QA tools.
This patch sets $reservedfor to an empty string.
Test plan
=========
1/ in a terminal, run `tail -f ` on your instance's opac-error.log
2/ go to the opac and search from an item that exists on the Koha
instance.
3/ Select the title (if more than one title is returned) and click on
'Place hold' link to go to opac-reserve.pl
4/ notice the warning - "opac-reserve.pl: Use of uninitialized value
$reservedfor" appear in the `tail`ed opac-error.log
5/ apply the patch
6/ reload the page (opac-reserve.pl)
7/ page works but the warning in step #4 is no longer thrown up
8/ run qa test (i.e. koha-qa.pl -c 1 -v 2), there should be no error
Remarks: Testing results match expected test plan output. The QA tests
pass with "OK" for the commit.
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Aleisha [Tue, 12 May 2015 03:30:46 +0000 (03:30 +0000)]
Bug 14186: Undefined $reservedfor causes warn in opac-reserve.pl
This patch sets $reservedfor to an empty string.
Test plan
=========
1/ in a terminal, run `tail -f ` on your instance's opac-error.log
2/ go to the opac and search from an item that exists on the Koha
instance.
3/ Select the title (if more than one title is returned) and click on
'Place hold' link to go to opac-reserve.pl
4/ notice the warning - "opac-reserve.pl: Use of uninitialized value
$reservedfor" appear in the `tail`ed opac-error.log
5/ apply the patch
6/ reload the page (opac-reserve.pl)
7/ page works but the warning in step #4 is no longer thrown up
8/ run qa test (i.e. koha-qa.pl -c 1 -v 2), there should be no error
Remarks: The QA test failed - "forbidden pattern: tab char (line 470)".
Marking this as 'FAILED QA'
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Jonathan Druart [Fri, 19 Jun 2015 08:25:30 +0000 (10:25 +0200)]
Bug 14408: Add tests to get_template_and_user
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Chris [Mon, 22 Jun 2015 05:23:52 +0000 (05:23 +0000)]
Bug 14408 Path Traversal error
Counter counter patch
Please test well, including with the null byte %00, this uses a whitelisting to only allow files ending with .tt
and not allowing ../etc
Note the previous patch tries to protect against /etc/passwd
but //etc/passwd is now vulnerable. I do think a whitelist is safer than trying to do a blacklist
To test:
1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
Notice you get a valid JSON response
2/ Hit
/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
(You may have to add more ..%2f or remove them to get the correct path)
Notice you can see the contents of the /etc/passwd file
3/ Hit
/cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
4/ Apply patch
5/ Hit the first url again, notice it still works
6/ Hit the second url notice it now errors with a file not found
7/ Hit the third url notice it now errors with a file not found
Repeat for the other script also
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
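The whitelist approach described in the message above, as an added Python illustration (not Koha's own Perl code): accept only a relative path of plain segments whose last segment ends in `.tt`, which rejects a `..` segment, an empty `//` segment, an absolute path and a NUL byte alike, then confirm the resolved path stays under the template root. `TEMPLATE_ROOT`, `decode_param` and the allowed character set are assumptions; the sample request values are those from the test plan plus two constructed variants.

```python
"""Whitelist validation of a user-supplied template_path (illustration only)."""
import os
import re
from urllib.parse import unquote

# Hypothetical template root; the real Koha layout is not given in the message.
TEMPLATE_ROOT = "/usr/share/koha/intranet/htdocs/intranet-tmpl/prog/en/modules"

# Whitelist: path segments of [A-Za-z0-9_-] separated by single '/', last
# segment ending in '.tt'. A '..' segment, an empty segment from '//', a
# leading '/', a NUL byte or any other character outside the set all fail.
# The permitted character set is an assumption, not Koha's rule.
_SAFE_TEMPLATE = re.compile(r"(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.tt")


def decode_param(raw_param):
    """Decode the query-string value once, as the CGI layer would
    ('%2f' -> '/', '%00' -> NUL). The check must run on the decoded form,
    i.e. on exactly the string the application will hand to the filesystem."""
    return unquote(raw_param)


def is_safe_template_path(raw_param):
    """True only if the decoded value matches the whitelist in full."""
    return _SAFE_TEMPLATE.fullmatch(decode_param(raw_param)) is not None


def resolve_template(raw_param, root=TEMPLATE_ROOT):
    """Absolute path of the requested template under root, or None if rejected.

    Two layers: the whitelist above, then a canonical-path containment check,
    so that a later relaxation of the regex cannot silently reintroduce
    traversal. Only path normalisation is done here; no file is opened."""
    if not is_safe_template_path(raw_param):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decode_param(raw_param)))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def check_vectors():
    """Run the request values from the test plan above, plus a constructed
    NUL-byte variant and a constructed '//' variant, through the validator.
    Returns {value: accepted?}; only the legitimate template is accepted."""
    vectors = [
        "members/tables/members_results.tt",
        "..%2f..%2f..%2f..%2fetc%2fpasswd",
        "test%2f..%2f..%2f..%2f..%2fetc%2fpasswd",
        "members/tables/members_results.tt%00.txt",  # constructed
        "%2f%2fetc%2fpasswd.tt",                     # constructed
    ]
    return {v: is_safe_template_path(v) for v in vectors}


if __name__ == "__main__":
    for value, accepted in check_vectors().items():
        print("accept" if accepted else "reject", value)
```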
Chris [Sun, 21 Jun 2015 09:35:07 +0000 (09:35 +0000)]
Bug 14423 : Multiple XSS bugs in suggestion.pl
To test
1/ Hit a url like http://localhost:8081/cgi-bin/koha/suggestion/suggestion.pl?author=%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&accepteddate_to=
2/ Notice alert box(es)
3/ Apply patch
4/ Reload and notice alert is gone
Repeat for
collection_title
copyrightdate
isbn
manageddate_from
manageddate_to
publishercode
suggesteddate_from
suggesteddate_to
Chris [Sun, 21 Jun 2015 09:01:32 +0000 (09:01 +0000)]
Bug 14423 : XSS bugs in catalogue search
To test
1/ hit a url like http://localhost:8081/cgi-bin/koha/catalogue/search.pl?limit=%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice alert boxes
3/ Apply patch
4/ Reload url, no alerts
5/ Check search still works
Chris [Sun, 21 Jun 2015 08:46:40 +0000 (08:46 +0000)]
Bug 14423 : XSS issues in marc_subfields_structure
1/ Hit a url like http://localhost:8081/cgi-bin/koha/admin/marc_subfields_structure.pl?op=add_form&tagfield=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice all the alert boxes
3/ Apply patch
4/ Reload page, no more alerts
5/ Test functionality still works
Chris [Sun, 21 Jun 2015 08:33:13 +0000 (08:33 +0000)]
Bug 14423 XSS bug in auth_subfields_structure
1/ Hit a url like http://localhost:8081/cgi-bin/koha/admin/auth_subfields_structure.pl?op=add_form&authtypecode=%27%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&tagfield=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice a ton of alert boxes pop up
3/ Apply patch
4/ Reload url, no longer get any alerts
5/ Test functionality still works
Chris [Sun, 21 Jun 2015 08:18:20 +0000 (08:18 +0000)]
Bug 14423 : XSS bug in lateorders
1/ hit a url like http://localhost:8081/cgi-bin/koha/acqui/lateorders.pl?delay=<script>alert('oh noes')</script>&estimateddeliverydatefrom
2/ Note you get an alert box
3/ Apply patch notice it is fixed
4/ Test functionality still works
Chris [Sun, 21 Jun 2015 08:10:20 +0000 (08:10 +0000)]
Bug 14423 : XSS in authorities-home
To test:
1/ Hit a url like http://localhost:8081/cgi-bin/koha/authorities/authorities-home.pl?op=do_search&type=intranet&marclist=mainentry&and_or=and&operator=contains&value=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice you get 3 alert boxes
3/ Apply patch
4/ Hit the url again, no js
To exploit the vulnerability, no authentication is needed
To test
1/ Turn on mysql query logging
2/ Hit /cgi-bin/koha/opac-tags_subject.pl?number=1+PROCEDURE+ANALYSE+(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
3/ Check the logs notice something like
SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1
PROCEDURE ANALYSE
(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
4/ Apply patch
5/ Hit the url again
6/ Notice the log now only has
SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed the problem and the fix for it.
Signed-off-by: Mason James <mtj@kohaaloha.com>
Jonathan Druart [Fri, 19 Jun 2015 08:25:30 +0000 (10:25 +0200)]
Bug 14408: Add tests to get_template_and_user
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
To test:
1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
Notice you get a valid JSON response
2/ Hit
/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
(You may have to add more ..%2f or remove them to get the correct path)
Notice you can see the contents of the /etc/passwd file
3/ Hit
/cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
4/ Apply patch
5/ Hit the first url again, notice it still works
6/ Hit the second url notice it now errors with a file not found
7/ Hit the third url notice it now errors with a file not found
Repeat for the other script also
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Jonathan Druart [Fri, 19 Jun 2015 09:21:47 +0000 (11:21 +0200)]
Bug 14416: (follow-up) opac addbybilionumber
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Chris Cormack [Thu, 18 Jun 2015 23:26:02 +0000 (11:26 +1200)]
Bug 14416 Stored XSS vulnerability
opac-addbybiblionumber.pl is also vulnerable because it doesn't escape
list names.
To test
1/ Create a malicious list name
2/ Try to add a biblio to the lists
3/ Notice js is executed
4/ Apply patch
5/ Test again
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Chris Cormack [Thu, 18 Jun 2015 23:41:45 +0000 (11:41 +1200)]
Bug 14418 : More XSS vulnerabilities in opac-shelves.pl
To test:
1/ Hit a url like
/cgi-bin/koha/opac-shelves.pl?viewshelf=7&op=modif&display="><script>alert('oh noes')</script>
Where the id is a valid shelf id
2/ Notice the js is executed
3/ Apply patch
4/ Reload page
5/ Notice input is now escaped on display
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Tested in Debian, couldn't reproduce the alert in Iceweasel, but in
Chromium. Patch fixes it.
Chris Cormack [Thu, 18 Jun 2015 23:30:22 +0000 (11:30 +1200)]
Bug 14418 : XSS flaw in opac-shelves.pl
To test:
1/ Create a list and add at least one item to it
2/ Hit a url like http://192.168.2.18/cgi-bin/koha/opac-shelves.pl?viewshelf=7&sort=author&direction=%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
Where the shelf id is the number of the list you created, notice the js is executed
3/ Apply the patch
4/ Reload the page notice the js is now escaped
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Chris Cormack [Thu, 18 Jun 2015 21:25:22 +0000 (09:25 +1200)]
Bug 14418 XSS Vulnerabilities
Fix for /cgi-bin/koha/opac-search.pl
To test
1/ Hit /cgi-bin/koha/opac-search.pl?tag="><script src='http://cst.sba-research.org/x.js'/>&q=a
2/ Notice the js is executed
3/ Apply patch
4/ Reload page, notice it is no longer executed
5/ Test the rss links work still
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed bug and that the patch fixes it.
Signed-off-by: Mason James <mtj@kohaaloha.com>
Aleisha [Tue, 9 Jun 2015 02:02:55 +0000 (02:02 +0000)]
Bug 14360: Unescaped variable causes alert pop-up
To test:
1) Create a list in the OPAC, name it: <script>alert('Hello');</script>
2) Delete the list
3) Confirm deletion
4) See the alert say 'Hello'
5) Apply patch
6) Recreate list with same name
7) Delete list
8) Confirm deletion and alert no longer pops up
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Aleisha [Mon, 8 Jun 2015 02:30:23 +0000 (02:30 +0000)]
Bug 14360: Unescaped variable causes alert
Adding |html to [% resultsperpage %] to escape the variable and get rid of the alert.
To test:
1) Go to URL such as ... /cgi-bin/koha/opac-authorities-home.pl?op=do_search&resultsperpage=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
2) Notice pop-up box with alert
3) Apply patch, refresh page
4) Notice alert is gone
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Robin Sheat [Tue, 28 Apr 2015 03:19:30 +0000 (15:19 +1200)]
Bug 14068: fix preinst for fresh package installs
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Works as expected. Tested both upgrading and on a new install.
Signed-off-by: Mason James <mtj@kohaaloha.com>
Robin Sheat [Fri, 24 Apr 2015 02:48:53 +0000 (14:48 +1200)]
Bug 14055: remove symlink that breaks upgrades
Old versions of koha-common would put in a symlink to the system YUI
libraries. This causes upgrade problems, so we look out for that and zap
it if it's there.
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Bug 14006: about.pl checks the wrong zebra index mode
When setting zebra_bib_index_mode to grs1 I get two warnings when not applying the patch:
"The <zebra_bib_index_mode> entry is set to grs1. GRS-1 support is now deprecated and will be removed in future releases. Please use DOM instead by setting <zebra_bib_index_mode> to dom (full reindex required)."
"You have set <use_zebra_facets> but the <zebra_bib_index_mode> is not set to dom. Falling back to legacy facet calculation."
When applying the patch a third warning appears in addition to the two previous ones:
"The <zebra_bib_index_mode> entry is set to dom, but your system still appears to be set up for grs1 indexing."
Seems like the patch does what it should to me regarding the configuration mismatch warning.
Signed-off-by: Eivin Giske Skaaren <eskaaren@yahoo.no>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Bug 14075: Undefined value creates noisy warns in C4::AuthoritiesMarc
This patch sets $sortby (previously undefined value) as an empty string to get rid of the warns.
To test:
1) Go to a URL such as http://localhost:8080/cgi-bin/koha/opac-authorities-home.pl?op=do_search&type=opac&operator=contains&value=a&marclist=any&and_or=and
2) Notice the warns in the error log
3) Apply patch
4) Reload URL
5) Notice page still works but no warns in error log
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
NOTE: I would have done $sortby //= '';
But this works too. :)
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
TEST PLAN
---------
1) Apply first patch
2) prove -v t/db_dependent/Labels/t_Batch.t
-- YUCK! No meaningful messages on a lot of the ok's.
3) Apply this patch
4) prove -v t/db_dependent/Labels/t_Batch.t
-- YAY! Meaningful test results
5) koha qa test tools
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Nick Clemens [Thu, 14 May 2015 19:56:43 +0000 (19:56 +0000)]
Bug 14204: Fix t/db_dependent/Labels/t_Batch.t failing test from Bug 12991
This patch updates the batch_id variable after items are added to test batch
To test:
1. prove t/db_dependent/Labels/t_Batch.t and see two tests fail
2. apply patch
3. prove again, tests pass!
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
NOTE: The $batch->add_item() call to C4::Creators::Batch::add_item
triggers the change of the batch_id so this line is necessary!
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Mason James [Mon, 30 Mar 2015 06:33:45 +0000 (19:33 +1300)]
Bug 13109 - Serial failure for received and general viewing.
to test...
1/ attempt to view a subscription-detail that has a NULL value for either its 'startdate' or 'enddate'
an example url would be...
http://koha-admin.foo.org/cgi-bin/koha/serials/subscription-detail.pl?subscriptionid=1
observe error...
'Date::Calc::PP::Delta_Days(): Usage: Date::Calc::Delta_Days($year1,$month1,$day1,$year2,$month2,$day2) at /your/koha/C4/Serials.pm line 2325'
2/ apply patch
3/ repeat step 1/
observe that detail page displays OK
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
I confirm the issue if startdate is null (can exist with old data,
before the js check on the form).
Amended patch: Remove trailing space char and the link to the bz number
(can be found using git log).
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
All tests pass, even more now than before.
Signed-off-by: Mason James <mtj@kohaaloha.com>
Yohann Dufour [Thu, 19 Jun 2014 14:32:05 +0000 (16:32 +0200)]
Bug 12445: adding unit tests to test the routines : CountSuggestion, ConnectSuggestionAndBiblio, SearchSuggestion, GetSuggestionInfo, DelSuggestion, GetSuggestionByStatus
These routines were not tested
Test plan:
1/ Execute the command : prove t/db_dependent/Suggestions.t
2/ The result has to be a success without error or warning :
t/db_dependent/Suggestions.t .. ok
All tests successful.
Files=1, Tests=89, 1 wallclock secs ( 0.05 usr 0.01 sys + 1.52 cusr 0.08 csys = 1.66 CPU)
Result: PASS
Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Tests pass, no koha-qa errors
But now there are 91!
prove t/db_dependent/Suggestions.t
t/db_dependent/Suggestions.t .. ok
All tests successful.
Files=1, Tests=91, 2 wallclock secs ( 0.05 usr 0.00 sys + 1.77 cusr 0.10 csys = 1.92 CPU)
Result: PASS
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Yohann Dufour [Thu, 19 Jun 2014 07:14:24 +0000 (09:14 +0200)]
Bug 12445: Improving unit tests for C4::Suggestions.pm
Now the tests use 'is' instead of 'ok', the tests are wrapped in a transaction, and tests are added for the routines NewSuggestion, GetSuggestion, ModSuggestion, GetSuggestionFromBiblionumber and GetInfoFromBiblionumber.
The tests for the routines DelSuggestionsOlderThan, CountSuggestion, ConnectSuggestionAndBiblio, SearchSuggestion, GetSuggestionInfo, DelSuggestion and GetSuggestionByStatus will arrive in another patch.
Test plan:
1/ Execute the command : prove t/db_dependent/Suggestions.t
2/ The result has to be a success without warning or error :
t/db_dependent/Suggestions.t .. ok
All tests successful.
Files=1, Tests=32, 2 wallclock secs ( 0.03 usr 0.01 sys + 1.49 cusr 0.08 csys = 1.61 CPU)
Result: PASS
Signed-off-by: Paola Rossi <paola.rossi@cineca.it> Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com> Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Signed-off-by: Mason James <mtj@kohaaloha.com>
Jonathan Druart [Tue, 10 Feb 2015 09:47:05 +0000 (10:47 +0100)]
Bug 13645: Use DBIx::Connector
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Jonathan Druart [Fri, 30 Jan 2015 16:10:54 +0000 (17:10 +0100)]
Bug 13645: Cache the DBIx connection
We don't want to recreate a new connection to the DB every time we want
a new schema.
This patch creates a $database package level variable on the same way
it's done in C4::Context for $dbh.
Signed-off-by: Jacek Ablewicz <abl@biblos.pk.edu.pl> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Colin Campbell [Thu, 30 Oct 2014 15:36:09 +0000 (15:36 +0000)]
Bug 7904 Change SIP modules to use standard LIB path
For historical reasons the SIPServer and SIP modules
have used an extra module path in addition to the
standard Koha one. This has caused numerous irritants
in attempting to set up scripts and basic tests. It
does not help in attempting to modify or debug
this code.
This patch changes the package value in the modules
under the C4/SIP directory and makes calls to
them use the full package name.
Where the export mechanism was being short circuited
routines have been explicitly exported and imported
declarations of 'use ILS' when that module was
not being used and which only generated warnings
have been removed.
As a lot of the changes affect lines where
an object is instantiated with new, the opportunity
has been taken to replace the ambiguous indirect
syntax with the preferred direct call.
In initializing ILS the full path is added as this
will not require any changes to existing configs.
I suspect this feature is unused, and adds
obfuscation rather than flexibility but have kept
the feature as we need this change in order to
rationalize and extend the testing of the server.
The visible difference is that with the normal Koha
PERL5LIB setting, compilation of modules under C4/SIP
should be successful and not fail with unlocated modules,
allowing developers to see any perl warnings.
All the SIP modules can now be run through the tests
in t/00-load.t now except for SIPServer itself
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Robin Sheat [Sun, 9 Nov 2014 22:38:29 +0000 (11:38 +1300)]
Bug 7904 - remove unnecessary path from SIP script
With the fixing of the namespace in the SIP code, we don't need to
modify the PERL5LIB to have the old one.
To test:
* do a package install using this and the other patches on bug 7904
* enable SIP
* make sure koha-start-sip and koha-stop-sip work
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Robin Sheat [Tue, 14 Apr 2015 03:28:46 +0000 (15:28 +1200)]
Bug 13979: [3.16.x] updates to allow installation on jessie
This patch makes the build script keep the shipped YUI JavaScript library
instead of explicitly deleting it and using the one the operating system
provides.
Development is done against the YUI library we ship, so this makes sense
even if Debian still shipped it.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Colin Campbell [Tue, 10 Feb 2015 17:22:43 +0000 (17:22 +0000)]
Bug 12820: Handle rental fees in Sip issue and renew
Implement correct handling of fees associated with checking out
an item.
This is associated with fee acknowledged field (BO)
To quote from the Sip2 document
" If this field is N in a Checkout message and there is a fee
associated with checking out the item, the ACS should tell the
SC in the Checkout Response that there is a fee, and refuse to
check out the item. If the SC and the patron then interact and the
patron agrees to pay the fee, this field will be set to Y on a second
Checkout message, indicating to the ACS that the patron has acknowledged
the fee and checkout of the item should not be refused just
because there is a fee associated with the item"
So there are two Checkout requests the first with BO not set to Y is
rejected but the fee amount is returned. The Second Checkout with BO set
to Y should succeed.
Added a debug log message indicating why we block a checkout
when we don't otherwise indicate.
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
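The two-step Checkout exchange described above, as an added Perl example that is not Koha's C4::SIP code: a hypothetical handle_checkout() routine refuses the first request when a fee is attached and BO is not 'Y', reports the fee amount back, and issues the item on the second request once BO is 'Y'. The item record, fee value and routine names are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not Koha's C4::SIP code: the two Checkout requests described
# in the commit message, decided by a hypothetical handle_checkout() routine.
use strict;
use warnings;

# Constructed item record with a hypothetical rental fee attached.
my %item = ( barcode => 'ITEM0001', rental_fee => 2.50 );

# handle_checkout($item, $fields): $fields->{BO} is the fee-acknowledged
# field of the incoming Checkout message ('Y' or 'N'). Returns a hashref
# describing the Checkout Response: ok (1 = issue the item) and fee_amount
# (what the ACS reports back so the SC can ask the patron).
sub handle_checkout {
    my ( $item, $fields ) = @_;
    my $fee          = $item->{rental_fee} || 0;
    my $acknowledged = ( $fields->{BO} // 'N' ) eq 'Y';

    if ( $fee > 0 && !$acknowledged ) {
        # First request: refuse, but report the fee. Log the reason so an
        # unexplained refusal can be traced (the debug message the commit
        # mentions serves the same purpose).
        warn sprintf "Checkout of %s refused: fee %.2f not acknowledged (BO=N)\n",
            $item->{barcode}, $fee;
        return { ok => 0, fee_amount => $fee };
    }

    # Fee acknowledged (or no fee at all): the issue may proceed.
    return { ok => 1, fee_amount => $fee };
}

# The exchange: the SC sends BO=N first, then BO=Y once the patron agrees.
my $first  = handle_checkout( \%item, { BO => 'N' } );
my $second = handle_checkout( \%item, { BO => 'Y' } );
printf "first  response: ok=%d fee=%.2f\n", $first->{ok},  $first->{fee_amount};
printf "second response: ok=%d fee=%.2f\n", $second->{ok}, $second->{fee_amount};
```

The first call returns ok=0 with fee 2.50 and writes the refusal reason to the log; the second returns ok=1. Keeping the fee check in one routine, with the refusal logged, is what makes a blocked checkout explainable from the server side rather than only from the self-check unit's screen.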
Katrin Fischer [Sat, 21 Feb 2015 21:52:30 +0000 (22:52 +0100)]
Bug 13746: On creating a new subscription, notes fields get confused
For every subscription we have 4 notes fields in Koha, 2 are in the
subscription itself and another 2 are in the subscription history.
When creating a new subscription, the notes fields from the
subscription get copied to the fields of the subscription history,
leading to doubled up display of notes in the OPAC.
To test:
- Add a new subscription without patch
- check manual history
- Fill in both notes fields
- Verify that the notes fields got also saved into the
subscription history (easy from the Summary tab)
- Apply patch
- Add another subscription, like above
- Verify now only the subscription notes fields are saved
- Edit subscription and notes - verify all is ok
- Edit subscription history (Planning tab) - verify all is ok
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Katrin Fischer [Sat, 21 Feb 2015 19:40:31 +0000 (20:40 +0100)]
Bug 13744: Fix datatables paging on 'Holds to pull' report
The paging of the datatables on the 'holds to pull' report
page is broken without this patch.
To test:
- Make sure that some holds are placed on available items
in your installation
- Go to the circulation start page
- Open the 'holds to pull' report
- Verify that the patch fixes the paging on the result table
Also: Fixes "None" in the filter pull downs to be translatable. Signed-off-by: Nicole <nicole@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
To test:
- Search for a record with items that have been checked out
in the past
- From the detail page, open the 'checkout history' tab
- Check paging displays correctly with this patch and is
broken without
Signed-off-by: Nicole <nicole@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Katrin Fischer [Sat, 21 Feb 2015 19:30:07 +0000 (20:30 +0100)]
Bug 13744: Fix datatables paging on 'order from subscription' page
The paging of the datatable on the 'order from subscription' page
is broken without this patch.
To test:
- Make sure you have a subscription, note the vendor
- Create a new basket for this vendor
- Add a new order line 'from a subscription'
- Check paging on the result table displays correctly
Signed-off-by: Nicole <nicole@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Bug 11331 - CSV export for viewlog.pl is missing newlines - followup
Perl formatting and cleaning.
Also corrects the HTML of results table in viewlog.tt.
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Signed-off-by: Mason James <mtj@kohaaloha.com>
Bug 11331 - CSV export for viewlog.pl is missing newlines
When you try to export the result of tools/viewlog.pl in csv, file
cannot be correctly loaded :
- newline is missing after each record,
- strings should be enclosed in ""
- columns are not the same as for screen output
This patch corrects this by using Text::CSV, like the other exports.
Adds a header line made with the keys of first data. For that, all data
values are initialized with empty string.
Test plan :
- Use a database with some logs, see sysprefs
/cgi-bin/koha/admin/preferences.pl?tab=logs
- Go to export page /cgi-bin/koha/tools/viewlog.pl
- Select a module
- Click on "To a file" and choose a file name
- Click on "Submit"
- Open file
=> Without this patch : newline is missing, multi-lines cells are not
enclosed in "", there are no column headings
=> With this patch : each line is a data line, complex cells are
enclosed in "", there are column headings
- Test the export of all modules to see that all headings are necessary
- Check the output to screen in the browser
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
The CSV export is significantly improved. I question the usefulness of
including biblioitemnumber in the output. A better inclusion would be
itemnumber.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
While this feature is still not perfect, this is a big improvement.
Passes tests and QA script, restores basic functionality.
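An added Perl example of the export technique the commit describes (not the viewlog.pl code itself): rows are written with Text::CSV so each record ends with a newline, cells containing newlines, quotes or commas are enclosed in "", the header comes from the keys of the first row, and every cell is initialised to the empty string. The log rows are constructed for the example; the function name rows_to_csv is hypothetical.

```perl
#!/usr/bin/perl
# Added example, not the viewlog.pl code: building a CSV export with
# Text::CSV so every record ends with a newline, awkward cells are quoted,
# and a header line is built from the keys of the first row.
use strict;
use warnings;
use Text::CSV;

# Constructed log rows (hypothetical, not real Koha log data). The third
# row lacks the 'info' key on purpose to show the empty-string initialisation.
my @rows = (
    { timestamp => '2015-02-21 19:30:07', module => 'CIRCULATION',
      action => 'ISSUE', info => "barcode 123\nrenewed twice" },
    { timestamp => '2015-02-21 19:31:00', module => 'CATALOGUING',
      action => 'MODIFY', info => 'title has "quotes", and a comma' },
    { timestamp => '2015-02-21 19:32:00', module => 'MEMBERS',
      action => 'DELETE' },
);

# rows_to_csv(@rows): returns the whole CSV document as one string.
sub rows_to_csv {
    my (@rows) = @_;
    return '' unless @rows;

    # binary => 1 lets cells carry newlines; eol is appended to every record.
    my $csv = Text::CSV->new( { binary => 1, eol => "\n" } )
        or die 'Cannot use Text::CSV: ' . Text::CSV->error_diag;

    # Column order comes from the keys of the first row; sorted so it is stable.
    my @columns = sort keys %{ $rows[0] };

    open my $fh, '>', \my $buffer or die "open: $!";
    $csv->print( $fh, \@columns ) or die $csv->error_diag;
    for my $row (@rows) {
        # Initialise every cell to '' so a missing or undef key never
        # shifts or drops a column.
        my @values = map { defined $row->{$_} ? $row->{$_} : '' } @columns;
        $csv->print( $fh, \@values ) or die $csv->error_diag;
    }
    close $fh;
    return $buffer;
}

print rows_to_csv(@rows);
```

The multi-line 'info' cell comes out enclosed in "" with the embedded quotes doubled, and the row without 'info' still has the right number of columns, which is what makes the file load correctly in a spreadsheet.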
Benjamin Rokseth [Tue, 22 Apr 2014 12:09:16 +0000 (14:09 +0200)]
Bug 12122: TransferSlip should accept both itemnumber and barcode
Added small patch to allow barcode as input in TransferSlip routine, mostly
to allow generating transfer slips where only barcode is present (aka.
javascript).
Test plan:
1) find book with <barcode> and <itemnumber>
2) generate transferslips with both:
transfer-slip.pl?transferitem=<itemnumber>3967925&branchcode=MPL&op=slip
transfer-slip.pl?barcode=<barcode>&branchcode=MPL&op=slip
and verify that the generated slips match.
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Edit:
- Added tests in t/db_dependent/Circulation_transfers.t
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Passes tests and QA script.
Works with both itemnumber or barcode as described.
Tested printing transfer slips with the URL examples given
and in the UI.
Frédéric Demians [Mon, 12 Jan 2015 11:18:19 +0000 (12:18 +0100)]
Bug 13568 OAI Server doesn't handle properly resumption token
When responding to ListRecords and ListIdentifiers verbs, OAI server doesn't
return a proper resumption token. At the end of a result set, OAI server
generates a resumption token even if there are no more records. Consequently,
OAI harvester will send a new request, based on this invalid resumption
token. OAI Server responds with an empty resultset, which is considered as an
invalid response by most of the harvesters.
TO TEST:
- Find in your DB a day where a few biblio records have been created. The
number of created biblios must be inferior to OAI-PMH:MaxCount.
- Let's say this day is 2014-01-09. Send an OAI-PMH request to Koha OAI Server:
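The paging rule behind the fix, as an added Perl example that is not Koha's OAI server code: a hypothetical list_records() only issues a resumption token while records remain after the current page, and a hypothetical harvest() loop follows tokens until none comes back. The result set and the page size (standing in for OAI-PMH:MaxCount) are constructed; a real token would also carry metadataPrefix, from, until and set.

```perl
#!/usr/bin/perl
# Added example, not Koha's OAI server code: paging a result set so that a
# resumption token is only issued while records remain, and a harvester loop
# showing that the last page then ends the exchange cleanly.
use strict;
use warnings;
use List::Util qw(min);

# Constructed result set: seven biblionumbers "created on one day".
my @biblios   = map { { biblionumber => $_ } } 1 .. 7;
my $max_count = 3;    # stands in for the OAI-PMH:MaxCount preference

# list_records($set, $token, $page_size): answers one ListRecords /
# ListIdentifiers request. The token here is just the next offset.
sub list_records {
    my ( $set, $token, $page_size ) = @_;
    my $offset = defined $token ? $token : 0;
    my $last   = min( $offset + $page_size - 1, $#{$set} );
    my @page   = $offset <= $last ? @{$set}[ $offset .. $last ] : ();

    my $next = $last + 1;
    return {
        records => \@page,
        # Only hand out a token when there really is a next page.
        resumptionToken => ( $next <= $#{$set} ) ? $next : undef,
    };
}

# harvest($set, $page_size): what a harvester does - follow tokens until
# none is returned. Returns (number of requests, number of records).
sub harvest {
    my ( $set, $page_size ) = @_;
    my ( $token, $requests, @records ) = ( undef, 0 );
    do {
        my $resp = list_records( $set, $token, $page_size );
        $requests++;
        push @records, @{ $resp->{records} };
        $token = $resp->{resumptionToken};
    } while ( defined $token );
    return ( $requests, scalar @records );
}

# 7 records, 3 per page: 3 requests, no empty fourth response.
my ( $n, $count ) = harvest( \@biblios, $max_count );
printf "%d records fetched in %d requests\n", $count, $n;

# 6 records, 3 per page: the set size is a multiple of the page size, which is
# exactly the case where a token issued unconditionally leads to an empty reply.
my @six = @biblios[ 0 .. 5 ];
( $n, $count ) = harvest( \@six, $max_count );
printf "%d records fetched in %d requests\n", $count, $n;
```

The second run is the important one: with six records and pages of three, the last page is full, so a server that always emits a token sends the harvester to a third, empty page; checking whether anything follows the current page before issuing the token avoids that.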
Kyle M Hall [Wed, 28 Jan 2015 13:31:30 +0000 (08:31 -0500)]
Bug 13636 - Staff search results item status incorrect for holds
Imagine this scenario: we have one record with four items. Two of those
items are checked out, one of those items is a waiting hold, and one of
those items is available. We would expect to see this on the search
results page. Instead, we will see both non-checked out items as
unavailable due to waiting holds.
This is due to a semantic issue in GetReserveStatus.
C4::Search::searchResults uses GetReserveStatus to get the reserve
status of each item, but unlike all other calls to the sub, this one
passes in not only itemnumber, but biblionumber.
When no reserve is found for the available item, the subroutine uses the
biblionumber to grab what is essentially an arbitrary reserve to use for
the status. This makes no sense and this functionality should be
entirely removed from the subroutine so regressions like this will be
prevented in the future.
Test Plan:
1) Create one record with 4 items
a) check two of the items out to patrons
b) set one of the items as a waiting hold
c) leave the fourth item as available
2) Run a search where this record will be in the results list
3) Note that the results list 2 items on loan, two unavailable
4) Apply this patch, reload the search results
5) Note that the results list 1 available, 2 on loan, 1 unavailable
Signed-off-by: John Andrews <jandrews@washoecounty.us> Signed-off-by: Sheila Kearns <sheila.kearns@state.vt.us> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Note: This is for the staff search result list!
The holds ratio report ignores ordered items. This could cause a library
to inadvertently order more copies of a title than they actually need.
An option should be added to count ordered items ( i.e. any negative
notforloan value ).
Test Plan:
1) Apply this patch
2) Create a record with two items, one regular, one ordered.
3) Place 3 holds on the item
4) Run the reserve ratios report, by default you should see this record
5) Check the new 'include ordered' checkbox, rerun the report
6) Note that record is no longer displayed
Signed-off-by: Heather Braum <hbraum@nekls.org> Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Jonathan Druart [Mon, 17 Nov 2014 16:17:49 +0000 (17:17 +0100)]
Bug 13270: Don't display "vendor note" label if nothing to display
Bug 12111 removes the vendor note edition on receiving.
The label should not be displayed when it's empty.
Test plan:
1/ Receive an order without a vendor note and verify that the label is not
displayed.
2/ Receive an order with a vendor note and verify that the note is
displayed.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Works as described, small template change.
Jonathan Druart [Thu, 11 Dec 2014 08:50:38 +0000 (09:50 +0100)]
Bug 13268: the size should not be emptied in pl script
It duplicates what the first patch does.
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com> Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Fridolin Somers [Mon, 17 Nov 2014 15:32:20 +0000 (16:32 +0100)]
Bug 13268 - biblioitems.size value not correctly displayed (more)
Bug partially corrected by Bug 11357.
The size column in biblioitems is a bit problematic when used in TT, because instead of the size value from the biblio column it will give you the size of the variable or current loop.
It's currently used in the templates like opac-topissues.tt :
[% IF results_loo.size %][% results_loo.size %][% END %]
This patch corrects by using item() TT method.
See http://stackoverflow.com/questions/2311303/how-can-i-handle-hash-keys-containing-illegal-identifier-characters-in-template.
Test plan :
- Be sure there is a mapping between a MARC field and biblioitems.size
- Create a record A with biblioitems.size defined : like "10x12"
- Create a record B with no value in biblioitems.size
- Check each modified page :
=> Without this patch : you see a number (loop size) for both records
=> With this patch : you only see the correct value for A and nothing for B
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com> Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Fridolin Somers [Thu, 19 Jun 2014 12:47:15 +0000 (14:47 +0200)]
Bug 11357 - biblioitems.size value not correctly displayed in list emails sent from OPAC and intranet
The size column in biblioitems is a bit problematic when used in TT, because instead of the size value from the biblio column it will give you the size of the variable.
It's currently used in the templates for sending shelves from OPAC and intranet and maybe also in other places:
[% END %]
[% IF BIBLIO_RESULT.size %]
, [% BIBLIO_RESULT.size %]
[% END %]
This patch corrects by using item() TT method.
See http://stackoverflow.com/questions/2311303/how-can-i-handle-hash-keys-containing-illegal-identifier-characters-in-template.
Test plan :
In each display :
=> Without this patch you see biblioitems.pages and then a number
=> With this patch you only see biblioitems.pages
- Create a record with biblioitems.pages defined (like "12p") but without biblioitems.size defined
Same for OPAC and intranet :
- Add it to the cart
- Open the cart
- Check the "Title" column
- Click on "More Details"
- Check the "Details" row
- Send the basket via email and check the result
- Add to a list
- Send the list via email and check the result
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Works well!!
Tested on staff & opac, cart & list.
No koha-qa errors
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Passes QA script and tests.
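The Template Toolkit gotcha behind Bug 11357 and Bug 13268, as an added Perl example that is not Koha's template code: on a plain hash, TT resolves a defined key before its hash virtual methods, so `.size` returns the column value when it is set but silently falls back to the virtual method (the number of keys) when the column is absent or undef, which is when a bare number shows up in the display; `item('size')` always looks up the key. The two records are constructed for the example and the render() helper is hypothetical.

```perl
#!/usr/bin/perl
# Added example, not Koha's template code: why [% r.size %] can print a
# number instead of the biblioitems.size column, and how item('size') fixes it.
use strict;
use warnings;
use Template;

# Constructed records standing in for biblioitems rows (not Koha data).
my $record_a = { title => 'Record A', pages => '10p', size => '10x12' };
my $record_b = { title => 'Record B', pages => '12p' };    # no size column

# render($template, $vars): process a template string and return the output.
sub render {
    my ( $template, $vars ) = @_;
    my $tt = Template->new() or die Template->error;
    my $out = '';
    $tt->process( \$template, $vars, \$out ) or die $tt->error;
    return $out;
}

# Wrong: when the 'size' key is missing or undef, TT falls through to the
# hash virtual method 'size' and prints the number of keys in the hash.
my $wrong = '[% IF r.size %][% r.size %][% END %]';

# Right: item('size') looks the key up by name and never calls the vmethod.
my $right = '[% IF r.item("size") %][% r.item("size") %][% END %]';

for my $r ( $record_a, $record_b ) {
    printf "%-8s wrong=[%s] right=[%s]\n", $r->{title},
        render( $wrong, { r => $r } ), render( $right, { r => $r } );
}
# Record A: wrong=[10x12] right=[10x12]
# Record B: wrong=[2]     right=[]
```

Record B is the case the test plan asks for (a record with pages but no size): the unfixed template prints 2, the key count of the hash, while `item('size')` prints nothing. The same applies to any column whose name collides with a TT virtual method (for example `keys`, `values`, `list`, `each`, `defined`), so `item()` is the safe form for such columns.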
Mason James [Thu, 9 Apr 2015 03:33:02 +0000 (15:33 +1200)]
Bug 12954: Failed login should retain anonymous session (3.16.x)
A failed login should not leave the user in a half logged authenticated
state, but rather return them to an anonymous session as per the
pre-login attempt state.
To replicate error:
1. Try to log in with some nonexisting user id or wrong password in the
OPAC
2. Go directly to /opac-user.pl (e.g., enter it in the browser address
bar, or just click on the "Log in" link)
3. Observe a DBI error displayed on the screen
4. You are now in the "deadloop" of sorts (opac/opac-user.pl refuses to
display the login screen, no matter how many times you try to reload
it); to break the deadloop, one needs to:
- remove session cookie from the browser (or cause the session to
expire in some other way - closing browser window would be probably
enough for that)
- remove offending session on the server (from mysql sessions table,
..)
- log in with proper credentials using some other page (like
opac/opac-main.pl right-side panel), which does not involve
opac/opac-user.pl being called without "userid" CGI parameter.
To test:
1. Test as above, the DBI error should no longer be present
2. Check that search history works across failed and successful login
attempts
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
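The session behaviour the commit describes, as an added Perl example that is not Koha's C4::Auth code: a hypothetical login() routine discards the session that received the attempt, returns a fresh anonymous session when the credentials are wrong (carrying the search history over), and issues a new authenticated session id on success. The users table, the in-memory session store and the session-id generation are constructed for the example; a real deployment takes its session ids from the session library, not from rand.

```perl
#!/usr/bin/perl
# Added example, not Koha's C4::Auth code: a minimal login routine that
# returns the caller to a fresh anonymous session after a failed attempt,
# keeping the search history, instead of leaving a half-authenticated one.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed users table: userid => sha256 of the password (hypothetical).
my %users = ( alice => sha256_hex('correct-horse-battery') );

# In-memory session store standing in for the sessions table.
my %sessions;
my $seq = 0;

# Create a new anonymous session, optionally carrying over the search
# history of a previous one. (rand is not a cryptographic source; a real
# application lets its session library generate the id.)
sub new_anonymous_session {
    my ($previous) = @_;
    my $id = sha256_hex( join '|', 'session', ++$seq, time, rand );
    $sessions{$id} = {
        anonymous      => 1,
        userid         => undef,
        search_history => [ @{ ( $previous && $previous->{search_history} ) || [] } ],
    };
    return $id;
}

# login($session_id, $userid, $password): always returns the id of the
# session the browser should use from now on.
sub login {
    my ( $session_id, $userid, $password ) = @_;
    my $previous = delete $sessions{$session_id};    # old session is never reused

    if ( defined $users{$userid}
        && sha256_hex($password) eq $users{$userid} ) {
        # Success: new session id (avoids session fixation), now authenticated.
        my $id = new_anonymous_session($previous);
        $sessions{$id}{anonymous} = 0;
        $sessions{$id}{userid}    = $userid;
        return $id;
    }

    # Failure: no userid, no partial state, just a clean anonymous session,
    # so the next page request behaves exactly as before the attempt.
    return new_anonymous_session($previous);
}

# Walk through the scenario from the commit message.
my $sid = new_anonymous_session();
push @{ $sessions{$sid}{search_history} }, 'perl cookbook';

$sid = login( $sid, 'alice', 'wrong-password' );
printf "after failed login: anonymous=%d userid=%s history=%s\n",
    $sessions{$sid}{anonymous}, $sessions{$sid}{userid} // 'none',
    join( ',', @{ $sessions{$sid}{search_history} } );

$sid = login( $sid, 'alice', 'correct-horse-battery' );
printf "after good login:   anonymous=%d userid=%s history=%s\n",
    $sessions{$sid}{anonymous}, $sessions{$sid}{userid} // 'none',
    join( ',', @{ $sessions{$sid}{search_history} } );
```

After the failed attempt the session is anonymous with no userid and the search history intact, so a page that expects either a full login or a plain anonymous session never meets the in-between state that produced the DBI error and the reload loop; after the good attempt the history is still there on the new authenticated session.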
Martin Renvoize [Tue, 6 Jan 2015 06:54:00 +0000 (06:54 +0000)]
Bug 13521: Add missing semicolon
Add a missing semicolon to the end of a template variable assignment
line. This patch should not affect operation.
Note: With Bug 13499 we did a non-destructive perltidy, as such we only
affected indenting and whitespace to maintain blame history. However, a
number of minor code issues were also highlighted, in this series of
patches I hope to correct other minor style issues.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Martin Renvoize [Tue, 6 Jan 2015 06:48:29 +0000 (06:48 +0000)]
Bug 13521: Removed superfluous semicolon
Removed an unneeded semicolon from the end of an 'if' block. This should
not affect operation of the script.
Note: With Bug 13499 we did a non-destructive perltidy, as such we only
affected indenting and whitespace to maintain blame history. However, a
number of minor code issues were also highlighted, in this series of
patches I hope to correct other minor style issues.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com> Signed-off-by: Mason James <mtj@kohaaloha.com>
Kyle M Hall [Thu, 31 Jul 2014 15:28:44 +0000 (11:28 -0400)]
Bug 12507 - News does not always display in staff or OPAC
News will not display on the last day of each month due to the
way the date is calculated in the SQL code for grabbing news.
Test Plan:
1) Create a news item that should display
2) Change your server's date to the last day of the month
3) Note you can no longer see that news item
4) Apply this patch
5) Note you can now see your news item again
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Signed-off-by: Mason James <mtj@kohaaloha.com>