Chris [Sun, 21 Jun 2015 08:46:40 +0000 (08:46 +0000)]
Bug 14423: XSS issues in marc_subfields_structure
1/ Hit a url like http://localhost:8081/cgi-bin/koha/admin/marc_subfields_structure.pl?op=add_form&tagfield=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice all the alert boxes
3/ Apply patch
4/ Reload page, no more alerts
5/ Test functionality still works
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 91a8584aa845fb1695a46fe3b89197f7d1365d94) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Katrin Fischer [Sun, 7 Jun 2015 23:30:58 +0000 (01:30 +0200)]
Bug 14356: Improvements to the 'Transfers to receive' page
Patch makes several small changes to the template for the
'Transfers to receive page'
1) Show the branch name instead of the branchcode in the
table of incoming transfers.
If there is a hold connected with the transfer:
2) Show the patron's name as 'surname, firstname'
intead of 'surname firstname'
3) Restore broken feature: Show a mailto: link with a
generated subject of 'Hold: <title>'.
The mailto: feature actually existed in the templates, but
was broken to a misnamed database column. I made some small
changes to make the subject translatable (see bug 8330).
To test:
- Create a transfer by placing a hold with pickup at another library
- Craete a transfer manually
- Go to the circulation > transfers to receive
- Check the changes explained above, compare before and after
- Check the mailto: link works as expected
Bonus: Check the Hold: bit in the subject is really translatable now.
Signed-off-by: Nick Clemens <nick@quecheelibrary.org> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit e5cea455d00c52b4a81e87b4dc77315c03ce8630) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Tue, 16 Jun 2015 15:39:16 +0000 (17:39 +0200)]
Bug 14253: (follow-up) Same fix for the basket page
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit b61782f1e78c771d66351b380755182e111eaf81) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
The 'notify on receiving' patron search on the new order form
in acquisitions didn't allow you to scroll, so there was no
way to select users from the bottom of a longer result list.
To test:
- Create a new order in acquisitions
- On the order form, use the 'Add user' button to open
the popup
- Perform a patron research with a lot of results
- Verify that with the patch you can scroll, but
that you couldn't without it
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
without patch: no scroll bar in Firefox 38
with patch: scrolling works fine
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit e835e03ccf1c7f8cf9f2e9949d2d19889c3610a5) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Mark Tompsett [Tue, 16 Jun 2015 04:39:31 +0000 (04:39 +0000)]
Bug 5025: discrepancy between opac doc-head-open.inc and staff doc-head-open.inc
http://library.debiankoha.ca/cgi-bin/koha/errors/400.pl
http://library.debiankoha.ca/cgi-bin/koha/errors/401.pl
http://library.debiankoha.ca/cgi-bin/koha/errors/402.pl
http://library.debiankoha.ca/cgi-bin/koha/errors/403.pl
http://library.debiankoha.ca/cgi-bin/koha/errors/404.pl
http://library.debiankoha.ca/cgi-bin/koha/errors/500.pl
http://library.debiankoha.ca/cgi-bin/koha/ilsdi.pl
Set OpacMaintenance to "Show" in the Staff client system preferences.
http://library.debiankoha.ca/cgi-bin/koha/maintenance.pl
Set OpacMaintenance to "Don't show" in the Staff client system preferences.
http://library.debiankoha.ca/cgi-bin/koha/opac-ISBDdetail.pl?biblionumber=5390
http://library.debiankoha.ca/cgi-bin/koha/opac-MARCdetail.pl?biblionumber=5390
Log into OPAC Client
http://library.debiankoha.ca/cgi-bin/koha/opac-account.pl
http://library.debiankoha.ca/cgi-bin/koha/opac-search.pl
-- This is actually the advanced search.
FIXME: Don't know how to trigger opac-alert-subscribe.tt
FIXME: Don't know how to trigger opac-auth-MARCdetail.tt
FIXME: Don't know how to trigger opac-auth-detail.tt
FIXME: Don't know how to trigger opac-auth.tt
Click 'Authority search' in OPAC
Click 'Submit'
Search for something in the catalog
Click 'Select all'
Change 'With selected titles:' drop down to 'cart'
View the cart.
Click 'Send'
Click 'Cancel'
Click 'Download'
Click 'Cancel'
Close cart window
Search for something in the catalog
Select 'Select all'
Change 'With selected titles:' drop down to '[ New List ]'
Save the list
Click 'Lists'
Click the list you saved
Click 'Download list'
Click 'Cancel'
Click 'Send list'
Click 'Cancel'
Copy the URL from download list and remove the '&context=modal'
Click 'Cancel'
http://library.debiankoha.ca/cgi-bin/koha/opac-blocked.pl
http://library.debiankoha.ca/cgi-bin/koha/opac-browser.pl
FIXME: Don't know how to trigger opac-course-details.tt
http://library.debiankoha.ca/cgi-bin/koha/opac-course-reserves.pl
http://library.debiankoha.ca/cgi-bin/koha/opac-detail.pl?biblionumber=5336
FIXME: Don't know how to trigger opac-full-serial-issues.tt
http://library.debiankoha.ca/cgi-bin/koha/opac-imageviewer.pl
http://library.debiankoha.ca/cgi-bin/koha/opac-main.pl
Click on the user name in the top area.
Click the 'your personal details' tab.
Change the birth date.
Click 'Submit'
http://library.debiankoha.ca/cgi-bin/koha/opac-messaging.pl
http://library.debiankoha.ca/cgi-bin/koha/opac-overdrive-search.pl
Click on the user name in the top area.
Click the 'change your password' tab.
Set OPACPrivacy to "Allow" in the Staff client system preferences.
Refresh OPAC page
click on the user name in the top area.
Click the 'your privacy' tab.
Click the 'your reading history' tab.
Change the PatronSelfRegistration to "Allow" in the Staff client system preferences.
Change the PatronSelfRegistrationCategory to "PT" or some other valid patron category code.
Change the PatronSelfRegistrationAdditionalInstructions to something.
Refresh OPAC page
Log out
Click the 'Register Here' link.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Tested most pages, inspected all of them.
No errors
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit cb28aa454a4c97d0dcf7772d13dfb14635596291) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Thu, 18 Jun 2015 16:14:36 +0000 (18:14 +0200)]
Bug 11804: Remove references to circ-menu.tt
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit b9ae37ae38886a1b37293f7238302a5300d86087) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Katrin Fischer [Sat, 6 Jun 2015 11:03:43 +0000 (13:03 +0200)]
Bug 11804: Remove unused circ-menu.tt
The formerly used circ-menu.tt is no longer referenced in the
templates and can be removed.
To test:
- Verify all tabs in the patron account still work as
they should.
- git grep circ-menu.tt
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
No problems on patron pages, no more circ-menu.tt
No errors
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 46a2585b01255b4257ccb6ca4617e341b0bbb301) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Nicolas Legrand [Thu, 28 May 2015 14:32:29 +0000 (16:32 +0200)]
Bug 14290: Add a table foot to circulation matrix
Reprint circulation matrix header in a footer helps editing entries in
big matrix. Otherwise, the header disapears and it's hard to tell
which columns we're editing.
Test plan : try do add, modify or delete some entries in the
circulation matrix, everything should work as expected.
Patch works as expected. Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 1ea3465d30b1b0fcd12a5592ce5a4c34a9a58462) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Bug 12616: Locale in subscriptions not preselecting correctly
There is a problem if a language is present but
don't have ISO639-2 code. Locale pulldown on serial
suscription is malformed.
To reproduce on master:
a) remove some entries on language_rfc4646_to_iso639
b) go to Serials > New suscription
c) Put any value on Vendor and record, press Next>>
d) Look at locale pulldown, it must default to last
removed lang from a), also other langs has no value
and are also 'selected' on html
To test:
1) Reproduce the problem
2) Apply the patch
3) Add New suscription, pulldown must be fixed
NOTE: Deleted Urdu and Chinese.
Master had both "selected" in the HTML.
Applied patch, neither were added.
Defaults to first item, which is blank meaning English.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit b9c4061479235d0d79ecbd917b015db5441d8118) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Katrin Fischer [Sun, 7 Jun 2015 22:55:22 +0000 (00:55 +0200)]
Bug 8330: Overdue email link contains untranslatable 'Overdue:'
The translation scripts don't pick up text from href attributes,
which is what we want, with a small exception for this script.
Patch uses a TT trick to make the Overdue: in the subject
of the mailto: link translatable.
Regression test:
- Make sure you have an overdue item
- Go to Circulation > Overdues
- Verify the [email] link works and a subject
with 'Overdue: <title>' is generated
- Apply patch and repeat steps
Bonus: Verify the branch name now shows instead of
the branchcode in the table
To test translatability:
- cd misc/translator
- perl translate update de-DE
- Open file po/de-DE-staff-prog.po
- Search for Overdue:
- Translate string, remove 'fuzzy' marker
- perl translate install de-DE
- Test again, subject should now be translated
Signed-off-by: Nick Clemens <nick@quecheelibrary.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 67881bd907b4c28843c73bb26b051a69dd489094) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Nick Clemens [Wed, 10 Jun 2015 01:51:44 +0000 (21:51 -0400)]
Bug 14371: Facets should be sorted by label (displayed) not title (link value)
This patch changes one small line in catalogue/search.pl and opac/opac-search to sort facets by:
facet_label_value
instead of
facet_title_value
To test:
1 - Perform a search with results in two branches e.g. Centerville (code CPL) and Fairfield (code FPL)
2 - Notice that branch facets appear correctly sorted
3 - Rename the branches Centervile->Zebra and Fairfeild->Aardvark (but don't change codes)
4 - Repeat original search
5 - Note that branch facets are no longer correctly sorted
6 - Apply patch
7 - Repeat search
8 - Facets should be correctly sorted
9 - Test in both staff and opac search
10 - Ensure there are no unintended consequences/regressions
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Work as described, staff AND opac
No errors
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 219f7b5c8fe59034fc7aff1ab81e42bc8cb6eba2) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Mulitple 082 fields are already separated by |, but multiple
$a in one 082 field were only separated by space, making those
not easy to read.
Patch takes care that the | separator is used in all cases.
To test:
- Catalog a record with multiple 082 fields
- Add one or multiple $a subfields to each
- Verify every single classification is separated from
the others with a | in staff and in OPAC detail pages
Signed-off-by: Nick Clemens <nick@quecheelibrary.org> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 6d9d66e32afaef73cbf2a33ce58d49f373e99dd8) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Katrin Fischer [Mon, 8 Jun 2015 03:29:16 +0000 (05:29 +0200)]
Bug 13874: 'Rotating collections' are a circulation tool
Moves the entry for 'Rotating collections' from the Catalog
column to the 'Patrons and circulation' column.
To test:
- Verify the entry has been moved on the tools home page
NOTE: I agree that collections makes more sense under the new
column.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit da8ec2d37a43c87ad5b087511dd8e4ce082f022f) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Mark Tompsett [Wed, 15 Apr 2015 16:33:29 +0000 (12:33 -0400)]
Bug 14001: Inventory has bad $_ references
After receiving an error while attempt a simple inventory run,
Two lines were changed from:
...$_->...
to
...$item->...
since the loop variable is $item. And $_ is not set to the
expected hash reference, when there is a loop variable.
This also helps explain the "Why are there blank dates on my
last seen field?" problem that has been mentioned by users.
TEST PLAN
---------
1) Apply this patch after a reset to master.
2) Log in to staff client
3) Add one item via z39.50, setting barcode to a known value (BARCODE1)
4) Wait for the reindex
5) Home -> Tools -> Inventory/Stocktaking
6) Browse for a file with the barcode in it
7) Set the library dropdown to the library branch of the added item.
8) Check 'Compare barcodes list to results:'
9) Click 'Submit'
-- This should not die under plack.
This should not generate blank last seen dates.
The last seen dates should be as expected.
10) run koha qa test tools
11) Confirm the two change point correspond to the two change points
in the patch which shall not be pushed to master.
The test result comply with expected outcome outlined in test plan.
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 3ebc081962247ce0c598da810451c459909842bc) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Katrin Fischer [Wed, 17 Jun 2015 10:28:39 +0000 (12:28 +0200)]
Bug 14401: Zebra index configuration doesn't allow exact search for C.
2 lines in the Zebra configuration files prevent an exact search for C.,
while all other [A-Z]. searches work correctly.
After taking a look at the /etc/zebradb/etc/word-phrase-utf.chr
those 2 lines cause the problem:
map (^c\.) @
map (^C\.) @
I propose to remove them.
To test:
- Catalog a record with an item with callnumber: C.
- Catalog a record with an item with callnumber: B.
- Try seaching for the second using callnum,ext:B. (exact field search)
- Verify search works.
- Try searching for the other with callnum,ext:C.
- Verify no result.
- Apply the patch - copy the zebra config file if necessary into the right spot
- Reindex
- Repeat searches - both should not bring up the correct record.
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit f86743d893b61a4609d2f02a175db9944710067e) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Robin Sheat [Wed, 27 May 2015 00:25:34 +0000 (12:25 +1200)]
Bug 14394: fix documentation of OpacHiddenItems
The current documentation of OpacHiddenItems told people to go and read
a file on the server, which most people don't have access to. This
replaces it with a link to the wiki.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
It doesn't apply for some reason. Fixed
Added target attribute to open in new window/tab,
hope you don't mind.
Updated documentation
No errors
Belongs to Aleisha or Robin?
Update assignee please :)
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 865321f3726c3b6065ef72107017c4171630d140) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Mark Tompsett [Fri, 19 Jun 2015 13:00:33 +0000 (09:00 -0400)]
Bug 14422: Typo in updatedatabase.pl
TEST PLAN
---------
1) backup db
2) git checkout -b my_3.6.x origin/3.6.x
3) drop db and create blank one
4) git reset --hard origin/3.6.x
5) run web installer
6) set HomeorHoldingBranchReturn system preference to 'holdingbranch'.
7) create a Default checkout, hold rule
home -> koha administration -> Circulation and fines rules
-- I put 10 checkouts total and clicked 'Save'
-- there currently is not 'returnbranch' in default_circ_rules.
8) git reset --hard origin/3.20.x
-- or whatever version you apply this to
(3.8.x, 3.10.x, 3.14.x, 3.16.x, 3.18.x, or 3.20.x
-- 3.21.00.008 deletes the systempreference involved)
9) ./installer/data/mysql/updatedatabase.pl
10) check HomeorHoldingBranchReturn systempreference
-- Currently says 'holdingbranch', but
the value of 'returnbranch' in default_circ_rules is
'homebranch'.
11) repeat steps 3-8
12) apply this patch
13) repeat steps 9-10
-- Currently says 'holdingbranch', and
the value of 'returnbranch' in default_circ_rules is
'holdingbranch'.
14) run koha qa test tools
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Tested using 3.6.x install, updated to 3.8.x
Value is preserved
No errors
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Note: I haven't followed the test plan, but the fix is trivial.
Maybe it could worth to upate 3.21.00.008 and check the value of
HomeOrHoldingBranchReturn before deleting it.
We could raise a warning if HomeOrHoldingBranchReturn ==
'holdingbranch'. Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 8c91ca7903846da0cf7a73914a0b78484c0429df) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Katrin Fischer [Mon, 8 Jun 2015 00:15:03 +0000 (02:15 +0200)]
Bug 4925: Remove Smithsonian as a delivered z39.50 target
Removes the Smithsonian as a target installed with the
sample data during installation.
Also adds the newer LOC authority targets to files where
they were missing.
To test:
- Verify the Smithsonian has been removed from all
translated installers
- Verify the files are still valid SQL and install
correctly
NOTE: There was tiny scope creep which included ensuring
there were two Authority z39.50 servers as well.
Text files properly reflect the removal.
SQL 'source' of SQL files worked properly.
Was able to Z39.50 search for all of the 'en'.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 0ca21c1e488f150cca74beb9a67b285e5531f3b5) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Intranet:
1/ Marc view link
2/ The Please upload one image link
Test plan:
On a record detail page (staff and OPAC), print the page and confirm
these blocks no longer appear.
Signed-off-by: Nick Clemens <nick@quecheelibrary.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 68f0fe7b6f152a6db100525724c1ece507258652) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Fri, 19 Jun 2015 13:47:58 +0000 (15:47 +0200)]
Bug 10063: Remove outdated FIXME
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 9ed3d83dcbc609e9d658d965257b87bdc42e0606) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Katrin Fischer [Mon, 8 Jun 2015 02:17:53 +0000 (04:17 +0200)]
Bug 10063: Correct documentation of C4::Members::IsMemberBlocked
Rephrased documentation a bit, replacing fine days with the
more general term restriction. As IsDebarred checks for existing
active restrictions.
TEST PLAN
---------
1) apply patch
2) git diff origin/master
-- do the changes make sense
3) perldoc C4::Members
-- look for the IsMemberBlocked.
-- Does it reflect current state
4) koha qa test tools
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 307f7a064cdaf16bca5a762344563b87651a1664) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Katrin Fischer [Mon, 8 Jun 2015 00:58:53 +0000 (02:58 +0200)]
Bug 10119: Add note about CalculateFinesOnReturn to description of finesmode
This adds a note to the descrpition of the finesmode system
preference mentioning that CalculateFinesOnReturn is another
option for charging fines:
Note: Fines can also be charged by the CalculateFinesOnReturn system preference.
To test:
- Search for the finesmode system preference
- Verify the new text shows and is correct
NOTE: New text appears as expected. You can also just scroll for
it on the Circulation preferences tab.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 45c1b8f7b261493c27aa4d734e9795be619c1c70) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Bug 14421: Corrected example in SMS.pm to working version with hashref.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Test:
1) Apply patch
2) perldoc C4/SMS.pm
3) Check fixed argument in example
Argument is hashref, POD is now right
Added additional space on second arg
No errors
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 0cb82c8d02cc4b672b169c8b0261c4bb6360cd00) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Mark Tompsett [Fri, 19 Jun 2015 15:24:57 +0000 (11:24 -0400)]
Bug 14425: Typo in C4::Context IsSuperLibrarian perldoc
TEST PLAN
---------
1) git checkout -b bug_14425 origin/master
2) perldoc C4::Context
/IsSuperlibr
-- see it is bad.
3) apply patch
4) perldoc C4::Context
/IsSuperLibr
-- see it is fixed.
5) koha qa test tools.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Fix typo, no errors.
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
% git grep -i IsSuperLibrarian|wc -l
55
% git grep IsSuperLibrarian|wc -l
55 Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 2b255be22c919b11d690f4dcf8a5e84e93290878) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Nicole C. Engard [Fri, 19 Jun 2015 16:32:18 +0000 (11:32 -0500)]
Bug 14424: Tools Help Files for 3.20
This patch updates and adds help files to 3.20+
To test:
* Visit batch record modification and note that there is a help file
and confirm the text is right
* Visit export data, import borrowers, stage marc for import, and log viewer
* Confirm updated text is right
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 469275fef5f4cfd7b251cd0a8ba2b53009b10f03) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Nicole C. Engard [Fri, 19 Jun 2015 16:08:56 +0000 (11:08 -0500)]
Bug 14424: Admin Help Files for 3.20
This patch updates some of the help files for Admin areas in 3.20+
To test:
* Visit
* Frameworks, add field, add subfield
* Column settings
* Patron attributes
* Circ rules
* Confirm help loads up and is right
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit d3983e563ffbce5c3276108c5840394bcb7b8593) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Katrin Fischer [Tue, 9 Jun 2015 22:11:19 +0000 (00:11 +0200)]
Bug 11458: Improve confusing description of syspref 'gist'
The description of "gist" was:
"Default tax rates are ... (enter in numeric form, 0.12 for 12%.
First is the default. If you want more than 1 value, please
separate with |) "
The doubled use of "default" is confusing here.
With the patch it reads:
Tax rates are ... Enter in numeric form, 0.12 for 12%.
The first item in the list will be selected by default.
For more than one value, separate with | (pipe)
To test:
- Verify that the gist system preference description is
correct.
The use of "default" is confusing here.
Signed-off-by: Aleisha <aleishaamohia@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 6c94fe52f954f93916993f71c472b068096806da) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Katrin Fischer [Tue, 9 Jun 2015 00:32:46 +0000 (02:32 +0200)]
Bug 14215: Change the 'delimiter' syspref description for its wider use
Patch changes 'report files' to 'CSV files' as there are more
options now for downloading and creating CSV files where this
preference is taken into account.
To test:
- Verify the changed system preference description for
'delimiter' is correct.
Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 2eaeb708795e7624eb8873b617d4a38d69fa84fc) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Jonathan Druart [Tue, 24 Mar 2015 16:01:30 +0000 (17:01 +0100)]
Bug 4137: Fix the OPACViewOthersSuggestions behavior
This pref does not work at all, the interface let the user choose to
list all suggestions, but whatever he chooses the suggestion list is the
same.
This patch cleans a bit the suggestedby management.
There are a lot of cases to test, because linked to 2 prefs:
AnonSuggestions and OPACViewOthersSuggestions.
1/ AnonSuggestions = 0 and OPACViewOthersSuggestions = 0
- A non logged in user is not able to make a suggestion.
- A logged in user is not able to see suggestions made by someone else.
2/ AnonSuggestions = 0 and OPACViewOthersSuggestions = 1
- A non logged in user is not able to make a suggestion.
- A logged in user is able to see suggestions made by someone else.
3/ AnonSuggestions = 1 and OPACViewOthersSuggestions = 0
- A non logged in user is able to make a suggestion.
The suggestedby field will be filled with the AnonymousPatron pref value.
He is not able to see suggestions, even the ones made by AnonymousPatron.
- A logged in user is not able to see suggestions made by someone else.
4/ AnonSuggestions = 1 and OPACViewOthersSuggestions = 1
- A non logged in user is able to make a suggestion.
He is able to see all suggestions.
- A logged in user is able to see suggestions made by someone else.
In all cases a logged in user should be able to search for suggestions
(except if he is not able to see them).
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
All use cases tested, work as expected
No errors
Only comment is perhaps (in the future) a gracefull failure
when AnonymousPatron is not set, or has '0' value
Message is DBIx::Class::ResultSet::create(): Column 'suggestedby' cannot be null at ...
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit be35039b55a351c97f2c1f9a5b373cb26ac5e0b0) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Jonathan Druart [Wed, 22 Apr 2015 10:14:24 +0000 (12:14 +0200)]
Bug 10866: Hide patron's history if intranetreadinghistory is set to not allow
If set to "not allow", the intranetreadinghistory pref prevent staff
members to access patron's checkout history.
But:
1/ The page is still accessible if you know the url
2/ The history can be consulted on the item history page
Test plan:
0/ Don't apply this patch
1/ Set the intranetreadinghistory to allow
2/ Go on a patron's checkout history page
3/ Open a new tab and go on a item's checkout history page
4/ Set the intranetreadinghistory to not allow
5/ Refresh both pages => no change
6/ Apply this patch
7/ Refresh both page.
On the first page, you should see a warning
On the other one, you should see that the patron column is not displayed
anymore.
Followed test plan, results were as expected. Signed-off-by: Marc Véron <veron@veron.ch>
http://bugs.koha-community.org/show_bug.cgi?id=10886 Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Nice addition! Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit d847b1d92a9df6db2bb5321f032f3ec13d6ba55d) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Magnus Enger [Wed, 17 Jun 2015 12:36:44 +0000 (14:36 +0200)]
Bug 14403: Remove warn in Koha::NorwegianPatronDB
Line 99 has an unconditional warn, left over from development:
warn "$combined_username => $combined_password";
This patch deletes the line i question.
To test:
No testing needed, just have a look at the diff and see that
it makes sense to delete the warn.
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit b740b1b412e11b1d540b243e7b1767cc0c1cb962) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Katrin Fischer [Mon, 8 Jun 2015 03:04:56 +0000 (05:04 +0200)]
Bug 13427: jQuery Timepicker is not translated on returns page
The returns page was missing an include with the translated strings.
To test:
- Install an additional language, like de-DE
- Confirm the bug on the returns page
- Make sure SpecifyReturnDate is activated
- Open the datepicker, look at the time settings
- Apply the patch
- Reinstall the language, no update of the po files is needed
- Retest
- Verify, that now the time settings are translated
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Works as expected
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 688452ad7e9131a53a96bd826e6228e73494fa53) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Katrin Fischer [Mon, 8 Jun 2015 01:18:35 +0000 (03:18 +0200)]
Bug 11467: Bug Untranslatable srings in opac-detail.tt (IDreamBooks*, OpacBrowseResults)
Patch marks several strings in the Javascript on the OPAC detail
and result page for translation.
1) IDreamBooks*
- Activate the 3 IDreamBooks* system preferences
- Check the 'cloud' and additional content shows up correctly on
the detail and result pages
- Verify everything works as expected and the same as without the patch
2) OpacBrowseResults
- Activate OpacBrowseResults
- Do various searches
- Verify the nex, previous, browse result list features still
work the same as without the patch
Bonus: Check new strings appear in the .po files by updating one
language with the patch applied (perl translate update de-DE)
NOTE: Really should have read the test plan more closely.
I couldn't find the 'Go to detail:' section, until I clicked
'Browse results'.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 7ab873aaea298c787e93438012fa8792345664f4) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Conflicts:
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-detail.tt
Jonathan Druart [Wed, 24 Jun 2015 09:03:22 +0000 (11:03 +0200)]
Bug 14440: get_template_and_user can not have an empty template_name (quote*_ajax.pl)
This patch uses check_api_auth instead of get_template_and_user.
Test plan:
Confirm that you are still able to access to the quote editor with the
edit_quotes permission.
Confirm that you are not if you don't have the permission.
wget your_url/cgi-bin/koha/tools/quotes/quotes_ajax.pl
should return "403 : Forbidden."
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 08871a324fa731ffdbbe87afde1ee145c604a22b) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Fridolin Somers [Tue, 23 Jun 2015 15:45:30 +0000 (17:45 +0200)]
Bug 14440: get_template_and_user can not have an empty template_name (opac-ratings.pl)
Since Bug 14408, the method get_template_and_user can not have an empty template_name.
Pages calling with an empty value should use C4::Auth::checkauth()
This patch corrects opac/opac-ratings.pl
Test plan :
- Apply patch
- Set sysopref OpacStarRatings to 'results and details'
- Disable Javascipt on your browser (otherwise it will use ajax)
- Login at OPAC
- Go to a record
- Click on a button left of 'Rate me' to choose a rating, ie 4
- Click on 'Rate me'
=> The page is reloaded and you see 'your rating: 4'
- Loggout from OPAC
- Try to access URL : http://<serveur>/cgi-bin/koha/opac-ratings.pl
=> You see the loggin page
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit f1acb5615d0cbcba5db5b84e12fbad3d41454347) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Fridolin Somers [Tue, 23 Jun 2015 14:45:21 +0000 (16:45 +0200)]
Bug 14440: get_template_and_user can not have an empty template_name (updatesupplier.pl)
Since Bug 14408, the method get_template_and_user can not have an empty template_name.
Pages calling with an empty value should use C4::Auth::checkauth()
This patch corrects acqui/updatesupplier.pl
Test plan :
- Apply patch
- Connect to intranet with a user having "vendors_manage" permission
- Go to acquisition module
- Create a new vendor
- Click on "Edit vendor"
- Change some information and save
=> Your change is saved
- Connect to intranet with a user not having "vendors_manage" permission
- Try to access <intranet>/cgi-bin/koha/acqui/updatesupplier.pl
=> Access is denied
- Disconnect from intranet
- Try to access <intranet>/cgi-bin/koha/acqui/updatesupplier.pl
=> Access is denied
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 015c26a5e36dae5070eab57f400237715d93ae44) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Liz [Wed, 24 Jun 2015 09:52:05 +0000 (09:52 +0000)]
Bug 14450: itemsearch no longer working
To test:
Click Advanced search in staff client
Click the link for "Go to Item Search" at the top of the page
Do a search, you should get results. Try some combinations and make sure it works like it should.
Signed-off-by: Jacek Ablewicz <abl@biblos.pk.edu.pl> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit f900ea03bf15746bd2c310b59f2fb06972f6bdee) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Aleisha [Tue, 9 Jun 2015 18:20:52 +0000 (18:20 +0000)]
Bug 11011: Rephrasing 'in keyword' in OPAC authority search
Using 'in the complete record' rather than 'in keyword'. I think this fits well as it seems that this means the search looks anywhere in the record.
To test:
1) In the OPAC, click on Authority Search
2) Notice that in the drop-down menu for the 'Where:' field, there is an 'in keyword' option.
3) Apply patch
4) Now says 'in the complete record'
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 892d374b64fa4eed98955d75b517702f78f1ca40) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Katrin Fischer [Sun, 7 Jun 2015 21:45:10 +0000 (23:45 +0200)]
Bug 8686: Raise required version of URI::Escape to 3.31
Raises the minimum required version of URI::Escape from
1.36 to 3.31.
TEST PLAN
---------
1) git branch -b bug_8686 origin/master
2) ./koha_perl_deps.pl -a | grep URI
-- it will list 1.36 required
3) git bz apply 8686
4) ./koha_perl_deps.pl -a | grep URI
-- it will list 3.31 required
5) koha qa test tools
NOTE: Also default in Ubuntu 14.04 LTS,
not just Wheezy as noted in comment #15.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signoff based on Nicole's comment (bug 9990 comment 6):
"This stops happening if you upgrade URI::Escape to
3.31. We should make it clear in the Perl Modules page that an upgrade
is needed." Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 7c0c92807f49ef61aa975e84cf26d42f7dfa425f) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Chris [Sun, 21 Jun 2015 09:35:07 +0000 (09:35 +0000)]
Bug 14423 : Multiple XSS bugs in suggestion.pl
To test
1/ Hit a url like http://localhost:8081/cgi-bin/koha/suggestion/suggestion.pl?author=%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&accepteddate_to=
2/ Notice alert box(es)
3/ Apply patch
4/ Reload and notice alert is gone
Repeat for
collection_title
copyrightdate
isbn
manageddate_from
manageddate_to
publishercode
suggesteddate_from
suggesteddate_to
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Chris [Sun, 21 Jun 2015 09:20:51 +0000 (09:20 +0000)]
Bug 14423 : Multiple XSS vulnerabilities in serials-search
To test
1/ Hit a url like http://localhost:8081/cgi-bin/koha/serials/serials-search.pl?bookseller_filter=%22%22%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&searched=1&title_filter=
2/ Notice alert boxes
3/ Apply patch
4/ Reload, notice fixed
Repeat for
callnumber_filter
EAN_filter
ISSN_filter
publisher_filter
title_filter
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Chris [Sun, 21 Jun 2015 09:01:32 +0000 (09:01 +0000)]
Bug 14423 : XSS bugs in catalogue search
To test
1/ hit a url like http://localhost:8081/cgi-bin/koha/catalogue/search.pl?limit=%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice alert boxes
3/ Apply patch
4/ Reload url, no alerts
5/ Check search still works
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Chris [Sun, 21 Jun 2015 08:33:13 +0000 (08:33 +0000)]
Bug 14423 XSS bug in auth_subfields_structure
1/ Hit a url like http://localhost:8081/cgi-bin/koha/admin/auth_subfields_structure.pl?op=add_form&authtypecode=%27%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&tagfield=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice a ton of alert boxes pop up
3/ Apply patch
4/ Reload url, no longer get any alerts
5/ Test fuctionality still works
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Chris [Sun, 21 Jun 2015 08:18:20 +0000 (08:18 +0000)]
Bug 14423 : XSS bug in lateorders
1/ hit a url like http://localhost:8081/cgi-bin/koha/acqui/lateorders.pl?delay=<script>alert('oh noes')</script>&estimateddeliverydatefrom
2/ Not you get an alert box
3/ Apply patch notice it is fixed
4/ Test functionality still works
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Chris [Sun, 21 Jun 2015 08:10:20 +0000 (08:10 +0000)]
Bug 14423 : XSS in authorities-home
To test:
1/ Hit a url like http://localhost:8081/cgi-bin/koha/authorities/authorities-home.pl?op=do_search&type=intranet&marclist=mainentry&and_or=and&operator=contains&value=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice you get 3 alert boxes
3/ Apply patch
4/ Hit the url again, no js
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Mon, 22 Jun 2015 08:24:51 +0000 (10:24 +0200)]
Bug 14408: Allow integers in template paths
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 64e47c63dc59669c3c651b93630c470e06107fd6) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Fri, 19 Jun 2015 08:25:30 +0000 (10:25 +0200)]
Bug 14408: Add tests to get_template_and_user
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 5dd7c8f0d5fae67ea6177fdbac77a04f70661864) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Chris [Mon, 22 Jun 2015 05:23:52 +0000 (05:23 +0000)]
Bug 14408: Path Traversal error
Counter counter patch
Please test well, including with the null byte %00, this uses a whitelisting to only allow files ending with .tt
and not allowing ../etc
Note the previous patch tries to protect against /etc/passwd
but //etc/passwd is now vulnerable. I do think a whitelist is safer than trying to do a blacklist
To test:
1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
Notice you get a valid JSON response
2/ Hit
/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
(You may have add more ..%2f or remove them to get the correct path)
Notice you can see the contents of the /etc/passwd file
3/ Hit
/cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
4/ Apply patch
5/ Hit the first url again, notice it still works
6/ Hit the second url notice it now errors with a file not found
7/ Hit the third url notice it now errors with a file not found
Repeat for the other script also
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 5a7f459290326e1cea8460bb0817492340dd4150) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
To exploit the vulnerability, no authentication is needed
To test
1/ Turn on mysql query logging
2/ Hit /cgi-bin/koha/opac-tags_subject.pl?number=1+PROCEDURE+ANALYSE+(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
3/ Check the logs notice something like
SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1
PROCEDURE ANALYSE
(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
4/ Apply patch
5/ Hit the url again
6/ Notice the log now only has
SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed the problem and the fix for it. Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 57b01fb655955ac630d6018d03f4d134e7e3e25a) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Chris Cormack [Thu, 18 Jun 2015 23:41:45 +0000 (11:41 +1200)]
Bug 14418: More XSS vulnerabilities in opac-shelves.pl
To test:
1/ Hit a url like
/cgi-bin/koha/opac-shelves.pl?viewshelf=7&op=modif&display="><script>alert('oh
noes')</script> Where the id is a valid shelf id
2/ Notice the js is executed
3/ Apply patch
4/ Reload page
5/ Notice input is now escaped on display
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Tested in Debian, couldn't reproduce the alert in Iceweasel, but in
Chromium. Patch fixes it. Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit cd4c959f7226b060f683f5571f030cc2df7539ca)
Chris Cormack [Thu, 18 Jun 2015 23:30:22 +0000 (11:30 +1200)]
Bug 14418: XSS flaw in opac-shelves.pl
To test:
1/ Create a list and add at least one item to it
2/ Hit a url like http://192.168.2.18/cgi-bin/koha/opac-shelves.pl?viewshelf=7&sort=author&direction=%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
Where the shelf id is the number of the list you created, notice the js is executed
3/ Apply the patch
4/ Reload the page notice the js is now escaped
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit b6ca2b0cd2d95e8aedbfd7c0c58ace8200620bf1) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Chris Cormack [Thu, 18 Jun 2015 21:25:22 +0000 (09:25 +1200)]
Bug 14418: XSS Vulnerabilities in OPAC search
Fix for /cgi-bin/koha/opac-search.pl
To test
1/ Hit /cgi-bin/koha/opac-search.pl?tag="><script
src='http://cst.sba-research.org/x.js'/>&q=a
2/ Notice the js is executed
3/ Apply patch
4/ Reload page, notice it is no longer executed
5/ Test the rss links work still
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed bug and that the patch fixes it. Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 45dd7754019e8f525c8d52bf33c41016e5ccbfab) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 542b06f065bf550a2a625bbfb34ce73bb65d01a1) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Fri, 19 Jun 2015 09:21:47 +0000 (11:21 +0200)]
Bug 14416: (follow-up) opac addbybilionumber
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit abd2bc99e886c11fa9abe15ef01c3298d00757cb) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Chris Cormack [Thu, 18 Jun 2015 23:26:02 +0000 (11:26 +1200)]
Bug 14416: Stored XSS vulnerability
opac-addbybiblionumber.pl is also vulnerable because it doesn't escape
list names.
To test
1/ Create a malicious list name
2/ Try to add a biblio to the lists
3/ Notice js is excuted
4/ Apply patch
5/ Test again
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit fb51a4bb0f3ac8b42b53579fe3d6d73d0b3438cd) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Chris Cormack [Thu, 18 Jun 2015 22:54:40 +0000 (10:54 +1200)]
Bug 14416: Stored XSS vulnerability
The affected page in the OPAC client is:
http://testbox:9001/cgi-bin/koha/opac-shelves.pl
the vulnerable parameter: addshelf
The affected page in the STAFF client is:
http://testbox:9002/cgi-bin/koha/virtualshelves/shelves.pl
To test:
1/ Create a shelf in the opac that contains some malicious js
eg Bad stuff <script>alert('oh noes');</script> as the name
2/ Go to /cgi-bin/koha/virtualshelves/shelves.pl in the staff client
Note the js is executed
3/ View
http://192.168.2.18:8080/cgi-bin/koha/svc/virtualshelves/search?template_path=virtualshelves/tables/shelves_results.tt&type=1
Notice the html is not escaped
4/ Apply patch
5/ View
http://192.168.2.18:8080/cgi-bin/koha/svc/virtualshelves/search?template_path=virtualshelves/tables/shelves_results.tt&type=1
Notice the html is now escaped
6/ View /cgi-bin/koha/virtualshelves/shelves.pl - no more exploit
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 703a928b9d81e974d56c306cd0bee3670f243c55) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Katrin Fischer [Sun, 7 Jun 2015 23:49:24 +0000 (01:49 +0200)]
Bug 14351: Remove given-when from opac-search.pl
Reformats given-when to if-elsif-else in opac-search.pl
to remove the experimental feature and with it a lot
of warnings from the logs.
To test:
- Do several different advanced searches with and
without expanded search options
- Verify the link back to the search appears above
the results list and works correctly
See also: test plan on bug 13307
NOTE: Even installed firefox plug in to edit cookies to
trigger else case. :)
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 38048bc420ffa6f2a5a73287fdff5e2d8cbe63ef) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Katrin Fischer [Sat, 6 Jun 2015 12:34:57 +0000 (14:34 +0200)]
Bug 14350: Missing statement in kohastructure.sql - DROP TABLE IF EXISTS borrower_sync
Reported by Jonathan on bug 11401:
DROP TABLE IF EXISTS borrower_sync;
is missing in installer/data/mysql/kohastructure.sql
To test:
- Run the web installer and confirm all tables are
created correctly
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 2fe241cc0f774799b8dca329d41d03f2217ffcaa) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Tue, 28 Apr 2015 09:26:44 +0000 (11:26 +0200)]
Bug 11941: Add link to patron lists from the patron home page
The patron lists are only accessible from the tools module, which is not
easily accessible when you are in the patron module.
Test plan:
Go on the patron home page.
In the toolbar, you should see a link to the patron lists.
NOTE: Tweaked button to a to get the click to work.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Liz Rea <liz@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 27ef1410a7784577149bed6a466937c7ded6ba70) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Bug 14206: Adds test for getletter() call from overdue_notices.pl
Adds missing test for getletter() when called from overdue_notices.pl
Test plan
=========
1/ apply this patch
2/ run prove -v t/db_dependent/Letters.t
all tests should pass, especially test #40 which tests call from
overdue_notices.pl
Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit c07f83f643e6b8820d90487a23e91e9b062a5cd6) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Bug 14206: Adds delete function for non email templates
C4::Letters::getletter() is called in tools/letter.pl by the function
delete_confirm() to display the selected notice for deletion. Due to
current implementation of getletter(), a notice that does not use
the 'email' template (but uses any/all of the other templates - sms,
print or phone) can't be deleted from the staff client.
This patch adds deletion capability for notices that do not use email
template, but uses any/all of the other templates i.e. sms, print or
phone. This also adds 2 tests to t/db_dependent/Letters.t for testing
both conditions - a) when message_transport_type is specified b) when
it is not.
Test plan
=========
1/ Go to Tools -> Notices & Slips. Add a new notice only for print,
leave 'Library' and 'Koha module' options as default selections.
Enter 'KOHA_14206' and 'Koha Test 14206' against Code and Name
respectively, and 'Test' and 'Test Message' for subject and body.
Leave the Email, Phone and SMS tabs blank. Save the notice.
2/ On the notices listing page the new notice will be listed. Try to
delete it. It will load the 'Delete notice' dialog form, but the
table will not show any data under <th>s - 'Library', 'Module',
'Code' or 'Name'.
3/ Click the "Yes, delete" button. The page will be submitted and the
Notices listing reloaded. The print-only KOHA_14206 notice should
continue to exist. This is *wrong*.
4/ Apply this patch
5/ Reload the listings page and click on the 'Delete' link for Notice
KOHA_14206. This time, it should show the data under 'Module',
'Code' or 'Name' at least.
6/ Click on 'Yes, delete'. The page should submit and the listing page
reload. This time KOHA_14206 will be gone.
7/ Run prove -v t/db_dependent/Letters.t
All tests should PASS without any error.
Followed test plan. Works as expected. Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 8895caa33985bbb0cad9b011c4706d4591d2869b) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Wed, 8 Apr 2015 13:24:50 +0000 (15:24 +0200)]
Bug 13970: Remove category_type related code
Working on bug 13497 and bug 9314, I run into some Koha vestiges.
The category_type parameter should not be passed to memberentry.
On creating a new patron, the categorycode should be passed, and on
editing, it's useless. We can work with the borrowernumber and retrieve
these values.
Details of the changes:
- members-toolbar.inc: Remove the category_type parameter passed to
memberentry.pl
- memberentrygen.tt: Just remove the useless category_type parameter on
editing a patron. Also remove the unused one passed to
guarantor_search.pl.
- tables/members_results.tt: the borrowernumber is enough to edit a
patron.
- memberentry.pl: check_categorytype is never used in the template, all
the process to calculate/retrieve it is unnecessary.
- members/nl-search.tt: The borrowernumber is enough to edit a patron.
Test plan:
Try to create and edit patrons and verify that
- the guarantor search still work
- the form (memberentry) behave as before
Edit a patron from the nl-search.pl script (Magnus?)
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
On top of 9314 (13497 already pushed)
No evident regressions found, add/edit patron works,
search/set guarantor works.
Cant test nl-patron.pl save for exec it.
prove -v t/NorwegianPatronDB.t runs
No koha-qa errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit c34569480884a543d19f3e87d13153cc771fa135) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Wed, 8 Apr 2015 11:29:28 +0000 (13:29 +0200)]
Bug 9314: Remove useless code related to the type_only parameter
Since the pref AddPatronLists has been removed in bug 13497, the code
related to type_only and category_type in memberentry.pl is useless.
Test plan:
Confirm you don't the information message.
You can also confirm that the message was wrong and nothing was saved.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Dead code removed, no errors
Think that bug description can be updated to commit message
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 9d793b2f7e229251887e96c13c1ad6cb9410de38) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Kyle M Hall [Fri, 5 Jun 2015 12:06:29 +0000 (08:06 -0400)]
Bug 14338: Unable to delete patron images
The call to RmPatronImage is still passing cardnumber as its parameter
instead of borrowernumber.
Test Plan:
1) Upload a patron image
2) Ensure the card number is not the same as the borrower number
3) Attempt to delete patron image
-- Image will remain
4) Apply this patch
5) Attempt to delete patron image
-- Image will be removed
6) run koha qa test tools
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 721a77e6696c26efedd1955569a00e1dff2aa6b8) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Fri, 22 May 2015 11:11:19 +0000 (13:11 +0200)]
Bug 13265: Use sessionStorage to store searches instead of cookies
This is a counter patch.
The idea is to provide a permanent solution for the cookie length issue
we occurred on storing the searches (intranet side).
Test plan:
Launch as many searches as you can (don't forget to sleep).
You should not get any error.
Confirm there is no regression using the results browser.
Tested with 6 parralel searches in different tabs (with alternatively browising up and down). No problems found. Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 41b9687d975a3c2a54cc28229d4ba76edf175de9) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Aleisha [Tue, 9 Jun 2015 02:02:55 +0000 (02:02 +0000)]
Bug 14360: Unescaped variable causes alert pop-up
To test:
1) Create a list in the OPAC, name it: <script>alert('Hello');</script>
2) Delete the list
3) Confirm deletion
4) See the alert say 'Hello'
5) Apply patch
6) Recreate list with same name
7) Delete list
8) Confirm deletion and alert no longer pops up
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 9bef8f8738492564af7da78cba841366c70ada3c) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Aleisha [Mon, 8 Jun 2015 02:30:23 +0000 (02:30 +0000)]
Bug 14360: Unescaped variable causes alert
Adding |html to [% resultsperpage %] to escape the variable and get rid of the alert.
To test:
1) Go to URL such as ... /cgi-bin/koha/opac-authorities-home.pl?op=do_search&resultsperpage=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
2) Notice pop-up box with alert
3) Apply patch, refresh page
4) Notice alert is gone
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 9e920f7479df6d36db3e3450d6e6c2524fa9fe56) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Mark Tompsett [Wed, 15 Apr 2015 05:02:08 +0000 (01:02 -0400)]
Bug 10625: Inventory/Stocktaking tool cannot handle windows file uploads
The current code uses
$barcode = <fh>;
logic. This reads until \n, as far as I can tell.
EOL is indicated by \n, \r, and \r\n depending on OS and software.
So, to this end, rather than File::Slurp (which is a potential
memory hog, which is already an issue with no filters), a loop
to pre-read the barcodes was written.
This loop includes:
$barcode =~ s/\r/\n/g;
$barcode =~ s/\n\n/\n/g;
my @data = split(/\n/, $barcode);
push @uploadedbarcodes,@data;
So, that means that lines ending in \n would have it stripped
and pushed into the uploaded barcodes array.
Lines ending in \r would likely be read as one giant block,
have everything converted to single \n's and then using a split,
the set of barcodes are pushed into the uploaded barcodes array.
Lines ending in \r\n would get that stripped and pushed into the
uploaded barcodes array.
It is then the uploaded barcodes array that is looped over for
validating the barcodes.
TEST PLAN
---------
1) Back up your database
2) Download the three sample files (or create your own)
3) Log in to staff client
4) Create a branch with no inventory.
5) Home -> Tools -> Inventory/Stocktaking
6) Browse for your '\r' test file.
7) Limit to just that branch
8) Click 'Submit'
-- Confirm expected errors
9) Repeat steps 5-8 with the '\n' test file.
10) Repeat steps 5-8 with the '\r\n' test file.
-- one of these repetitions should have problems.
11) Apply patch
12) Repeat steps 5-8 for each of the 3 test files.
-- there should be no issues.
13) run koha qa test tools.
Note: This is a tweak based on Jonathan Druart's comment #16
I have reset it to needs sign off again.
Followed test plan. Works as expected. qa OK. Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit d75a751d49ad65b007572e02320735d2b02c9e1f) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Thu, 4 Jun 2015 09:35:15 +0000 (11:35 +0200)]
Bug 14256: (follow-up) Check for unique constraint to regenerate random data
There were some issues in the previous patch. This patch fixes the
following:
- rename $value with $original_value
- remove $at_least_one_constraint_failed and $values_ok which make the
code unnecessarily complicated
- the constraints have to be checked only if no original value is passed
- _buildColumnValue created a key to the default value hashref, it broke
the test:
last BUILD_VALUE if exists( $default_value->{$source} );
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit c5bc51d7d1b6c98e9d897022f91d8e0806cf4524) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Bug 14256: Check for unique constraint to regenerate random data
Unique constraints should be checked when creating random data. Otherwise
we get failures when the generated data already exists on the DB.
This patch takes advantage of ->unique_constraints() to do the job,
looping through all the unique constraints defined for the source.
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 395304d3b58d79bb1306c4e6f799548e2d875356) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Thu, 16 Apr 2015 14:39:09 +0000 (16:39 +0200)]
Bug 10355: paramater 'object' lost on the road
Test plan:
1) Go to any detail page in staff
2) Click on the modification log tab
3) Verify, that the object is prefilled with the records biblionumber
and you can also see it as parameter in the url
4) Click a second time on modification log to reset your search
Before this patch, the object parameter was empty.
It now contains the value of the biblionumber.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Work as described, no koha-qa errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 0002126a2ab0ac38a8d3f144f446dc3ba69dab59) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Bug 14344: uninitialized value warning C4/Utils/DataTables/Members.pm
The condition for the assignment depends on $searchtype to be defined
and equal to 'contains'. So this change doesn't change the semantics.
- if $term !~ /^%/
- and $searchtype eq "contain";
+ if (defined $searchtype) && $searchtype eq "contain"
+ && $term !~ /^%/;
To test:
- Home -> Circulation -> Checkout
- Search for a user that does not exist (I searched 'whywouldthisexist') on the intranet interface.
- Look at the intranet logs
=> FAIL: you get "Use of uninitialized value $searchtype in string eq at.,,"
- Apply the patch
- Repeat the search
=> SUCCESS: No warning
- Sign off :-D
NOTE: Other pages are more forgiving. Tweaked test plan.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit d82aeb352f35ec37fdd62fed7e9a713168a21c28) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Marc Véron [Tue, 2 Jun 2015 09:39:17 +0000 (11:39 +0200)]
Bug 14314: System Preferences: Better explanation for syspref 'ShowReviewerPhoto'
[PASSED QA] If syspref ShowReviewerPhoto is enabled, the reviewer's avatar is displayed beside comments in OPAC. The avatar will be searched on www.libravatar.org using the patron's email address.
This patch changes the text for 'ShowReviewerPhoto'.
To test:
Apply patch
Go to Home > Administration > System preferences
Search for ShowReviewerPhoto
Verify that the new explanation makes sense.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Better explanation, no errors.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Changed mail to e-mail. Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit d763d7cf3c28149b5d7f82de8a98789ee97814d6) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Marcel de Rooy [Thu, 4 Jun 2015 10:47:13 +0000 (12:47 +0200)]
Bug 14330: Remove unused email_sender from sendbasket/sendshelf
The sendbasket/sendshelf scripts and templates do not use email_sender
as a cgi parameter or as a template var. Probably a leftover from previous
changes.
Let's make Koha cleaner :)
Test plan:
[1] Send your cart from opac or staff.
[2] Send a shelf from opac or staff.
[3] Git grep email_sender. No results.
Followed test plan. Works as expected. Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 0114465ced0d87aed51e8632e0ec1c005ae4fce3) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Fri, 24 Apr 2015 15:03:09 +0000 (17:03 +0200)]
Bug 11790: Remove dependency C4::Context from C4::Charset
C4::Context is only used to retrieve a syspref value.
This patch moves the use of C4::Context to a require.
Test plan:
Try to reach the SetMarcUnicodeFlag subroutine (batchmod, add/update a biblio, etc.)
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Tested on French UNIMARC install
No errors adding/editing biblios
No koha-qa errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 34fe5c24167f6bc27cff519d4a26c347d06341b3) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Marcel de Rooy [Thu, 4 Jun 2015 10:03:42 +0000 (12:03 +0200)]
Bug 14329: Useless copy/pasta from Template::Plugin::HtmlToText
The synopsis of this TT plugin contains two example lines:
[% myhtml FILTER html2text(leftmargin => 0, rightmargin => 0) %]
[% myhtmltext | html2text %]
These lines have been copied (without too much thought :) to a few templates. Since we do no use the variables myhtml or myhtmltext in these templates, these lines are useless.
Test plan:
[1] Put some items in your cart. And send it.
[2] Send a shelf.
[3] Git grep on myhtml. Should not have results.
NOTE: Sent carts and lists in Intranet and OPAC successfully.
Though, this does bring into question why the letters
have HTML formatting if it is getting removed. That,
however, is beyond the scope of this bug.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 4fd923e12eea70b7e871f0068471ff5ef91dda01) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Marcel de Rooy [Thu, 4 Jun 2015 07:15:24 +0000 (09:15 +0200)]
Bug 14327: Fix js error "TypeError: events is null" in additem.js
If you have no item plugins, the events variable in BindPluginEvents
of additem.js will be null. So testing events.length will generate
the described error.
This patch adds a check to prevent that from happening again.
Test plan:
[1] Do not yet apply this patch !
[2] Temporarily remove framework plugins from your items (in ACQ or default
framework). Probably you have to clear dateaccessioned.pl and
barcode.pl.
[3] Open js console in your browser.
[4] Go to Acquisition. Open a basket and add an order from a new empty
record.
[5] You should see js error: "TypeError: events is null" (additem.js:176)
[6] Apply this patch and reload the page (make sure that you refresh so
that the new javascript code is read).
[7] The TypeError should be gone.
[8] Restore the framework plugins from step 2. Refresh the page again and
verify that they still work as expected.
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 5132d5f991515b86a9282b214a9418b65b4c0881) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Marcel de Rooy [Tue, 26 May 2015 12:52:07 +0000 (14:52 +0200)]
Bug 14276: Keep highlight on the active item in item editor
The highlight only works on even items.
This patch should resolve it.
Test plan:
Edit biblio with multiple items.
Verify that the highlight is visible on the selected item you edit.
And that there is no highlight for a new item.
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 83c6817a86de68fb08cb73aef3b8b46d12587116) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Bug 14173: Paging on 'recent comments' page in OPAC is not displaying correctly
This patch corrects the display of current page on
a multipage recent comments.
To test:
1) Enable OpacShowRecentComments
2) Add multiple comments to multiple records
I used a script to add multiple lines like
"insert into reviews values ($i, 51, $i, 'Comment $i', 1, '2015-06-01 00:00:00')"
to table reviews
3) On OPAC, go to 'Recent comments', verify the bug
4) Apply the patch
5) Reload and check correct display
Can't found missing space near 'by' from description.
Display is correct for me.
Followed test plan, displays as expected. Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 7928cdfbd405de9d4a8fffc535d3dcbd9a95226c) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Josef Moravec [Fri, 15 May 2015 09:03:21 +0000 (11:03 +0200)]
Bug 13656: "Change"/"Set to patron" button for linking a member to an organisation (or child to guarantor) not translatable
Test plan:
1. install and activate an additional language
2. create patron in organization category
3. create professional patron
4. try to add this patron to an organization (Guarantor information section)
5. note that the left button text changed to "Change" - untranslated english string
6. push the "Delete" button, the guarantor patron field is cleared and the left button text changed to "Set to patron" - again original english text
7. apply the patch
7.1. update translation (koha-translate -u language_code)
8. repeat 4-6, note, that button text are still translated in all sitations
9. sign off ;)
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Work as described, no errors
Fixed message capitalization
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit c2650e20f9cc5c9e17eea199d19022a144c6e9c8) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Jonathan Druart [Tue, 3 Feb 2015 12:25:47 +0000 (13:25 +0100)]
Bug 13662: Fix the serials.receive_serials permissions
There are some issues with serial permissions.
For instance it's not possible to receive serials if the
edit_subscription is not set.
Also the toolbar is empty.
Test plan:
1/ Set the serials => receive_serials permissions to a patron (and only
this one for the serials module).
2/ Verify you cannot create a new subscription, you can search
subscriptions but cannot edit them.
3/ On the serial result list, receive a serial (action > Serial
receive).
You can now change the status and receive it.
4/ On the serial collection, you can edit 1+ serials to reveice it.
5/ Set the serials => edit_subscription permission and confirm there is
no regression.
QA note: I think we should introduce a C4::Serials::can_receive_serials
subroutine, to test the IndependentBranches pref, but I don't want to
add to much processing to check permissions.
Signed-off-by: Paola Rossi <paola.rossi@cineca.it> Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit e6040977409ffe4dc6a23f6d76c3bd1f528837d0) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Kyle M Hall [Fri, 29 May 2015 13:36:34 +0000 (09:36 -0400)]
Bug 14299: Today's checkouts not always sorting correctly
Sometimes the today's checkouts do not sort correctly. This is due to a
simple typo in the comparison line where the bad key 'timstamp' is
compared against the correct key 'timestamp'.
Test Plan:
1) Check out a decent number of items in a row ( 5+ )
2) Hopefully you will see they are sorted incorrectly
3) Apply this patch
4) Reload the page
5) Note they are now sorted correctly
Followed test plan. Works as expected. Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 8e9f89e92b48f1aac786e9b5608338a14603f52f) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Kyle M Hall [Mon, 4 May 2015 16:50:28 +0000 (12:50 -0400)]
Bug 14142 - Holds queue viewer only displays first subtitle from marc keyword mappings
Despite the point of the Keyword to MARC Mappings being to simplify the
handling and display of repeated values from multiple subfields, the
holds queue viewer will only display the first value found. What it
should be doing instead is displaying all fields that match the subtitle
keyword.
Test Plan:
1) Apply this patch
2) Define multiple Keyword to MARC mappings for the subtitle keyword
3) Place a hold on a record using those subtitle fields
4) View the hold in the holds queue viewer
5) Note that all the subtitles now appear
Signed-off-by:Heather Braum <hbraum@nekls.org>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit d76c9f4850c9ba7605f2c405838f973c70a70b61) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
This is major problem for plack installations with utf-8 encoding.
In this case, we are overriding CGI->new to setup utf-8 flag and
get correctly decoded $cgi->params, and reset syspref cache using
C4::Context->clear_syspref_cache
Test scenario:
1. under plack try to search with utf-8 charactes
2. try to find patron with utf-8 characters
Signed-off-by: Gaetan Boisson <gaetan.boisson@biblibre.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 3cd086b6b6be08d902a479f302ccf18e55de911b) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Marcel de Rooy [Mon, 25 May 2015 09:32:51 +0000 (11:32 +0200)]
Bug 14267: How active is active?
git grep on function active in additem.tt:
koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/additem.tt:function active(n
koha-tmpl/intranet-tmpl/prog/en/modules/serials/serial-issues-full.tt:active([%
koha-tmpl/intranet-tmpl/prog/en/modules/serials/serial-issues-full.tt:function a
koha-tmpl/intranet-tmpl/prog/en/modules/serials/serial-issues-full.tt:
t/Cache.t: unless ( $cache->is_cache_active() && defined $cache );
t/Cache.t: unless ( $cache->is_cache_active() );
Conclusion: active in additem seems to be quite inactive.
Test plan:
Add, edit or delete items and verify that you did not miss active :)
NOTE: The active function has a loop which is always run.
Inside that loop 'ong' would always be defined as some number
concatenated with XX.
Both sides of the if/else reference document.getElementById(ong),
but there is only one occurence of XX in the file: the concatenation!
Similarly, the 'link' logic does not correspond to any of the
id= or name= strings in the file.
koha-tmpl/intranet-tmpl/prog/en/modules/admin/marc_subfields_structure.tt
is the only file with "id=\"link" that matches the logic.
This is likely a cut-and-paste remnant made useless by datatable upgrades
and HTML/CSS class changes.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit f327ebe540103905ccc4d36dcc5275b1b5644be5) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Katrin Fischer [Mon, 25 May 2015 10:13:08 +0000 (12:13 +0200)]
Bug 14269: OPAC: Some template improvements for the full serial history page
- Fix filter labels:
Library : -> Library:
Subscription : -> Subscription:
- Make '(All)' entry in filter pull downs translatable
- Show branch name instead of branchcode in table and filter
To test:
- Verify changes as described above
- Verify filters still work as expected
Followed test plan. Works as expected. Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 5bbea3ea2ca08e7d1b785cdfb90524bb29f553ac) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Marc Véron [Tue, 2 Jun 2015 07:54:15 +0000 (09:54 +0200)]
Bug 14313: OPAC - Adding a comment makes result browser disappear
To reproduce:
- Allow commenting in OPAC (Syspref reviewson)
- Log in to OPAC
- Do a search with many results
- Click on a biblio in result list
- Verify that you can browse the results in detail view ("Browse results")
- Repeat teh search above
- Click on the same biblio as above
- Add a comment (Tab "Comments")
- Close commenting window
- Click on "Next" in result browser
Result: The next biblio is displayed, but result browser has disappeared.
To test:
- Apply patch
- Try to reproduce issue above, verify that result browser does no longer disappear
AMended to remove whitespace chars. / MV
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Bug & solution checked, works well. No koha-qa errors
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 22c5c4b468b3584ed8bf45039c1494e969f2d66b) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Jonathan Druart [Sun, 24 May 2015 16:00:57 +0000 (18:00 +0200)]
Bug 14263: Fix export of item search results when translated
This csv does not use the correct way to display headers.
They should be put in a separate file to get a correct display.
Without this patch, the first line of the generated file contains the
headers + data
Test plan:
1/ choose a language and update + translate the templates
for instance:
cd misc/translate;
./translate update es-ES; ./translate install es-ES
2/ Go to the item search form using this language
3/ Launch a search and select CSV to display the results.
The CSV headers should be correct
Signed-off-by: Frederic Demians <f.demians@tamil.fr>
Seen the bug. Works as described.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit ece2b02a57fdb692c02f00540df436af1f5ba971) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Jonathan Druart [Tue, 28 Apr 2015 10:52:36 +0000 (12:52 +0200)]
Bug 12320: Remove deprecated construct to delete cookie showColumns
$.cookie('foo', null);
is deprecated and should be replaced with
$.removeCookie('foo');
This patch replaces the occurrences for the "showColumns" cookie.
Before this patch, there was a bug on the batchmod tools.
To reproduce the issue:
1/ Go on the Batch item modification tool
2/ Fill the textarea with barcodes and submit
3/ Click on some column names (to create the cookie)
4/ Click on 'Show all columns" (to set the cookie to null)
5/ Don't submit and repeat steps 1 & 2
6/ You should see a js error:
Error: Syntax error, unrecognized expression: :nth-child
...break;q=a}return s},m.error=function(a){throw new Error("Syntax error, unrecogni...
Test plan:
Confirm the issue has gone away and there is no regression on the column
selection
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
No js error, no regressions, no errors
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 0fa0297d7da7af6a9f4cd82b34ac86018391289f) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Jonathan Druart [Tue, 28 Apr 2015 10:52:00 +0000 (12:52 +0200)]
Bug 12320: Remove deprecated construct to delete cookie holdfor
$.cookie('foo', null);
is deprecated and should be replaced with
$.removeCookie('foo');
This patch replaces the occurrences for the "holdfor" cookie.
Test plan:
1/ Search for a patron
2/ On the patron detail page, click on "search to hold"
3/ Search for records
4/ On the results page, click on "Place hold" > "Forget PATRON"
5/ Reload the page.
6/ The "Place hold" button should not contain the patron anymore
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Works as described, no errors
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 04f5e7d4e7db833c18afe27a4dc4fd5b66b41099) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Jonathan Druart [Wed, 29 Apr 2015 10:59:23 +0000 (12:59 +0200)]
Bug 5010: Fix - replace tab with spaces
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com> Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
No errors.
Tested what I can, not plack/shibboleth/cas
Perhaps this can pass and we can fix any problem later (for 3.22)
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 3b4c4a486133882d435369c264dc7b74b5e769f6) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
projects / koha.git / log