Owen Leonard [Mon, 24 Jun 2024 14:46:36 +0000 (14:46 +0000)]
Bug 37150: Can't delete single title from a list using the "Remove from list" link
In the OPAC display of titles on a list, the "Remove from list" control
needs to trigger a POST operation instead of GET. This patch
appends a form for handling single entry deletions, populating
the hidden input upon confirmation.
To test, apply the patch and create a list if necessary, adding multiple
titles to it.
- View the contents of your list.
- Each title on your list should have a "Remove from this list" link.
- Click one of these. You should see a modal confirmation, "Are you
sure you want to remove this item from the list?"
- Confirming should delete the title form the list.
- Check multiple checkboxes in the list of titles and click "Remove
from list" at the top of the list.
- You should see a modal confirmation, "Are you sure you want to
remove these items from the list?"
- Confirming should result in all checked titles being removed
from the list.
- Check one or more checkboxes and then click a single "Remove from
list" link. After confirming, you should find that only the one
title was removed from the list.
Sponsored-by: Athens County Public Libraries Signed-off-by: Eric Garcia <cubingguy714@gmail.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit ace488e50f67dfa0986c3dba3e9b85c911539ac1) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Phil Ringnalda [Thu, 27 Jun 2024 03:19:21 +0000 (20:19 -0700)]
Bug 37197: Reports option to send to batch patron modification needs to use POST
When you have an SQL report that selects cardnumber from borrowers, you
get a menuitem to send the results to Batch patron modification. Currently
that fails with a message about no card numbers or borrowernumbers given,
because it tries to do a GET with the op show, when modborrowers.pl is
expecting a POST with the op cud-show.
Test plan:
1. Without the patch, Reports - Create from SQL - name it and paste
select cardnumber from borrowers
in the SQL textarea and save, then Run report.
2. Above the results is a "Batch operations with 20 visible records" menu,
choose Batch patron modification
3. Note that instead of modifying the records, you're stuck with a message
saying "No patron card numbers or borrowernumbers given." even though
there's a whole string of them in the URL.
4. Apply patch, refresh the page with the results (oddly, no apparent need
to even restart_all), and choose the menuitem again, but this time with
a successful result.
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit a85086d8278b3c0b5ad578c3af7b0e70637a47be) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Bug 32530: When duplicating child card, guarantor is not saved
When duplicating a child card with a guarantor, the guarantor information
appears during the card creation process, but disappears as soon as saving
the card. To recreate:
1. Find a card with a guarantor, either patron or non-patron guarantor.
2. Duplicate the card. Note that it appears to be working on the card
creation screen.
3. Save the patron after completing the form. The guarantor is now gone.
New test plan:
1. Find a card with a guarantor, either patron or non-patron guarantor.
2. Duplicate the card. Note that it appears to be working on the card
creation screen.
3. Save the patron after completing the form. The guarantor is now gone.
Apply patch and repeat, the guarantor should stay after 3.
Note, I may not have understood the code but it looks like nothing is
searching for the content of the displayed information. Therefore I add
hidden fields that are copies of those provided in guarantor_template
class
Signed-off-by: Emmi Takkinen <emmi.takkinen@koha-suomi.fi> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit b64a3ce9ba376f7b0a5a2e5714f1147afd012ade) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Nick Clemens [Fri, 12 Jul 2024 14:00:49 +0000 (14:00 +0000)]
Bug 37339: Set messaging preferences from default on self registration
The change on bug 30318 prevented setting the default messaging preferences when none were passed.
Self registration relied on this for setting borrower preferences from the defaults.
This patch removes the call to handle_form_action and replaces it with a call to:
SetMessagingPreferencesFromDefault
To test:
1 - Ensure self registration is enabled
2 - Set default messaging preferences for the self registration category
3 - Self register a patron from the OPAC, confirm defaults not set
4 - Apply patch, restart all
5 - Self register a patron
6 - Confirm defaults have been set
7 - Enable PatronSelfRegistrationVerifyByEmail
8 - Self register a patron on OPAC with an email
9 - Find the email and grab the verification link (unless you have emails enabled)
SELECT * FROM message_queue;
10 - Visit the link and confirm registration
11 - Confirm messaging defaults are set
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 2accac5fd9a210c9aa0107c47522c7393b257c8c) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
1) Add circulation rules for a specific library
2) Attempt to remove one of those library specific rules -> get redirected to 'All'
3) Notice the rule for that specific branch is still there
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com> Signed-off-by: Emmi Takkinen <emmi.takkinen@koha-suomi.fi> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 72fd2c580d3bb9e2dce62cff602d93bab401eb4b) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Phil Ringnalda [Thu, 19 Sep 2024 04:01:56 +0000 (21:01 -0700)]
Bug 37961: Inventory problem resolution fails by POSTing without an op or csrf_token
After you upload a file or textarea of barcodes to inventory, the next step is
a list of the things that were missing, with checkboxes to check when you find
them, and buttons to Mark seen, which send a POST to
/cgi-bin/koha/tools/ajax-inventory.pl without an op param (since it doesn't
have an $op) and without a csrf_token, so the POST fails with a 403.
Test plan:
1. Without the patch, Cataloging - Inventory - in Item location filters
set Library to Centerville, Shelving location to Audio visual, Collection
code to Reference, and in Optional filters for inventory list or comparing
barcodes set Last inventory date to today.
2. Click Submit, and you'll have a table of 23 items. Check the checkbox for
the first item, click Mark seen and continue
3. What was supposed to happen was that you would be taken to the next
page, but instead you are still in the same page, and if you had the
browser console open, you would have seen that you sent a POST to
ajax-inventory.pl, and got a 403 error in response
4. Apply patch, restart_all
5. Repeat step 1 and 2, this time getting to the second page. Check the
checkboxes for the last two items, and click Mark seen and quit
6. Repeat step 1 and click Submit. You should now have only 20 items, since
the three you checked now have a Last inventory date of today.
Yeah, when you did Mark seen and continue they ought to have been removed from
the list, I agree. I had to go back to 23.11.x and make sure that was really
how it was supposed to function, but that is the existing behavior. Even
though they get marked as seen, nothing changes about your list until you quit
and go back to it. Maybe because then something that wasn't on the current
page would have moved there. Another bug.
Sponsored-by: Chetco Community Public Library Signed-off-by: Sonia Bouis <sonia.bouis@univ-lyon3.fr> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 801fa43c7cecd8e310f77a51e03ebeec3677015e) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Bug 37536: Update conditional to check for 'cud-saveitem'
In additem.pl and additem.tt all instances of 'saveitem' have been updated to 'cud-saveitem'
The javascript needs to be updated in the same way.
Test plan:
- Make sure acqcreateitem is set to "when placing an order"
- Create a basket with some orders
- Close the basket
- Go to your vendor and receive an order
- On the receive page, try to edit your item
=> Without the patch, the pop up page will open and then close, not allowing the item to be edited.
=> With this patch applied you will see the item edit form. Save and
confirm that the parent window is updated with the new value (actually
it's refreshed)
QA notes:
1. git grep 'saveitem'
2. Notice all instances in additem.pl and additem.tt have been updated to 'cud-saveitem'
3. Notice cataloging_additem.js checks if op != 'saveitem'
4. Check the files and verify the change makes sense
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e6b2b342d2ee06bdac05d829a96dc942a2534ebc) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
When you click on a cell in the Item circulation alerts table, the page sends
a POST to /cgi-bin/koha/admin/item_circulation_alerts.pl without including a
csrf_token, which gets back a 403 error because that's sketchy behavior. It
needs to include the token.
Test plan:
1. Administration - Item circulation alerts
2. Open the browser devtools to the console
3. Click on any green table cell
4. It should have turned red, but instead your console turned red with a 403
5. Apply patch, reload
6. Click on any green table cell, it will turn red
Sponsored-by: Chetco Community Public Library
https://bugs.koha-community.org/show_bug.cgi?id=37959 Signed-off-by: Jan Kissig <jkissig@th-wildau.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Jonathan Druart [Thu, 19 Sep 2024 07:13:21 +0000 (09:13 +0200)]
Bug 37947: (bug 37429 follow-up) Fix addbiblio and frameworkcode="Default"
On bug 37429 we reordered the global var to assign them before anything
else. The logic is correct except for $frameworkcode, we want to do some
processings (like defaulting to "" if eq "Default") BEFORE we retrieve
the MARC structure ($tagslib, $usedTagsLib).
This patch also moved this code after get_template_and_user (and so
authentication), like it should be everywhere.
Test plan:
1. Go to Cataloging
2. Click on New from Z39.50/SRU
3. Make a search in the library of congress server for anything (Caroline searched for author: shakespeare)
4. Click on one of the results and choose Import
Without this patch the basic editor appears, but not the record
With this patch applied the bug is fixed and you can edit the record
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit dffc8cdd2ca85ac919fa8ca3fef3361d1116317c) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Jonathan Druart [Tue, 31 Oct 2023 08:00:11 +0000 (09:00 +0100)]
Bug 35191: Make entries per page configurable for items table on staff detail page
The new API driven items view defaults to 20 per page. This is a bit low, it would be great if it could be configurable to a higher value per the table configuration.
Test plan:
1. Apply this patch
2. restart_all (memcached restart is required)
3. Go to Administration > Table settings
4. Catalogue > holdings_table | otherholdings_table
=> Notice the new "Default display length"
5. Select something else than 20
6. Go to the detail page of a record with lot of records
=> Notice that the default value defined in the settings is used.
Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 8e211a1fefa13e54ea01f38fdfe972f1cd603fc7) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Nick Clemens [Fri, 14 Jun 2024 18:02:02 +0000 (18:02 +0000)]
Bug 37055: Check count of holds, not if defined
To test:
- enable WaitingNotifyAtCheckout
- have or create a waiting hold for a patron
- check out an item to a different patron who does not have a waiting hold
- Koha says "This patron has waiting holds that are available for checkout"
- Apply patch
- Reload patron (click 'Checkout' tab)
- Check out an item - no warning
- Find the patron with waiting hold
- Check out an item - warning
- Checkout the waiting item - no warning
Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org> Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit b5f122696cc40aee33830cdf7ab1da20fa4e7b66) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Bug 37375: Fix holdings table not loading if MARC framework is missing certain 952 subfields
When you've catalogued a record with MARC framework that is for some reason missing
certain 952 subfields (8, a, b, c, or y), holdings table is no longer loading but
stuck in the "Processing..." loader.
To test, open Koha in two browser tabs:
IN TAB 1 (framework configuration):
1. Create a new MARC framework "TEST", based on the default MARC framework
IN TAB 2 (record view):
2. Create a new record using MARC framework "TEST"
3. Add an item to the newly created record
4. Observe item visible on the record's holdings list
IN TAB 1 (framework configuration):
5. Delete all 952 subfields in framework "TEST" except: 8, a, b, c, y
IN TAB 2 (record view):
6. Refresh page
7. Observe item visible on the record's holdings list
8. Open your browser's console for upcoming error messages
IN TAB 1 (framework configuration):
9. Delete subfield <FIELD> in framework "TEST"
IN TAB 2 (record view):
10. Refresh page
11. Observe error "Uncaught TypeError: <NAME> is undefined" (Firefox)
(or Cannot read properties of undefined (reading 'str') (Chromium))
12. Apply patch
IN TAB 2:
13. Refresh page
14. Observe item visible on the record's holdings list
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 4c93ed758f95af0d5e06d3125ae3c6f19f937a6a) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 6bcc82815d727ee0d6faa94aa42a86909e5d9a57) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Emily Lamancusa [Tue, 6 Aug 2024 20:12:51 +0000 (16:12 -0400)]
Bug 37587: Fix priority of multiple item-level holds
The rank parameter is passed per biblio record, not per item. When
placing multiple item-level holds on one bib record, only $rank[0] is
defined.
To test:
1. System preference and circulation rule setup
i. Set the system preference DisplayMultiItemHolds to Enable
ii. Edit the default circulation rule to allow 5 holds per record
2. Find or create a bib with 4 or more items
3. Place several bib-level holds
4. Place 4 or more item-level holds at once on that same record
i. Search for a patron to place the holds for (not one of the
patrons you used in step 3)
ii. Select "Hold a specific item"
iii. Check the checkboxes for 4 or more items
iv. Click Place hold
--> Note that one of the new item-level holds is at the end of the list
as it should be, but the rest are out of order
5. Cancel the item-level holds from step 4
6. Apply patch and restart_all
7. Repeat step 4
--> All the new item-level holds are now at the end of the list
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl> Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e1517fc8c8d7c70a5d20004dc7c8c260c1183828) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Nick Clemens [Tue, 17 Sep 2024 12:14:23 +0000 (12:14 +0000)]
Bug 37483: Use cud-list for extend due dates tool
This patch switch the check in the script to 'cud-list' - we use the same form
submission if listing for preview or directly updating dates, so this may or may
not be a cud- action - assuming it is restores script functionality.
See bug 37941 for updating forms to not share actions
To test:
1 - Checkout some items to patrons of at least two libraries
2 - Tools -> Batch extend due dates
3 - Select nothing except 'preview' and submit
4 - Blank screen
5 - Apply patch, repeat
6 - It works!
7 - Filter by library and confirm it still works
8 - Sign off!
Signed-off-by: Janusz Kaczmarek <januszop@gmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit b2e396f08da6ebcaa23af0e9db29c68543cabfe5) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Jonathan Druart [Wed, 28 Aug 2024 10:18:06 +0000 (12:18 +0200)]
Bug 37720: Prevent XSS in label creator
Because labels/label-edit-batch.pl fills a DataTable with things that include
a link created by C4/Creators/Lib.pm, it outputs them with the $raw filter,
so HTML in author/title/callnumber is executed in the label batch editor.
While we wait for a fix that moves the link creation into the template and
out of C4, encoding HTML in Lib.pm for the bits going into the link, and
switching from $raw to the html filter for the rest of the things, will at
least get rid of the XSS.
Test plan:
1. Without this patch, but with the patch from bug 37654 so you don't get
alert()s in batch import, download attachment 170675 [details]
2. Cataloging - Stage records for import - browse to the downloaded file -
Upload file - when the upload finishes Stage for import - when staging
finishes View batch (get alert()s if you didn't apply bug 37654) - Import
this batch into the catalog
3. Once the import finishes, Cataloging - Manage staged records
4. In the row for your import, in the # Items column, click "(Create label
batch)"
5. In the "Label batch #n created" message, click the link to the batch #
6. Because the batch includes a call number with an open <script>, you'll
get XSS alert()s and then one about something going wrong while loading
the table, with only one of the two records showing in the batch editor
7. Apply patch, restart_all
8. Cataloging - Label creator - Manage Label batches
9. In the row for your batch, click Edit
10. You will see both labels, with their attempts at XSS visible as text
rather than being interpreted as HTML
Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Jonathan Druart [Wed, 28 Aug 2024 10:18:06 +0000 (12:18 +0200)]
Bug 37720: Prevent XSS in label creator
Because labels/label-edit-batch.pl fills a DataTable with things that include
a link created by C4/Creators/Lib.pm, it outputs them with the $raw filter,
so HTML in author/title/callnumber is executed in the label batch editor.
While we wait for a fix that moves the link creation into the template and
out of C4, encoding HTML in Lib.pm for the bits going into the link, and
switching from $raw to the html filter for the rest of the things, will at
least get rid of the XSS.
Test plan:
1. Without this patch, but with the patch from bug 37654 so you don't get
alert()s in batch import, download attachment 170675 [details]
2. Cataloging - Stage records for import - browse to the downloaded file -
Upload file - when the upload finishes Stage for import - when staging
finishes View batch (get alert()s if you didn't apply bug 37654) - Import
this batch into the catalog
3. Once the import finishes, Cataloging - Manage staged records
4. In the row for your import, in the # Items column, click "(Create label
batch)"
5. In the "Label batch #n created" message, click the link to the batch #
6. Because the batch includes a call number with an open <script>, you'll
get XSS alert()s and then one about something going wrong while loading
the table, with only one of the two records showing in the batch editor
7. Apply patch, restart_all
8. Cataloging - Label creator - Manage Label batches
9. In the row for your batch, click Edit
10. You will see both labels, with their attempts at XSS visible as text
rather than being interpreted as HTML
Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Phil Ringnalda [Thu, 15 Aug 2024 22:41:18 +0000 (15:41 -0700)]
Bug 37655: Basic editor needs to HTML-escape the bib record title used as a heading
We stick the title of a bib record you are editing in the basic editor into
an <h1> without escaping any HTML it might contain. We should instead escape
it.
Test plan:
1. Without the patch, search for any record in the catalog and click Edit
record (if you are in the advanced editor, switch to the basic one)
2. Tab 2, Field 245, Subfield a, paste <script>alert('boo ❤')</script><h2>
at the end of the subfield
3. Save, then from the record detail page select Edit - Edit record
4. You will have gotten an alert(), and the entire form will be the size
of an <h2>. That's ugly, so go back to the detail page.
5. Apply patch, restart_all
6. Edit - Edit record
7. Now you should not get an alert, the whole title inluding the <script>
should display in italics, and the "(Record number nnn)" after it should
not be italicized.
Signed-off-by: David Cook <dcook@prosentient.com.au>
Phil Ringnalda [Fri, 16 Aug 2024 04:22:12 +0000 (21:22 -0700)]
Bug 37656: XSS in Advanced editor from Z39.50 search results
The Advanced editor inserts data from Z39.50 results into the search results
page without escaping HTML. Whether it's German records with "<<A>> Title"
or someone with a compromised catalog or a book with the title "<em> for
emphasis" it shouldn't.
Test plan:
1. Not a dependency, but you'll avoid getting even more alerts while batch
importing by starting with the patch from bug 37654
2. Without this patch applied, download attachment 170421
3. Administration - set the preference EnableAdvancedCatalogingEditor to
Enable
4. Cataloging - Stage records for import - browse to the downloaded file -
Upload file - Stage for import
5. Once the background job finishes, View batch (getting alerts if you
didn't apply the patch from bug 37654) - Import this batch into the
catalog
6. When the import finishes, Search the catalog for script, on the imported
record Edit record (if you wind up in the basic editor, Settings - Switch
to Advanced editor)
7. In the left sidebar below the search inputs, click Advanced », check
the checkbox for Local catalog and uncheck any others, then search for
the Title script
8. You'll get five alerts, and the word "edition" displayed in huge text
9. Close the search popup, apply patch, shift+reload the advanced editor
page to clear your cache
10. Repeat step 7, but this time you won't get any alerts, and you'll see
the title and the other <script> inclusions.
Sponsored-by: Chetco Community Public Library Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Phil Ringnalda [Fri, 16 Aug 2024 02:57:42 +0000 (19:57 -0700)]
Bug 37654: XSS in Batch record import for Citation column
Viewing a staged MARC record batch loads a DataTable from
/tools/batch_records_ajax.pl, and both batch_records_ajax.pl and the
DataTable just trust the author/title/isbn/issn to be free of HTML. They
shouldn't.
Test plan:
1. Without this patch applied, download attachment 170418, then Cataloging
- Stage records for import - Select the downloaded file - Upload file -
Stage for import
2. When the background job completes, View batch - you'll get three alert()s
from the title, author, and ISSN, and the author and ISSN displayed huge
3. Apply patch, restart_all
4. Manage staged records - click HTMLescapingimporttestrecord.mrc - get zero
alerts and no <h2> display
Sponsored-by: Chetco Community Public Library Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
David Cook [Tue, 20 Aug 2024 00:54:38 +0000 (00:54 +0000)]
Bug 37681: Fix XSS in staff interface item URLs on detail page
This patch uses Javascript objects and safe sinks to prevent XSS
in the item URLs on the staff interface detail page.
It also makes sure those URLs don't get double-escaped. Yippee!
Test plan:
0. Apply the patch
1. Add/edit an item with the following URL:
http://prosentient.com.au?q=http%3A%2F%2Fprosentient.com.au
2. Add/edit a different item with the following URLs:
http://prosentient.com.au?q=http%3A%2F%2Fprosentient.com.au |
http://prosentient.com.au?q=http%3A%2F%2Fprosentient.com.au
3. Go to the staff interface detail page
4. Notice that the URLs are not double-encoded!
5. Try out a malicious payload (talk to QA/security about this)
6. Confirm that the malicious payload fails to execute the XSS
7. Celebrate!
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Bug 13342: Not logged user can place a review/comment
We are able to comment a notice even when no user is connected
To test
1. Log in to OPAC.
2. Find a Biblio and open the comments tab.
3. Open another tab/window, and log out from the account.
4. Return to the first tab.
5. Click "Post your comments on this title."
--> We are able to post a comment
6. Apply the patch
7. Repeat step 1, 2, 3, 4, 5
--> You should be redirected to the login page.
Signed-off-by: David Cook <dcook@prosentient.com.au>
Bug 13342: Tidy
Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Julian Maurice [Tue, 14 May 2024 07:34:31 +0000 (09:34 +0200)]
Bug 36598: Add comments asking to keep both CSRF checks in sync
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Julian Maurice [Tue, 14 May 2024 07:15:50 +0000 (09:15 +0200)]
Bug 36598: Prevent use of unsafe HTTP method with non-cud op parameter
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Julian Maurice [Mon, 13 May 2024 13:06:04 +0000 (15:06 +0200)]
Bug 36598: Improve documentation and error message in CSRF plugin
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Julian Maurice [Fri, 3 May 2024 07:17:37 +0000 (09:17 +0200)]
Bug 36598: Fix CSRF header name (underscore -> hyphen)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Julian Maurice [Mon, 15 Apr 2024 07:08:48 +0000 (09:08 +0200)]
Bug 36598: Prohibit CUD operations with safe HTTP methods (GET/HEAD/...)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Julian Maurice [Fri, 12 Apr 2024 13:08:17 +0000 (15:08 +0200)]
Bug 36598: Enable CSRF protection for Mojolicious apps
Test plan:
1. Run bin/opac daemon -l http://*:3001/
2. Go to http://localhost:3001/cgi-bin/koha/opac-user.pl
3. With browser devtools, locate csrf_token hidden input within the
login form and remove it or modify it
4. Try to submit the form with correct credentials, it should fail
("Wrong CSRF token")
5. Reload the page, try to log in normally without modifying the DOM, it
should succeed
6. Run bin/intranet daemon -l http://*:3002/
7. Go to http://localhost:3002/cgi-bin/koha/mainpage.pl
8. With browser devtools, locate csrf_token hidden input within the
login form and remove it or modify it
9. Try to submit the form with correct credentials, it should fail
("Wrong CSRF token")
10. Reload the page, try to log in normally without modifying the DOM,
it should succeed
11. Run prove t/db_dependent/mojo/csrf.t
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Nick Clemens [Fri, 30 Aug 2024 12:47:07 +0000 (12:47 +0000)]
Bug 37775: Remove delayed commits from update_totalissues.pl and add progress option
This patch removes setting AutoCommit to 0 and commiting only every X records.
Instead we commit as we go and report progress using a parameter.
Bug 36474 reduced the numebr of changes that are being committed, so this should be a reasonable change. The
use of commits without transactions was causing problems if the library was active while the script ran.
To test:
1 - perl misc/cronjobs/update_totalissues.pl -c
2 - Script runs, but with unknown parameter
3 - perl misc/cronjobs/update_totalissues.pl -p 10
4 - Script runs and reports every 10 records
5 - per; misc/cronjobs/update_totalissues.pl
6 - Script runs and reports every 100 records by default
Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit dba9dd405339691a8671c243518f16cb20f4777f) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Nick Clemens [Mon, 1 Apr 2024 15:00:34 +0000 (15:00 +0000)]
Bug 36474: Don't update records when total issues has not changed
This patch adds a new check in UpdateTotalIssues to check that we are changing the number
of total issues before calling ModBiblio
To test:
0 - Enable CataloguingLog
1 - Checkout an item
2 - Run : misc/cronjobs/update_totalissues.pl --use-stats --commit=1000 -v
3 - In report, note all biblios were updated
4 - Check action_logs - note a new entry for every biblio
5 - Apply patch
6 - Repeat
7 - Note no biblios reported updated
8 - Note no new cataloguing log entries
9 - Checkout the item again
10 - Run again
11 - Note biblionumber has updated count in verbose output
12 - Note report only rpeort 1 biblio modified, the rest only processed
13 - Only one line added to action_logs
14 - Run it again
15 - Confirm no updates
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit d7b36d7f692420a5b67dee88ce78529ce7509413) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Nick Clemens [Wed, 28 Aug 2024 13:28:35 +0000 (13:28 +0000)]
Bug 36474: Unit tests
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 1c875b01572d81c8f1fedd73e4399d0535f44f97) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
CJ Lynce [Tue, 10 Sep 2024 18:12:04 +0000 (18:12 +0000)]
Bug 37873: [24.05.x] Unable to delete user from routing list or preview/print routing list slip
This patch restores the ability to delete a recipient from a serials routing list.
It also fixes the slip preview when using the "Save and preview slip", and removes
the koha staff intranet head from the slip when using 'Print list' from the
Serial collection information screen.
To test:
1) Login to the staff client.
2) Open the Serials module.
3) + New subscription to add a new serial.
4) Create a new subscription.
a) Search for a record (I searched for 'dog') and chose that record.
b) Under 'When receiving this serial', select 'Create an item record'
c) Under the 'Item type' dropdown, select anything.
d) Click Next -> (and confirm the popup).
e) Select any 'First issue date'.
f) Select any 'Frequency'.
g) Enter a number larger than 5 in the 'Subscription length'.
h) Select any 'Subscription start date'.
i) Select your favorite numbering pattern.
j) Verify your prediction pattern using "Test prediction pattern".
k) Click "Save subscription".
5) On the 'Subscription details' screen, click "Receive".
6) Under the first volume, click "Add item" then "Save".
7) Repeat step 6 to receive one more issue.
8) On the 'Serial collection information' page click "+ Create routing list"
9) Click "+ Add recipients".
10) Search for and add several recipients.
11) Click "Close" to exit the 'Add recipients' page.
12) Click "Delete" next to any recipient.
*Note that the recipient is not deleted.
13) Click "Save" on the 'Modify routing list for ...' page.
14) Click "Save and preview routing slip" button.
*Note you are redirected to the Subscription details page, but no routing
slip preview appears.
15) Click "Serial collection" from the left-side menu.
16) Click "Print list" on either of the issues you previously received.
*Note the routing slip includes the staff intranet header, menu, etc.
17) Apply patch.
18) Return to the 'Serial collection information' screen for your subscription.
19) Click "Edit routing list".
20) Repeat steps 12-16 and verify the issues are fixed.
-"Delete" button works to remove a recipient from a list.
-"Save and preview routing list" button pops-up a preview before redirecting.
-"Print list" pops-up a vanilla routing list to print.
Sponsored-by: Westlake Porter Public Library Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Julian Maurice [Fri, 6 Sep 2024 09:02:30 +0000 (11:02 +0200)]
Bug 37763: (QA follow-up): Tidy
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 0e359a5981f672aa49f5c44ef5e28e4281547347) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
CJ Lynce [Wed, 28 Aug 2024 18:45:24 +0000 (18:45 +0000)]
Bug 37763: Do not show SQL report editor after 'Update and run'
This patch corrects an error where the SQL editor screen would appear
after the report results when using 'Update and run SQL' when editing
reports.
This also corrects a related issue where the saved_sql.id of the report
would be repeatedly appended to SQL code when using 'Update and run
SQL'.
To test:
1) Login to staff client
2) Navigate to Reports -> Create from SQL
3) Create a short report (SELECT * FROM items), name it and SAVE it.
4) On the resulting "Edit SQL report' page, click 'Update and run SQL'
5) See the report runs, but at the 'Edit SQL report' screen shows at the
bottom.
6) Apply Patch
7) Return to Reports -> Saved Reports and Edit the report you created.
8) On "Edit SQL report' page, click 'Update and run SQL'
9) Verify that the report runs, but the 'Edit SQL report' section is
gone.
Sponsored-by: Westlake Porter Public Library Signed-off-by: Sam Sowanick <sam.sowanick@corvallisoregon.gov> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit bd79cbd858cb91a2e696a37922438d74e9c4a4e2) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Owen Leonard [Tue, 9 Jul 2024 18:40:33 +0000 (18:40 +0000)]
Bug 36276: Fix editing of identity provider and domains
This patch fixes identity_providers.pl to remove the "cud-" prefix for
two operations which are not POSTed: editing identity providers and
editing domains.
To test, apply the patch and restart services.
- Go to Administration -> Identity providers.
- If necessary, create an identity provider and then click "Manage
domains" -> New identity provider domain to create a new domain.
- From the list of domains, click "Edit"
- The edit form should appear with all the correct details prefilled.
- Check that the page title, breadcrumbs, and page header all show the
correct domain.
- Make a change to the domain and confirm that the changes are saved.
- From the list of identity providers, click "Edit"
- This form should also load correctly.
- Submitted changes should be saved correctly.
Sponsored-by: Athens County Public Libraries Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 32578e4f724d56ebb8905f6523b665026eea8e7a) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Lucas Gass [Mon, 26 Aug 2024 20:11:48 +0000 (20:11 +0000)]
Bug 37551: (24.05.x) Only delete price when there is already an itemprice
To test:
1. Have a mrc file with some different prices. In my case I am using the mrc file attached here with different price values in the 975$p and 975$a
2. Set the MarcFieldsToOrder to "price: 975$p" and MarcItemFieldsToOrder to "price: 975$a"
3. In Acquisitions create a new basket > add to basket > from a new file
4. The value from MarcFieldsToOrder (975$p) is always set as the price when it should be the value from MarcItemFieldsToOrder (975$a)
5. APPLY PATCH, restart_all
6. Try steps 1 - 3 again, this time item price should be correctly handled.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Pedro Amorim [Thu, 1 Aug 2024 11:59:58 +0000 (11:59 +0000)]
Bug 37413: Ensure itemnumber is sent
Fix condition to ensure the itemnumber is sent
Signed-off-by: Sam Lau <samalau@gmail.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 99c5e3bae40122bd8e8721aa186292388db9a7d6) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Brendan Lawlor [Wed, 21 Aug 2024 15:52:24 +0000 (15:52 +0000)]
Bug 37542: Fix patron search when dateofbirth is a DefaultPatronSearchField
This patch updates the call to dayjs to use strict parsing for patron search. See https://day.js.org/docs/en/parse/string-format
To test:
1. Create a patron with dateofbirth 1994-07-27
2. Add dateofbirth to DefaultPatronSearchFields
3. In patron or checkout search, type a cardnumber like '2908800092528'
4. Note the patron with that birth date is found in autocomplete
5. Apply patch and restart_all
6. Repeat step 3 and notice the patron is no longer found
7. In patron or checkout search, try searches using a formatted date
8. Confirm searches for '07/27/1994' and '1994-07-27' find the patron
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 764162cd6dc7c74a7028128d3d94ebc0eb5e90b0) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Jonathan Druart [Thu, 11 Jul 2024 14:37:19 +0000 (16:37 +0200)]
Bug 31921: Include the modal code from acquisitions-toolbar.inc
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 8619598d3b9b9b1db68d9f39d2cd84df8fbb0ea8) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Sam Lau [Tue, 9 Jul 2024 15:20:57 +0000 (15:20 +0000)]
Bug 31921: Add confirmation modal when deleting a vendor
This patch adds a new modal for confirming vendor deletion. It fixes
the previous functionality, showing a confirmation modal for each
vendor and appropriately handling the response.
To test:
1) Visit Acquisitions home. Under where it says 'Manage orders', click
the search bar to bring up the list of vendors.
2) Add a few vendors by clicking 'New' and 'Vendor'. After this, go back
to the vendor search so that all the vendors are showing.
3) For each vendor, click on 'Delete vendor' and ensure the modal shows
properly.
4) Attempt to delete one of the vendors. Go back to the vendor search
and ensure they are deleted correctly.
5) Click on a vendor's name to go their supplier page. Make sure modal
works properly and attempt to delete a vendor from here.
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 81af57344d5efa19eae68acbf110df09b02dcfa2) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
CJ Lynce [Sun, 4 Aug 2024 20:33:51 +0000 (20:33 +0000)]
Bug 37563: Refund, payout, and discount modals in borrower transactions and Point of Sale have broken/bad formatting of values
This patch corrects formatting of amounts in both the POS and member
accounting module Payment, Discount, and Payout modals.
It also corrects an issue where amounts of a previous modal show up
when clicking on the same modal for a different accountline
the member Accounting page.
Finally, it corrects an issue with the member Accounting Discount
modal in that an amount without both decimal places will not
display.
Steps to test:
1) Login to staff client
2) Enable the 'EnablePointOfSale' system preference
3) Enable the 'UseCashRegisters' system preference
4) Open POS module and configure a cash register
5) In the POS module -> 'Configure items for purchase', create some
items with different costs (divisible by .10, e.g 25 or 1.10, etc.))
6) Use the POS module to make a few transactions
7) Open POS -> 'Cash Summary for [BRANCH]', and open your configured
register
8) Click 'Issue Refund' and check the formatting of the paid and
returned to patron numbers
*** Issue A) See that numbers are not formatted with two decimal places
9) Pull up the 'Accounting' tab for a borrower
10) Create at least 3 invoices for different amounts (divisible by .10,
e.g 25 or 1.10, etc.)
11) Pay TWO of your invoices then open the 'Transactions' tab
12) Create a manual credit for an amount (divisible by .10, e.g 25 or
1.10, etc.)
13) Click the 'Apply discount' button on one of your invoices
*** Issue B) No 'Amount charged' appears
14) Click 'Issue refund' for one of the paid invoices.
*** Issue C) The 'Return to Patron' line does not have 2 decimal places
15) Click 'Issue refund' for another paid invoice
*** Issue D) The 'Amount Paid' shows the amount from the first modal
16) Click 'Apply discount' for one of the unpaid invoices
*** Issue E) The 'Amount charged' line is blank
*** Issue F) The discount line is also blank, should at least have a
0.00 value
17) Click 'Issue Payout' for your manual credit.
*** Issue G) The 'Return to Patron' line does not have 2 decimal places
18) Apply patch
19) Repeat steps 7 & 8 and check the formatting is correct for issue A
20) Repeat steps 13-17 and check behavior and formatting is correct
for issues B-G
21) Celebrate that you are done with all the steps and looking at
numbers, and that all is right in the Koha payment world (maybe)
Sponsored by: Westlake Porter Public Library Signed-off-by: Barbara Johnson <barbara.johnson@bedfordtx.gov> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 538c943faa52f1571814642ab5a05a48b689b083) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Laura_Escamilla [Wed, 7 Aug 2024 13:44:36 +0000 (13:44 +0000)]
Bug 37586: Added aria-label for Login icon
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 57dc65bed597507c9b0433edaed5f535d46b7f0c) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Laura_Escamilla [Wed, 7 Aug 2024 13:22:58 +0000 (13:22 +0000)]
Bug 37586: Updated aria-labels for masthead links
Update to my last comment: The Lists aria-label had an accessibility issue as the label did not match the visible text.
New test plan:
Check the OPAC Interface:
* Open the OPAC in a normal-sized browser window.
* You’ll see the text next to the 'Cart', 'Lists', and 'Login' icons clearly.
* Gradually reduce the window size until the text next to these icons disappears.
* Inspect the icon elements. You’ll find that there is no alternative text (like aria-label) provided for 'Cart' and 'Login'. The aria-label for 'Lists' does not match the visible text. It currently says "Show dropdown with detailed list information". This lack of alternative text is an accessibility issue and labels should match visible text.
Apply the Patch:
* Apply the patch
* Restart_all
Verify the Fix:
* Inspect the icons again.
* For the 'Cart' icon, you should see an aria-label attribute with the text "View your shopping cart".
* For the 'Login' icon, you should see an aria-label attribute with the text "Log in to your account".
* For the 'Lists' icon, you should see an updated aria-label attribute with the new text of "Lists".
* These changes will improve accessibility for users relying on screen readers.
Sign Off:
* Sign off and Have an amazing day!
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 8318d27a7d08d6c8667adb0eba7662ab6ac545f4) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Phil Ringnalda [Fri, 9 Aug 2024 22:43:50 +0000 (15:43 -0700)]
Bug 37612: Batch patron modification should accept both cud-show and show ops
Just like with batch item modification, batch patron modification can accept
either a POST of a lot of data, which might be more than Apache's default
URL length limit, or a GET of a little data. Or at least it could, if both
the op 'cud-show' and the op 'show' were accepted. Show isn't doing any
creation or updating or deleting, it just has to be cud-show because it needs
to be able to accept large POSTs. So when it is only getting a little data, it
should be willing to take a GET with op=show just like batch item
modification does.
Test plan:
1. Without the patch, Tools - Patron lists - New patron list - give it a
name and Save
2. Type enough characters in the Patron search input to find a patron (I
like ace for poor often-used Henry Acevedo) and click on a patron in
the list of results
3. Click Add patrons
4. Click Patron lists, and in the Actions menu for your list, choose
Batch edit patrons. Note that the page that loads doesn't show any patrons
or UI to edit them, only a message about "No patron card numbers or
borrowernumbers given."
5. Apply patch, restart_all
6. Repeat step 4, but this time get a page with your patron listed, and a
form to change things about the patron record.
Sponsored-by: Chetco Community Public Library Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit fc5eed80a30c8562078289e5664d8685211f3597) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Paul Derscheid [Wed, 14 Aug 2024 09:24:49 +0000 (09:24 +0000)]
Bug 37643: Check for NaN instead of truthiness if calendar.inc accepts_time
To test:
1) Go to circulation.pl (checking out to a patron)
2) Click the settings in the barcode input
3) Set any due date with the time set to 00:00
4) Note that the picker resets the time to 23:59
5) Apply the patch
6) Repeat 1-3
7) Note that the time (00:00) stays put
8) Sign off
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e96a334aa830aa7f9aacd705d04ba544fd389e8b) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Matt Blenkinsop [Thu, 15 Aug 2024 09:37:10 +0000 (09:37 +0000)]
Bug 37647: Remove Text::CSV_XS import
There is an unnecessary import that has been left over from when KBART file processing logic was being handled directly in the API controller. This patch removes that import as it is no longer needed
Test plan:
1) Look at the patch diff and confirm that the import for Text::CSV_XS has been removed
Signed-off-by: Jake Deery <jake.deery@ptfs-europe.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 3c94b26c662c76792c36b1b8dd5a95411bf05d03) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Pedro Amorim [Thu, 16 May 2024 11:46:08 +0000 (11:46 +0000)]
Bug 36882: Reapply flatpickr to cloned entry
1) Add a patron attribute type:
http://localhost:8081/cgi-bin/koha/admin/patron-attr-types.pl?op=add_attribute_type
2) Make sure its repeatable + is_date
3) Visit overdues:
http://localhost:8081/cgi-bin/koha/circ/overdue.pl
4) Click the 'add' button under the date custom attribute
5) Click on the newly created input, notice the flatpickr pop up doesnt
show
6) Apply patch. Repeat.
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 4c3ef3b69d4660843261669f01a53c4d908ab270) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Owen Leonard [Tue, 21 May 2024 15:09:59 +0000 (15:09 +0000)]
Bug 36907: Add maxlength to OAI set mapping form fields
This patch adds a maxlength attribute to the field, subfield, and value
fields in the OAI set mapping form. This helps prevent an error when the
form data is too long for the database columns.
Unrelated: The patch also adds quotes around two unquoted name
attributes.
To test, apply the patch and go to Administration -> OAI sets.
- If necessary, create a new set.
- Click Actions -> Define mappings.
- Test that each form field is limited correctly:
Field: 3
Subfield: 1
Value: 80
- Test that the form can be submitted successfully with the maximum
number of characters in each field.
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit c3f47091def8b03c9d5d4fbf5329d01d743398f5) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit da5aa7fabad0635535a7b1847ad9e8736414d38c) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Bug 32696: Recalls can inadvertently extend the due date
If an item is due sooner than the recall due date interval then placing
a recall on it can inadvertently extend the book's due date, possibly
causing the recalling patron to receive the item later than they would
otherwise.
Test plan:
=========
1. Turn on recalls with UseRecalls.
2. In circulation rules, set the recall due date interval to 7 days
or any other arbitrary period.
3. Check out an item to one patron & set the due date to be before the
recall due date interval will have elapsed (e.g. the next day)
4. As a second patron, place a recall on the item in question.
5. See that the item's due date is extended to the current date plus
the recalls due date interval.
6. Apply the patch, restart_all;
7. Repeat steps 3. and 4. See that the due date has not been extended.
BTW, the calculation of $due_interval has been changed, because with
the current code and empty 'Recall due date interval' $due_interval
is undefined, despite the intention of the author of the code.
(after calling get_effective_rule $recall_due_date_interval is defined, but
$recall_due_date_interval->rule_value is undefined; the patron gets
a message: '... return the item within days, by ...' - no days count).
Sponsored-by: Ignatianum University in Cracow Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e584b9adcb6fafb96ce77fcd84b68f6f697478f4) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Aleisha Amohia [Tue, 13 Aug 2024 03:07:17 +0000 (03:07 +0000)]
Bug 37623: Make t/db_dependent/Letters.t idempotent
The tests should be unaffected by system preference settings, such as EmailFieldPrimary.
To test:
1. Log into the staff interface
2. Go to Koha Administration -> Global system preferences, and search for EmailFieldPrimary
3. Change the EmailFieldPrimary preference to something other than 'primary email' and 'first valid email address', i.e. any of the following:
4. Run tests t/db_dependent/Letters.t and notice they fail
5. Apply the patch
6. Run the tests again t/db_dependent/Letters.t with different settings of EmailFieldPrimary. The tests should always pass.
Sponsored-by: Pymble Ladies' College Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 0e61e56e5728fc0ed387e9a53f40a6e77e9bc793) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Matt Blenkinsop [Mon, 19 Aug 2024 13:16:00 +0000 (13:16 +0000)]
Bug 37620: Improve cypress test to reduce random failures
This patch makes some improvements to the Infinite Scroll cypress test to try and prevent random test failures
- Fixes X-Base-Count and X-Total-Count for intercepted requests
- Makes element selection more precise
- Adds an intercepted request returning the requrired result for the filtered search
- Awaits this request before selecting an element from the dropdown
- Awaits all 10 requests triggered by typing "License 50" rather than just the first one
- Ensures that the select dropdown is closed between operations by clicking into another field to remove focus from the select dropdown
Test plan:
1) yarn cypress run --spec t/cypress/integration/InfiniteScrollSelect_spec.ts
or
1) yarn cypress open and select the InfiniteScrollSelect test from the Cypress GUI
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 538868d5f5e6c9c98f73dbdefb93a6ae0a186b84) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Eric Garcia [Mon, 8 Jul 2024 17:11:06 +0000 (17:11 +0000)]
Bug 37186: Fixed deletion of rotating collections
To test:
1. Tools -> Rotating collections
2. Create a rotating collection
3. In new collection Actions -> Delete
4. Notice collection is not deleted
5. Apply patch
6. In new collection Actions -> Delete
7. Notice collection is deleted
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 37cb3f35a324678d7af79c7ad9fa179f62a1bb7d) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
This patch makes the tests check for the added exception instead of the
generic DBIx::Class::Exception.
A FIXME was set in place proposing we should throw a Koha::Exception
instead, so removing the FIXME as that's what this patch actually did.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 8da67cec7217c4519fb0a73d33c65e967ecef529) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Johanna Räisä [Fri, 9 Aug 2024 05:58:31 +0000 (08:58 +0300)]
Bug 37591: Fix moredetail.tt performance issue
This patch fixes the performance issue in moredetail.tt by removing the
unnecessary call of checkout_renewals table.
To test:
1. Create lot of checkouts and renewals for a record.
2. Open the moredetail page for the record.
3. Check the timing of the page load.
4. Apply the patch and check the timing of the page load again.
5. The page load should be faster after applying the patch.
Sponsored-by: Koha-Suomi Oy Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 5c41c1c657eba6be37bd8ca4622fdc9eda658fcd) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Sam Lau [Fri, 26 Jul 2024 20:52:19 +0000 (20:52 +0000)]
Bug 37409: Fix 'Edit' button for items in course reserves list
To test:
1) Set the 'UseCourseReserves' sys pref to 'Use'
2) Go to the Course reserves page
3) Create a new course, fill in the required info and make sure the 'Enabled?' is checked
4) Add a reserve to this course
5) From the course details page, select edit on the reserve you just made.
6) Note it brings you back to the add reserves page, and you are required to enter the barcode/biblionumber again to edit
7) Apply patch, restart_all
8) Press the edit button again
9) Now you are directed towards the correct page for editing
10) Make some changes and press save
11) You should be redirected back to the details page and your changes have been made
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 0dad564763e190dd59ed44606ca5af56e526d429) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Bug 37510: Make Koha::Object->delete throw Koha::Exception
This patch makes Koha::Object->delete wrap DBIC exceptions on FK
constraints and throw a Koha::Exception::Object::FKConstraint exception
instead. This will allow us better handling it from the callers.
To test:
1. Apply the unit tests patch
2. Run:
$ ktd --shell
k$ prove t/db_dependent/Koha/Object.t
=> FAIL: A DBIC exception is thrown instead, tests fail
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass!
5. Sign off :-D
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 923dc5e078593f653b075813885bde34531c503e) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 30a5baa70623625d2856450293b00ce34a764cd8) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Jonathan Druart [Thu, 15 Aug 2024 10:21:10 +0000 (12:21 +0200)]
Bug 37429: Set default value for global variables
The global variables needs to be assigned with a default value, or the
value from the previous request will be used.
Global variables are persistent from one request to another, in memory.
This patch:
* groups default value for global variables together
* removes $authorised_values_sth from this list (it is not a global var)
* set $changed_framework to 0 (which fix the issue)
Test plan:
1. Open an existing biblio (detail.pl)
2. Click "Edit record"
3. Change the framework (no need to change any details)
4. Change the framework back to the original one (no need to save anything)
5. Go back to the biblio overview page (detail.pl)
=> The form is populated
Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 8aced236e9360ea6186e0d4c79d77ecd272bdc09) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Phil Ringnalda [Fri, 16 Aug 2024 00:44:20 +0000 (17:44 -0700)]
Bug 37614: Printing patron cards from patron lists should be a GET
There's no creating, updating, or deleting about printing patron cards, and
the only time there's a lot of data (selecting individual patrons in a card
creator batch), it doesn't matter if the "Export selected" URL exceeds the
maxlength for Apache since the actual link to create the PDF also will.
Test plan:
1. Without the patch, Tools - Patron lists - New patron list - Name it and
Save
2. Type three characters in the Patron search form (mar works well) to get
at least three patrons. Click on each of three, then click Add patrons
3. You can only print cards from the list of lists, so back to Tools -
Patron lists
4. In the Actions menu choose Print patron cards, in the popup click Export
5. Watch the throbber spin around for a while (it will never stop), then
close the popup, apply the patch, restart_all
6. Tools - Patron lists - Actions menu - Print patron cards - Export
7. Click the PDF link, make sure it has all three of your patrons
8. Tools - Patron card creator - New - Card batch
9. Without putting anything in the textarea, click Add patrons, in the
search popup search for your three characters (mar) again, and click
the checkboxes to the left of three of the names, then Add selected
patrons, then Close, then Add patrons
10. Click the checkboxes for two of the three patrons, then Export selected
card(s), then Export in the popup
11. Hover the link to the PDF, verify that it doesn't have stray 'amp;'
after the & and before label_id= anymore
12. Click the PDF link, verify it has your two patrons
13. Back at the card batch, click Export card batch, then Export
14. Check the PDF to verify it has all three of your patrons
15. Tools - Patron lists - click your list's name to open it
16. Click the card number for a patron, then the Patron lists tab in Checkout
17. Actions menu - Print patron cards - Export, verify the PDF has all three
patrons
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 0f255728c5101fbc90a1e18f3d6fdda96ed0182a) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Kyle M Hall [Wed, 14 Aug 2024 14:41:35 +0000 (14:41 +0000)]
Bug 37308: (QA follow-up) Tidy code
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 5a06bd0d73d51bbc87a7e4ff210434b8782b90ec) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Pedro Amorim [Wed, 10 Jul 2024 15:07:22 +0000 (15:07 +0000)]
Bug 37308: Add user-agent for SUSHI outgoing requests
Signed-off-by: Belal Ahmadi <belal.ahmadi@uwl.ac.uk> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 8175cccca2f7f28c68445e702ec40c200010211c) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Fridolin Somers [Tue, 6 Aug 2024 12:12:16 +0000 (14:12 +0200)]
Bug 37575: Typo 'AutoCreateAuthorites' in about.pl
Typo in system preference name 'AutoCreateAuthorites' -> 'AutoCreateAuthorit[i]es'
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 4c5425bd2f2aeaf45e4fa185e1590d845ae6453d) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
PerplexedTheta [Mon, 12 Aug 2024 14:26:13 +0000 (15:26 +0100)]
Bug 37593: Removed all instances of 'this this' in the codebase
To test:
a) do a grep for 'this this'
1) notice that there are five matching files
2) notice that all of these instances are in comments, or podfiles
b) apply this patch
c) do a grep for 'this this'
1) notice now that these instances are gone
d) apply these changes to schema.koha-community.org
e) result!
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 2cc520cdeb6782f9370356f1c7a1bb7f78ea1057) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Matt Blenkinsop [Fri, 9 Aug 2024 16:05:55 +0000 (16:05 +0000)]
Bug 37607: Only default to manual form if we are editing
This patch fixes an issue where the form to add a provder would automatically default to the manual form. This patch prevents this behaviour and restores the intended functionality.
Test plan:
1) Don't apply the patch
2) In ERM, click to add a new provider
3) Type something in the provider name search box
4) The input will change from a select to a text input and the button next to it will now say "Create from registry"
5) Apply patch
6) Yarn build and hard refresh the browser
7) Repeat steps 1-3, the form should work as intended and return results in the select box
Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit a73cafda2daf020d41a86e8e80c5da50307ff277) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Sam Lau [Wed, 24 Jul 2024 16:53:25 +0000 (16:53 +0000)]
Bug 37450: Fix 'Close basket' button from list of baskets
To test:
1) In acquisitions, have a vendor with an item (or items) in their basket. Search for this vendor.
2) From the actions column, select the arrow and then press 'Close this basket'
3) Clicking on this option will not close the basket and brings us to the wrong page
4) Apply patch
5) Try to close the basket again, and this time, it is closed successfully
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl> Signed-off-by: Laura_Escamilla <laura.escamilla@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit a55e20e8c1eda4d5545eb7792f08cae26ab72bbf) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Bug 37254: Fix clearing of dropdown values on circulation rules
When one tries to clear the rule they are editing in circulation
rules page via "Clear" button, dropdown selectors aren't populated
with default value (first on the list).
To reproduce:
1. Select a rule to edit.
2. Press "Clear" button to return edit rows values back to default values.
=> Values in dropdowns aren't set back as default, instead they have
same values as rule you edited before pressing "Clear".
3. Apply this patch.
4. Select rule to edit, then press "Clear".
=> Dropdowns now have default values.
Sponsored-by: Koha-Suomi Oy Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Laura_Escamilla <laura.escamilla@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit f1f08f92c52dc92eed71110f1c4d7711148c8b5c) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Andreas Jonsson [Thu, 16 May 2024 07:38:09 +0000 (09:38 +0200)]
Bug 36879: Spurious warning in QueryBuilder
Test plan:
With ElasticSearch enabled,
* Perform a search using the default sort order
(i.e. 'relevance').
* Verify that no warnings are generated in
plack-intranet-error.log
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 347291727dd63cdba508b84336bed4d12efee57d) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Bug 37461: Typo in SMSSendAdditionalOptions description
This patch correct a typo in the SMSSendAdditionalOptions system
preference description.
To test:
1. Apply patch
2. Go to Administration > System preferences
3. Search for SMSSendAdditionalOptions
4. Read the description, make sure there are no spelling or grammar
error
Signed-off-by: Laura_Escamilla <laura.escamilla@bywatersolutions.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 41c455fd5837aef89364100c5e495d2c2019de21) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
1. Apply patch
2. Rerun and make sure the error "Use of uninitialized value $sub6 in pattern match (m//) at /usr/share/koha/lib/Koha/SearchEngine/Elastricsearch.pm" is no longer present.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Initial testing done, it works well, needs an additional sign off from an external party
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit b8049af6b1e2c7de954ffc08e22acc08031fd290) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Owen Leonard [Tue, 4 Jun 2024 17:17:33 +0000 (17:17 +0000)]
Bug 37030: Use template wrapper for breadcrumbs: Cash register stats
This patch updates the cash register statistics template so that they
use the new WRAPPER for displaying breadcrumbs.
To test, apply the patch and test page and its variations.
Breadcrumbs should look correct, and each link should be correct.
- Reports ->
- Cash register statistics
- Results
Sponsored-By: Athens County Public Libraries Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 938053b1cf35e90827354d731704a26b2c3f86c8) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Bug 35235: Make "Koha module" label match the corresponding <select>
Test Plan
1. Go to Tools -> Notices and slips -> New notice
2. Select Acquisition
3. Click on the Koha module label
4. The corresponding drop down field should activate (greyed)
Signed-off-by: Sam Lau <samalau@gmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 9ba523f6b68ea1b7fcc0b9a52bba0518535f698d) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
David Cook [Fri, 2 Aug 2024 02:02:10 +0000 (02:02 +0000)]
Bug 37553: Tidy to make QA tools happy
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 1a747ddcb7645b7eb3bdb042175ff798339e7135) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
David Cook [Fri, 2 Aug 2024 01:49:06 +0000 (01:49 +0000)]
Bug 37553: Consistently send Csrf-Token in request header
This change consistently sends the Csrf-Token in the request header.
Previously, one POST sent it in the request body, while the other POST
sent it in the request header. Since we're using an API, it's best
for us to always send it in the request header
Test plan:
0. Apply the patch
1. perl ./misc/migration_tools/koha-svc.pl \
http://localhost:8081/cgi-bin/koha/svc koha koha 29 > bib-29.xml
2. perl ./misc/migration_tools/koha-svc.pl \
http://localhost:8081/cgi-bin/koha/svc koha koha 29 bib-29.xml
3. Note that the following appears in STDOUT and there is no 403 error:
"update 29 from bib-29.xml"
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit bf427a2947113f73186c5de5f85479306e49daf5) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
David Cook [Fri, 2 Aug 2024 01:37:40 +0000 (01:37 +0000)]
Bug 37553: Use CSRF token for authenicated session for POSTing
This change fixes the Koha::SVC to store the CSRF token for
the authenticated session for further POSTing.
Test plan:
0. Apply the patch
1. perl ./misc/migration_tools/koha-svc.pl \
http://localhost:8081/cgi-bin/koha/svc koha koha 29 > bib-29.xml
2. perl ./misc/migration_tools/koha-svc.pl \
http://localhost:8081/cgi-bin/koha/svc koha koha 29 bib-29.xml
3. Note that the following appears in STDOUT and there is no 403 error:
"update 29 from bib-29.xml"
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit eabd792ee93ce4dd84b36f143ee2ccaa184ed147) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Brendan Lawlor [Fri, 14 Jun 2024 19:11:56 +0000 (19:11 +0000)]
Bug 37077: Fix report mutli-select for zero and single selections
This patch updates the javascript overriding the form submission when reports have multi select parameters.
When there are more than one multi selects, and the user selcts one value from each, it skips updating the value of the select, so it doens't send duplicate parameters anymore.
If there are no selections made it will pass '%' for all values. This allows the multi select to be optional in the report. If no selections are made it is assumed that you are not using that parameter to limit the report.
Test plan:
1. Go to Reports and create a report from SQL
select *
from items
where
homebranch in <<Libraries|branches:in>>
and
itype in <<Item type|itemtypes:in>>
3. Run the report but pick only 1 library and 1 item type
4. Click the "Show SQL code"
5. Notice that the two parameters were filled correctly
6. Run the report again with zero selections
7. Click the "Show SQL code"
8. Notice that the '%' is used for the parameter
9. Run the report again with combinations of single, multiple and zero selections
10. confirm the SQL code is generated as you would expect.
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 6c6982b983381bc6344fff1b7fb6a39bd9af157c) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Pedro Amorim [Mon, 29 Jul 2024 11:23:51 +0000 (11:23 +0000)]
Bug 37509: Check Elasticsearch info for both 'about' and 'sysinfo' tabs
1) Notice 'Elasticsearch:' entry at http://localhost:8081/cgi-bin/koha/about.pl?tab=about is empty
2) Apply patch + restart plack
3) Repeat step 1) Notice it now shows elasticsearch info as expected.
4) Verify that Elasticsearch warning http://localhost:8081/cgi-bin/koha/about.pl?tab=sysinfo is the same before and applying patch.
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 63e560a4323d0695853d4031053a057aa27f6394) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Nick Clemens [Fri, 9 Aug 2024 10:58:23 +0000 (10:58 +0000)]
Bug 37543: (follow-up) Tidy
Tidy the whole thing
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit cf315751cf52aa5e13304dc7bcf99975b1d1acdc) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Rudolf Byker [Thu, 1 Aug 2024 14:14:29 +0000 (16:14 +0200)]
Bug 37543: Use CSRF tokens in connexion_import_daemon.pl
Since version 24.05, due to the changes mentioned at
https://wiki.koha-community.org/wiki/Koha_/svc/_HTTP_API#Changes_coming_in_Koha_24.05 ,
the `connexion_import_daemon.pl` stopped working. The reason for this is that
it did not use CSRF tokens.
To test:
1. Get a Koha instance on 24.05, before applying the patch.
2. Create a plain text file somewhere on the server containing a raw MARC
record (not XML). Let's call it `marc.txt`.
3. On the server, create a config file like this:
```
host: 0.0.0.0
port: 5500
koha: http://localhost:82 # Where 82 is the port of the Koha staff interface.
user: foo # A Koha staff user.
password: Fooo1234 # The Koha staff user's password.
import_mode: stage
```
4. Run `./connexion_import_daemon.pl --config the-config-file-path`
5. In another terminal on the same server (or from anywhere that can reach the
port opened by the `connexion_import_daemon.pl` script,
run `nc localhost 5500 < marc.txt`
6. Observe in the stderr of the daemon script: `Response: Unsuccessful request`
7. Stop the daemon script.
8. Apply the patch and repeat steps 4 and 5.
9. Observe in the stderr of the daemon script:
`Response: Success. Batch number ... - biblio record number HASH(...) added to Koha`
10. Check at /cgi-bin/koha/tools/manage-marc-import.pl for a batch named
`(webservice)`. It should contain one record now. This is how we know that
authentication between the daemon and Koha worked, which is what this
patch tries to address.
Thanks-to: David Cook <dcook@prosentient.com.au> Sponsored-by: Reformational Study Centre <www.refstudycentre.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 0e9ea3c9f5570addf666f2e0b103c09a85d89a72) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
CJ Lynce [Fri, 26 Jul 2024 18:53:37 +0000 (18:53 +0000)]
Bug 37382: Report download is empty except for headers if .tab format is selected
When exporting a report in tab delimited format, the downloaded file
would have the header rows but no data results.
Also, misc files are created on the server file system in koha/reports
with data that should have been in the .tab file.
This patch fixes both of these issues.
To test:
1. Login to staff client
2. Go to Reports and create a report from SQL - sample report
SELECT i.barcode, b.title, b.biblionumber, i.itemnumber
FROM items i
LEFT JOIN biblio b on i.biblionumber = b.biblionumber
WHERE i.itemnumber < 50
3. Run the report
4. Click 'Download'->'Tab separated text'
5. Download file
6. Open file in a text editor or favorite spreadsheet app
File will have headers rows, but no other item data
6a. If able, check the server filesystem in koha/reports
There may be files there related to report data. Remove.
7. Apply Patch
8. Repeat steps 3-6,
File will now have the table data, hooray!
8a. If able, check the server filesystem in koha/reports
No new files should be created.
Signed-off-by: Laura ONeil <laura@bywatersolutions.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 7d0563e1c568609559dab399535641e167a0795c) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Lucas Gass [Thu, 11 Jul 2024 22:11:35 +0000 (22:11 +0000)]
Bug 37337: Pass the save $op when biblio_exists
To test:
1. Go to suggestions in the staff interface and enter a new suggestion.
2. Enter a title that matches something already in the catalog. In k-t-d I used "Lanark".
3. Submit the suggestion.
4. Get a blank page.
5. APPLY PATCH and restart_all
6. Now after step 3 you should get a page that shows the 'Click on "Confirm your suggestion" to ignore this message." warning, the form, and a Confirm your suggestion button.
Signed-off-by: Jake Deery <jake.deery@ptfs-europe.com> Signed-off-by: Jan Kissig <jkissig@th-wildau.de> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 8e7208d7104bef61f45f10e2a3324e445d177094) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Lucas Gass [Thu, 11 Jul 2024 16:12:29 +0000 (16:12 +0000)]
Bug 37192: Adjust template for additem.tt
Test plan:
1. Search the catalog for something that will return results, like Perl
2. On any bib that has at least one item, click Edit items
3. In the Actions menu to the left of any item, choose Print label
4. That opened a popup with a 500 error rather than a label batch editor
5. Apply patch, restart_all
6. Repeat step 3, but this time you'll get a label batch editor with your
item in it.
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e1b78e1e2bf8badb27556eb749fe17c262a654bf) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Lucas Gass [Thu, 11 Jul 2024 16:11:43 +0000 (16:11 +0000)]
Bug 37192: Add ability to pass data-new_tab to form-submit.js and open in new tab
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 4c244df82afa679bd8aa6ce3558e7516b77267cf) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Bug 37496: Restore parameter to limit to details of one item
To test:
1. Find a bib record with more than one item
2. Click on the barcode of an item to show the item details page
--> The item details page shows the details of all items, though it does
jump to the correct item
3. Apply patch
4. Reload the bib record, and click the barcode again
--> The item details page shows only the chosen item, with a link above
to show all items
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 34ac823619f78b61bef718a0467a5d2ca173f617) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Lucas Gass [Tue, 9 Jul 2024 20:19:05 +0000 (20:19 +0000)]
Bug 37294: Add modal to generate next
To test:
1. Serials -> Create or find a subscription
2. Receive the subscription
3. Save
4. Click 'Generate next'
5. Nothing happens
6. APPLY PATCH
7. Try again, now the "Generate next" button should work as expected.
Signed-off-by: Kelly <kelly@bywatersoutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 56cbc1f09295fe84dd67a93f73870e4d0fbeaae4) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Nick Clemens [Fri, 12 Jul 2024 12:40:08 +0000 (12:40 +0000)]
Bug 37342: Use get for launching authority popup
This patch simply switches to a GET as the operation is not cud
To test:
1 - Go to cataloging -> new record
2 - If not in basic editor, switch
3 - Go to tab 100
4 - Enter a name that has no authority in your system: McNotExist, Falsy
5 - Click 'Link authorities automatically'
6 - subfield 9 should turn red, and have an X and a + button
7 - Click the green +
8 - Boom
9 - Apply patch
10 - Reload page and repeat (clear cache so js reloads)
11 - Success! Authority window launches
Signed-off-by: Jake Deery <jake.deery@ptfs-europe.com> Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit d4f4190f91f567b4432c88e5ff8603e8302b0e4d) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 897f4f319b7b855cee2056eaa82d28fedce9006d) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Pedro Amorim [Thu, 25 Jul 2024 15:28:37 +0000 (15:28 +0000)]
Bug 37389: ExtendedAttributes mixin
This is what we're doing here:
- Creating a new mixin called ExtendedAttributes.pm
- Moving the extended_attributes 'join' logic out of REST/Plugin/Query and instead applying it to the aforementioned Mixin. Moving this to this level allows for this consistent behavior to happen on all search queries including, but not limited to, search queries happening on the REST API.
- Applying this Mixin to Patrons and ILL::Requests (we don't apply it to AdditionalFields.pm here yet because no AdditionalFields supporting classes have the extended_attributes accessor yet, I'll tackle this when rebasing 35287)
- The aforementioned mixin does the following:
-- Generates dynamic accessors for extended_attributes e.g. if there is a borrower attribute with code 'height', the 'extended_attributes_height' accessor is generated dynamically if a search with 'prefetch'=>'extended_attributes' AND the extended_attribute.code = 'height' is performed.
-- Rewrites the 'join' entries in the query to have the aliases as above.
-- Rewrites the WHERE conditions to match the above ruleset.
SELECT
`me`.`borrowernumber`
FROM
`borrowers` `me`
LEFT JOIN `borrower_attributes` `extended_attributes_CODE_1` ON (
`extended_attributes_CODE_1`.`borrowernumber` = `me`.`borrowernumber`
AND `extended_attributes_CODE_1`.`code` = ?
)
LEFT JOIN `borrower_attributes` `extended_attributes_CODE_2` ON (
`extended_attributes_CODE_2`.`borrowernumber` = `me`.`borrowernumber`
AND `extended_attributes_CODE_2`.`code` = ?
)
WHERE
(
(
(
`extended_attributes_CODE_1`.`attribute` LIKE ?
AND `extended_attributes_CODE_1`.`code` = ?
)
AND (
`extended_attributes_CODE_2`.`attribute` LIKE ?
AND `extended_attributes_CODE_2`.`code` = ?
)
)
)
What fixes the performance issue that originated this work is the 'AND `extended_attributes_CODE_1`.`code` = ?' that was missing on the LEFT JOIN.
All of the above is explained using Borrowers and Borrower attributes, but it all also applies to ILL::Requests and ILL::Request::Attributes.
Co-authored-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 3b613fb73f0522c61c7e8941afdb4a3ee366064f) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Co-authored-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit bbf52b754fc6782e8c2ab28fb597d1392fde6567) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Bug 33453: Change the button class of the record cashup modal to btn-primary
To test:
1. Go to System Preferences > find and enable "Use cash registers"
2. Go to Administration > "Cash registers" and create a new cash register
3. Go to Tools > "Transaction history for" > "Record cashup"
4. Click "Record cashup"
5. Modal with change: "Confirm" should be yellow and primary.
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 3a3d367922233c2422ffc5d216344c717170b64a) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Nick Clemens [Wed, 7 Aug 2024 17:31:46 +0000 (17:31 +0000)]
Bug 37373: (follow-up) Add id and adjust tests
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit d5f0191bda908aa071d4207dbf2f30018cb7db53) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
projects / koha.git / log