Marcel de Rooy [Thu, 10 Aug 2017 11:02:23 +0000 (13:02 +0200)]
Bug 19049: [Follow-up] Make sure that GetPlugins finds the plugin
We have to mock_config the pluginsdir before Plugins is loaded, and
we should pass an absolute path (not a relative one).
If you did not install the test to_marc plugin, this test would fail.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Verified patch is compatible with original KitchenSink to_marc plugin
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 0987b135ea0bb8fbd4fc39643b19715dc6e3a1c8) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 3bbb89c57181c113d64ec7649195de30b52d0806) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Marcel de Rooy [Tue, 8 Aug 2017 12:51:41 +0000 (14:51 +0200)]
Bug 19049: Testing RecordsFromMarcPlugin with a to_marc plugin
This patch adds a simple to_marc plugin in t/Koha/Plugin that is used
in the added subtest in ImportBatch.t.
Test plan:
[1] Run t/db_dependent/ImportBatch.t
[2] Copy the to_marc test plugin from t to your plugin directory.
Under Debian packages, you should do something like:
mkdir -p /var/lib/koha/master/plugins/Koha/Plugin/
cp [yourclone]/t/Koha/Plugin/MarcFieldValues.pm /var/lib/koha/master/plugins/Koha/Plugin/
[3] Check if you see this plugin on plugins/plugins-home.pl
[4] Create a text file with some fields like:
(Note: The plugin needs an empty line between both "records".)
100,a = Test Author 1
245,a = Title One
100,a = Author 2
245,a = Title Two
[5] Go to stage-marc-import.pl. Upload the created file. Select the plugin
in the format combo and proceed. Did you create two records ?
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 83f60adbab8e96f0f14ec547029582623ac3a068) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit c6e3f2ac0575849a0b48170506a4986a50ac8bf1) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Marcel de Rooy [Mon, 7 Aug 2017 19:24:48 +0000 (21:24 +0200)]
Bug 19049: Fix regression on stage-marc-import with to_marc plugin
Bug 12412 added the use of to_marc plugins allowing arbitrary file formats
in stage-marc-import (as long as the plugins can handle them). The feature
was not very visible in the code, and when bug 10407 added the marcxml
format, it made some changes that broke the use of to_marc.
This patch restores the functionality by:
[1] Adding a sub RecordsFromMarcPlugin to ImportBatch.pm, specifically
addressing the conversion from arbitrary formats to MARC::Record.
The original to_marc interface is used: pass it the file contents,
and it returns a string consisting of a number of MARC blobs separated
by \x1D.
Consequently, the call of to_marc is removed from routine
BatchStageMarcRecords where it did not belong. The to_marc_plugin
parameter is removed and two calls are adjusted accordingly.
[2] Instead of a separate combo with plugins, the format combo contains
MARC, MARCXML and optionally some plugin formats.
[3] The code in stage-marc-import.pl now clearly shows the three main
format types: MARC, MARCXML or plugin based.
Note: This patch restores more or less the situation after bug 12412, but
I would actually recommend to have the to_marc plugins return MARC::Record
objects instead of large text strings. In the second example I added a
to_marc plugin that actually converts MARC record objects to string format,
while RecordsFromMarcPlugin reconverts them to MARC::Records.
Test plan:
See second patch.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit d24568b67256fab79b42ead54302c76d1c9653d7) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 4dd020a3019cd7e2b357153ec737b15eea95f671) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Jonathan Druart [Mon, 7 Aug 2017 16:50:32 +0000 (13:50 -0300)]
Bug 19053: Keep auto_renew flag if a confirmation is needed
If an item is checked out with the auto renewal flag and a confirmation
is needed (holds exist, past due date, etc.) the auto renewal flag will
get lost.
Test plan:
- Check an item out and specify a past due date
- Confirm the checkout on the confirmation screen
=> Without this patch the checkout is not marked as auto renewal
=> With this patch applied the auto renewal flag will be set to the
checkout
Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 3808dbc1d22b3adc43a09ba7ce00aaca01f95f5a) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 8f3a7d800271cb2611de0cb369e907b16c30fb0b) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit ff41b87302c1b242f9edd7b2e8c253bd18b57ac1) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 4c50a19ab920b488193d78ee18d89bb143ddae4a) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
I dug into this a little bit, it seems the issue is that we were double
processing the query because of an extra call to
C4::AuthoritiesMarc::SearchAuthorities
I think we can simply remove this call
To test:
1 - Perform an authority search for a value that returns results
2 - Wrap it in quotes and search
3 - 'Internal server error'
4 - Apply patch
5 - Search with quotes succeeds
Signed-off-by: Lee Jamison <ldjamison@marywood.edu> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 9c8a04acb05466356fec8e9d6d13183295719c7d) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 39a2f6421e3d0b2c415ad9abc655193357e24328) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Josef Moravec [Tue, 8 Aug 2017 08:23:57 +0000 (08:23 +0000)]
Bug 18331: Followup - fix path to orders_by_budget csv header
Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 14484ba4234fd1cbb925b5f3a4844da863c65d5a) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit c6a3c7c39babf64ad916650277ab752e54072916) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Lee Jamison <ldjamison@marywood.edu> Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 2ee4e0ac381ed23fa23b1117725b2f6a0e0db4de) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit ad4c173bca27de2b05a1c47a3977212f72654c40) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Marc Véron [Thu, 3 Aug 2017 15:50:30 +0000 (17:50 +0200)]
Bug 18331: Force tt to insert newline to empty_line.inc
See end of comment #4 and IRC:
http://irc.koha-community.org/koha/2017-08-03#i_1958062
Signed-off-by: Lee Jamison <ldjamison@marywood.edu> Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit a10e5383016a5cb4117719ac858cbe02a53e457b) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit c4e608d29954195f01ea170ff06d7e8da4814707) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Jonathan Druart [Mon, 12 Jun 2017 20:04:47 +0000 (17:04 -0300)]
Bug 18331: Fix CSV export (once and for all!)
I am going to try and explain the problem here in order to make it a
have-to-read for next changes.
There are several things to test when and most of the time we break
something when we try to fix something else.
You have to test different CSV export, not only one. There are not all
processed the same way. For instance acqui/csv/basket.tt does not
contain any strings to translate and the translate script will copy the
original file as it.
But reports/csv/orders_by_budget.tt will not! Indeed it contains "TOTAL"
which will be translated. The generated tt file for the translated
language will remove all the carriage returns! That's why we cannot rely
on TT for newlines (contrary to bug 16914 assumption).
There are two possible methods:
1/ Fix the translate script
=> Hum... nope
2/ Remove all carriage returns and make them explicit by including an
file that only contains 1 carriage return
This second method is implemented in this patch.
How it works: Use the PRE_CHOMP "[%-" and POST_CHOMP "-%]"
(http://www.template-toolkit.org/docs/manual/Config.html#section_PRE_CHOMP_POST_CHOMP)
to remove all the newlines that could be added by TT in the original
(en) files. Then include the new_line.inc to add a new line.
That way original and translated files will behave the same way.
The BLOCK in the csv_headers avoid to have the newlines added, in any
cases. For instance: by default we will have an empty line at the end of
the headers, but the translated headers will not have it.
Test plan:
At least 2 signoffs will be needed, please test carefully!
You will need to generate CSV with at least 2 entries!
Test with the non-translated interface (en) and with the language you
want. To test with a translated language you will *have to*:
- cd misc/translator
- perl translate update LANG
- manually edit the po file, remove the fuzzy tags, correctly translate
the string (do not forget the additional %s in the headers)
- perl translate install LANG
1/ Export basket and basketgroup as CSV
2/ Export late orders as CSV
3/ Export items (from the item search) as CSV
4/ Export the 2 reports "Orders by fund" and "Cash register" as CSV
Signed-off-by: Lee Jamison <ldjamison@marywood.edu> Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 8403799c7212349bee70090249e3425afd62423b) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 5b1c9cd3f27d377ddee5635f32fd1a3e2626409c) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Amit Gupta [Sun, 20 Aug 2017 15:23:06 +0000 (20:53 +0530)]
Bug 16069 - XSS issue in basket.pl page
1. Hit /cgi-bin/koha/acqui/basket.pl?basketno=xx<script>alert('amit')</script>
xx - is a basketno
2. Notice the java script is executed.
3. Apply patch.
4. Reload page, and hit the page again /cgi-bin/koha/acqui/basket.pl?basketno==xx<script>alert('amit')</script>
xx - is a basketno.
5. Notice it is no longer executed.
Amit Gupta [Thu, 10 Aug 2017 16:21:38 +0000 (21:51 +0530)]
Bug 19078 - XSS Flaws in System preferences
1. Hit /cgi-bin/koha/admin/preferences.pl
2. Enter <script>alert('amit')</script> in search system preferences box.
3. Notice the java script is executed.
4. Apply patch.
5. Reload page, and enter <script>alert('amit')</script> in search system preferences box.
6. Notice it is no longer executed.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amit Gupta [Mon, 7 Aug 2017 17:04:05 +0000 (22:34 +0530)]
Bug 19054 - XSS Flaws in Report - Top Most-circulated items
1. Hit /cgi-bin/koha/reports/cat_issues_top.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in Callnumber, Day, Month, Year search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Callnumber, Day, Month, Year search box.
6. Notice it is no longer executed.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amit Gupta [Mon, 7 Aug 2017 16:47:14 +0000 (22:17 +0530)]
Bug 19052 - XSS Flaws in - Invoice search page
1. Hit /cgi-bin/koha/acqui/invoices.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> Invoiceno,
ISBN/EAN/ISSN, Title, Author, Publihser, Publication year search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Invoiceno,
ISBN/EAN/ISSN, Title, Author, Publihser, Publication year search box.
6. Notice it is no longer executed.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amit Gupta [Mon, 7 Aug 2017 16:34:30 +0000 (22:04 +0530)]
Bug 19052 - XSS Flaws in vendor search page
1. Hit /cgi-bin/koha/acqui/booksellers.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> vendor search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on vendor search box.
6. Notice it is no longer executed.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
1. Hit /cgi-bin/koha/tools/batchMod.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Barcode list (one barcode per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Barcode list (one barcode per line) text area.
6. Notice it is no longer executed.
7. Fixes for both barcode and itemnumber.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amit Gupta [Mon, 7 Aug 2017 15:54:44 +0000 (21:24 +0530)]
Bug 19051 - XSS Flaws in Batch item deletion page
1. Hit /cgi-bin/koha/tools/batchMod.pl?del=1
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Barcode list (one barcode per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Barcode list (one barcode per line) text area.
6. Notice it is no longer executed.
7. Fixes for both barcode and itemnumber.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amit Gupta [Mon, 7 Aug 2017 15:38:36 +0000 (21:08 +0530)]
Bug 19051 - XSS Flaws in - Batch record deletion page
1. Hit /cgi-bin/koha/tools/batch_delete_records.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Record number list (one per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Record number list (one per line) text area.
6. Notice it is no longer executed.
7. Fixes for both biblio and authority records.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amit Gupta [Mon, 7 Aug 2017 15:19:56 +0000 (20:49 +0530)]
Bug 19050 - XSS Flaws in Quick spine label creator
1. Hit /cgi-bin/koha/labels/spinelabel-home.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> barcode text box.
3. Notice the iframe is executed
4. Apply patch
5. Reload page, and enter iframe again on barcode text box.
6. Notice it is no longer executed
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amit Gupta [Fri, 4 Aug 2017 05:11:49 +0000 (10:41 +0530)]
Bug 19034: XSS Flaws in Z39.50/SRU servers administration
1. Hit /cgi-bin/koha/admin/z3950servers.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search Z39.50/SRU servers box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on search Z39.50/SRU servers box.
6. Notice it is no longer executed.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Amit Gupta [Fri, 4 Aug 2017 05:08:12 +0000 (10:38 +0530)]
Bug 19034: XSS Flaws in Cities
1. Hit /cgi-bin/koha/admin/cities.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search cities box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on search cities box.
6. Notice it is no longer executed.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Amit Gupta [Fri, 4 Aug 2017 05:04:19 +0000 (10:34 +0530)]
Bug 19034: XSS Flaws in Patron categories pages
1. Hit /cgi-bin/koha/admin/categories.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search patron categories box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on search patron categories box.
6. Notice it is no longer executed.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Amit Gupta [Fri, 4 Aug 2017 04:14:52 +0000 (09:44 +0530)]
Bug 19033: XSS Flaws in Currencies and exchange page
1. Hit /cgi-bin/koha/admin/currency.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search currencies box.
3. Notice the iframe is executed
4. Apply patch
5. Reload page, and enter iframe again on search currencies box.
6. Notice it is no longer executed
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Fixes the issue, follows common practice on the codebase.
Amit Gupta [Fri, 11 Aug 2017 15:38:14 +0000 (21:08 +0530)]
Bug 19079 - XSS Flaws in Membership page
1. Hit /cgi-bin/koha/members/moremember.pl?borrowernumber=xx<script>alert('amit')</script>.
xx - is a borrowernumber
2. Notice the java script is executed.
4. Apply patch.
5. Reload page, and hit the page again /cgi-bin/koha/members/moremember.pl?borrowernumber=xx<script>alert('amit')</script>.
xx - is a borrowernumber.
6. Notice it is no longer executed.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amit Gupta [Tue, 15 Aug 2017 03:53:13 +0000 (09:23 +0530)]
Bug 19105 - XSS Stored in holidays.pl
To Test
1. Hit the page /cgi-bin/koha/tools/holidays.pl
2. Select the date
3. Add a text in the field Title and Description that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped
Fixed for all holidays
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amit Gupta [Tue, 15 Aug 2017 17:52:32 +0000 (23:22 +0530)]
Bug 19100 - XSS Flaws in memberentry.pl
1. Hit /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
xx - is a guarantorid
2. Notice the java script is executed.
3. Apply patch.
4. Reload page, and hit the page again /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
xx - is a guarantorid.
5. Notice it is no longer executed.
NOTE: I had to test in Microsoft Edge, because Chrome was blocking XSS for me.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amit Gupta [Tue, 15 Aug 2017 09:30:55 +0000 (15:00 +0530)]
Bug 19110 - XSS Stored in branches.pl
To Test
1. Hit the page /cgi-bin/koha/admin/branches.pl?op=add_form_category
2. Add a text in the field Name and description that contains js.
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped
Fixed for js escaped execute for both pages
1. /cgi-bin/koha/admin/branches.pl?op=delete_confirm&branchcode=xx
xx is branchcode
2. /cgi-bin/koha/admin/branches.pl?op=add_form with Group(s):
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amit Gupta [Tue, 15 Aug 2017 14:21:48 +0000 (19:51 +0530)]
Bug 19112 - Stored XSS in basketheader.pl page
To Test
1. Hit the page /cgi-bin/koha/acqui/basketheader.pl?booksellerid=1&op=add_form
2. Add a text in the field Basket name, Internal note, Vendor note that contains java script
3. Save the page
4. Notice js is execute
5. Apply patch, reload, js is escaped.
Fixed XSS on pages basket.pl/basketheader.pl/bookseller.pl
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amit Gupta [Tue, 15 Aug 2017 15:28:34 +0000 (20:58 +0530)]
Bug 19114 - Stored XSS in parcels.pl
Test
1. Hit the page /cgi-bin/koha/acqui/parcels.pl?booksellerid=xx
xx is booksellerid
2. Add a text in the field Vendor invoice that contains java script
3. Save the page.
4. Notice js is execute
5. Apply patch and reload the js is escaped
Fixed XSS for parcels.pl/parcel.pl/orderreceive.pl
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amit Gupta [Tue, 15 Aug 2017 03:03:41 +0000 (08:33 +0530)]
Bug 19035 - Stored XSS in lists.pl
To Test
1. Hit the page /cgi-bin/koha/patron_lists/lists.pl
2. Click on new patron list
3. Add a text in the field Name that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped
Fixed in both the pages list.pl and list.pl?patron_list_id=xx
xx is patronlist id
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
To replicate:
1. Check the row count of borrowers, branches, categories, sessions, sms_providers
tables
2. prove t/db_dependent/Search/History.t
3. Repeat step 1
4. Observe borrowers the following tables have increased in row count:
- borrowers
- branches
- categories
- sessions
- sms_providers
To test:
1. Before applying the patch, go through steps at "To replicate" plan
2. Apply patch
3. Go through steps at "To replicate" plan
4. Observe step 4 no longer applies and those tables have the same number of
rows as before executing the test.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test t/db_dependent/Auth.t seems to have an ineffective test data cleanup.
Data generated by TestBuilder is left in borrowers, branches, categories,
sms_providers and sessions tables after the test.
To replicate:
1. Check the row count of borrowers, branches and categories tables
2. prove t/db_dependent/Auth.t
3. Repeat step 1
4. Observe borrowers the following tables have increased in row count:
- borrowers
- branches
- categories
- sessions
- sms_providers
To test:
1. Before applying the patch, go through steps at "To replicate" plan
2. Apply patch
3. Go through steps at "To replicate" plan
4. Observe step 4 no longer applies and those tables have the same number of
rows as before executing the test.
This issue has been happening in REST tests as well, and this solution is
directly copy-pasted from t/db_dependent/api/v1/cities.t
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Jonathan Druart [Thu, 18 May 2017 20:42:02 +0000 (17:42 -0300)]
Bug 18632: Remove 'CGI::param called in list context' warnings
Once again, after bug 16154 and bug 16259 we need to remove more
occurrence of CGi->param called in list context.
Refer to bug 15809 for more information.
Test plan:
Make sure you do not see the error on the modified scripts.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Josef Moravec [Tue, 9 May 2017 13:33:52 +0000 (13:33 +0000)]
Bug 18551: [16.11.x] followup - hide advanced filters in header, move hidding to css file
Test plan:
The same as first patch, but also with advanced search form in header hidden
on page load - see comment 4
Issue with advanced search form is gone. Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Philippe <philippe.audet-fortin@inlibro.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Add schema calls.
Remove an unneeded AddBiblio call.
Test plan:
Run t/db_dependent/Biblio/Isbd.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Lee Jamison <ldjamison@marywood.edu> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 40c719a5248877d200920c2c9a028e273a5f1370) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit ce8ddbf8ea7d463a822a70f474310b8b618d6347) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Adding schema and caching statements.
Adjust it so that the Koha to MARC mappings are not assumed to be present,
but are created as needed.
Remove the mock on marcflavour. It is no longer needed.
Resolving a small typo.
Test plan:
Run t/db_dependent/Biblio/TransformKohaToMarc.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Lee Jamison <ldjamison@marywood.edu> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit f839955db707415368d23ae81bdb14505dd058ee) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 36c3bbedfe80a1a55f34aedb6931784da1043c84) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Bug 18951: Some t/Biblio tests are database dependent (git mv)
Move Isbd.t and TransformKohaToMarc.t to db_dependent.
Next patch will add a few adjustments too.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Lee Jamison <ldjamison@marywood.edu> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 50bc4170cec172de04db2033d464c96348d5a508) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 216b13e51fbdaa0ede2eb3218338f955c6c2aa48) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Marcel de Rooy [Fri, 31 Mar 2017 11:52:15 +0000 (13:52 +0200)]
Bug 18361: [SQUASHED FOR 16.11] Koha::Objects->find should accept composite primary keys
Changes the $id parameter to an array. (IssuingRule has three keys.)
The build_object method in TestBuilder.pm has been adjusted to pass
multiple primary key values to find.
Also adjusted the POD section to show more clearly that we accept
the same parameters as DBIx ResultSet does.
Test plan:
Run t/db_dependent/Koha/Object.t
Run t/db_dependent/Koha/Objects.t
Run t/db_dependent/TestBuilder.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Bug 18361: Additional tests for Koha::Objects->find
Adding a subtest find in t/db_dependent/Koha/Objects.t.
Test plan:
Run t/db_dependent/Koha/Objects.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Bug 18361: (QA followup) Add tests for the no params case
This patch adds a test for the trivial case in which no param is passed
and the ->find method returns undef.
For completeness purposes.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Bug 18361: [QA Follow-up] Resolve warning on undef values supplied
The following warning was raised in Letters.t:
DBIx::Class::ResultSource::_minimal_valueset_satisfying_constraint():
NULL/undef values supplied for requested unique constraint 'primary' (NULL
values in column(s): 'id'). This is almost certainly not what you wanted,
though you can set DBIC_NULLABLE_KEY_NOWARN to disable this warning.
This warning is triggered by this line in C4/Letters.pm:
Koha::SMS::Providers->find( $member->{'sms_provider_id'} );
As you already guessed, the sms_provider_id returns undef.
Resolved in sub find by testing if there are parameters and if so, they
should not be all undefined. (In most cases there will be only one
parameter; but this report is about composite keys.)
Added a trivial test case in Objects.t too.
Test plan:
Run t/db_dependent/Koha/Object.t
Run t/db_dependent/Koha/Objects.t
Run t/db_dependent/Letters.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Jonathan Druart [Tue, 18 Apr 2017 16:49:18 +0000 (13:49 -0300)]
Bug 18539: Forbid list context calls for Koha::Objects->find
Reading https://perlmaven.com/how-to-return-undef-from-a-function
this sound like the more correct behaviour.
Considering:
$template->param(
stuff => Koha::Stuffs->find( $id ),
foo => 1,
);
without this patch, if the $id does not represent any rows in the DB,
stuff will be assigned to 'foo' and $foo will be undef in the template.
That can lead to very bad side-effects.
With this patch we make sure that it will never happen again.
Test plan:
prove t/db_dependent/Koha/Objects.t
should return green
Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 15cbf14f4d4f8039ad7820ce37da202b19e0075d) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 5a2604144f114d242d7e4860603fd4811937f44c) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Nick Clemens [Tue, 11 Apr 2017 20:09:27 +0000 (16:09 -0400)]
Bug 18367 - Fix untranslatable string from Bug 18264
Restore display of message when no barcode found
To test:
1 - Go to course reserves
2 - Add an item to a course
3 - Try adding an invalid barcode - should get an alert
4 - Try force adding an item with itemnumber:
http://localhost:8081/cgi-bin/koha/course_reserves/add_items.pl?op=lookpup&course_id=11&itemnumber=1234523546
5 - Should recieve an error
Signed-off-by: Frédéric Demians <f.demians@tamil.fr> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 1fc3751804146e92c0d8d85517ffcd6ec338808e) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 456e849ec29e9a5b1499ea8e492dc157b381f8d5) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
There is an action_logs entry via logaction() without transaction to be rolled
back in t/db_dependent/Log.t. This leaves an entry in action_logs after
the test is over.
To replicate:
1. prove t/db_dependent/Log.t
2. Observe a new entry in action_logs table
To test:
1. Apply patch
2. prove t/db_dependent/Log.t
3. Observe there are no new entries in action_logs
Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit f49f5a67d3512ea75d92cb551ebd79a9de7e53d7) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 2af6365fc66a0dcb6246d90432c3998bac8bf43f) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Owen Leonard [Fri, 9 Jun 2017 15:50:41 +0000 (15:50 +0000)]
Bug 18545 [Follow-up] Remove use of onclick from OPAC Cart
This patch makes a few corrections:
- Use 'e.preventDefault()' instead of 'return false' in changed
sections.
- Modify the event handler on checkboxes to successfully handle the
un-check action as well as the check action. (QA comment 5).
To test, follow the original test plan.
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com> Signed-off-by: Jesse Maseto <jesse@bywatersolutions.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 04a601ef659c64446790758ebbe369a2ce090875) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 970442bc39583a0491120fa60816ec4d819a7653) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Aleisha Amohia [Fri, 5 May 2017 03:58:49 +0000 (03:58 +0000)]
Bug 18545: Remove use of onclick from OPAC cart
To test:
1) Apply patch and add one or more items to your cart
2) Confirm that clicking the following things still works as expected:
- more details
- brief display
- send
- download
- print
- select all
- clear all
- selecting by clicking checkbox
- remove title
- add title to list
- place hold
- add tag
- empty and close
Sponsored-by: Catalyst IT
Followed test plan, works as expected. Resolves issue with two
print dialogues from Bug 18544. Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 1b4d4f989b1d6c589a08f21ce19a48dca9072ec7) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 38597cee18757669e450b8ce2d0941ee7a97173b) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Marcel de Rooy [Mon, 15 May 2017 08:38:43 +0000 (10:38 +0200)]
Bug 18605: Remove TRUNCATE from C4/HoldsQueue.pm
Replaces TRUNCATE by DELETE, since truncate implicitly commits. We don't
need to do that here. (Would complicate testing it too.)
Fixes typo disablig.
Add a simple test to HoldsQueue.t.
Test plan:
Run t/db_dependent/HoldsQueue.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit db64c94953be772fb316d508fdfffd374ea1d835) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit bede0cc328f6acff69489fe3139d64c35eb7b589) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Bug 18965 - branch transfer limits pagination save bug
In branch transfer limits, tables are paginated with 20 rows by default.
The bug is that datatable not only hides rows, they are not in form.
So when submitting form, rows not visible are erased.
Test plan :
Wihout patch :
- Create 22 branches, you can hack the creation form by manualling calling URL : /cgi-bin/koha/admin/branches.pl?op=add_validate&branchcode=Bxx&branchname=Bxx
- Go to Administration > Library transfer limits
- You see table first page : only 20 first rows are shown
- You see all checkboxes are checked
- Go to second page of this table
- Save
=> You see table first page with all checkboxes unchecked
With patch the is no pagination, all checkboxes are shown when you save
Signed-off-by: Axelle Clarisse <axelle.clarisse@univ-amu.fr> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 7a306d72ab98f2abf2266716761820f1098ede9b) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit ca7f2f5aa48d8d5136029d10d8c15ffacf010103) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Bug 18977: Rollback branch in t/db_dependent/SIP/Message.t
To test:
1. Before applying patch, check the amount of branches in database
2. prove t/db_dependent/SIP/Message.t
3. See that a new branch is stored
4. Apply patch
5. prove t/db_dependent/SIP/Message.t
6. See that a new branch is no longer stored
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 139b66f65611cff0a2551662e0fd5c2e50b4c10f) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 5b71a4150571b0d9013341b6f64e41f12a7f1f29) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Marc Véron [Wed, 21 Jun 2017 07:47:13 +0000 (09:47 +0200)]
Bug 18832: Missing space between icon and label in button 'Patron lists'
On page Home > Patrons the button 'Patron lists' misses a space between
icon and text. This patch adds it to make the button display like the other
ones.
To test, apply patch and verify that the button displays as expected.
Signed-off-by: fcouffignal <fcouffignal@gmail.com> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 85b895c2dfdf9499fdb12bd108c740144597c89e) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 7a9bd6247b2bb079837f170179e12d731222fb65) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Bug 18918: Disable CSV option if no CSV profiles exist
To test:
1) Confirm you have no MARC CSV profiles (tools -> csv profiles)
2) Go to Tools -> Export data
3) Select the CSV file format for biblios
4) Notice the CSV profile dropdown shows up but the dropdown is empty
5) Click the Export button, notice Koha breaks
6) Go back and apply the patch, refresh
7) Notice the CSV option is now disabled in the file format menu
8) If you hover over CSV, an appropriate message should show explaining
why it is disabled
9) Create a CSV profile for MARC
10) Go back to Export and you should be able to use CSV now without
problem
Sponsored-by: Catalyst IT Signed-off-by: Lee Jamison <ldjamison@marywood.edu> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 7723ffdd130996ec946d5b9149f90cb0cdc447fc) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit ae341f962c0f57dd59d9807417cbd571e3f2e5b5) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Jonathan Druart [Tue, 25 Jul 2017 19:49:38 +0000 (16:49 -0300)]
Bug 18982: Create a circ rule for the data we created
No need to have a default circ cule, we create one for the categorycode
and itemtype we are going to use.
The 3 checkouts will not be rejected (5 are allowed)
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 5b84987f28b43f0c92eeff9ed1067ed61f822a4b) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 0f654af1816bffc4bada443ac0b5fa1784e5a8e9) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Marc Véron [Sun, 21 May 2017 16:28:48 +0000 (18:28 +0200)]
Bug 16711: OPAC Password recovery: Handling if multiple accounts have the same mail address
To reproduce:
- Create 3 Accounts, login names are test01, test02, test03, Email is the same
for all.
- Go to OPAC -> Password recovery and indicate E-Mail only
- You will get an email for only one of the accounts above.
To test:
- Apply patch, restart memcached and plack
- Go to db, delete from borrower_password_recovery;
- Try steps above to reproduce. You will get an error message:
Account identification with this email address only is ambiguous.
Please use the field 'Login' as well.
- Verify that other cases work as before (provide valid / invalid login only,
provide valid email for an existing account, provide unknown email, provide
both login and email with all combinations of valid / invalid)
Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Bug 16711: (QA-followup) Use count directly
See comment # 13
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 3829020c2664ec531354f78f0c04d00f5dd6795d) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 739a0f4b9b6bfba236d297608001180f4cb38af3) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Nick Clemens [Fri, 23 Jun 2017 12:27:19 +0000 (12:27 +0000)]
Bug 18572 - Improper branchcode set during OPAC renewal
To test:
1 - Set 'OpacRenewalBranch' to various settings
2 - Renew an item for a ptron under each setting
3 - Confirm action_log entries reflect the correct branch for each
secnario
4 - prove t/db_dependent/Circulation/issue.t
Signed-off-by: David Kuhn <techservspec@gmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit e9374dcf6308256f4597e1c83920559d2673b90c) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit d8722dde9b028adbda9d46f9c181713eb0615052) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Jonathan Druart [Wed, 12 Jul 2017 20:24:24 +0000 (17:24 -0300)]
Bug 18826: rollback transaction for api tests
The holds.t tests for the REST api do no rollback properly and modify
the DB (no cleanup).
This comes from a bug caused by SessionStorage = mysql (default)
The error is:
"rollback ineffective with AutoCommit enabled"
Test plan:
select count(*) from borrowers;
prove t/db_dependent/api/v1/holds.t
select count(*) from borrowers;
=> The number of entry must be the same before and after the tests have
been executed
Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit d5dc473382ccfa118e78e91507384245ce0dcfcb) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit da0ed1cba584a7eb182876d75ccd535bbd5d5b35) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Bug 18955 - autocomplete is on in OPAC password recovery
In OPAC password recovery form autocomplete is not disabled.
So when login or email is entered, it is saved in browser input history for autocomplete.
This is a major issue for OPAC on computers with public access.
This patch adds autocomplete off on forms.
Test :
- Enable system preferences OpacPasswordChange and OpacResetPassword
- Go to OPAC
- Be sure to not be logged in
- Click on "Forgot your password?"
- Enter a loggin and email and Submit
=> Without patch there is an autocompletion with values you entered
=> With patch there is no autocompletion
Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 214a0e61021934c7e6deee5a24cf11606a57199b) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 7943a4500d45344e5ac4b02d2075ae039faf3d83) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Jonathan Druart [Thu, 20 Jul 2017 16:39:43 +0000 (13:39 -0300)]
Bug 18966: Do not deal with duplicate issue_id on checkin
Koha suffers of big bugs due to its history: When data are deleted, they are moved to another tables.
For instance issues and old_issues: when a checkin is done, it is moved to the old_issues table.
That leads to a main problem that is described on https://wiki.koha-community.org/wiki/DBMS_auto_increment_fix
However we tried first to fix the problem (for issues/old_issues) at code level on bug 18242.
The goal was to prevent data lost.
Data lost may happens in this case:
Check an item out (issue_id = 1)
Check an item in (issue_id = 1)
Restart MySQL (reset auto increment for issue_id to 1)
Check an item out (issue_id = 1)
Check an item in => BOOM, the issue_id is a PK in old_issues and the move fails.
Before bug 18242 the data were lost, we inserted the value into old_issues, which fails silently (because of RaiseError set to 0 in Koha::Database), then delete the row from issues.
That has been fixed using a transaction.
This patch introduced a regression we tried to fix on bug 18651 comment 0, the patron was charged even if the checkin was rejected.
A good way to fix that would have been to LOCK the tables:
1- Start a transaction
2- LOCK the table to make sure nobody will read id and avoid race conditions
3- Move the content from one table to the other, dealing with ids
4- UNLOCK the table
5- Commit the transaction
But there were problems using LOCK and DBIx::Class (See commit 905572910b3a - Do no LOCK/UNLOCK the table).
Finally the solution implemented is not acceptable for several reasons:
- batch checkins may fail
- issue_id will always stay out of sync (between issues and old_issues)
See 18651 comment 66.
Since the next stable releases are very soon, and we absolutely need to fix this problem, I am suggesting to:
1- Execute the move in a transaction to avoid data lost and reject the checkin if we face IDs dup
=> It will only reject 1 checkin (max is 1 * MySQL restart), no need to deal with race conditions,
2- Display a warning on the checkin page and link to a solution/explanation
3- Communicate as much as we can on the proper fix: Update auto increment values when the DBMS is restarted - https://wiki.koha-community.org/wiki/DBMS_auto_increment_fix
4- Display a warning on the about page for corrupted data (see bug 18931)
5- Write and make available a maintenance script to fix corrupted data (TODO LATER)
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit f5988bb3d233fa29f2af649748bbca611c99b739) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit e882b8bb4a66a86483a5766dadaad7ab45c576c0) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Katrin Fischer [Mon, 24 Jul 2017 21:26:04 +0000 (23:26 +0200)]
Bug 18931 - Follow up - Typo fix in SQL statement
Fixes the table alias in the SQL statement for items and
adds items to the if clause for showing data problems.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit c3dca8c24b53aa63838687f536a5509855ccc21c) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 62529a83e9398e3ee23bbca7b8b6bd6fb3b509df) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Jonathan Druart [Mon, 24 Jul 2017 20:46:27 +0000 (17:46 -0300)]
Bug 18931: Add items/deleteditems tables
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 193ecb0a2bb397bf67488f6342f02adda0328031) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 84edd3900fa42b74f96402e19b19be28ba31584c) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Jonathan Druart [Wed, 12 Jul 2017 18:52:19 +0000 (15:52 -0300)]
Bug 18931: Add a "data corrupted" section on the about page - MySQL AI
See the following wiki page for more information
https://wiki.koha-community.org/wiki/DBMS_auto_increment_fix
Test plan:
Create (at least) a patron, a checkout, a biblio and a hold
Then fill the old_* or deleted* tables with:
INSERT INTO deletedborrowers SELECT * from borrowers WHERE borrowernumber=XXX;
INSERT INTO deletedbiblio SELECT * from biblio WHERE biblionumber=XXX;
INSERT INTO old_issues SELECT * from issues WHERE issue_id=XXX;
INSERT INTO old_reserves SELECT * from reserves WHERE reserve_id=XXX;
Go to the about page, 'System information' tab. You should see a new
"Data problems" section with the list of the ids that are wrong
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 1d1d6ddc9d1e4929d9eb232e0745bcf31749cfdb) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 197dd2d4c7473b81fe18ff32bb0fdde0f13a94a0) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Bug 18613: Remove letter rule correctly as superlibrarian
TEST PLAN
(reproducing bug)
1 - Set 'IndependantBranches' to enable
2 - Log in as Superlibrarian.
3 - Create 3 rules
- 1 for all librairies (1)
- 1 for the library of the superlibrarian (2)
- 1 for another library (3)
4 - Try to delete them and see them and see that (3) isn't the good one
(checking patch)
5 - Apply patch
6 - Try again 3-
7 - Connect as not superlibrarian
8 - Try again 3-
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 648e2a2b808efac22a8b88545d53b05112a1f6f0) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 513205b5770e8ebf8d489c9ea7d671e136fc4a25) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Bug 18901: [QA Follow-up] Do not translate zzpref either
Adding one backslash makes a difference :)
We need to escape the dot in the regex to exclude a file like zzpref
from translation too. Perfect_regexes++
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit a2c9513b1c3449a34f942d8fa53f8ce1fe374e3f) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 6896fdc5b31178ad9cde381d2b3b3edb2e8e37f9) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Julian Maurice [Thu, 6 Jul 2017 12:39:20 +0000 (14:39 +0200)]
Bug 18901: Sysprefs translation: translate only *.pref files (not *.pref*)
Text editors can create temporary files in this folder and this can
confuse the translator.
For instance, vim can create a file named '.opac.pref.swp' which will
make the translator dies with the following error message:
Can't use string ("b0VIM 8.0") as a HASH ref while "strict refs" in use
at LangInstaller.pm line 248.
Test plan:
1. echo 'Oops' > .../en/modules/admin/preferences/whatever.pref.whatever
2. cd misc/translator && ./translate update fr-FR
3. Verify that you have the error message mentioned above
4. Apply patch
5. cd misc/translator && ./translate update fr-FR
6. No more errors!
Signed-off-by: Frédéric Demians <f.demians@tamil.fr> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit ec51335e9cc4e090ef80f592cc0cc7a0786661f8) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 4f8fac147633c7272959e058dc7ea56ae7ecc403) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
This noise is from a failure. This patch expands the delete
to 952$c for the ACQ framework as per comment #5.
TEST PLAN
---------
insert into marc_subfield_structure (tagfield,tagsubfield,liblibrarian, libopac, repeatable, mandatory, kohafield,tab,authorised_value,authtypecode,value_builder,isurl,hidden,frameworkcode,seealso,link,defaultvalue,maxlength) values (952,'c','Shelving location','Shelving location',0,0,'items.location',10,'LOC','','',0,0,'ACQ','','',null,9999);
-- this makes sure you have a pre-existing 952$c ACQ record.
prove t/db_dependent/AuthorisedValues.t
-- should have ugly message like in comment #0
apply patch
prove t/db_dependent/AuthorisedValues.t
-- should be green
run koha qa test tools
Signed-off-by: Lee Jamison <ldjamison@marywood.edu> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 441f6fac33975f7e0f7c96b262bc0c0ee3b0c82e) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 97498a6a7b2ab43fc1d0a42bb93b91f3020e9ffd) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Jonathan Druart [Wed, 5 Jul 2017 13:44:55 +0000 (10:44 -0300)]
Bug 18854: Make sure offset will not be < 0 - protect from DoS
There was a bug that meant a very large offset in the search params
will cause the search script to run forever (or long enough to crash
the machine)
To test
1/ Get ready with sudo top so you can kill the thread before it causes
your machine to OOM
2/ Hit a page like yourdomain.com/cgi-bin/koha/opac-search.pl?q=1&offset=-9999999999999999999
3/ Notice the process runs for a long time
4/ Kill the process
5/ Apply the patch
6/ Hit the page again, notice the it loads (offset is set to zero)
7/ Do the same to search in the staff client
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit aabf001232fc46ee04cecb3a43fe8c0366a091df) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 9939c7f3bf961e5b7789f4d64e0fc074408b71b1) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Chris Cormack [Sun, 25 Jun 2017 05:34:12 +0000 (17:34 +1200)]
Bug 18854 - Protect from DOS
There was a bug that meant a very large offset in the search params
will cause the search script to run forever (or long enough to crash
the machine)
To test
1/ Get ready with sudo top so you can kill the thread before it causes
your machine to OOM
2/ Hit a page like yourdomain.com/cgi-bin/koha/opac-search.pl?q=1&offset=-9999999999999999999
3/ Notice the process runs for a long time
4/ Kill the process
5/ Apply the patch
6/ Hit the page again, notice the it loads (offset is set to zero)
7/ Do the same to search in the staff client
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amended: changed -2 to 0 in opac-search.pl. Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 99b32717cd2596ce89a2d46b8cb4ddbba2dea5ad) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit a64d14db20ac55fe4bcc8de06207c516d2237788) Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>