Janusz Kaczmarek [Tue, 14 May 2024 13:06:05 +0000 (13:06 +0000)]
Bug 36798: Add 'SearchCancelledAndInvalidISBNandISSN' system preference
This patch adds a new system preference SearchCancelledAndInvalidISBNandISSN:
whether to search for cancelled / invalid forms of ISBN/ISSN
when performing ISBN/ISSN search. (By default, with ES, only valid forms,
i.e. 020 $a / 022 $a are considered).
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Johanna Raisa [Tue, 4 Jun 2024 11:44:56 +0000 (14:44 +0300)]
Bug 37023: Update timestamp when filling a hold
This patch updates the timestamp of the hold when it is filled and moved to old_reserves.
Test plan:
1) Apply the patch
2) prove t/db_dependent/Koha/Hold.t
Sponsored-by: Koha-Suomi Oy Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Paul Derscheid [Mon, 23 Sep 2024 10:14:48 +0000 (10:14 +0000)]
Bug 37972: (follow-up) Correct syntax error in opac/opac-user.pl
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Paul Derscheid [Fri, 20 Sep 2024 13:41:26 +0000 (13:41 +0000)]
Bug 37972: Allow selection of tab in patron's summary table by query param
To test:
1) Apply the patch
2) Place a hold on any biblio with the 'koha' patron for example
3) Authenticate in the OPAC with the patron you picked in step 1
4) Open opac-user.pl with the query param 'tab': /cgi-bin/koha/opac-user.pl?tab=opac-user-holds
5) Note that the holds tab in the patron's user summary is automatically selected
6) Sign-off
I'm totally open to renaming the query param, so if you have a suggestion that's more consistent
with the rest of koha, I'm all ears.
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Owen Leonard [Thu, 6 Jun 2024 12:13:38 +0000 (12:13 +0000)]
Bug 36694: (follow-up) Remove some missed instances
This patch removes some missed HCSticky code/mentions as well as the
entry on the About page.
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Lucas Gass [Mon, 20 May 2024 17:12:27 +0000 (17:12 +0000)]
Bug 36694: (follow-up) Remove Sticky JS from member-flags.tt
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Lucas Gass [Tue, 14 May 2024 16:39:36 +0000 (16:39 +0000)]
Bug 36694: (follow-up): fix pages where toolbar was not sticky
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Lucas Gass [Fri, 26 Apr 2024 17:43:35 +0000 (17:43 +0000)]
Bug 36694: Remove remaining HC stick assets
To test:
1. Apply patch and regenrate CSS
(https://wiki.koha-community.org/wiki/Working_with_SCSS_in_the_OPAC_and_staff_interface)
2. You'll need to check that the 'sticky' header still sticks on each of
these pages.
3. Do a patron search, the toolbar should stick as you scroll down.
4. In Acquisitions, Add a vendor. The toolbar should stick as you scroll
down.
5. In Acquisitions, Add a basket. The toolbar should stick as you scroll
down.
6. Search for a system pref, or go directly to the OPAC category (
http://localhost:8081/cgi-bin/koha/admin/preferences.pl?tab=opac ).
The toolbar should stick as you scroll down.
7. Do an authorties search. The toolbar should stick as you scroll down.
8. Go to advanced search. Without doing a search the toolbard should
stick as you scroll down.
9. Go to item search. Without doing a search the toolbard should stick
as you scroll down.
10. Do a catlog search. The toolbar should stick as you scroll down.
11. Add a bibliographic record, or edit one. The toolbar should stick
as you scroll down.
12. Find a patron and go to the permissions page. The toolbar should
stick as you scroll down.
13. Try each of the other members pages like memberentry.pl,
moremember.pl, circulation.pl. On each of the pages the toolbar
should stick.
14. Place multiple holds on a record. From reserve/request.pl the
toolbar underneath 'Existing holds' should stick.
15. Edit a HTML customization, new item, and page. The toolbar should
stick.
16. Cataloging > Automatic item modifications by age > Edit rules. The
toolbar should stick.
17. Edit a notice, the toolbar should stick.
18. Tools > Log viewer > Submit. UNder Log entries, the toolbar should
stick.
19. Create some lists and make sure the toolbar sticks.
OPAC:
20. Add many items to an OPAC cart. Make sure the toolbar sticks.
21. Try the OPAC results, the toolbar should stick
22. Add many items to a list, on the OPAC list display the toolbar
should stick.
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Lucas Gass [Fri, 26 Apr 2024 17:37:52 +0000 (17:37 +0000)]
Bug 36694: Remove HC sticky from OPAC pages
Rebased-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Lucas Gass [Fri, 26 Apr 2024 17:01:06 +0000 (17:01 +0000)]
Bug 36694: Remove HC sticky from remaining staff pages
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Lucas Gass [Fri, 26 Apr 2024 16:27:59 +0000 (16:27 +0000)]
Bug 36694: Remove HC sticky from members/ pages
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Rebased-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Lucas Gass [Fri, 26 Apr 2024 16:18:13 +0000 (16:18 +0000)]
Bug 36694: Remove HC stikcy from cataloguing/ pages
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Lucas Gass [Thu, 25 Apr 2024 19:58:59 +0000 (19:58 +0000)]
Bug 36694: Remove HC sticky from catalogue/ pages
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Lucas Gass [Thu, 25 Apr 2024 19:27:24 +0000 (19:27 +0000)]
Bug 36694: Remove HC sticky from preferences.tt/authorities.tt
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Lucas Gass [Thu, 25 Apr 2024 19:18:36 +0000 (19:18 +0000)]
Bug 36694: Remove HC sticky from acqui/supplier.tt
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Lucas Gass [Thu, 25 Apr 2024 16:44:43 +0000 (16:44 +0000)]
Bug 36694: Set sticky element top to -1px
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Lucas Gass [Wed, 24 Apr 2024 23:18:15 +0000 (23:18 +0000)]
Bug 36694: Add JS observer to detect stuck sticky element
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Lucas Gass [Wed, 24 Apr 2024 22:45:50 +0000 (22:45 +0000)]
Bug 36694: Remove HC sticky from acqui/basket.tt
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Lucas Gass [Wed, 24 Apr 2024 22:30:33 +0000 (22:30 +0000)]
Bug 36694: Remove HC sticky from patron search searchbar
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Owen Leonard [Tue, 17 Sep 2024 15:40:57 +0000 (15:40 +0000)]
Bug 36454: (follow-up) Tweak CSS and add restricted status output
This patch makes some tweaks to the style of the new information: We can
use the Bootstrap 5 "badge" class and "warning" style to get the
appearance we want.
This patch also adds output of the patron's restricted status if
present.
To test, apply the patch and rebuild the staff interface CSS. Perform a
patron search (from the checkout header search form for instance) and
confirm that a "restricted" badge appears alongside the branch and
expired badge.
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Pedro Amorim [Mon, 16 Sep 2024 08:53:33 +0000 (08:53 +0000)]
Bug 36454: Add 'expired' information on patron auto complete results
Test plan:
1) Alter the 'Expiry date' of any patron.
2) Search for that patron on any search input that provides auto
complete results (e.g. top 'Search patrons' input)
3) Notice the expired patron has a 'expired' indication. Those who
aren't do not.
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Nick Clemens [Fri, 23 Aug 2024 13:14:58 +0000 (13:14 +0000)]
Bug 35466: (follow-up) Go to next if error, add to indexing call if not
Before the previous patch we were indexing with every AddAuthority/ModAuthority call and I assumed
we were also indexing during the commity, however, it appears we were not. This patch ensures we push
the record and ids into the arrays for indexing during commit.
Additionally I add a skip to next record on error, to match biblio behaviour.
I also correct a log referring to biblios during authority importing
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org> Signed-off-by: Thomas Klausner <domm@plix.at> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Nick Clemens [Mon, 5 Aug 2024 12:48:04 +0000 (12:48 +0000)]
Bug 35466: Add skip_indexing parameter to bulkmarcimport.pl
This patch adds a new optoin to skip indexing to bulkmarcimport.
It also fixes a bug where authorities were being indexed multiple times
during import.
To test:
1 - Apply patch
2 - Download the sample files on this bug
3 - Perform asearch engine search that should retrieve all records( 'a' in Zebra, '*' in ES)
4 - Note the total (435 in KTD)
5 - perl misc/migration_tools/bulkmarcimport.pl -b -v --file=bug_35466_b.mrc
6 - Search again, note increaed by 100
7 - perl misc/migration_tools/bulkmarcimport.pl -b -v --file=bug_35466_b.mrc --skip_indexing
8 - Search again, no increase
9 - perl misc/search_tools/rebuild_elasticsearch.pl -v
10 - Search again, increase, records were added but not initially indexed
11 - Browse to authorities and search as for biblios
12 - perl misc/migration_tools/bulkmarcimport.pl -a -v --file=bug_35466_a.mrc
13 - Search again, note increase
14 - perl misc/migration_tools/bulkmarcimport.pl -a -v --file=bug_35466_a.mrc --skip_indexing
15 - Search again, no increase
16 - perl misc/search_tools/rebuild_elasticsearch.pl -v
17 - Search again, increase, records were added but not initially indexed
18 - Sign off! Hi5!
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org> Signed-off-by: Thomas Klausner <domm@plix.at> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Owen Leonard [Mon, 17 Jun 2024 15:41:53 +0000 (15:41 +0000)]
Bug 37103: Link log viewer options to corresponding system preference
This patch updates the log viewer interface so that users with the
correct permissions can click a module's "Log not enabled" icon to go
directly to the corresponding system preference for enabling the log.
To test, apply the patch and go to Tools -> Log viewer (must have
"view_system_logs" permission).
- You should see an icon next to each module for which logging is
disabled. Hovering over the icon should give a tooltip: "Log not
enabled."
- If you are logged in as a user with "manage_sysprefs" permission,
clicking the icon should take you directly to the system preference
for enabling or disabling that module's logs.
- If your user does not have "manage_sysprefs" permission the icon
should not be a link.
Sponsored-By: Athens County Public Libraries Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org> Signed-off-by: Laura_Escamilla <laura.escamilla@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Hammat Wele [Thu, 14 Dec 2023 13:59:42 +0000 (13:59 +0000)]
Bug 35508: Update borrowers.updated_on when modifying a patron's attribute
Currently, if you have patron attributes and modify the values in a patron's account, the patron's updated_on date is not updated. This patch makes the "Updated on" change when a patron attribute is updated.
To test:
1. Create a patron attribute type
1.1. Go to Administration > Patron attribute types
1.2. Click New patron attribute
1.3. Fill out the code and description
1.4. Click Save
2. Edit a patron (normal)
2.1. Go to Patrons and find a patron account
2.2. Click Edit
2.3. Change a regular field (e.g. Middle name)
2.4. Click Save
--> Notice the "Updated on" date in the left column has been updated to now
3. Edit a patron attribute
3.1. In another patron account*, click Edit
3.2. Change the value of an attribute
3.3. Click Save
--> Notice the "Updated on" date did not change
4. Apply the patch
4.1 Repeat step 3.1, 3.2, 3.3
--> Notice the "Updated on" date has now changed
Signed-off-by: Esther <esther@bywatersolutions.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Test plan:
0. Apply the 1st patch (the revert)
1. Go to `misc/translator/po`
2. es-ES-messages-js.po
3. Mark "Edit" string as fuzzy (around line 48). It should look like:
```
msgid "Edit"
msgstr "Editar"
```
4. Edit ./intranet-main.tt and add the following lines at the bottom,
inside the `$(document).ready` block:
5. Install the templates
k$ koha-translate --install es-ES --dev kohadev && restart_all
6. Enable *es-ES* by searching for `language` in the sysprefs and switch
to it for the staff interface.
7. Go to the Koha home page, open the browser console
=> FAIL: Notice that the second log in the console is displaying the
fuzzy string (i.e. is being translated when it shouldn't)
8. Apply this patch
9. Re-install the translated templates:
k$ koha-translate --update es-ES --dev kohadev && restart_all
10. Repeat 7
=> SUCCESS: With this patch applied both logs show the English version of the
string.
11. Remove the fuzzy flag on `es-ES-messages-js.po`
12. Repeat 9 and 10
=> SUCCESS: The results are similar to step 7, but in this case they are
expected as the string is not marked fuzzy.
13. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
In fact the system adds a previous value to the progress. As if the system keeps a previous value and adds the correct count of records in addition.
This patch removes the previously stored value.
To test:
1. Go to Cataloging > Stage records for import
2. Choose a file with bibliographic records and click Upload file
3. In "Look for existing records in catalog?" choose a record matching rule (e.g. ISBN)
4. Click Stage for import
5. Click View detail of the enqueued job
--> Progress show 2/1
6. Apply the patch
7. Repeat steps 1 to 4
8. Click View detail of the enqueued job
--> Progress show 1/1
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
qa script:
Commit title does not start with 'Bug XXXXX: ' - d1bebb34d7
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Fixed patch subject line Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Bug 37304: Fix created by filter in Acquisitions advanced search
This patch updates the field for the created by filter from
ui.item.borrowernumber to ui.item.patron_id
Test plan:
1. Add a vendor and a basket
2. Use advanced order search to search for created by 'koha'
3. Use the autofill dropdown to make the selection and click 'Search'
4. Your search returned no results.
5. Apply patch and repeat steps 2 and 3
6. Confirm the search returns the basket you created earlier
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl> Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Bo Gustavsson [Wed, 4 Sep 2024 19:49:47 +0000 (21:49 +0200)]
Bug 37836: Prevent submitting empty barcodes in Self check-in
This patch disbles the "Submit" button when the barcode field is empty.
To test this patch:
Add the patch to your koha clone
Enable the "SelfCheckInModule".
Open the page and the "Submit" button should be disabled when the barcode field is empty.
Signed-off-by: Sam Sowanick <sam.sowanick@corvallisoregon.gov> Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Hammat Wele [Tue, 11 Jun 2024 14:08:45 +0000 (14:08 +0000)]
Bug 37070: Incorrect barcode generation when adding orders to basket
When the autoBarcode preference is set to « generated in the form 1, 2, 3 » and the maximum barcode is length 16 (ex 1000000000000000),
when adding orders to the basket,the numbers generated are in the hexadecimal form.
to reproduce:
1- Set the system preference autoBarcode to « generated in the form 1, 2, 3 »
2- Search for a biblio record
3- In the record details, click on New -> New item
4- fill the Barcode field to a number with length 16 (1000000000000000) and add the item
5- Create a suggestion
5-1- Go to Acquisitions and click on suggestions
5-2- Create a suggestion and accept it
6- Add a new order to a basket
6-1- Go to Acquisitions and find a vendor
6-2- Create a new Basket
6-3- on the Basket click on 'Add to basket' and select 'From a suggestion'
6-4- Add the order created on 5-2- to the basket
6-5- On the item form click on Add item
6-6- Select a Fund and save the order
7- In the orders table click on the record and check the item Barcode
---> the Barcode is in hexadecimal form
8- Cancel order and delete the catalog record
9- Apply the patch
10- Repeat step 6-4, 6-5, 6-6
11- Check the item Barcode
---> the Barcode is not in hexadecimal form
12- run prove t/db_dependent/Barcodes.t
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Bug 37606: Fix framework export module to escape double quotes
When exporting a framework as csv, the exporter does not check the presence of double quote in the fields. Hence, if there is one double quote, the csv is broken.
TEST PLAN:
1 - Change a framework to add a field containing double quote in name
2 - Export it in csv
3 - Create a new framework
4 - Import the csv in the new framework -> every fields after the one
containing double quotes should be broke. Every other fields should have
no subfield
5 - APPLY PATCH
6 - Repeat 2-5 -> everything should be correctly exported
Signed-off-by: Sukhmandeep Benipal <sukhmandeep.benipal@inLibro.com> Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Bug 38012: Remove ispermanent from returns and branchtransfers
To test:
There should be no change in behavior, as this code is not referred to elsewhere in Koha. Make sure you can still do checkeckins and transfers.
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org> Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Phil Ringnalda [Fri, 20 Sep 2024 21:43:35 +0000 (14:43 -0700)]
Bug 37977: Fix some issues with labels in inventory form
The inventory form has several issues with labels with a for attribute that
doesn't match the id of the input, so the label doesn't actually get linked
to anything.
Test plan:
1. Without the patch, go to Cataloging - Inventory
2. In the section for "Item location filters" click the label for "Shelving
location (items.location) is", which will focus the select menu, then
press the down arrow on the keyboard to see that it's focused by opening
the select menu.
3. Click in a blank spot to close the select menu, then click the label for
"Collection" and press the down arrow key, which will scroll the page
since the label didn't focus the menu, and repeat with "Call number
classification scheme" which also will scroll the page when you press
down arrow.
4. In the section for "Optional filters for inventory list or comparing
barcodes" click any of the labels below items.notforloan - clicking a
checkbox label should toggle whether the checkbox is checked, but it
will not
5. Apply patch, refresh page
6. Repeat steps 3 and 4, but this time you will get the proper behavior,
focusing the select menus and toggling the checkboxes
Sponsored-by: Chetco Community Public Library Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Jonathan Druart [Wed, 4 Sep 2024 12:24:45 +0000 (14:24 +0200)]
Bug 37905: Fix parameter name
It's named enqueued_date on the API side, not enqueued_on (which is the DB
column's name)
No behaviour change expected here.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Jonathan Druart [Wed, 4 Sep 2024 12:20:33 +0000 (14:20 +0200)]
Bug 37905: Use correct RFC3339 formatted date to the server
This patch suggests to revert the previous attempt to fix this problem.
The date was using the client-side's tz and so the "last hour" was not
matching the one from the server.
With bug 37831 with simply need to pass a rfc3339-formatted date and the
filtering will be done as expected.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
https://bugs.koha-community.org/show_bug.cgi?id=37905 Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Jonathan Druart [Wed, 18 Sep 2024 07:49:50 +0000 (09:49 +0200)]
Bug 37902: Apply exact match for datetime
We do not want to apply "like" and do a "contains" search if a correctly
formatted date is passed (ie. starting with "YYYY-MM-DD HH:MM:SS")
It causes underlying problems if we add '%' characters to this string as
it will then become an invalid date.
There are several ways of dealing with this problem. This patch is
suggesting the easiest path: Apply an exact search (ie. do not add '%')
if the value appears to be a datetime.
Certainly not the best looking patch but it seems to be quite effective:
* no need to change the client
* no need to rework build_query_params, merge_q_params, attributes_from_api
We could (to confirm) pass the result set, but it seems a lot of additional processing
(that is done later already, in attributes_from_api)
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Jonathan Druart [Thu, 12 Sep 2024 10:01:58 +0000 (12:01 +0200)]
Bug 37902: Add tests
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Jonathan Druart [Mon, 16 Sep 2024 08:43:13 +0000 (10:43 +0200)]
Bug 37902: Do not convert a date if it has like markers
If we pass a datetime parameter we are adding "like" operator and % at
the beginning and ending of the attribute value.
For instance:
attributes=2024-09-16 10:11:12
attributes:{ like => '%2024-09-16 10:11:12%' }
We do not want to reach the fixup code and raise an exception.
However I don't think we should add the like for datetime attributes
actually. But can we modify this behaviour now?
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Jonathan Druart [Thu, 12 Sep 2024 14:06:36 +0000 (16:06 +0200)]
Bug 37902: Adjust timezone
We didn't take into account the server's timezone.
This does not feel right, we are not supposed to deal with time zone
outside of Koha::DateUtils.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Jonathan Druart [Thu, 12 Sep 2024 10:35:33 +0000 (12:35 +0200)]
Bug 37902: TODOs
There are still different structures we won't handle properly.
This patch adds conditionals to prevent failures or warnings.
Should be done, but later.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Jonathan Druart [Thu, 12 Sep 2024 09:19:36 +0000 (11:19 +0200)]
Bug 37902: Make sure we loop over if a structure is passed
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Jonathan Druart [Thu, 12 Sep 2024 08:41:18 +0000 (10:41 +0200)]
Bug 37902: Make sure filtered_params are converted
Previously we only adjusted the attributes that were passed directly,
not the ones in 'q' (which is the recommended way now)
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Jonathan Druart [Mon, 26 Aug 2024 09:03:05 +0000 (11:03 +0200)]
Bug 37728: Adjust test to catch more missing 'op' in POSTed forms
The test is not catching missing op in forms that are not the first POST
form of the template.
Found when fixing the test for bug 37309. It was not catching the
missing op in the second form.
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org> Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Phil Ringnalda [Tue, 24 Sep 2024 02:40:32 +0000 (19:40 -0700)]
Bug 37728: (follow-up) Tell the test that opac-illrequests.tt has an op
xt/find-missing-op-in-forms.t wants to see name="op" value="cud-..." in any
form with method="post", but opac-illrequests.tt inserts its op input by
passing around whole and unpack and repacking whole.keys which includes
the op. We just need to tell the test that it really exists.
At first, I thought of this approach as a joke, faking out the test, but
when I tried to be more responsible and put a whole <input type="hidden" etc.
in the comment, I realized that would be more likely to confuse someone
who thought that was uncommented and that they were making real changes than
it would be to future-proof against changes in the test's approach.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
members/cancel-charge.pl will take either a POST or a GET, and as long as the
accountline_id it is passed can be cancelled, will cancel it. That means any
link you click anywhere while logged in to Koha might cancel a charge. It also
takes a borrowernumber which isn't used for the cancelling, only to determine
what account to show after a charge is cancelled, letting a malicious link
show an account other than the one whose charge was just cancelled.
Test plan:
1. Without the patch, Circulation - Checkout - search for the 'koha' patron
you log in as
2. Accounting - Create manual invoice - Make it a Manual fee of 100.00 and
Save
3. Pretending it's a well-disguised link in a spear-phishing email, load
http://localhost:8081/cgi-bin/koha/members/cancel-charge.pl?borrowernumber=5&accountlines_id=1
4. You are now looking at charges for the patron Acosta, Edna rather than for
the patron koha, but if you look at the patron koha, its 100.00 charge
has been cancelled.
5. Apply patch and reset_all (or if you don't, you'll have to manually adjust
the link to reflect the charge being accountlines_id 3 rather than 1)
6. Circulation - Checkout - search for the 'koha' patron you log in as
7. Accounting - Create manual invoice - Make it a Manual fee of 100.00 and
Save
8. Click the link http://localhost:8081/cgi-bin/koha/members/cancel-charge.pl?borrowernumber=5&accountlines_id=1
9. You got a 403 because you didn't pass the op cud-cancel, but if you did
pass that op, you would also get a 403 for having a cud- op in a GET (and
if you POST, you won't have a csrf_token)
10. Checkout - search for koha - Accounting - Cancel charge
11. Having done it the right way, you're now on koha's list of transactions,
where you can see you just cancelled it
Sponsored-by: Chetco Community Public Library Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Jonathan Druart [Thu, 17 Oct 2024 09:11:26 +0000 (11:11 +0200)]
Bug 38190: Remove JS error on suggestion page
This code could appear several time as we include it in modals
Test plan:
Go on http://localhost:8081/cgi-bin/koha/suggestion/suggestion.pl
Open the console
Notice that without this patch you see a JS error
Uncaught SyntaxError: redeclaration of const av_bsort1
With this patch applied the error is gone.
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Bug 37892: (QA follow-up) Add tests for ->is_guarantor/ee
Test plan:
Run t/db_dependent/Koha/Patron.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Nick Clemens [Wed, 11 Sep 2024 14:04:17 +0000 (14:04 +0000)]
Bug 37892: Fix guarantor restriction, add tests
[SQUASHED IN QA]
These patches will alter the checks for a patron that prevent a category with
'can_be_guarantee' from being a guarantor. Two patrons in the same category should be
allowed to have a guarantee/guarantor relationship
The tests below assume you are using the KTD sample data. Update borrowernumbers if not.
To test:
0 - Apply tests patch
1 - Set the 'Patron' category as 'Can be a guarantee'
2 - Add a relationship between two patrons of the same category
This is restricted from the staff interface
perl -e 'use Koha::Patrons; my $p = Koha::Patrons->find(5)->add_guarantor({ guarantor_id => 23, relationship => 'father'});'
3 - Note there is no warning or exception. This should be allowed.
4 - Checkout an item to Edna (borrowernumber 5)
5 - Set 'TrackLastPatronActivityTriggers' to 'Checking in an item'
6 - Try to check the item in, KABOOM
7 - Set 'TrackLastPatronActivityTriggers' to 'Checking out an item'
8 - Try to issue an item to Enda, KABOOM
9 - prove -v t/db_dependent/Koha/Patron.t, fail
10 - Apply second patch
11 - prove -v t/db_dependent/Koha/Patron.t, one more test passes, but then fail
12 - Apply third patch
13 - prove -v t/db_dependent/Koha/Patron.t, pass!
14 - restart_all
15 - Checkout to Enda, OK!
16 - Checkin from Edna, OK!
17 - Find two more patrons in the category and attempt to link them
18 - 'Guarantor cannot be a guarantee'
19 - Apply fourth patch
20 - You can add a guarantor from the same category in interface
21 - Try to add a guarantor to the guarantor assigned in 20
22 - Confirm you cannot add a guarantor - "Guarantor cannot be a guarantee"
TEST PLAN:
1 - Do the 22 parts of the test plan
2 - Add a guarantor to one patron not selected before (let's say A is
the guarantee, B the guarantor)
3 - Try and add a guarantor to B -> you will success
4 - Remove B's guarantor
5 - Apply this patch
6 - Repeat 3 -> you will not be able to
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT]
Renamed a subtest to patron creation tests in Patron.t. Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Johanna Räisä [Thu, 1 Aug 2024 05:46:09 +0000 (08:46 +0300)]
Bug 37528: check if selected relationship is valid
This patch checks if the selected relationship is valid before trying to save the patron record.
It takes the list of valid relationships from borrowerRelationships syspref and checks if the selected relationship is in the list.
Also this patch fixes relationship field required message when BorrowerMandatoryField is not set.
The required message is shown when adding the guarantee from guarantor's detail page.
Test plan:
1) Add at least one option to borrowerRelationships syspref.
2) Leave the relationship unchecked from BorrowerMandatoryField syspref.
3) Create a new guarantee patron.
4) Add a guarantor to the guarantee patron.
5) Leave the relationship field empty and try to save the patron record.
6) Notice the 500 error page.
7) Apply the patch.
8) Repeat steps 3-5.
9) Notice the error message "Guarantor relationship is invalid".
Sponsored-by: Koha-Suomi Oy Signed-off-by: Olivier V <olivier.vezina@inLibro.com> Signed-off-by: Baptiste Wojtkowski <baptiste.wojtkowski@biblibre.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Lucas Gass [Tue, 15 Oct 2024 23:50:00 +0000 (23:50 +0000)]
Bug 38183: Get the active tab number from data-attribute
To test:
1. Have more than 1 staff member who can manage suggestions
2. Create some suggestions
3. Move some suggestions to different statuses (Pending/Accepted/Rejected) so you have multiple tabs on the "Suggestions management" page.
4. Go to the first tab, check some suggestions, and click "Select manager" under "Update manager".
5. Pick a new manager, notice nothing changes on that tab.
6. Now look at the last tab in your list of tabs, see the suggestion manager has been set incorrectly to the last tab.
7. APPLY PATCH
8. Try 4-5 again. The manager should be selected correctly.
9. Try setting the manaager from every tab, making sure it works right.
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Emily Lamancusa [Fri, 11 Oct 2024 19:26:25 +0000 (15:26 -0400)]
Bug 38156: Sort issues by borrowernumber before parallel chunking
When the automatic renewal cron job is using parallel processing, it
aims to process all of the renewals for any given patron together in one
chunk to avoid data conflicts. To accomplish this, it starts a new data
chunk each time it encounters a new patron. However, if a patron's
renewing checkouts aren't all consecutive in the database, that patron's
data ends up split across multiple chunks.
We need to sort the issues by borrowernumber before attempting to chunk
them in order to make sure they are chunked and processed correctly.
To test (using KTD default test data):
Setup:
1. Edit the default circulation rule:
- Set Automatic renewal to "Yes"
- Set No automatic renewal before to 3
2. Open the following patron accounts in separate tabs:
- Floyd Delgado
- Joyce Gaines
- Edna Acosta
- Mary Burton
3. Perform the following patron account edits for each of the above
patrons (and keep the tabs open):
- Enable automatic renewal notices, and set them to digests only
- Add a value to the email field
4. Enter the kshell (ktd --shell)
5. Edit /etc/koha/sites/kohadev/koha-conf.xml, and add the following
lines near the end, just above the </config> and </yazgfs> closing
tags:
<auto_renew_cronjob>
<parallel_loops_count>2</parallel_loops_count>
</auto_renew_cronjob>
6. restart_all
Reproducing the issue:
7. Apply the test patch only
8. Run perl generate_checkouts.pl to generate test data
9. perl misc/cronjobs/automatic_renewals.pl -v -c
--> The test patch added output that will show how the renewals were
chunked into "chunk 0" and "chunk 1" for the two parallel loops.
Note that the issues for each borrower are not processed nicely in
one chunk, but are separated across multiple chunks and alternated
with other borrowers.
10. Check the checkouts for each of the four patrons from above
--> All checkouts should have renewed
11. Check the notices tab for each of the four patrons
--> Notice errors in the automatic renewal digest notices. A patron's
renewals may be split across multiple digests, a digest may be
missing renewals, or a patron may not have received a digest at all
Testing the patch:
12. Apply the second patch
13. Reset the due dates on all checkouts so that they will all be
eligible for automatic renewal again:
- koha-mysql kohadev
- UPDATE issues SET date_due=<two days from today>;
14. perl misc/cronjobs/automatic_renewals.pl -v -c
--> Note that the renewals are now correctly chunked by patron
15. Check the checkouts and notices tab for each of the four patrons
--> All checkouts should have renewed, and all patrons should have a
single new Auto Renewals Digest notice that correctly lists all of
their renewed items
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Edit: tidied the code block inline (tcohen) Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Bug 13342: Not logged user can place a review/comment
We are able to comment a notice even when no user is connected
To test
1. Log in to OPAC.
2. Find a Biblio and open the comments tab.
3. Open another tab/window, and log out from the account.
4. Return to the first tab.
5. Click "Post your comments on this title."
--> We are able to post a comment
6. Apply the patch
7. Repeat step 1, 2, 3, 4, 5
--> You should be redirected to the login page.
Signed-off-by: David Cook <dcook@prosentient.com.au>
Bug 13342: Tidy
Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Jonathan Druart [Wed, 28 Aug 2024 10:18:06 +0000 (12:18 +0200)]
Bug 37720: Prevent XSS in label creator
Because labels/label-edit-batch.pl fills a DataTable with things that include
a link created by C4/Creators/Lib.pm, it outputs them with the $raw filter,
so HTML in author/title/callnumber is executed in the label batch editor.
While we wait for a fix that moves the link creation into the template and
out of C4, encoding HTML in Lib.pm for the bits going into the link, and
switching from $raw to the html filter for the rest of the things, will at
least get rid of the XSS.
Test plan:
1. Without this patch, but with the patch from bug 37654 so you don't get
alert()s in batch import, download attachment 170675 [details]
2. Cataloging - Stage records for import - browse to the downloaded file -
Upload file - when the upload finishes Stage for import - when staging
finishes View batch (get alert()s if you didn't apply bug 37654) - Import
this batch into the catalog
3. Once the import finishes, Cataloging - Manage staged records
4. In the row for your import, in the # Items column, click "(Create label
batch)"
5. In the "Label batch #n created" message, click the link to the batch #
6. Because the batch includes a call number with an open <script>, you'll
get XSS alert()s and then one about something going wrong while loading
the table, with only one of the two records showing in the batch editor
7. Apply patch, restart_all
8. Cataloging - Label creator - Manage Label batches
9. In the row for your batch, click Edit
10. You will see both labels, with their attempts at XSS visible as text
rather than being interpreted as HTML
Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
David Cook [Tue, 20 Aug 2024 00:54:38 +0000 (00:54 +0000)]
Bug 37681: Fix XSS in staff interface item URLs on detail page
This patch uses Javascript objects and safe sinks to prevent XSS
in the item URLs on the staff interface detail page.
It also makes sure those URLs don't get double-escaped. Yippee!
Test plan:
0. Apply the patch
1. Add/edit an item with the following URL:
http://prosentient.com.au?q=http%3A%2F%2Fprosentient.com.au
2. Add/edit a different item with the following URLs:
http://prosentient.com.au?q=http%3A%2F%2Fprosentient.com.au |
http://prosentient.com.au?q=http%3A%2F%2Fprosentient.com.au
3. Go to the staff interface detail page
4. Notice that the URLs are not double-encoded!
5. Try out a malicious payload (talk to QA/security about this)
6. Confirm that the malicious payload fails to execute the XSS
7. Celebrate!
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Julian Maurice [Tue, 14 May 2024 07:34:31 +0000 (09:34 +0200)]
Bug 36598: Add comments asking to keep both CSRF checks in sync
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Julian Maurice [Tue, 14 May 2024 07:15:50 +0000 (09:15 +0200)]
Bug 36598: Prevent use of unsafe HTTP method with non-cud op parameter
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Julian Maurice [Mon, 13 May 2024 13:06:04 +0000 (15:06 +0200)]
Bug 36598: Improve documentation and error message in CSRF plugin
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Julian Maurice [Fri, 3 May 2024 07:17:37 +0000 (09:17 +0200)]
Bug 36598: Fix CSRF header name (underscore -> hyphen)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Julian Maurice [Mon, 15 Apr 2024 07:08:48 +0000 (09:08 +0200)]
Bug 36598: Prohibit CUD operations with safe HTTP methods (GET/HEAD/...)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Julian Maurice [Fri, 12 Apr 2024 13:08:17 +0000 (15:08 +0200)]
Bug 36598: Enable CSRF protection for Mojolicious apps
Test plan:
1. Run bin/opac daemon -l http://*:3001/
2. Go to http://localhost:3001/cgi-bin/koha/opac-user.pl
3. With browser devtools, locate csrf_token hidden input within the
login form and remove it or modify it
4. Try to submit the form with correct credentials, it should fail
("Wrong CSRF token")
5. Reload the page, try to log in normally without modifying the DOM, it
should succeed
6. Run bin/intranet daemon -l http://*:3002/
7. Go to http://localhost:3002/cgi-bin/koha/mainpage.pl
8. With browser devtools, locate csrf_token hidden input within the
login form and remove it or modify it
9. Try to submit the form with correct credentials, it should fail
("Wrong CSRF token")
10. Reload the page, try to log in normally without modifying the DOM,
it should succeed
11. Run prove t/db_dependent/mojo/csrf.t
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Phil Ringnalda [Fri, 16 Aug 2024 02:57:42 +0000 (19:57 -0700)]
Bug 37654: XSS in Batch record import for Citation column
Viewing a staged MARC record batch loads a DataTable from
/tools/batch_records_ajax.pl, and both batch_records_ajax.pl and the
DataTable just trust the author/title/isbn/issn to be free of HTML. They
shouldn't.
Test plan:
1. Without this patch applied, download attachment 170418, then Cataloging
- Stage records for import - Select the downloaded file - Upload file -
Stage for import
2. When the background job completes, View batch - you'll get three alert()s
from the title, author, and ISSN, and the author and ISSN displayed huge
3. Apply patch, restart_all
4. Manage staged records - click HTMLescapingimporttestrecord.mrc - get zero
alerts and no <h2> display
Sponsored-by: Chetco Community Public Library Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Phil Ringnalda [Fri, 16 Aug 2024 04:22:12 +0000 (21:22 -0700)]
Bug 37656: XSS in Advanced editor from Z39.50 search results
The Advanced editor inserts data from Z39.50 results into the search results
page without escaping HTML. Whether it's German records with "<<A>> Title"
or someone with a compromised catalog or a book with the title "<em> for
emphasis" it shouldn't.
Test plan:
1. Not a dependency, but you'll avoid getting even more alerts while batch
importing by starting with the patch from bug 37654
2. Without this patch applied, download attachment 170421
3. Administration - set the preference EnableAdvancedCatalogingEditor to
Enable
4. Cataloging - Stage records for import - browse to the downloaded file -
Upload file - Stage for import
5. Once the background job finishes, View batch (getting alerts if you
didn't apply the patch from bug 37654) - Import this batch into the
catalog
6. When the import finishes, Search the catalog for script, on the imported
record Edit record (if you wind up in the basic editor, Settings - Switch
to Advanced editor)
7. In the left sidebar below the search inputs, click Advanced », check
the checkbox for Local catalog and uncheck any others, then search for
the Title script
8. You'll get five alerts, and the word "edition" displayed in huge text
9. Close the search popup, apply patch, shift+reload the advanced editor
page to clear your cache
10. Repeat step 7, but this time you won't get any alerts, and you'll see
the title and the other <script> inclusions.
Sponsored-by: Chetco Community Public Library Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Phil Ringnalda [Thu, 15 Aug 2024 22:41:18 +0000 (15:41 -0700)]
Bug 37655: Basic editor needs to HTML-escape the bib record title used as a heading
We stick the title of a bib record you are editing in the basic editor into
an <h1> without escaping any HTML it might contain. We should instead escape
it.
Test plan:
1. Without the patch, search for any record in the catalog and click Edit
record (if you are in the advanced editor, switch to the basic one)
2. Tab 2, Field 245, Subfield a, paste <script>alert('boo ❤')</script><h2>
at the end of the subfield
3. Save, then from the record detail page select Edit - Edit record
4. You will have gotten an alert(), and the entire form will be the size
of an <h2>. That's ugly, so go back to the detail page.
5. Apply patch, restart_all
6. Edit - Edit record
7. Now you should not get an alert, the whole title inluding the <script>
should display in italics, and the "(Record number nnn)" after it should
not be italicized.
Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Bug 37838: Fix broken remove button in course reserves
To test:
1) Go to staff client -> Course reserves
2) Create a course or go to an existing course
3) Add reserves to the course (will need at least 21 items to be able to go to a second page of results)
4) Go to the second page of results on the course details page
5) Click the Remove button next to a result
6) Notice how the button just makes the page move to the top
7) Apply patch
8) Repeat steps 1-5
9) Notice how the remove button is working as expected
Sponsored-by: Toi Ohomai Institute of Technology Signed-off-by: Sam Sowanick <sam.sowanick@corvallisoregon.gov> Signed-off-by: Laura_Escamilla <laura.escamilla@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Jonathan Druart [Tue, 8 Oct 2024 08:43:41 +0000 (10:43 +0200)]
Bug 38112: Restore description of patrons search
Certainly caused by bug 35329.
We used to display a description of the patrons search, but it is no longer displayed.
Test plan:
On the main patrons search select some values in the form on the left
and search. You should see a "Patrons found for: " h3 that will be
displayed and is supposed to describe the current search.
I don't think it's working very well to be honest, maybe a candidate for
candidate, especially if nobody else noticed its disappearance.
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org> Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Lucas Gass [Sat, 12 Oct 2024 14:28:57 +0000 (14:28 +0000)]
Bug 38162: Pass the rota_id correctly when deleting
To test:
1. Enable StockRotation
2. Got to Cataloging -> Stock rotation
3. Create a new Rota
4. Try to delete it
5. See the error "Can't call method "delete" on an undefined value at /kohadevbox/koha/tools/stockrotation.pl line 231"
6. APPLY PATCH
7. Try again, the rota should be deleted properly.
Signed-off-by: Laura ONeil <laura@bywatersolutions.com> Signed-off-by: Alyssa <alyssa.drake@bywatersolutions.com> Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Emily Lamancusa [Thu, 10 Oct 2024 18:31:45 +0000 (14:31 -0400)]
Bug 38146: Display full datetime of datelastseen in item holdings
To test:
1. Check in an item
2. Look at the item holdings table for the bib record that item is on
--> Note the date last seen column displays dates, but not the time
3. Apply patch and restart_all
4. Refresh the page
--> Date last seen column now shows the time you checked the item in
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Nick Clemens [Tue, 8 Oct 2024 18:10:46 +0000 (18:10 +0000)]
Bug 38126: Skip allocated holds when filling from transport cost matrix
This patch simply weeds out allocated holds before filling from the matrix
To test:
1 - Enable RealTimeHoldsQueue
2 - Enable UseTransportCostMatrix
3 - Enable LocalHoldsPriority Give/Home/Home
4 - Administration - Transport cost matrix - enable transfers to/from Centreville and other libraries, add a cost, and save
5 - Find a bib with a Centerville item
6 - Place a hold for a centerville patron
7 - Circulation - Holds queue - All libraries
8 - Note hold is entered twice
9 - On command line:
perl misc/cronjobs/holds/build_holds_queue.pl --force
10 - Run holds queue again, still there twice
11 - Apply patch
12 - On command line:
perl misc/cronjobs/holds/build_holds_queue.pl --force
Confirm allocated only once
13 - Delete hold, place again from bib record (to test real time allocation)
14 - Confirm allocated only once
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This enhancement renames the bookings circulation rules to better describe what they do.
To test:
1. Go to Koha Administration -> Circulation and fines rules
2. Scroll to the 'Default holds and bookings policies by item type' section
3. Notice the bookings rules in this table:
- Booking preparation period
- Booking precaution period
4. Apply the patch and refresh the page
5. Confirm the bookings have been renamed to:
- Booking pre-processing (days)
- Booking post-processing (days)
6. Confirm these names make sense and it is clear what the rules are used for and how they are applied
7. Put values in the input fields for these rules and confirm saving a rule works as expected
Sponsored-by: Catalyst IT Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
1. In the staff interface, go to More > Suggestions > New purchase
suggestion
2. Click 'Select manager'
=> With this patch you see a note regarding permissions
3. Search for 'alford' (for example)
=> User is not returned, they do not have the suggestion permission
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Owen Leonard [Thu, 27 Jun 2024 19:15:11 +0000 (19:15 +0000)]
Bug 36742: Do not show library selection options if there is one or fewer public libraries
If a system has only one library or only one library which is public we
don't need to show library-selection menus. It doesn't make sense to
show a dropdown with only one choice.
This patch updates instances of Branches.all to add a "public => 1"
parameter.
To test, apply the patch and start with a set of multiple public
libraries in your system (where public means the entry in Administration
-> Libraries for that library has the "Public" option set to "Yes").
Log in to the OPAC test these pages, in each case confirming that the
the library dropdown appears correctly.
- OPAC home page (with OpacAddMastheadLibraryPulldown enabled)
- OPAC news section (with existing news items and OpacNewsLibrarySelect
enabled)
- Advanced search (Location and availability section)
- The "Most popular" page (with OpacTopissue enabled)
- The suggestion entry form (with suggestion enabled)
- The article request entry form (with ArticleRequests enabled and
circulation rules configured to allow requests)
Test again with only one library or only one public library.
Test again with no public libraries.
Sponsored-by: Athens County Public Libraries Signed-off-by: Jake Deery <jake.deery@ptfs-europe.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
To test:
1: Enable ShowAllCheckins
2: Check in an item that was not checked out
3: Find "Item was not checked in" message in checkin table, confirm its only class is "problem"
4: apply patch, restart_all
5: repeat 2
6: confirm "Item was not checked in" now has the class "not_returned"
Signed-off-by: Eric Phetteplace <phette23@gmail.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
CJ Lynce [Thu, 3 Oct 2024 18:02:47 +0000 (18:02 +0000)]
Bug 38081: maskitoTimeOptionsGenerator does not properly support 12-hour times in calendar.inc
This patch corrects an issue where flatpickr time-only input boxes
boxes were not having their inputs masked (limited) properly
due to maskitoTimeOptionsGenerator not properly supporting
12-hour time inputs for time-only input boxes.
To test:
1. Login to the staff intranet.
2. Open Administration->Libraries-> Edit any library.
3. Open your browser's development console (typically via F12)
Verify a 'TypeError' message has been thrown for this page.
4. Type in any text into any of the opening hours
This should be limiting only to properly formatted HH:MM.
5. Apply patch
6. Repeat steps 2-4
Verify no errors show on your browser's development console.
Verify opening hours entry are limited to proper HH:MM format.
7. Open Administration->System Preferences and change TimeFormat
to 12-hours, Save.
8. Repeat steps 2-4
Verify opening hours text entry are limited to properly
formatted HH:MM AM/PM (or am/pm)
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Laura Escamilla [Wed, 15 May 2024 15:34:22 +0000 (15:34 +0000)]
Bug 13945: Prevent multiple dialog modals from popping up when capturing a hold at checkin
1. Select/Create Library Branches:
- Select or create two library branches: Library A and Library B.
2. Locate/Create Item:
- Locate or create an item with the "Current library" and "Home library" set to Library A.
3. Place Hold:
- Place a hold on the item for a patron whose pickup location is Library B.
4. Check-in at Library A - First Attempt:
- Check in the item at Library A.
- Verify that the 'Hold found' modal pops up.
- Click on 'Confirm hold and transfer'.
5. Check-in at Library A - Second Attempt:
- Check in the item at Library A again.
- Verify that the 'Hold found' modal pops up.
- Click on 'Ignore'.
- Verify that the 'Please return this item to (Library B)' modal has popped up behind it.
6. Apply Patch and Restart:
- Apply the patch to the system.
- Restart all relevant services.
7. Repeat Check-in Process:
- Repeat steps 4 and 5.
- Verify that no matter how many times you check in the item and hit 'Ignore' or 'Confirm the hold', the second modal does not pop up.
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Jan Kissig [Thu, 25 Apr 2024 09:13:55 +0000 (11:13 +0200)]
Bug 23426: Add fine items to patron information response in SIP2
This patch adds fine items (AV) to patron information response in SIP2
In addition the active currency we be part of the response (BH)
This also fixes the number of items in the response which are specified in BP and BQ in the request
to test:
a) create a manual invoice for patron 23529000035676 : http://localhost:8081/cgi-bin/koha/members/maninvoice.pl?borrowernumber=19
b) in ktd call: perl /usr/share/koha/bin/sip_cli_emulator.pl -a 127.0.0.1 -p 6001 -su term1 -sp term1 -l CPL --patron 23529000035676 -m patron_information -s " Y "
c) verify that no |AV field is in response
d) apply patch
e) in ktd call: perl /usr/share/koha/bin/sip_cli_emulator.pl -a 127.0.0.1 -p 6001 -su term1 -sp term1 -l CPL --patron 23529000035676 -m patron_information -s " Y "
f) verify that response includes fields like '|AVManual fee '
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Tidied inline Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Olivier V <olivier.vezina@inLibro.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Bug 37791: Fix 'Biblio not found' messages on the API
This patch fixes some API-related cases of 'Biblio' terminology
incorrectly used.
To test:
1. Run:
$ ktd --shell
k$ git grep 'Biblio not found'
=> FAIL: Several occurences
2. Run:
k$ git grep 'render_resource_not_found("Biblio")'
=> FAIL: Several occurences
3. Apply this patches
4. Repeat 1 and 2
=> SUCCESS: No more occurences!
5. Run:
k$ prove t/db_dependent/api/v1/
=> SUCCESS: Tests pass!
6. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Olivier V <olivier.vezina@inLibro.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Jonathan Druart [Wed, 9 Oct 2024 14:01:48 +0000 (16:01 +0200)]
Bug 37945: Remove fixedHeader for sysprefs
It breaks the scroll when a subsection is clicked.
Signed-off-by: Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Phil Ringnalda [Wed, 2 Oct 2024 04:34:10 +0000 (21:34 -0700)]
Bug 38057: Fix checkmarks in Change framework menu in Advanced editor after Bootstrap5 update
The advanced editor was using a class hidden from bootstrap.min.css to
hide checkmarks in the part of the Settings menu that lets you change
frameworks. Now that's gone, so it needs to have its own class.
Test plan:
1. Set the preference EnableAdvancedCatalogingEditor to Enable
2. Cataloging - Advanced editor - click the Settings menu
3. In Change framework, ... checkmarks, checkmarks everywhere, and they
don't change when you choose a different one, so after the first
change you can't even tell what's current
4. Apply patch, Shift+Reload the advanced editor page to bypass the cache
5. Click the Setting menu, see that only the current framework has a
checkmark, change to a different one and reopen the Settings menu,
see that the one you changed to now has the only checkmark
Sponsored-by: Chetco Community Public Library Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com> Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>