]> git.koha-community.org Git - koha.git/log
koha.git
5 months agoBug 36575: Adjust checkpw_internal to return patron
Nick Clemens [Wed, 24 Apr 2024 15:06:22 +0000 (15:06 +0000)]
Bug 36575: Adjust checkpw_internal to return patron

This patch refactors checkpw_internal to remove the SQL code, use patron ojbects, and return the
patron that correctly matches the userid/caerdnumber when auth is successful

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoBug 36575: (bug 34893 follow-up) Return patron when autocreating in Shibboleth
Nick Clemens [Wed, 24 Apr 2024 14:25:40 +0000 (14:25 +0000)]
Bug 36575: (bug 34893 follow-up) Return patron when autocreating in Shibboleth

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoBug 36575: (bug 34893 follow-up) Return patron from LDAP
Nick Clemens [Wed, 24 Apr 2024 14:23:51 +0000 (14:23 +0000)]
Bug 36575: (bug 34893 follow-up) Return patron from LDAP

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoBug 36575: (QA follow-up)
Martin Renvoize [Thu, 11 Apr 2024 10:18:30 +0000 (12:18 +0200)]
Bug 36575: (QA follow-up)

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoBug 36575: Return correct patron when there is a shared userid / cardnumber
Nick Clemens [Thu, 11 Apr 2024 09:39:03 +0000 (09:39 +0000)]
Bug 36575: Return correct patron when there is a shared userid / cardnumber

This patch moves some patron fetching code in C4/Auth to use to patron returned from the validation
methods and only try to fetch the patron (to check if locked, update attempts, etc) if we didn't authenticate

To test:
1 - Set a user to have userid = BANANA password = Password1
2 - Set a user to have cardnumber = BANANA password = Password2
3 - Hit the patron authentication API:
    http://localhost:8080/api/v1/auth/password/validation
    with data:
    { "identifier": "BANANA", "password":"Password1" }
    and:
    { "identifier": "BANANA", "password":"Password2" }
4 - Note you receive the same response for both
5 - Apply patch, restart all
6 - Repeat the API and confirm you get the correct patron for the password submitted

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoBug 36520: Sanitize input in opac-sendbasket.pl
Chris Cormack [Mon, 13 May 2024 02:26:13 +0000 (02:26 +0000)]
Bug 36520: Sanitize input in opac-sendbasket.pl

To test
1/ Add some items to your cart in the opac
2/ Choose send cart
3/ Open firefox developer tools and switch to the network tab
4/ Send cart
5/ In the network tab, find the post request and choose copy as curl
6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+-  to the bib_list parameter
7/ Run the curl notice it takes a long time to respond, if you want to check run the curl without the above part added
8/ Apply the patch and restart plack
9/ Run the modified curl and notice no longer the slow down
10/ Test in browser and make sure the basket is still sent

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoBug 36520: Prevent SQL injection in GetPreparedLetter
Jonathan Druart [Mon, 13 May 2024 12:47:28 +0000 (14:47 +0200)]
Bug 36520: Prevent SQL injection in GetPreparedLetter

Actually in _get_tt_params

The following query will delay the response

SELECT `me`.`biblionumber`, `me`.`frameworkcode`, `me`.`author`, `me`.`title`, `me`.`medium`, `me`.`subtitle`, `me`.`part_number`, `me`.`part_name`, `me`.`unititle`, `me`.`notes`, `me`.`serial`, `me`.`seriestitle`
, `me`.`copyrightdate`, `me`.`timestamp`, `me`.`datecreated`, `me`.`abstract`
  FROM `biblio` `me`
WHERE `biblionumber` = '1) AND (SELECT 1 FROM (SELECT(SLEEP(6)))x)-- -'
ORDER BY field( biblionumber, 1 ) AND (
    SELECT 1
      FROM
    SELECT SLEEP( 6 ) x
   ) -- - )

To test
1/ Add some items to your cart in the opac
2/ Choose send cart
3/ Open firefox developer tools and switch to the network tab
4/ Send cart
5/ In the network tab, find the post request and choose copy as curl
6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+-  to the bib_list parameter
7/ Run the curl notice it takes a long time to respond, if you want to check run the curl without the above part added
8/ Apply the patch and restart plack
9/ Run the modified curl and notice no longer the slow down
10/ Test in browser and make sure the basket is still sent

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoBug 36520: Add tests
Jonathan Druart [Wed, 15 May 2024 09:25:47 +0000 (11:25 +0200)]
Bug 36520: Add tests

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoBug 36818: Escape characters in file names uploaded
Chris Cormack [Wed, 8 May 2024 22:41:43 +0000 (22:41 +0000)]
Bug 36818: Escape characters in file names uploaded

To test:
1/ create a file named something like 'execute`curl blog.bigballofwax.co.nz`.zip'
   Where the domain is one you can watch the logs from
2/ Upload this file as a cover image
3/ Check /var/lib/koha/sitename/tmp/koha_sitename/ and see unescaped filenames
4/ Choose process, check the logs of the webserver see the connection has been made
5/ Apply the patch
5/ Repeat 2 & 3 and see the filename is now escaped
6/ Choose process and check no errors but no no remote execution occurs
7/ Test uploading actual zip file and images still works

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoUpdate release notes for 22.05.21 release v22.05.21
Wainui Witika-Park [Mon, 6 May 2024 01:48:54 +0000 (01:48 +0000)]
Update release notes for 22.05.21 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoIncrement version for 22.05.21 release
Wainui Witika-Park [Mon, 6 May 2024 01:45:47 +0000 (01:45 +0000)]
Increment version for 22.05.21 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoMake DBRev 220518000 executable
Wainui Witika-Park [Wed, 1 May 2024 05:37:55 +0000 (05:37 +0000)]
Make DBRev 220518000 executable

5 months agoBug 19613: Use the 'note' profile
Jonathan Druart [Wed, 20 Mar 2024 07:35:29 +0000 (08:35 +0100)]
Bug 19613: Use the 'note' profile

WNC amended patch: tidied

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit 3cb586b72165bcbd029948f46407359be9d5e9a8)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 55931114b62557dfbbe01e7bcf0cd150b5733262)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoBug 19613: Scrub borrowers fields: borrowernotes opacnote
Jonathan Druart [Fri, 15 Mar 2024 10:37:43 +0000 (11:37 +0100)]
Bug 19613: Scrub borrowers fields: borrowernotes opacnote

To prevent XSS

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit 83db8696ca7a83aba224a0ab645f03447a96887b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 383984a0164adabc79e91ad11e2e930f5e070ed9)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoBug 36149: Add userenv middleware to app.psgi
Julian Maurice [Tue, 9 Apr 2024 12:45:39 +0000 (14:45 +0200)]
Bug 36149: Add userenv middleware to app.psgi

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoBug 36149: (follow-up) POD and tidy
Nick Clemens [Fri, 29 Mar 2024 18:09:30 +0000 (18:09 +0000)]
Bug 36149: (follow-up) POD and tidy

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoBug 36149: Unset userenv from middleware
Jonathan Druart [Fri, 8 Mar 2024 15:06:11 +0000 (16:06 +0100)]
Bug 36149: Unset userenv from middleware

The userenv (logged in user's info) are stored in
$C4::Context->context->{activeuser}, which persists in plack worker's
memory.
It's really bad in theory as we are not cleaning it before or after the
HTTP request, but only when set_userenv is called (what we are doing
commonly in C4::Auth::get_template_and_user).
If C4::Context->userenv is called before set_userenv we should get undef,
not the userenv from the previous request!
In practice this should not be a problem, but well... who really knows?

This patch suggests to have a middleware to deal with removing the
userenv at the beginning of each request (maybe it should be after, right? - FIXME).

To test:
1 - Edit /etc/koha/sites/kohadev/koha-conf.xml to set <plack_workers>1</plack_workers>
2 - Edit about.pl  and add a line after: CGI->new:
    warn Data::Dumper::Dumper( C4::Cointext->userenv() );
3 - tail -f /var/log/koha/kohadev/*.log
4 - View about.pl in staff interface, should get a "somethign's wrong" warning
5 - Reload, you get current user info
6 - Open an incognito tab, sign in as a different user and click some stuff
7 - Reload about.pl in other window
8 - You get the opac user info
9 - Apply patch
10 - Edit /etc/koha/sites/kohadev/plack.psgi and add the middleware after "RealIP":
     enable "+Koha::Middleware::UserEnv";
11 - Restart all
12 - Reload about.pl - you get a "Something's wrong" warning
13 - Click things in opac on incognito window
14 - Reload about.pl  - only "Something's wrong" - you no longer see any user info

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoBug 36328: (QA follow-up) Expand tests and reorder elements to clarify differences
Nick Clemens [Mon, 1 Apr 2024 16:03:37 +0000 (16:03 +0000)]
Bug 36328: (QA follow-up) Expand tests and reorder elements to clarify differences

Also tidy

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoBug 36328: Add a separate 'note' profile
Jonathan Druart [Wed, 20 Mar 2024 07:34:09 +0000 (08:34 +0100)]
Bug 36328: Add a separate 'note' profile

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoBug 36328: Add test
Jonathan Druart [Fri, 15 Mar 2024 10:40:57 +0000 (11:40 +0100)]
Bug 36328: Add test

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
5 months agoBug 36328: Add p span div to Scrubber
Jonathan Druart [Fri, 15 Mar 2024 10:39:33 +0000 (11:39 +0100)]
Bug 36328: Add p span div to Scrubber

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
6 months agoBug 36511: Some scripts missing a dependency following Bug 24879 v22.05.20-2
Owen Leonard [Tue, 9 Apr 2024 15:55:57 +0000 (15:55 +0000)]
Bug 36511: Some scripts missing a dependency following Bug 24879

These files needed the addition of 'use C4::Auth qw( check_cookie_auth
);'.

To test, apply the patch and restart services.

- If necessary, enable the LocalCoverImages system preference.
- Open the browser console and then the "Network" tab. You can click
  "Images" to filter for the correct kind of request.
- Perform a catalog search. After the search has loaded, check that
  there are no 500 errors in the Network tab.

- Go to Cataloging -> Label creator.
- If necessary, create a label batch and add some items.
- Export your batch and test both the "Download as CSV" and "Download as
  XML" links. Both should trigger the correct download.

- Go to Serials -> Claims, and select a vendor with late issues.
- Select all late issues and click "Download selected claims" at the
  bottom of the page.
- Your CSV file should download correctly.

The file acqui/check_uniqueness.pl has been corrected as well but I'm
not sure how to test it!

Signed-off-by: danyonsewell <danyonsewell@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 747f5132311ea51ea6babbfc92a775ac0c67f93a)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 01b22fb71d30f56d3102837b5c9b4cfdacbc9e76)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
6 months agoMerge remote-tracking branch 'koha-security/22.05.x-security' into HEAD
Wainui Witika-Park [Wed, 3 Apr 2024 22:05:46 +0000 (11:05 +1300)]
Merge remote-tracking branch 'koha-security/22.05.x-security' into HEAD

7 months agoMake DBRev 220520000 executable
Tomas Cohen Arazi [Thu, 28 Mar 2024 11:32:19 +0000 (08:32 -0300)]
Make DBRev 220520000 executable

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
7 months agoUpdate release notes for 22.05.20 release v22.05.20
Aleisha Amohia [Thu, 28 Mar 2024 00:09:48 +0000 (00:09 +0000)]
Update release notes for 22.05.20 release

Signed-off-by: Aleisha Amohia <aleisha@catalyst.net.nz>
7 months agoIncrement version for 22.05.20 release
Wainui Witika-Park [Wed, 27 Mar 2024 23:04:09 +0000 (23:04 +0000)]
Increment version for 22.05.20 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 24879: (follow-up) Fix test suite
Fridolin Somers [Wed, 27 Mar 2024 09:20:03 +0000 (10:20 +0100)]
Bug 24879: (follow-up) Fix test suite

Running cataloguing pluings (in cataloguing/value_builder) now requires
authentification.

This patch adds in failing unit tests a mock of C4::Auth::check_cookie_auth

Test with:
prove t/db_dependent/FrameworkPlugin.t t/db_dependent/Koha/UI/Form/Builder/Biblio.t t/db_dependent/Koha/UI/Form/Builder/Item.t t/db_dependent/Serials.t

(cherry picked from commit f8a23b8ef46aea60eda9211a3e89af85d650ac26)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
suite

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
7 months agoBug 23352: [22.05] (follow-up) change number of tests
Wainui Witika-Park [Wed, 27 Mar 2024 01:11:42 +0000 (01:11 +0000)]
Bug 23352: [22.05] (follow-up) change number of tests

7 months agoBug 24879: Exclude koha_perl_deps.pl
Jonathan Druart [Fri, 15 Mar 2024 09:19:16 +0000 (10:19 +0100)]
Bug 24879: Exclude koha_perl_deps.pl

And tidy.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 24879: Use perl shebang to list the exec
Jonathan Druart [Thu, 14 Mar 2024 15:53:35 +0000 (16:53 +0100)]
Bug 24879: Use perl shebang to list the exec

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 24879: Add check_cookie_auth when missing
Jonathan Druart [Thu, 14 Mar 2024 15:19:06 +0000 (16:19 +0100)]
Bug 24879: Add check_cookie_auth when missing

This can certainly be improved to adjust the permissions, but at least
they are no longer opened to the world..

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 24879: Adjust tests
Jonathan Druart [Thu, 14 Mar 2024 15:17:55 +0000 (16:17 +0100)]
Bug 24879: Adjust tests

Installer scripts cannot be run from the UI:
debian/templates/apache-shared-intranet.conf:RewriteRule ^/cgi-bin/koha/(C4|debian|etc|installer/data|install_misc|Koha|misc|selenium|t|test|tmp|xt)/|\.PL$ /notfound [PT]

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 24879: Remove installer/externalmodules.pl
Jonathan Druart [Thu, 14 Mar 2024 15:14:17 +0000 (16:14 +0100)]
Bug 24879: Remove installer/externalmodules.pl

It is not used, if we need it back it must be moved to misc.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 24879: Add new test to catch missing auth statement
Jonathan Druart [Tue, 17 Mar 2020 10:54:12 +0000 (11:54 +0100)]
Bug 24879: Add new test to catch missing auth statement

in intranet scripts

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 31988: Remove reports/itemtypes.plugin
Jonathan Druart [Fri, 15 Mar 2024 09:12:41 +0000 (10:12 +0100)]
Bug 31988: Remove reports/itemtypes.plugin

This "plugin system" is only used for the itemtypes report. We can
simply remove the reports/manager.pl script and this plugin in favor of
a dedicated report.

Test plan:
Same behaviour expected before and after this patch

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 36322: Redirect docs dir to 404
Jonathan Druart [Thu, 14 Mar 2024 15:42:08 +0000 (16:42 +0100)]
Bug 36322: Redirect docs dir to 404

http://localhost:8081/cgi-bin/koha/docs/CAS/CASProxy/examples/proxy_cas.pl

Test plan:
Hit the link
=> Erk
Copy the apache config to /etc/koha/apache-shared-intranet-git.conf
restart_all
Hit the link
=> 404

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 36323: Move koha_perl_deps.pl to misc/devel
Fridolin Somers [Mon, 18 Mar 2024 15:32:57 +0000 (16:32 +0100)]
Bug 36323: Move koha_perl_deps.pl to misc/devel

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 35960: Use .val() instead of string concat to prevent potential XSS
Julian Maurice [Thu, 1 Feb 2024 08:15:23 +0000 (09:15 +0100)]
Bug 35960: Use .val() instead of string concat to prevent potential XSS

Test plan:
1. Log out
2. Go to /cgi-bin/koha/mainpage.pl#somestring"with<html>char
3. Open the brower's inspector and find "auth_forwarded_hash" input
4. Make sure the value attribute is there and corresponds to the URL's
   fragment. It should be URI-encoded.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 36244: DBRev 22.05.19.001
Wainui Witika-Park [Tue, 26 Mar 2024 01:16:03 +0000 (01:16 +0000)]
Bug 36244: DBRev 22.05.19.001

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 36244: Add atomic update to check for affected notices
Kyle M Hall [Thu, 7 Mar 2024 16:10:35 +0000 (11:10 -0500)]
Bug 36244: Add atomic update to check for affected notices

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Fixed some typos in bug numbers and text.

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 36244: Do template toolkit processing first
Andreas Jonsson [Thu, 7 Mar 2024 09:12:25 +0000 (09:12 +0000)]
Bug 36244: Do template toolkit processing first

To avoid injection of template toolkit code
from database fields that are controlled by
untrusted sources.

Test plan:

* review subtest 'Template toolkit syntax in
  parameters' in t/db_dependent/Letters.t
* Run the unit test:
  prove t/db_dependent/Letters.t

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 36244: Unit test for tt syntax in parameters
Andreas Jonsson [Thu, 7 Mar 2024 09:07:49 +0000 (09:07 +0000)]
Bug 36244: Unit test for tt syntax in parameters

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 36176: Exclude misc/releases_notes/*
Lucas Gass [Tue, 26 Mar 2024 20:32:15 +0000 (20:32 +0000)]
Bug 36176: Exclude misc/releases_notes/*

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 36176: Reject cud- for stable branches
Jonathan Druart [Wed, 28 Feb 2024 15:28:33 +0000 (16:28 +0100)]
Bug 36176: Reject cud- for stable branches

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoUpdate release notes for 22.05.19 release
Wainui Witika-Park [Wed, 28 Feb 2024 21:50:56 +0000 (21:50 +0000)]
Update release notes for 22.05.19 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoIncrement version for 22.05.19 release
Aleisha Amohia [Wed, 28 Feb 2024 21:23:38 +0000 (21:23 +0000)]
Increment version for 22.05.19 release

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
7 months agoBug 36034: Add test
Jonathan Druart [Wed, 14 Feb 2024 07:49:33 +0000 (08:49 +0100)]
Bug 36034: Add test

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
7 months agoBug 36034: (bug 34893 follow-up) fix capture of return values from checkpw
Andreas Jonsson [Thu, 8 Feb 2024 10:57:03 +0000 (11:57 +0100)]
Bug 36034: (bug 34893 follow-up) fix capture of return values from checkpw

Adapt code to the change of return value type of checkpw
introduced in bug 34893

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
7 months agoBug 35518: Tidy the moved blocks
Martin Renvoize [Thu, 8 Feb 2024 15:55:43 +0000 (15:55 +0000)]
Bug 35518: Tidy the moved blocks

This patch just tidies the moved blocks to get us past the QA script
check.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit b577b6567045184adcb5bb55b7e5c70428e124ee)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 1f182d45aba607dbfaf63c98f97b8615e5eea09d)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit d44a697788c947b9deb08aafaeb965f0e2b069f0)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit 870c18a6545092de9fd50c187f68dd0d6574b56b)

7 months agoBug 35518: Check authentication and set userenv before fetching userenv variables
Nick Clemens [Fri, 26 Jan 2024 14:10:01 +0000 (14:10 +0000)]
Bug 35518: Check authentication and set userenv before fetching userenv variables

Currently we get the userenv before we have set it correctly for the session

To test:
 1 - Sign in as a user with fast cataloging permission
 2 - Bring up a patron, type gibberish into barcode field to get a fast cataloging link
 3 - Check the link, it should have your current signed in barcode
 4 - Sign in to a different browser with a different user and at a different branch
 5 - Bring up a aptron in circulation and type gibberish into barcode field to get a fast cataloging link
 6 - It may have your branch, but it may also have the other user's branch from the other window
 7 - Keep entering gibberish to get a link until one user has the correct branch
 8 - Then switch to the other browser, and keep entering gibberish, watch the branchcode change
 9 - Apply patch, restart all
10 - Test switching between browsers. generating fast cataloging links
11 - Users should now consistently have the correct branch

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 90b6f68616e2ba5ca3fcbbd9698c97ef41a45593)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 26722f2a08af99b9e3cb4eb50398df896085f527)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit 1460974627a7c094144fe4b834f07a5ee0c5b493)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit 70c86eb8926def78636e69b02d4ad47cecce6323)

7 months agoBug 36092: Pass sessionID at the end of get_template_and_user
Jonathan Druart [Wed, 14 Feb 2024 08:45:45 +0000 (09:45 +0100)]
Bug 36092: Pass sessionID at the end of get_template_and_user

It seems safer to pass the logged in user and session info at the end of
the sub.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit c50372c0b5c490971e4e336541aa85fbb45033d2)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit 2ba597ea70612aec6880a583e9436da2367b5644)

7 months agoBug 36092: Pass the sessionID from checkauth if we hit auth
Jonathan Druart [Wed, 14 Feb 2024 09:33:11 +0000 (10:33 +0100)]
Bug 36092: Pass the sessionID from checkauth if we hit auth

If we hit the auth page we were not passing sessionID to the template

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 0decb260343455caabd4101b0b0e9499723f2951)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit 9580111a206522e90a76d0fbaafdaaca0401d6fd)

7 months agoBug 36092: Add test
Jonathan Druart [Wed, 14 Feb 2024 09:56:17 +0000 (10:56 +0100)]
Bug 36092: Add test

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 7bc46ea231c3e63e017da2a26a7a8918ed161cab)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit 14cce4e9364792e93c50a1d6bed01d4e85d150d4)

7 months agoBug 30524: (QA follow-up) Fix tests
Tomas Cohen Arazi [Fri, 28 Jul 2023 13:40:28 +0000 (10:40 -0300)]
Bug 30524: (QA follow-up) Fix tests

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 158edb411b32253fae4f068ce416d6ad4d1a67d3)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
(cherry picked from commit 38725ed0af95c318077c46f337795054e31c60e4)

7 months agoBug 30524: (QA follow-up) Unit tests for GenerateCSRF()
Tomas Cohen Arazi [Thu, 27 Jul 2023 18:33:55 +0000 (15:33 -0300)]
Bug 30524: (QA follow-up) Unit tests for GenerateCSRF()

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 60d11ae7251a227fab3977ecd61cb01d0f062f79)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit d4187c77eb3b39977b759af7df7641e70cd96358)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
(cherry picked from commit 26ab7e0b200ac8e5fe4d88603996d823bf63d8bc)

7 months agoBug 30524: (QA follow-up) Only generate CSRF token if it will be used
Kyle M Hall [Thu, 27 Jul 2023 11:45:57 +0000 (07:45 -0400)]
Bug 30524: (QA follow-up) Only generate CSRF token if it will be used

This patch avoids generating CSRF tokens unless the csrf-token.inc file
is included in the template.

Passed token doesn't need HTML escaped. The docs for WWW::CSRF state:
  The returned CSRF token is in a text-only form suitable for inserting into a HTML form without further escaping (assuming you did not send in strange things to the Time option).

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit ddf1eb6cef14da365675890920ff72f010c59527)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 73ca151686b682aaa2b950ccbc89fcec14514112)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
(cherry picked from commit b1bd7ec29a0febddc210dbdc3bef0a78e37c7719)

7 months agoBug 35942: OPAC user can enroll several times to the same club [23.05.x]
Kyle M Hall [Tue, 30 Jan 2024 15:58:02 +0000 (10:58 -0500)]
Bug 35942: OPAC user can enroll several times to the same club [23.05.x]

Test Plan:

1) Create 3 clubs, 1 limited to library A, 1 limited to library B and one not limited
2) Use a patron with home library A.
3) Go to the opac-user page, "Clubs" tab show 0/2 (the one from library B is not listed)
4) Browse to /cgi-bin/koha/svc/club/enroll?id=1
5) Reload that page a couple times
6) Note the patron is now enrolled in the same club multiple times
7) Delete those enrollments
8) Apply this patch
9) Restart all the things!
10) Repeat steps 2-7, note the lack of duplicate enrollments!
11) Repeat steps 2-10 for the staff interface

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 9bdab108e22768b018b017ed7c0e0016270f2570)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
7 months agoBug 35918: Fix auto library connect (AutoLocation)
Jonathan Druart [Fri, 26 Jan 2024 07:58:17 +0000 (08:58 +0100)]
Bug 35918: Fix auto library connect (AutoLocation)

This code is a bit weird, its purpose it to auto select the library depending on the IP.
A problem appears if the same IP is used, then the user's choice will
might be overwritten randomly by another library.

To recreate the problem:
Turn on AutoLocation
Use koha/koha @CPL for test
And the following config:
*************************** 1. row ***************************
branchcode: CPL
branchname: Centerville
  branchip: 172.18.0.1
*************************** 2. row ***************************
branchcode: FFL
branchname: Fairfield
  branchip: 172.18.0.1
*************************** 3. row ***************************
branchcode: FPL
branchname: Fairview
  branchip: 172.18.0.4

Connect and select CPL. Randomly FFL will be picked instead.

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tested this on top of 35890 and 35904 because git bz said they were required dependencies.
Figured out the IP Koha was seeing me as coming from in /var/log/koha/kohadev/plack.log.
Added that IP to the branchip for Centerville, Fairfield and Fairview. Set AutoLocation = Yes.
After this I could recreate the problem: If i left the "Library" field in the login screen
at "My Library" I got logged into a random library selected from the three i had set
branchip for. Applying the patches fixed this, as expected.
Tests pass, with AutoLocation off.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 35918: Add test
Jonathan Druart [Fri, 26 Jan 2024 07:57:03 +0000 (08:57 +0100)]
Bug 35918: Add test

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 35890: Add tests for AutoLocation
Jonathan Druart [Thu, 25 Jan 2024 08:36:01 +0000 (09:36 +0100)]
Bug 35890: Add tests for AutoLocation

Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 35890: Reject login if IP is not valid
Jonathan Druart [Wed, 24 Jan 2024 15:25:30 +0000 (16:25 +0100)]
Bug 35890: Reject login if IP is not valid

Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 35890: Remove var loggedin
Jonathan Druart [Wed, 24 Jan 2024 15:24:51 +0000 (16:24 +0100)]
Bug 35890: Remove var loggedin

It is never used and add confusion

Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 35904: (QA follow-up): tidy up code
Victor Grousset/tuxayo [Thu, 15 Feb 2024 03:18:37 +0000 (04:18 +0100)]
Bug 35904: (QA follow-up): tidy up code

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 35904: Make C4::Auth::checkauth testable easily
Jonathan Druart [Thu, 25 Jan 2024 09:35:41 +0000 (10:35 +0100)]
Bug 35904: Make C4::Auth::checkauth testable easily

This patch suggests to add a new flag do_not_print to
C4::Auth::checkauth to not print the headers and allow to test this
subroutine more easily.

We do no longer need to mock safe_exit and redirect STDOUT to test its
return values.

There are still 3 left:
1.
733         # checkauth will redirect and safe_exit if not authenticated and not authorized
=> Better to keep this one, not trivial to replace

2.
806         # This will fail on permissions
This should be replaced but testing $template->{VARS}->{nopermission}
fails, I dont' think the comment is better.

3.
828         # Patron does not have the borrowers permission
Same as 2.

2. and 3. should be investigated a bit more.

This patch also move duplicated code to set patron's password to a
subroutine set_weak_password.

Test plan:
Read the code and confirm that everything makes sense.
QA: Do you have a better way for this? Yes it's dirty!

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 29510: (follow-up) Adapt GET /patrons/:patron_id
Tomas Cohen Arazi [Wed, 17 Nov 2021 21:09:02 +0000 (18:09 -0300)]
Bug 29510: (follow-up) Adapt GET /patrons/:patron_id

This patch makes GET /patrons/:patron_id rely on this new behavior from the
objects.find helper.

To test:
1. Run:
   $ kshell
  k$ prove t/db_dependent/api/v1/patrons.t
=> SUCCESS: Tests pass!
2. Apply this patch
3. Repeat 1
=> SUCCESS: Tests still pass!
4. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 29510: Make objects.find call search_limited if present
Tomas Cohen Arazi [Wed, 17 Nov 2021 21:03:00 +0000 (18:03 -0300)]
Bug 29510: Make objects.find call search_limited if present

This patch makes objects.find implicitly update the passed
*$result_set* to use search_limited. This way no object leaks could
happen without noticing.

To test:
1. Apply the regression tests patch
2. Run:
   $ kshell
  k$ prove t/db_dependent/Koha/REST/Plugin/Objects.t
=> FAIL: Tests fail because search_limited is not used
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass! Results are correctly filtered based on userenv!
5. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 29510: Regression tests
Tomas Cohen Arazi [Wed, 17 Nov 2021 21:02:17 +0000 (18:02 -0300)]
Bug 29510: Regression tests

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 35941: (QA follow-up) Tidy clubs-tab.pl
Kyle M Hall [Tue, 30 Jan 2024 14:32:12 +0000 (14:32 +0000)]
Bug 35941: (QA follow-up) Tidy clubs-tab.pl

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 35941: Limit club list to those from the logged in user
Jonathan Druart [Tue, 30 Jan 2024 13:53:03 +0000 (14:53 +0100)]
Bug 35941: Limit club list to those from the logged in user

clubs-tab get the patron's id from the parameter. At the OPAC we must
use the one from the logged in user, to prevent leak to other users

Test plan:
Have 2 clubs: A, B
Enroll to A with patron borrowernumber=1
Enroll to B with patron borrowernumber=2
Log in with patron 1 and hit:
  http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=1
=> OK
Now hit
  http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=2
=> oops

Apply this patch, try again.
The "borrowernumber" parameter is no longer used to fetch the club list.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 36072: opac-request-article should check syspref
Marcel de Rooy [Tue, 13 Feb 2024 12:36:44 +0000 (12:36 +0000)]
Bug 36072: opac-request-article should check syspref

Note: This is handled now just like opac-reserve.

Test plan:
Disable ArticleRequests and hit the page.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoUpdate release notes for 22.05.18 release
Wainui Witika-Park [Mon, 29 Jan 2024 00:06:42 +0000 (00:06 +0000)]
Update release notes for 22.05.18 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoIncrement version for 22.05.18 release
root [Sun, 28 Jan 2024 23:37:54 +0000 (12:37 +1300)]
Increment version for 22.05.18 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 35343: Add record accessor method to Koha::Authority
Martin Renvoize [Tue, 6 Dec 2022 20:07:02 +0000 (17:07 -0300)]
Bug 35343: Add record accessor method to Koha::Authority

Code lifted from bug 31794 to fix already backported bug 26611.

Unit tests included.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 40115a2c8cba3e081ffd0710899ef4556a3bbb54)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
7 months agoBug 27342: Fix C4::ILSDI::Services::AuthenticatePatron
Tomas Cohen Arazi [Wed, 17 Aug 2022 13:33:07 +0000 (10:33 -0300)]
Bug 27342: Fix C4::ILSDI::Services::AuthenticatePatron

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
7 months agoBug 27342: (QA follow-up) Fix test
Tomas Cohen Arazi [Tue, 16 Aug 2022 13:50:47 +0000 (10:50 -0300)]
Bug 27342: (QA follow-up) Fix test

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
7 months agoBug 27342: (QA follow-up) Remove dbh from new tests
Martin Renvoize [Wed, 10 Aug 2022 07:12:53 +0000 (08:12 +0100)]
Bug 27342: (QA follow-up) Remove dbh from new tests

7 months agoBug 27342: Remove dbh from C4::Auth
Jonathan Druart [Tue, 5 Jan 2021 10:28:16 +0000 (11:28 +0100)]
Bug 27342: Remove dbh from C4::Auth

We must not pass $dbh but retrieve it when needed instead

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
7 months agoBug 27342: Improve test for OPAC
Jonathan Druart [Tue, 5 Jan 2021 10:18:26 +0000 (11:18 +0100)]
Bug 27342: Improve test for OPAC

We don't need to build allowed_scripts_for_private_opac for staff

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
7 months agoBug 34893: [22.05] (follow-up) change number of tests
Wainui Witika-Park [Wed, 27 Mar 2024 01:03:49 +0000 (01:03 +0000)]
Bug 34893: [22.05] (follow-up) change number of tests

8 months agoUpdate release notes for 22.05.19 release v22.05.19
Wainui Witika-Park [Wed, 28 Feb 2024 21:50:56 +0000 (21:50 +0000)]
Update release notes for 22.05.19 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
8 months agoIncrement version for 22.05.19 release
Aleisha Amohia [Wed, 28 Feb 2024 21:23:38 +0000 (21:23 +0000)]
Increment version for 22.05.19 release

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
8 months agoBug 36034: Add test
Jonathan Druart [Wed, 14 Feb 2024 07:49:33 +0000 (08:49 +0100)]
Bug 36034: Add test

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
8 months agoBug 36034: (bug 34893 follow-up) fix capture of return values from checkpw
Andreas Jonsson [Thu, 8 Feb 2024 10:57:03 +0000 (11:57 +0100)]
Bug 36034: (bug 34893 follow-up) fix capture of return values from checkpw

Adapt code to the change of return value type of checkpw
introduced in bug 34893

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
8 months agoBug 35518: Tidy the moved blocks
Martin Renvoize [Thu, 8 Feb 2024 15:55:43 +0000 (15:55 +0000)]
Bug 35518: Tidy the moved blocks

This patch just tidies the moved blocks to get us past the QA script
check.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit b577b6567045184adcb5bb55b7e5c70428e124ee)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 1f182d45aba607dbfaf63c98f97b8615e5eea09d)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit d44a697788c947b9deb08aafaeb965f0e2b069f0)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit 870c18a6545092de9fd50c187f68dd0d6574b56b)

8 months agoBug 35518: Check authentication and set userenv before fetching userenv variables
Nick Clemens [Fri, 26 Jan 2024 14:10:01 +0000 (14:10 +0000)]
Bug 35518: Check authentication and set userenv before fetching userenv variables

Currently we get the userenv before we have set it correctly for the session

To test:
 1 - Sign in as a user with fast cataloging permission
 2 - Bring up a patron, type gibberish into barcode field to get a fast cataloging link
 3 - Check the link, it should have your current signed in barcode
 4 - Sign in to a different browser with a different user and at a different branch
 5 - Bring up a aptron in circulation and type gibberish into barcode field to get a fast cataloging link
 6 - It may have your branch, but it may also have the other user's branch from the other window
 7 - Keep entering gibberish to get a link until one user has the correct branch
 8 - Then switch to the other browser, and keep entering gibberish, watch the branchcode change
 9 - Apply patch, restart all
10 - Test switching between browsers. generating fast cataloging links
11 - Users should now consistently have the correct branch

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 90b6f68616e2ba5ca3fcbbd9698c97ef41a45593)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 26722f2a08af99b9e3cb4eb50398df896085f527)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit 1460974627a7c094144fe4b834f07a5ee0c5b493)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit 70c86eb8926def78636e69b02d4ad47cecce6323)

8 months agoBug 36092: Pass sessionID at the end of get_template_and_user
Jonathan Druart [Wed, 14 Feb 2024 08:45:45 +0000 (09:45 +0100)]
Bug 36092: Pass sessionID at the end of get_template_and_user

It seems safer to pass the logged in user and session info at the end of
the sub.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit c50372c0b5c490971e4e336541aa85fbb45033d2)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit 2ba597ea70612aec6880a583e9436da2367b5644)

8 months agoBug 36092: Pass the sessionID from checkauth if we hit auth
Jonathan Druart [Wed, 14 Feb 2024 09:33:11 +0000 (10:33 +0100)]
Bug 36092: Pass the sessionID from checkauth if we hit auth

If we hit the auth page we were not passing sessionID to the template

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 0decb260343455caabd4101b0b0e9499723f2951)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit 9580111a206522e90a76d0fbaafdaaca0401d6fd)

8 months agoBug 36092: Add test
Jonathan Druart [Wed, 14 Feb 2024 09:56:17 +0000 (10:56 +0100)]
Bug 36092: Add test

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 7bc46ea231c3e63e017da2a26a7a8918ed161cab)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
(cherry picked from commit 14cce4e9364792e93c50a1d6bed01d4e85d150d4)

8 months agoBug 30524: (QA follow-up) Fix tests
Tomas Cohen Arazi [Fri, 28 Jul 2023 13:40:28 +0000 (10:40 -0300)]
Bug 30524: (QA follow-up) Fix tests

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 158edb411b32253fae4f068ce416d6ad4d1a67d3)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
(cherry picked from commit 38725ed0af95c318077c46f337795054e31c60e4)

8 months agoBug 30524: (QA follow-up) Unit tests for GenerateCSRF()
Tomas Cohen Arazi [Thu, 27 Jul 2023 18:33:55 +0000 (15:33 -0300)]
Bug 30524: (QA follow-up) Unit tests for GenerateCSRF()

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 60d11ae7251a227fab3977ecd61cb01d0f062f79)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit d4187c77eb3b39977b759af7df7641e70cd96358)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
(cherry picked from commit 26ab7e0b200ac8e5fe4d88603996d823bf63d8bc)

8 months agoBug 30524: (QA follow-up) Only generate CSRF token if it will be used
Kyle M Hall [Thu, 27 Jul 2023 11:45:57 +0000 (07:45 -0400)]
Bug 30524: (QA follow-up) Only generate CSRF token if it will be used

This patch avoids generating CSRF tokens unless the csrf-token.inc file
is included in the template.

Passed token doesn't need HTML escaped. The docs for WWW::CSRF state:
  The returned CSRF token is in a text-only form suitable for inserting into a HTML form without further escaping (assuming you did not send in strange things to the Time option).

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit ddf1eb6cef14da365675890920ff72f010c59527)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 73ca151686b682aaa2b950ccbc89fcec14514112)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
(cherry picked from commit b1bd7ec29a0febddc210dbdc3bef0a78e37c7719)

8 months agoBug 35942: OPAC user can enroll several times to the same club [23.05.x]
Kyle M Hall [Tue, 30 Jan 2024 15:58:02 +0000 (10:58 -0500)]
Bug 35942: OPAC user can enroll several times to the same club [23.05.x]

Test Plan:

1) Create 3 clubs, 1 limited to library A, 1 limited to library B and one not limited
2) Use a patron with home library A.
3) Go to the opac-user page, "Clubs" tab show 0/2 (the one from library B is not listed)
4) Browse to /cgi-bin/koha/svc/club/enroll?id=1
5) Reload that page a couple times
6) Note the patron is now enrolled in the same club multiple times
7) Delete those enrollments
8) Apply this patch
9) Restart all the things!
10) Repeat steps 2-7, note the lack of duplicate enrollments!
11) Repeat steps 2-10 for the staff interface

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 9bdab108e22768b018b017ed7c0e0016270f2570)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
8 months agoBug 35918: Fix auto library connect (AutoLocation)
Jonathan Druart [Fri, 26 Jan 2024 07:58:17 +0000 (08:58 +0100)]
Bug 35918: Fix auto library connect (AutoLocation)

This code is a bit weird, its purpose it to auto select the library depending on the IP.
A problem appears if the same IP is used, then the user's choice will
might be overwritten randomly by another library.

To recreate the problem:
Turn on AutoLocation
Use koha/koha @CPL for test
And the following config:
*************************** 1. row ***************************
branchcode: CPL
branchname: Centerville
  branchip: 172.18.0.1
*************************** 2. row ***************************
branchcode: FFL
branchname: Fairfield
  branchip: 172.18.0.1
*************************** 3. row ***************************
branchcode: FPL
branchname: Fairview
  branchip: 172.18.0.4

Connect and select CPL. Randomly FFL will be picked instead.

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tested this on top of 35890 and 35904 because git bz said they were required dependencies.
Figured out the IP Koha was seeing me as coming from in /var/log/koha/kohadev/plack.log.
Added that IP to the branchip for Centerville, Fairfield and Fairview. Set AutoLocation = Yes.
After this I could recreate the problem: If i left the "Library" field in the login screen
at "My Library" I got logged into a random library selected from the three i had set
branchip for. Applying the patches fixed this, as expected.
Tests pass, with AutoLocation off.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
8 months agoBug 35918: Add test
Jonathan Druart [Fri, 26 Jan 2024 07:57:03 +0000 (08:57 +0100)]
Bug 35918: Add test

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
8 months agoBug 35890: Add tests for AutoLocation
Jonathan Druart [Thu, 25 Jan 2024 08:36:01 +0000 (09:36 +0100)]
Bug 35890: Add tests for AutoLocation

Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
8 months agoBug 35890: Reject login if IP is not valid
Jonathan Druart [Wed, 24 Jan 2024 15:25:30 +0000 (16:25 +0100)]
Bug 35890: Reject login if IP is not valid

Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
8 months agoBug 35890: Remove var loggedin
Jonathan Druart [Wed, 24 Jan 2024 15:24:51 +0000 (16:24 +0100)]
Bug 35890: Remove var loggedin

It is never used and add confusion

Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
8 months agoBug 35904: (QA follow-up): tidy up code
Victor Grousset/tuxayo [Thu, 15 Feb 2024 03:18:37 +0000 (04:18 +0100)]
Bug 35904: (QA follow-up): tidy up code

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
8 months agoBug 35904: Make C4::Auth::checkauth testable easily
Jonathan Druart [Thu, 25 Jan 2024 09:35:41 +0000 (10:35 +0100)]
Bug 35904: Make C4::Auth::checkauth testable easily

This patch suggests to add a new flag do_not_print to
C4::Auth::checkauth to not print the headers and allow to test this
subroutine more easily.

We do no longer need to mock safe_exit and redirect STDOUT to test its
return values.

There are still 3 left:
1.
733         # checkauth will redirect and safe_exit if not authenticated and not authorized
=> Better to keep this one, not trivial to replace

2.
806         # This will fail on permissions
This should be replaced but testing $template->{VARS}->{nopermission}
fails, I dont' think the comment is better.

3.
828         # Patron does not have the borrowers permission
Same as 2.

2. and 3. should be investigated a bit more.

This patch also move duplicated code to set patron's password to a
subroutine set_weak_password.

Test plan:
Read the code and confirm that everything makes sense.
QA: Do you have a better way for this? Yes it's dirty!

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
8 months agoBug 29510: (follow-up) Adapt GET /patrons/:patron_id
Tomas Cohen Arazi [Wed, 17 Nov 2021 21:09:02 +0000 (18:09 -0300)]
Bug 29510: (follow-up) Adapt GET /patrons/:patron_id

This patch makes GET /patrons/:patron_id rely on this new behavior from the
objects.find helper.

To test:
1. Run:
   $ kshell
  k$ prove t/db_dependent/api/v1/patrons.t
=> SUCCESS: Tests pass!
2. Apply this patch
3. Repeat 1
=> SUCCESS: Tests still pass!
4. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>