]> git.koha-community.org Git - koha.git/log
koha.git
6 weeks agoUpdate release notes for 23.05.15 release v23.05.15
Wainui Witika-Park [Wed, 2 Oct 2024 01:02:42 +0000 (14:02 +1300)]
Update release notes for 23.05.15 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
6 weeks agoIncrement version for 23.05.15 release
Wainui Witika-Park [Wed, 2 Oct 2024 00:49:29 +0000 (13:49 +1300)]
Increment version for 23.05.15 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
6 weeks agoMerge remote-tracking branch 'upstream/23.05.x' into HEAD
Wainui Witika-Park [Tue, 1 Oct 2024 22:23:43 +0000 (11:23 +1300)]
Merge remote-tracking branch 'upstream/23.05.x' into HEAD

6 weeks agoBug 37720: (follow-up) Adjust tests
Lucas Gass [Mon, 30 Sep 2024 20:45:04 +0000 (20:45 +0000)]
Bug 37720: (follow-up) Adjust tests

Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
6 weeks agoBug 36879: Spurious warning in QueryBuilder
Andreas Jonsson [Thu, 16 May 2024 07:38:09 +0000 (09:38 +0200)]
Bug 36879: Spurious warning in QueryBuilder

Test plan:

With ElasticSearch enabled,
* Perform a search using the default  sort order
  (i.e. 'relevance').
* Verify that no warnings are generated in
  plack-intranet-error.log

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
7 weeks agoBug 37720: Prevent XSS in label creator
Jonathan Druart [Wed, 28 Aug 2024 10:18:06 +0000 (12:18 +0200)]
Bug 37720: Prevent XSS in label creator

Because labels/label-edit-batch.pl fills a DataTable with things that include
a link created by C4/Creators/Lib.pm, it outputs them with the $raw filter,
so HTML in author/title/callnumber is executed in the label batch editor.
While we wait for a fix that moves the link creation into the template and
out of C4, encoding HTML in Lib.pm for the bits going into the link, and
switching from $raw to the html filter for the rest of the things, will at
least get rid of the XSS.

Test plan:
 1. Without this patch, but with the patch from bug 37654 so you don't get
    alert()s in batch import, download attachment 170675 [details]
 2. Cataloging - Stage records for import - browse to the downloaded file -
    Upload file - when the upload finishes Stage for import - when staging
    finishes View batch (get alert()s if you didn't apply bug 37654) - Import
    this batch into the catalog
 3. Once the import finishes, Cataloging - Manage staged records
 4. In the row for your import, in the # Items column, click "(Create label
    batch)"
 5. In the "Label batch #n created" message, click the link to the batch #
 6. Because the batch includes a call number with an open <script>, you'll
    get XSS alert()s and then one about something going wrong while loading
    the table, with only one of the two records showing in the batch editor
 7. Apply patch, restart_all
 8. Cataloging - Label creator - Manage Label batches
 9. In the row for your batch, click Edit
10. You will see both labels, with their attempts at XSS visible as text
    rather than being interpreted as HTML

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
8 weeks agoBug 37285: (QA follow-up) Perl Tidy
Laura_Escamilla [Thu, 25 Jul 2024 15:22:00 +0000 (15:22 +0000)]
Bug 37285: (QA follow-up) Perl Tidy

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit e7a017e663bd0376c626a692a85cda4dc7e68324)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 1374290f7a75ecf32d192c8bd5fe82e6286de016)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
8 weeks agoBug 37285: Printing lists only prints the ten first results
Baptiste Wojtkowski [Tue, 9 Jul 2024 14:08:39 +0000 (16:08 +0200)]
Bug 37285: Printing lists only prints the ten first results

GIVEN koha in a version later than 22.11, a list with more than ten entries
WHEN the user tries to print the list
THEN only the ten first results are printed

EXPECTED THEN all results are printed

It looks like it is an undesired effect of BZ36858. Page remains set
even while printing, therefore, however the number of rows is not set,
default value (10) is used.

TEST PLAN

1 - create a list with more than 10 items
2 - print the list -> there is a pagination and that only 10 items
  are printed
Apply patch
3 - print the list again -> every items are being printed

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 64027daadcea8c44cb73aae71a48ac64d527ed3f)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 0f8f20a01fede0991500bff529d540959fea6251)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
8 weeks agoBug 37044: Added library branch to SCO OPAC message
Sam Lau [Thu, 6 Jun 2024 14:29:54 +0000 (14:29 +0000)]
Bug 37044: Added library branch to SCO OPAC message

This patch simply adds the correct branch at the end of an OPAC message on the SCO page.

To Test:
1) From the staff interface, click on a patron and add an OPAC message
   to their account.
2) Log into the SCO with this patron.
   (http://localhost:8080/cgi-bin/koha/sco/sco-main.pl)
3) Notice how in the "Messages for you" at the top, you will see the
   message, however, at the timestamp, it says something like "Written
   on 06/06/2024 by " w/o listing the library that sent it.
4) Apply patch
5) Log back into SCO module
6) Note that now in the message timestamp, it correctly lists the
   library that sent the message.
7) Sign-off

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 4801037abe0f8d294eb03503c2b5a275ed06f62a)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit da490f117af20f4307d2c62e01bc1db7bc0b7695)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
8 weeks agoBug 37198: Improve GetPreparedLetter documentation
Martin Renvoize [Wed, 26 Jun 2024 14:24:01 +0000 (15:24 +0100)]
Bug 37198: Improve GetPreparedLetter documentation

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 149412cb62a074ccdef1e1c2bbbd2bee35c48498)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 84814bbef33ac9c04b12cb3f063b2a11cfd0b2ce)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
8 weeks agoBug 35240: Add missing IDs to input
Eric Garcia [Tue, 25 Jun 2024 17:18:13 +0000 (17:18 +0000)]
Bug 35240: Add missing IDs to input

1. Tools -> Rotating collections -> Edit collection
2. Use browser dev tools to notice that the inputs don't have matching
   IDs
3. Apply patch
4. Do step 2 again and notice IDs are no longer missing.
5. Sign off :)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 21a66bf17c867734271e57c9f06b0b3e619d9ff0)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 27cbe1d0cf85a79ac57505452189d025f5841437)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
8 weeks agoBug 36891: Restore returning 404 from svc/bib when the bib number doesn't exist
Phil Ringnalda [Fri, 17 May 2024 00:01:54 +0000 (17:01 -0700)]
Bug 36891: Restore returning 404 from svc/bib when the bib number doesn't exist

Changing from GetMarcBiblio to Biblios->find plus metadata->record lost the
way that svc/bib used to return 404 when the bib number wasn't found. This
patch restores that by checking for undef after the Biblios->find step.

Test plan:
1. Load e.g. http://127.0.0.1:8081/cgi-bin/koha/svc/bib/289 which returns an
   XML bib record
2. Load http://127.0.0.1:8081/cgi-bin/koha/svc/bib/99999999 and get a 500 error
2. Appply patch, restart_all
4. Reload http://127.0.0.1:8081/cgi-bin/koha/svc/bib/289 and get the bib again
5. Reload http://127.0.0.1:8081/cgi-bin/koha/svc/bib/99999999 and get a 404

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
8 weeks agoBug 34444: [22.11.x] Correct handling of sort1 and sort2 values
Nick Clemens [Wed, 8 May 2024 13:22:58 +0000 (13:22 +0000)]
Bug 34444: [22.11.x] Correct handling of sort1 and sort2 values

Removed extraneous sort_1 data elements
Update selectors to use field names for statistics field
Updated code to set the value after finding the correct selector

To test:
* Make sure you have at least 2 funds with different stat settings, using AV and not
* Create a basket with an order line
* Close it and receive shipment
* Create an invoice and receive the order line
* Finish receiving

* Click "Modify fund"
* Switch fund, verify the stat fields are updated accordingly
* Change values for statistical values
* Update fund
* Edit fund again, pull downs are correct
* Change values in form and close, do not update
* Click 'Modify fund' - confrim form is filled with the saved values

Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
2 months agoBug 25387: (follow-up) Slightly change wording of alert
Katrin Fischer [Thu, 27 Jun 2024 07:03:20 +0000 (07:03 +0000)]
Bug 25387: (follow-up) Slightly change wording of alert

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 1004d47d0093bd5a7547fb7d943837df895ae3eb)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 3dc5bd07d50bb3ab892407888a4b6e28e8519df4)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
2 months agoBug 25387: (QA follow-up) Tidy
Nick Clemens [Tue, 25 Jun 2024 21:12:39 +0000 (21:12 +0000)]
Bug 25387: (QA follow-up) Tidy

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 4c677600f2a3f8b019d54676dcd95faac1784532)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 39449c76c46325391e20a169d595094554c8c4a8)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
2 months agoBug 25387: Warn when merging different authority types
Marion Durand [Wed, 6 Oct 2021 12:49:58 +0000 (14:49 +0200)]
Bug 25387: Warn when merging different authority types

Merging two different authorities types can result in the loss of some
field. This patch adds a warning when merging different type of
authorities and add more display of authorities types during merge.

To test:
1- Find two authorities you what to merge. Be sure that these
authorities have different type
2- Search for these authorities (be sure to have both results on the
results page)
3- For the first authority click on "Actions" then on "Merge", same for
the second one
4- Check that koha is asking you to choose a framework and that
authority types are not displayed
5- Choose a framework, then click on next
6- Check that the authority type is not displayed in the tabs and that
no warning appear
7- Apply the patch
8- Repeat step 1 to 3 again
9- Check that authority type is now displayed next to their ID
10- Repeate setp 5 again
11- Check that the authority types is now displayed in the tabs next to
their ID and that a warning appear

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit b2ae5380b0741e1d2277a58f264df88f243ecadb)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 8e7ea9baafcba3e02a4c13ba707b4f45abf5c695)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
2 months agoBug 37003: (follow-up) Amend 22.11 RMaint
Martin Renvoize [Tue, 25 Jun 2024 13:14:46 +0000 (14:14 +0100)]
Bug 37003: (follow-up) Amend 22.11 RMaint

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 16e35d5f107031e9573f5f565dedfb428b9c5696)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 5e69aef19d71c62681a5ebeeab6a0df2fb14fa4e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
2 months agoBug 37003: Add the 24.11 release team
Martin Renvoize [Thu, 6 Jun 2024 10:27:33 +0000 (11:27 +0100)]
Bug 37003: Add the 24.11 release team

This patch updates the teams.yaml to include the voted in 24.11
release team.

Test plan
1/ Check against https://wiki.koha-community.org/wiki/Release_Teams

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit a2ebd5ad2833a84c67ecf8dbbd8820065013f2e9)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit a7b870fdfd0245e5b572d94ab11f377d2c26fe5b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
2 months agoBug 30493: (QA follow-up) Fix for the only_my_library case as well
Emily Lamancusa [Fri, 14 Jun 2024 19:10:24 +0000 (15:10 -0400)]
Bug 30493: (QA follow-up) Fix for the only_my_library case as well

Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 94e1d8ed0c4742f48d23dc0241c0d04f058ee316)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit bcb520d69e4e65e5278fc8c57d04817d8b816db7)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
2 months agoBug 30493: Pending archived suggestions appear on intranet home page
Baptiste Wojtkowski [Thu, 13 Jun 2024 13:36:18 +0000 (15:36 +0200)]
Bug 30493: Pending archived suggestions appear on intranet home page

If suggestions are archived before their status is changed to something other than "Pending", they still appear on the intranet home page and the acquisitions home page as suggestions to be managed.

WITHOUT PATCH:
1. Go to Acquisitions > Suggestions
2. Click on New purchase suggestion
3. Fill in the form (title only is fine)
4. Click on Submit your suggestion
5. Go to the home page (click the Koha logo)
   --> Notice it says that there is 1 pending suggestion
6. Go to Acquisitions
   --> Notice it says that there is 1 pending suggestion
7. Go to Suggestions
8. Click on the up arrow to the right of the Edit button and choose Archive
   --> There are no more pending suggestions
9. Go to the home page (click the Koha logo)
   --> Notice it says that there is 1 pending suggestion
10. Go to Acquisitions
   --> Notice it says that there is 1 pending suggestion

The search function was fetching suggestions without considering the
"archived" field. I now pick only suggestion that are pending AND not
archived.

WITH PATCH:
9. Go to the home page (click the Koha logo)
   --> Notice it says that there is no pending suggestion
10. Go to Acquisitions
   --> Notice it says that there is no pending suggestion

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e87f4cd550e60d7955551abf44f4dd9c1fd332d5)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 5db98bbd65bc0498bbb916c148076b258e5135ad)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
2 months agoBug 35294: Fix typos in catalogue code comments
Brendan Lawlor [Thu, 6 Jun 2024 13:14:43 +0000 (13:14 +0000)]
Bug 35294: Fix typos in catalogue code comments

Test plan:
1. git grep -n -E 'barocode|preproccess' to find the files and line # of typos
2. Apply the patch
3. git grep -E 'barocode|proccess'
4. See no results

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit e8ef0f9417588345d6c9f7e2e5986e4e53986f52)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 96097d8058f6de34036fc4b26dec83c485ed08d9)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
2 months agoBug 36930: Item search gives irrelevant results when using 2+ added filter criteria
Janusz Kaczmarek [Wed, 22 May 2024 21:08:35 +0000 (21:08 +0000)]
Bug 36930: Item search gives irrelevant results when using 2+ added filter criteria

In the Item search the librarian is allowed, in the first step, to define
additional filters like Title, Author, Publisher, Publication date etc.
(in the third fieldset).  This works fine but only for one criterion.
If one adds two or more criteria, the filter does not apply at all.

Test plan
=========
1. Make an Item search with the Pulblisher filter. Put
   %University of California% as the value.
   You should get 5 rows (with standard ktd test data set), three
   from 1982, and two from 1988.
2. Edit search -> add the second criterion: AND Publication date is 1982.
   You would expect three rows but you get 900+ rows.
3. Apply the patch; restart_all.
4. Repeat p. 2. You should get the expected three rows.

Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit bdc7ac2c93f9af9ac196c77da47758a1078c47d7)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit dca760d5b24428143a0e0de7b52c131c813488fc)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
2 months agoBug 36940: Resolve two warnings on undefined branchip
Marcel de Rooy [Thu, 23 May 2024 08:47:50 +0000 (08:47 +0000)]
Bug 36940: Resolve two warnings on undefined branchip

If you enabled AutoLocation and have a branch without ip, this
triggers warnings.

Test plan:
Check logs in this situation with/without this patch by logging out
and in again on staff.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 2f1ffbc6ec088c6c18bad967086db1e51084403f)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 2d4537ba124d40201a4a0d164e714479474749ce)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 36937: Remove warning from unit tests
Matt Blenkinsop [Thu, 23 May 2024 09:23:10 +0000 (09:23 +0000)]
Bug 36937: Remove warning from unit tests

This patch fixes a warning in the unit tests

Test plan:
1) prove t/db_dependent/api/v1/password_validation.t
2) There will be a warning in the output - 'Use of uninitialized value $status in numeric eq (==)'
3) Apply patch
4) Re-run the test
5) The warning will disappear

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
2 months agoBug 30715: Terminology for the log viewer - use 'Staff interface' instead of 'Intranet'
David Nind [Mon, 3 Jun 2024 02:01:30 +0000 (02:01 +0000)]
Bug 30715: Terminology for the log viewer - use 'Staff interface' instead of 'Intranet'

The log viewer (Tools > Additional tools > Log viewer) uses
'Intranet' as:
- an option for filtering what log entries to display.
- a value in the log entries interface column, for log entries.

Koha's terminology guideline is to use 'Staff interface' instead of
'Interface' (https://wiki.koha-community.org/wiki/Terminology#I).

Test plan:
1. Perform some actions that will create log entries when using the
   staff interface. For example:
   1.1 Enable the UseRecalls system preference.
   1.2 Edit the title for a record.
   1.3 Add an item for a record.
2. Use the log viewer to view the logged changes:
   2.1 Go to Tools > Additional tools > Log viewer.
   2.2 Select Submit.
   2.3 Log entries are displayed for the changes made.
3. Note that:
   3.1 For the log viewer 'Interface' filter options, "All" is
       selected by default, and other options are Intranet, OPAC,
       SIP, Command-line, REST API, and Cron job.
   3.2 For the changes viewed in step 2, the value displayed in
       the 'Interface' column is 'Intranet'.
4. Apply the patch.
5. Refresh the page.
6. Note that:
   5.1 For the interface filter options, 'Intranet' is now changed
       to 'Staff interface'.
   5.2 In the list of log entries, the value in the interface column
       is now 'Staff interface'.
7. Sign off D:

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
2 months agoBug 37656: XSS in Advanced editor from Z39.50 search results
Phil Ringnalda [Fri, 16 Aug 2024 04:22:12 +0000 (21:22 -0700)]
Bug 37656: XSS in Advanced editor from Z39.50 search results

The Advanced editor inserts data from Z39.50 results into the search results
page without escaping HTML. Whether it's German records with "<<A>> Title"
or someone with a compromised catalog or a book with the title "<em> for
emphasis" it shouldn't.

Test plan:
 1. Not a dependency, but you'll avoid getting even more alerts while batch
    importing by starting with the patch from bug 37654
 2. Without this patch applied, download attachment 170421
 3. Administration - set the preference EnableAdvancedCatalogingEditor to
    Enable
 4. Cataloging - Stage records for import - browse to the downloaded file -
    Upload file - Stage for import
 5. Once the background job finishes, View batch (getting alerts if you
    didn't apply the patch from bug 37654) - Import this batch into the
    catalog
 6. When the import finishes, Search the catalog for script, on the imported
    record Edit record (if you wind up in the basic editor, Settings - Switch
    to Advanced editor)
 7. In the left sidebar below the search inputs, click Advanced », check
    the checkbox for Local catalog and uncheck any others, then search for
    the Title script
 8. You'll get five alerts, and the word "edition" displayed in huge text
 9. Close the search popup, apply patch, shift+reload the advanced editor
    page to clear your cache
10. Repeat step 7, but this time you won't get any alerts, and you'll see
    the title and the other <script> inclusions.

Sponsored-by: Chetco Community Public Library
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
2 months agoBug 37654: XSS in Batch record import for Citation column
Phil Ringnalda [Fri, 16 Aug 2024 02:57:42 +0000 (19:57 -0700)]
Bug 37654: XSS in Batch record import for Citation column

Viewing a staged MARC record batch loads a DataTable from
/tools/batch_records_ajax.pl, and both batch_records_ajax.pl and the
DataTable just trust the author/title/isbn/issn to be free of HTML. They
shouldn't.

Test plan:
1. Without this patch applied, download attachment 170418, then Cataloging
   - Stage records for import - Select the downloaded file - Upload file -
   Stage for import
2. When the background job completes, View batch - you'll get three alert()s
   from the title, author, and ISSN, and the author and ISSN displayed huge
3. Apply patch, restart_all
4. Manage staged records - click HTMLescapingimporttestrecord.mrc - get zero
   alerts and no <h2> display

Sponsored-by: Chetco Community Public Library
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
2 months agoBug 37655: Basic editor needs to HTML-escape the bib record title used as a heading
Phil Ringnalda [Thu, 15 Aug 2024 22:41:18 +0000 (15:41 -0700)]
Bug 37655: Basic editor needs to HTML-escape the bib record title used as a heading

We stick the title of a bib record you are editing in the basic editor into
an <h1> without escaping any HTML it might contain. We should instead escape
it.

Test plan:

1. Without the patch, search for any record in the catalog and click Edit
   record (if you are in the advanced editor, switch to the basic one)
2. Tab 2, Field 245, Subfield a, paste <script>alert('boo ❤')</script><h2>
   at the end of the subfield
3. Save, then from the record detail page select Edit - Edit record
4. You will have gotten an alert(), and the entire form will be the size
   of an <h2>. That's ugly, so go back to the detail page.
5. Apply patch, restart_all
6. Edit - Edit record
7. Now you should not get an alert, the whole title inluding the <script>
   should display in italics, and the "(Record number nnn)" after it should
   not be italicized.

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
2 months agoBug 13342: Not logged user can place a review/comment
Hammat Wele [Tue, 3 Sep 2024 20:31:21 +0000 (20:31 +0000)]
Bug 13342: Not logged user can place a review/comment

We are able to comment a notice even when no user is connected

To test

1. Log in to OPAC.
2. Find a Biblio and open the comments tab.
3. Open another tab/window, and log out from the account.
4. Return to the first tab.
5. Click "Post your comments on this title."
 --> We are able to post a comment
6. Apply the patch
7. Repeat step 1, 2, 3, 4, 5
 --> You should be redirected to the login page.

Signed-off-by: David Cook <dcook@prosentient.com.au>
Bug 13342: Tidy

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoUpdate release notes for 23.05.14 release v23.05.14-1
Katrin Fischer [Wed, 14 Aug 2024 05:58:51 +0000 (05:58 +0000)]
Update release notes for 23.05.14 release

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
3 months agoRevert "Bug 37255: Fix handling of "All" values on waiting hold cancellation policy"
Katrin Fischer [Wed, 14 Aug 2024 05:56:12 +0000 (07:56 +0200)]
Revert "Bug 37255: Fix handling of "All" values on waiting hold cancellation policy"

This reverts commit e0211501384a72481ade9d6ca74162b7d7059dd7.

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
3 months agoUpdate release notes for 23.05.14 release v23.05.14
Tomas Cohen Arazi [Tue, 13 Aug 2024 14:05:18 +0000 (11:05 -0300)]
Update release notes for 23.05.14 release

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoIncrement version for 23.05.14 release
Tomas Cohen Arazi [Tue, 13 Aug 2024 13:51:55 +0000 (10:51 -0300)]
Increment version for 23.05.14 release

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37508: (QA follow-up) Move sth error check up
Tomas Cohen Arazi [Tue, 13 Aug 2024 04:08:44 +0000 (01:08 -0300)]
Bug 37508: (QA follow-up) Move sth error check up

This patch moves the error check right before the ->check_columns call.
This is how main and 24.05 behave. 23.11 doesn't have bug 35907
backported so things are not exactly the same. With this patch tests
pass and the only difference in behavior is logging.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37508: Don't return Internal server error when running report
Nick Clemens [Mon, 12 Aug 2024 12:10:12 +0000 (12:10 +0000)]
Bug 37508: Don't return Internal server error when running report

To test:
1 - Create a report like:
SELECT "a"
FROM borrowers
WHERE <<Test>> != ''
2 - Run report
3 - Enter "password"
4 - Internal server error / stacktrace
5 - Apply patch
6 - Repeat
7 - Get a yellow warning box

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37508: (QA follow-up) Use ->check_columns
Marcel de Rooy [Fri, 9 Aug 2024 09:56:11 +0000 (09:56 +0000)]
Bug 37508: (QA follow-up) Use ->check_columns

Add shebang to Guided.t too.

Test plan:
See also previous commits.
Try sql like:
  select access_token from oauth_access_tokens

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37508: (QA follow-up) Move check to Koha::Report, extend
Marcel de Rooy [Fri, 9 Aug 2024 09:50:44 +0000 (09:50 +0000)]
Bug 37508: (QA follow-up) Move check to Koha::Report, extend

Do not allow password but allow password_expiry_days etc.
Do not allow token, secret and uuid too.

Test plan:
Run t/db_dependent/Koha/Reports.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37508: (follow-up) Don't pass the column or sql containing password
Aleisha Amohia [Thu, 8 Aug 2024 23:53:47 +0000 (23:53 +0000)]
Bug 37508: (follow-up) Don't pass the column or sql containing password

This patch replaces these variables with a non-translatable message.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37508: (follow-up) Throw error is password is in SQL query at all
Aleisha Amohia [Wed, 7 Aug 2024 04:37:25 +0000 (04:37 +0000)]
Bug 37508: (follow-up) Throw error is password is in SQL query at all

Confirm tests pass t/db_dependent/Reports/Guided.t

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37508: Test for errors when returning an aliased password column
David Cook [Wed, 7 Aug 2024 01:15:10 +0000 (01:15 +0000)]
Bug 37508: Test for errors when returning an aliased password column

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37508: Throw error if password column is detected in SQL report
Aleisha Amohia [Mon, 29 Jul 2024 03:53:06 +0000 (03:53 +0000)]
Bug 37508: Throw error if password column is detected in SQL report

This enhancement prevents SQL queries from being run if they would return a password field from the database table.

To test:

1. Run tests and notice they fail t/db_dependent/Reports/Guided.t

2. Apply patch and restart services

3. Create a public report with an SQL report which would access a password column in a database table
4. Try to run the report. Notice you are met with an error and the results are not shown.
5. Access the JSON URL, you should not get the results and should be shown an error
6. Confirm tests pass t/db_dependent/Reports/Guided.t

Sponsored-by: Reserve Bank of New Zealand
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37370: Return 400 if OpacExportOptions does not contain the passed format
Tomas Cohen Arazi [Tue, 16 Jul 2024 15:43:39 +0000 (12:43 -0300)]
Bug 37370: Return 400 if OpacExportOptions does not contain the passed format

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37466: Add correct filter for sort_by in results.tt
David Cook [Thu, 25 Jul 2024 06:44:37 +0000 (06:44 +0000)]
Bug 37466: Add correct filter for sort_by in results.tt

This patch replaces the $raw filter with the correct uri filter
for the sort_by in results.tt

Test plan:
1. Apply patch
2. Go to /cgi-bin/koha/catalogue/search.pl?count=20&sort_by=popularity_dsc&idx=kw&q=1
3. Click on "Edit this search"
4. Note that the "Popularity (most to least)" Sort by option is selected
5. Go to /cgi-bin/koha/catalogue/search.pl?count=20&sort_by=popularity_dsc&idx=kw&q=24y24ty2498294t9824yt9y23
6. Click on "Edit this search"
7. Note that the "Popularity (most to least)" Sort by option is selected

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37464: Validate "type" sent to barcode/svc
David Cook [Thu, 25 Jul 2024 06:56:18 +0000 (06:56 +0000)]
Bug 37464: Validate "type" sent to barcode/svc

This change validates the "type" sent to the barcode/svc. Without this
change, we pass the user input directly to GD::Barcode, which passes
the input into an eval{} block without any validation of its own.

Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=bad&barcode=123456
3. Note that a Code39 barcode is provided for an invalid type
4. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=Code39&barcode=123456
5. Note that a Code39 barcode is provided
6. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=UPCE&barcode=123456
7. Note that a non-Code39 barcode is provided (presumably UPCE)

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37488: Validate paths in datalink.txt/idlink.txt files
David Cook [Fri, 26 Jul 2024 04:01:43 +0000 (04:01 +0000)]
Bug 37488: Validate paths in datalink.txt/idlink.txt files

This change validates the paths in datalink.txt/idlink.txt,
so that only images in the unpacked archive directory are allowed

Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Create a datalink.txt file with the following:
42,selfie.jpg
3. Create a jpeg at selfie.jpg
4. ZIP the datalink.txt and selfie.jpg files
5. Upload to the "Upload patron images" tool
(after enabling the "patronimages" system preference)
6. Note that the image uploads correctly

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37323: Tidy
David Cook [Fri, 26 Jul 2024 03:27:22 +0000 (03:27 +0000)]
Bug 37323: Tidy

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37323: Don't allow symlinks in link files in zip and validate filepaths
Chris Cormack [Thu, 18 Jul 2024 23:57:32 +0000 (23:57 +0000)]
Bug 37323: Don't allow symlinks in link files in zip and validate filepaths

Test plan:
0. Apply patch and restart/reload Koha
1. Test that uploading a patron image still works, in single file format and as a zip

Work as suggested

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37323: Escape characters in patron image picture upload
Amit Gupta [Thu, 11 Jul 2024 17:43:06 +0000 (23:13 +0530)]
Bug 37323: Escape characters in patron image picture upload

To Test
1. Create a file name for example: test.zip`curl xxxxtesting.informaticsglobal.com`.zip
   where the domain is one you can watch the logs from.
2. Go to Tools and click on Upload patron images choose option zip file and upload the file.
3. Check /var/log/apache2/access.log and see the curl with the IP
   "xx.xxx.xx.xxx - - [11/Jul/2024:23:10:33 +0530] "GET / HTTP/1.1" 200 267 "-" "curl/7.68.0"
4. Apply the patch
5. Repeat 2 and 3 step and check no error is coming for the Remote execution error.
6. Test uploading actual zip file and images still works.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37255: Fix handling of "All" values on waiting hold cancellation policy
Emmi Takkinen [Thu, 4 Jul 2024 11:23:31 +0000 (14:23 +0300)]
Bug 37255: Fix handling of "All" values on waiting hold cancellation policy

If one creates a default waiting hold cancellation policy with
patron categories set as "All" and itemtype set as "All", Koha
breaks on 500 error. This happens because in we try to match
template policy with "All" values either in category or itemtype
with *, not undef. This patch fixes this.

To test:
1. Create a new default waiting hold cancellation policy and
set both patron category and itemtype as "All".
2. Save policy.
=> Error page for error 500 is displayed.
3. Apply this patch.
4. Reload page.
=> Page is displayed and policy listing displays new policy
as it should.

Sponsored-by: Koha-Suomi Oy
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37533: fix query in orderreceive.tt
Andreas Jonsson [Wed, 31 Jul 2024 09:06:02 +0000 (09:06 +0000)]
Bug 37533: fix query in orderreceive.tt

The new validation in the REST API will no longer allow
the operator "in".  Consequently, it has to be replaced
with the allowed "-in".

Test plan:

 * Open an invoice and click "Go to receipt page" and
   on any basket click "receive" and make sure the dialog
   box appears.

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoUpdate release notes for 23.05.13 release v23.05.13
Wainui Witika-Park [Sun, 28 Jul 2024 23:50:06 +0000 (11:50 +1200)]
Update release notes for 23.05.13 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
3 months agoIncrement version for 23.05.13 release
wainuiwitikapark [Thu, 25 Jul 2024 05:10:44 +0000 (05:10 +0000)]
Increment version for 23.05.13 release

Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoMerge branch '23.05.x' into 23.05.x-security
wainuiwitikapark [Thu, 25 Jul 2024 04:53:25 +0000 (04:53 +0000)]
Merge branch '23.05.x' into 23.05.x-security

3 months agoBug 37247: [23.05.x] Send Koha::Subscription to template
Fridolin Somers [Wed, 24 Jul 2024 08:21:26 +0000 (10:21 +0200)]
Bug 37247: [23.05.x] Send Koha::Subscription to template

Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoBug 37247: [23.05.x] Fix display of "closed"
Jonathan Druart [Fri, 5 Jul 2024 12:47:42 +0000 (14:47 +0200)]
Bug 37247: [23.05.x] Fix display of "closed"

The subscription was not shown as closed after we closed it.
This is because "closed" is not passed to the template.
It seems more reliable to rely on the subscription object (that is passed to both
serials/serials-collection.tt and serials/subscription-detail.tt, the
others are not showing the Reopen/Close buttons)

Also fetch the subscription object after and reopen/close it to display
accurate values.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoBug 37247: [23.05.x] Fix subscriptions operation allowed without authentication
Fridolin Somers [Thu, 4 Jul 2024 14:18:17 +0000 (16:18 +0200)]
Bug 37247: [23.05.x] Fix subscriptions operation allowed without authentication

Move close and reopen after get_template_and_user().
Also move Koha::Subscriptions->find(), not a good idea to run DB queries
before authentication.

Test plan :
1) Apply patch
2) Authenticate to staff interface
3) Go to an existing open subscription
4) Open a new browser tab and use it to log-out
5) Go to first tab and click on 'Close'
6) You get login page
7) Authenticate
8) Check subscription is not closed
9) Check you can close and reopen subscription

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoBug 37210: Properly escape SQL query parameters by using bind values
Julian Maurice [Tue, 2 Jul 2024 14:32:32 +0000 (16:32 +0200)]
Bug 37210: Properly escape SQL query parameters by using bind values

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoBug 37210: Escape single quote in search string in overdue.pl
Hammat Wele [Thu, 27 Jun 2024 14:09:04 +0000 (14:09 +0000)]
Bug 37210: Escape single quote in search string in overdue.pl

To Test:
1. Go to /cgi-bin/koha/circ/overdue.pl
2. In the «Name or card number» field, type «Tommy'and(select(0)from(select(sleep(10)))v)and'»
3. Apply the filter
   ==> It takes 10 seconds, sleep(10) is executed
4. Inspect the page, in «Patron category:» field, put «Tommy'and(select(0)from(select(sleep(10)))v)and'» in one of his option's value
5. select the option from the filter and Apply the filter
   ==> It takes 10 seconds, sleep(10) is executed
we can inject SQL to the followin field : borname, itemtype, borcat, holdingbranch, homebranch and branch
6. Apply the patch
7. Repeat step 1,2,3
   ==> it doesn't take 10 seconds, the injected sql is not executed
8. Repeat step 5
==> it doesn't take 10 seconds, the injected sql is not executed
9. Repeat step 5 with the followin field : itemtype, holdingbranch, homebranch and branch
   ==> it doesn't take 10 seconds, the injected sql is not executed

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoBug 37018: Add 400 response definition to all routes
Tomas Cohen Arazi [Mon, 8 Jul 2024 20:21:25 +0000 (17:21 -0300)]
Bug 37018: Add 400 response definition to all routes

This patch adds a test for well defined 400 responses on all verbs and
paths on the API spec.

The tests verify:

* Presence of 400 response definition
* The description must start with 'Bad request' (needs coding guideline)
* If DBIC queries are allowed on the route, then `invalid_query` needs
  to be mentioned in the description.

All routes get fixed to make the tests pass.

To test:
1. Apply this patch
2. Run:
   $ ktd --shell
  k$ yarn api:bundle
  k$ prove xt/api.t
=> SUCCESS: Tests pass!

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoBug 37018: Clarify operators
Martin Renvoize [Wed, 10 Jul 2024 08:39:33 +0000 (09:39 +0100)]
Bug 37018: Clarify operators

This patch clarifies the list of operators both in the validate routine
and in the swagger descrption block where we document this feature for
the end user.

JD amended patch: tidy

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoBug 37018: Silence useless warning
Tomas Cohen Arazi [Mon, 8 Jul 2024 20:30:01 +0000 (17:30 -0300)]
Bug 37018: Silence useless warning

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoBug 37018: Handle exception in unhandled_exception() helper
Tomas Cohen Arazi [Mon, 8 Jul 2024 19:48:01 +0000 (16:48 -0300)]
Bug 37018: Handle exception in unhandled_exception() helper

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoBug 37018: (follow-up) adding some allowed operators
Hammat Wele [Wed, 3 Jul 2024 13:59:48 +0000 (13:59 +0000)]
Bug 37018: (follow-up) adding some allowed operators

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoBug 37018: Use validation in search_rs helper
Martin Renvoize [Wed, 5 Jun 2024 13:20:22 +0000 (14:20 +0100)]
Bug 37018: Use validation in search_rs helper

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoBug 37018: Add validation method to Koha::REST::Plugin::Query.pm
Martin Renvoize [Wed, 5 Jun 2024 13:19:54 +0000 (14:19 +0100)]
Bug 37018: Add validation method to Koha::REST::Plugin::Query.pm

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoBug 37018: Add Koha::Exceptions::REST
Tomas Cohen Arazi [Mon, 8 Jul 2024 17:34:25 +0000 (14:34 -0300)]
Bug 37018: Add Koha::Exceptions::REST

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoBug 37018: Unit tests
Martin Renvoize [Wed, 5 Jun 2024 13:19:06 +0000 (14:19 +0100)]
Bug 37018: Unit tests

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoBug 37018: Regression tests
Tomas Cohen Arazi [Sat, 6 Jul 2024 13:32:07 +0000 (10:32 -0300)]
Bug 37018: Regression tests

This patch adds regression tests. With the current codebase, the
malicious query returns a 200. It should be caught and a 400 needs to be
returned.

To test:
1. Apply this patch
2. Run:
   $ ktd --shell
  k$ prove t/db_dependent/api/v1/query.t
=> FAIL: It returns a 200
3. Once the rest of the patches are ready, repeat 2
=> SUCCESS: It returns a 400

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoBug 37146: Add tests
Jonathan Druart [Thu, 11 Jul 2024 09:40:35 +0000 (11:40 +0200)]
Bug 37146: Add tests

Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
3 months agoBug 37146: Prevent path traversal by validating input
David Cook [Fri, 21 Jun 2024 01:45:51 +0000 (01:45 +0000)]
Bug 37146: Prevent path traversal by validating input

This patch validates the plugin_name passed to plugin_launcher.pl
against the base path containing the "value_builder" directory.

Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber=29
3. Check that the tag editor for leader still works
4. Go to http://localhost:8081/cgi-bin/koha/cataloguing/additem.pl?biblionumber=29
5. Check that the pluginf or "Date acquired" still works

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
4 months agoBug 35115: (QA follow-up):
Pedro Amorim [Fri, 10 Nov 2023 15:07:35 +0000 (15:07 +0000)]
Bug 35115: (QA follow-up):

Spelling.
Tidyness.
Removal of leftover warn

Nick's patch fixes the issue as described, and I agree that it is the ideal solution here.
prove t/db_dependent/api/v1/erm_eholdings* passes
prove t/db_dependent/Koha/BackgroundJob/CreateEHoldingsFromBiblios.t passes

Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
4 months agoBug 35115: Move store routine from Resource to Title and update code
Nick Clemens [Wed, 8 Nov 2023 18:36:29 +0000 (18:36 +0000)]
Bug 35115: Move store routine from Resource to Title and update code

These patches move the store routine from Koha::ERM::EHoldings::Resource to Koha::ERM::EHoldings::Title as the code deals exclusively with title fields.

It updates the code to ensure that records are created when a title is not attched to a biblio, and that only the biblio title field is updated when updating an eholdings title.

To test:
 1 - Enable ERMModule sys pref
 2 - Create a new public list, visit:
     /cgi-bin/koha/virtualshelves/shelves.pl
 3 - Click "New list" enter name, set public -> public
 4 - Click "Add items", enter 112\n113\n114 (new line for each), in "Biblio numbers"
 5 - Notice that all added biblios have quite a few MARC fields
 6 - Go to packages, visit:
     /cgi-bin/koha/erm/eholdings/local/packages
 7 - Create a new package, add a name and hit 'Submit'
 8 - Go to titles, visit:
     /cgi-bin/koha/erm/eholdings/local/titles
 9 - Click "import from list"
10 - Pick the package created in 7)
11 - On the row of the list created in 2), click "Import"
12 - Go back to the list, visit:
     /cgi-bin/koha/virtualshelves/shelves.pl?op=view&shelfnumber=1
13 - Notice all the biblios have been stripped of their MARC data, and only title remains.
14 - Go to details page for one of the bibs
15 - Edit -> Replace record via Z39.50
16 - You can search for anything, just make sure to import a mostly full record
17 - Go back to ERM - eHoldings - Local - Titles
18 - Edit the title for the record that was replaced
19 - Save
20 - Go to record details - note the record is gone again
21 - Apply patches
22 - Search the catalog
23 - Check some titles
24 - Add to a new list
25 - repeat 8 - 11 with the new list
26 - View and confirm records are intact
27 - Edit the eholdings title for one of the records, changing the title field
28 - Save and view record details
29 - Confirm record is intact and title updated

Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
4 months agoBug 36816: Remove warning
Jonathan Druart [Wed, 22 May 2024 08:08:30 +0000 (10:08 +0200)]
Bug 36816: Remove warning

Use of uninitialized value in string eq at /kohadevbox/koha/opac/opac-memberentry.pl line 629.

Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 98637f17a7e59b2fbf0d8d9331b2508065211913)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
4 months agoBug 36816: Restore clearing patron attributes - OPAC
Jonathan Druart [Wed, 22 May 2024 08:05:16 +0000 (10:05 +0200)]
Bug 36816: Restore clearing patron attributes - OPAC

1) Add a new patron attribute type, visit:
<staff_url>/cgi-bin/koha/admin/patron-attr-types.pl?op=add_attribute_type
2) Add a code and a description (whatever) - Make it 'Display in OPAC' and 'Editable in OPAC'
3) Access OPAC patron personal details page, visit:
<opac_url>/cgi-bin/koha/opac-memberentry.pl
4) Scroll down and add some info to 'whatever'. Click 'Submit update request'.
5) Visit the INTRA 'update patron requests from opac' page:
<staff_url>/cgi-bin/koha/members/members-update.pl
6) Notice the entry is there. Select 'approve' and click "Submit"
7) Repeat 3)
8) Scroll down and notice the approved value is there. Clear that data and "Submit update request" (as if you're requesting for that data to be removed/cleared)
9) Repeat 5)
10) Notice there's an entry, and it is not empty. Select 'approve' and click "Submit"
11) Repeat 3)
12) Scroll down and notice the request to update (clear) that field did go through, i.e. the data is not there anymore.

Also test self-registration and mandatory attributes

Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit f4e999bb9f9a714eedc5bac22dd6902abe288af1)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
5 months agoUpdate release notes for 23.05.12 release v23.05.12
Lucas Gass [Tue, 11 Jun 2024 14:37:49 +0000 (14:37 +0000)]
Update release notes for 23.05.12 release

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoIncrement version for the 23.05.12 release
Lucas Gass [Fri, 7 Jun 2024 15:40:54 +0000 (15:40 +0000)]
Increment version for the 23.05.12 release

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36520: Sanitize input in opac-sendbasket.pl
Chris Cormack [Mon, 13 May 2024 02:26:13 +0000 (02:26 +0000)]
Bug 36520: Sanitize input in opac-sendbasket.pl

To test
1/ Add some items to your cart in the opac
2/ Choose send cart
3/ Open firefox developer tools and switch to the network tab
4/ Send cart
5/ In the network tab, find the post request and choose copy as curl
6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+-  to the bib_list parameter
7/ Run the curl notice it takes a long time to respond, if you want to check run the curl without the above part added
8/ Apply the patch and restart plack
9/ Run the modified curl and notice no longer the slow down
10/ Test in browser and make sure the basket is still sent

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36520: Prevent SQL injection in GetPreparedLetter
Jonathan Druart [Mon, 13 May 2024 12:47:28 +0000 (14:47 +0200)]
Bug 36520: Prevent SQL injection in GetPreparedLetter

Actually in _get_tt_params

The following query will delay the response

SELECT `me`.`biblionumber`, `me`.`frameworkcode`, `me`.`author`, `me`.`title`, `me`.`medium`, `me`.`subtitle`, `me`.`part_number`, `me`.`part_name`, `me`.`unititle`, `me`.`notes`, `me`.`serial`, `me`.`seriestitle`
, `me`.`copyrightdate`, `me`.`timestamp`, `me`.`datecreated`, `me`.`abstract`
  FROM `biblio` `me`
WHERE `biblionumber` = '1) AND (SELECT 1 FROM (SELECT(SLEEP(6)))x)-- -'
ORDER BY field( biblionumber, 1 ) AND (
    SELECT 1
      FROM
    SELECT SLEEP( 6 ) x
   ) -- - )

To test
1/ Add some items to your cart in the opac
2/ Choose send cart
3/ Open firefox developer tools and switch to the network tab
4/ Send cart
5/ In the network tab, find the post request and choose copy as curl
6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+-  to the bib_list parameter
7/ Run the curl notice it takes a long time to respond, if you want to check run the curl without the above part added
8/ Apply the patch and restart plack
9/ Run the modified curl and notice no longer the slow down
10/ Test in browser and make sure the basket is still sent

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36520: Add tests
Jonathan Druart [Wed, 15 May 2024 09:25:47 +0000 (11:25 +0200)]
Bug 36520: Add tests

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36818: Escape characters in file names uploaded
Chris Cormack [Wed, 8 May 2024 22:41:43 +0000 (22:41 +0000)]
Bug 36818: Escape characters in file names uploaded

To test:
1/ create a file named something like 'execute`curl blog.bigballofwax.co.nz`.zip'
   Where the domain is one you can watch the logs from
2/ Upload this file as a cover image
3/ Check /var/lib/koha/sitename/tmp/koha_sitename/ and see unescaped filenames
4/ Choose process, check the logs of the webserver see the connection has been made
5/ Apply the patch
5/ Repeat 2 & 3 and see the filename is now escaped
6/ Choose process and check no errors but no no remote execution occurs
7/ Test uploading actual zip file and images still works

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36575: (Rmaint follow-up) Fix number of tests
Lucas Gass [Mon, 3 Jun 2024 15:10:06 +0000 (15:10 +0000)]
Bug 36575: (Rmaint follow-up) Fix number of tests

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36575: (QA follow-up) Shibboleth POD and checkpw_internal call
Marcel de Rooy [Tue, 30 Apr 2024 14:39:36 +0000 (14:39 +0000)]
Bug 36575: (QA follow-up) Shibboleth POD and checkpw_internal call

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36575: Adjust checkpw_internal to return patron
Nick Clemens [Wed, 24 Apr 2024 15:06:22 +0000 (15:06 +0000)]
Bug 36575: Adjust checkpw_internal to return patron

This patch refactors checkpw_internal to remove the SQL code, use patron ojbects, and return the
patron that correctly matches the userid/caerdnumber when auth is successful

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36575: (bug 34893 follow-up) Return patron when autocreating in Shibboleth
Nick Clemens [Wed, 24 Apr 2024 14:25:40 +0000 (14:25 +0000)]
Bug 36575: (bug 34893 follow-up) Return patron when autocreating in Shibboleth

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36575: (bug 34893 follow-up) Return patron from LDAP
Nick Clemens [Wed, 24 Apr 2024 14:23:51 +0000 (14:23 +0000)]
Bug 36575: (bug 34893 follow-up) Return patron from LDAP

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36575: (QA follow-up)
Martin Renvoize [Thu, 11 Apr 2024 10:18:30 +0000 (12:18 +0200)]
Bug 36575: (QA follow-up)

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36575: Return correct patron when there is a shared userid / cardnumber
Nick Clemens [Thu, 11 Apr 2024 09:39:03 +0000 (09:39 +0000)]
Bug 36575: Return correct patron when there is a shared userid / cardnumber

This patch moves some patron fetching code in C4/Auth to use to patron returned from the validation
methods and only try to fetch the patron (to check if locked, update attempts, etc) if we didn't authenticate

To test:
1 - Set a user to have userid = BANANA password = Password1
2 - Set a user to have cardnumber = BANANA password = Password2
3 - Hit the patron authentication API:
    http://localhost:8080/api/v1/auth/password/validation
    with data:
    { "identifier": "BANANA", "password":"Password1" }
    and:
    { "identifier": "BANANA", "password":"Password2" }
4 - Note you receive the same response for both
5 - Apply patch, restart all
6 - Repeat the API and confirm you get the correct patron for the password submitted

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36575: Unit tests for checkpw_shib
Tomas Cohen Arazi [Thu, 30 May 2024 16:15:09 +0000 (16:15 +0000)]
Bug 36575: Unit tests for checkpw_shib

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36575: Unit tests for checkpw_ldap
Tomas Cohen Arazi [Thu, 30 May 2024 14:51:11 +0000 (14:51 +0000)]
Bug 36575: Unit tests for checkpw_ldap

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36792: Limit POSIX imports
Janusz Kaczmarek [Mon, 6 May 2024 12:06:22 +0000 (12:06 +0000)]
Bug 36792: Limit POSIX imports

A Marcel's QA patch to Bug 36552 added use POSIX; in two spots.
In https://metacpan.org/pod/POSIX we read:

CAVEATS
Everything is exported by default (with a handful of exceptions). This is
an unfortunate backwards compatibility feature and its use is strongly
discouraged. You should either prevent the exporting (by saying use
POSIX ();, as usual) and then use fully qualified names (e.g.
POSIX::SEEK_END), or give an explicit import list. If you
do neither and opt for the default (as in use POSIX;), you will
import hundreds and hundreds of symbols into your namespace.

This patch fixes this.

No test plan.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 8d9ccd6fc371877fbd4d016ee3bc1de54721787e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit ca023b334cc9b79cfd85e6bb9a75c7037ae1fd95)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 34263: (QA follow-up): Use flatpickr .clear instead
Pedro Amorim [Fri, 3 May 2024 14:22:13 +0000 (14:22 +0000)]
Bug 34263: (QA follow-up): Use flatpickr .clear instead

Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 1137793e44ce6b5d2a4e7759e46218f6ddeb9e8b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit dcddcda37d1efb586cb75a89df4ad6af0bf438ee)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 34263: Suspending holds consecutively populates previously used date falsely
Katariina Pohto [Thu, 2 May 2024 13:09:39 +0000 (16:09 +0300)]
Bug 34263: Suspending holds consecutively populates previously used date falsely

Suspending a hold doesn't clear the date from the date picker. When another hold is suspended
the previously used date will show on the date picker but the value is not set on the hold.
Suspending the hold will suspend it indefinitely. Also the link "Clear date to suspend indefinitely"
will not clear the date picker. This patch will make both the Suspend button and the Clear date link
clear the dates from both the date picker and the variable passed on, making the suspending consistent
with what is seen on the date picker.

Test plan:
1) Place 3 holds on a patron.
2) Suspend a hold and set a date for it.
3) Suspend a second hold and notice the previously used date is shown on the date picker.
   Note that the hold will be suspended indefinitely.
4) Open the suspending window for the third hold and pick a date. Click "Clear date to suspend indefinitely"
   and note the date picker doesn't get cleared. The hold will be suspended indefinitely.
5) Apply patch.
6) Suspend a hold and set a date for it.
7) Suspend a second hold and notice the date picker does not have a preset date.
8) Pick a date and clear it with the "Clear date to suspend indefinitely link".
   See that the date picker also gets cleared.

Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 0f0479e87aaa324b455fbbf40674f15e2fa862c0)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 44a26cbec7d63d873c0b13cbd8097138431480d0)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36939: Remove a warning from Serials.t
Jonathan Druart [Thu, 23 May 2024 07:50:59 +0000 (09:50 +0200)]
Bug 36939: Remove a warning from Serials.t

t/db_dependent/Serials.t .. 2/57 Use of uninitialized value in numeric gt (>) at /kohadevbox/koha/C4/Serials.pm line 2029.

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 7d75ec3e2602dcadbb238dfb7cbec76020ebafef)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit f41e7398857cc9f76c0bcdf01e3426c192e773e0)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36923: Remove warnings from Holds/LocalHoldsPriority.t
Jonathan Druart [Wed, 22 May 2024 12:01:28 +0000 (14:01 +0200)]
Bug 36923: Remove warnings from Holds/LocalHoldsPriority.t

t/db_dependent/Holds/LocalHoldsPriority.t .. 1/7 Use of uninitialized value in numeric gt (>) at /kohadevbox/koha/C4/Reserves.pm line 866.
t/db_dependent/Holds/LocalHoldsPriority.t .. 2/7 Use of uninitialized value in numeric gt (>) at /kohadevbox/koha/C4/Reserves.pm line 866.
Use of uninitialized value in numeric gt (>) at /kohadevbox/koha/C4/Reserves.pm line 866.
Use of uninitialized value in numeric gt (>) at /kohadevbox/koha/C4/Reserves.pm line 866.
t/db_dependent/Holds/LocalHoldsPriority.t .. 5/7 Use of uninitialized value in numeric gt (>) at /kohadevbox/koha/C4/Reserves.pm line 866.
t/db_dependent/Holds/LocalHoldsPriority.t .. ok
All tests successful.

We didn't have the default values generated by the DBMS

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 6827c9061ffc57c2e1f7087aced8ce2e65196558)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 233e92f8996958e66363557daec1859a4f76c93b)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36589: Advanced cataloging - restore the correct height of the clipboard
Phil Ringnalda [Thu, 16 May 2024 20:54:41 +0000 (13:54 -0700)]
Bug 36589: Advanced cataloging - restore the correct height of the clipboard

A simple direct fix for the height of the advanced editor's clipboard,
which is a <select size="10"> that's currently cut down to the height of
one thick line by CSS intended for non-multiple, non-sized selects with
dropdown menus.

Test plan:
1. Set the pref EnableAdvancedCatalogingEditor to Enable
2. Cataloging -> Advanced editor
3. Note the Clipboard is a single line tall
4. Apply patch, shift+reload Advanced editor
5. Note the Clipboard is ten lines tall

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 10a8dc5108dc58d91786ead95f5130a7a147d5b1)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 0413d06b0e0f9e2bb8ec3bf26a55d445a7df7119)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36943: (follow-up) 24.05.00 - Update .mailmap
Katrin Fischer [Thu, 23 May 2024 17:11:33 +0000 (17:11 +0000)]
Bug 36943: (follow-up) 24.05.00 - Update .mailmap

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit f044310808bd26fb856ed26e78290f972889a9cc)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 57ec82f6e86a230a6ace571e7c5e54e8ddf702fc)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36943: 24.05.00 - Update .mailmap
Martin Renvoize [Thu, 23 May 2024 10:47:05 +0000 (11:47 +0100)]
Bug 36943: 24.05.00 - Update .mailmap

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit d8863160da07c81b0b7356c8b923737b401db481)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 6c89d4eeb6348683d32a1928a2e410e3f81c44fe)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36908: (Rmaint follow-up) Fix number of tests
Lucas Gass [Fri, 31 May 2024 15:27:24 +0000 (15:27 +0000)]
Bug 36908: (Rmaint follow-up) Fix number of tests

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36908: (QA follow-up) Proposed improvement to prefernce description
Martin Renvoize [Thu, 23 May 2024 09:36:55 +0000 (10:36 +0100)]
Bug 36908: (QA follow-up) Proposed improvement to prefernce description

I found the initial addition of 'or the branch chosen at login' to the
system preference description more misleading than the original. After
discussion on mattermost and with training staff here at PTFS the best
alternative we could come up with is proposed here.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 85735e86f4f927d8e455aec08ef90a1381694059)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit b478d91b59a11574b0fd7689b5037c2c29ee8d42)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
5 months agoBug 36908: Sort branches based on branchcode
Nick Clemens [Tue, 21 May 2024 12:44:25 +0000 (12:44 +0000)]
Bug 36908: Sort branches based on branchcode

This adds a sort based on branchcode, it's a fallback for an edge case that should be rare
so I think is acceptable, as long as documented.

I added test coverage, but it may no longer be possible to encounter this scenario.

System preference descriptions are updated as well.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 46cecfdd72ee45bfad03c6875fdc078df48eabec)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 7682763fca0e1d14c27a32e9987e8c66712229cb)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>