Kyle M Hall [Fri, 19 Jul 2024 16:23:43 +0000 (12:23 -0400)]
Bug 36362: (QA follow-up) Tidy code
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit a62d39ea11a9b6986c155f6333ac6e3afde0dd87) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
David Gustafsson [Tue, 19 Mar 2024 17:33:18 +0000 (18:33 +0100)]
Bug 36362: Only call Koha::Libraries->search() if necessary in Item::pickup_locations
To test:
1) Make sure the following tests pass:
- t/db_dependent/Koha/Item.t
- t/db_dependent/Koha/Biblios.t
- db_dependent/Koha/Biblio.t
Sponsored-by: Gothenburg University Library Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 2c1e95562188a6d93c22055e30d6a5e9d7e50034) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Emmi Takkinen [Mon, 19 Feb 2024 10:55:26 +0000 (12:55 +0200)]
Bug 36129: Make check on "Hide all columns" persist on item batch modification/deletion
On the item batch modification/deletion tool, if one checks the
"Hide all columns" checkbox and then reloads the page, the
checkbox is no longer selected. Columns are hidden as
they should be. This patch adds a line to batchMod.js which
sets the "checked" attribute and the class "selected" on the checkbox.
To test:
1. Find items to modify/delete and modify/delete them with
corresponding tool.
2. Check checkbox "Hide all columns".
3. Refresh the page.
=> Note that columns are still hidden, but checkbox is now
unselected.
4. Apply this patch.
5. Check checkbox again and refresh page.
=> Checkbox should be still checked.
Sponsored-by: Koha-Suomi Oy Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 1a154f1f0e1fa4d5c7295ba181fc27eaff99fd09) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Owen Leonard [Wed, 10 Apr 2024 11:30:33 +0000 (11:30 +0000)]
Bug 36566: Correct eslint errors in OPAC enhanced content JS
This patch fixes various eslint errors in enhanced content JS files:
- Consistent indentation
- Remove variables which are declared but not used
- Add missing semicolons
- Add missing "var" declarations
To test, apply the patch and clear your browser cache if necessary.
- Go to Administration -> System preferences and enable these
preferences:
- OPACAmazonCoverImages
- BakerTaylorEnabled
- GoogleJackets
- OPACLocalCoverImages
- OpenLibraryCovers
- Go to the OPAC and confirm that covers from these services appear
correctly in search results and on detail pages.
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 3d82116830ac7fbafe7414e08f155a54b7bb723f) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Nick Clemens [Mon, 22 Jul 2024 19:46:33 +0000 (19:46 +0000)]
Bug 37425: Check for existence of biblio object before fetching cover images
This patch simply adds a conditional to ensure the biblio object has been retrieved and assumes no cover images otherwise
To test:
1 - Enable system preference LocalCoverImages
2 - Perform a search in staff interface
3 - Find the biblionumber for one of the results and delete it via the SQL backend:
DELETE FROM biblio WHERE biblionumber=3;
4 - Search again.
5 - KO!
Can't call method "cover_images" on an undefined value at /usr/share/koha/intranet/cgi-bin/catalogue/search.pl line 671.
6 - Reindex, confirm error is gone
7 - Apply patch
8 - Search again
9 - Delete a record from the results via SQL
10 - Reload and confirm no error
11 - Reindex and repeat search and confirm no error
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 8fdddccffb2fa165b32e6a9c9b8d6d3dcacd5b08) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Fri, 12 Jul 2024 09:23:22 +0000 (10:23 +0100)]
Bug 37340: Restore sorting on 'Details' column in edifactmsgs
This patch restores the sorting options on the 'Details' field in the
edifact messages page.
We sort by basket_id followed by type behind the scenes, so the
resulting order for a Descending sort will group by basket id highest to
lowest with Quotes coming before Orders.
This is generally what the end user actually wants to see, even though
it may be somewhat unintuitive initially as it's not a clear alpha sort
for what's displayed in the column in the UI.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Mary Blomley <mary.blomley@uwl.ac.uk> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit e828f5f839ae709fd8425a0ee46401cb835b2ce1) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Lucas Gass [Mon, 22 Jul 2024 23:41:46 +0000 (23:41 +0000)]
Bug 37383: Use libraries_where_can_edit_items to check if items are editable
To test:
1 - have a system with 2+ branches
2 - have a bib with 2+ items, all with holdingbranch=A
3 - set logged in library to A
4 - go to bib details page, confirm each item has an Edit button in the holdings table
5 - edit one item, set holdingbranch=B
6 - reload bib details page
7 - confirm the item now at branch B does not have an edit button
8 - APPLY PATCH and restart_all
9 - Try 1 - 6 again, this time you should see the proper edit buttons
10 - Set up library group:
* Create a library group for library A + B
* Action: Limit item editing by group
11 - Set up test user:
* Create a staff patron with these permissions:
* catalogue
* fast_cataloguing
* edit_items
* view_borrower_infos_from_any_libraries
* edit borrowers
* Home library: library A
12 - Set up test items:
* Create a record with 3 items with different home libraries:
* A
* B
* C
13 - We expect the user to be able to edit A and B, but not C.
14 - With the same user turn OFF the view_borrower_infos_from_any_libraries permission
15 - Behavior should not change, we expect the user to be able to edit A and B, but not C.
16 - Make sure StaffDetailItemSelection still works as expected for all users. With the sys pref on the checkbox should show up for superlibrarians and users with 'tools' permissions.
Signed-off-by: Michaela Sieber <michaela.sieber@kit.edu> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 66c332a78977b97c753bdc0e1acf60b243df9eca) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
This patch removes the 'About Koha' link as a module button, and
instead uses the 'Koha xx.xx.xx' version URL on the mainpage as a
shortcut to the 'About Koha' page.
Additionally, a link to the Koha Community website has been added to
the bottom of the 'About Koha' page, in the same place the 'Koha
xx.xx.xx' version URL appears on the mainpage.
To test:
a) Log in to Koha's staff client
b) Notice the 'About Koha' module button, and that the 'Koha xx.xx.xx'
version URL goes to the Koha Community website.
c) Notice that on the 'About Koha' page, there is no link to the Koha
Community website.
d) --> Apply patch <--
e) Notice that the About Koha module button is now missing
f) Notice that the 'Koha xx.xx.xx' version URL now goes to 'About
Koha'
g) Notice that on the 'About Koha' page, there is now a link for the
Koha Community website at the bottom of the page.
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 4743e4639ae0296205077bd57c3687be9a0df770) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit a5710c49dbcf7127ed19bb497ab0cf9e48d90b54) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 56621b992669b0b04e4134dd034cb5a4ac427e5c) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Nick Clemens [Mon, 22 Jul 2024 19:02:22 +0000 (19:02 +0000)]
Bug 28762: (QA follow-up) Restore protection against unknown itemtypes
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 5ff47fc40c2e6be3e10eb5aef0a7dfcd8ac03b16) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Mon, 22 Jul 2024 15:32:34 +0000 (16:32 +0100)]
Bug 28762: Rename not_for_loan as effective_not_for_loan_status
This patch updates the method name to follow current conventions.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit fdefef14445bc8d680496ae9f52f221983db2ec5) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Mon, 22 Jul 2024 15:14:08 +0000 (16:14 +0100)]
Bug 28762: Replace is_notforloan with not_for_loan
This patch replaces the use of is_notforloan with not_for_loan and
removes the older is_notforloan method and tests
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 4e6d9d13bf879593303eed8188bcfc615111519c) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Mon, 22 Jul 2024 15:09:30 +0000 (16:09 +0100)]
Bug 28762: Confirm return of not_for_loan in boolean context matches is_notforloan
This patch is simply here to prove that is_notforloan is just
not_for_loan but in a boolean context.. we'll remove it in the next
patch.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 0d5c224cc30a74a0b258bd3e929b82bbd3e2e088) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Mon, 22 Jul 2024 12:29:06 +0000 (13:29 +0100)]
Bug 28762: (follow-up) Remove warning in tests
Looks like a recent bug introduced a superfluous warning, we just clean
that up here whilst we're in the code.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit e45a595996c69a980c47ea68102188ffea76c93f) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Mon, 29 Jan 2024 10:46:07 +0000 (10:46 +0000)]
Bug 28762: Unit tests for not_for_loan accessor
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 99b800620e17f2cbeec2aa472d03e8106d3243af) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Mon, 29 Jan 2024 09:41:08 +0000 (09:41 +0000)]
Bug 28762: Add test for new 'instructors' accessor
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit fdd6a019320788c47f38bef716ec752befe3d492) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Fri, 24 Sep 2021 09:25:53 +0000 (10:25 +0100)]
Bug 28762: Move notforloan fallback into object
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 294447d07e1a880e58dc28a458a1229dddf20767) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Fri, 24 Sep 2021 07:39:52 +0000 (08:39 +0100)]
Bug 28762: Update item-status include
This patch updates the item-status include so that it expects just an
item object making it simpler and more widely re-usable.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 8ff4d3740e92194fb5e3df0739af89d8ac2d4842) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Thu, 23 Sep 2021 18:06:43 +0000 (19:06 +0100)]
Bug 28762: Use Koha::Course in course-details controller
This patch updates Koha::Course to include the 'instructors' relation
accessor and then update the course-details controller to use the
Koha::Course object and pass it to the template instead of building a
hash using GetCourse.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 7f38c77d091cd4192b039041bcc3a00a05e10583) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Lucas Gass [Wed, 8 Sep 2021 17:01:03 +0000 (17:01 +0000)]
Bug 28762: (follow-up) fix template logic with Available
Signed-off-by: Hayley Pelham <hayleypelham@catalyst.net.nz> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 316c14c1bf75cec6f3fcae61fa29a69223a292c6) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Lucas Gass [Tue, 27 Jul 2021 21:45:12 +0000 (21:45 +0000)]
Bug 28762: handle notforloan better
Signed-off-by: Hayley Pelham <hayleypelham@catalyst.net.nz> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit e3e306efdb622f4c4857aa645c72c89320dac63d) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Lucas Gass [Tue, 27 Jul 2021 21:17:48 +0000 (21:17 +0000)]
Bug 28762: add staff item-status.inc and better handle statuses on course-details.tt
This patch adds an item-status.inc to the staff side much like what is already in place on the OPAC.
To test:
1. create a course in course reserves, add an item to it.
2. confirm your item shows Available for its status on course-details.pl
3. edit your item to be withdrawn, lost, damaged, notforloan, and restricted use
4. reload course-details.pl, confirm it still shows available
5. apply patch
6. repeat step 3 with each of the statuses and make sure it correctly shows on course-details.pl
Signed-off-by: Hayley Pelham <hayleypelham@catalyst.net.nz> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 38427cc357de46d60114ca308329c89f3220a9dd) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Thu, 25 Jul 2024 09:54:36 +0000 (10:54 +0100)]
Bug 37374: (follow-up) Add csrf token and op to form
This patch adds a hidden op input and csrf token to the clubs hold
request form.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 83966f4273093dc2d31f13a81ed563c2d5b16dd6) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Sam Lau [Mon, 22 Jul 2024 15:48:01 +0000 (15:48 +0000)]
Bug 37374: Fix functionality of 'Place hold' button for club holds
To test:
1) create a club
2) put 1 patron in your club
3) find a bib
4) Click Holds, then Clubs
5) search for your club, confirm hold detail
6) click Place Hold
7) nothing happens
8) Apply patch
9) Refresh page and click 'Place hold' again
10) Hold is properly placed
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 0f7d3fab6cef893b3fa7c0bdb8e71c8f5b960b55) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
This patch changes the data-order attribute for the item callnumber column
to use the item's cn_sort instead of the callnumber value.
Test plan:
1. Create a bib
2. Add three items with source of classification LLC
call numbers:
JC43 .G6 1890
JC330 .F74 2000
JC480 .R63 2006
4. On additem.pl sort the items table by 'Full call number'
5. Confirm the items are now ordered correctly by cn_sort
6. Confirm the other columns still sort correctly
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 033e9abc302d14b8edf83051af5b8f07c4314a61) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Wed, 24 Jul 2024 06:49:18 +0000 (07:49 +0100)]
Bug 37302: (follow-up) Update yarn.lock
We were having some issues with package building because we missed the
update to the yarn.lock file here.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 5c8baafc6111d34c4804dbd5094d000215d14d88) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Wed, 10 Jul 2024 10:26:09 +0000 (11:26 +0100)]
Bug 37302: Add swagger-cli to devDependencies
This patch adds swagger-cli 4.0.4+ to the devDependencies section of
package.json. This should ensure it gets installed when appropriate.
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 86938e11fbdd3d9d3475d30a986aaef8912ea9c8) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Wed, 10 Jul 2024 10:12:56 +0000 (11:12 +0100)]
Bug 37302: Set test to failed if swagger-cli missing
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit be3924a70f1a610330c631175f01ac8f2cfd8f49) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Kyle M Hall [Thu, 18 Jul 2024 11:27:47 +0000 (07:27 -0400)]
Bug 37400 - In returns.pl don't search for a patron unless needed
In returns.pl we find a patron, then use it in an if statement.
Test Plan:
Cancel a hold with other holds remaining on the record.
No change should be noted.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 82535a488764be5437c47d38953eb0aea81ce4ee) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Owen Leonard [Thu, 16 May 2024 13:57:11 +0000 (13:57 +0000)]
Bug 36885: Fix Bootstrap tooltip on budget planning page
This patch finishes the process of adding a Bootstrap tooltip to the
listing of funds which are locked.
To test, apply the patch and go to Administration -> Budgets.
- Edit a budget and make it locked: Check the "Lock budget" checkbox and
save.
- View the budget you locked.
- From the toolbar, click Planning -> Plan by months.
- In the table of funds, hover your mouse over a fund.
- You should see a Bootstrap-styled tooltip, "Fund locked."
Signed-off-by: David Nind <david@davidnind.com>
Bug 36885: (follow-up) Correct popup hint
Bug 36885: (follow-up) Remove tooltip from unlocked budgets (copy-paste error)
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit deb9bf78b8197eeb90e2c9c9088104a0b91d498b) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Jan Kissig [Mon, 15 Jul 2024 11:01:39 +0000 (13:01 +0200)]
Bug 37324: Self registration complete login form won't login user
This patch fixes the self registration complete login form which appears after a complete self registration process.
To test:
a) open http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=PatronSelfRegistrationDefaultCategory
b) set PatronSelfRegistration to allow
c) set PatronSelfRegistrationDefaultCategory to Self registration
d) logout or open a private tab
e) http://localhost:8080/cgi-bin/koha/opac-memberentry.pl and enter required fields
f) Registration complete! appears with a prefilled login form. Click Log in.
g) Check you are not logged in
apply patch and redo steps e-f and check that login worked.
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 0988be4a599209d4b8a72659c39198b060d28e6f) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Kyle M Hall [Fri, 19 Jul 2024 13:54:44 +0000 (09:54 -0400)]
Bug 29509: (QA follow-up) Tidy atomic update
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 0505531cde2e0513a2c8fbc3c91d18f9ae3a3a89) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Tue, 7 May 2024 13:18:04 +0000 (14:18 +0100)]
Bug 29509: (QA follow-up) Check top level permissions too
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 56c7c3782b2ceacbbd2777ec0f3fa9955e877d2c) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Mon, 22 Jan 2024 16:49:56 +0000 (16:49 +0000)]
Bug 29509: Update swagger specification and add permissions to users
This patch removes the 'edit_borrowers', 'manage_bookings',
'lable_creator', 'routing' and 'order_manage' permissions from the list
of options in the patrons list endpoint.
We then assign the new 'list_borrowers' permission to any users who have
those removed permissions
Test plan
1) Apply patch and run the database update
2) Users with any of the permissions listed above should now also have
the 'list_borrowers' permission too.
3) Check that patron searching continues to work from the various
locations in the UI for the above affected users
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Incorporated second patch and removed 1<<4. 16 reads much better :)
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 85ea79c45b6f95baee9ec955c6c09046808771b5) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
If syspref "noItemTypeImages" is disabled, holdings table won't display
itemtype column. This patch fixes this.
To reproduce:
1. Enable syspref "noItemTypeImages".
2. Find biblio with items.
=> Note that itemtype column is displayed on holdings table.
3. Disable syspref "noItemTypeImages".
=> Itemtype column is no longer displayed on holdings table.
4. Apply this patch.
=> Now column should be displayed correctly.
Sponsored-by: Koha-Suomi Oy Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 313f7e86b8b9bb063d07be292dd352c2f889fa99) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Andreas Roussos [Mon, 1 Jul 2024 14:27:42 +0000 (14:27 +0000)]
Bug 37226: append a random number to the `id` attribute of each <li>
When you view the authority details page for a term that contains more
than one term with a broader relationship, clicking on the expand/collapse
arrows next to the top-level terms in the hierarchy tree will not work
properly, i.e. *only one* broader term will show the narrower term under
it at any given time.
This is affecting both the OPAC and the Staff interface.
This is happening because in the HTML source of the page the individual
<li> elements associated with each node do not have unique `id` values,
which confuses the JavaScript library (jsTree) responsible for rendering
the hierarchy tree.
This patch fixes that by appending a random number to each `id` attribute.
Test plan:
0) Enable the AuthDisplayHierarchy System Preference (set to 'Show').
1) Copy the provided MARC21 Authority sample data (sample-data.mrc)
to your KTD Koha container (it must have MARC21 marc flavour):
2) Import the provided authorities (the sample file contains three
Geographic Name records):
WARNING! the --delete switch is passed to bulkmarcimport.pl
WARNING! this will erase any authority data you have in your instance!
(this is done to retain the broader/narrower authid associations)
In the authority hierarchy tree, click the arrows next to 'Europe'
and 'Greece' to expand and show the narrower term: notice how only
one item works at any given time.
4) Apply the patch.
5) Repeat step 3) (refresh the pages) -- this time you should be able
to view 'Athens' as a narrower term of both 'Europe' and 'Greece'
at the same time.
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 24e54b1fd4b241a0d5723ff7ec97b2fe9645d577) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Eric Garcia [Tue, 16 Jul 2024 17:00:43 +0000 (17:00 +0000)]
Bug 37343: Fixed search for vendors when transferring an item in acquisitions
To test:
1. Have several vendors in acquisitions
2. Add a basket and click "+Add to basket"
3. I used an mrc file to add an order from a new file
4. Stage for import -> add staged files to basket
5. Select the items and choose an item type
6. In the Orders table click 'Transfer' under the 'Modify' column
7. Try searching for vendors, nothing happens.
8. Apply patch restart_all
9. Click 'Transfer' again and try searching for vendors.
10. Notice vendors appear
NOTE:
Vendor search is a GET operation not POST. Use 'do_search' instead of 'cud-do_search'.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 54575f3c30f6eab9adf2078ffcb92cee05a987dc) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Matt Blenkinsop [Fri, 28 Jun 2024 13:53:10 +0000 (13:53 +0000)]
Bug 29087: (QA follow-up): Fix QA tests
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Conform BZ comment31 Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 7f5e1fac86bf7eaa3f217a8e41cc4522e7fe9c3c) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Matt Blenkinsop [Tue, 16 Apr 2024 12:47:16 +0000 (12:47 +0000)]
Bug 29087: Add unit tests
prove t/db_dependent/Koha/Items.t
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 44d3762a6921a323443ca56996fc55d5e96cc9b8) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Jonathan Druart [Fri, 19 Nov 2021 12:27:44 +0000 (13:27 +0100)]
Bug 29087: Prevent filter_by_for_hold to crash if default holdallowed is not_allowed
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 8c804c17493ecc9cb993c5434644c1b2a860bae3) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Pedro Amorim [Fri, 5 Jul 2024 13:28:24 +0000 (13:28 +0000)]
Bug 37260: Check message broker for both 'about' and 'sysinfo' tabs
Test plan:
1) Apply test patch only
2) Visit <staff_url>/cgi-bin/koha/about.pl
3) Notice it shows 'Using RabbitMQ' (it should show 'Using SQL polling')
4) Apply this patch, repeat 3)
5) Notice it now shows 'Using SQL polling'
6) Remove test patch. Notice it shows 'Using RabbitMQ' again.
7) Repeat test plan but for /cgi-bin/koha/about.pl?tab=sysinfo tab
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 6a321c6ee44413e1e3601d1d9fcd727788e2bb3f) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Lucas Gass [Tue, 18 Jun 2024 19:34:52 +0000 (19:34 +0000)]
Bug 37111: Fix renew link on opac-user.tt
To test:
1. Check some items out to a patron
2. Set the username and password for the patron so that you can log in as that patron.
3. Log in to the OPAC as that patron.
4. Go to Your account > Summary (the default landing page after you log in).
5. Click "Renew" for one of the items.
6. You get the error as above.
7. APPLY PATCH
8. Try steps 1 -5 again, you should not get an error.
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Alexander Wagner <alexander.wagner@desy.de> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 58838fc263ecc9a843c94520e373030c77fc4eed) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Lucas Gass [Tue, 18 Jun 2024 19:34:24 +0000 (19:34 +0000)]
Bug 37111: Add submit-form asset to OPAC assets
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Alexander Wagner <alexander.wagner@desy.de> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 6c56d3d90b92a4ca6f7120a187adb35d3e6fd914) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Lucas Gass [Wed, 17 Jul 2024 15:10:24 +0000 (15:10 +0000)]
Bug 37371: Move Maskito instantiation to onReady ( OPAC )
To test:
1. Find any date picker in Koha, like DOB in the patron record.
2. Add a date, either manually or using the date picker.
3. Once there is a date like 07/15/2024 try to edit only part of the
date, or the '15'.
4. The date easily becomes malformed.
5. APPLY PATCHSET, maybe clear your browser cache too
6. Try directly inputting dates. I would suggest the following places:
-Patron record DOB
-Specify due date on circ/circulation.pl as this includes time
-Add item screen, this is the dateaccessioned plugin
-OPAC self reg/self modify
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit bae3203f700cdac634b5bd3c65e02902c8ae50bf) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Lucas Gass [Wed, 17 Jul 2024 14:58:14 +0000 (14:58 +0000)]
Bug 37371: Move Maskito init to onReady in dateaccessioned.pl
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit f723c33d480dbd1883fa32dc85e6cc0bd8a5c0a0) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Lucas Gass [Wed, 17 Jul 2024 14:50:42 +0000 (14:50 +0000)]
Bug 37371: Set overwrite mode to replace
In our case I think overwriteMode needs to be set to replace:
https://maskito.dev/core-concepts/overwrite-mode
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 0f04c9a26afe02824e1c3b213a4c0f8ad212278c) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Wed, 17 Jul 2024 14:08:58 +0000 (15:08 +0100)]
Bug 37371: Move Maskito instantiation to onReady
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 7e1de5b5574bf09cdc9c4f83f6f0acd916c6d6cf) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Emily Lamancusa [Fri, 28 Jun 2024 21:02:50 +0000 (17:02 -0400)]
Bug 37216: (follow-up) Clear invalid value
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 37683ffd695f6cc0c356325e8b9f2c2a516e1477) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Fri, 28 Jun 2024 15:03:03 +0000 (16:03 +0100)]
Bug 37216: (QA follow-up) Add update to set existing options
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit fbcdce5e0a00da4eb8884a7786ead92db966ad16) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Emily Lamancusa [Thu, 27 Jun 2024 20:27:37 +0000 (16:27 -0400)]
Bug 37216: Fix SQL for EmailFieldSelection
Test plan:
Part A: New installation
1. Start a fresh test instance
2. Set EmailFieldPrimary to "selected addresses", and do not touch
EmailFieldSelection
3. Edit a patron to ensure the following fields are set:
- Primary email
- Secondary email
- Alternate email
- Enable email notices for item checkout
4. Attempt to check an item out to that patron
--> Koha explodes!
5. Apply patch
6. reset_all
7. Repeat steps 2-4
--> Checkout succeeds!
8. Ensure test plan for bug 12802 still passes
Part B: Upgraded installation
1. Start a fresh test instance at version 23.11
2. Switch to main
3. Install database update
4. Set EmailFieldPrimary to "selected addresses", and do not touch
EmailFieldSelection
5. Edit a patron to ensure the following fields are set:
- Primary email
- Secondary email
- Alternate email
- Enable email notices for item checkout
6. Attempt to check an item out to that patron
--> Koha explodes!
7. Go back to 23.11 and reset_all
8. Switch to main and apply patch
9. Repeat steps 4-6
--> Checkout succeeds!
10. Ensure test plan for bug 12802 still passes
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 89a0c62da407e5981f7bc30b12691f0a1546905d) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Nick Clemens [Mon, 12 Aug 2024 12:10:12 +0000 (12:10 +0000)]
Bug 37508: Don't return Internal server error when running report
To test:
1 - Create a report like:
SELECT "a"
FROM borrowers
WHERE <<Test>> != ''
2 - Run report
3 - Enter "password"
4 - Internal server error / stacktrace
5 - Apply patch
6 - Repeat
7 - Get a yellow warning box
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
David Cook [Wed, 7 Aug 2024 01:15:10 +0000 (01:15 +0000)]
Bug 37508: Test for errors when returning an aliased password column
Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Bug 37508: Throw error if password column is detected in SQL report
This enhancement prevents SQL queries from being run if they would return a password field from the database table.
To test:
1. Run tests and notice they fail t/db_dependent/Reports/Guided.t
2. Apply patch and restart services
3. Create a public report with an SQL report which would access a password column in a database table
4. Try to run the report. Notice you are met with an error and the results are not shown.
5. Access the JSON URL, you should not get the results and should be shown an error
6. Confirm tests pass t/db_dependent/Reports/Guided.t
Sponsored-by: Reserve Bank of New Zealand Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Bug 37370: Return 400 if OpacExportOptions does not contain the passed format
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit a164c51d78f375d9d660e2c079cc7e05d2d1d326) Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
David Cook [Thu, 25 Jul 2024 06:44:37 +0000 (06:44 +0000)]
Bug 37466: Add correct filter for sort_by in results.tt
This patch replaces the $raw filter with the correct uri filter
for the sort_by in results.tt
Test plan:
1. Apply patch
2. Go to /cgi-bin/koha/catalogue/search.pl?count=20&sort_by=popularity_dsc&idx=kw&q=1
3. Click on "Edit this search"
4. Note that the "Popularity (most to least)" Sort by option is selected
5. Go to /cgi-bin/koha/catalogue/search.pl?count=20&sort_by=popularity_dsc&idx=kw&q=24y24ty2498294t9824yt9y23
6. Click on "Edit this search"
7. Note that the "Popularity (most to least)" Sort by option is selected
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 5148e05d408b43c0eb330683ffa4c26c90faa696) Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
David Cook [Thu, 25 Jul 2024 06:56:18 +0000 (06:56 +0000)]
Bug 37464: Validate "type" sent to barcode/svc
This change validates the "type" sent to the barcode/svc. Without this
change, we pass the user input directly to GD::Barcode, which passes
the input into an eval{} block without any validation of its own.
Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=bad&barcode=123456
3. Note that a Code39 barcode is provided for an invalid type
4. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=Code39&barcode=123456
5. Note that a Code39 barcode is provided
6. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=UPCE&barcode=123456
7. Note that a non-Code39 barcode is provided (presumably UPCE)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 73b0c3cf621250008845f22f7a36f90a48e00b06) Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
David Cook [Fri, 26 Jul 2024 04:01:43 +0000 (04:01 +0000)]
Bug 37488: Validate paths in datalink.txt/idlink.txt files
This change validates the paths in datalink.txt/idlink.txt,
so that only images in the unpacked archive directory are allowed
Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Create a datalink.txt file with the following:
42,selfie.jpg
3. Create a jpeg at selfie.jpg
4. ZIP the datalink.txt and selfie.jpg files
5. Upload to the "Upload patron images" tool
(after enabling the "patronimages" system preference)
6. Note that the image uploads correctly
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 8fcb767fe2836c90ceacb5b5d8211524571eb8aa) Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
David Cook [Fri, 26 Jul 2024 03:27:22 +0000 (03:27 +0000)]
Bug 37323: Tidy
Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 579c28c764257a250c12aa11207772c074c1335e) Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Chris Cormack [Thu, 18 Jul 2024 23:57:32 +0000 (23:57 +0000)]
Bug 37323: Don't allow symlinks in link files in zip and validate filepaths
Test plan:
0. Apply patch and restart/reload Koha
1. Test that uploading a patron image still works, in single file format and as a zip
Work as suggested
Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com> Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 9bc0521493fbe2f9fe0dde051d0b2f52c8a14a9a) Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
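Added example, not part of the Koha commits above: a minimal Perl sketch of the kind of check Bug 37488 and Bug 37323 describe, accepting a datalink.txt entry only when it names a regular, non-symlink file inside the unpacked archive directory. The function names, the directory layout and the sample datalink.txt content are constructed for illustration and are not taken from the Koha patches.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Return the resolved path when $name is a regular file inside $base_dir,
# or nothing when the entry must be rejected. Hypothetical helper.
sub safe_member_path {
    my ( $base_dir, $name ) = @_;
    return unless defined $name && length $name;
    return if $name =~ /\0/;
    return if File::Spec->file_name_is_absolute($name);

    my $base = realpath($base_dir);
    return unless defined $base;
    my $candidate = File::Spec->catfile( $base, $name );

    return if -l $candidate;        # symlinks are never accepted
    return unless -f $candidate;    # must be an existing regular file

    # realpath() collapses ".." and symlinked parent directories, so the
    # prefix test is made on the location that would really be read.
    # The trailing "/" stops "/x/unpack-other" from matching "/x/unpack".
    my $resolved = realpath($candidate);
    return unless defined $resolved;
    return unless index( $resolved, "$base/" ) == 0;
    return $resolved;
}

# Parse "cardnumber,filename" lines and split them into accepted and rejected.
sub check_link_file {
    my ( $base_dir, $text ) = @_;
    my ( @accepted, @rejected );
    for my $line ( split /\r?\n/, $text ) {
        next unless $line =~ /\S/;
        my ( $cardnumber, $filename ) = split /,/, $line, 2;
        my $path = safe_member_path( $base_dir, $filename );
        if ( defined $path ) { push @accepted, [ $cardnumber, $path ] }
        else                 { push @rejected, $line }
    }
    return ( \@accepted, \@rejected );
}

sub write_file {
    my ( $path, $content ) = @_;
    open my $fh, '>', $path or die "open $path: $!";
    print {$fh} $content;
    close $fh or die "close $path: $!";
}

# Constructed layout: one legitimate image, one file outside the unpack
# directory, and a symlink inside it that points outside.
my $root   = tempdir( CLEANUP => 1 );
my $unpack = File::Spec->catdir( $root, 'unpack' );
mkdir $unpack or die "mkdir $unpack: $!";
write_file( File::Spec->catfile( $unpack, 'selfie.jpg' ),  'constructed image bytes' );
write_file( File::Spec->catfile( $root,   'outside.jpg' ), 'not part of the archive' );
symlink( File::Spec->catfile( $root, 'outside.jpg' ), File::Spec->catfile( $unpack, 'link.jpg' ) )
    or die "symlink: $!";

# Constructed datalink.txt content; only the first line should be accepted.
my $datalink = "42,selfie.jpg\n43,../outside.jpg\n44,link.jpg\n45,/etc/hostname\n";

my ( $ok, $bad ) = check_link_file( $unpack, $datalink );
print "accepted: $_->[0] -> $_->[1]\n" for @{$ok};
print "rejected: $_\n" for @{$bad};
```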
Amit Gupta [Thu, 11 Jul 2024 17:43:06 +0000 (23:13 +0530)]
Bug 37323: Escape characters in patron image picture upload
To Test
1. Create a file name for example: test.zip`curl xxxxtesting.informaticsglobal.com`.zip
where the domain is one you can watch the logs from.
2. Go to Tools and click on Upload patron images, choose the zip file option and upload the file.
3. Check /var/log/apache2/access.log and see the curl with the IP
"xx.xxx.xx.xxx - - [11/Jul/2024:23:10:33 +0530] "GET / HTTP/1.1" 200 267 "-" "curl/7.68.0"
4. Apply the patch
5. Repeat steps 2 and 3 and check that the remote execution error no longer occurs.
6. Test uploading actual zip file and images still works.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 5c931e00f73e91467581fd29721e5af8d7fa98ab) Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Bug 37255: Fix handling of "All" values on waiting hold cancellation policy
If one creates a default waiting hold cancellation policy with
patron categories set as "All" and itemtype set as "All", Koha
breaks on 500 error. This happens because we try to match
template policy with "All" values either in category or itemtype
with *, not undef. This patch fixes this.
To test:
1. Create a new default waiting hold cancellation policy and
set both patron category and itemtype as "All".
2. Save policy.
=> Error page for error 500 is displayed.
3. Apply this patch.
4. Reload page.
=> Page is displayed and policy listing displays new policy
as it should.
Sponsored-by: Koha-Suomi Oy Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Andreas Jonsson [Wed, 31 Jul 2024 09:06:02 +0000 (09:06 +0000)]
Bug 37533: Fix query in orderreceive.tt
The new validation in the REST API will no longer allow
the operator "in". Consequently, it has to be replaced
with the allowed "-in".
Test plan:
* Open an invoice and click "Go to receipt page" and
on any basket click "receive" and make sure the dialog
box appears.
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com> Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Hammat Wele [Thu, 27 Jun 2024 14:09:04 +0000 (14:09 +0000)]
Bug 37210: Escape single quote in search string in overdue.pl
To Test:
1. Go to /cgi-bin/koha/circ/overdue.pl
2. In the «Name or card number» field, type «Tommy'and(select(0)from(select(sleep(10)))v)and'»
3. Apply the filter
==> It takes 10 seconds, sleep(10) is executed
4. Inspect the page; in the «Patron category:» field, put «Tommy'and(select(0)from(select(sleep(10)))v)and'» in the value of one of its options
5. Select the option from the filter and apply the filter
==> It takes 10 seconds, sleep(10) is executed
We can inject SQL into the following fields: borname, itemtype, borcat, holdingbranch, homebranch and branch
6. Apply the patch
7. Repeat step 1,2,3
==> it doesn't take 10 seconds, the injected sql is not executed
8. Repeat step 5
==> it doesn't take 10 seconds, the injected sql is not executed
9. Repeat step 5 with the following fields: itemtype, holdingbranch, homebranch and branch
==> it doesn't take 10 seconds, the injected sql is not executed
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
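Added example, not part of the Koha commit above: a Perl sketch that builds the overdue filter with bind placeholders, so the test string from the plan above stays data and never becomes SQL text. This uses placeholders rather than the quote escaping named in the commit title; the filter names come from the commit message, while the column names and the function name are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Filter name => column. The filter names are the ones listed in the commit
# message; the column names are assumptions made for this example.
my %FILTER_COLUMN = (
    borcat        => 'borrowers.categorycode',
    itemtype      => 'items.itype',
    holdingbranch => 'items.holdingbranch',
    homebranch    => 'items.homebranch',
    branch        => 'issues.branchcode',
);

# Build the filter part of the query. User input is never concatenated into
# the SQL: every value is returned in @bind and the SQL holds only "?" markers.
# Unknown parameter names are ignored because only %FILTER_COLUMN is consulted.
sub build_overdue_filter {
    my ($params) = @_;
    my ( @where, @bind );

    if ( defined $params->{borname} && length $params->{borname} ) {
        push @where, q{(borrowers.surname LIKE ? OR borrowers.cardnumber LIKE ?)};
        push @bind, "%$params->{borname}%", "%$params->{borname}%";
    }
    for my $filter ( sort keys %FILTER_COLUMN ) {
        my $value = $params->{$filter};
        next unless defined $value && length $value;
        push @where, "$FILTER_COLUMN{$filter} = ?";
        push @bind, $value;
    }
    my $sql = @where ? join( ' AND ', @where ) : '1 = 1';
    return ( $sql, @bind );
}

# Constructed request parameters reusing the test string from the plan above.
my $test_string = q{Tommy'and(select(0)from(select(sleep(10)))v)and'};
my %params      = ( borname => $test_string, borcat => $test_string, unknown => 'x' );

my ( $sql, @bind ) = build_overdue_filter( \%params );

# The generated SQL must not contain any part of the input.
die "input leaked into SQL\n" if $sql =~ /'|sleep/i;

print "SQL : $sql\n";
print "BIND: $_\n" for @bind;

# With DBI the pair is then used as:
#   my $sth = $dbh->prepare("SELECT ... WHERE $sql");
#   $sth->execute(@bind);
```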
The /libraries/{library_id}/cash_registers endpoint was missing the
library_id parameter definition from the swagger specification.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 466d38f18d43e968f3b69562c1ee018177953681) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
The /libraries/{library_id}/desks endpoint was missing the
library_id parameter definition from the swagger specification.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 6aadc4a42308815803ac77c124ac4e778141e349) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Bug 37018: Add 400 response definition to all routes
This patch adds a test for well defined 400 responses on all verbs and
paths on the API spec.
The tests verify:
* Presence of 400 response definition
* The description must start with 'Bad request' (needs coding guideline)
* If DBIC queries are allowed on the route, then `invalid_query` needs
to be mentioned in the description.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Wed, 10 Jul 2024 08:39:33 +0000 (09:39 +0100)]
Bug 37018: Clarify operators
This patch clarifies the list of operators both in the validate routine
and in the swagger description block where we document this feature for
the end user.
JD amended patch: tidy
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Bug 37018: Handle exception in unhandled_exception() helper
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Bug 37018: (follow-up) adding some allowed operators
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Wed, 5 Jun 2024 13:20:22 +0000 (14:20 +0100)]
Bug 37018: Use validation in search_rs helper
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Wed, 5 Jun 2024 13:19:54 +0000 (14:19 +0100)]
Bug 37018: Add validation method to Koha::REST::Plugin::Query.pm
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Martin Renvoize [Wed, 5 Jun 2024 13:19:06 +0000 (14:19 +0100)]
Bug 37018: Unit tests
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
This patch adds regression tests. With the current codebase, the
malicious query returns a 200. It should be caught and a 400 needs to be
returned.
To test:
1. Apply this patch
2. Run:
$ ktd --shell
k$ prove t/db_dependent/api/v1/query.t
=> FAIL: It returns a 200
3. Once the rest of the patches are ready, repeat 2
=> SUCCESS: It returns a 400
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
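Added example, not part of the Koha commits above: a Perl sketch of operator allowlisting for a JSON query, in the spirit of the Bug 37018 series (reject a query that uses an operator outside the list and answer 400 instead of 200). The allowlist, the function names and the sample queries are constructed for illustration; the page itself only states that "-in" is allowed and "in" is not.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use JSON::PP qw(decode_json);

# Assumed allowlist, for illustration only; this is not Koha's actual list.
my %ALLOWED_OPERATOR = map { $_ => 1 }
    qw( -and -or -in -not_in -like -not_like like = != < > <= >= );

# Walk the decoded query. $in_column is true once we are below a column name,
# where every hash key is an operator. Above that level only keys starting
# with "-" are operators; all other keys are treated as column names.
sub validate_query {
    my ( $node, $in_column ) = @_;

    if ( ref $node eq 'ARRAY' ) {
        validate_query( $_, $in_column ) for @{$node};
    }
    elsif ( ref $node eq 'HASH' ) {
        for my $key ( sort keys %{$node} ) {
            my $is_operator = $in_column || $key =~ /\A-/;
            if ( $is_operator && !$ALLOWED_OPERATOR{$key} ) {
                die "invalid_query: operator '$key' is not allowed\n";
            }

            # -and/-or keep the current context; any other key leads into
            # (or stays inside) the value of a column.
            my $logical = $key eq '-and' || $key eq '-or';
            validate_query( $node->{$key}, $logical ? $in_column : 1 );
        }
    }
    return 1;    # plain scalars and JSON booleans are values: nothing to check
}

# Map a raw JSON query string to an HTTP status and a reason.
sub status_for {
    my ($json) = @_;
    my $ok = eval { validate_query( decode_json($json), 0 ) };
    return ( 200, 'OK' ) if $ok;
    ( my $reason = $@ ) =~ s/\s+\z//;
    return ( 400, $reason );
}

# Constructed sample queries (field names are placeholders).
my @constructed_queries = (
    '{"basket_id":{"-in":[1,2,3]}}',                                         # 200
    '{"basket_id":{"in":[1,2,3]}}',                                          # 400
    '{"-or":[{"surname":{"like":"Smi%"}},{"cardnumber":"42"}]}',             # 200
    '{"-and":[{"surname":"Smith"},{"category_id":{"-no_such_op":"x"}}]}',    # 400
    '{"surname":',                                                           # 400, malformed JSON
);

for my $query (@constructed_queries) {
    my ( $status, $reason ) = status_for($query);
    printf "%d  %s\n     %s\n", $status, $query, $reason;
}
```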
Jonathan Druart [Fri, 5 Jul 2024 12:47:42 +0000 (14:47 +0200)]
Bug 37247: Fix display of "closed"
The subscription was not shown as closed after we closed it.
This is because "closed" is not passed to the template.
It seems more reliable to rely on the subscription object (that is passed to both
serials/serials-collection.tt and serials/subscription-detail.tt, the
others are not showing the Reopen/Close buttons)
Also fetch the subscription object after and reopen/close it to display
accurate values.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Bug 37247: Fix subscriptions operation allowed without authentication
Move close and reopen after get_template_and_user().
Also move Koha::Subscriptions->find(), not a good idea to run DB queries
before authentication.
Test plan :
1) Apply patch
2) Authenticate to staff interface
3) Go to an existing open subscription
4) Open a new browser tab and use it to log-out
5) Go to first tab and click on 'Close'
6) You get login page
7) Authenticate
8) Check subscription is not closed
9) Check you can close and reopen subscription
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
David Cook [Fri, 21 Jun 2024 01:45:51 +0000 (01:45 +0000)]
Bug 37146: Prevent path traversal by validating input
This patch validates the plugin_name passed to plugin_launcher.pl
against the base path containing the "value_builder" directory.
Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber=29
3. Check that the tag editor for leader still works
4. Go to http://localhost:8081/cgi-bin/koha/cataloguing/additem.pl?biblionumber=29
5. Check that the plugin for "Date acquired" still works
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Jonathan Druart [Wed, 15 May 2024 12:47:30 +0000 (14:47 +0200)]
Bug 36863: Deal with non-listed methods in CSRF plack middleware
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Owen Leonard [Wed, 12 Jun 2024 17:49:25 +0000 (17:49 +0000)]
Bug 37074: Comment approval and un-approval should be CSRF-protected
This patch converts the "Approve" and "Unapprove" controls in the staff
client's comment moderation page so that the operations are POST instead
of GET.
To test, apply the patch and restart services.
- If necessary, enable OPACComments and submit a few comments on a few
titles in the OPAC
- Go to Tools -> Comments
- Test the process of approving, unapproving, and deleting comments
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Kyle M Hall [Thu, 18 Jul 2024 12:54:30 +0000 (12:54 +0000)]
Bug 37385: Fix Transfer not triggering automatically when cancelling a hold by checking in an item
Updates for CSRF are inadvertently stopping AddReturn from being triggered
when a hold is canceled. This is necessary to generate the transfer
back to the originating library.
Test Plan:
1) Find item with a waiting hold, and check it in
2) In the popup notifying me of the waiting hold, select 'Cancel hold'
3) Note no second popup appears notifying you of the need to transfer the item to its home library
4) Apply this patch
5) Restart all the things!
6) Repeat steps 1-2
7) Second popup appears!
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 554efbe35483dbc3dd7615f7feeaa6edf14619e6) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Chris Cormack [Sat, 29 Jun 2024 22:52:42 +0000 (22:52 +0000)]
Bug 37183: Batch edit serial subscriptions sets expiration date to today
Test plan:
Add some serials:
1) Add a new serial, visit:
/cgi-bin/koha/serials/subscription-add.pl
2) Put a biblionumber in the 'record' field, e.g. '112'.
Press 'next' and click 'ok' on the alert box.
3) Fill all the required fields and click 'test prediction'.
4) Fill the Subscription end date (= Expiration Date).
5) Click 'save subscription'.
6) Repeat steps 1-5 to create a second serial.
Batch edit serials:
1) Visit serials and hit the 'Search' button:
/cgi-bin/koha/serials/serials-home.pl
2) Click the 2 checkboxes for the 2 serials we created
previously and click the new link that pops up
'Edit selected serials'.
3) Click 'Save' without changing anything.
4) Go back to either of the serials, notice the value
for Expiration date is changed to TODAY
(the date of the batch edit).
Apply the patch and retest the batch editing (before
retesting, change the expiration dates of the two
serials back to the original expiration date).
Note that the expiration date now only changes if you
enter a date in the 'Expiration date' field.
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 5a07a04fdb23aa13f85df64b1f2a4739397f5f28) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
This patch fixes the orders search in Acquisitions.
The form method is GET, so there is no need to prepend with cud-
Test plan:
1. Create an order that you can search for
2. Try order search, nothing happens
3. Apply patch, restart all, refresh browser
4. Try order search again and get results
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl> Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit f80cc53470ebba24b92c05e71ac74a7c3058234c) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
David Cook [Thu, 23 May 2024 00:47:08 +0000 (00:47 +0000)]
Bug 36741: Skip auto_too_soon issues in auto renew digest
This change adds a line to skip auto_too_soon issues/checkouts
in the auto renew digest template.
Since auto_too_soon do not trigger notifications and don't require
any special action, let's skip them in the breakdown of checkouts in
the AUTO_RENEWALS_DGST email.
Test plan:
0. Apply the patch
1. reset_all (in koha-testing-docker)
2. Note the following line in the AUTO_RENEWALS_DGST template:
[% NEXT IF (checkout.auto_renew_error == 'auto_too_soon') %]
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 05432982cf8a407872fd643206a14550c0d0a53a) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>