]> git.koha-community.org Git - koha.git/log
koha.git
9 years agoBug 14404: Rename class no-show to noshow for consistency with nosort
Jonathan Druart [Thu, 9 Jul 2015 09:31:07 +0000 (10:31 +0100)]
Bug 14404: Rename class no-show to noshow for consistency with nosort

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 0183cc0223678f6b3f0885213c7223ddb31acf5d)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
9 years agoBug 14404: Checkouts default sort order for Self Checkout (SCO) confusing for patrons
Kyle M Hall [Tue, 16 Jun 2015 23:05:10 +0000 (19:05 -0400)]
Bug 14404: Checkouts default sort order for Self Checkout (SCO) confusing for patrons

Libraries are reporting that patrons are very confused during
self-checkout. The problem is they are expecting the list of checkouts
to be in the order they checked out the items ( first checkout on the
bottom, last item checked out on top ). However, the checkouts
table is sorted by title ( ascending ) then due date ( descending ).
This is not intuitive.

Test Plan:
1) Enable Koha's self checkout
2) Use the SCO to check out a random assortment of items,
   make sure you don't check them out in alphabetical order
3) Note the order of the items in the list is not based on the order
   you checked them out in
4) Apply this patch
5) Refresh the page
6) Note the items are now in the order you checked them out
   with the last on top and the first on bottom

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit e9061028c1ba95b310be5e9333b224e735e64f40)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
9 years agoBug 14445: Silences warns in letter.tt
Aleisha [Wed, 1 Jul 2015 01:36:00 +0000 (01:36 +0000)]
Bug 14445: Silences warns in letter.tt

When creating a new notice, warn is triggered "Argument "" isn't numeric in numeric gt (>) at line 400". Same warn is triggered when changing Koha module option to any other module.

To test:
1) Go to Tools, then Notices & Slips
2) Click 'new notice'. Notice warn in intranet-error.log
3) Change Koha module to another module. Notice warn is triggered for every change
4) Apply patch and reload page
5) Change Koha module to another module. Notice there are no longer warns
6) Go back to Notices & Slips and click 'new notice' again. Notice there are no warns

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 7098a36b19c35a06a51361bd381416a1204de38d)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Conflicts:
koha-tmpl/intranet-tmpl/prog/en/modules/tools/letter.tt

9 years agoBug 14445: Silences warn in letter.pl
Aleisha [Wed, 24 Jun 2015 01:15:32 +0000 (01:15 +0000)]
Bug 14445: Silences warn in letter.pl

When changing Koha module to 'Circulation', there is a warn saying that $code is uninitialized. This patch sets $code to an empty string to silence the warn.

To test:
1) Go to Tools, the Notices & Slips
2) Click 'new notice' (This will trigger warns, but ignore these as they will be corrected in the next patch)
3) Change Koha module to 'Circulation'
4) Notice warn about uninitialized $code variable
5) Apply patch and reload page, change Koha module to 'Circulation'
6) Notice page still works and warns are gone

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit fe3a49e61133e1e66d0075f3300cd3a99e691890)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
9 years agoBug 14494: Terribly slow checkout caused by DateTime->new in far future
Marcel de Rooy [Mon, 6 Jul 2015 12:20:07 +0000 (14:20 +0200)]
Bug 14494: Terribly slow checkout caused by DateTime->new in far future

An expiry date like 9999-12-31 in the local timezone will make DateTime
spend a lot of time (maybe 60 seconds) on date calculation. See the
DateTime documention on CPAN.
A calculation in floating (or alternatively in UTC) would only take
a few milliseconds.

This patch makes two changes in this regard:

[1] The compare between expiry date and today in CanBookBeIssued has been
    adjusted in Jonathan's patch. I am moving the compare to the floating
    timezone (as was done in my original patch). This removes a hardcoded
    9999.
[2] If ReturnBeforeExpiry is enabled, CalcDateDue compares the normal due
    date with the expiry date. The comparison is now done in the floating
    timezone. If the expiry date is before the due date, it is
    returned in the user context's timezone.

NOTE: The calls to set_time_zone moving to or from floating do not adjust
the local time.

TEST PLAN:
First without this patch (and the one from Jonathan):
[1] Set expiry date to 9999-12-31 for a patron.
[2] Enable ReturnBeforeExpiry.
[3] Checkout a book to this patron. This will be (very) slow.

Continue now with this patch applied:
[4] Check in the same book.
[5] Check it out again. Should be much faster.

Bonus test:
[6] Set borrower expiry date to today. Change relevant circulation rule
    to loan period of 21 hours. Test checking out with a manual due date
    /time just before today 23:59 and after that. In the second case the
    due date/time should become today 23:59 (note that 23:59 is not
    shown on the checkout form).

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 17d04c46190880d3031adbc02553f82234d70fc1)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
9 years agoBug 14494: Prevent slow checkout if the patron does not have an expiry date
Jonathan Druart [Thu, 9 Jul 2015 08:52:28 +0000 (09:52 +0100)]
Bug 14494: Prevent slow checkout if the patron does not have an expiry date

If a patron has a expiry date set to 9999-12-31 (for organizations for
instance), the checkouts are very slow.

It's caused by 2 different calls to DateTime in CanBookBeIssued:
1/
  DateTime->new( year => 9999, month => 12, day => 31, time_zone => C4::Context->tz );
The time_zone should not be set (as it's done in Koha::DateUtils), set to UTC or floating tz.

2/
  DateTime->compare($today, $expiry_dt)
The comparaison of 2 DT with 1 related to 9999 is very slow, as you can
imagine.

For 1/ we need to call Koha::DateUtils::dt_from_string (actually, we
should never call DateTime directly).
For 2/ we just need to test if the date is != 9999, no need to compare
it in this case.

Test plan:
Before this patch, confirm that the checkouts are slow if the patron has a
dateexpiry set to 9999-12-31.
update borrowers set dateexpiry="9999-12-31" where borrowernumber=42;

After this patch, you should not see any regression when checking out
items to an expired patron and to a valid patron.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 8d58acc565c8500d4b9d55cacb3d6d21628a899b)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
9 years agoBumping version number for release v3.16.13
Mason James [Thu, 30 Jul 2015 02:32:47 +0000 (14:32 +1200)]
Bumping version number for release

9 years agoAdd release notes
Mason James [Thu, 30 Jul 2015 02:24:40 +0000 (14:24 +1200)]
Add release notes

Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoTranslation updates for Koha 3.16.13 release
Bernardo Gonzalez Kriegel [Wed, 29 Jul 2015 13:20:10 +0000 (10:20 -0300)]
Translation updates for Koha 3.16.13 release

9 years agoRevert "Bug 14602 - Fix failing t/Creators.t test"
Mason James [Thu, 30 Jul 2015 01:51:17 +0000 (13:51 +1200)]
Revert "Bug 14602 - Fix failing t/Creators.t test"

This reverts commit a6736a7e1660e09aab633e1493c45d39108c3a26.

9 years agoBug 14338 - Unable to delete patron images [3.16.x]
Kyle M Hall [Fri, 5 Jun 2015 12:06:29 +0000 (08:06 -0400)]
Bug 14338 - Unable to delete patron images [3.16.x]

The call to RmPatronImage is still passing cardnumber as its parameter
instead of borrowernumber.

Test Plan:
1) Upload a patron image
2) Ensure the card number is not the same as the borrower number
3) Attempt to delete patron image
   -- Image will remain
4) Apply this patch
5) Attempt to delete patron image
   -- Image will be removed
6) run koha qa test tools

NOTE: Deletion worked in 3.16.x, though the message for
      debugging differed (cardnumber vs. borrowernumber).
      This effectively removes cardnumber from the URL and
      messages for the delete operation.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 4925: Remove Smithsonian as a delivered z39.50 target [3.16.x]
Mark Tompsett [Sat, 25 Jul 2015 08:24:42 +0000 (04:24 -0400)]
Bug 4925: Remove Smithsonian as a delivered z39.50 target [3.16.x]

Removes the Smithsonian as a target installed with the
sample data during installation.

Also adds the newer LOC authority targets to files where
they were missing.

To test:
- Verify the Smithsonian has been removed from all
  translated installers
- Verify the files are still valid SQL and install
  correctly

NOTE: There was tiny scope creep which included ensuring
      there were two Authority z39.50 servers as well.
      Text files properly reflect the removal.
      SQL 'source' of SQL files worked properly.
      Was able to Z39.50 search for all of the 'en'.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14602 - Fix failing t/Creators.t test
Mason James [Sat, 25 Jul 2015 08:51:52 +0000 (20:51 +1200)]
Bug 14602 - Fix failing t/Creators.t test

to test..

1/ run t/Creators.t test from git repo, get a FAIL

2/ apply patch

3/ repeat step 1, get a PASS

mason@xen1:~/g/k/3.16.x$ sudo  koha-shell -c 'export PERL5LIB=/home/mason/g/k/3.16.x ; cd /home/mason/g/k/3.16.x ;  prove -v  t/Creators.t' k316x1
t/Creators.t ..
1..16
ok 1 - use C4::Creators;
ok 2 - use C4::Creators::PDF;
ok 3 - testing new() works
ok 4 - testing pdf file created
ok 5 - testing Add() works
ok 6 - testing Bookmark() works
ok 7 - testing Compress() works
ok 8 - testing Font() works
ok 9 - testing FontSize() is set to 12 by default
ok 10 - testing FontSize() can be set to a different value
ok 11 - testing Page() works
ok 12 - testing StrWidth() returns correct point width
ok 13 - testing Text() writes from a given x-value
ok 14 - testing Text() writes to the correct x-value
ok 15 - testing End() works
ok 16 - test file /tmp/4YjPQDExeS created OK
ok
All tests successful.
Files=1, Tests=16,  1 wallclock secs ( 0.03 usr  0.01 sys +  0.48 cusr  0.05 csys =  0.57 CPU)
Result: PASS

9 years agoBug 12647: PQF QueryParser driver and unit tests fixes
Tomas Cohen Arazi [Fri, 8 Aug 2014 17:48:59 +0000 (14:48 -0300)]
Bug 12647: PQF QueryParser driver and unit tests fixes

Due to Perl 5.18, QueryParser the default search class is no longer
'keyword' (see bug 12738), and needs to be set manually. This patch
adds a line that does that. The problem that gets fixed is with test
'super simple keyword query'.

The rest of the non-deterministically failing tests are due to the same
problem, keys returning differently sorted keys from hashes.

So this patch sorts keys in the step that concatenates attributes when building
the PQF queries (and tests get adjusted to match the now deterministic result).

I did that (sorting there) under Jared's recommendation. Hopefuly he will step
in and comment/fix any mistake I made. My main concern was a possible loss
in performance. That we agreed it is almost void, because of the tiny size
of the hash.

Sponsored-by: Universidad Nacional de Cordoba
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
All tests are passing now again :)
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 12411: Preferences values should be utf8 encoded
Jonathan Druart [Thu, 12 Jun 2014 15:04:03 +0000 (17:04 +0200)]
Bug 12411: Preferences values should be utf8 encoded

Test plan:
Fill OPACMySummaryNote or NoLoginInstructions with something like "éàç"
and verify the display is broken.

Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14521 - SQL injection in local use system preferences
David Cook [Mon, 13 Jul 2015 04:06:46 +0000 (14:06 +1000)]
Bug 14521 - SQL injection in local use system preferences

This patch fixes a SQL injection vulnerability in the local use
system preferences.

_TEST PLAN_

Before applying:

1) Go to Global System Preferences
2) Click on the "Local use" tab
3) Add a new preference with the value "') or '1' = '1' -- "
(be sure to include the space at the end after the comment --).
4) When the page refreshes, you should now see about 99 other system
preferences which shouldn't be showing up.

5) Apply the patch

6) Refresh the page
7) Note that you now only see a system preference for "') or '1' = '1' -- "
and the other actual local use system preferences.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14524: Don't escape query_cgi with uri
Jonathan Druart [Mon, 13 Jul 2015 14:44:23 +0000 (15:44 +0100)]
Bug 14524: Don't escape query_cgi with uri

According to the doc, we should not escape query_cgi with the uri
filter:
http://www.template-toolkit.org/docs/manual/Filters.html#section_uri

Since query_cgi can contains something like: "idx=kw&q=42", we should
not escape the & char

Test plan:
0/ Don't apply the patch
1/ Go on launch a search at the OPAC
2/ Click on the RSS icon
3/ You should arrive on
opac-search.pl?idx%3Dkw%26q%3D42&count=50&sort_by=acqdate_dsc&format=rss2
The & has been escaped.
4/ Apply the patch
5/ Now you should get result and see an url correctly formatted.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14496 : Improving opac-detail.pl performances
Julian FIOL [Mon, 6 Jul 2015 10:27:08 +0000 (12:27 +0200)]
Bug 14496 : Improving opac-detail.pl performances

Get notes and subjects from MARC record
ONLY when XSLT is not activated.

It's useless doing it when XSLT is activated,
because XSLT takes care of it by its own.

=> With this patch, we are saving precious
milliseconds

I compared the display of some records in XSLT view with and without patch, was the same (as expected).
Signed-off-by: Marc Veron <veron@veron.ch>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
On a slower server, I saw a time save of 0.0274 to 0.0908 seconds (with XSLT).
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14485 - HTML comment disables translation in cataloguing/addbooks.tt
Fridolin Somers [Thu, 2 Jul 2015 08:37:22 +0000 (10:37 +0200)]
Bug 14485 - HTML comment disables translation in cataloguing/addbooks.tt

In cataloguing/addbooks.tt, the line :
  [% total %] result(s) found in catalog,
is not present in PO files even after an update.
I've found that the cause is the previous HTML comment line.

This patch converts HTML comment into TT comment and adds a div to have a more comprehensive string to translate.

Test plan :
- without patch
- go into <sources>/misc/translator
- run PO update for example in french : translate update fr-FR
=> the text "result(s) found in catalog" is missing from PO file : fr-FR-staff-prog.po
- restore default PO files
- apply patch
- go into <sources>/misc/translator
- run PO update for example in french : translate update fr-FR
=> You find text "result(s) found in catalog" in PO file : fr-FR-staff-prog.po

Sponsored-by: Universidad de El Salvador
Signed-off-by: Hector Eduardo Castro Avalos <hector.hecaxmmx@gmail.com>
Works as advertised. Just one msgid appear with msgid "%s result(s) found in catalog,"

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14366 - Units doesn't get saved usefully for patroncards
David Cook [Tue, 9 Jun 2015 04:25:23 +0000 (14:25 +1000)]
Bug 14366 - Units doesn't get saved usefully for patroncards

This patch causes the "Units" to be saved and displayed correctly
for the "Edit layout" screen in Patroncards.

_TEST PLAN_

Before applying:
0) Create a new layout
1) Edit the layout, change the units, and click Save
2) Edit the layout again, and notice the units are still "PostScript Points"

Apply the patch:
3) Edit the layout again, change the units, and click Save
4) Edit the layout again, note that the units have changed to your
selection

5) Rejoice

Signed-off-by: Nick Clemens <nick@quecheelibrary.org>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14453: (followup) Fix shipped XSLT files
Mirko Tietgen [Thu, 25 Jun 2015 13:38:42 +0000 (15:38 +0200)]
Bug 14453: (followup) Fix shipped XSLT files

Make the shipped XSLTs for authorities (MARC21 and UNIMARC) the same as the generated version

Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14453: kohaidx is missing for id in authority-koha-indexdefs.xml
Fridolin Somers [Wed, 24 Jun 2015 14:06:05 +0000 (16:06 +0200)]
Bug 14453: kohaidx is missing for id in authority-koha-indexdefs.xml

In authority-koha-indexdefs.xml, all tags use the namespace "kohaidx" except the tag "id".

When re-generating authority-zebra-indexdefs.xsl, the line :
  <xslo:variable name="idfield" select="normalize-space(marc:controlfield[@tag='001'])"/>
is modified :
  <xslo:variable name="idfield" select="normalize-space()"/>
This is an error.

This patch adds kohaidx namespace to correct.

Test plan :
- Without patch
- go to etc/zebradb/marc_defs/marc21/authorities/
- run : xslproc xsltproc ../../../xsl/koha-indexdefs-to-zebra.xsl authority-koha-indexdefs.xml > authority-zebra-indexdefs.xsl
- read authority-zebra-indexdefs.xsl
=> the line has changed : <xslo:variable name="idfield" select="normalize-space()"/>
- Apply patch
- go to etc/zebradb/marc_defs/marc21/authorities/
- run : xslproc xsltproc ../../../xsl/koha-indexdefs-to-zebra.xsl authority-koha-indexdefs.xml > authority-zebra-indexdefs.xsl
- read authority-zebra-indexdefs.xsl
=> the line has not changed
(same for unimarc flavor)

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
As Mirko mentioned, the xslt's now generate the facet-processing templates in
the authority xslt's too. They are harmless because we don't define facets
for authority records. If we did, it would be harmless too.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14326 - XSLT Syntax error in MARC21slimOPACResults.xsl
Winona Salesky [Thu, 4 Jun 2015 02:46:23 +0000 (22:46 -0400)]
Bug 14326 - XSLT Syntax error in MARC21slimOPACResults.xsl

Test Plan:
1) Apply this patch
2) Ensure you are using the default XSLT setting for the staff and opac  record details
3) Perform an opac search check "Availability" for expected display values.
5) Note this patch corrects invalid syntax in xslt, there should be no visable changes to the results page.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14135: Adds 'Free' to variabletypes in systempreferences.tt
Indranil Das Gupta [Mon, 4 May 2015 13:25:15 +0000 (18:55 +0530)]
Bug 14135: Adds 'Free' to variabletypes in systempreferences.tt

The 'Local Use' system preference addition/modification template provides the following options against "Variable Type" - Choice, YesNo, Integer, Textarea, Float, Themes, Languages, Upload or ClassSource.

There is no option presented for "Free" which seems to be the most
used variable type out-of-the-box (i.e. INTRAdidyoumean,
OPACdidyoumean, UsageStatsID and UsageStatsLastUpdateTime)

This trivial patch proposes to modify the systempreferences.tt
and add the option 'Free' to the list offered to users.

Test Plan
=========

1/ Go to Home > Administration > System preferences > Local use
2/ Click on 'New preference'.
3/ In the fieldset 'Koha Internal', the variable types offered
   are Choice, YesNo, Integer, Textarea, Float, Themes,
   Languages, Upload or ClassSources.
4/ Clicking on 'Choice' should set the 'preftype' field as
   'Choice'.
5/ Apply this patch.
6/ Refresh the page.
7/ The variable types list should read - "Free, Choice, YesNo,
   Integer, Textarea, Float, Themes, Languages, Upload or
   ClassSources".
8/ Clicking on 'Free' should set the 'preftype' field as 'Free'.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
NOTE: Discovered that there is no validation on the type field.
      However, that is beyond the scope of this bug.

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 9f008a102415c8b71a1f4a976bc15691c2663b5c)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
9 years agoBug 14467 - Security updates break some Koha plugins
Kyle M Hall [Thu, 25 Jun 2015 20:41:23 +0000 (16:41 -0400)]
Bug 14467 - Security updates break some Koha plugins

The new security updates break previously functioning plugins, most
notably the cover flow plugin and the Ebsco EDS plugin.

Test Plan:
1) Install and configure the cover flow plugin ( http://bywatersolutions.com/koha-plugins/ )
2) Note that attempting to access coverflow.pl from the OPAC results in an error
3) Apply this patch
4) Note that coverflow.pl now output html again

Signed-off-by: Nick Clemens <nick@quecheelibrary.org>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14389 - Editing a syspref in a textarea does not enable the Save button
Liz Rea [Tue, 16 Jun 2015 04:12:57 +0000 (16:12 +1200)]
Bug 14389 - Editing a syspref in a textarea does not enable the Save button

Test plan:
  1. Navigate to the "opaccredits" syspref (or any other textarea, i.e.,
     "Click to Edit", syspref) in the system preferences editor.
  2. Change its contents, by either pasting or typing. The field may not
     be marked as modified, even after you click outside the box.
  3. Apply the patch.
  4. Reload the page and try again; either pasting or typing should mark
     the field as changed and allow you to save.

Signed-off-by: Jesse Weaver <pianohacker@gmail.com>
Confirmed working for normal input, paste and middle-click paste in
Chrome and Firefox in Linux.

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14324: Display "Add Child" for Organisations on circ/circulation.pl
Jonathan Druart [Tue, 23 Jun 2015 08:40:15 +0000 (10:40 +0200)]
Bug 14324: Display "Add Child" for Organisations on circ/circulation.pl

On moremember, the button is displayed for Organisations.
To be consistent, it should be displayed on the circulation page too.

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14324: Set "adultborrower" regardless of guarantor status.
Barton Chittenden [Thu, 18 Jun 2015 20:31:28 +0000 (13:31 -0700)]
Bug 14324: Set "adultborrower" regardless of guarantor status.

Signed-off-by: Jason Robb - SEKLS (jrobb@sekls.org)
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 8802: On editing a library group category type is not set
Jonathan Druart [Wed, 1 Apr 2015 14:23:48 +0000 (16:23 +0200)]
Bug 8802: On editing a library group category type is not set

The category type was always set to 'searchdomain', because it's the
first of the dropdown list.

Test plan:
1/ Create or edit a library group
2/ Set the category type to "properties"
3/ Edit it again
4/ Confirm "properties" is correctly selected

Signed-off-by: Nick Clemens <nick@quecheelibrary.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14356: Improvements to the 'Transfers to receive' page
Katrin Fischer [Sun, 7 Jun 2015 23:30:58 +0000 (01:30 +0200)]
Bug 14356: Improvements to the 'Transfers to receive' page

Patch makes several small changes to the template for the
'Transfers to receive page'

1) Show the branch name instead of the branchcode in the
   table of incoming transfers.

If there is a hold connected with the transfer:
2) Show the patron's name as 'surname, firstname'
   intead of 'surname  firstname'
3) Restore broken feature: Show a mailto: link with a
   generated subject of 'Hold: <title>'.

The mailto: feature actually existed in the templates, but
was broken to a misnamed database column. I made some small
changes to make the subject translatable (see bug 8330).

To test:
- Create a transfer by placing a hold with pickup at another library
- Craete a transfer manually
- Go to the circulation > transfers to receive
- Check the changes explained above, compare before and after
- Check the mailto: link works as expected

Bonus: Check the Hold: bit in the subject is really translatable now.

Signed-off-by: Nick Clemens <nick@quecheelibrary.org>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 13874: 'Rotating collections' are a circulation tool
Katrin Fischer [Mon, 8 Jun 2015 03:29:16 +0000 (05:29 +0200)]
Bug 13874: 'Rotating collections' are a circulation tool

Moves the entry for 'Rotating collections' from the Catalog
column to the 'Patrons and circulation' column.

To test:
- Verify the entry has been moved on the tools home page

NOTE: I agree that collections makes more sense under the new
      column.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14001 - Inventory has bad $_ references
Mark Tompsett [Wed, 15 Apr 2015 16:33:29 +0000 (12:33 -0400)]
Bug 14001 - Inventory has bad $_ references

After receiving an error while attempt a simple inventory run,
Two lines were changed from:
    ...$_->...
to
    ...$item->...
since the loop variable is $item. And $_ is not set to the
expected hash reference, when there is a loop variable.

This also helps explain the "Why are there blank dates on my
last seen field?" problem that has been mentioned by users.

TEST PLAN
---------
 1) Apply this patch after a reset to master.
 2) Log in to staff client
 3) Add one item via z39.50, setting barcode to a known value (BARCODE1)
 4) Wait for the reindex
 5) Home -> Tools -> Inventory/Stocktaking
 6) Browse for a file with the barcode in it
 7) Set the library dropdown to the library branch of the added item.
 8) Check 'Compare barcodes list to results:'
 9) Click 'Submit'
    -- This should not die under plack.
       This should not generate blank last seen dates.
       The last seen dates should be as expected.
10) run koha qa test tools
11) Confirm the two change point correspond to the two change points
    in the patch which shall not be pushed to master.

The test result comply with expected outcome outlined in test plan.

Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14401: Zebra index configuration doesn't allow exact search for C.
Katrin Fischer [Wed, 17 Jun 2015 10:28:39 +0000 (12:28 +0200)]
Bug 14401: Zebra index configuration doesn't allow exact search for C.

2 lines in the Zebra configuration files prevent an exact search for C.,
while all other [A-Z]. searches work correctly.

After taking a look at the  /etc/zebradb/etc/word-phrase-utf.chr
those 2 lines cause the problem:

map (^c\.)          @
map (^C\.)          @

I propose to remove them.

To test:
- Catalog a record with an item with callnumber: C.
- Catalog a record with an item with callnumber: B.
- Try seaching for the second using callnum,ext:B. (exact field search)
  - Verify search works.
- Try searching for the other with callnum,ext:C.
  - Verify no result.
- Apply the patch - copy the zebra config file if necessary into the right spot
- Reindex
- Repeat searches - both should not bring up the correct record.

Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14422: Typo in updatedatabase.pl
Mark Tompsett [Fri, 19 Jun 2015 13:00:33 +0000 (09:00 -0400)]
Bug 14422: Typo in updatedatabase.pl

TEST PLAN
---------
 1) backup db
 2) git checkout -b my_3.6.x origin/3.6.x
 3) drop db and create blank one
 4) git reset --hard origin/3.6.x
 5) run web installer
 6) set HomeorHoldingBranchReturn system preference to 'holdingbranch'.
 7) create a Default checkout, hold rule
    home -> koha administration -> Circulation and fines rules
    -- I put 10 checkouts total and clicked 'Save'
    -- there currently is not 'returnbranch' in default_circ_rules.
 8) git reset --hard origin/3.20.x
    -- or whatever version you apply this to
       (3.8.x, 3.10.x, 3.14.x, 3.16.x, 3.18.x, or 3.20.x
        -- 3.21.00.008 deletes the systempreference involved)
 9) ./installer/data/mysql/updatedatabase.pl
10) check HomeorHoldingBranchReturn systempreference
    -- Currently says 'holdingbranch', but
       the value of 'returnbranch' in default_circ_rules is
       'homebranch'.
11) repeat steps 3-8
12) apply this patch
13) repeat steps 9-10
    -- Currently says 'holdingbranch', and
       the value of 'returnbranch' in default_circ_rules is
       'holdingbranch'.
14) run koha qa test tools

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Tested using 3.6.x install, updated to 3.8.x
Value is preserved
No errors

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Note: I haven't followed the test plan, but the fix is trivial.
Maybe it could worth to upate 3.21.00.008 and check the value of
HomeOrHoldingBranchReturn before deleting it.
We could raise a warning if HomeOrHoldingBranchReturn ==
'holdingbranch'.
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14440: get_template_and_user can not have an empty template_name (opac-ratings.pl)
Fridolin Somers [Tue, 23 Jun 2015 15:45:30 +0000 (17:45 +0200)]
Bug 14440: get_template_and_user can not have an empty template_name (opac-ratings.pl)

Since Bug 14408, the method get_template_and_user can not have an empty template_name.
Pages calling with an empty value should use C4::Auth::checkauth()

This patch corrects opac/opac-ratings.pl

Test plan :
- Apply patch
- Set sysopref OpacStarRatings to 'results and details'
- Disable Javascipt on your browser (otherwise it will use ajax)
- Login at OPAC
- Go to a record
- Click on a button left of 'Rate me' to choose a rating, ie 4
- Click on 'Rate me'
=> The page is reloaded and you see 'your rating: 4'
- Loggout from OPAC
- Try to access URL : http://<serveur>/cgi-bin/koha/opac-ratings.pl
=> You see the loggin page

Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit f1acb5615d0cbcba5db5b84e12fbad3d41454347)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit 3d8af819a84847b35ad08e62ba137d3febd878dd)

Conflicts:
opac/opac-ratings.pl

Signed-off-by: Liz <wizzyrea@gmail.com>
Conflicts:
opac/opac-ratings.pl

9 years agoBug 14421: Corrected example in SMS.pm to working version with hashref.
Eivin Giske Skaaren [Fri, 19 Jun 2015 11:08:29 +0000 (13:08 +0200)]
Bug 14421: Corrected example in SMS.pm to working version with hashref.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Test:
1) Apply patch
2) perldoc C4/SMS.pm
3) Check fixed argument in example

Argument is hashref, POD is now right
Added additional space on second arg
No errors

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14215: Change the 'delimiter' syspref description for its wider use
Katrin Fischer [Tue, 9 Jun 2015 00:32:46 +0000 (02:32 +0200)]
Bug 14215: Change the 'delimiter' syspref description for its wider use

Patch changes 'report files' to 'CSV files' as there are more
options now for downloading and creating CSV files where this
preference is taken into account.

To test:
- Verify the changed system preference description for
  'delimiter' is correct.

Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 10866: Hide patron's history if intranetreadinghistory is set to not allow
Jonathan Druart [Wed, 22 Apr 2015 10:14:24 +0000 (12:14 +0200)]
Bug 10866: Hide patron's history if intranetreadinghistory is set to not allow

If set to "not allow", the intranetreadinghistory pref prevent staff
members to access patron's checkout history.
But:
1/ The page is still accessible if you know the url
2/ The history can be consulted on the item history page

Test plan:
0/ Don't apply this patch
1/ Set the intranetreadinghistory to allow
2/ Go on a patron's checkout history page
3/ Open a new tab and go on a item's checkout history page
4/ Set the intranetreadinghistory to not allow
5/ Refresh both pages => no change
6/ Apply this patch
7/ Refresh both page.
On the first page, you should see a warning
On the other one, you should see that the patron column is not displayed
anymore.

Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 13427: jQuery Timepicker is not translated on returns page
Katrin Fischer [Mon, 8 Jun 2015 03:04:56 +0000 (05:04 +0200)]
Bug 13427: jQuery Timepicker is not translated on returns page

The returns page was missing an include with the translated strings.

To test:
- Install an additional language, like de-DE
- Confirm the bug on the returns page
  - Make sure SpecifyReturnDate is activated
  - Open the datepicker, look at the time settings
- Apply the patch
- Reinstall the language, no update of the po files is needed
- Retest
- Verify, that now the time settings are translated

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Works as expected

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14440: get_template_and_user can not have an empty template_name (opac-ratings.pl)
Fridolin Somers [Tue, 23 Jun 2015 15:45:30 +0000 (17:45 +0200)]
Bug 14440: get_template_and_user can not have an empty template_name (opac-ratings.pl)

Since Bug 14408, the method get_template_and_user can not have an empty template_name.
Pages calling with an empty value should use C4::Auth::checkauth()

This patch corrects opac/opac-ratings.pl

Test plan :
- Apply patch
- Set sysopref OpacStarRatings to 'results and details'
- Disable Javascipt on your browser (otherwise it will use ajax)
- Login at OPAC
- Go to a record
- Click on a button left of 'Rate me' to choose a rating, ie 4
- Click on 'Rate me'
=> The page is reloaded and you see 'your rating: 4'
- Loggout from OPAC
- Try to access URL : http://<serveur>/cgi-bin/koha/opac-ratings.pl
=> You see the loggin page

Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Conflicts:
opac/opac-ratings.pl

9 years ago Bug 14440: get_template_and_user can not have an empty template_name (quote*_ajax.pl)
Jonathan Druart [Wed, 24 Jun 2015 09:03:22 +0000 (11:03 +0200)]
 Bug 14440: get_template_and_user can not have an empty template_name (quote*_ajax.pl)

This patch uses check_api_auth instead of get_template_and_user.

Test plan:
Confirm that you are still able to access to the quote editor with the
edit_quotes permission.
Confirm that you are not if you don't have the permission.

wget your_url/cgi-bin/koha/tools/quotes/quotes_ajax.pl
should return "403 : Forbidden."

Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
9 years ago Bug 14440: get_template_and_user can not have an empty template_name (opac-ratings.pl)
Fridolin Somers [Tue, 23 Jun 2015 15:45:30 +0000 (17:45 +0200)]
 Bug 14440: get_template_and_user can not have an empty template_name (opac-ratings.pl)

Since Bug 14408, the method get_template_and_user can not have an empty template_name.
Pages calling with an empty value should use C4::Auth::checkauth()

This patch corrects opac/opac-ratings.pl

Test plan :
- Apply patch
- Set sysopref OpacStarRatings to 'results and details'
- Disable Javascipt on your browser (otherwise it will use ajax)
- Login at OPAC
- Go to a record
- Click on a button left of 'Rate me' to choose a rating, ie 4
- Click on 'Rate me'
=> The page is reloaded and you see 'your rating: 4'
- Loggout from OPAC
- Try to access URL : http://<serveur>/cgi-bin/koha/opac-ratings.pl
=> You see the loggin page

Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14440: get_template_and_user can not have an empty template_name (updatesupplier.pl)
Fridolin Somers [Tue, 23 Jun 2015 14:45:21 +0000 (16:45 +0200)]
Bug 14440: get_template_and_user can not have an empty template_name (updatesupplier.pl)

Since Bug 14408, the method get_template_and_user can not have an empty template_name.
Pages calling with an empty value should use C4::Auth::checkauth()

This patch corrects acqui/updatesupplier.pl

Test plan :
- Apply patch
- Connect to intranet with a user having "vendors_manage" permission
- Go to acquisition module
- Create a new vendor
- Click on "Edit vendor"
- Change some information and save
=> Your change is saved
- Connect to intranet with a user not having "vendors_manage" permission
- Try to access <intranet>/cgi-bin/koha/acqui/updatesupplier.pl
=> Access is denied
- Disconnect from intranet
- Try to access <intranet>/cgi-bin/koha/acqui/updatesupplier.pl
=> Access is denied

Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 8686: Raise required version of URI::Escape to 3.31
Katrin Fischer [Sun, 7 Jun 2015 21:45:10 +0000 (23:45 +0200)]
Bug 8686: Raise required version of URI::Escape to 3.31

Raises the minimum required version of URI::Escape from
1.36 to 3.31.

TEST PLAN
---------
1) git branch -b bug_8686 origin/master
2) ./koha_perl_deps.pl -a | grep URI
   -- it will list 1.36 required
3) git bz apply 8686
4) ./koha_perl_deps.pl -a | grep URI
   -- it will list 3.31 required
5) koha qa test tools

NOTE: Also default in Ubuntu 14.04 LTS,
      not just Wheezy as noted in comment #15.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signoff based on Nicole's comment (bug 9990 comment 6):
"This stops happening if you upgrade URI::Escape to
3.31.  We should make it clear in the Perl Modules page that an upgrade
is needed."
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14426: Escape or use placeholders for sql parameters
Jonathan Druart [Mon, 22 Jun 2015 08:56:26 +0000 (10:56 +0200)]
Bug 14426: Escape or use placeholders for sql parameters

Does this patch enough to prevent sql injection in borrowers_out.pl?

====================================================================
1. "Criteria" Parameter, Payload: ELT(1=1,'evil') / ELT(1=2,'evil')
====================================================================

echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl
HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length:
186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')"
| nc testbox 9002

echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl
HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length:
186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')"
| nc testbox 9002

====================================================================
2. "Filter" Parameter, Payload: P_COM'+AND+'a'='a / P_COM'+AND+'a'='b
====================================================================

echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl
HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length:
183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='a"
| nc testbox 9002

echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl
HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length:
183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='b"
| nc testbox 9002

====================================================================

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 10355: paramater 'object' lost on the road
Jonathan Druart [Thu, 16 Apr 2015 14:39:09 +0000 (16:39 +0200)]
Bug 10355: paramater 'object' lost on the road

Test plan:
1) Go to any detail page in staff
2) Click on the modification log tab
3) Verify, that the object is prefilled with the records biblionumber
and you can also see it as parameter in the url
4) Click a second time on modification log to reset your search

Before this patch, the object parameter was empty.
It now contains the value of the biblionumber.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Work as described, no koha-qa errors

http://bugs.koha-community.org/show_bug.cgi?id=10335

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 0002126a2ab0ac38a8d3f144f446dc3ba69dab59)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Conflicts:
tools/viewlog.pl

9 years agoBug 11790: Remove dependency C4::Context from C4::Charset
Jonathan Druart [Fri, 24 Apr 2015 15:03:09 +0000 (17:03 +0200)]
Bug 11790: Remove dependency C4::Context from C4::Charset

C4::Context is only used to retrieve a syspref value.
This patch moves the use of C4::Context to a require.

Test plan:
Try to reach the SetMarcUnicodeFlag subroutine (batchmod, add/update a biblio, etc.)

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Tested on French UNIMARC install
No errors adding/editing biblios
No koha-qa errors

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14329: Useless copy/pasta from Template::Plugin::HtmlToText
Marcel de Rooy [Thu, 4 Jun 2015 10:03:42 +0000 (12:03 +0200)]
Bug 14329: Useless copy/pasta from Template::Plugin::HtmlToText

The synopsis of this TT plugin contains two example lines:
[% myhtml FILTER html2text(leftmargin => 0, rightmargin => 0) %]
[% myhtmltext | html2text %]

These lines have been copied (without too much thought :) to a few templates. Since we do no use the variables myhtml or myhtmltext in these templates, these lines are useless.

Test plan:
[1] Put some items in your cart. And send it.
[2] Send a shelf.
[3] Git grep on myhtml. Should not have results.

NOTE: Sent carts and lists in Intranet and OPAC successfully.
      Though, this does bring into question why the letters
      have HTML formatting if it is getting removed. That,
      however, is beyond the scope of this bug.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14276: Keep highlight on the active item in item editor
Marcel de Rooy [Tue, 26 May 2015 12:52:07 +0000 (14:52 +0200)]
Bug 14276: Keep highlight on the active item in item editor

The highlight only works on even items.
This patch should resolve it.

Test plan:
Edit biblio with multiple items.
Verify that the highlight is visible on the selected item you edit.
And that there is no highlight for a new item.

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14173: Paging on 'recent comments' page in OPAC is not displaying correctly
Bernardo Gonzalez Kriegel [Mon, 1 Jun 2015 18:34:00 +0000 (15:34 -0300)]
Bug 14173: Paging on 'recent comments' page in OPAC is not displaying correctly

This patch corrects the display of current page on
a multipage recent comments.

To test:
1) Enable OpacShowRecentComments

2) Add multiple comments to multiple records
I used a script to add multiple lines like
"insert into reviews values ($i, 51, $i, 'Comment $i', 1, '2015-06-01 00:00:00')"
to table reviews

3) On OPAC, go to 'Recent comments', verify the bug

4) Apply the patch

5) Reload and check correct display

Can't found missing space near 'by' from description.
Display is correct for me.

Followed test plan, displays as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 11929: patron modification error shows borrowernumber
Marc Véron [Sun, 26 Apr 2015 19:36:25 +0000 (21:36 +0200)]
Bug 11929: patron modification error shows borrowernumber

If an error occurs in patron batch modification, a message similar to the following is displayed:
Can not update patron with borrowernumber 7055

It would be useful to have the cardnumber as well.

This patch adds the card number to the lists of errors.

It is not easy to trigger an error (see comments).
For testing, I tweaked the sub ModMember in C4/Members.pm to always return false.

TEST PLAN
---------
1) Log in as a superlibrarian and create a test user
2) Change the cardnumber to a number differing from the
   borrower number.
3) Home -> Tools -> Batch patron modification
4) Type in the cardnumber of that test user
5) Check the Library checkbox.
6) Click Save
   -- nice error, but it is borrower number instead of
      the card number which was entered.
7) Apply the patch
8) Repeat steps 3-6
   -- nice error, but it is now more informative.
9) run koha qa test tools.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 3b3f82de377c87f9108bf07dd0d293182e5b9bdc)
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
9 years agoBug 14266: Trim the email address in the pl script
Jonathan Druart [Tue, 26 May 2015 11:05:51 +0000 (13:05 +0200)]
Bug 14266: Trim the email address in the pl script

The original concern of bug 14266 was to provide a compatibility for
<IE9.
But actually we don't need to trim the email address template side.
It will even better to trim it in the perl script, so that the email
will be trimed even if JS is disabled.

Test plan:
1/ Share a list and does not provide any email address
2/ Submit
=> The form is not submited, no alert/message is displayed (same as
before this patch).
3/ Share a list and provide an email address with spaces before and
after
4/ Submit
=> You should receive the email

Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Test output compliant with expected test plan outcome.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoReplace trim() with $.trim() in opac-shareshelf.tt
David Cook [Mon, 25 May 2015 04:07:27 +0000 (14:07 +1000)]
Replace trim() with $.trim() in opac-shareshelf.tt

This patch replaces trim() with $.trim() which is supported
in versions of IE older than IE9.

Revised test plan
=================

Before applying patch:

0) Use IE 8 or Document Mode 8 in a newer IE using F12 Developer Tools
1) Set OpacAllowSharingPrivateLists to "Allow" in Global System Preferences
2) Create a private list in the OPAC
3) Add a record to the private list
4) Click "Share" or "Share list" on one of the list screens
5) Type in an email address and click "Send"
6) Note the error in the console log
7) The page should submit

Apply the patch:

7) Hold shift + refresh the browser to update any Javascript cache
8) Try to "Share" the list again
9) Note that the form submit after clicking "Send" and
that there are no errors in the console log

http://bugs.koha-community.org/show_bug.cgi?id=14266

Signed-off-by: Indranil Das Gupta <indradg@gmail.com>
Remarks: Works as per revised test plan
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 12066: New renew page in staff client doesn't record branch in statistics
Kyle M Hall [Wed, 20 May 2015 15:31:18 +0000 (11:31 -0400)]
Bug 12066: New renew page in staff client doesn't record branch in statistics

Test Plan:
1) Apply this patch
2) Renew an item via circ/renew.pl
3) Note the branch code of your logged in library is set as the
   branch in the generated statistic line

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Tested pre and post patch, now branch is saved
No errors

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 13946: Change order status 'Pending' to 'Ordered'
Katrin Fischer [Mon, 25 May 2015 09:22:07 +0000 (11:22 +0200)]
Bug 13946: Change order status 'Pending' to 'Ordered'

The order status after closing the basket is 'ordered' in the
database, but displays as 'pending' in the staff interface.

As we use 'pending' when you have to review a suggestion, this
clashes in translations and the meaning is different. The patch
renames 'pending' for the order status to 'Ordered' to be more
clear.

To test:
- Verfiy 'Ordered' shows in the pull down on the acq advanced
  search and search still works correctly
- Verify the results table also display 'Ordered' as the status

Signed-off-by: Cédric Vita <cedric.vita@dracenie.com>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14275: Remove CGI::scrolling_list from guided_reports.pl
Bernardo Gonzalez Kriegel [Tue, 26 May 2015 14:00:02 +0000 (11:00 -0300)]
Bug 14275: Remove CGI::scrolling_list from guided_reports.pl

Remove an instance of CGI::scrolling_list from this file

To test:
1) Go to Reports, Guided report wizard, New SQL report

2) Create a report with some auth value list, e.g.

SELECT surname,firstname FROM borrowers WHERE branchcode=<<Enter patrons library|branches>>

Save

3) Clic on 'Run this report", look at the dropdown, that will be changed

4) Apply the patch

5) Reload, check dropdown and any regression

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14112 - Silence warnings in t/Charset.t
Mark Tompsett [Fri, 22 May 2015 13:02:23 +0000 (09:02 -0400)]
Bug 14112 - Silence warnings in t/Charset.t

After Jonathan said this was the wrong way to correct the issue,
www.utf8-chartable.de made it clear to me that the \c3\a9 were
missing x's.

TEST PLAN
---------
1) prove t/Charset.t
   -- noise
2) apply patch
3) prove t/Charset.t
   -- no noise
4) koha qa test tools

Signed-off-by: Aleisha <aleishaamohia@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14203 - Message for non-existent lang removal
Indranil Das Gupta [Thu, 14 May 2015 19:42:11 +0000 (01:12 +0530)]
Bug 14203 - Message for non-existent lang removal

A trivial string patch to update the error message displayed to
user if koha-translate is used to attempt removal of a language
that is not installed.

Test plan
=========

1/ attempt to remove a non-existent language by
   <installdir>/debian/scripts/koha-translate --remove <langcode>
2/ it should show "Error: the selected language is not already
   installed."
3/ apply patch
4/ repeat step 1; it should show "Error: the selected language is
   not installed."

Signed-off-by: Nick Clemens <nick@quecheelibrary.org>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14184: Undefined $term causes noisy warns in C4/CourseReserves.pm
Aleisha [Tue, 12 May 2015 02:08:17 +0000 (02:08 +0000)]
Bug 14184: Undefined $term causes noisy warns in C4/CourseReserves.pm

This patch sets $term to be an empty string.

Test plan
=========

1/ enable 'UseCourseReserves' syspref in Circulation preferences
2/ in a terminal, run a `tail -f ` on your instance's opac-error.log
3/ go to the opac, click on 'Course reserve' tab to go to
   opac-course-reserves.pl
4/ notice the warning - "opac-course-reserves.pl: Use of uninitialized
   value $term" appear in the `tail`ed opac-error.log
5/ apply the patch
6/ reload the page (opac-course-reserves.pl)
7/ page works but the warning in step #4 is no longer logged
8/ run qa test (i.e. koha-qa.pl -c 1 -v 2), there should be no error

Remarks: Testing result match expected test plan output. The QA tests
         pass with "OK" for the commit.

Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14185: Undefined $limit causes warn in opac/opac-readingrecord.pl
Aleisha [Tue, 12 May 2015 03:01:35 +0000 (03:01 +0000)]
Bug 14185: Undefined $limit causes warn in opac/opac-readingrecord.pl

This patch sets $limit to be an empty string.

Test plan
=========

1/ login into the opac using your user account credentials
2/ in a terminal, run a `tail -f ` on your instance's opac-error.log
3/ go back to the opac, click on 'your reading history' tab to go to
   opac-readingrecord.pl
4/ notice the warning - "opac-readingrecord.pl: Use of uninitialized
   value $limit" appear in the `tail`ed opac-error.log
5/ apply the patch
6/ reload the page (opac-readingrecord.pl)
7/ page works but the warning in step #4 is no longer logged
8/ run qa test (i.e. koha-qa.pl -c 1 -v 2), there should be no error

Remarks: Testing result match expected test plan output. The QA tests
         pass with "OK" for the commit.

Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14186 [QA Followup]: Undefined $reservedfor causes warn in opac-reserve.pl
Indranil Das Gupta [Thu, 14 May 2015 01:53:16 +0000 (07:23 +0530)]
Bug 14186 [QA Followup]: Undefined $reservedfor causes warn in opac-reserve.pl

This is a followup for Bug 14186 that removes the extraneous tab
char on line 470, so that the patch can clear QA tools.

This patch sets $reservedfor to an empty string.

Test plan
=========

1/ in a terminal, run `tail -f ` on your instance's opac-error.log
2/ go to the opac and search from an item that exists on the Koha
   instance.
3/ Select the title (if more than one title is returned) and click on
   'Place hold' link to go to opac-reserve.pl
4/ notice the warning - "opac-reserve.pl: Use of uninitialized value
   $reservedfor" appear in the `tail`ed opac-error.log
5/ apply the patch
6/ reload the page (opac-reserve.pl)
7/ page works but the warning in step #4 is no longer thrown up
8/ run qa test (i.e. koha-qa.pl -c 1 -v 2), there should be no error

Remarks: Testing result match expected test plan output. The QA tests
         pass with "OK" for the commit.

Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14186: Undefined $reservedfor causes warn in opac-reserve.pl
Aleisha [Tue, 12 May 2015 03:30:46 +0000 (03:30 +0000)]
Bug 14186: Undefined $reservedfor causes warn in opac-reserve.pl

This patch sets $reservedfor to an empty string.

Test plan
=========

1/ in a terminal, run `tail -f ` on your instance's opac-error.log
2/ go to the opac and search from an item that exists on the Koha
   instance.
3/ Select the title (if more than one title is returned) and click on
   'Place hold' link to go to opac-reserve.pl
4/ notice the warning - "opac-reserve.pl: Use of uninitialized value
   $reservedfor" appear in the `tail`ed opac-error.log
5/ apply the patch
6/ reload the page (opac-reserve.pl)
7/ page works but the warning in step #4 is no longer thrown up
8/ run qa test (i.e. koha-qa.pl -c 1 -v 2), there should be no error

Remarks: The QA test failed - "forbidden pattern: tab char (line 470)".

         Marking this as 'FAILED QA'

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14130: Update columns.def
Katrin Fischer [Mon, 4 May 2015 20:08:04 +0000 (22:08 +0200)]
Bug 14130: Update columns.def

- Updates columns.def with new columns in items
- Adds some descriptions
- Corrects some existing column descrpitions

To test:
- Read the patch to see what has been changed
- Run the guided report builder for the 'circulation'
  module
- Observe changes show up

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Changes show up, no errors

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14408 (3.16/3.14) regex fix for .tmpl files too v3.16.12
Mason James [Wed, 24 Jun 2015 18:38:30 +0000 (06:38 +1200)]
Bug 14408 (3.16/3.14) regex fix for .tmpl files too

9 years agoBug 14408: Allow integers in template paths
Jonathan Druart [Mon, 22 Jun 2015 08:24:51 +0000 (10:24 +0200)]
Bug 14408: Allow integers in template paths

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
9 years agoBug 14408: Add tests to get_template_and_user
Jonathan Druart [Fri, 19 Jun 2015 08:25:30 +0000 (10:25 +0200)]
Bug 14408: Add tests to get_template_and_user

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14408 Path Traversal error
Chris [Mon, 22 Jun 2015 05:23:52 +0000 (05:23 +0000)]
Bug 14408 Path Traversal error

Counter counter patch
Please test well, including with the null byte %00, this uses a whitelisting to only allow files ending with .tt
and not allowing ../etc

Note the previous patch tries to protect against /etc/passwd
but //etc/passwd is now vulnerable.  I do think a whitelist is safer than trying to do a blacklist

/cgi-bin/koha/svc/virtualshelves/search
/cgi-bin/koha/svc/members/search

Are vulnerable

To test:
1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
  Notice you get a valid JSON response
2/ Hit
/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
  (You may have add more ..%2f or remove them to get the correct path)
  Notice you can see the contents of the /etc/passwd file
3/ Hit
/cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
4/ Apply patch
5/ Hit the first url again, notice it still works
6/ Hit the second url notice it now errors with a file not found
7/ Hit the third url notice it now errors with a file not found

Repeat for the other script also

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoRevert "Bug 14408 Path traversal vulnerability"
Mason James [Wed, 24 Jun 2015 17:05:33 +0000 (05:05 +1200)]
Revert "Bug 14408 Path traversal vulnerability"

This reverts commit 0b7647eff31c85d8f7e1e5a50fd82d3b94eec816.

9 years agoRevert "Bug 14408: Add tests to get_template_and_user"
Mason James [Wed, 24 Jun 2015 17:05:14 +0000 (05:05 +1200)]
Revert "Bug 14408: Add tests to get_template_and_user"

This reverts commit e8a3febfe7050870116db0512e1a39690a72346c.

9 years agoupdate notes
Mason James [Tue, 23 Jun 2015 13:39:18 +0000 (01:39 +1200)]
update notes

9 years agoBumping DB version for 3.16.12
Mason James [Tue, 23 Jun 2015 13:20:11 +0000 (01:20 +1200)]
Bumping DB version for 3.16.12

9 years agoAdd release notes for 3.16.12
Mason James [Tue, 23 Jun 2015 12:19:27 +0000 (00:19 +1200)]
Add release notes for 3.16.12

9 years agoTranslation updates for Koha 3.16.12 release
Bernardo Gonzalez Kriegel [Tue, 23 Jun 2015 01:08:56 +0000 (22:08 -0300)]
Translation updates for Koha 3.16.12 release

Bengali files renamed, ben -> bn-IN

9 years agoBug 14423 : Multiple XSS bugs in suggestion.pl
Chris [Sun, 21 Jun 2015 09:35:07 +0000 (09:35 +0000)]
Bug 14423 : Multiple XSS bugs in suggestion.pl

To test
1/ Hit a url like http://localhost:8081/cgi-bin/koha/suggestion/suggestion.pl?author=%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&accepteddate_to=
2/ Notice alert box(es)
3/ Apply patch
4/ Reload and notice alert is gone

Repeat for
collection_title
copyrightdate
isbn
manageddate_from
manageddate_to
publishercode
suggesteddate_from
suggesteddate_to

9 years agoBug 14423 : Multiple XSS vulnerabilities in serials-search
Chris [Sun, 21 Jun 2015 09:20:51 +0000 (09:20 +0000)]
Bug 14423 : Multiple XSS vulnerabilities in serials-search

To test

1/ Hit a url like http://localhost:8081/cgi-bin/koha/serials/serials-search.pl?bookseller_filter=%22%22%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&searched=1&title_filter=
2/ Notice alert boxes
3/ Apply patch
4/ Reload, notice fixed

Repeat for
callnumber_filter
EAN_filter
ISSN_filter
publisher_filter
title_filter

Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14423 : XSS bugs in catalogue search
Chris [Sun, 21 Jun 2015 09:01:32 +0000 (09:01 +0000)]
Bug 14423 : XSS bugs in catalogue search

To test

1/ hit a url like http://localhost:8081/cgi-bin/koha/catalogue/search.pl?limit=%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice alert boxes
3/ Apply patch
4/ Reload url, no alerts
5/ Check search still works

Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14423 : XSS issues in marc_subfields_structure
Chris [Sun, 21 Jun 2015 08:46:40 +0000 (08:46 +0000)]
Bug 14423 : XSS issues in marc_subfields_structure

1/ Hit a url like http://localhost:8081/cgi-bin/koha/admin/marc_subfields_structure.pl?op=add_form&tagfield=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice all the alert boxes
3/ Apply patch
4/ Reload page, no more alerts
5/ Test functionality still works

Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14423 XSS bug in auth_subfields_structure
Chris [Sun, 21 Jun 2015 08:33:13 +0000 (08:33 +0000)]
Bug 14423 XSS bug in auth_subfields_structure

1/ Hit a url like http://localhost:8081/cgi-bin/koha/admin/auth_subfields_structure.pl?op=add_form&authtypecode=%27%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&tagfield=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice a ton of alert boxes pop up
3/ Apply patch
4/ Reload url, no longer get any alerts
5/ Test fuctionality still works

Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14423 : XSS bug in lateorders
Chris [Sun, 21 Jun 2015 08:18:20 +0000 (08:18 +0000)]
Bug 14423 : XSS bug in lateorders

1/ hit a url like http://localhost:8081/cgi-bin/koha/acqui/lateorders.pl?delay=<script>alert('oh noes')</script>&estimateddeliverydatefrom
2/ Not you get an alert box
3/ Apply patch notice it is fixed
4/ Test functionality still works

Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14423 : XSS in authorities-home
Chris [Sun, 21 Jun 2015 08:10:20 +0000 (08:10 +0000)]
Bug 14423 : XSS in authorities-home

To test:
1/ Hit a url like http://localhost:8081/cgi-bin/koha/authorities/authorities-home.pl?op=do_search&type=intranet&marclist=mainentry&and_or=and&operator=contains&value=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice you get 3 alert boxes
3/ Apply patch
4/ Hit the url again, no js

Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14412 : SQL injection possible
Chris Cormack [Thu, 18 Jun 2015 20:35:07 +0000 (08:35 +1200)]
Bug 14412 : SQL injection possible

There is a SQL Injection vulnerability in the
/cgi-bin/koha/opac-tags_subject.pl script.

By manipulating the variable 'number', the database can be accessed
via time-based blind injections.

The following string serves as an example:

/cgi-bin/koha/opac-tags_subject.pl?number=1+PROCEDURE+ANALYSE+(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)

To exploit the vulnerability, no authentication is needed

To test
1/ Turn on mysql query logging
2/ Hit /cgi-bin/koha/opac-tags_subject.pl?number=1+PROCEDURE+ANALYSE+(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
3/ Check the logs notice something like
  SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1
  PROCEDURE ANALYSE
  (EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
4/ Apply patch
5/ Hit the url again
6/ Notice the log now only has
   SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed the problem and the fix for it.
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14408: Add tests to get_template_and_user
Jonathan Druart [Fri, 19 Jun 2015 08:25:30 +0000 (10:25 +0200)]
Bug 14408: Add tests to get_template_and_user

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14408 Path traversal vulnerability
Jonathan Druart [Fri, 19 Jun 2015 08:12:45 +0000 (10:12 +0200)]
Bug 14408 Path traversal vulnerability

/cgi-bin/koha/svc/virtualshelves/search
/cgi-bin/koha/svc/members/search

Are vulnerable

To test:
1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
  Notice you get a valid JSON response
2/ Hit
/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
  (You may have add more ..%2f or remove them to get the correct path)
  Notice you can see the contents of the /etc/passwd file
3/ Hit
/cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
4/ Apply patch
5/ Hit the first url again, notice it still works
6/ Hit the second url notice it now errors with a file not found
7/ Hit the third url notice it now errors with a file not found

Repeat for the other script also

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14416: Stored XSS vulnerability - add biblio to shelf (intranet)
Jonathan Druart [Fri, 19 Jun 2015 09:21:56 +0000 (11:21 +0200)]
Bug 14416: Stored XSS vulnerability - add biblio to shelf (intranet)

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14416: (follow-up) opac addbybilionumber
Jonathan Druart [Fri, 19 Jun 2015 09:21:47 +0000 (11:21 +0200)]
Bug 14416: (follow-up) opac addbybilionumber

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14416 Stored XSS vulnerability
Chris Cormack [Thu, 18 Jun 2015 23:26:02 +0000 (11:26 +1200)]
Bug 14416 Stored XSS vulnerability

opac-addbybiblionumber.pl is also vulnerable because it doesn't escape
list names.

To test
1/ Create a malicious list name
2/ Try to add a biblio to the lists
3/ Notice js is excuted
4/ Apply patch
5/ Test again

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14418 : More XSS vulnerabilities in opac-shelves.pl
Chris Cormack [Thu, 18 Jun 2015 23:41:45 +0000 (11:41 +1200)]
Bug 14418 : More XSS vulnerabilities in opac-shelves.pl

To test:
1/ Hit a url like
/cgi-bin/koha/opac-shelves.pl?viewshelf=7&op=modif&display="><script>alert('oh
noes')</script>  Where the id is a valid shelf id
2/ Notice the js is executed
3/ Apply patch
4/ Reload page
5/ Notice input is now escaped on display

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Tested in Debian, couldn't reproduce the alert in Iceweasel, but in
Chromium. Patch fixes it.

9 years agoBug 14418 : XSS flaw in opac-shelves.pl
Chris Cormack [Thu, 18 Jun 2015 23:30:22 +0000 (11:30 +1200)]
Bug 14418 : XSS flaw in opac-shelves.pl

To test:
1/ Create a list and add at least one item to it
2/ Hit a url like http://192.168.2.18/cgi-bin/koha/opac-shelves.pl?viewshelf=7&sort=author&direction=%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
  Where the shelf id is the number of the list you created, notice the js is executed
3/ Apply the patch
4/ Reload the page notice the js is now escaped

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
9 years agoBug 14418 XSS Vulnerabilities
Chris Cormack [Thu, 18 Jun 2015 21:25:22 +0000 (09:25 +1200)]
Bug 14418 XSS Vulnerabilities

Fix for /cgi-bin/koha/opac-search.pl

To test

1/ Hit /cgi-bin/koha/opac-search.pl?tag="><script
src='http://cst.sba-research.org/x.js'/>&q=a
2/ Notice the js is executed
3/ Apply patch
4/ Reload page, notice it is no longer executed
5/ Test the rss links work still

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed bug and that the patch fixes it.
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14360: Unescaped variable causes alert pop-up
Aleisha [Tue, 9 Jun 2015 02:02:55 +0000 (02:02 +0000)]
Bug 14360: Unescaped variable causes alert pop-up

To test:

1) Create a list in the OPAC, name it: <script>alert('Hello');</script>
2) Delete the list
3) Confirm deletion
4) See the alert say 'Hello'
5) Apply patch
6) Recreate list with same name
7) Delete list
8) Confirm deletion and alert no longer pops up

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14360: Unescaped variable causes alert
Aleisha [Mon, 8 Jun 2015 02:30:23 +0000 (02:30 +0000)]
Bug 14360: Unescaped variable causes alert

Adding |html to [% resultsperpage %] to escape the variable and get rid of the alert.

To test:

1) Go to URL such as ...  /cgi-bin/koha/opac-authorities-home.pl?op=do_search&resultsperpage=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
2) Notice pop-up box with alert
3) Apply patch, refresh page
4) Notice alert is gone

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBumping DB version for 3.16.11 v3.16.11
Mason James [Sun, 31 May 2015 00:51:20 +0000 (12:51 +1200)]
Bumping DB version for 3.16.11

9 years agoAdd release notes for 3.16.11
Mason James [Sun, 31 May 2015 01:27:58 +0000 (13:27 +1200)]
Add release notes for 3.16.11

9 years agoTranslation updates for Koha 3.16.11 release
Bernardo Gonzalez Kriegel [Sat, 30 May 2015 04:31:19 +0000 (01:31 -0300)]
Translation updates for Koha 3.16.11 release

9 years agoBug 14068: fix preinst for fresh package installs
Robin Sheat [Tue, 28 Apr 2015 03:19:30 +0000 (15:19 +1200)]
Bug 14068: fix preinst for fresh package installs

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Works as expected. Tested both upgrading and on a new install.
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14055: remove symlink that breaks upgrades
Robin Sheat [Fri, 24 Apr 2015 02:48:53 +0000 (14:48 +1200)]
Bug 14055: remove symlink that breaks upgrades

Old versions of koha-common would put in a symlink to the system YUI
libraries. This causes upgrade problems, so we look out for that and zap
it if it's there.

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14006: about.pl checks the wrong zebra index mode
Tomas Cohen Arazi [Mon, 20 Apr 2015 18:39:45 +0000 (15:39 -0300)]
Bug 14006: about.pl checks the wrong zebra index mode

When setting zebra_bib_index_mode to grs1 I get two warnings when not applying the patch:

"The <zebra_bib_index_mode> entry is set to grs1. GRS-1 support is now deprecated and will be removed in future releases. Please use DOM instead by setting <zebra_bib_index_mode> to dom (full reindex required)."

"You have set <use_zebra_facets> but the <zebra_bib_index_mode> is not set to dom. Falling back to legacy facet calculation."

When applying the patch a third warning appears in addition to the two previous ones:

"The <zebra_bib_index_mode> entry is set to dom, but your system still appears to be set up for grs1 indexing."

Seems like the patch does what it should to me regarding the configuration mismatch warning.

Signed-off-by: Eivin Giske Skaaren <eskaaren@yahoo.no>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14075: Undefined value creates noisy warns in C4::AuthoritiesMarc
Aleisha [Wed, 29 Apr 2015 01:56:45 +0000 (01:56 +0000)]
Bug 14075: Undefined value creates noisy warns in C4::AuthoritiesMarc

This match sets $sortby (previously undefined value) as an empty string to get rid of the warns.

To test:

1) Go to a URL such as http://localhost:8080/cgi-bin/koha/opac-authorities-home.pl?op=do_search&type=opac&operator=contains&value=a&marclist=any&and_or=and
2) Notice the warns in the error log
3) Apply patch
4) Reload URL
5) Notice page still works but no warns in error log

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
NOTE: I would have done $sortby //= '';
      But this works too. :)

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14204: (QA followup) remove unneeded messages
Tomas Cohen Arazi [Fri, 15 May 2015 18:28:56 +0000 (15:28 -0300)]
Bug 14204: (QA followup) remove unneeded messages

TEST PLAN
---------
1) Apply first patch
2) prove -v t/db_dependent/Labels/t_Batch.t
   -- YUCK! No meaningful messages on a lot of the ok's.
3) Apply this patch
4) prove -v t/db_dependent/Labels/t_Batch.t
   -- YAY! Meaningful test results
5) koha qa test tools

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
9 years agoBug 14204: Fix t/db_dependent/Labels/t_Batch.t failing test from Bug 12991
Nick Clemens [Thu, 14 May 2015 19:56:43 +0000 (19:56 +0000)]
Bug 14204: Fix t/db_dependent/Labels/t_Batch.t failing test from Bug 12991

This patch updaes the batch_id variable after items are added to test batch

To test:
1. prove t/db_dependent/Labels/t_Batch.t and see two tests fail
2. apply patch
3. prove again, tests pass!

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
NOTE: The $batch->add_item() call to C4::Creators::Batch::add_item
      triggers the change of the batch_id so this line is necessary!
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>