]> git.koha-community.org Git - koha.git/log
koha.git
7 days agoUpdate release notes for 23.11.10 release 23.11.x v23.11.10
Fridolin Somers [Thu, 7 Nov 2024 13:37:48 +0000 (14:37 +0100)]
Update release notes for 23.11.10 release

Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
7 days agoIncrement version for 23.11.10 release
Fridolin Somers [Thu, 7 Nov 2024 13:28:01 +0000 (14:28 +0100)]
Increment version for 23.11.10 release

Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
8 days agoBug 33339: (Follow up) Fix more cases of formula=empty
Magnus Enger [Fri, 16 Aug 2024 12:59:20 +0000 (14:59 +0200)]
Bug 33339: (Follow up) Fix more cases of formula=empty

This patch adds formula=empty to:
- Koha::ERM::EUsage::SushiCounter::_build_COUNTER_report_file()

Updated 2024-09-26: Earlier version also removed unnecessary
use of formula=empty from two places.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 9318e7ade724a39303e4276ecd633b5b2e90ae7b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
8 days agoBug 33339: Prevent Formula Injection (CSV Injection) in CSV files
Kyle M Hall [Thu, 27 Jul 2023 16:30:54 +0000 (12:30 -0400)]
Bug 33339: Prevent Formula Injection (CSV Injection) in CSV files

The system is vulnerable to Formula Injection attacks as the data
stored within the database and exported as CSV/Excel is not being
sanitized or validated against implanted formula payloads

This patch modifies all uses of Text::CSV and derived classes to pass
the "formula" parameter with value of "empty" which replaces formulas
by empty string.

Test Plan:
1) Apply this patch
2) For guided_reports.pl, attempt to export CSV where you've set a column to a formula somehow
   ( such as "=1+3" )
3) Export that CSV file
4) Note the formula has not been exported
5) Repeat this plan for the remaining scripts that export CSV files
   where users can define the outputted data

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Fixed two conflicts. I have tested that this works as advertised on:
- Reports (Download > Comma separated text (.csv)) [Text::CSV::Encoded]
- Circulation > Overdues > Download file of all overdues [Text::CSV_XS]
- misc/export_borrowers.pl [Text::CSV]
This covers all modules used, and both GUI and command line.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Change none to empty in the commit message ! None is the default,
doing nothing. Empty clears the formulas.
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit e588f810a521065bf46dc037edeac5c83d537714)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
8 days agoBug 37724: Remove Koha version number from OPAC
David Cook [Mon, 26 Aug 2024 01:22:12 +0000 (01:22 +0000)]
Bug 37724: Remove Koha version number from OPAC

This change removes the Koha version number from the OPAC generator
metadata.

Test plan:
0. Apply patch
1. Enable syspref SelfCheckInModule
2. Visit /cgi-bin/koha/opac-main.pl and confirm meta tag doesn't
include version number
3. Visit /cgi-bin/koha/sci/sci-main.pl and confirm meta tag doesn't
include version number
4. Visit /cgi-bin/koha/sco/sco-main.pl) and confirm meta tag doesn't
include version number
5. Click "Help" and confirm meta tag doesn't include version number

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 6524913f142a9b7dc17a8974b8097f6089f8ff8b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
8 days agoBug 37861: Fix XSS vulnerability in barcode append function
Artur [Sat, 7 Sep 2024 16:12:05 +0000 (18:12 +0200)]
Bug 37861: Fix XSS vulnerability in barcode append function

When user inputs were appended directly to the barcode table, the values were not properly escaped, allowing potential XSS attacks. This patch ensures that user inputs are sanitized and safely added to the DOM using .text() and .attr() methods to prevent script injection.

To test:
Enable the "SelfCheckInModule".
Open the barcode input form.
Enter a barcode with HTML or script tags.
Without the patch, observe that the script is executed.
Apply the patch.
Repeat step 2.
Verify that the input is escaped and no script execution occurs.
Check that the barcode is properly appended to the table.

Documentation:
No updates required.

Sponsored-by:
KillerRabbitAos

Signed-off-by: Bo Gustavsson <bosse@gustavsson.one>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
(cherry picked from commit f1a02fdfe127ebebc0a53596f30c24c7e3c9e285)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
8 days agoBug 37737: [23.11] Fixed report permissions to prevent disallowed duplication
Lisette Scheer [Mon, 9 Sep 2024 20:12:47 +0000 (20:12 +0000)]
Bug 37737: [23.11] Fixed report permissions to prevent disallowed duplication

Test plan:
1. Checkout 23.11
2. Create a report
3. Create a user with staff login and run reports permissions
4. Log in as your new user
5. Preview the SQL of the report
6. In the preview modal, select Duplicate report
7. Apply patch
8. Repeat steps 4-6.
9. You should be prompted to login.

Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2 weeks agoBug 38148: (QA follow-up) Code comments
Nick Clemens [Tue, 22 Oct 2024 20:06:01 +0000 (20:06 +0000)]
Bug 38148: (QA follow-up) Code comments

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 38e33074b6f8431f363e17fdd792cbaae721c41f)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 1a71b1270299db79904b075353a9003553eec090)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 weeks agoBug 38148: Revert back to get_effective_rule
Pedro Amorim [Tue, 22 Oct 2024 10:48:14 +0000 (10:48 +0000)]
Bug 38148: Revert back to get_effective_rule

And update the first conditional logic.
This patch aims to maintain the logic behind the first patch, but restore get_effective_rule.
get_effective_rule_value is using cache and I believe that is the reason why Items.t fail when using that.

Test plan:
1) Search for 'music' on OPAC
2) Notice records have the 'place hold' link
3) Visit circulation rules on Staff:
<staff_url>/cgi-bin/koha/admin/smart-rules.pl
4) On 'Default checkout, hold and return policy' , under 'Hold policy' pick 'From any library'. Hit 'Save'.
5) Repeat 1). Notice the 'place hold' link is gone.
6) Apply patch. restart plack. Repeat 1). Notice the 'place hold' is shown again

Run:
$ prove t/db_dependent/Koha/Items.t

Signed-off-by: andrewa <andrew.auld@ptfs-europe.com>
Signed-off-by: Ray Delahunty <r.delahunty@arts.ac.uk>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit c7c24aa8d3e856a21e50075f743a5abc39fa5797)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 36cace8f70204b68f5a379adfbb10e47360177f8)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 weeks agoBug 38148: Check value of holdallowed circ rule properly
Aleisha Amohia [Fri, 11 Oct 2024 01:53:11 +0000 (01:53 +0000)]
Bug 38148: Check value of holdallowed circ rule properly

It was noted on Bug 29087 that the value of circulation rules needs to be checked differently, so this follow-up addresses that.

To test:

1. Apply patch and restart services
2. Search for a record on the OPAC. Confirm you can see a link to place a hold.
3. Search for this record on the staff interface and place a hold. Go to Circulation -> Holds to pull and confirm your hold shows in the list.
4. Confirm tests still pass t/db_dependent/Koha/Holds.t

Sponsored-by: Whanganui District Council
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: andrewa <andrew.auld@ptfs-europe.com>
Signed-off-by: Ray Delahunty <r.delahunty@arts.ac.uk>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e2be4e00a5bf0920786339f5f47997508be93c4d)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 3748fe30dfa705bc3184def7e67089cdea7160bb)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 weeks agoBug 38148: Unit tests
Nick Clemens [Tue, 22 Oct 2024 19:54:42 +0000 (19:54 +0000)]
Bug 38148: Unit tests

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 76352200cac7736bb905b809cea5640b83576b53)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit f8b6777e50295b6a2ba468f0694ca2e69083d6b3)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 weeks agoBug 37339: Set messaging preferences from default on self registration
Nick Clemens [Fri, 12 Jul 2024 14:00:49 +0000 (14:00 +0000)]
Bug 37339: Set messaging preferences from default on self registration

The change on bug 30318 prevented setting the default messaging preferences when none were passed.
Self registration relied on this for setting borrower preferences from the defaults.

This patch removes the call to handle_form_action and replaces it with a call to:
SetMessagingPreferencesFromDefault

To test:
 1 - Ensure self registration is enabled
 2 - Set default messaging preferences for the self registration category
 3 - Self register a patron from the OPAC, confirm defaults not set
 4 - Apply patch, restart all
 5 - Self register a patron
 6 - Confirm defaults have been set
 7 - Enable  PatronSelfRegistrationVerifyByEmail
 8 - Self register a patron on OPAC with an email
 9 - Find the email and grab the verification link (unless you have emails enabled)
     SELECT * FROM message_queue;
10 - Visit the link and confirm registration
11 - Confirm messaging defaults are set

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 2accac5fd9a210c9aa0107c47522c7393b257c8c)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 1d72bfe3d2ce95da35b966960efb2c73679226c2)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 weeks agoBug 37775: Spelling and tidy
Nick Clemens [Fri, 30 Aug 2024 12:51:37 +0000 (12:51 +0000)]
Bug 37775: Spelling and tidy

Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit d785fb1c1e7422861dc6aaea4291f0b3cb1f2416)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit ae84680c4d89eee031ba1bcb02c44db10f93bb9c)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 weeks agoBug 37775: Remove delayed commits from update_totalissues.pl and add progress option
Nick Clemens [Fri, 30 Aug 2024 12:47:07 +0000 (12:47 +0000)]
Bug 37775: Remove delayed commits from update_totalissues.pl and add progress option

This patch removes setting AutoCommit to 0 and commiting only every X records.
Instead we commit as we go and report progress using a parameter.

Bug 36474 reduced the numebr of changes that are being committed, so this should be a reasonable change. The
use of commits without transactions was causing problems if the library was active while the script ran.

To test:
1 - perl misc/cronjobs/update_totalissues.pl -c
2 - Script runs, but with unknown parameter
3 - perl misc/cronjobs/update_totalissues.pl -p 10
4 - Script runs and reports every 10 records
5 - per; misc/cronjobs/update_totalissues.pl
6 - Script runs and reports every 100 records by default

Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit dba9dd405339691a8671c243518f16cb20f4777f)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 8fd510cc567ec0dc1a87b6fa4abf8b5e9c208435)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 weeks agoBug 36474: Don't update records when total issues has not changed
Nick Clemens [Mon, 1 Apr 2024 15:00:34 +0000 (15:00 +0000)]
Bug 36474: Don't update records when total issues has not changed

This patch adds a new check in UpdateTotalIssues to check that we are changing the number
of total issues before calling ModBiblio

To test:
0 - Enable CataloguingLog
1 - Checkout an item
2 - Run : misc/cronjobs/update_totalissues.pl --use-stats --commit=1000 -v
3 - In report, note all biblios were updated
4 - Check action_logs - note a new entry for every biblio
5 - Apply patch
6 - Repeat
7 - Note no biblios reported updated
8 - Note no new cataloguing log entries
9 - Checkout the item again
10 - Run again
11 - Note biblionumber has updated count in verbose output
12 - Note report only rpeort 1 biblio modified, the rest only processed
13 - Only one line added to action_logs
14 - Run it again
15 - Confirm no updates

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit d7b36d7f692420a5b67dee88ce78529ce7509413)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit a40b6d538d8e4b808cd9a65bca4f2281895fc186)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 weeks agoBug 36474: Unit tests
Nick Clemens [Wed, 28 Aug 2024 13:28:35 +0000 (13:28 +0000)]
Bug 36474: Unit tests

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 1c875b01572d81c8f1fedd73e4399d0535f44f97)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 7a9bddd516fd12d9d8fa1c0390b0e81d880360f5)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 weeks agoBug 37413: Ensure itemnumber is sent
Pedro Amorim [Thu, 1 Aug 2024 11:59:58 +0000 (11:59 +0000)]
Bug 37413: Ensure itemnumber is sent

Fix condition to ensure the itemnumber is sent

Signed-off-by: Sam Lau <samalau@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 99c5e3bae40122bd8e8721aa186292388db9a7d6)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit b10bb5baee519d4a13b5e9c819e97f10da1e516f)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 weeks agoBug 37586: Added aria-label for Login icon
Laura_Escamilla [Wed, 7 Aug 2024 13:44:36 +0000 (13:44 +0000)]
Bug 37586: Added aria-label for Login icon

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 57dc65bed597507c9b0433edaed5f535d46b7f0c)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 92e35a3d1722dc6d481435236d91d2a42a585ef1)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 weeks agoBug 37586: Updated aria-labels for masthead links
Laura_Escamilla [Wed, 7 Aug 2024 13:22:58 +0000 (13:22 +0000)]
Bug 37586: Updated aria-labels for masthead links

Update to my last comment: The Lists aria-label had an accessibility issue as the label did not match the visible text.

New test plan:

Check the OPAC Interface:
* Open the OPAC in a normal-sized browser window.
* You’ll see the text next to the 'Cart', 'Lists', and 'Login' icons clearly.
* Gradually reduce the window size until the text next to these icons disappears.
* Inspect the icon elements. You’ll find that there is no alternative text (like aria-label) provided for 'Cart' and 'Login'. The aria-label for 'Lists' does not match the visible text. It currently says "Show dropdown with detailed list information". This lack of alternative text is an accessibility issue and labels should match visible text.
Apply the Patch:
* Apply the patch
* Restart_all
Verify the Fix:
* Inspect the icons again.
* For the 'Cart' icon, you should see an aria-label attribute with the text "View your shopping cart".
* For the 'Login' icon, you should see an aria-label attribute with the text "Log in to your account".
* For the 'Lists' icon, you should see an updated aria-label attribute with the new text of "Lists".
* These changes will improve accessibility for users relying on screen readers.
Sign Off:
* Sign off and Have an amazing day!

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 8318d27a7d08d6c8667adb0eba7662ab6ac545f4)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit b05d36402b6186ecfacdf51cf91278512b3a92c6)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 weeks agoBug 36907: Add maxlength to OAI set mapping form fields
Owen Leonard [Tue, 21 May 2024 15:09:59 +0000 (15:09 +0000)]
Bug 36907: Add maxlength to OAI set mapping form fields

This patch adds a maxlength attribute to the field, subfield, and value
fields in the OAI set mapping form. This helps prevent an error when the
form data is too long for the database columns.

Unrelated: The patch also adds quotes around two unquoted name
attributes.

To test, apply the patch and go to Administration -> OAI sets.

- If necessary, create a new set.
- Click Actions -> Define mappings.
- Test that each form field is limited correctly:
  Field: 3
  Subfield: 1
  Value: 80
- Test that the form can be submitted successfully with the maximum
  number of characters in each field.

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit c3f47091def8b03c9d5d4fbf5329d01d743398f5)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 4f9707dcd16e77507f6703d59853f4649f85624d)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 weeks agoBug 32696: Unit tests
Janusz Kaczmarek [Tue, 9 Jul 2024 09:59:07 +0000 (09:59 +0000)]
Bug 32696: Unit tests

Added unit tests.

Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit da5aa7fabad0635535a7b1847ad9e8736414d38c)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit e7a6fe10362a3ef0b9339884570dd973280ebb79)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 weeks agoBug 32696: Recalls can inadvertently extend the due date
Janusz Kaczmarek [Mon, 8 Jul 2024 11:30:16 +0000 (11:30 +0000)]
Bug 32696: Recalls can inadvertently extend the due date

If an item is due sooner than the recall due date interval then placing
a recall on it can inadvertently extend the book's due date, possibly
causing the recalling patron to receive the item later than they would
otherwise.

Test plan:
=========

1. Turn on recalls with UseRecalls.
2. In circulation rules, set the recall due date interval to 7 days
   or any other arbitrary period.
3. Check out an item to one patron & set the due date to be before the
   recall due date interval will have elapsed (e.g. the next day)
4. As a second patron, place a recall on the item in question.
5. See that the item's due date is extended to the current date plus
   the recalls due date interval.
6. Apply the patch, restart_all;
7. Repeat steps 3. and 4. See that the due date has not been extended.

BTW, the calculation of $due_interval has been changed, because with
the current code and empty 'Recall due date interval' $due_interval
is undefined, despite the intention of the author of the code.
(after calling get_effective_rule $recall_due_date_interval is defined, but
$recall_due_date_interval->rule_value is undefined;  the patron gets
a message: '... return the item within days, by ...' - no days count).

Sponsored-by: Ignatianum University in Cracow
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e584b9adcb6fafb96ce77fcd84b68f6f697478f4)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 15dc40af39a1a545fc1915cd148a0ac6197eb7bb)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 weeks agoBug 37623: Make t/db_dependent/Letters.t idempotent
Aleisha Amohia [Tue, 13 Aug 2024 03:07:17 +0000 (03:07 +0000)]
Bug 37623: Make t/db_dependent/Letters.t idempotent

The tests should be unaffected by system preference settings, such as EmailFieldPrimary.

To test:
1. Log into the staff interface
2. Go to Koha Administration -> Global system preferences, and search for EmailFieldPrimary
3. Change the EmailFieldPrimary preference to something other than 'primary email' and 'first valid email address', i.e. any of the following:

* alternate email
* card number
* secondary email
* selected addresses

4. Run tests t/db_dependent/Letters.t and notice they fail

5. Apply the patch

6. Run the tests again t/db_dependent/Letters.t with different settings of EmailFieldPrimary. The tests should always pass.

Sponsored-by: Pymble Ladies' College
Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 0e61e56e5728fc0ed387e9a53f40a6e77e9bc793)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit ca17ec1ce3b352938a811ff56c2b4afaf6e0eb63)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 weeks agoBug 37591: Fix moredetail.tt performance issue
Johanna Räisä [Fri, 9 Aug 2024 05:58:31 +0000 (08:58 +0300)]
Bug 37591: Fix moredetail.tt performance issue

This patch fixes the performance issue in moredetail.tt by removing the
unnecessary call of checkout_renewals table.

To test:
1. Create lot of checkouts and renewals for a record.
2. Open the moredetail page for the record.
3. Check the timing of the page load.
4. Apply the patch and check the timing of the page load again.
5. The page load should be faster after applying the patch.

Sponsored-by: Koha-Suomi Oy
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 5c41c1c657eba6be37bd8ca4622fdc9eda658fcd)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 85afecd491b08152bd140b67381e75bffe47561e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 weeks agoBug 37308: (QA follow-up) Tidy code
Kyle M Hall [Wed, 14 Aug 2024 14:41:35 +0000 (14:41 +0000)]
Bug 37308: (QA follow-up) Tidy code

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 5a06bd0d73d51bbc87a7e4ff210434b8782b90ec)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 955f724b1d645d77fcca65c07c844ddd39811789)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 weeks agoBug 37308: Add user-agent for SUSHI outgoing requests
Pedro Amorim [Wed, 10 Jul 2024 15:07:22 +0000 (15:07 +0000)]
Bug 37308: Add user-agent for SUSHI outgoing requests

Signed-off-by: Belal Ahmadi <belal.ahmadi@uwl.ac.uk>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 8175cccca2f7f28c68445e702ec40c200010211c)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit aceb48f1503b86e4a4c5544687da53e3063e192a)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 weeks agoBug 37593: Removed all instances of 'this this' in the codebase
PerplexedTheta [Mon, 12 Aug 2024 14:26:13 +0000 (15:26 +0100)]
Bug 37593: Removed all instances of 'this this' in the codebase

To test:
a)  do a grep for 'this this'
    1)  notice that there are five matching files
    2)  notice that all of these instances are in comments, or podfiles
b)  apply this patch
c)  do a grep for 'this this'
    1)  notice now that these instances are gone
d)  apply these changes to schema.koha-community.org
e)  result!

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 2cc520cdeb6782f9370356f1c7a1bb7f78ea1057)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 8297471b3b41e00d19134453ba5721ad3f85877b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
6 weeks agoUpdate release notes for 23.11.09 release v23.11.09
Fridolin Somers [Thu, 3 Oct 2024 10:16:04 +0000 (12:16 +0200)]
Update release notes for 23.11.09 release

Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
6 weeks agoIncrement version for 23.11.09 release
Fridolin Somers [Thu, 3 Oct 2024 10:05:00 +0000 (12:05 +0200)]
Increment version for 23.11.09 release

Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
6 weeks agoBug 37720: (follow-up) Adjust tests
Lucas Gass [Mon, 30 Sep 2024 20:45:04 +0000 (20:45 +0000)]
Bug 37720: (follow-up) Adjust tests

6 weeks agoBug 37720: Prevent XSS in label creator
Jonathan Druart [Wed, 28 Aug 2024 10:18:06 +0000 (12:18 +0200)]
Bug 37720: Prevent XSS in label creator

Because labels/label-edit-batch.pl fills a DataTable with things that include
a link created by C4/Creators/Lib.pm, it outputs them with the $raw filter,
so HTML in author/title/callnumber is executed in the label batch editor.
While we wait for a fix that moves the link creation into the template and
out of C4, encoding HTML in Lib.pm for the bits going into the link, and
switching from $raw to the html filter for the rest of the things, will at
least get rid of the XSS.

Test plan:
 1. Without this patch, but with the patch from bug 37654 so you don't get
    alert()s in batch import, download attachment 170675 [details]
 2. Cataloging - Stage records for import - browse to the downloaded file -
    Upload file - when the upload finishes Stage for import - when staging
    finishes View batch (get alert()s if you didn't apply bug 37654) - Import
    this batch into the catalog
 3. Once the import finishes, Cataloging - Manage staged records
 4. In the row for your import, in the # Items column, click "(Create label
    batch)"
 5. In the "Label batch #n created" message, click the link to the batch #
 6. Because the batch includes a call number with an open <script>, you'll
    get XSS alert()s and then one about something going wrong while loading
    the table, with only one of the two records showing in the batch editor
 7. Apply patch, restart_all
 8. Cataloging - Label creator - Manage Label batches
 9. In the row for your batch, click Edit
10. You will see both labels, with their attempts at XSS visible as text
    rather than being interpreted as HTML

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
6 weeks agoBug 37655: Basic editor needs to HTML-escape the bib record title used as a heading
Phil Ringnalda [Thu, 15 Aug 2024 22:41:18 +0000 (15:41 -0700)]
Bug 37655: Basic editor needs to HTML-escape the bib record title used as a heading

We stick the title of a bib record you are editing in the basic editor into
an <h1> without escaping any HTML it might contain. We should instead escape
it.

Test plan:

1. Without the patch, search for any record in the catalog and click Edit
   record (if you are in the advanced editor, switch to the basic one)
2. Tab 2, Field 245, Subfield a, paste <script>alert('boo ❤')</script><h2>
   at the end of the subfield
3. Save, then from the record detail page select Edit - Edit record
4. You will have gotten an alert(), and the entire form will be the size
   of an <h2>. That's ugly, so go back to the detail page.
5. Apply patch, restart_all
6. Edit - Edit record
7. Now you should not get an alert, the whole title inluding the <script>
   should display in italics, and the "(Record number nnn)" after it should
   not be italicized.

Signed-off-by: David Cook <dcook@prosentient.com.au>
(cherry picked from commit 0b1c2ba4b86f9aac615625f0456d81c2cf0ab4d7)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
6 weeks agoBug 37656: XSS in Advanced editor from Z39.50 search results
Phil Ringnalda [Fri, 16 Aug 2024 04:22:12 +0000 (21:22 -0700)]
Bug 37656: XSS in Advanced editor from Z39.50 search results

The Advanced editor inserts data from Z39.50 results into the search results
page without escaping HTML. Whether it's German records with "<<A>> Title"
or someone with a compromised catalog or a book with the title "<em> for
emphasis" it shouldn't.

Test plan:
 1. Not a dependency, but you'll avoid getting even more alerts while batch
    importing by starting with the patch from bug 37654
 2. Without this patch applied, download attachment 170421
 3. Administration - set the preference EnableAdvancedCatalogingEditor to
    Enable
 4. Cataloging - Stage records for import - browse to the downloaded file -
    Upload file - Stage for import
 5. Once the background job finishes, View batch (getting alerts if you
    didn't apply the patch from bug 37654) - Import this batch into the
    catalog
 6. When the import finishes, Search the catalog for script, on the imported
    record Edit record (if you wind up in the basic editor, Settings - Switch
    to Advanced editor)
 7. In the left sidebar below the search inputs, click Advanced », check
    the checkbox for Local catalog and uncheck any others, then search for
    the Title script
 8. You'll get five alerts, and the word "edition" displayed in huge text
 9. Close the search popup, apply patch, shift+reload the advanced editor
    page to clear your cache
10. Repeat step 7, but this time you won't get any alerts, and you'll see
    the title and the other <script> inclusions.

Sponsored-by: Chetco Community Public Library
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 1493c9b56ea3ca0f0e7d841068d015f086399e1f)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
6 weeks agoBug 37654: XSS in Batch record import for Citation column
Phil Ringnalda [Fri, 16 Aug 2024 02:57:42 +0000 (19:57 -0700)]
Bug 37654: XSS in Batch record import for Citation column

Viewing a staged MARC record batch loads a DataTable from
/tools/batch_records_ajax.pl, and both batch_records_ajax.pl and the
DataTable just trust the author/title/isbn/issn to be free of HTML. They
shouldn't.

Test plan:
1. Without this patch applied, download attachment 170418, then Cataloging
   - Stage records for import - Select the downloaded file - Upload file -
   Stage for import
2. When the background job completes, View batch - you'll get three alert()s
   from the title, author, and ISSN, and the author and ISSN displayed huge
3. Apply patch, restart_all
4. Manage staged records - click HTMLescapingimporttestrecord.mrc - get zero
   alerts and no <h2> display

Sponsored-by: Chetco Community Public Library
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 25672f82f090ac411c027da9ca044f7269f82814)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
6 weeks agoBug 13342: Not logged user can place a review/comment
Hammat Wele [Tue, 3 Sep 2024 20:31:21 +0000 (20:31 +0000)]
Bug 13342: Not logged user can place a review/comment

We are able to comment a notice even when no user is connected

To test

1. Log in to OPAC.
2. Find a Biblio and open the comments tab.
3. Open another tab/window, and log out from the account.
4. Return to the first tab.
5. Click "Post your comments on this title."
 --> We are able to post a comment
6. Apply the patch
7. Repeat step 1, 2, 3, 4, 5
 --> You should be redirected to the login page.

Signed-off-by: David Cook <dcook@prosentient.com.au>
Bug 13342: Tidy

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 2dc9dcf87a388ad118af0326f37893d525a7cbfa)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
7 weeks agoBug 37607: Only default to manual form if we are editing
Matt Blenkinsop [Fri, 9 Aug 2024 16:05:55 +0000 (16:05 +0000)]
Bug 37607: Only default to manual form if we are editing

This patch fixes an issue where the form to add a provder would automatically default to the manual form. This patch prevents this behaviour and restores the intended functionality.

Test plan:
1) Don't apply the patch
2) In ERM, click to add a new provider
3) Type something in the provider name search box
4) The input will change from a select to a text input and the button next to it will now say "Create from registry"
5) Apply patch
6) Yarn build and hard refresh the browser
7) Repeat steps 1-3, the form should work as intended and return results in the select box

Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit a73cafda2daf020d41a86e8e80c5da50307ff277)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit a2a2314856dacff802ea32913fd3d2285ac11320)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
7 weeks agoBug 37254: Fix clearing of dropdown values on circulation rules
Emmi Takkinen [Thu, 4 Jul 2024 12:04:42 +0000 (15:04 +0300)]
Bug 37254: Fix clearing of dropdown values on circulation rules

When one tries to clear the rule they are editing in circulation
rules page via "Clear" button, dropdown selectors aren't populated
with default value (first on the list).

To reproduce:
1. Select a rule to edit.
2. Press "Clear" button to return edit rows values back to default values.
=> Values in dropdowns aren't set back as default, instead they have
same values as rule you edited before pressing "Clear".
3. Apply this patch.
4. Select rule to edit, then press "Clear".
=> Dropdowns now have default values.

Sponsored-by: Koha-Suomi Oy
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Laura_Escamilla <laura.escamilla@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit f1f08f92c52dc92eed71110f1c4d7711148c8b5c)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit d0cb0ff57b306c7a9b67c38a41cb37230b0ea175)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
7 weeks agoBug 36879: Spurious warning in QueryBuilder
Andreas Jonsson [Thu, 16 May 2024 07:38:09 +0000 (09:38 +0200)]
Bug 36879: Spurious warning in QueryBuilder

Test plan:

With ElasticSearch enabled,
* Perform a search using the default  sort order
  (i.e. 'relevance').
* Verify that no warnings are generated in
  plack-intranet-error.log

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 347291727dd63cdba508b84336bed4d12efee57d)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit ab51747dcc8b9a14d73e0efe4763937763f7f622)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
7 weeks agoBug 37030: Use template wrapper for breadcrumbs: Cash register stats
Owen Leonard [Tue, 4 Jun 2024 17:17:33 +0000 (17:17 +0000)]
Bug 37030: Use template wrapper for breadcrumbs: Cash register stats

This patch updates the cash register statistics template so that they
use the new WRAPPER for displaying breadcrumbs.

To test, apply the patch and test page and its variations.
Breadcrumbs should look correct, and each link should be correct.

- Reports ->
  - Cash register statistics
    - Results

Sponsored-By: Athens County Public Libraries
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 938053b1cf35e90827354d731704a26b2c3f86c8)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 7fcda7cfc3126ca6c36b2bf14f717472bcdb1c80)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
7 weeks agoBug 35235: Make "Koha module" label match the corresponding <select>
Catalyst Bug Squasher [Thu, 25 Jul 2024 23:30:42 +0000 (23:30 +0000)]
Bug 35235: Make "Koha module" label match the corresponding <select>

Test Plan
1. Go to Tools -> Notices and slips -> New notice
2. Select Acquisition
3. Click on the Koha module label
4. The corresponding drop down field should activate (greyed)

Signed-off-by: Sam Lau <samalau@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 9ba523f6b68ea1b7fcc0b9a52bba0518535f698d)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 574f98a64e60ac89d4970ee15ac338aa1b2a5866)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
8 weeks agoBug 37552: (24.05.x) Wrap auto renewal attempt in eval to ensure script does not die
Lucas Gass [Mon, 9 Sep 2024 13:47:40 +0000 (13:47 +0000)]
Bug 37552: (24.05.x) Wrap auto renewal attempt in eval to ensure script does not die

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 13c6a4a1bb936dbdb60a845cf82873719e1a433c)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
8 weeks agoBug 37337: Pass the save $op when biblio_exists
Lucas Gass [Thu, 11 Jul 2024 22:11:35 +0000 (22:11 +0000)]
Bug 37337: Pass the save $op when biblio_exists

To test:
1. Go to suggestions in the staff interface and enter a new suggestion.
2. Enter a title that matches something already in the catalog. In k-t-d I used "Lanark".
3. Submit the suggestion.
4. Get a blank page.
5. APPLY PATCH and restart_all
6. Now after step 3 you should get a page that shows the 'Click on "Confirm your suggestion" to ignore this message." warning, the form, and a Confirm your suggestion button.

Signed-off-by: Jake Deery <jake.deery@ptfs-europe.com>
Signed-off-by: Jan Kissig <jkissig@th-wildau.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 8e7208d7104bef61f45f10e2a3324e445d177094)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 7ae41cda1d991b50c79aa93d669c1d1b7933f7ac)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
8 weeks agoBug 33453: Change the button class of the record cashup modal to btn-primary
Vicki McKay [Thu, 25 Jul 2024 22:12:49 +0000 (22:12 +0000)]
Bug 33453: Change the button class of the record cashup modal to btn-primary

To test:

1. Go to System Preferences > find and enable "Use cash registers"
2. Go to Administration > "Cash registers" and create a new cash register
3. Go to Tools > "Transaction history for" > "Record cashup"
4. Click "Record cashup"
5. Modal with change: "Confirm" should be yellow and primary.

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 3a3d367922233c2422ffc5d216344c717170b64a)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 8df2d43102531e6cf20ca1e851b9b1e369dfbc4a)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
8 weeks agoBug 37411: Fixed exporting to CSV file
Eric Garcia [Wed, 31 Jul 2024 18:31:53 +0000 (18:31 +0000)]
Bug 37411: Fixed exporting to CSV file

To test:
1. Acquistions -> Budgets -> Funds -> Planning, select any option
2. In the toolbar see Export, and click Submit and see a 500 error
3. Apply patch, restart_all
4. Repeat steps 1-2
5. Notice the 500 error is gone and the CSV is exported properly

Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 94890a1e55735504b2f405c4b82793e3a2e44fc3)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 3c8539bc6b4952922fe80c6e6714efb85b9ed9f1)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
8 weeks agoBug 37411: Fixed 500 error when exporting budget planning
Eric Garcia [Mon, 29 Jul 2024 15:21:59 +0000 (15:21 +0000)]
Bug 37411: Fixed 500 error when exporting budget planning

To test:
1. Acquistions -> Budgets -> Funds -> Planning, select any option
2. In the toolbar see Export, and click Submit and see a 500 error
3. Apply patch, restart_all
4. Repeat steps 1-2
5. Notice the 500 error is gone and the CSV is exported properly

Notes:
Is there a reason we call exit(1) after exporting the csv?

Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 7367b114c916aab9bebd06135fe889cf2a8883d4)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 1adce64d84fbd2f082e11786e9f5dd533f9ba6c3)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
8 weeks agoBug 37288: Allow manual providers to be edited
Matt Blenkinsop [Mon, 29 Jul 2024 08:52:39 +0000 (08:52 +0000)]
Bug 37288: Allow manual providers to be edited

There is a bug preventing manually created providers from being edited. This patch fixes that issue and allows providers to be edited if they have been created manually

Test plan:
1) Create a data provider in the ERM manually using the Create manually option
2) Click to edit that provider
3) The form will not load
4) Apply patch and run yarn build
5) Hard refresh the browser
6) The form should now load correctly

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 8872aa91e35a77951eb60037bc1f709fe093f00a)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 04b7d7f1ffe464120b26fed5636fae215f4be608)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
8 weeks agoBug 37288: Improve display of data provider edit form
Matt Blenkinsop [Wed, 17 Jul 2024 08:36:16 +0000 (08:36 +0000)]
Bug 37288: Improve display of data provider edit form

This patch makes some improvements to the edit form for data providers. It delays page display until the counter registry has responded and also improves the display of the "create manually" and "Create from registry" buttons

Test plan:
1) Create a Data provider in the ERM module
2) Click to edit that new provider
3) The page will load and there will be a slight delay before the Data provider name input is populated
4) The "Create manually" button will also be visible
5) Apply patch and yarn build
6) Hard refresh the browser and repeat steps 1 and 2
7) This time when the page loads the provider name should be prepopulated and no manual creation button will be visible

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit b646d8ab651e32067367a8ba781fc4256b9eec68)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit c87b670300c4e8e226ed1fdeb707dd4883d91039)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
8 weeks agoBug 35236: Make "Batch description" label match corresponding <input> field
Jennifer Sutton [Thu, 25 Jul 2024 23:11:16 +0000 (23:11 +0000)]
Bug 35236: Make "Batch description" label match corresponding <input> field

To test:
  1. Create a new patron.
  2. Go to Tools -> Patron card creator.
  3. Create a new patron card batch.
  4. On the "Edit patron card batch" page, click the "Batch
     description:" label.
  5. Observe that the corresponding <input> field is selected.

Mentored-by: Catalyst Academy
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 558b900895a42ff33fed06f746f677ac9ea3f51c)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 54e26935e931ee579c3f651d72a497109dfc8349)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
8 weeks agoBug 36998: Correctly update the 'Amount paid' displayed on the issue refund modal
Sam Lau [Thu, 25 Jul 2024 16:02:16 +0000 (16:02 +0000)]
Bug 36998: Correctly update the 'Amount paid' displayed on the issue refund modal

To test:
1) Enable the 'EnablePointOfSale' sys pref (also requires the 'UseCashRegisters' pref)
2) In the POS module, configure a cash register and also configure some items for purchase with different costs
3) Make multiple sales
4) View the transactions table by clicking the 'Cash summary for ...' tab and then clicking on your cash register's name.
5) Click on the 'Issue refund' button for one of the sales, this should have the correct 'Amount paid'
6) Close the modal and click issue refund on your other item.
7) Note the 'Amount paid' is incorrect and lists the value from the previous item
8) Apply patch
9) Now when clicking issue refund, it displays the correct 'Amount paid'

Signed-off-by: Barbara Johnson <barbara.johnson@bedfordtx.gov>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 47a3c284734c56e095a5945cdbd40f6e50652496)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 528db7e928367b8f1c2c358abb4f685d74a20bf2)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
8 weeks agoBug 36196: Handling NULL data on ajax call
Thibaud Guillot [Wed, 28 Feb 2024 15:20:10 +0000 (16:20 +0100)]
Bug 36196: Handling NULL data on ajax call

Test plan:

1) Update some data in your cities table, sample for one send:
"UPDATE cities SET city_state=NULL WHERE cityid=<id>"
2) Go on "/cgi-bin/koha/admin/cities.pl" and wait a entire life :)
3) Apply this patch
4) Rebuild your po files if needed
5) Reload the same page and now you get normally the datatable

Sponsored by: BibLibre
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit e0856d0db648766ba1d65a4f784983a416ac4a35)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit a963c6bc14253d736ccfa0a3618d5d6e0e0ed955)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 37351: Rework checkbox JS to work with paginating dataTable
Lucas Gass [Wed, 24 Jul 2024 22:44:05 +0000 (22:44 +0000)]
Bug 37351: Rework checkbox JS to work with paginating dataTable

To Test:

1. Log in to staff client
2. Place items on items for borrowers
    2-1 Place enough holds as noted above
    2-2 Trap holds for borrowers
3. Open Circulation->Holds Awaiting Pickup (circ/waitingreserves.pl)
4. Click a checkbox for one or mroe holds
    Note->The 'Cancel selected (0)' button changes to 'Cancel
selected (1)', etc.
5. Cancel selected Holds using the (Cancel selected (#) button)
6. Confirm Cancellation
7. Wait for background processes to complete, then verify holds are cancelled.
8. Return to Open Circulation->Holds Awaiting Pickup (circ/waitingreserves.pl)
9. Ensure button shows "Cancel selected (0)"
10. Click "Next >" to navigate to page 2 of holds
11. Click a checkbox for one or more holds
     Note->The 'Cancel selected (0)' button DOES NOT increase as boxes
are selected.
12. Cancel selected Holds using the (Cancel selected (#) button)
13. Confirm Cancellation
14. Wait for background processes to complete, then verify holds are cancelled.
     Note-> Holds were not cancelled

15. APPLY PATCH
16. Try step 9-14 again. This time the 'Cancel selected (0)' button should update even when you paginate.
17. Make sure you try all the tables, Holds waiting, Holds waiting over X, Holds with cancellation requests.

Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit bbd1fa0bfa2604e60eb38072569d7af5ec6808d8)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit ca43567e86220d1a5ef645d23b500ef4a6362169)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 37378: Tidy
Nick Clemens [Tue, 23 Jul 2024 12:24:25 +0000 (12:24 +0000)]
Bug 37378: Tidy

Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit a0f89e7e98e5adabc3ff6726f1a7e36fd217b9d9)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 2dbf64d7ad280aabd9eba6f0c4f0a5e40a2f0a83)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 37378: libraries_where_can_see_things should always return an array
Nick Clemens [Tue, 23 Jul 2024 12:14:44 +0000 (12:14 +0000)]
Bug 37378: libraries_where_can_see_things should always return an array

The subroutine libraries_where_can_see_things stores the list of libraries that things
can be viewed from in an internal variable, so we can return this directly if we have already calculated.

When returning if not cached, we dereference the list and return an array. If cached, we are returning
an arrayref. This patch simply ensures we dereference the array even if already cached.

Before this patch, we were fetching the patrons, then redacting all info as their branches didn't match against
an arrayref, rather than checking against each branch we are allowed to view.

To test:
1. Setup a library group and check the "Limit patron data access by group ." option.
2. Add some libraries to the group. ( IN k-t-d I added CPL and MPL )
3. Create a staff account who has staff access permissions and all of the borrower permissions except "view_borrower_infos_from_any_libraries"
4. Set the home library of that staff member to one of the branches in step 2. ( In my test I choose MPL )
5. Log in as that patron and attempt a patron search that would include users from either library in step 2.
6. See the error:

Something went wrong when loading the table.
500: Internal Server Error.
Expected boolean - got null.
Expected boolean - got null.
Expected string - got null.
Expected string - got null.
Expected string - got null.
Expected integer - got null.
Expected integer - got null.
Expected integer - got null.
Expected boolean - got null.
Expected boolean - got null.
Expected string - got null.

7. Apply patch, restart all
8. Search again, you can see the expected patrons

Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit ebdf121a7de99e7cfaf53d5177621b9cbca7338c)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 7ec7fc7ce0af941d53529dd35a5150155521c1c8)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 37378: Unit test
Nick Clemens [Tue, 23 Jul 2024 12:12:17 +0000 (12:12 +0000)]
Bug 37378: Unit test

Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit fb768ebbb82bd5f12c53e8d013269df08e5a01bd)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 998416c7a4fcd4c79d2dd3f5f0de14cd6e368120)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 37285: (QA follow-up) Perl Tidy
Laura_Escamilla [Thu, 25 Jul 2024 15:22:00 +0000 (15:22 +0000)]
Bug 37285: (QA follow-up) Perl Tidy

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit e7a017e663bd0376c626a692a85cda4dc7e68324)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 1374290f7a75ecf32d192c8bd5fe82e6286de016)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 37285: Printing lists only prints the ten first results
Baptiste Wojtkowski [Tue, 9 Jul 2024 14:08:39 +0000 (16:08 +0200)]
Bug 37285: Printing lists only prints the ten first results

GIVEN koha in a version later than 22.11, a list with more than ten entries
WHEN the user tries to print the list
THEN only the ten first results are printed

EXPECTED THEN all results are printed

It looks like it is an undesired effect of BZ36858. Page remains set
even while printing, therefore, however the number of rows is not set,
default value (10) is used.

TEST PLAN

1 - create a list with more than 10 items
2 - print the list -> there is a pagination and that only 10 items
  are printed
Apply patch
3 - print the list again -> every items are being printed

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 64027daadcea8c44cb73aae71a48ac64d527ed3f)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 0f8f20a01fede0991500bff529d540959fea6251)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 33455: Fix the size of the patron change password heading
Catalyst Bug Squasher [Thu, 25 Jul 2024 23:06:47 +0000 (23:06 +0000)]
Bug 33455: Fix the size of the patron change password heading

The H1 heading on the patron change password page in the staff
interface is too big and should be outside of the area with
form area with the white background.

Test plan:
1. In the staff interface, click on top right of menu and navigate
   to my account.
2. Click the 'Change password' button.
3. Note that title is now outside the legend and font size is
   comparable to other H1 headings (e.g. Duplicate).

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 3eb461bc9b293aa88a1c60addc5125759b46ff03)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 59d8f236ad818c58e26f5dc43f59d000b51895cf)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 37435: Fixed renew patron from moremember.pl without circulate permissions
Eric Garcia [Tue, 23 Jul 2024 18:04:41 +0000 (18:04 +0000)]
Bug 37435: Fixed renew patron from moremember.pl without circulate permissions

To recreate:
1. Have a staff account with limited permissions:
    -Staff access ( catalouge )
    -Add, modify and view patron information (borrowers)
    -NO circulate permissions
2. Log in as that staff user and find a patron with an expired account.
3. See the warning "Expiration: Patron's card has expired. Renew or Edit details".
4. Try clicking on Renew, you are logged out and see "Error: You do not have permission to access this page."

To test:
1. Apply patch
2. From the expired patron's details page see the warning and click Renew
3. Notice it renews the patron and returns to the patron details page
4. Details -> Edit -> Set the expiration date so that the patron is expired
5. Go back to your staff patron and check 'Check out and check in items' permission
6. In your expired patron's page -> Check out -> See warning -> Renew
7. Notice it renews the patron and returns to the check out page
8. Set the expired patron's expiration date so that it expires soon
9. Uncheck 'Check out and check in items' permission for your staff patron
10. Confirm the warning for your patron now is "Expiration: Patron's card expires on (DATE). Renew or Edit details"
11. Repeat steps 2-7 and notice it returns to the correct pages

Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 39ff9705444f8da1ebd82e2093a808c26c503338)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 012fd3d0c1ba3a324a264d4d83c7d822ac301857)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 36362: (QA follow-up) Tidy code
Kyle M Hall [Fri, 19 Jul 2024 16:23:43 +0000 (12:23 -0400)]
Bug 36362: (QA follow-up) Tidy code

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit a62d39ea11a9b6986c155f6333ac6e3afde0dd87)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit b507aad0cb1876abcea6476035ed7a7570ad0860)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 36362: Only call Koha::Libraries->search() if necessary in Item::pickup_locations
David Gustafsson [Tue, 19 Mar 2024 17:33:18 +0000 (18:33 +0100)]
Bug 36362: Only call Koha::Libraries->search() if necessary in Item::pickup_locations

To test:

1) Make sure the following tests pass:
 - t/db_dependent/Koha/Item.t
 - t/db_dependent/Koha/Biblios.t
 - db_dependent/Koha/Biblio.t

Sponsored-by: Gothenburg University Library
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 2c1e95562188a6d93c22055e30d6a5e9d7e50034)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit a409b16d5b3bd871a04f9bcdc8f01f6aed653f3b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 36129: Make check on "Hide all columns" persist on item patch modification/deletion
Emmi Takkinen [Mon, 19 Feb 2024 10:55:26 +0000 (12:55 +0200)]
Bug 36129: Make check on "Hide all columns" persist on item patch modification/deletion

On item patch modification/deletion tool, if one checks
"Hide all columns" checkbox and then reloads the page,
checkbox is no longer selected. Columns are hidden as
they should. This patch adds line to batchMod.js which
sets "checked" attribute and class "selected" to checkbox.

To test:
1. Find items to modify/delete and modify/delete them with
corresponding tool.
2. Check checkbox "Hide all columns".
3. Refresh the page.
=> Note that columns are still hidden, but checkbox is now
unselected.
4. Apply this patch.
5. Check checkbox again and refresh page.
=> Checkbox should be still checked.

Sponsored-by: Koha-Suomi Oy
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 1a154f1f0e1fa4d5c7295ba181fc27eaff99fd09)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 909987cd4db25088e68b5ca75404f25dab6b3fba)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 36566: Correct eslint errors in OPAC enhanced content JS
Owen Leonard [Wed, 10 Apr 2024 11:30:33 +0000 (11:30 +0000)]
Bug 36566: Correct eslint errors in OPAC enhanced content JS

This patch fixes various eslint errors in enhanced content JS files:

- Consistent indentation
- Remove variables which are declared but not used
- Add missing semicolons
- Add missing "var" declarations

To test, apply the patch and clear your browser cache if necessary.

- Go to Administration -> System preferences and enable these
  preferences:
  - OPACAmazonCoverImages
  - BakerTaylorEnabled
  - GoogleJackets
  - OPACLocalCoverImages
  - OpenLibraryCovers
- Go to the OPAC and confirm that covers from these services appear
  correctly in search results and on detail pages.

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 3d82116830ac7fbafe7414e08f155a54b7bb723f)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 19dd5221f3686c37a54aba97121f578d74228f9e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 37425: Check for existence of biblio object before fetching cover images
Nick Clemens [Mon, 22 Jul 2024 19:46:33 +0000 (19:46 +0000)]
Bug 37425: Check for existence of biblio object before fetching cover images

This patch simply adds a conditional to ensure the biblio object has been retrieved and assumes no cover images otherwise

To test:
 1 - Enable system preference LocalCoverImages
 2 - Perform a search in staff interface
 3 - Find the biblionumebr for one of the results and delete it via the SQL backend:
     DELETE FROM biblio WHERE biblionumber=3;
 4 - Search again.
 5 - KO!
     Can't call method "cover_images" on an undefined value at /usr/share/koha/intranet/cgi-bin/catalogue/search.pl line 671.
 6 - Reindex, confirm error is gone
 7 - Apply patch
 8 - Search again
 9 - Delete a record from the results via SQL
10 - Reload and confirm no error
11 - Reindex and repeat search and confirm no error

Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 8fdddccffb2fa165b32e6a9c9b8d6d3dcacd5b08)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 4d141a6bb7210b1d4136bed3dcc38e408f148554)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 37400 - In returns.pl don't search for a patron unless needed
Kyle M Hall [Thu, 18 Jul 2024 11:27:47 +0000 (07:27 -0400)]
Bug 37400 - In returns.pl don't search for a patron unless needed

In returns.pl we find a patron, then use it in an if statement.

Test Plan:
Cancel a hold with other holds remaining on the record.
No change should be noted.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 82535a488764be5437c47d38953eb0aea81ce4ee)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit d7e754ea3c6c3f12f784de84bff4b3da31e4e791)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 36885: Fix Bootstrap tooltip on budget planning page
Owen Leonard [Thu, 16 May 2024 13:57:11 +0000 (13:57 +0000)]
Bug 36885: Fix Bootstrap tooltip on budget planning page

This patch finishes the process of adding a Bootstrap tooltip to the
listing of funds which are locked.

To test, apply the patch and go to Administration -> Budgets.

- Edit a budget and make it locked: Check the "Lock budget" checkbox and
  save.
- View the budget you locked.
- From the toolbar, click Planning -> Plan by months.
- In the table of funds, hover your mouse over a fund.
- You should see a Bootstrap-styled tooltip, "Fund locked."

Signed-off-by: David Nind <david@davidnind.com>
Bug 36885: (follow-up) Correct popup hint

Bug 36885: (follow-up) Remove tooltip from unlocked budgets (copy-paste error)

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit deb9bf78b8197eeb90e2c9c9088104a0b91d498b)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit c20fede430654dc3c6830d6227e9e954859ec993)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 29509: DBRev 23.11.08.001
Lucas Gass [Wed, 28 Aug 2024 19:57:42 +0000 (19:57 +0000)]
Bug 29509: DBRev 23.11.08.001

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 901c918ff4d1bf563cba0a5b1dfa6a7b5f7ccf2b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 29509: (QA follow-up) Tidy atomic update
Kyle M Hall [Fri, 19 Jul 2024 13:54:44 +0000 (09:54 -0400)]
Bug 29509: (QA follow-up) Tidy atomic update

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 0505531cde2e0513a2c8fbc3c91d18f9ae3a3a89)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 95082c34db25156fef12dba6ab44956d54aab20d)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 29509: (QA follow-up) Check top level permissions too
Martin Renvoize [Tue, 7 May 2024 13:18:04 +0000 (14:18 +0100)]
Bug 29509: (QA follow-up) Check top level permissions too

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 56c7c3782b2ceacbbd2777ec0f3fa9955e877d2c)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit b33b9b5f615a5e99a309b016148ca5dde6c0e5b9)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 29509: Update swagger specification and add permissions to users
Martin Renvoize [Mon, 22 Jan 2024 16:49:56 +0000 (16:49 +0000)]
Bug 29509: Update swagger specification and add permissions to users

This patch removes the 'edit_borrowers', 'manage_bookings',
'lable_creator', 'routing' and 'order_manage' permissions from the list
of options in the patrons list endpoint.

We then assign the new 'list_borrowers' permission to any users who have
those removed permissions

Test plan
1) Apply patch and run the database update
2) Users with any of the permissions listed above should now also have
   the 'list_borrowers' permission too.
3) Check that patron searching continues to work from the various
   locations in the UI for the above affected users

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Incorporated second patch and removed 1<<4. 16 reads much better :)

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 85ea79c45b6f95baee9ec955c6c09046808771b5)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 435211adbc230514f4c0c370bbe8002dafa595af)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 37226: append a random number to the `id` attribute of each <li>
Andreas Roussos [Mon, 1 Jul 2024 14:27:42 +0000 (14:27 +0000)]
Bug 37226: append a random number to the `id` attribute of each <li>

When you view the authority details page for a term that contains more
than one terms with broader relationship, clicking on the expand/collapse
arrows next to the top-level terms in the hierarchy tree will not work
properly, i.e. *only one* broader term will show the narrower term under
it at any given time.

This is affecting both the OPAC and the Staff interface.

This is happening because in the HTML source of the page the individual
<li> elements associated with each node do not have unique `id` values,
which confuses the JavaScript library (jsTree) responsible for rendering
the hierarchy tree.

This patch fixes that by appending a random number to each `id` attribute.

Test plan:

0) Enable the AuthDisplayHierarchy System Preference (set to 'Show').

1) Copy the provided MARC21 Authority sample data (sample-data.mrc)
   to your KTD Koha container (it must have MARC21 marc flavour):

   docker cp sample-data.mrc koha-koha-1:/kohadevbox/

2) Import the provided authorities (the sample file contains three
   Geographic Name records):

   WARNING! the --delete switch is passed to bulkmarcimport.pl
   WARNING! this will erase any authority data you have in your instance!
   (this is done to retain the broader/narrower authid associations)

   misc/migration_tools/bulkmarcimport.pl --authorities --file=/kohadevbox/sample-data.mrc --verbose -c=MARC21 --delete -m=ISO2709

3) Visit the authority details page for 'Athens' in OPAC/Staff:

   http://localhost:8080/cgi-bin/koha/opac-authoritiesdetail.pl?authid=3
   http://localhost:8081/cgi-bin/koha/authorities/detail.pl?authid=3

   In the authority hierarchy tree, click the arrows next to 'Europe'
   and 'Greece' to expand and show the narrower term: notice how only
   one item works at any given time.

4) Apply the patch.

5) Repeat step 3) (refresh the pages) -- this time you should be able
   to view 'Athens' as a narrower term of both 'Europe' and 'Greece'
   at the same time.

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 24e54b1fd4b241a0d5723ff7ec97b2fe9645d577)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 8add61d7f379b966c1dafc30a499a9267a567fd7)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 29087: (QA follow-up): Fix QA tests
Matt Blenkinsop [Fri, 28 Jun 2024 13:53:10 +0000 (13:53 +0000)]
Bug 29087: (QA follow-up): Fix QA tests

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Conform BZ comment31
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 7f5e1fac86bf7eaa3f217a8e41cc4522e7fe9c3c)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit b7ec2d2131fe9736fd83615b1c37b85b25e10942)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 29087: Add unit tests
Matt Blenkinsop [Tue, 16 Apr 2024 12:47:16 +0000 (12:47 +0000)]
Bug 29087: Add unit tests

prove t/db_dependent/Koha/Items.t

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 44d3762a6921a323443ca56996fc55d5e96cc9b8)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit a35333a3279e44cad9f738f208a8b72c7831644e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 29087: Prevent filter_by_for_hold to crash if default holdallowed is not_allowed
Jonathan Druart [Fri, 19 Nov 2021 12:27:44 +0000 (13:27 +0100)]
Bug 29087: Prevent filter_by_for_hold to crash if default holdallowed is not_allowed

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 8c804c17493ecc9cb993c5434644c1b2a860bae3)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 34be9ab95bdf6cb6eccc7ca198dd4e4da6eaf291)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoBug 36481: (follow-up) Add missing library_id parameter
Martin Renvoize [Mon, 22 Jul 2024 13:49:31 +0000 (14:49 +0100)]
Bug 36481: (follow-up) Add missing library_id parameter

The /libraries/{library_id}/cash_registers endpoint was missing the
library_id parameter definition from the swagger specification.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 466d38f18d43e968f3b69562c1ee018177953681)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit ec208128525d42b97a6d1fd390ca78c1f88e8856)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2 months agoRevert "Bug 37059: Fix insert button in notices and slips"
Fridolin Somers [Mon, 2 Sep 2024 12:44:44 +0000 (14:44 +0200)]
Revert "Bug 37059: Fix insert button in notices and slips"

This reverts commit 013cda40de12acc3488677139c44d3532cd63f68.

3 months agoUpdate release notes for 23.11.08 release v23.11.08-1
Katrin Fischer [Wed, 14 Aug 2024 05:38:08 +0000 (05:38 +0000)]
Update release notes for 23.11.08 release

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
3 months agoRevert "Bug 37255: Fix handling of "All" values on waiting hold cancellation policy"
Katrin Fischer [Wed, 14 Aug 2024 05:36:06 +0000 (07:36 +0200)]
Revert "Bug 37255: Fix handling of "All" values on waiting hold cancellation policy"

This reverts commit f340b66acca5a188b0ef3177c745af5b70b24aaa.

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
3 months agoGenerate release notes for 23.11.08 release v23.11.08
Lucas Gass [Tue, 13 Aug 2024 15:20:34 +0000 (15:20 +0000)]
Generate release notes for 23.11.08 release

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoIncrement version for 23.11.08 release
Tomas Cohen Arazi [Tue, 13 Aug 2024 04:32:07 +0000 (01:32 -0300)]
Increment version for 23.11.08 release

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37508: (QA follow-up) Move sth error check up
Tomas Cohen Arazi [Tue, 13 Aug 2024 04:08:44 +0000 (01:08 -0300)]
Bug 37508: (QA follow-up) Move sth error check up

This patch moves the error check right before the ->check_columns call.
This is how main and 24.05 behave. 23.11 doesn't have bug 35907
backported so things are not exactly the same. With this patch tests
pass and the only difference in behavior is logging.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37508: Don't return Internal server error when running report
Nick Clemens [Mon, 12 Aug 2024 12:10:12 +0000 (12:10 +0000)]
Bug 37508: Don't return Internal server error when running report

To test:
1 - Create a report like:
SELECT "a"
FROM borrowers
WHERE <<Test>> != ''
2 - Run report
3 - Enter "password"
4 - Internal server error / stacktrace
5 - Apply patch
6 - Repeat
7 - Get a yellow warning box

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37508: (QA follow-up) Use ->check_columns
Marcel de Rooy [Fri, 9 Aug 2024 09:56:11 +0000 (09:56 +0000)]
Bug 37508: (QA follow-up) Use ->check_columns

Add shebang to Guided.t too.

Test plan:
See also previous commits.
Try sql like:
  select access_token from oauth_access_tokens

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37508: (QA follow-up) Move check to Koha::Report, extend
Marcel de Rooy [Fri, 9 Aug 2024 09:50:44 +0000 (09:50 +0000)]
Bug 37508: (QA follow-up) Move check to Koha::Report, extend

Do not allow password but allow password_expiry_days etc.
Do not allow token, secret and uuid too.

Test plan:
Run t/db_dependent/Koha/Reports.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37508: (follow-up) Don't pass the column or sql containing password
Aleisha Amohia [Thu, 8 Aug 2024 23:53:47 +0000 (23:53 +0000)]
Bug 37508: (follow-up) Don't pass the column or sql containing password

This patch replaces these variables with a non-translatable message.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37508: (follow-up) Throw error is password is in SQL query at all
Aleisha Amohia [Wed, 7 Aug 2024 04:37:25 +0000 (04:37 +0000)]
Bug 37508: (follow-up) Throw error is password is in SQL query at all

Confirm tests pass t/db_dependent/Reports/Guided.t

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37508: Test for errors when returning an aliased password column
David Cook [Wed, 7 Aug 2024 01:15:10 +0000 (01:15 +0000)]
Bug 37508: Test for errors when returning an aliased password column

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37508: Throw error if password column is detected in SQL report
Aleisha Amohia [Mon, 29 Jul 2024 03:53:06 +0000 (03:53 +0000)]
Bug 37508: Throw error if password column is detected in SQL report

This enhancement prevents SQL queries from being run if they would return a password field from the database table.

To test:

1. Run tests and notice they fail t/db_dependent/Reports/Guided.t

2. Apply patch and restart services

3. Create a public report with an SQL report which would access a password column in a database table
4. Try to run the report. Notice you are met with an error and the results are not shown.
5. Access the JSON URL, you should not get the results and should be shown an error
6. Confirm tests pass t/db_dependent/Reports/Guided.t

Sponsored-by: Reserve Bank of New Zealand
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37370: Return 400 if OpacExportOptions does not contain the passed format
Tomas Cohen Arazi [Tue, 16 Jul 2024 15:43:39 +0000 (12:43 -0300)]
Bug 37370: Return 400 if OpacExportOptions does not contain the passed format

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37466: Add correct filter for sort_by in results.tt
David Cook [Thu, 25 Jul 2024 06:44:37 +0000 (06:44 +0000)]
Bug 37466: Add correct filter for sort_by in results.tt

This patch replaces the $raw filter with the correct uri filter
for the sort_by in results.tt

Test plan:
1. Apply patch
2. Go to /cgi-bin/koha/catalogue/search.pl?count=20&sort_by=popularity_dsc&idx=kw&q=1
3. Click on "Edit this search"
4. Note that the "Popularity (most to least)" Sort by option is selected
5. Go to /cgi-bin/koha/catalogue/search.pl?count=20&sort_by=popularity_dsc&idx=kw&q=24y24ty2498294t9824yt9y23
6. Click on "Edit this search"
7. Note that the "Popularity (most to least)" Sort by option is selected

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37464: Validate "type" sent to barcode/svc
David Cook [Thu, 25 Jul 2024 06:56:18 +0000 (06:56 +0000)]
Bug 37464: Validate "type" sent to barcode/svc

This change validates the "type" sent to the barcode/svc. Without this
change, we pass the user input directly to GD::Barcode, which passes
the input into an eval{} block without any validation of its own.

Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=bad&barcode=123456
3. Note that a Code39 barcode is provided for an invalid type
4. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=Code39&barcode=123456
5. Note that a Code39 barcode is provided
6. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=UPCE&barcode=123456
7. Note that a non-Code39 barcode is provided (presumably UPCE)

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37488: Validate paths in datalink.txt/idlink.txt files
David Cook [Fri, 26 Jul 2024 04:01:43 +0000 (04:01 +0000)]
Bug 37488: Validate paths in datalink.txt/idlink.txt files

This change validates the paths in datalink.txt/idlink.txt,
so that only images in the unpacked archive directory are allowed

Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Create a datalink.txt file with the following:
42,selfie.jpg
3. Create a jpeg at selfie.jpg
4. ZIP the datalink.txt and selfie.jpg files
5. Upload to the "Upload patron images" tool
(after enabling the "patronimages" system preference)
6. Note that the image uploads correctly

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37323: Tidy
David Cook [Fri, 26 Jul 2024 03:27:22 +0000 (03:27 +0000)]
Bug 37323: Tidy

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37323: Don't allow symlinks in link files in zip and validate filepaths
Chris Cormack [Thu, 18 Jul 2024 23:57:32 +0000 (23:57 +0000)]
Bug 37323: Don't allow symlinks in link files in zip and validate filepaths

Test plan:
0. Apply patch and restart/reload Koha
1. Test that uploading a patron image still works, in single file format and as a zip

Work as suggested

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37323: Escape characters in patron image picture upload
Amit Gupta [Thu, 11 Jul 2024 17:43:06 +0000 (23:13 +0530)]
Bug 37323: Escape characters in patron image picture upload

To Test
1. Create a file name for example: test.zip`curl xxxxtesting.informaticsglobal.com`.zip
   where the domain is one you can watch the logs from.
2. Go to Tools and click on Upload patron images choose option zip file and upload the file.
3. Check /var/log/apache2/access.log and see the curl with the IP
   "xx.xxx.xx.xxx - - [11/Jul/2024:23:10:33 +0530] "GET / HTTP/1.1" 200 267 "-" "curl/7.68.0"
4. Apply the patch
5. Repeat 2 and 3 step and check no error is coming for the Remote execution error.
6. Test uploading actual zip file and images still works.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37255: Fix handling of "All" values on waiting hold cancellation policy
Emmi Takkinen [Thu, 4 Jul 2024 11:23:31 +0000 (14:23 +0300)]
Bug 37255: Fix handling of "All" values on waiting hold cancellation policy

If one creates a default waiting hold cancellation policy with
patron categories set as "All" and itemtype set as "All", Koha
breaks on 500 error. This happens because in we try to match
template policy with "All" values either in category or itemtype
with *, not undef. This patch fixes this.

To test:
1. Create a new default waiting hold cancellation policy and
set both patron category and itemtype as "All".
2. Save policy.
=> Error page for error 500 is displayed.
3. Apply this patch.
4. Reload page.
=> Page is displayed and policy listing displays new policy
as it should.

Sponsored-by: Koha-Suomi Oy
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 37533: fix query in orderreceive.tt
Andreas Jonsson [Wed, 31 Jul 2024 09:06:02 +0000 (09:06 +0000)]
Bug 37533: fix query in orderreceive.tt

The new validation in the REST API will no longer allow
the operator "in".  Consequently, it has to be replaced
with the allowed "-in".

Test plan:

 * Open an invoice and click "Go to receipt page" and
   on any basket click "receive" and make sure the dialog
   box appears.

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3 months agoBug 36480: (follow-up) Add missing library_id parameter
Martin Renvoize [Mon, 22 Jul 2024 13:52:29 +0000 (14:52 +0100)]
Bug 36480: (follow-up) Add missing library_id parameter

The /libraries/{library_id}/desks endpoint was missing the
library_id parameter definition from the swagger specification.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 6aadc4a42308815803ac77c124ac4e778141e349)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 51d15f7ca88fba05266bd6e9d05127dd94d2f313)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 months agoBug 10758: Show title of deleted biblio on basket page
Marcel de Rooy [Mon, 12 Feb 2024 08:01:26 +0000 (08:01 +0000)]
Bug 10758: Show title of deleted biblio on basket page

Test plan:
Find a completed order line and a cancelled one with deleted biblios.
Goto acqui/basket.pl
Check if you see the title if deleted_biblionumber is filled.

Signed-off-by: Michaela Sieber <michaela.sieber@kit.edu>
Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 62b48bb932a165bf01e7a0d0866ed2d92e90263e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 months agoBug 36187: Corrected set data.patron_id in select_suggestor()
Lucas Gass [Fri, 1 Mar 2024 15:46:04 +0000 (15:46 +0000)]
Bug 36187: Corrected set data.patron_id in select_suggestor()

To test:
1. Make a new suggestion in the staff interface and attempt to set the "Created by" patron to someone other than the logged in user.
2. Submit the suggestion.
3. select suggestedby from suggestions where suggestionid = X; ( Where X is the suggestionid )
4. The value is NULL
5. On suggestion/suggestion.pl the "Suggested by" column is blank.
6. APPLY PATCH
7. Try 1 - 3 again. This time the suggestedby should be correctly set.

Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 607b80c5a601f54920a2b3b259896ac4e490e0ab)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 months agoUpdate release notes for 23.11.07 release v23.11.07
Fridolin Somers [Thu, 25 Jul 2024 08:41:40 +0000 (10:41 +0200)]
Update release notes for 23.11.07 release

Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>