Jonathan Druart [Tue, 2 Aug 2016 13:06:41 +0000 (14:06 +0100)]
Bug 17023: Fix XSS in cataloguing/z3950_search.pl
Test plan:
Enter the following in the different inputs:
<script>alert('XSS')</script>
=> Without this patch you will see the alert
=> With this patch, no more alert
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Chris Cormack [Wed, 25 May 2016 14:06:28 +0000 (14:06 +0000)]
Bug 16587 opac-sendshelf.pl is vulnerable to XSS
To test
1/ Hit a url like
http://localhost:8080/cgi-bin/koha/opac-sendshelf.pl?email=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3Ezz%40zz&comment=tes&shelfid=4
2/ Notice you get a js alert
3/ Apply patch
4/ Notice the js is now escaped
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Chris Cormack [Wed, 25 May 2016 14:01:41 +0000 (14:01 +0000)]
Bug 16587 - opac-sendbasket.pl is open to XSS
To test
1/ Hit a url like
http://localhost:8080/cgi-bin/koha/opac-sendbasket.pl?email_add=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3Ezz%40zz&comment=tes&bib_list=3
Where bib_list is a valid basket number
2/ Notice you get a javascript alert showing
3/ Apply patch
4/ Notice the text is now escaped
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Jonathan Druart [Thu, 26 May 2016 10:52:19 +0000 (11:52 +0100)]
Bug 16593: Do not allow patrons to delete search history of other patrons
A malicious user can delete the search history of all other users by
correctly guessing the ID value assigned to the victim's search. As
searches are assigned values sequentially, an attacker could quickly
remove the searches belonging to all of the application's users.
To reproduce:
Login with patron A
launch a search
Note the id generated for this search history:
select id from search_history order by id desc limit 1;
Login with patron B
Hit /cgi-bin/koha/opac-search-history.pl?action=delete&id=<ID>
Note that the row is deleted in the DB
Test plan
Confirm that this patch fixes the issue.
The same test can be made at the staff interface
Reported by Alex Middleton at Dionach
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
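The ownership check that Bug 16593 calls for, shown as an added example that is not Koha's code and is written in Python with SQLite rather than Koha's Perl. Only the `search_history` table and its `id` column come from the commit message; the `userid` and `query_desc` columns, the sample rows and all function names are assumptions made for illustration.

```python
import sqlite3

# Constructed schema: `userid` and `query_desc` are assumed column names.
SCHEMA = """
CREATE TABLE search_history (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    userid     INTEGER NOT NULL,
    query_desc TEXT    NOT NULL
);
"""


def make_db():
    """Build an in-memory table with constructed rows (patron A = 1, patron B = 2)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO search_history (userid, query_desc) VALUES (?, ?)",
        [(1, "kw: perl"), (1, "kw: koha"), (2, "au: tolkien")],
    )
    db.commit()
    return db


def owned_ids(db, userid):
    """Return the search ids that belong to one patron."""
    rows = db.execute(
        "SELECT id FROM search_history WHERE userid = ? ORDER BY id", (userid,)
    )
    return [row[0] for row in rows]


def delete_unscoped(db, search_id):
    """Behaviour described in the report: the row is selected by id alone."""
    cur = db.execute("DELETE FROM search_history WHERE id = ?", (search_id,))
    db.commit()
    return cur.rowcount


def delete_scoped(db, session_userid, search_id):
    """Owner-scoped delete: the owner is part of the WHERE clause and comes
    from the authenticated session, never from a request parameter."""
    cur = db.execute(
        "DELETE FROM search_history WHERE id = ? AND userid = ?",
        (search_id, session_userid),
    )
    db.commit()
    return cur.rowcount


def handle_delete(db, session_userid, raw_id, audit):
    """Request handler sketch: validate the id, delete only the caller's row,
    and record attempts that matched nothing so they can be reviewed."""
    try:
        search_id = int(raw_id)
    except (TypeError, ValueError):
        return "invalid"
    if search_id <= 0:
        return "invalid"
    if delete_scoped(db, session_userid, search_id) == 1:
        return "deleted"
    # Same answer for "no such id" and "someone else's id", so the response
    # does not reveal which sequential ids are in use.
    audit.append((session_userid, search_id))
    return "not_found"


if __name__ == "__main__":
    db = make_db()
    audit = []
    print(handle_delete(db, 2, "1", audit), owned_ids(db, 1), audit)
    print(handle_delete(db, 1, "1", audit), owned_ids(db, 1))
```

A burst of `not_found` entries for one session walking consecutive ids is the pattern the audit list is there to surface.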
Jonathan Druart [Fri, 22 Jul 2016 07:14:27 +0000 (08:14 +0100)]
Bug 16958: Fix XSS in opac-imageviewer.pl
Test plan:
Trigger
/opac-imageviewer.pl?biblionumber=14&imagenumber=7"><sCrIpT>alert(42)<%2fsCrIpT>
=> Without this patch you will see the JS alert
=> With this patch applied you won't see it
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
The update_dbix_class_files.pl script generates ActionLog.pm instead, which is
already on the source tree.
To test:
- Apply the patch
=> SUCCESS: Koha/Schema/Result/ActionLogs.pm is removed
- Run:
$ mysql -uroot
> CREATE DATABASE dbic; \q
$ mysql -uroot dbic < kohaclone/installer/data/mysql/kohastructure.sql
$ misc/devel/update_dbix_class_files.pl --db_name dbic --db_user root
=> SUCCESS: Koha/Schema/Result/ActionLogs.pm is not re-generated
- Run:
$ git grep ActionLogs
=> SUCCESS: There's no code using it
- Sign off
Signed-off-by: Srdjan <srdjan@catalyst.net.nz> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit b8c950a4c1b1ead8a58686b27c95f9891cdccbae) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit c0d3e6db1191e2bb63da70cf1d3280f25efe7bfa) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit ffd86f218e50124ff0090bb4e41fc4a32cb51b99) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Marcel de Rooy [Mon, 23 May 2016 07:03:23 +0000 (09:03 +0200)]
Bug 16502: Replace a few other ok-calls by is-calls
Trivial changes that speak for themselves..
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Srdjan <srdjan@catalyst.net.nz> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 8204024f1c21102c0649dec70d10398131aab953) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit 2b7a9479b601e224ff6cdbdcc3162426a4727406) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit b58e8642b0d6b98a9e59a6e53d21472cb38a1e42) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Marcel de Rooy [Mon, 23 May 2016 06:58:02 +0000 (08:58 +0200)]
Bug 16502: Adjust test for GetPlugins
The current test assumes that GetPlugins will return the test plugin
as the first one in the array. This is not correct.
This patch adjusts the test to a grep.
Test plan:
Run the test.
Bonus: Add additional plugins. Run the test again.
Signed-off-by: Srdjan <srdjan@catalyst.net.nz> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 6ad5770786c6646ce68ffdfec9080645fc25772e) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit 64382be0d45ad6d43bb86bda095ca1a3699d1265) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit d1dff4c3bde88c2b7c2bb6722ef07d1fcf5f5cce) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Marcel de Rooy [Mon, 16 May 2016 17:00:16 +0000 (19:00 +0200)]
Bug 16502: Add additional test to Plugins.t
In order to verify if the delete now really works, we add one test
in Plugins.t.
Test plan:
[1] Run the test.
[2] Bonus: Comment line 63 in Plugins.t where delete is called.
Run the test again. It should fail now.
Signed-off-by: Srdjan <srdjan@catalyst.net.nz> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 959d69fa0107423ed31e20f4a6afb46d1e5c771c) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit 0632256c1aca919ec055dd5f170ac10d84cc8ec7) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit e41863bfa9bf73066d2ec43a3b8e843fa1f0222f) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Marcel de Rooy [Mon, 16 May 2016 15:19:54 +0000 (17:19 +0200)]
Bug 16502: Table koha_plugin_com_bywatersolutions_kitchensink_mytable not always dropped after running Plugin.t
If you run Plugin.t, the above table will still be present (when you
did not enable UseKohaPlugins). This would trigger a warning when
running the test a second time.
Why? The uninstall call does its work not completely due to a small
inconsistency in Koha::Plugins::Handler::delete when calling run
without the enable_plugins parameter.
This patch resolves that inconsistency and also removes an unneeded skip
in Plugin.t in case the KitchenSink module already exists.
Note: This is a small fix. But I wonder if the Handler routines run and
delete should not have been implemented in Koha::Plugins::Base.
Also note that plugins/plugins-uninstall.pl will not be affected by this
change, since it checks whether the pref is enabled before calling the
delete method.
Test plan:
[1] Do not yet install this patch.
[2] Verify that plugins are enabled in koha-conf.xml.
[3] Disable UseKohaPlugins in System Preferences!
[4] Run t/db_dependent/Plugins.t.
[5] Verify that table koha_plugin_com_bywatersolutions_kitchensink_mytable
still exists. (It should have been deleted.) Remove it manually.
[6] Apply this patch.
[7] Run the test again.
[8] Verify that the table does not exist.
[9] Run the test again (without warnings).
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Srdjan <srdjan@catalyst.net.nz> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 4263ac2b92737024d8d620a751babf72b904b73a) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit 4ebe7b489c9798d2456bd3de1d95ec6e027b2b21) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 752e31425efa34fa6f21446fb18cf34ba31fc441) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Chris Cormack [Thu, 26 May 2016 09:33:33 +0000 (21:33 +1200)]
Bug 16597: Fix XSS in opac-shareshelf
To test
1/ Go to /cgi-bin/koha/opac-shareshelf.pl?op="><script>alert('XSS')</script>&shelfnumber=5
2/ Notice you see a js alert
3/ Apply patch
4/ It is gone
Reported by Alex Middleton at Dionach
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit c47c835672a8fcd8c7df79663443f01639fc7657) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 8d6486013b504fa652b43b2a20c3bb4da25034fd) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Thu, 26 May 2016 11:03:55 +0000 (12:03 +0100)]
Bug 16599: Fix XSS in opac-shareshelf.pl
Test plan:
- Create a list with the name "<script>alert(1)</script>"
- On the shelf list, click on share
=> Without this patch you will see the JS alert
=> With this patch applied you won't see it
Reported by Kaybee at Dionach
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit a44a930c076fceca0f7193f488e187d9849f89b6) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 858e3b2043e0eb1ce5bb9a6c36b3b87afb69ae22) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
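The manual test plans in the XSS commits above (Bugs 17023, 16587, 16958, 16597 and 16599) can be run as an automated regression check; this is an added example, not code from Koha or from these commits, written in Python rather than Koha's Perl. The payloads are the decoded parameter values from those test plans, while the two templates are constructed stand-ins for a text node and an attribute value, and `html.escape` stands in for whatever output filter the patches apply.

```python
from html import escape
from html.parser import HTMLParser

# Decoded values taken from the test plans on this page.
PAYLOADS = [
    "<script>alert('XSS')</script>",
    "<script>alert('XSS')</script>zz@zz",
    '7"><sCrIpT>alert(42)</sCrIpT>',
    "\"><script>alert('XSS')</script>",
    "<script>alert(1)</script>",
]

# Constructed templates (not Koha's): one text-node sink, one attribute sink.
CONTEXTS = {
    "text": "<p>Sent to: {v}</p>",
    "attribute": '<input type="hidden" name="op" value="{v}">',
}


class Inspector(HTMLParser):
    """Parse rendered markup and record anything that became active content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.script_tags = 0      # <script> elements (tag names are lowercased)
        self.handler_attrs = 0    # on* event-handler attributes
        self.text = []            # decoded text nodes
        self.values = []          # decoded value="" attributes

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for name, value in attrs:
            if name.startswith("on"):
                self.handler_attrs += 1
            if name == "value":
                self.values.append(value or "")

    def handle_data(self, data):
        self.text.append(data)


def inspect(markup):
    parser = Inspector()
    parser.feed(markup)
    parser.close()
    return parser


def render_raw(context, value):
    """The 'without this patch' behaviour: the value is interpolated as-is."""
    return CONTEXTS[context].replace("{v}", value)


def render_escaped(context, value):
    """The 'with this patch' behaviour: the value is HTML-encoded, quotes included."""
    return CONTEXTS[context].replace("{v}", escape(value, quote=True))


def findings(render):
    """Return the (context, payload) pairs whose rendering gained active markup."""
    hits = []
    for context in CONTEXTS:
        for payload in PAYLOADS:
            seen = inspect(render(context, payload))
            if seen.script_tags or seen.handler_attrs:
                hits.append((context, payload))
    return hits


def round_trips(context, payload):
    """Escaping must neutralise markup without altering the data the user sees."""
    seen = inspect(render_escaped(context, payload))
    if context == "attribute":
        return seen.values == [payload]
    return "".join(seen.text) == "Sent to: " + payload


if __name__ == "__main__":
    for context, payload in findings(render_raw):
        print("unescaped sink reached:", context, repr(payload))
    print("after escaping:", findings(render_escaped))
```

Only the two payloads that begin by closing the quote reach the attribute sink unescaped, which is why the attribute case needs quote encoding and not just `<` and `>`.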
Owen Leonard [Thu, 7 Apr 2016 16:11:58 +0000 (12:11 -0400)]
Bug 16220 - The view tabs on opac-detail.pl are not responsive
When looking at the detail page for a bibliographic record, there are
tabs linking to the "Normal," "MARC," and "ISBD" views. These tabs need
to be styled responsively so that they work well at all browser widths.
This patch makes some slight markup changes to the templates and updates
the LESS files to add responsive styling.
This patch does not include the compiled CSS file, so the follow-up is
required to test the visual changes.
Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 0fcbf1efe10a4269e3705dce10ef632e1739dbb1) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit c760866e237b758bd34d3a6cb6283592bf7c3416) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Owen Leonard [Tue, 3 May 2016 17:09:54 +0000 (13:09 -0400)]
Bug 16159 - guarantor section missing ID on patron add form
In the patron entry form template most <fieldset> and <legend> tags have
unique ids. This patch adds ids to fieldsets and legends which lack
them.
To test apply the patch and view the patron entry form. There should be
no visual changes. There should be no HTML validation errors triggered
by this change.
Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit 553d06073b8af0ab6ed33393b22a953e3feca1e6) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit eba902ced599bce927c59c48ae930fd7d62cafb5) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Mon, 2 May 2016 09:46:59 +0000 (10:46 +0100)]
Bug 16407: Simplify comments
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 671f81e877a3e23127a2e8078921760e9b449a27) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 4b0c36846117212cff4db09f06f719be5aea308e) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
This test was using hardcoded borrower number, assuming they should be
present. Now we use TestBuilder.
Test plan:
Run the test.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Test pass before and after patch.
No errors
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit d8d4277471908bf046d04b4e94eed6cd4c94f63b) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 9112e88901c419f54ba34ff4eab0a6a744b31990) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Owen Leonard [Tue, 3 May 2016 13:48:11 +0000 (09:48 -0400)]
Bug 16315 - OPAC Shelfbrowser doesn't display the full title
This patch adds subtitle information to the display of titles in the
OPAC's shelf browser.
To test, apply the patch and make sure OPACShelfBrowser is enabled.
- View the detail page for any title in the OPAC which has items.
- Click the "Browse shelf" link next to any item in the holdings table.
- The titles in the shelf browser should display with all subtitle
information as defined in Keywords to MARC mapping.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Adding 245a and c as 'subtitle' in Keywords to Marc make them
show on shelf browser.
No errors.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit 67f91f24e537ef93d0c121b68681dcdec9f417e1) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit b47e87d0820c3f2e1afa4679c13234abc4d86517) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Nick Clemens [Mon, 28 Mar 2016 20:09:01 +0000 (20:09 +0000)]
Bug 15682 - Only allow merging of 2 or more records from lists (for consistency)
Test as above but on shelves.pl
Signed-off-by: Chris Cormack <chrisc@catalyst.net.z> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit 9550e37fc66402500adf8bca7a1c90ee0104cdd0) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 9f1e23735f46a8b014d4a8983796f1b8b37cc9b4) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Nick Clemens [Mon, 28 Mar 2016 20:01:30 +0000 (20:01 +0000)]
Bug 15682 - Merging records from cataloguing search only allows to merge 2 records
To test:
1 - Perform a cataloging search
2 - Attempt to merge 0 results - should fail
3 - Attempt to merge 1 results - should fail
4 - Attempt to merge 2 results - should succeed
5 - Attempt to merge 3 results - should succeed
6 - Test any other amount of records and if more than 1 it should
succeed
**Note: On shelves.pl you can merge a single record. I think that is
incorrect so made this only work for 2. Will add a followup to fix
shelves.pl
Signed-off-by: Chris Cormack <chrisc@catalyst.net.z> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit 8f1e5ad95fd78cbf09028e3d2dfe0b2b77d4dd21) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit aa8b468a13760b23c6ea29fddd43ade34e594af0) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Owen Leonard [Tue, 3 May 2016 13:59:01 +0000 (09:59 -0400)]
Bug 15194 - Drop-down menu 'Actions' has problem in 'Saved reports' page with language bottom bar
This patch changes the direction of the "actions" menu on the saved
reports page so that it pops up instead of down.
To test, apply the patch and go to Reports -> Saved reports.
- Click the "Actions" menu for any report and confirm that the menu
displays above the button instead of below it.
Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit de98a936751efc00d893f6e74e440416d66140b4) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 1e494ae15ed819512a9b04a3b7ffd76c38a36018) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Mark Tompsett [Mon, 8 Jun 2015 03:40:50 +0000 (23:40 -0400)]
Bug 14362: Regression tests
This should trigger the error. Attempts to shift system time
zones did not make sense as to the number of failures.
Added Time::Fake dependency, if it isn't installed these extra
tests don't run. There is a nice skip message about it.
Added License text.
TEST PLAN
---------
1) apply test patch
2) sudo dpkg-reconfigure tzdata
-- set your system time to GMT (Africa/Abidjan)
3) prove t/Circulation/AgeRestrictionMarkers.t
-- should not fail, even if you change system
time to any time.
4) sudo dpkg-reconfigure tzdata
-- set your timezone to Eastern
5) sudo date -s"2015-06-18 21:15:00"
6) date
-- should be past 9pm Eastern timezone
7) prove t/Circulation/AgeRestrictionMarkers.t
-- kaboom!
8) sudo date -s"2015-06-18 12:00:00"
9) date
-- should be noon Eastern timezone
10) prove t/Circulation/AgeRestrictionMarkers.t
-- success?! Time sensitive tests are bad tests.
11) sudo apt-get install libtime-fake-perl
12) prove t/Circulation/AgeRestrictionMarkers.t
-- kaboom!
-- changing timezone to anything other than GMT
should trigger a kaboom.
13) apply fix patch
14) prove t/Circulation/AgeRestrictionMarkers.t
-- should work all the time.
15) less t/Circulation/AgeRestrictionMarkers.t
-- the license text should be similar to
http://wiki.koha-community.org/wiki/Coding_Guidelines#Licence
16) koha qa test tools.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit a2aba3c86f106603212eb2c5beb52c3cdfe49857) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Conflicts:
C4/Installer/PerlDependencies.pm
Mark Tompsett [Mon, 8 Jun 2015 01:26:53 +0000 (21:26 -0400)]
Bug 14362: PEGI15 Circulation/AgeRestrictionMarkers test fails
It is best to test when UTC date is a date in the future compared
to your timezone. I'm in Eastern, so right now, I expect this
test to fail for another 2.5 hours.
TEST PLAN
---------
1) prove t/Circulation/AgeRestrictionMarkers.t
-- fails for PEGI 15 after 9pm.
2) Apply patch
3) prove t/Circulation/AgeRestrictionMarkers.t
-- works.
4) koha qa test tools
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 73f55165bef229668a135bee7e8c90a2c9c3f0a7) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit c894bd4ab5401aec642089f00c9e6b3909e01d2b) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Alex Arnaud [Tue, 15 Mar 2016 15:36:28 +0000 (16:36 +0100)]
Bug 13877 - Make serialseq season name translatable regardless its position in a string
Signed-off-by: Chris Cormack <chrisc@catalyst.net.z> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit adb8d41053357eeb68fa148a04c2202df6e54974) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit e0f8aff8a958a0ce3b47e94939bb6d467c69ad1b) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Julian Maurice [Mon, 9 May 2016 09:42:05 +0000 (11:42 +0200)]
Bug 13041: Fix add of basket's manager when name contains a single quote
If you are trying to add a user as a manager of a basket in
acquisitions, a JavaScript error will be triggered if that user has a
single quote in their name (e.g. "O'Neil"). This patch corrects the
issue.
Also changed by this patch: Increased the size of the patron search
popup and made a correction to some invalid HTML.
To test you should have a patron whose name contains a single quote who
is also a user with permission to manage acquisitions.
- Apply the patch and go to Acquisitions.
- Locate an open basket and view the details for that basket.
- In the "Managed by" section, click the "Add user" button to trigger
the patron search popup.
- Search for the patron described above and click the "Add" button.
- In the parent window, the patron you chose should have been added to
the "Managed by" section.
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 964a1888138e276a78be5d84a70559ace6418e79) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Marc Véron [Wed, 27 Apr 2016 10:38:58 +0000 (12:38 +0200)]
Bug 12721: (followup) Replace mysqlism by DBIx::Class
This patch removes the mysqlism (see comment #18)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Fixed QA tools complaints about missing lines before
and after =cut in POD.
- Change syspref to any combination of location|itype|ccode
=> Result: Table displays columns as appropriate
- Change syspref to some garbage
=> Result: Same as with empty syspref (was crashing without patch)
- Change syspref to valid combination with trailing |
=> Result: Table displays columns as appropriate (was crashing
without patch)
- Change syspref to a combination of valid and invalid fields
(location|blah|ccode)
=> Result: Table displays column of valid fields only (was crashing
without patch)
Signed-off-by: Aleisha <aleishaamohia@hotmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 5fc93bce9b786797724539bea1a1689e959078e6) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 36392d8a0cc07c3d5de51ec53c529d3a7d777508) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Marc Véron [Sun, 18 Oct 2015 16:27:58 +0000 (18:27 +0200)]
Bug 12721 - Syspref StatisticsFields: Warning on About page and text change in System preferences
This patch adds a warning to the about page if the syspref 'StatisticsFields' is misconfigured.
Additionally, the text on Home > Administration > SystemPreferences for 'Statistics Fields'
is changed.
To test:
- Apply patch
- Edit syspref 'StatisticsFields'. Verify that the explanation makes sense.
- Leave field empty
=> verify that no message appears on About page, tab System information
- Insert valid field names, e.g. location|itype
=> verify that no message appears on the About page
- Add trailing char
=> verify that the warning message appears on the About page
- Fill in some garbage or misspell a field name
=> verify that the warning message appears on the About page
Signed-off-by: Aleisha <aleishaamohia@hotmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 95f492b4d2505103269b295a34bab74804df9746) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit f6694ce92ff4b60aea1234e9a138853fb0406f18) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Tue, 3 May 2016 07:58:33 +0000 (08:58 +0100)]
Bug 16426: follow-up of bug 15840 - correctly manage userid while inserting patrons
Bug 15840 tried to fix a bug but makes things more complicated than it
was before.
If a userid is not provided for 1 or more rows of the csv file, it
should not be updated. However, if a userid is provided and it is already
used by another patron, the import should fail for this row (but not
crash!).
Test plan:
0/ Create a patron with a userid=your_userid
1/ Use the import patron tool to update this userid
=> userid should have been updated
2/ Update another data and do not provide the userid
=> data should have been updated and not the userid
3/ Update another data and provide the userid, but set it to an empty
string, or '0'
=> data should have been updated and not the userid
4/ Update another patron, and set userid=your_userid
=> Update should fail and an error should be displayed ("already used by
another patron")
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 7b76b24fad305b0253eb1d779f074d265087ca73) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit b53075b58df01e65371e13dee0b6848d12a181f2) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Tue, 3 May 2016 07:58:26 +0000 (08:58 +0100)]
Bug 16426: Add tests for ModMember - do not update userid
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit e883c19f3778c0247c11e6bdd3f27bbdd927468d) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit ea45e3f39ebdd2a33b7ea00730ef278ba0f461a7) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Wed, 6 Apr 2016 14:59:02 +0000 (15:59 +0100)]
Bug 12752: FIX letter names in 3.15.00.041
3.15.00.041 was wrong, the name of the letter should not always be the
name of the first HOLD notice.
PREDUE_PHONE should be updated with the first name of the PREDUE notice,
same for OVERDUE_PHONE and OVERDUE
Signed-off-by: Chris Cormack <chrisc@catalyst.net.z> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 6d52cd63f351cd56f36492b80c10c0d8568ef03d) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 6ca552c2e86a4459ba8a68903b7ac60c614731af) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Jonathan Druart [Wed, 6 Apr 2016 10:33:11 +0000 (11:33 +0100)]
Bug 15930: Make patron searches defaulting on 'contain'
The default patron search type has changed from 'contain' to
start_with. Users consider it as a bug.
This patch reverts the previous changes to default on 'contain'.
Test plan:
Search for patrons in different places (guarantor, checkout, patron
module, acquisition module, etc.) and confirm that the default is always
'contain'
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com> Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit a8491dc156db9d746b0f5ddd6175b66bf1bfa4ab) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit f2c5b7b036a47289a069f89bf3e63ede548058d8) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Mason James [Fri, 1 Apr 2016 02:23:22 +0000 (15:23 +1300)]
Bug 1750 - Report bor_issues_top erroneous and truncated results.
Signed-off-by: Mason James <mtj@kohaaloha.com>
TEST PLAN
---------
1) Ensure you have some checkouts
2) Home -> Reports
-> Patrons with the most checkouts
3) Click 'Submit'
-- you get a list
4) Click a patron name.
5) Note the borrower number.
6) In MySQL run something like:
> UPDATE borrower SET firstname=NULL WHERE borrowernumber=####
7) Refresh the report page
-- name goes totally blank
8) apply patch
9) Refresh the report page
-- only first name is lost
10) run koha qa test tools
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit b859739c2a6dc899176276022782ac3af7a0ad0c) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 8f4df78bd46e9e9c02f2841ef6bd1bba2bb39c6c) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Setting X-Frame-Options to SAMEORIGIN is enough for modern browsers:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
The antiClickjack trick should be removed at the OPAC as we want to keep
the OPAC usable even if the user has disabled JS.
That means the OPAC will be vulnerable to XFS if a user is navigating
with a prehistoric browser:
Firefox 3.6.9 September 2010
IE 8 March 2008
Opera 10.5 March 2010
Safari 4 February 2009
Chrome 4.1.… somewhen 2010
Test plan:
Confirm that there is no regression of bug 15111 with modern browsers
Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit d496d03e8aa3079e0d29837b27b31b9a55afd02e) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 57fc49475db35b965ea50e5b60114fa46b2be37f) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Jonathan Druart [Mon, 22 Feb 2016 09:24:29 +0000 (09:24 +0000)]
Bug 15111: Do not include the antiClickjack legacy browser trick for greybox
Most of the scripts called via greybox (which uses iframe) don't include
doc-head-close. But some do.
This patch adds a popup parameter for these templates, not to include
the legacy browser trick and avoid the replacement of the location.
Test plan:
1/ Export patroncard and label
2/ translate itemtypes
3/ click on a idref link at the OPAC
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit fc640d2a86f395ad392f84314bce22e8b4dab1fe) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 45e39882432dd9fdae0fc1b1ef7b7b8b09a9480a) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Jonathan Druart [Fri, 13 Nov 2015 08:19:57 +0000 (08:19 +0000)]
Bug 15111: Change X-Frame-Options with SAMEORIGIN
There are some places where frames are used, the greybox JS plugin for
instance.
We need either to allow them from Koha or replace this plugin.
The easiest for now is to switch the value from DENY to SAMEORIGIN.
Test plan:
- modify a record in a batch (tools/batch_record_modification.pl)
- click on preview marc
=> With only the previous patch you will get a blank page.
=> With this patch applied, it will work as expected.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit fb167c0e4b897bf9a93b4fd6176b15e2d4dbd4df) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 201e1f239728f3656f5f71792a7d5ce9b5a05144) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Kyle M Hall [Mon, 2 Nov 2015 17:11:17 +0000 (12:11 -0500)]
Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks
Web pages that can be embedded in frames are vulnerable to cross-frame
scripting attacks. Cross-frame scripting is a type of phishing attack
that involves instructions to an unsuspecting user to follow a specific
link to update confidential information in an online application.
Because the link leads to a legitimate page from the online application
that is embedded in a frame hosted by the attackers' server, the
attackers can capture all the information that the user enters.
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit dc03bca76cf5b7cb48d98d1ce245fc65b98be929) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit c97a01e1330ab5b1b1df7029d2149efa0deb19a4) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Jonathan Druart [Mon, 4 Apr 2016 13:45:48 +0000 (14:45 +0100)]
Bug 16179: Do not crash if "rate me" is clicked and no rate selected
If JS is disabled and a user clicks on the "Rate me" button, Koha will
crash with:
DBIx::Class::ResultSet::create(): Column 'rating_value' cannot be null
at /usr/share/koha/lib/C4/Ratings.pm line 208
To avoid that, opac-ratings.pl will check if a rate has been selected.
Test plan:
Disable JS
On a record detail page, click on the "Rate me" button
TESTED PLAN:
1) go to /cgi-bin/koha/opac-ratings.pl?biblionumber=1
-- kaboom as above.
2) apply patch
3) refresh
-- either login screen (don't know why)
-- or if already logged in, detail page.
4) koha qa test tool
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Owen Leonard <oleonard@myacpl.org>
I tested successfully by temporarily removing the modification made by
Bug 16210.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit b679cac96409b7248f8e224e10c73dafa4c82890) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit a965702c08f84d8d770fb81e09f13bee8e922bba) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Alex Arnaud [Tue, 16 Feb 2016 15:33:17 +0000 (16:33 +0100)]
Bug 15832 - Fix filter and items split-up in pendingreserves.tt
Test plan:
- Go to circ/pendingreserves.pl (Ensure that there are biblios with many
items on different branches),
- Check the libraries filter at the bottom of datatable. There should be
duplicates.
- Apply this patch and return to circ/pendingreserves.pl,
- check that libraries filter should not contain duplicate,
- check that the filter works.
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit 82be93af1ccbd3544646a6345ab51183a62d05cb) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 4f699275a76107f3a210a199dc9cadd5da2560f3) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Bug 15113: koha-rebuild-zebra should check USE_INDEXER_DAEMON and skip if enabled
This patch changes the behaviour of the koha-rebuild-zebra script in the following way:
USE_INDEXER_DAEMON=no
- Keeps the current behaviour
USE_INDEXER_DAEMON=yes
- It skips incremental indexing to avoid races.
Caveats:
- A --force option is introduced for use in a specific situation that might need it
(i.e. the administrator knows what he's doing).
- If --full is passed, the reindexing is not skipped.
The documentation files and messages are adjusted accordingly.
This patch should help users that want to use the indexing daemon, in which case they wouldn't need
to change their default 5 min cronjob (it will be just skipped). Ultimately, koha-common could have
USE_INDEXER_DAEMON = yes by default, but that's subject for another bug report.
To test:
- Play with the different option switches and USE_INDEXER_DAEMON
- Things work as expected
- Sign off
Regards
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as expected
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Your Full Name <your_email>
(cherry picked from commit 997ad166c6ea53d47e3e15e7720d63da9f3b0a80) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 67dd96545bf8fdabdc98428438cbd92a5ae33c9f) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Julian Maurice [Thu, 7 Jan 2016 14:38:57 +0000 (15:38 +0100)]
Bug 14816: Fix multiple selection in item search
Send each selected value as a separate parameter. Otherwise DataTables
(or jQuery ?) joins all values with a comma
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
I could not reproduce the bug when selecting multiple home libraries,
but I could by selecting multiple item types or collection codes. The
patch allowed those queries to complete correctly.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit 9aa8bf46f6b45ebcd342c09bd3a09ae55f3dd4a8) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 47ebb4ffb1869b52f1c011e3a6b236b85b0e51ab) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Nick Clemens [Fri, 26 Feb 2016 21:08:55 +0000 (21:08 +0000)]
Bug 15928 - Show unlinked guarantor
To test:
1 - Add guarantor data to patron account by typing it in but do not 'Set to patron'
2 - Note it is not displayed on patron details
3 - Apply patch
4 - Note the info is displayed
5 - Test that linked guarantors show as expected
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit bebb61739f4460295151a37d44cc1a2d6f956d26) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Julian Maurice [Thu, 14 Apr 2016 12:29:38 +0000 (14:29 +0200)]
Bug 15962: Block the currency deletion if used
A currency should not be deleted if used by a vendor or a basket.
Test plan:
1/ Add a new currency
2/ Create a vendor using this currency
3/ Create a basket using this currency
4/ Try to delete the currency
5/ Delete the basket
6/ Try to delete the currency
7/ Delete the vendor
8/ Delete the currency
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit c20496aea938e1faaa53daff5e2cf3d697b0eac9) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Marc Véron [Wed, 23 Mar 2016 07:11:49 +0000 (08:11 +0100)]
Bug 16133: Translatability of database administrator account warning
This patch removes sentence splitting of the database administrator warning with
a button styled link.
Additionally, it uses the same wording as in the warning on the 'About' page.
To test:
- Apply patch
- Log in to Staff client as database administration user
- Verify that the wording of the warning is the same as on the About page (Tab
'System information')
- Verify that the link to the patron administration page is styled as a button
and behaves correctly
NOTE: Actually, the category is irrelevant. But I like the improved message.
Categories may or may not be set up at the initial log in.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit e53b80dedf91617f9eecb9defd2d6f5222f03d65) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit c6a049167f9f1b4d4df81520900b23d2b9e0ea46)
Owen Leonard [Thu, 17 Mar 2016 13:08:39 +0000 (09:08 -0400)]
Bug 16047 [Follow-up] Software error on deleting a group with no category code
This follow-up takes the original patch a little further, making category
name required on the entry form as well. Without a category name there
is no label in the interface when selecting a category. That doesn't
make any sense.
Also changed on the group entry form:
- Added "required" attribute to labels on required fields.
- Changed "Update" submit button label to "Submit."
- Added a "Cancel" link.
- Added the "validated" class to the form so that our built-in
validation script will process it (not strictly necessary but makes
the validation appearance more consistent).
Followed test plan, form displays and behaves as expected. Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit df127ebad814ad1710b161b85a69d408de95de85) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit c514e1fee2890660caa36c1dae62bcfbc6f72fc3) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Aleisha [Thu, 10 Mar 2016 21:49:57 +0000 (21:49 +0000)]
Bug 16047: Making category code a required field on creating a group
This will prevent users from creating a group without a category code,
which causes a software error when you try to delete it
To test:
1) Go to Admin -> Libraries and groups
2) Create new group without category code
3) Attempt to delete the group you just created and notice software
error
4) Apply patch
5) Create new group without category code
6) Notice you now cannot save the group without putting in a category
code
Sponsored-by: Catalyst IT Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit 577aa86eb96160088c70008bfe85ae2c0820f547) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 730cfb59258841572d19ffd9eedf36571edc100a) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Aleisha [Sun, 13 Mar 2016 23:40:53 +0000 (23:40 +0000)]
Bug 16029: Hide patron toolbar if patron does not exist
To test:
1) Create a patron, take note of the borrower number
2) Delete the patron
3) Navigate to the page of the patron you just deleted by typing the url (ie /cgi-bin/koha/members/moremember.pl?borrowernumber=X)
4) Confirm that the patron toolbar is not showing on the page
5) The message now has a link that says 'Find another patron?'. Click this link and confirm you are taken to the member home page.
Sponsored-by: Catalyst IT
Followed test plan, works as expected. Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit 1870141874667d854f9b5508c563169baefb2328) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit e0ad205512af9dba2a9d5cad70bf6fdffecc6e17) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Owen Leonard [Fri, 18 Mar 2016 13:41:15 +0000 (09:41 -0400)]
Bug 15984 - Correct templates which use the phrase "issuing rules"
This patch corrects two places in the templates where the phrase
"issuing rules" is used instead of "circulation and fine rules."
To test, apply the patch and view the help pages for Administration ->
Circulation and fine rules; and Tools -> Automatic item modification by
age. Confirm that the term "circulation and fine rules" is used instead
of "issuing rules."
Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit 98a9e30f040661e0a67a594f72abd8ab02cf9ad6) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 1c1d9558eb6df6f44e96d204e8e6683e3ae04491) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Jonathan Druart [Fri, 12 Feb 2016 11:49:28 +0000 (11:49 +0000)]
Bug 14076: Do not use CGI->param in list context - opac-authorities-home.pl
See bug 15809 for more info on why we should not use CGI->param in list
context.
Note: I have not found any places where several values for the same
params are passed to this script but, just in case, this patch won't
change this ability.
Test plan:
Do an authority search at the OPAC
Test with several values of the form.
Confirm that the results are always the same before and after this
patch.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit 3fa2b10150a9ea2db2897be1246cba3785c55e55) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 182838a54498b4a00a4077779458cf005f5ec444) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Jonathan Druart [Fri, 12 Feb 2016 11:32:02 +0000 (11:32 +0000)]
Bug 15809: Redefine multi_param if CGI < 4.08 is used
On debian Jessie, the CGI version is >= 4.08
Since this version, the param method raises a warning
"CGI::param called in list context".
Indeed, it can cause a vulnerability if called in list context.
There is a long journey to get rid of these warnings.
First I suggest to redefine the multi_param method when the CGI version
installed is < 4.08, it will allow us to move the wrong ->param calls to
->multi_param without waiting for everybody to upgrade.
The different ways to call these 2 methods are:
my $foo = $cgi->param('foo'); # OK
my @foo = $cgi->param('foo'); # NOK, will raise the warning
my @foo = $cgi->multi_param('foo'); #OK
$template->param( foo => $cgi->param('foo') ); # NOK, will raise the warning
# and vulnerable
$template->param( foo => scalar $cgi->param('foo') ); # OK
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Tested a call to multi_param with CGI < 4.08.
With reference to the comments on Bugzilla, this workaround is arguable,
but provides a base to move to multi_param. If we come up with a better
solution, it should be easy to adjust.
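The list-context problem described in Bug 15809, as an added example that is not part of the commit or of Koha's code. It assumes CGI.pm >= 4.08 (so multi_param exists); the request string, the is_admin variable and set_template_vars (a stand-in for $template->param) are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;    # assumption: CGI.pm >= 4.08, which provides multi_param

# Constructed request: "foo" is submitted three times. The second and third
# values are chosen so that together they look like a key/value pair.
my $cgi = CGI->new('foo=bar&foo=is_admin&foo=1');

# Hypothetical stand-in for $template->param(): it takes a flat list of
# key => value pairs and stores them in a hash, later pairs overriding
# earlier ones.
sub set_template_vars {
    my %vars = @_;
    return \%vars;
}

# NOK: function arguments are evaluated in list context, so param() expands
# to every submitted value and the extra values are read as a new pair that
# overrides is_admin. CGI.pm also prints its list-context warning to STDERR.
my $unsafe = set_template_vars(
    is_admin => 0,
    foo      => $cgi->param('foo'),
);

# OK: scalar context yields only the first submitted value.
my $safe = set_template_vars(
    is_admin => 0,
    foo      => scalar $cgi->param('foo'),
);

# OK: when several values are legitimately expected, request them with
# multi_param and pass them as one array reference, so they stay inside a
# single template variable.
my @foo   = $cgi->multi_param('foo');
my $multi = set_template_vars(
    is_admin => 0,
    foo      => \@foo,
);

printf "param in list context : is_admin=%s foo=%s\n",
    $unsafe->{is_admin}, $unsafe->{foo};
printf "scalar param          : is_admin=%s foo=%s\n",
    $safe->{is_admin}, $safe->{foo};
printf "multi_param as ref    : is_admin=%s foo=[%s]\n",
    $multi->{is_admin}, join( ', ', @{ $multi->{foo} } );
```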
Mason James [Fri, 1 Apr 2016 02:56:34 +0000 (15:56 +1300)]
Bug 16184 - Report bor_issues_top shows incorrect number of rows
TEST PLAN
---------
1) Have at least 6 patrons with checkouts and some checkins.
2) Reports -> Patrons with the most checkouts
3) Click 'Submit' (default is 5)
-- more than 5 entries listed.
4) Apply patch
5) Refresh page
-- only 5 entries listed.
6) Run koha qa test tools
NOTE: While this works, I'd be much happier with a refactor
as it would also speed up the report. See comment #5.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 2c68980467009a9d19116440d4f28356707e9e7c) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit bd4659d09f92135a7956496c44af555b5938c8c3) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Nick Clemens [Tue, 23 Feb 2016 20:41:57 +0000 (20:41 +0000)]
Bug 15888 - Syndetics Reviews preference should not enable LibraryThing reviews
To test:
1 - Enable Syndetics Reviews without a LibraryThing ID
2 - Check page source and note you have a stanza for LTFL tabbed reviews
3 - Apply patch
4 - Reload page and note LTFL tabbed reviews are not present
5 - Enter a LibraryThing ID and note the tab is restored.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 541a03cf6daace451f78e614b8019382dcd52acc) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 9a7c37473042cbc0c533ea12e95273b7471d22a3) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Aleisha [Sun, 20 Mar 2016 23:24:18 +0000 (23:24 +0000)]
Bug 15866: Add confirm message for deleting rotating collection from toolbar
To test:
1) Go to Tools -> Rotating Collections
2) Click on any rotating collection ('Add or remove items' from drop down menu)
3) Click 'Delete' from toolbar. Validate you are now asked to confirm your deletion. Check that cancel works, then check that confirm works.
Sponsored-by: Catalyst IT Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
I've added the word 'rotating' before collection, to make
it clear for translators what is meant here.
Alex Arnaud [Wed, 17 Feb 2016 11:27:14 +0000 (12:27 +0100)]
Bug 15838 - Subscription duplicating: Reset fields from SubscriptionDuplicateDroppedInput syspef by getting them using name instead of id
How I tested:
Verified bug with start and end date (were not cleared without patch).
After applying the patch all fields defined in SubscriptionDuplicateDroppedInput
were cleared as expected.
Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit 873a49f13b79bf1f5f7163f217cfc3a317ce602f) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 702002129787ceb2cdae61f6dc2352dff1afa84d) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Jonathan Druart [Tue, 8 Mar 2016 14:09:09 +0000 (14:09 +0000)]
Bug 15722: Escape patron infos for JSON in patron searches
If patron infos contain invalid JSON chars (\t for instance), the
results won't appear.
The solution is to escape this info.
Test plan:
Edit patron infos in DB (update borrowers set surname="foobar\t" where
borrowernumber=42)
Search for foobar (you should have more than 1 result)
Without this patch, DT retrieves badly formatted JSON and the results
won't appear.
With this patch, the table result appears
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit cd20b61a7c845110e518e6dedc12ac50efebe4aa) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit eba74c8e51a52432362150c38d674f661a6228e8) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
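The failure described in Bug 15722, as an added example that is not the patch's own code: a value pasted unescaped into a JSON string breaks parsing, while the same value encoded as a JSON string parses. The patron row is constructed from the test plan; render_unescaped, render_escaped and json_escape are hypothetical helpers, and JSON::PP stands in for the browser's parser.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use JSON::PP;

# Constructed patron row matching the test plan: the surname ends in a
# literal tab character.
my %patron = ( borrowernumber => 42, surname => "foobar\t" );

# Hypothetical template-style rendering: the value is pasted between the
# quotes exactly as stored in the database.
sub render_unescaped {
    my ($p) = @_;
    return sprintf '{"borrowernumber":%d,"surname":"%s"}',
        $p->{borrowernumber}, $p->{surname};
}

# Encode a value as a JSON string, then drop the surrounding quotes so the
# result can be placed inside quotes that the template already provides.
sub json_escape {
    my ($value) = @_;
    my $quoted = JSON::PP->new->allow_nonref->encode("$value");
    return substr( $quoted, 1, -1 );
}

# Same rendering, with the value escaped for the JSON string context.
sub render_escaped {
    my ($p) = @_;
    return sprintf '{"borrowernumber":%d,"surname":"%s"}',
        $p->{borrowernumber}, json_escape( $p->{surname} );
}

# Parse both documents with a strict JSON parser and report the outcome.
for my $case (
    [ 'unescaped', render_unescaped( \%patron ) ],
    [ 'escaped',   render_escaped( \%patron ) ],
  )
{
    my ( $label, $json ) = @$case;
    my $data = eval { JSON::PP->new->decode($json) };
    if ( defined $data ) {
        printf "%-9s parsed, surname length %d\n", $label,
            length $data->{surname};
    }
    else {
        ( my $error = $@ ) =~ s/\s+\z//;
        printf "%-9s rejected: %s\n", $label, $error;
    }
}
```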
Jonathan Druart [Tue, 9 Feb 2016 17:02:05 +0000 (17:02 +0000)]
Bug 15773: Fix and standardise checkboxes code in framework
When creating a new subfield for an authority framework, the checkboxes
don't behave as they should.
If you click on the 'repeatable', 'mandatory' or 'is url' checkbox's
label, the checkbox from the second tab will be checked/unchecked.
This is caused by a non-unique id of the input element.
I have found this bug when working on the removal of CGI::checkbox in
both admin/auth_subfields_structure.pl and
admin/marc_subfields_structure.pl scripts.
This patch removes the use of CGI::checkbox as well as the generation of
html code from these 2 pl scripts (which should be avoided).
The code of these scripts is now pretty similar.
Test plan:
Add/modify/remove subfield for a MARC framework and an Authority
framework.
Use as many fields as possible and confirm that the values are correctly
inserted/displayed.
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit 39597b86ae299a9b4c0c1e8221f51f9e8dd300ed) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 60e601bf5f485a46b36bf14d2145adf9c25fe098) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
David Cook [Fri, 5 Feb 2016 05:09:45 +0000 (16:09 +1100)]
Bug 15745: C4::Matcher gets CCL parsing error if term contains ? (question mark)
Signed-off-by: Olli-Antti Kivilahti <olli-antti.kivilahti@jns.fi>
Also fixes ! and +
Rebased to master Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
It makes perfect sense and works as expected. This part of the code is too
under-tested so no point requiring a regression test for such a simple change.
Jonathan Druart [Wed, 30 Mar 2016 10:30:01 +0000 (11:30 +0100)]
Bug 15323: Use fixtures for the active currency
prove t/Prices.t
fails after bug 15084 has been pushed
It's caused by
commit 1538e9ecf47642c4974693ff499c3e95e4d71977
Bug 15084: Replace C4::Budgets::GetCurrencies with
Koha::Acquisition::Currencies->search
Koha::Number::Price->_format_params calls
Koha::Acquisition::Currencies->get_active, which requests the DB.
The currency data should be mocked.
Test plan:
sudo service mysql stop
prove t/Prices.t
should return green
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Patch works as expected and passes the qa-tools tests.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 0a14e22d59343475ed6970b82b474a80e43d8e29) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit c4c7ea475b813d97595a6114ef2e31028ec6efe5) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Mason James [Tue, 1 Mar 2016 03:26:06 +0000 (16:26 +1300)]
Bug 14441 - TrackClicks cuts off/breaks URLs
to test...
1/ set TrackClicks syspref to 'track'
2/ add a problematic multipart url to an item's 'url' field
example url: http://foo.corg?key1=val1&key2=val2
3/ test url in opac-detail.pl - url is corrupt
4/ apply patch - url is correct
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Only fixes the item URLs - a follow-up for the URLs
in the bibliographic record (856 for MARC21) is still
needed.
Without this patch, the tests will hang
With the patch applied, they won't!
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar> Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 8255a18edc9c2eee52b01bfa20114b088b9bf555) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 5808b3de5b40bf964813b0c3509f7f7cd0429422) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Marc Véron [Wed, 10 Feb 2016 16:21:40 +0000 (17:21 +0100)]
Bug 11498 - Prevent bypassing sco timeout with print dialog
This patch prevents bypassing the self check timeout with the print dialog.
To test:
- Set syspref 'WebBasedSelfCheck' to 'Enable'
- Set syspref 'SelfCheckoutReceivePrompt' to 'Show'
- Set syspref 'SelfCheckTimeout' to 20 seconds
- Apply patch
- Go to SCO page (/cgi-bin/koha/sco/sco-main.pl)
- Enter card number
- Click 'Finish'. Dialog 'Would you like to print a receipt?' appears.
- Confirm printing without waiting 20 seconds
=> Result: Print slip, SCO page shows 'Please enter your card number'
- Enter card number again
- Click 'Finish'. Dialog 'Would you like to print a receipt?' appears.
- Wait > 20 seconds (value of SelfCheckTimeout) and then confirm.
=> Result: Message appears "Timeout while waiting for print confirmation"
- Click on OK.
=> Result: Self checkout page refreshes (shows 'Please enter your card number')
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
https://bugs.koha-community.org/show_bug.cgi?id=11497
Jonathan Druart [Thu, 3 Mar 2016 08:58:06 +0000 (08:58 +0000)]
Bug 15967: Fix regression from bug 14133 - notify the library if patron is not
Regression introduced by bug 14133, see bug 14133 comment 13.
Test plan:
Without this patch applied, if a patron cannot be notified (no email
address or sms number), the print notice generated for the library was
not.
With this patch applied, the print notice should be generated using the
print template
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit faaa2cbcdb1970866be4f8a7001bf2de305823a9) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 8664af5e20716d1a849b1deb26e48927b4921c5a) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
John Seymour [Thu, 11 Feb 2016 03:38:15 +0000 (22:38 -0500)]
Bug 14633: Patch to control.ini to add or dependency to libapache2-mpm-itk
The other attachment was not a patch which could be applied by
'git bz'. This corrects that.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
debian/update-control will need to be run after this is applied, but
it works well Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit aa66debec6fcdbdadd643386749a61229167aa62) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 50c84aa4ce4614655a0fdc5c75a0e98694b4fa9c) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Jonathan Druart [Mon, 21 Mar 2016 15:49:25 +0000 (15:49 +0000)]
Bug 16040: Update fnReloadAjax DT plugin to fix quotes deletion
When deleting quotes, the table is not regenerated and a JS error is
raised.
That is because we are not using an up-to-date plugin
Test plan:
Delete a quote and confirm you do not get a JS error
Works as expected. Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 908a751e2cadcda0ceafa2efdd2cf0104a323467) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 9478a0bf1eb43e0b82fb7c8ea84a4b503b9f81ce) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Marcel de Rooy [Mon, 1 Feb 2016 12:48:06 +0000 (13:48 +0100)]
Bug 15713: Restart zebra when rotating logfiles
Somehow, it may happen that Zebra keeps writing to the old rotated logfile
with extension .log.1. I must add that although I saw that happen (a new
log was created and was empty, while Zebra kept writing to log.1 for weeks),
I cannot reproduce it every time.
By stopping the zebra server in prerotate and starting it again in
postrotate, this should not happen at all. In practice, this implies that
your Zebra server is restarted once a week.
Note: The existing sharedscripts directive makes sure that these actions
are not executed for all individual logfiles but once for all matching
logfiles (even when running multiple instances).
Test plan:
[1] Apply the change in koha-common.logrotate to the file
/etc/logrotate.d/koha-common.
[2] Run logrotate -f /etc/logrotate.conf (forcing a logrotate).
[3] Check in zebra-error.log that your zebra server was stopped
('killed by signal 15').
[4] Verify that your Zebra server runs (read: has been restarted).
(Do a search..)
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit af47f00636848e1115b08652abcaec6b789bf672) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit ddd1bbebeadc3bed0fd592bc04621a0dc3fb08c6) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Marc Véron [Thu, 24 Mar 2016 10:59:27 +0000 (11:59 +0100)]
Bug 14614: Multiple URLs (856) in cart/list email are broken
To reproduce:
- Add multiple subfields 856 u to a biblio
- Add this biblio to a cart and send it as mail
(from Staff client and from OPAC)
Result: Links in mail body are broken
To test
- Apply patch
- Send carts again (from Staff client and from OPAC)
- Result: In mail body, links display separated with blank-pipe-blank
like http://bla.com | http://blabla.com | http://blablabla.com
- Change one of the 856 u to not to be a link, e.g. äöü
- Send carts again
- Verify that in mail body äöü correctly display as text.
(Amended to make it work for OPAC as well, MV)
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit d135499d2893fe1000c627f433395989d7d9e022) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit bd6e5a4c32496c94b0f90010fdc6b8dc047ea64f) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Jonathan Druart [Thu, 17 Sep 2015 07:40:19 +0000 (08:40 +0100)]
Bug 14841: Fine column is not managed by columns settings
Bug 9481 added the "Fine" columns to the checkouts table and bug 13492
added the columns settings to these tables.
They overlapped each other in the bugs queue.
Test plan:
Confirm that you are able to hide/show the "Fine" columns on both
checkouts table.
Signed-off-by: Joonas Kylmälä <j.kylmala@gmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit f94afd5e6c5bbc6669cf74177aad0da9f492a3d1) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Jonathan Druart [Thu, 17 Sep 2015 07:34:28 +0000 (08:34 +0100)]
Bug 14841: Columns settings are not taken into account for checkout table / moremember
There is a typo member vs members in the template when retrieving the
existing settings.
So that all columns are displayed, even the ones which are hidden
(sort_order, due_date_unformatted, etc.)
Test plan:
0/ Do not apply this patch
1/ Go on the columns config page and check some fields not to display by
default for Patrons > moremember > issues-table
2/ Go on the patron detail page (with checkouts), click on the "show/hide
columns" button (top right of the table).
Confirm that the config is not taken into account and that it's ugly
(hidden columns are displayed)
3/ Apply this patch
4/ Everything should be fine now :)
Signed-off-by: Joonas Kylmälä <j.kylmala@gmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 8b7e1f45832e3b8d079612d973916310766aa93a) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Jonathan Druart [Wed, 6 Jan 2016 13:10:00 +0000 (13:10 +0000)]
Bug 15119: Hide search header text boxes on render
When the page rendering is slow or the page is heavy, the tabs in the
header shown be not correctly displayed as tabs.
This patch suggests to hide them, display the first one, and wait for
the JS code to display them nicely.
To easily reproduce the ergonomic issue, go on the circulation home
page (/cgi-bin/koha/circ/circulation.pl) and search for a patron 'a' or
'd', you will get a lot of result and the page will be slow to be fully
displayed.
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Christopher Brannon <cbrannon@cdalibrary.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit 70eedf2217e1bfde1c56bc77c8dd0dc039124f47) Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 0d018647849724bacc40be7360e56a29c1a7fb53) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>