kohabug 2458 Disallowing non-SELECT SQL in reports module
This patch enforces SELECT-only SQL in the reports module.
It introduces code to check SQL in two places. The first is
when a save is attempted on a user constructed SQL statement.
If a non-SELECT SQL statement is entered, the user will be
presented with an error message and a button giving the
option of editing the SQL. The second is when any SQL is
executed. If execution of a non-SELECT SQL statement is
attempted, the user is presented with an error message and
instructed to delete that report as the SQL is invalid.
The second check is intended as a safety net as no non-SELECT
SQL should ever be saved.
It may be well to document the proper usage of the direct SQL
entry type report.
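Added example, not code from the Koha commit itself (Koha is Perl over DBI; this is a Python illustration of the same two-point rule on a constructed in-memory SQLite table). The names `is_select_only`, `save_report`, `run_report` and the sample `borrowers` rows are assumptions made for the illustration. The check strips comments and string literals first so that a `;` or `--` inside a literal is not misread, rejects anything whose first keyword is not SELECT, and rejects a second statement hidden after a `;`; the same check runs again at execution time as the safety net the commit describes.

```python
import re
import sqlite3

# Constructed sample schema, standing in for Koha's real tables.
_SETUP = """
CREATE TABLE borrowers (borrowernumber INTEGER PRIMARY KEY, surname TEXT, categorycode TEXT);
INSERT INTO borrowers VALUES (1, 'Smith', 'ADULT'), (2, 'Jones', 'CHILD');
"""

# String literals and quoted identifiers come before the comment patterns so that
# a "--" or ";" inside a literal is never mistaken for a comment or a separator.
_NOISE = re.compile(
    r"'(?:[^']|'')*'"      # single-quoted literal, '' as escaped quote
    r'|"(?:[^"]|"")*"'     # double-quoted identifier or literal
    r"|--[^\n]*"           # line comment
    r"|/\*.*?\*/",         # block comment
    re.S,
)


def _skeleton(sql: str) -> str:
    """Drop comments and replace literals by 'x', keeping the statement structure."""
    return _NOISE.sub(lambda m: " " if m.group(0)[0] in "-/" else "'x'", sql)


def is_select_only(sql: str) -> bool:
    """True only for a single statement whose first keyword is SELECT."""
    skel = _skeleton(sql).strip()
    if not re.match(r"select\b", skel, re.I):
        return False
    if skel.endswith(";"):            # one trailing terminator is tolerated
        skel = skel[:-1]
    return ";" not in skel            # any other ';' means a second statement


class NotSelectError(ValueError):
    """Raised by both check points when a non-SELECT statement is seen."""


def save_report(store: dict, name: str, sql: str) -> None:
    """First check point: refuse to persist anything that is not a single SELECT."""
    if not is_select_only(sql):
        raise NotSelectError(f"report {name!r}: only SELECT statements may be saved")
    store[name] = sql


def run_report(conn: sqlite3.Connection, store: dict, name: str) -> list:
    """Second check point (safety net): re-validate stored SQL before executing it."""
    sql = store[name]
    if not is_select_only(sql):
        raise NotSelectError(f"report {name!r} contains non-SELECT SQL; delete it")
    return conn.execute(sql).fetchall()


def demo() -> tuple:
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SETUP)
    store = {}
    save_report(store, "adults",
                "SELECT surname FROM borrowers WHERE categorycode = 'ADULT'")
    rejected = 0
    for bad in ("DELETE FROM borrowers",
                "SELECT 1; DROP TABLE borrowers",
                "UPDATE borrowers SET surname = 'x'"):
        try:
            save_report(store, "bad", bad)
        except NotSelectError:
            rejected += 1
    # A non-SELECT statement that somehow reached storage is still stopped.
    store["tampered"] = "DELETE FROM borrowers"
    try:
        run_report(conn, store, "tampered")
        tampered_ran = True
    except NotSelectError:
        tampered_ran = False
    return run_report(conn, store, "adults"), rejected, tampered_ran


if __name__ == "__main__":
    print(demo())   # ([('Smith',)], 3, False)
```

The check is deliberately conservative: a statement opening with a parenthesis or a `WITH` clause is refused too, because the rule the commit states is "SELECT only", and a report author can always rewrite such a query to begin with SELECT.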
kohabug 2427 Correcting C4::Items:: _koha_new_item to populate items.copynumber
The INSERT was missing the copynumber parameter. moredetail.pl was also not setting
the copyvol template variable. This patch corrects these issues so that the copynumber
is both inserted when a new item is created (including during a bulkmarcimport.pl run)
and displayed properly on moredetail.pl.
kohabug 2448 Correcting Alignment of Column Headers
This patch corrects the alignment of the column headers in the overdues list
on the 'Overdue' tab on opac-user.pl. It also corrects the template to display
the item type rather than the Koha collection type.
Owen Leonard [Wed, 6 Aug 2008 19:49:30 +0000 (14:49 -0500)]
Minor change to correct offset problem for Cart popup. Libraries with opacheader markup specified were finding their Cart popup appearing out of place.
Andrew Moore [Wed, 6 Aug 2008 16:14:26 +0000 (11:14 -0500)]
Bug 2084 [2/2]: Database version 3.00.00.107: adding warnings to three system preferences
This patch adds warnings to the OPACShelfBrowser, CataloguingLog, and NoZebra system preferences. Using
them on busy koha installations has proven to be rather resource intensive.
This is considered a stopgap solution. Making these features less resource intensive to run
would be preferred.
Note to documentation writers: screenshots of these system preferences could be updated, but
no functionality has changed.
Andrew Moore [Wed, 6 Aug 2008 16:14:25 +0000 (11:14 -0500)]
Bug 2084 [1/2]: adding warning to overdues report
This patch adds a warning to the staff interface on the circulation page
to indicate that the overdues report is resource intensive on large installations.
This is considered a stopgap solution. Ideally, this report should be changed in order
to make it usable even for large installations.
Documentation note: Although no functionality has changed, any screenshots of the
circulation page on the staff interface should be updated.
Galen Charlton [Wed, 6 Aug 2008 16:32:15 +0000 (11:32 -0500)]
bug 2479: allow MARC21 bib 440 to link to authorities
Fixed overly-strict interpretation of OCLC practice
that prevented 440 series statement/added entries
from linking to the appropriate series authority
record.
Owen Leonard [Wed, 6 Aug 2008 15:35:05 +0000 (10:35 -0500)]
Reformatting serials item edit screen to eliminate label truncation and give it additem-like layout. Also correcting some markup errors, both in the template and in markup generated by Biblio.pm. HDL: I assume this will be superseded at some point by an include, but wasn't sure if that would be in time for 3.0.
Galen Charlton [Wed, 6 Aug 2008 14:54:42 +0000 (09:54 -0500)]
bug 1433: use same bib when adding new subscription from details page
When viewing the subscription details page of a bib that already
has at least one subscription, clicking on the 'New Subscription'
button in the toolbar will fill in the biblionumber and title
in the new subscription form.
Clicking on the 'New Subscription' button in other context (e.g.,
when viewing the results of a search) will leave the biblionumber
and title fields unpopulated, as there is no specific bib to
use.
This incorporates and extends the patch from MJ Ray attached to bug 2287.
Added feedback of up to 25 lines, including for errors at the Text::CSV
parsing level. This allows feedback for problems that involve encoding.
Added link to download "starter" CSV file (with all the columns).
Using default values for PrepareItemrecordDisplay
It changes Biblio.pm
Adding a hash with default values to PrepareItemrecordDisplay
Using that API in Serials.pm and serials-edit.pl
Galen Charlton [Wed, 6 Aug 2008 02:16:09 +0000 (21:16 -0500)]
bug 2317: avoid crash when auto-creating authority
If BiblioAddsAuthorities is ON, saving a MARC bib record
in the cataloging editor can create new authority records.
When using MARC21, if one of those authority records
has diacritics in its heading, the save crashes with the
following error:
Wide character in null operation at
/usr/local/share/perl/5.8.8/MARC/Charset/Table.pm line 96
To prevent this, new MARC21 authorities created by
BiblioAddsAuthorities have the Leader/09 set to 'a'. Note
that this is not currently required for UNIMARC authorities,
as MARC::File::XML->as_xml_record() does not attempt
to transcode UNIMARC records from MARC-8 to UTF-8.
Paul POULAIN [Tue, 5 Aug 2008 13:10:01 +0000 (15:10 +0200)]
bugfix for 2451 : serial receive & barcode does exist complaint
If barcode already exists, then return an error.
making some checks on values passed through the code.
Duplicated serialid and subscriptionid are displayed only once.
This manages multiple errors on barcode and displays them.
Ryan Higgins [Tue, 5 Aug 2008 03:50:01 +0000 (22:50 -0500)]
Final patch for serials planning bugs
This patch resolves bug 1580 and addresses the modification of firstacquidate as per hdl's comments.
I have also removed some useless javascript from subscription-detail, and just reported the number of
irregular issues there (previously was reporting nothing since the js was broken).
For a poorly understood (by me) reason, use of 'use
UNIVERSAL' and 'use C4::Auth' in the SIP2 code is resulting
in a compilation error, thus blocking SIP2 from working.
The error (prior to this patch) could be reproduced as follows:
cd C4/SIP
perl -I. -wc Sip/MsgType.pm
"get_session" is not exported by the C4::Auth module
Can't continue after import errors at /home/gmc/koha/dev/C4/VirtualShelves.pm
line 51
BEGIN failed--compilation aborted at /home/gmc/koha/dev/C4/VirtualShelves.pm
line 51.
Compilation failed in require at /home/gmc/koha/dev/C4/Auth.pm line 34.
BEGIN failed--compilation aborted at /home/gmc/koha/dev/C4/Auth.pm line 34.
Compilation failed in require at Sip/MsgType.pm line 21.
BEGIN failed--compilation aborted at Sip/MsgType.pm line 21.
or more minimally
perl -ce 'use UNIVERSAL; use C4::Auth;'
This patch works around the problem by making C4::Auth
and C4::VirtualShelves not import any symbols
from each other.
Because of a miscalculation in the offset algorithm, the LIMIT offset creeps
backwards by a magnitude for every page beyond page two. This patch corrects
the algorithm to behave as expected.
kohabug 2417 Removing hardcoded query limit from reports
This patch removes a hardcoded 'LIMIT 20' which was added to all report queries
thus limiting all reports to only the first twenty rows of applicable data. In
its place this patch introduces code to paginate through all applicable data,
regardless of how many rows are available. The code will also honor any user
defined 'LIMIT' in reports based on SQL entered directly by the user.
This patch also adds column labels to 'tab' and 'csv' files generated by reports.
NOTE: Only user defined 'LIMIT's apply to 'tab,' 'csv,' and 'text' files.
Ryan Higgins [Mon, 4 Aug 2008 01:37:51 +0000 (20:37 -0500)]
Serials planning: Update subscription edit to properly deal with date changes. ( patch 3 / 3 )
Previously subscription-add.pl allowed modification of 'firstacquidate', which changed
the subscription definition, but did not affect prediction. This patch adds two functions
to Serials.pm to get/set the current expected issue date (note that all date calculations
in prediction patterns are based on the current expected date, and there's only one serial
issue per subscription in the 'expected' status at any time). Subscription editing
now allows you to edit the next expected date, but not the first acqui date (unless you
haven't received any issues yet), thus allowing for adjustments in the prediction pattern.
This patch also fixes some discrepancies in irregularities / prediction display.
Ryan Higgins [Mon, 4 Aug 2008 01:10:15 +0000 (20:10 -0500)]
Update serials planning javascript to properly deal with 3-level periodicity. ( Serials patch 2/3 )
Minor changes to dom object names and id's to allow for proper calculation of the
base planning table from the simplified table.
Prior to this patch, the base table was populated with the incorrect value, so patterns like
Vol{X} No{Y} Issue{Z} incremented the Vol value incorrectly.
Ryan Higgins [Mon, 4 Aug 2008 01:05:55 +0000 (20:05 -0500)]
Serials planning updates patch 1/3
This patch addresses usability and interface bugs in the javascript irregularity checks by
adding extra controls: 'test pattern' button (always visible) replaces the 'irregularity' link
that was previously only sometimes visible. A 'show advanced pattern' button will display/hide the
base prediction table at any time. A 'reset pattern' button is added. The form may now also be submitted
even if it fails the irregularity test, as there are cases when this will result in the desired behavior.
Danny Bouman [Fri, 1 Aug 2008 20:08:51 +0000 (16:08 -0400)]
bug 2450: expanded size of cardnumber input field
Expanded the size of the cardnumber input field to 20 instead of 10. This allows the full 14-digit barcode to be viewed at a glance without having to
scroll.
Andrew Moore [Wed, 30 Jul 2008 16:18:02 +0000 (11:18 -0500)]
bug 2335: adding SMSSendDriver system preference - DB update to version 3.00.00.105
Previously, the SMSSendDriver system preference was set as a local use system
preference. This patch makes it an official system preference under the "Patron" tab.
This system preference determines which SMS::Send driver is used to send SMS messages.
I have attempted to take care to not overwrite this system preference if it has already
been set.
Andrew Moore [Thu, 31 Jul 2008 13:58:43 +0000 (08:58 -0500)]
Bug 1953: updating bad unit test for C4::Items::GetItemsForInventory
The tests I wrote for C4::Items::GetItemsForInventory confused the differences
between biblionumber and itemnumber. That wasn't uncovered on my limited test
database, but I uncovered it later.
This fixes that problem by populating a $self->{'items'} list with details of any items
added by KohaTest::add_biblios. Then, tests can probe there for the details of items
they should expect to find when searching.
Owen Leonard [Thu, 31 Jul 2008 13:43:11 +0000 (08:43 -0500)]
Reorganizing this display for better usability and to fix bug 2290 ("Claims Should not Have Send Button if nothing to claim"). Adding jquery tablesorter. This also adds a message to ask the user to select a supplier if none is selected (see Bug 2338).
bug 2423: actually ignore already-imported records
When recommiting a partially completed MARC
record batch, records that were already imported
(or had an error status) were being processed
again, leading to duplicate bibs. Corrected
so that these records are actually ignored.
Owen Leonard [Wed, 30 Jul 2008 17:45:45 +0000 (12:45 -0500)]
Partial fix for Bug 2420 ("OPAC shows broken image for some Google Jackets"). This fix only corrects for undefined img src, not for well-formed but broken img src.
Andrew Moore [Tue, 29 Jul 2008 16:42:46 +0000 (11:42 -0500)]
Bug 1953 [2/6]: refactoring SQL in C4::Koha::displayServers to use placeholders.
The SQL call in displayServers was not using placeholders, leaving itself open
to potential SQL injection attacks. I've rewritten it to use placeholders.
kohabug 2404 This patch removes Image::Magick and adds GD
This patch removes Image::Magick as a dependency and replaces it with
the (much) lighter GD. Functionality of patronimage code has not changed with
this conversion.
Adding errorhandling for corrupted image file and link to return to moremember.pl when called from there
Andrew Moore [Fri, 25 Jul 2008 20:31:11 +0000 (15:31 -0500)]
Bug 1953: refactoring C4::Koha::get_itemtypeinfos_of to eliminate potential SQL injection
C4::Koha::get_itemtypeinfos_of was not using placeholders, opening itself up to
potential SQL injection attacks. This patch refactors it to use placeholders to
bind parameters.
I also had to extend C4::koha::get_infos_of to allow us to pass bind parameters into it.
I'm including a test module for C4::Koha::get_itemtypeinfos_of.
Andrew Moore [Fri, 25 Jul 2008 16:55:13 +0000 (11:55 -0500)]
Bug 1953 [3/3]: documentation changes for C4::items::GetItemsForInventory
This patch corrects what appears to me to be a few deficiencies in the documentation
for C4::items::GetItemsForInventory. I noticed them while writing test methods for this sub.
Andrew Moore [Fri, 25 Jul 2008 16:55:12 +0000 (11:55 -0500)]
Bug 1953 [2/3]: refactoring SQL in C4::Items::GetItemsForInventory to use placeholders
The SQL in C4::Items::GetItemsForInventory wasn't using placeholders and
bind parameters, possibly leaving itself open to SQL injection attacks. This
patch changes that.
I've also included a test module for C4::items::GetItemsForInventory.
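Added example covering the three placeholder commits above (displayServers, get_itemtypeinfos_of and GetItemsForInventory); it is not Koha's code. Koha does this in Perl with `$dbh->prepare(...)`/`execute(@bind)`; the Python `sqlite3` module below uses the same `?` placeholder convention, so the pattern carries over directly. The `itemtypes` rows and the function names are constructed for the illustration. The first function shows the 'before' shape (value spliced into the SQL text), the second the 'after' shape (value bound), and the third the variable-length `IN (...)` case that needs bind parameters threaded through a generic helper, which is what the get_infos_of change was about.

```python
import sqlite3

# Constructed sample schema, standing in for Koha's itemtypes table.
_SETUP = """
CREATE TABLE itemtypes (itemtype TEXT PRIMARY KEY, description TEXT, notforloan INTEGER);
INSERT INTO itemtypes VALUES ('BK', 'Books', 0), ('CD', 'Compact discs', 0), ('REF', 'Reference', 1);
"""


def make_conn() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(_SETUP)
    return conn


def itemtype_info_interpolated(conn, itemtype: str) -> list:
    """'Before' pattern: the caller's value is spliced into the SQL text,
    so whatever the value contains becomes part of the statement."""
    sql = f"SELECT itemtype, description FROM itemtypes WHERE itemtype = '{itemtype}'"
    return [tuple(r) for r in conn.execute(sql)]


def itemtype_info_bound(conn, itemtype: str) -> list:
    """'After' pattern: a placeholder in the SQL and the value passed as a bind
    parameter. The driver never parses the value as SQL; quotes in it are data."""
    sql = "SELECT itemtype, description FROM itemtypes WHERE itemtype = ?"
    return [tuple(r) for r in conn.execute(sql, (itemtype,))]


def get_itemtypeinfos_of(conn, itemtypes: list) -> dict:
    """Variable-length IN list: the number of placeholders is generated from the
    list length, but the values themselves are still bound, never interpolated."""
    if not itemtypes:
        return {}
    marks = ",".join("?" * len(itemtypes))
    sql = f"SELECT itemtype, description, notforloan FROM itemtypes WHERE itemtype IN ({marks})"
    rows = conn.execute(sql, tuple(itemtypes))
    return {r["itemtype"]: {k: r[k] for k in r.keys()} for r in rows}


def demo() -> tuple:
    conn = make_conn()
    # Constructed value containing a quote; a mistyped form field can deliver one.
    odd_value = "BK' OR '1'='1"
    leaked = itemtype_info_interpolated(conn, odd_value)   # returns the whole table
    safe = itemtype_info_bound(conn, odd_value)            # no such itemtype: empty
    return len(leaked), safe, get_itemtypeinfos_of(conn, ["BK", "REF"])["REF"]["notforloan"]


if __name__ == "__main__":
    print(demo())   # (3, [], 1)
```

The only string that ever reaches the f-string in `get_itemtypeinfos_of` is the generated run of `?` marks, which is the one part of a dynamic query that is safe to assemble textually; everything the caller supplies goes through the bind tuple.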
If a new order was created and no fund selected, a db error was thrown due to the
'bookfundid' field being set to NULL. This patch sets the first fund retrieved from
available funds as the default selection in the scrolling list.
A further enhancement might be to allow the library to choose which fund is the
default fund.
kohabug 2219 Corrects inconsistent use of subscription.serialsadditems column
From the bug report:
The serialsadditems syspref was ostensibly removed in DB rev 071
(http://git.koha.org/cgi-bin/gitweb.cgi?p=Koha;a=commit;h=5c41ae54e68866f9661e853376537059f4d83f70)
in favor of a new serialsadditems column in the subscription table.
However, this removal was incomplete. It is still created for new installations by:
Since the system preference was not removed from the sample data scripts, it
is necessary to add another DB rev to remove it - a user may have made a
fresh install of Koha after DB rev 071.
The current serialitems table structure does not provide for a *:1 relationship with
the serial table. This causes a problem when attempting to add multiple items to a given
serial. The db throws an error when attempting to INSERT in serialitems due to serialid.serialitems
being a unique key. A further side effect is that the marc record is updated with the
item in spite of the error. The mods to the serialitems table structure in this patch
drop serialid.serialitems as a key and make itemnumber.serialitems the primary key
creating a *:1 relationship with the serial table. This patch also makes serialid.serialitems
a foreign key referencing serialid.serial to maintain referential integrity.
Ryan Higgins [Fri, 25 Jul 2008 14:04:07 +0000 (09:04 -0500)]
BUG 2351 : Add duplicate barcode check prior to receiving multiple items. This patch adds a javascript form check for duplicates in-form, and returns an error if there are duplicates in the catalog.
Joe Atzberger [Thu, 24 Jul 2008 21:11:17 +0000 (16:11 -0500)]
TZ - multiple timezone support
Support multiple timezones via Apache SetEnv. See the perldoc for
admin/env_tz_test.pl on how to configure and test. Minimal changes
to Context itself.
This patch fixes the OPAC view and holdability of items:
1. restores a check to itemtype.notforloan to set the norequests flag
2. changes improper boolean OR with AND for checking conditions of setting norequests
3. displays 'Not for loan' for item-level itypes when the itemtype is set to notforloan
4. restores items.notforloan values < 0 allowing holds (ordered items for instance)
We still need a notforhold flag set at the itemtype, and items level
kohabug 2154 Modifying form input controls to accommodate translations
Due to the logic of the underlying picture-upload.pl depending upon the "value" of the
form input controls and this value being translated, the script then failed to function.
This patch changes the input controls so that this should not be an issue.
This issue should be kept in mind, though, so that it can be avoided in the future.