Kyle M Hall [Fri, 27 Sep 2013 16:53:39 +0000 (12:53 -0400)]
Bug 10961: Error in GetMarcBiblio can cause severe data loss
A bug in GetMarcBiblio can cause severe data loss if your database has
records where the biblionumber and biblioitemnumber do not match and the
script misc/batchRebuildBiblioTables.pl is run.
The Biblio::GetMarcBiblio makes a call to
C4::Biblio::_koha_marc_update_bib_ids which passes the biblionumber as
both the biblionumber *and the biblioitemnumber*.
Thus, if your biblio and biblioitem numbers are not always equal, you
will end up with a record where the biblioitemnumber is incorrect in the
record!
This is usually not a severe issue, but since batchRebuildBiblioTables
uses that record to update the database tables, it ends up updating the
wrong biblioitem row!
NOTE: What a horrible, horrible typo that was. Tested this with the
second patch.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 298c4c76a5f231d9cc0935b6f14a5f191b727804) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Mark Tompsett [Fri, 3 Jul 2015 22:04:04 +0000 (18:04 -0400)]
Bug 14487: Noise best detected under Debian 8
The first error is caused by the fact that
$messages->{'IsPermanent'} is undefined.
The second error is caused by querying the CGI
parameter 'barcode' inside a function call. This is not required.
There is a variable $barcode set with the parameter. Changed to
use the variable.
TEST PLAN
----------
1) Test first patch.
2) Clear the log
3) Put in a barcode which is not checked out.
4) Check the log.
-- should be two errors. One about a hash,
the other will only be detectable under Debian 8.
5) Apply this second patch
6) Clear the log
7) Put in a barcode which is not checked out.
8) Check the log.
-- should be empty.
9) run koha qa test tools
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com> Signed-off-by: Nick Clemens <nick@quecheelibrary.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit beef8534724900e5777fc7b6d163763712decb1f) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
1/ check out an item and then check it back in.
1/ check the logs after the check-in to see the warns from
returns.pl line 623 of :
(a) Use of uninitialized value $holdingBranch
(b) Use of uninitialized value $collectionBranch
2/ apply patch
3/ check out and check-in again. no warns are recorded this time.
NOTE: Under Debian Jessie, there are other messages.
Additionally, this only corrects the line 623 ones.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Nick Clemens <nick@quecheelibrary.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 0d632a606f499c31afb8a08f81625c4dfbddb445) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
mxbeaulieu [Mon, 15 Jun 2015 15:05:51 +0000 (11:05 -0400)]
Bug 14387: Merge reference selection has no effect when merging authorities.
This patch swaps the authority records according to the reference record selection.
To TEST:
Merge two authority records, select the second as merge reference.
The reference authority is always the first.
Apply the patch.
Repeat previous steps, the authority is now merged using the selected reference record.
modified: authorities/merge.pl
Signed-off-by: Nick Clemens <nick@quecheelibrary.org> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit ee7666a5fdd1b04f1bf50aa89900488e1a01402b) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Bug 11693: Default emailing preferences not loaded for self registering patron
The call to AddMember_Opac does not take care of the messaging prefs
when enhanced messaging is enabled.
This patch adds the call to handle_form_action to do that.
Test plan:
Enable self registering patrons and enhanced messaging.
Check the (default) message prefs for the relevant patron category. At least
enable email for one notice.
Self-register a user with and without verification email enabled.
Check in both cases that the message prefs of the user conform to
those in the patron category. (So at least one enabled.)
Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit f7ed250d618c57a3fc00728bbb93460b25ceda52) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Jacek Ablewicz [Wed, 24 Jun 2015 17:43:05 +0000 (19:43 +0200)]
Bug 14456: EmbedSeeFromHeadings record filter shouldn't process MARC holding fields
If the system preference IncludeSeeFromInSearches is enabled, records
exported for zebra indexing are being additionally processed by
EmbedSeeFromHeadings record filter (right now used only in rebuild_zebra.pl
script). This filter embeds 'see from' fields (extracted from authority
records linked with the given biblio via $9 subfields) into target MARC
record, which is then subsequently indexed in zebra.
Currently all fields containing $9 are getting the same exact treatment
by this filter. But on the export stage when the filter is applied, MARC
record being processed already does have holdings data fields added in
the previous stage (usually 952 / 995, depending on the MARC format).
Problem is that holdings data fields use to have $9 subfields in them
as well (mapped to item.itemnumber by default). As a consequence, some
(great many in the typical setup) records exported for zebra indexing
may have surplus "see from" fields added erroneously in semi-random
fashion, so biblio searches would often return some completely
unexpected additional results.
EmbedSeeFromHeadings record filter should not process holdings fields
when dealing with MARC records intended for zebra indexing.
To reproduce:
1) database with as many sample or real-world biblio, item and authority
records as possible is recommended for testing purposes
2) enable IncludeSeeFromInSearches
3) export a bunch of biblio records for zebra (e.g.:
misc/migration_tools/rebuild_zebra.pl -I -b -x -k -length=1000),
inspect the result xml records in /tmp/<whatever> file; observe that at
the end of many records, here and there some extra "see from" (= 1st
indicator: 'z') fields tend to appear, which shouldn't be there ;)
To test:
4) apply patch
5) redo 3)
6) compare results from 3) and 5) with diff
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
I introduced a regression test for this. You should run the tests
without/with the patch and verify that the patch actually fixes the problem.
Good job Jacek! I'm sure writing the regression test would take less time
than such a detailed commit message!
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit f3a8b7a0e1e1bf112628c6215105ab80f25ed94f) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Test plan:
Run git grep -E "borroewr|borow". You should not find anything now.
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Typos in comments corrected.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 7d4e7e4e525fc99cb4452de135e161a0e0866753) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Jonathan Druart [Thu, 9 Jul 2015 09:31:07 +0000 (10:31 +0100)]
Bug 14404: Rename class no-show to noshow for consistency with nosort
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 0183cc0223678f6b3f0885213c7223ddb31acf5d) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Kyle M Hall [Tue, 16 Jun 2015 23:05:10 +0000 (19:05 -0400)]
Bug 14404: Checkouts default sort order for Self Checkout (SCO) confusing for patrons
Libraries are reporting that patrons are very confused during
self-checkout. The problem is they are expecting the list of checkouts
to be in the order they checked out the items ( first checkout on the
bottom, last item checked out on top ). However, the checkouts
table is sorted by title ( ascending ) then due date ( descending ).
This is not intuitive.
Test Plan:
1) Enable Koha's self checkout
2) Use the SCO to check out a random assortment of items,
make sure you don't check them out in alphabetical order
3) Note the order of the items in the list is not based on the order
you checked them out in
4) Apply this patch
5) Refresh the page
6) Note the items are now in the order you checked them out
with the last on top and the first on bottom
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit e9061028c1ba95b310be5e9333b224e735e64f40) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
When creating a new notice, warn is triggered "Argument "" isn't numeric in numeric gt (>) at line 400". Same warn is triggered when changing Koha module option to any other module.
To test:
1) Go to Tools, then Notices & Slips
2) Click 'new notice'. Notice warn in intranet-error.log
3) Change Koha module to another module. Notice warn is triggered for every change
4) Apply patch and reload page
5) Change Koha module to another module. Notice there are no longer warns
6) Go back to Notices & Slips and click 'new notice' again. Notice there are no warns
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 7098a36b19c35a06a51361bd381416a1204de38d) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Aleisha [Wed, 24 Jun 2015 01:15:32 +0000 (01:15 +0000)]
Bug 14445: Silences warn in letter.pl
When changing Koha module to 'Circulation', there is a warn saying that $code is uninitialized. This patch sets $code to an empty string to silence the warn.
To test:
1) Go to Tools, then Notices & Slips
2) Click 'new notice' (This will trigger warns, but ignore these as they will be corrected in the next patch)
3) Change Koha module to 'Circulation'
4) Notice warn about uninitialized $code variable
5) Apply patch and reload page, change Koha module to 'Circulation'
6) Notice page still works and warns are gone
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit fe3a49e61133e1e66d0075f3300cd3a99e691890) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Jonathan Druart [Sun, 24 May 2015 16:00:57 +0000 (18:00 +0200)]
Bug 14263: Fix export of item search results when translated
This csv does not use the correct way to display headers.
They should be put in a separate file to get a correct display.
Without this patch, the first line of the generated file contains the
headers + data
Test plan:
1/ choose a language and update + translate the templates
for instance:
cd misc/translate;
./translate update es-ES; ./translate install es-ES
2/ Go to the item search form using this language
3/ Launch a search and select CSV to display the results.
The CSV headers should be correct
Signed-off-by: Frederic Demians <f.demians@tamil.fr>
Seen the bug. Works as described.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit ece2b02a57fdb692c02f00540df436af1f5ba971) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Bug 14494: Terribly slow checkout caused by DateTime->new in far future
An expiry date like 9999-12-31 in the local timezone will make DateTime
spend a lot of time (maybe 60 seconds) on date calculation. See the
DateTime documentation on CPAN.
A calculation in floating (or alternatively in UTC) would only take
a few milliseconds.
This patch makes two changes in this regard:
[1] The compare between expiry date and today in CanBookBeIssued has been
adjusted in Jonathan's patch. I am moving the compare to the floating
timezone (as was done in my original patch). This removes a hardcoded
9999.
[2] If ReturnBeforeExpiry is enabled, CalcDateDue compares the normal due
date with the expiry date. The comparison is now done in the floating
timezone. If the expiry date is before the due date, it is
returned in the user context's timezone.
NOTE: The calls to set_time_zone moving to or from floating do not adjust
the local time.
TEST PLAN:
First without this patch (and the one from Jonathan):
[1] Set expiry date to 9999-12-31 for a patron.
[2] Enable ReturnBeforeExpiry.
[3] Checkout a book to this patron. This will be (very) slow.
Continue now with this patch applied:
[4] Check in the same book.
[5] Check it out again. Should be much faster.
Bonus test:
[6] Set borrower expiry date to today. Change relevant circulation rule
to loan period of 21 hours. Test checking out with a manual due date
/time just before today 23:59 and after that. In the second case the
due date/time should become today 23:59 (note that 23:59 is not
shown on the checkout form).
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 17d04c46190880d3031adbc02553f82234d70fc1) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Jonathan Druart [Thu, 9 Jul 2015 08:52:28 +0000 (09:52 +0100)]
Bug 14494: Prevent slow checkout if the patron does not have an expiry date
If a patron has an expiry date set to 9999-12-31 (for organizations for
instance), the checkouts are very slow.
It's caused by 2 different calls to DateTime in CanBookBeIssued:
1/
DateTime->new( year => 9999, month => 12, day => 31, time_zone => C4::Context->tz );
The time_zone should not be set (as it's done in Koha::DateUtils), set to UTC or floating tz.
2/
DateTime->compare($today, $expiry_dt)
The comparison of 2 DT with 1 related to 9999 is very slow, as you can
imagine.
For 1/ we need to call Koha::DateUtils::dt_from_string (actually, we
should never call DateTime directly).
For 2/ we just need to test if the date is != 9999, no need to compare
it in this case.
Test plan:
Before this patch, confirm that the checkouts are slow if the patron has a
dateexpiry set to 9999-12-31.
update borrowers set dateexpiry="9999-12-31" where borrowernumber=42;
After this patch, you should not see any regression when checking out
items to an expired patron and to a valid patron.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 8d58acc565c8500d4b9d55cacb3d6d21628a899b) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Kyle M Hall [Thu, 25 Jun 2015 16:54:51 +0000 (12:54 -0400)]
Bug 14465 - Broken umlauts/diacritics in feedback of last checkout
This was tested in 3.18 after upgrading to the security release. The
feedback on the last checkout information introduced by bug 13315 has
encoding problems in the displayed title (see screenshot).
This is a really prominent place to display broken encoding.
Test Plan:
1) Apply this patch
2) Check out an item with broken encoding
3) Note the title now displays properly
Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
We already put it in production... so this better works :)
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
David Cook [Mon, 13 Jul 2015 04:06:46 +0000 (14:06 +1000)]
Bug 14521: SQL injection in local use system preferences
This patch fixes a SQL injection vulnerability in the local use
system preferences.
_TEST PLAN_
Before applying:
1) Go to Global System Preferences
2) Click on the "Local use" tab
3) Add a new preference with the value "') or '1' = '1' -- "
(be sure to include the space at the end after the comment --).
4) When the page refreshes, you should now see about 99 other system
preferences which shouldn't be showing up.
5) Apply the patch
6) Refresh the page
7) Note that you now only see a system preference for "') or '1' = '1' -- "
and the other actual local use system preferences.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit a72262a950aa701cebe460e2a3a7586edecd86be) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
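Added example, not part of the commit and not Koha's code: the test-plan string run against a concatenated query and against the same query with bound parameters, in Python with an in-memory SQLite table. The table columns, the preference rows and the quoted `IN (...)` query shape are assumptions chosen to fit the `')` prefix of that string; the page does not show the query that was fixed.

```python
import sqlite3

# String taken verbatim from the test plan above (note the trailing space).
TEST_PLAN_VALUE = "') or '1' = '1' -- "


def make_db():
    """In-memory stand-in for the preferences table (constructed schema and rows)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE systempreferences (variable TEXT PRIMARY KEY, value TEXT)"
    )
    db.executemany(
        "INSERT INTO systempreferences VALUES (?, ?)",
        [
            ("dateformat", "us"),          # constructed core preferences
            ("opaccredits", ""),
            ("OPACPrivacy", "0"),
            ("MyLocalPref", "1"),          # constructed local-use preference
            (TEST_PLAN_VALUE, "x"),        # the preference created in step 3
        ],
    )
    return db


def list_by_concatenation(db, names):
    """'Before' form: names are pasted into the SQL text between quotes.

    A name containing ') closes the list early, and the rest of the name
    is parsed as SQL instead of being compared as data.
    """
    quoted = ",".join("'" + n + "'" for n in names)
    sql = (
        "SELECT variable FROM systempreferences "
        "WHERE variable IN (" + quoted + ") ORDER BY variable"
    )
    return [row[0] for row in db.execute(sql)]


def list_with_placeholders(db, names):
    """'After' form: one ? per name, values sent separately from the SQL text."""
    marks = ",".join("?" for _ in names)
    sql = (
        "SELECT variable FROM systempreferences "
        "WHERE variable IN (" + marks + ") ORDER BY variable"
    )
    return [row[0] for row in db.execute(sql, list(names))]


def total_rows(db):
    return db.execute("SELECT COUNT(*) FROM systempreferences").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    local_use = ["MyLocalPref", TEST_PLAN_VALUE]
    print("concatenated :", len(list_by_concatenation(db, local_use)), "rows")
    print("placeholders :", list_with_placeholders(db, local_use))
```

With bound parameters the odd-looking preference is still listed, as step 7 expects, because it is compared as a plain string rather than parsed.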
Jonathan Druart [Mon, 13 Jul 2015 14:44:23 +0000 (15:44 +0100)]
Bug 14524: Don't escape query_cgi with uri
According to the doc, we should not escape query_cgi with the uri
filter:
http://www.template-toolkit.org/docs/manual/Filters.html#section_uri
Since query_cgi can contain something like: "idx=kw&q=42", we should
not escape the & char
Test plan:
0/ Don't apply the patch
1/ Go on launch a search at the OPAC
2/ Click on the RSS icon
3/ You should arrive on
opac-search.pl?idx%3Dkw%26q%3D42&count=50&sort_by=acqdate_dsc&format=rss2
The & has been escaped.
4/ Apply the patch
5/ Now you should get result and see an url correctly formatted.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Get notes and subjects from MARC record
ONLY when XSLT is not activated.
It's useless doing it when XSLT is activated,
because XSLT takes care of it by its own.
=> With this patch, we are saving precious
milliseconds
I compared the display of some records in XSLT view with and without patch, was the same (as expected).
Signed-off-by: Marc Veron <veron@veron.ch> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
On a slower server, I saw a time save of 0.0274 to 0.0908 seconds (with XSLT).
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 468d3d9c83a9760e796cdf43c7da2766ccf7c9b9) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Bug 14485: HTML comment disables translation in cataloguing/addbooks.tt
In cataloguing/addbooks.tt, the line :
[% total %] result(s) found in catalog,
is not present in PO files even after an update.
I've found that the cause is the previous HTML comment line.
This patch converts HTML comment into TT comment and adds a div to have a more comprehensive string to translate.
Test plan :
- without patch
- go into <sources>/misc/translator
- run PO update for example in french : translate update fr-FR
=> the text "result(s) found in catalog" is missing from PO file : fr-FR-staff-prog.po
- restore default PO files
- apply patch
- go into <sources>/misc/translator
- run PO update for example in french : translate update fr-FR
=> You find text "result(s) found in catalog" in PO file : fr-FR-staff-prog.po
Sponsored-by: Universidad de El Salvador Signed-off-by: Hector Eduardo Castro Avalos <hector.hecaxmmx@gmail.com>
Works as advertised. Just one msgid appear with msgid "%s result(s) found in catalog,"
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit e2ab42716825c5dedbb0036ae56a28e6119083f5) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
David Cook [Tue, 9 Jun 2015 04:25:23 +0000 (14:25 +1000)]
Bug 14366: Units doesn't get saved usefully for patroncards
This patch causes the "Units" to be saved and displayed correctly
for the "Edit layout" screen in Patroncards.
_TEST PLAN_
Before applying:
0) Create a new layout
1) Edit the layout, change the units, and click Save
2) Edit the layout again, and notice the units are still "PostScript Points"
Apply the patch:
3) Edit the layout again, change the units, and click Save
4) Edit the layout again, note that the units have changed to your
selection
5) Rejoice
Signed-off-by: Nick Clemens <nick@quecheelibrary.org> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit f573a155974c84a6fb433bff86a220d4644ad27e) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Nick Clemens [Wed, 17 Jun 2015 01:48:18 +0000 (21:48 -0400)]
Bug 13950: Sort Item search home library list by branch name
On the item search form the list of home libraries isn't sorted
alphabetically by their description.
To test:
- Ensure that you have libraries whose code/name are sorted in a different alphabetical order (e.g. Aardvark/ZZZ & Zebra/AAA)
- Staff: Advanced search - item search
- See that libraries are sorted in code order
- Apply patch
- Verify selection block for home library is correctly sorted after
applying the patch.
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 958be9804a50c3e13f74c4d5f81348e2256a8042) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Mirko Tietgen [Thu, 25 Jun 2015 13:38:42 +0000 (15:38 +0200)]
Bug 14453: (followup) Fix shipped XSLT files
Make the shipped XSLTs for authorities (MARC21 and UNIMARC) the same as the generated version
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit fbe25b1d8e1806768b04d829bd9fc1a05f4861cf) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Fridolin Somers [Wed, 24 Jun 2015 14:06:05 +0000 (16:06 +0200)]
Bug 14453: kohaidx is missing for id in authority-koha-indexdefs.xml
In authority-koha-indexdefs.xml, all tags use the namespace "kohaidx" except the tag "id".
When re-generating authority-zebra-indexdefs.xsl, the line :
<xslo:variable name="idfield" select="normalize-space(marc:controlfield[@tag='001'])"/>
is modified :
<xslo:variable name="idfield" select="normalize-space()"/>
This is an error.
This patch adds kohaidx namespace to correct.
Test plan :
- Without patch
- go to etc/zebradb/marc_defs/marc21/authorities/
- run : xslproc xsltproc ../../../xsl/koha-indexdefs-to-zebra.xsl authority-koha-indexdefs.xml > authority-zebra-indexdefs.xsl
- read authority-zebra-indexdefs.xsl
=> the line has changed : <xslo:variable name="idfield" select="normalize-space()"/>
- Apply patch
- go to etc/zebradb/marc_defs/marc21/authorities/
- run : xslproc xsltproc ../../../xsl/koha-indexdefs-to-zebra.xsl authority-koha-indexdefs.xml > authority-zebra-indexdefs.xsl
- read authority-zebra-indexdefs.xsl
=> the line has not changed
(same for unimarc flavor)
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
As Mirko mentioned, the xslt's now generate the facet-processing templates in
the authority xslt's too. They are harmless because we don't define facets
for authority records. If we did, it would be harmless too.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 2365537eea9d5cd6526843b1cd0c2152a6def06c) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Winona Salesky [Thu, 4 Jun 2015 02:46:23 +0000 (22:46 -0400)]
Bug 14326: XSLT Syntax error in MARC21slimOPACResults.xsl
Test Plan:
1) Apply this patch
2) Ensure you are using the default XSLT setting for the staff and opac record details
3) Perform an opac search check "Availability" for expected display values.
5) Note this patch corrects invalid syntax in xslt, there should be no visible changes to the results page.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 058b50de5b09ee2ba3efc953b9846bc79d712c31) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Bug 14135: Adds 'Free' to variabletypes in systempreferences.tt
The 'Local Use' system preference addition/modification template provides the following options against "Variable Type" - Choice, YesNo, Integer, Textarea, Float, Themes, Languages, Upload or ClassSource.
There is no option presented for "Free" which seems to be the most
used variable type out-of-the-box (i.e. INTRAdidyoumean,
OPACdidyoumean, UsageStatsID and UsageStatsLastUpdateTime)
This trivial patch proposes to modify the systempreferences.tt
and add the option 'Free' to the list offered to users.
Test Plan
=========
1/ Go to Home > Administration > System preferences > Local use
2/ Click on 'New preference'.
3/ In the fieldset 'Koha Internal', the variable types offered
are Choice, YesNo, Integer, Textarea, Float, Themes,
Languages, Upload or ClassSources.
4/ Clicking on 'Choice' should set the 'preftype' field as
'Choice'.
5/ Apply this patch.
6/ Refresh the page.
7/ The variable types list should read - "Free, Choice, YesNo,
Integer, Textarea, Float, Themes, Languages, Upload or
ClassSources".
8/ Clicking on 'Free' should set the 'preftype' field as 'Free'.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
NOTE: Discovered that there is no validation on the type field.
However, that is beyond the scope of this bug.
Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 9f008a102415c8b71a1f4a976bc15691c2663b5c) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
The regex /|date>>/ will match much more than you like :)
The unescaped pipe is bad, but you also need to remove the >> because
the split a few lines above it removes them already.
This allows you to recover from an error like this one, running another
report with a string parameter:
The given date (india%) does not match the date format (us) at
Koha/DateUtils.pm line 144.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amended for possible spaces around the word date.
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit bfea40b6e8161629c11d97be5eeba56fb6d59ba3) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Mark Tompsett [Wed, 24 Jun 2015 16:13:46 +0000 (12:13 -0400)]
Bug 14382: Non-ISO Date parameters generate empty reports.
The issue is that SQL expects ISO dates, but the user may wish to view dates according to the dateformat system preference.
By detecting a date preference, the non-ISO dates can be converted to ISO dates before being stuffed back into the SQL query to be executed.
TEST PLAN
---------
1) Add a report with date parameters.
-- I used 'Holds placed in date range' from
http://wiki.koha-community.org/wiki/SQL_Reports_Library
2) Set your dateformat to YYYY-MM-DD
3) Run the report
-- Note the SQL reads
"... BETWEEN '{date formatted in YYYY-MM-DD}'..."
-- If there is supposed to be data, there is some.
4) Set your dateformat to MM/DD/YYYY
5) Run the report
-- Note the SQL reads
"... BETWEEN '{date formatted in MM/DD/YYYY}'..."
-- If there is supposed to be data, there is none.
6) Apply patch
7) Repeat steps 2-5
-- The SQL will always read YYYY-MM-DD (ISO) format.
-- The report will have data, if there is some.
8) koha qa test tools.
Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Adding a QA follow-up.
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit c3fea53039a6c53c766b0403eedd57f644c6f772) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Conflicts:
reports/guided_reports.pl
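Added example, not part of either commit and not Koha's code: a Python rendering of the two report-parameter messages above (the `/|date>>/` follow-up and Bug 14382), showing why an unescaped pipe marks every parameter as a date and how a tightened pattern converts only real date parameters to ISO. The sample report, the format table and the fixed pattern `\|\s*date\s*$` are assumptions built from what the messages describe.

```python
import re
from datetime import datetime

# Constructed report using the <<Label|type>> parameter syntax.
REPORT_SQL = (
    "SELECT * FROM reserves "
    "WHERE reservedate BETWEEN <<From|date>> AND <<To | date>> "
    "AND branchcode LIKE <<Library>>"
)

# Pattern quoted in the commit message: the bare | makes the first
# alternative empty, and an empty pattern matches any string at position 0.
BUGGY_DATE_RE = re.compile(r"|date>>")

# Assumed corrected pattern: literal pipe, optional spaces around the word
# "date", and no ">>" because the split below has already removed it.
FIXED_DATE_RE = re.compile(r"\|\s*date\s*$")

# Hypothetical mapping from a dateformat preference to a strptime pattern.
DATE_FORMATS = {"us": "%m/%d/%Y", "metric": "%d/%m/%Y", "iso": "%Y-%m-%d"}


def parameter_labels(sql):
    """Split on the << and >> delimiters; odd-numbered pieces are the labels."""
    return re.split(r"<<|>>", sql)[1::2]


def to_iso(value, dateformat):
    """Parse a date typed in the display format; raise ValueError if it is not one."""
    parsed = datetime.strptime(value, DATE_FORMATS[dateformat])
    return parsed.strftime("%Y-%m-%d")


def bind_values(sql, values, dateformat, date_re):
    """Return the values to bind, converting only parameters flagged as dates.

    Values are returned for binding rather than pasted into the SQL text.
    """
    bound = []
    for label, value in zip(parameter_labels(sql), values):
        if date_re.search(label):
            value = to_iso(value, dateformat)
        bound.append(value)
    return bound


if __name__ == "__main__":
    user_input = ["07/01/2015", "07/31/2015", "india%"]  # constructed input
    print(bind_values(REPORT_SQL, user_input, "us", FIXED_DATE_RE))
    try:
        bind_values(REPORT_SQL, user_input, "us", BUGGY_DATE_RE)
    except ValueError as err:
        # Same failure class as the "(india%) does not match the date format"
        # error quoted above: a text parameter was sent to the date parser.
        print("buggy pattern:", err)
```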
Kyle M Hall [Thu, 25 Jun 2015 21:22:25 +0000 (17:22 -0400)]
Bug 9942: [QA Followup] - Add test and alert to returns.pl
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit efedadebf233cf7f2b8c1eb64d1687b282d94474) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Jonathan Druart [Thu, 9 Apr 2015 11:07:05 +0000 (13:07 +0200)]
Bug 9942: Make Koha fail if privacy is not respected
If a patron has requested anonymity on returning items and the system is
not correctly configured (AnonymousPatron not set or set to an inexistent
patron), the application should take it into account and not fail
quietly.
This patch is quite radical: the script will die loudly if the privacy
is not respected.
To take care of the bad "Software error", some checks are done in the
updatedatabase to be sure the admin will be warned if something is wrong
in the configuration.
Test plan:
1/ Test the updatedatabase entry:
a. Turn on OPACPrivacy and set AnonymousPatron to an existing patron
=> You will get a warning
b. Turn on OPACPrivacy and set AnonymousPatron to 0 or ''
=> You will get a warning
c. Turn on OPACPrivacy and set the privacy to 2 (Never) for at least 1 patron
Turn off OPACPrivacy
=> You will get a warning
d. In all other cases you will get no error
2/ Test the interface
a. Turn on OPACPrivacy and set the privacy to 2 (Never) for a patron
b. Now you can turn off OPACPrivacy or keep it on, behavior should be
the same
c. Check an item out to the patron
d. Check the item in using the check out table
=> fail
e. Check the item in using the Check in tab
=> fail (not gracefully).
Note that the software error could appear on other pages too.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Updatedatabase works as described
On staff, if don't have correct settings for anonymity it's
impossible to check-in (with OPACPrivacy on)
No errors
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 94315f663b8a582fb7ef68de2bd9c3933901cd7f) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Kyle M Hall [Thu, 25 Jun 2015 20:41:23 +0000 (16:41 -0400)]
Bug 14467: Security updates break some Koha plugins
The new security updates break previously functioning plugins, most
notably the cover flow plugin and the Ebsco EDS plugin.
Test Plan:
1) Install and configure the cover flow plugin ( http://bywatersolutions.com/koha-plugins/ )
2) Note that attempting to access coverflow.pl from the OPAC results in an error
3) Apply this patch
4) Note that coverflow.pl now outputs html again
Signed-off-by: Nick Clemens <nick@quecheelibrary.org> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit e0d2bc669e385cfd1c42c1e83aaff3495a75a822) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Liz Rea [Tue, 16 Jun 2015 04:12:57 +0000 (16:12 +1200)]
Bug 14389: Editing a syspref in a textarea does not enable the Save button
Test plan:
1. Navigate to the "opaccredits" syspref (or any other textarea, i.e.,
"Click to Edit", syspref) in the system preferences editor.
2. Change its contents, by either pasting or typing. The field may not
be marked as modified, even after you click outside the box.
3. Apply the patch.
4. Reload the page and try again; either pasting or typing should mark
the field as changed and allow you to save.
Signed-off-by: Jesse Weaver <pianohacker@gmail.com>
Confirmed working for normal input, paste and middle-click paste in
Chrome and Firefox in Linux.
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit c95e794bd458377d742280ae8fff281ddf395e04) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Jonathan Druart [Tue, 23 Jun 2015 08:40:15 +0000 (10:40 +0200)]
Bug 14324: Display "Add Child" for Organisations on circ/circulation.pl
On moremember, the button is displayed for Organisations.
To be consistent, it should be displayed on the circulation page too.
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 198e6669eeb68519b4909d99631d84aed068845e) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Bug 14324: Set "adultborrower" regardless of guarantor status.
Signed-off-by: Jason Robb - SEKLS (jrobb@sekls.org) Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit f05931e05154cc85df4036fe7c4acdfc0ddb5995) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Jonathan Druart [Wed, 1 Apr 2015 14:23:48 +0000 (16:23 +0200)]
Bug 8802: On editing a library group category type is not set
The category type was always set to 'searchdomain', because it's the
first of the dropdown list.
Test plan:
1/ Create or edit a library group
2/ Set the category type to "properties"
3/ Edit it again
4/ Confirm "properties" is correctly selected
Signed-off-by: Nick Clemens <nick@quecheelibrary.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit fc6789c20636f8104854b74209b658634831f4e5) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Katrin Fischer [Sun, 7 Jun 2015 23:30:58 +0000 (01:30 +0200)]
Bug 14356: Improvements to the 'Transfers to receive' page
Patch makes several small changes to the template for the
'Transfers to receive page'
1) Show the branch name instead of the branchcode in the
table of incoming transfers.
If there is a hold connected with the transfer:
2) Show the patron's name as 'surname, firstname'
instead of 'surname firstname'
3) Restore broken feature: Show a mailto: link with a
generated subject of 'Hold: <title>'.
The mailto: feature actually existed in the templates, but
was broken due to a misnamed database column. I made some small
changes to make the subject translatable (see bug 8330).
To test:
- Create a transfer by placing a hold with pickup at another library
- Create a transfer manually
- Go to the circulation > transfers to receive
- Check the changes explained above, compare before and after
- Check the mailto: link works as expected
Bonus: Check the Hold: bit in the subject is really translatable now.
Signed-off-by: Nick Clemens <nick@quecheelibrary.org> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit e5cea455d00c52b4a81e87b4dc77315c03ce8630) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Nicolas Legrand [Thu, 28 May 2015 14:32:29 +0000 (16:32 +0200)]
Bug 14290: Add a table foot to circulation matrix
Reprinting the circulation matrix header in a footer helps editing entries in
a big matrix. Otherwise, the header disappears and it's hard to tell
which columns we're editing.
Test plan: try to add, modify or delete some entries in the
circulation matrix, everything should work as expected.
Patch works as expected. Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 1ea3465d30b1b0fcd12a5592ce5a4c34a9a58462) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Bug 12616: Locale in subscriptions not preselecting correctly
There is a problem if a language is present but
doesn't have an ISO639-2 code. The locale pulldown on serial
subscription is malformed.
To reproduce on master:
a) remove some entries on language_rfc4646_to_iso639
b) go to Serials > New subscription
c) Put any value on Vendor and record, press Next>>
d) Look at locale pulldown, it must default to last
removed lang from a), also other langs have no value
and are also 'selected' on html
To test:
1) Reproduce the problem
2) Apply the patch
3) Add New subscription, pulldown must be fixed
NOTE: Deleted Urdu and Chinese.
Master had both "selected" in the HTML.
Applied patch, neither were added.
Defaults to first item, which is blank meaning English.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit b9c4061479235d0d79ecbd917b015db5441d8118) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Katrin Fischer [Mon, 8 Jun 2015 03:29:16 +0000 (05:29 +0200)]
Bug 13874: 'Rotating collections' are a circulation tool
Moves the entry for 'Rotating collections' from the Catalog
column to the 'Patrons and circulation' column.
To test:
- Verify the entry has been moved on the tools home page
NOTE: I agree that collections makes more sense under the new
column.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit da8ec2d37a43c87ad5b087511dd8e4ce082f022f) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Mark Tompsett [Wed, 15 Apr 2015 16:33:29 +0000 (12:33 -0400)]
Bug 14001: Inventory has bad $_ references
After receiving an error while attempting a simple inventory run,
two lines were changed from:
...$_->...
to
...$item->...
since the loop variable is $item. And $_ is not set to the
expected hash reference, when there is a loop variable.
This also helps explain the "Why are there blank dates on my
last seen field?" problem that has been mentioned by users.
TEST PLAN
---------
1) Apply this patch after a reset to master.
2) Log in to staff client
3) Add one item via z39.50, setting barcode to a known value (BARCODE1)
4) Wait for the reindex
5) Home -> Tools -> Inventory/Stocktaking
6) Browse for a file with the barcode in it
7) Set the library dropdown to the library branch of the added item.
8) Check 'Compare barcodes list to results:'
9) Click 'Submit'
-- This should not die under plack.
This should not generate blank last seen dates.
The last seen dates should be as expected.
10) run koha qa test tools
11) Confirm the two change points correspond to the two change points
in the patch which shall not be pushed to master.
The test results comply with the expected outcome outlined in the test plan.
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 3ebc081962247ce0c598da810451c459909842bc) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Katrin Fischer [Wed, 17 Jun 2015 10:28:39 +0000 (12:28 +0200)]
Bug 14401: Zebra index configuration doesn't allow exact search for C.
2 lines in the Zebra configuration files prevent an exact search for C.,
while all other [A-Z]. searches work correctly.
After taking a look at the /etc/zebradb/etc/word-phrase-utf.chr
those 2 lines cause the problem:
map (^c\.) @
map (^C\.) @
I propose to remove them.
To test:
- Catalog a record with an item with callnumber: C.
- Catalog a record with an item with callnumber: B.
- Try searching for the second using callnum,ext:B. (exact field search)
- Verify search works.
- Try searching for the other with callnum,ext:C.
- Verify no result.
- Apply the patch - copy the zebra config file if necessary into the right spot
- Reindex
- Repeat searches - both should not bring up the correct record.
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit f86743d893b61a4609d2f02a175db9944710067e) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Robin Sheat [Wed, 27 May 2015 00:25:34 +0000 (12:25 +1200)]
Bug 14394: fix documentation of OpacHiddenItems
The current documentation of OpacHiddenItems told people to go and read
a file on the server, which most people don't have access to. This
replaces it with a link to the wiki.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
It doesn't apply for some reason. Fixed
Added target attribute to open in new window/tab,
hope you don't mind.
Updated documentation
No errors
Belongs to Aleisha or Robin?
Update assignee please :)
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 865321f3726c3b6065ef72107017c4171630d140) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Mark Tompsett [Fri, 19 Jun 2015 13:00:33 +0000 (09:00 -0400)]
Bug 14422: Typo in updatedatabase.pl
TEST PLAN
---------
1) backup db
2) git checkout -b my_3.6.x origin/3.6.x
3) drop db and create blank one
4) git reset --hard origin/3.6.x
5) run web installer
6) set HomeorHoldingBranchReturn system preference to 'holdingbranch'.
7) create a Default checkout, hold rule
home -> koha administration -> Circulation and fines rules
-- I put 10 checkouts total and clicked 'Save'
-- there currently is not 'returnbranch' in default_circ_rules.
8) git reset --hard origin/3.20.x
-- or whatever version you apply this to
(3.8.x, 3.10.x, 3.14.x, 3.16.x, 3.18.x, or 3.20.x
-- 3.21.00.008 deletes the systempreference involved)
9) ./installer/data/mysql/updatedatabase.pl
10) check HomeorHoldingBranchReturn systempreference
-- Currently says 'holdingbranch', but
the value of 'returnbranch' in default_circ_rules is
'homebranch'.
11) repeat steps 3-8
12) apply this patch
13) repeat steps 9-10
-- Currently says 'holdingbranch', and
the value of 'returnbranch' in default_circ_rules is
'holdingbranch'.
14) run koha qa test tools
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Tested using 3.6.x install, updated to 3.8.x
Value is preserved
No errors
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Note: I haven't followed the test plan, but the fix is trivial.
Maybe it could be worth it to update 3.21.00.008 and check the value of
HomeOrHoldingBranchReturn before deleting it.
We could raise a warning if HomeOrHoldingBranchReturn ==
'holdingbranch'. Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 8c91ca7903846da0cf7a73914a0b78484c0429df) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Katrin Fischer [Mon, 8 Jun 2015 00:15:03 +0000 (02:15 +0200)]
Bug 4925: Remove Smithsonian as a delivered z39.50 target
Removes the Smithsonian as a target installed with the
sample data during installation.
Also adds the newer LOC authority targets to files where
they were missing.
To test:
- Verify the Smithsonian has been removed from all
translated installers
- Verify the files are still valid SQL and install
correctly
NOTE: There was tiny scope creep which included ensuring
there were two Authority z39.50 servers as well.
Text files properly reflect the removal.
SQL 'source' of SQL files worked properly.
Was able to Z39.50 search for all of the 'en'.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 0ca21c1e488f150cca74beb9a67b285e5531f3b5) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Intranet:
1/ Marc view link
2/ The Please upload one image link
Test plan:
On a record detail page (staff and OPAC), print the page and confirm
these blocks no longer appear.
Signed-off-by: Nick Clemens <nick@quecheelibrary.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 68f0fe7b6f152a6db100525724c1ece507258652) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Conflicts:
koha-tmpl/intranet-tmpl/prog/en/css/print.css
Katrin Fischer [Mon, 8 Jun 2015 00:58:53 +0000 (02:58 +0200)]
Bug 10119: Add note about CalculateFinesOnReturn to description of finesmode
This adds a note to the description of the finesmode system
preference mentioning that CalculateFinesOnReturn is another
option for charging fines:
Note: Fines can also be charged by the CalculateFinesOnReturn system preference.
To test:
- Search for the finesmode system preference
- Verify the new text shows and is correct
NOTE: New text appears as expected. You can also just scroll for
it on the Circulation preferences tab.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 45c1b8f7b261493c27aa4d734e9795be619c1c70) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Marc Véron [Tue, 2 Jun 2015 07:54:15 +0000 (09:54 +0200)]
Bug 14313: OPAC - Adding a comment makes result browser disappear
To reproduce:
- Allow commenting in OPAC (Syspref reviewson)
- Log in to OPAC
- Do a search with many results
- Click on a biblio in result list
- Verify that you can browse the results in detail view ("Browse results")
- Repeat the search above
- Click on the same biblio as above
- Add a comment (Tab "Comments")
- Close commenting window
- Click on "Next" in result browser
Result: The next biblio is displayed, but result browser has disappeared.
To test:
- Apply patch
- Try to reproduce issue above, verify that result browser no longer disappears
Amended to remove whitespace chars. / MV
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Bug & solution checked, works well. No koha-qa errors
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 22c5c4b468b3584ed8bf45039c1494e969f2d66b) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Fridolin Somers [Tue, 23 Jun 2015 15:45:30 +0000 (17:45 +0200)]
Bug 14440: get_template_and_user can not have an empty template_name (opac-ratings.pl)
Since Bug 14408, the method get_template_and_user can not have an empty template_name.
Pages calling with an empty value should use C4::Auth::checkauth()
This patch corrects opac/opac-ratings.pl
Test plan :
- Apply patch
- Set syspref OpacStarRatings to 'results and details'
- Disable JavaScript on your browser (otherwise it will use ajax)
- Login at OPAC
- Go to a record
- Click on a button left of 'Rate me' to choose a rating, ie 4
- Click on 'Rate me'
=> The page is reloaded and you see 'your rating: 4'
- Log out from OPAC
- Try to access URL : http://<serveur>/cgi-bin/koha/opac-ratings.pl
=> You see the login page
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit f1acb5615d0cbcba5db5b84e12fbad3d41454347) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit 3d8af819a84847b35ad08e62ba137d3febd878dd)
Bug 14421: Corrected example in SMS.pm to working version with hashref.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Test:
1) Apply patch
2) perldoc C4/SMS.pm
3) Check fixed argument in example
Argument is hashref, POD is now right
Added additional space on second arg
No errors
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 0cb82c8d02cc4b672b169c8b0261c4bb6360cd00) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz <wizzyrea@gmail.com>
Mark Tompsett [Fri, 19 Jun 2015 15:24:57 +0000 (11:24 -0400)]
Bug 14425: Typo in C4::Context IsSuperLibrarian perldoc
TEST PLAN
---------
1) git checkout -b bug_14425 origin/master
2) perldoc C4::Context
/IsSuperlibr
-- see it is bad.
3) apply patch
4) perldoc C4::Context
/IsSuperLibr
-- see it is fixed.
5) koha qa test tools.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Fix typo, no errors.
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
% git grep -i IsSuperLibrarian|wc -l
55
% git grep IsSuperLibrarian|wc -l
55 Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 2b255be22c919b11d690f4dcf8a5e84e93290878) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Liz <wizzyrea@gmail.com>
Katrin Fischer [Tue, 9 Jun 2015 22:11:19 +0000 (00:11 +0200)]
Bug 11458: Improve confusing description of syspref 'gist'
The description of "gist" was:
"Default tax rates are ... (enter in numeric form, 0.12 for 12%.
First is the default. If you want more than 1 value, please
separate with |) "
The doubled use of "default" is confusing here.
With the patch it reads:
Tax rates are ... Enter in numeric form, 0.12 for 12%.
The first item in the list will be selected by default.
For more than one value, separate with | (pipe)
To test:
- Verify that the gist system preference description is
correct.
The use of "default" is confusing here.
Signed-off-by: Aleisha <aleishaamohia@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 6c94fe52f954f93916993f71c472b068096806da) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Liz <wizzyrea@gmail.com>
Katrin Fischer [Tue, 9 Jun 2015 00:32:46 +0000 (02:32 +0200)]
Bug 14215: Change the 'delimiter' syspref description for its wider use
Patch changes 'report files' to 'CSV files' as there are more
options now for downloading and creating CSV files where this
preference is taken into account.
To test:
- Verify the changed system preference description for
'delimiter' is correct.
Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 2eaeb708795e7624eb8873b617d4a38d69fa84fc) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Liz <wizzyrea@gmail.com>
Jonathan Druart [Tue, 24 Mar 2015 16:01:30 +0000 (17:01 +0100)]
Bug 4137: Fix the OPACViewOthersSuggestions behavior
This pref does not work at all, the interface lets the user choose to
list all suggestions, but whatever he chooses the suggestion list is the
same.
This patch cleans up the suggestedby management a bit.
There are a lot of cases to test, because linked to 2 prefs:
AnonSuggestions and OPACViewOthersSuggestions.
1/ AnonSuggestions = 0 and OPACViewOthersSuggestions = 0
- A non logged in user is not able to make a suggestion.
- A logged in user is not able to see suggestions made by someone else.
2/ AnonSuggestions = 0 and OPACViewOthersSuggestions = 1
- A non logged in user is not able to make a suggestion.
- A logged in user is able to see suggestions made by someone else.
3/ AnonSuggestions = 1 and OPACViewOthersSuggestions = 0
- A non logged in user is able to make a suggestion.
The suggestedby field will be filled with the AnonymousPatron pref value.
He is not able to see suggestions, even the ones made by AnonymousPatron.
- A logged in user is not able to see suggestions made by someone else.
4/ AnonSuggestions = 1 and OPACViewOthersSuggestions = 1
- A non logged in user is able to make a suggestion.
He is able to see all suggestions.
- A logged in user is able to see suggestions made by someone else.
In all cases a logged in user should be able to search for suggestions
(except if he is not able to see them).
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
All use cases tested, work as expected
No errors
Only comment is perhaps (in the future) a graceful failure
when AnonymousPatron is not set, or has '0' value
Message is DBIx::Class::ResultSet::create(): Column 'suggestedby' cannot be null at ...
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit be35039b55a351c97f2c1f9a5b373cb26ac5e0b0) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Liz <wizzyrea@gmail.com>
Jonathan Druart [Wed, 22 Apr 2015 10:14:24 +0000 (12:14 +0200)]
Bug 10866: Hide patron's history if intranetreadinghistory is set to not allow
If set to "not allow", the intranetreadinghistory pref prevents staff
members from accessing patron's checkout history.
But:
1/ The page is still accessible if you know the url
2/ The history can be consulted on the item history page
Test plan:
0/ Don't apply this patch
1/ Set the intranetreadinghistory to allow
2/ Go on a patron's checkout history page
3/ Open a new tab and go on a item's checkout history page
4/ Set the intranetreadinghistory to not allow
5/ Refresh both pages => no change
6/ Apply this patch
7/ Refresh both pages.
On the first page, you should see a warning
On the other one, you should see that the patron column is not displayed
anymore.
Followed test plan, results were as expected. Signed-off-by: Marc Véron <veron@veron.ch>
http://bugs.koha-community.org/show_bug.cgi?id=10886 Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Nice addition! Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit d847b1d92a9df6db2bb5321f032f3ec13d6ba55d) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Liz <wizzyrea@gmail.com>
Magnus Enger [Wed, 17 Jun 2015 12:36:44 +0000 (14:36 +0200)]
Bug 14403: Remove warn in Koha::NorwegianPatronDB
Line 99 has an unconditional warn, left over from development:
warn "$combined_username => $combined_password";
This patch deletes the line in question.
To test:
No testing needed, just have a look at the diff and see that
it makes sense to delete the warn.
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit b740b1b412e11b1d540b243e7b1767cc0c1cb962) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Liz <wizzyrea@gmail.com>
Katrin Fischer [Mon, 8 Jun 2015 03:04:56 +0000 (05:04 +0200)]
Bug 13427: jQuery Timepicker is not translated on returns page
The returns page was missing an include with the translated strings.
To test:
- Install an additional language, like de-DE
- Confirm the bug on the returns page
- Make sure SpecifyReturnDate is activated
- Open the datepicker, look at the time settings
- Apply the patch
- Reinstall the language, no update of the po files is needed
- Retest
- Verify, that now the time settings are translated
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Works as expected
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 688452ad7e9131a53a96bd826e6228e73494fa53) Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Liz <wizzyrea@gmail.com>
Katrin Fischer [Mon, 8 Jun 2015 01:18:35 +0000 (03:18 +0200)]
Bug 11467: Bug Untranslatable strings in opac-detail.tt (IDreamBooks*, OpacBrowseResults)
Patch marks several strings in the Javascript on the OPAC detail
and result page for translation.
1) IDreamBooks*
- Activate the 3 IDreamBooks* system preferences
- Check the 'cloud' and additional content shows up correctly on
the detail and result pages
- Verify everything works as expected and the same as without the patch
2) OpacBrowseResults
- Activate OpacBrowseResults
- Do various searches
- Verify the next, previous, browse result list features still
work the same as without the patch
Bonus: Check new strings appear in the .po files by updating one
language with the patch applied (perl translate update de-DE)
NOTE: Really should have read the test plan more closely.
I couldn't find the 'Go to detail:' section, until I clicked
'Browse results'.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 7ab873aaea298c787e93438012fa8792345664f4) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Conflicts:
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-detail.tt
Jonathan Druart [Wed, 24 Jun 2015 09:03:22 +0000 (11:03 +0200)]
Bug 14440: get_template_and_user can not have an empty template_name (quote*_ajax.pl)
This patch uses check_api_auth instead of get_template_and_user.
Test plan:
Confirm that you are still able to access the quote editor with the
edit_quotes permission.
Confirm that you are not if you don't have the permission.
wget your_url/cgi-bin/koha/tools/quotes/quotes_ajax.pl
should return "403 : Forbidden."
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 08871a324fa731ffdbbe87afde1ee145c604a22b) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz <wizzyrea@gmail.com>
Fridolin Somers [Tue, 23 Jun 2015 14:45:21 +0000 (16:45 +0200)]
Bug 14440: get_template_and_user can not have an empty template_name (updatesupplier.pl)
Since Bug 14408, the method get_template_and_user can not have an empty template_name.
Pages calling with an empty value should use C4::Auth::checkauth()
This patch corrects acqui/updatesupplier.pl
Test plan :
- Apply patch
- Connect to intranet with a user having "vendors_manage" permission
- Go to acquisition module
- Create a new vendor
- Click on "Edit vendor"
- Change some information and save
=> Your change is saved
- Connect to intranet with a user not having "vendors_manage" permission
- Try to access <intranet>/cgi-bin/koha/acqui/updatesupplier.pl
=> Access is denied
- Disconnect from intranet
- Try to access <intranet>/cgi-bin/koha/acqui/updatesupplier.pl
=> Access is denied
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 015c26a5e36dae5070eab57f400237715d93ae44) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Liz [Wed, 24 Jun 2015 09:52:05 +0000 (09:52 +0000)]
Bug 14450: itemsearch no longer working
To test:
Click Advanced search in staff client
Click the link for "Go to Item Search" at the top of the page
Do a search, you should get results. Try some combinations and make sure it works like it should.
Signed-off-by: Jacek Ablewicz <abl@biblos.pk.edu.pl> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit f900ea03bf15746bd2c310b59f2fb06972f6bdee) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz <wizzyrea@gmail.com>
Aleisha [Tue, 9 Jun 2015 18:20:52 +0000 (18:20 +0000)]
Bug 11011: Rephrasing 'in keyword' in OPAC authority search
Using 'in the complete record' rather than 'in keyword'. I think this fits well as it seems that this means the search looks anywhere in the record.
To test:
1) In the OPAC, click on Authority Search
2) Notice that in the drop-down menu for the 'Where:' field, there is an 'in keyword' option.
3) Apply patch
4) Now says 'in the complete record'
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 892d374b64fa4eed98955d75b517702f78f1ca40) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz <wizzyrea@gmail.com>
Katrin Fischer [Sun, 7 Jun 2015 21:45:10 +0000 (23:45 +0200)]
Bug 8686: Raise required version of URI::Escape to 3.31
Raises the minimum required version of URI::Escape from
1.36 to 3.31.
TEST PLAN
---------
1) git branch -b bug_8686 origin/master
2) ./koha_perl_deps.pl -a | grep URI
-- it will list 1.36 required
3) git bz apply 8686
4) ./koha_perl_deps.pl -a | grep URI
-- it will list 3.31 required
5) koha qa test tools
NOTE: Also default in Ubuntu 14.04 LTS,
not just Wheezy as noted in comment #15.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signoff based on Nicole's comment (bug 9990 comment 6):
"This stops happening if you upgrade URI::Escape to
3.31. We should make it clear in the Perl Modules page that an upgrade
is needed." Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 7c0c92807f49ef61aa975e84cf26d42f7dfa425f) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz <wizzyrea@gmail.com>
Chris [Sun, 21 Jun 2015 09:35:07 +0000 (09:35 +0000)]
Bug 14423 : Multiple XSS bugs in suggestion.pl
To test
1/ Hit a url like http://localhost:8081/cgi-bin/koha/suggestion/suggestion.pl?author=%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&accepteddate_to=
2/ Notice alert box(es)
3/ Apply patch
4/ Reload and notice alert is gone
Repeat for
collection_title
copyrightdate
isbn
manageddate_from
manageddate_to
publishercode
suggesteddate_from
suggesteddate_to
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Chris [Sun, 21 Jun 2015 09:20:51 +0000 (09:20 +0000)]
Bug 14423 : Multiple XSS vulnerabilities in serials-search
To test
1/ Hit a url like http://localhost:8081/cgi-bin/koha/serials/serials-search.pl?bookseller_filter=%22%22%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&searched=1&title_filter=
2/ Notice alert boxes
3/ Apply patch
4/ Reload, notice fixed
Repeat for
callnumber_filter
EAN_filter
ISSN_filter
publisher_filter
title_filter
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Chris [Sun, 21 Jun 2015 09:01:32 +0000 (09:01 +0000)]
Bug 14423 : XSS bugs in catalogue search
To test
1/ hit a url like http://localhost:8081/cgi-bin/koha/catalogue/search.pl?limit=%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice alert boxes
3/ Apply patch
4/ Reload url, no alerts
5/ Check search still works
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Chris [Sun, 21 Jun 2015 08:46:40 +0000 (08:46 +0000)]
Bug 14423 : XSS issues in marc_subfields_structure
1/ Hit a url like http://localhost:8081/cgi-bin/koha/admin/marc_subfields_structure.pl?op=add_form&tagfield=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice all the alert boxes
3/ Apply patch
4/ Reload page, no more alerts
5/ Test functionality still works
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Chris [Sun, 21 Jun 2015 08:33:13 +0000 (08:33 +0000)]
Bug 14423 XSS bug in auth_subfields_structure
1/ Hit a url like http://localhost:8081/cgi-bin/koha/admin/auth_subfields_structure.pl?op=add_form&authtypecode=%27%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&tagfield=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice a ton of alert boxes pop up
3/ Apply patch
4/ Reload url, no longer get any alerts
5/ Test functionality still works
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Chris [Sun, 21 Jun 2015 08:18:20 +0000 (08:18 +0000)]
Bug 14423 : XSS bug in lateorders
1/ hit a url like http://localhost:8081/cgi-bin/koha/acqui/lateorders.pl?delay=<script>alert('oh noes')</script>&estimateddeliverydatefrom
2/ Note you get an alert box
3/ Apply patch notice it is fixed
4/ Test functionality still works
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Chris [Sun, 21 Jun 2015 08:10:20 +0000 (08:10 +0000)]
Bug 14423 : XSS in authorities-home
To test:
1/ Hit a url like http://localhost:8081/cgi-bin/koha/authorities/authorities-home.pl?op=do_search&type=intranet&marclist=mainentry&and_or=and&operator=contains&value=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice you get 3 alert boxes
3/ Apply patch
4/ Hit the url again, no js
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Chris [Mon, 22 Jun 2015 05:23:52 +0000 (05:23 +0000)]
Bug 14408 Path Traversal error
Counter counter patch
Please test well, including with the null byte %00, this uses a whitelisting to only allow files ending with .tt
and not allowing ../etc
Note the previous patch tries to protect against /etc/passwd
but //etc/passwd is now vulnerable. I do think a whitelist is safer than trying to do a blacklist
To test:
1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
Notice you get a valid JSON response
2/ Hit
/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
(You may have to add more ..%2f or remove them to get the correct path)
Notice you can see the contents of the /etc/passwd file
3/ Hit
/cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
4/ Apply patch
5/ Hit the first url again, notice it still works
6/ Hit the second url notice it now errors with a file not found
7/ Hit the third url notice it now errors with a file not found
Repeat for the other script also
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
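The allowlist check argued for in the Bug 14408 commit message above, as an added Perl example that is not Koha's patch. The helper name `safe_template_path`, the temporary template root and the request strings are assumptions constructed for illustration.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Path qw(make_path);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper (not Koha's code): return the absolute path of a
# requested template, or undef when the request fails the allowlist.
sub safe_template_path {
    my ( $root, $requested ) = @_;
    return unless defined $requested && length $requested;

    # Allowlist: relative path, single "/" separators, no dots except ".tt".
    # The character class excludes NUL, so "passwd%00.tt" style input fails.
    return unless $requested =~ m{\A[A-Za-z0-9_\-]+(?:/[A-Za-z0-9_\-]+)*\.tt\z};

    # Defence in depth: resolve symlinks and confirm the file is under root.
    my $real_root = realpath($root) or return;
    my $full = realpath( File::Spec->catfile( $real_root, $requested ) );
    return unless defined $full && -f $full;
    return unless index( $full, "$real_root/" ) == 0;
    return $full;
}

# Constructed demo: a throwaway template root with one template in it.
my $root = tempdir( CLEANUP => 1 );
make_path("$root/members/tables");
open my $fh, '>', "$root/members/tables/members_results.tt" or die $!;
print {$fh} "[% data %]\n";
close $fh;

# Constructed inputs, already URL-decoded, modelled on the test plan above.
my @requests = (
    'members/tables/members_results.tt',
    '../../../etc/passwd',
    'test/../../../etc/passwd',
    '//etc/passwd',
    "../../../etc/passwd\0.tt",
    'members/tables/members_results.tt/../../../x.tt',
);
for my $req (@requests) {
    ( my $shown = $req ) =~ s/\0/%00/g;
    printf "%-50s %s\n", $shown, safe_template_path( $root, $req ) ? 'served' : 'rejected';
}
```

Only the first request is served; the others fail the pattern before any filesystem call is made, which is why the `//etc/passwd` variant that slipped past the blacklist does not matter here.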
Chris Cormack [Thu, 18 Jun 2015 23:41:45 +0000 (11:41 +1200)]
Bug 14418 : More XSS vulnerabilities in opac-shelves.pl
To test:
1/ Hit a url like
/cgi-bin/koha/opac-shelves.pl?viewshelf=7&op=modif&display="><script>alert('oh
noes')</script> Where the id is a valid shelf id
2/ Notice the js is executed
3/ Apply patch
4/ Reload page
5/ Notice input is now escaped on display
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Tested in Debian, couldn't reproduce the alert in Iceweasel, but in
Chromium. Patch fixes it.
Chris Cormack [Thu, 18 Jun 2015 23:30:22 +0000 (11:30 +1200)]
Bug 14418 : XSS flaw in opac-shelves.pl
To test:
1/ Create a list and add at least one item to it
2/ Hit a url like http://192.168.2.18/cgi-bin/koha/opac-shelves.pl?viewshelf=7&sort=author&direction=%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
Where the shelf id is the number of the list you created, notice the js is executed
3/ Apply the patch
4/ Reload the page notice the js is now escaped
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Chris Cormack [Thu, 18 Jun 2015 21:25:22 +0000 (09:25 +1200)]
Bug 14418 XSS Vulnerabilities
Fix for /cgi-bin/koha/opac-search.pl
To test
1/ Hit /cgi-bin/koha/opac-search.pl?tag="><script
src='http://cst.sba-research.org/x.js'/>&q=a
2/ Notice the js is executed
3/ Apply patch
4/ Reload page, notice it is no longer executed
5/ Test the rss links work still
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed bug and that the patch fixes it.
To exploit the vulnerability, no authentication is needed
To test
1/ Turn on mysql query logging
2/ Hit /cgi-bin/koha/opac-tags_subject.pl?number=1+PROCEDURE+ANALYSE+(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
3/ Check the logs notice something like
SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1
PROCEDURE ANALYSE
(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
4/ Apply patch
5/ Hit the url again
6/ Notice the log now only has
SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed the problem and the fix for it.
To test:
1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
Notice you get a valid JSON response
2/ Hit
/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
(You may have to add more ..%2f or remove them to get the correct path)
Notice you can see the contents of the /etc/passwd file
3/ Hit
/cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
4/ Apply patch
5/ Hit the first url again, notice it still works
6/ Hit the second url notice it now errors with a file not found
7/ Hit the third url notice it now errors with a file not found
Repeat for the other script also
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Katrin Fischer [Sat, 6 Jun 2015 12:34:57 +0000 (14:34 +0200)]
Bug 14350: Missing statement in kohastructure.sql - DROP TABLE IF EXISTS borrower_sync
Reported by Jonathan on bug 11401:
DROP TABLE IF EXISTS borrower_sync;
is missing in installer/data/mysql/kohastructure.sql
To test:
- Run the web installer and confirm all tables are
created correctly
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com> Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 2fe241cc0f774799b8dca329d41d03f2217ffcaa) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Jonathan Druart [Tue, 28 Apr 2015 09:26:44 +0000 (11:26 +0200)]
Bug 11941: Add link to patron lists from the patron home page
The patron lists are only accessible from the tools module, which is not
easily accessible when you are in the patron module.
Test plan:
Go on the patron home page.
In the toolbar, you should see a link to the patron lists.
NOTE: Tweaked button to a to get the click to work.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Liz Rea <liz@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 27ef1410a7784577149bed6a466937c7ded6ba70) Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Liz Rea <wizzyrea@gmail.com>