[koha-commits] main Koha release repository branch 18.11.x updated. v18.11.15-27-gb6954b6b0d

Git repo owner gitmaster at git.koha-community.org
Wed Apr 22 02:31:17 CEST 2020


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 18.11.x has been updated
       via  b6954b6b0de6e7a95de014cbf35f949869589664 (commit)
      from  dfe1bd600c3155bdc905716c8c745051a3234d06 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit b6954b6b0de6e7a95de014cbf35f949869589664
Author: Tomas Cohen Arazi <tomascohen at theke.io>
Date:   Fri Mar 27 18:16:58 2020 -0300

    Bug 25009: Avoid leakages in opac-showmarc.pl
    
    This patch cleans opac-showmarc.pl so it doesn't allow retrieving
    records from import batches without requiring any permissions in the
    OPAC.
    
    It does so by just removing the code portion that does that.
    
    It also cleans the record fetch operation and how the record processor
    is initialized so it actually works :-D
    
    To test:
    1. Perform a successful Z39.50 search in cataloguing (this fetches 20
       records usually)
    2. Query your DB for a valid import_record_id:
      $ koha-mysql kohadev
      > SELECT * FROM import_records LIMIT 1;
    3. Notice some of the MARCXML details (title, author, etc), and the
       import_record_id
    4. Point your browser to the opac-showmarc.pl URL like this:
       http://kohadev.mydnsname.org:8080/cgi-bin/koha/opac-showmarc.pl?importid=20
    => FAIL: You get the record! (Bonus: no field/subfield takes place)
    5. Hide some obvious subfield on the framework for a known (to you)
       biblionumber
    6. Point your browser to:
       http://kohadev.mydnsname.org:8080/cgi-bin/koha/opac-showmarc.pl?id=<biblionumber_here>
    => FAIL: No filtering takes place
    7. Apply this patch
    8. Repeat 4
    => SUCCESS: You get an error because you did a bad request (no id param)
    9. Repeat 6
    => SUCCESS: Subfield filtering actually works!
    10. Sign off :-D
    
    Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Joy Nelson <joy at bywatersolutions.com>
    (cherry picked from commit d3ba9dc0fe423347f0e0e90b66be3ebeb7a6dec1)
    
    Signed-off-by: Hayley Mapley <hayleymapley at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 opac/opac-showmarc.pl | 41 +++++++++++++++++++++++++----------------
 1 file changed, 25 insertions(+), 16 deletions(-)


hooks/post-receive
-- 
main Koha release repository

