[koha-commits] main Koha release repository branch master updated. v19.11.00-1867-gca5b112376

Git repo owner gitmaster at git.koha-community.org
Mon Apr 27 12:13:15 CEST 2020


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  ca5b112376f8b74d573f8b8d6c1512a59040ba60 (commit)
       via  4452036d1c100910c17a7ac7ac54cb83c0120620 (commit)
       via  95dc574501a331e603cbe385fa4e5f70dc1c5ef2 (commit)
      from  b50d891c099d0f21f2528c5a6d5bbb586cf1612e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit ca5b112376f8b74d573f8b8d6c1512a59040ba60
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Tue Apr 14 13:22:44 2020 +0200

    Bug 25142: Fix wrong grep logical test
    
    To test and understand what's going on, you can try that bit of code:
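    use feature 'say';
    my @a = qw( a b c a);
    my @b = qw( b c d );
    my @c;
    # No parentheses: parsed as grep { ... } ( @a ? 'ok' : () )
    @c = grep { 'a' eq $_ } @a ? 'ok' : ();
    say @c;
    # Parenthesised: grep runs over @a and its match count is the condition
    @c = ( grep { 'a' eq $_ } @a ) ? 'ok' : ();
    say @c;
    # Same parse as the first form: grep { ... } ( @a ? ('ok') : (undef) )
    @c = grep { 'a' eq $_ } @a ? ('ok') : (undef);
    say @c;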
    
    The problem here:
    Have patrons in 3 branches CPL, MPL, SPL
    Have a non superlibrarian with edit_borrowers permission but
    without view_borrower_infos_from_any_libraries, from CPL
    Create a library group with CPL, MPL
    Use that non superlibrarian to search for patrons
    You can search for patrons from CPL and MPL
    BUT, edit the value for CPL, use SPL (edit the DOM)
    Search and... oops
    
    Apply this patch, try again
    
    Also use a superlibrarian patron (and/or with view_borrower_infos_from_any_libraries)
    and confirm that they can see all patrons
    
    Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

commit 4452036d1c100910c17a7ac7ac54cb83c0120620
Author: Tomas Cohen Arazi <tomascohen at theke.io>
Date:   Fri Mar 27 18:16:58 2020 -0300

    Bug 25009: Avoid leakages in opac-showmarc.pl
    
    This patch cleans opac-showmarc.pl so it doesn't allow retrieving
    records from import batches without requiring any permissions in the
    OPAC.
    
    It does so by just removing the code portion that does that.
    
    It also cleans the record fetch operation and how the record processor
    is initialized so it actually works :-D
    
    To test:
    1. Perform a successful Z39.50 search in cataloguing (this fetches 20
       records usually)
    2. Query your DB for a valid import_record_id:
      $ koha-mysql kohadev
      > SELECT * FROM import_records LIMIT 1;
    3. Notice some of the MARCXML details (title, author, etc), and the
       import_record_id
    4. Point your browser to the opac-showmarc.pl URL like this:
       http://kohadev.mydnsname.org:8080/cgi-bin/koha/opac-showmarc.pl?importid=20
    => FAIL: You get the record! (Bonus: no field/subfield takes place)
    5. Hide some obvious subfield on the framework for a known (to you)
       biblionumber
    6. Point your browser to:
       http://kohadev.mydnsname.org:8080/cgi-bin/koha/opac-showmarc.pl?id=<biblionumber_here>
    => FAIL: No filtering takes place
    7. Apply this patch
    8. Repeat 4
    => SUCCESS: You get an error because you did a bad request (no id param)
    9. Repeat 6
    => SUCCESS: Subfield filtering actually works!
    10. Sign off :-D
    
    Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

commit 95dc574501a331e603cbe385fa4e5f70dc1c5ef2
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date:   Thu Jul 14 13:51:21 2016 +0200

    Bug 16922: Add RewriteRule to apache-shared-intranet for dev package installs
    
    As a simple alternative to the solution in bug 9949 or just as an
    additional measure, this patch adds a rewrite rule for intranet
    in order to intercept potential misuse of perl scripts that could be
    reached on a dev package install via the cgi-bin/koha scriptalias.
    
    It simply rewrites them to the nonexistent "notfound", resulting in a
    regular 404 error.
    
    The rewrite rule does not harm regular installs and is just a little extra
    step in securing a dev install. You should have more security measures in
    place to secure your staff client.
    
    QA Note: Although a rewrite rule may not be our first choice, this one
    rule is more elegant and easier to maintain than e.g. a whole bunch of
    aliases.
    
    Note: This patch should have a regular and a dev install signoff.
    
    Test plan:
    [1] Make sure that this rewrite rule is inserted in your actual apache
        config via /etc/koha/apache-shared-intranet.conf. Restart Apache.
    [2] For regular package installs:
        Try one of the URLs in step 3.
        Verify that your staff client still operates as usual. Test a few
        URLs inside some modules.
    [3] For dev installs:
        Try some URLs like below.
        Expect 404 errors only, not 500s. If you do not see a 404, go back!
        /misc/stage_file.pl
        /t/db_dependent/default_search_class.pl
        /installer/data/mysql/updatedatabase.pl
        /Makefile.PL
    [4] Do you see an additional directory to add to the regex? Please report.
    
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

-----------------------------------------------------------------------
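The precedence problem described in the Bug 25142 commit message, applied to a library-restriction check. This is an added example, not the code from C4/Utils/DataTables/Members.pm; the sub names, @allowed and the branch data are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use List::Util qw( any );

# Constructed data: the library group the logged-in staff member may search.
my @allowed = qw( CPL MPL );

# Unparenthesised: grep is a list operator and takes the whole ternary as its
# list, so this is grep { ... } ( @allowed ? ($requested) : () ). The requested
# code is only compared with itself and is returned whatever it is.
sub filter_unparenthesised {
    my ($requested) = @_;
    my @branches = grep { $_ eq $requested } @allowed ? ($requested) : ();
    return @branches;
}

# Parenthesised: grep runs over @allowed, and its match count (scalar context)
# is the condition of the ternary.
sub filter_parenthesised {
    my ($requested) = @_;
    my @branches = ( grep { $_ eq $requested } @allowed ) ? ($requested) : ();
    return @branches;
}

# Same check with List::Util::any, which is also a list operator and needs the
# same parentheses when it is followed by ?:.
sub filter_any {
    my ($requested) = @_;
    my @branches = ( any { $_ eq $requested } @allowed ) ? ($requested) : ();
    return @branches;
}

# SPL is outside the group; it stands for a value edited into the search form.
for my $requested (qw( CPL MPL SPL )) {
    printf "%-3s unparenthesised=[%s] parenthesised=[%s] any=[%s]\n",
        $requested,
        join( ',', filter_unparenthesised($requested) ),
        join( ',', filter_parenthesised($requested) ),
        join( ',', filter_any($requested) );
}
```
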

Summary of changes:
 C4/Utils/DataTables/Members.pm               |  2 +-
 debian/templates/apache-shared-intranet.conf |  3 ++
 opac/opac-showmarc.pl                        | 41 +++++++++++++++++-----------
 3 files changed, 29 insertions(+), 17 deletions(-)


hooks/post-receive
-- 
main Koha release repository
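
A log check for the Bug 25009 exposure: it lists OPAC requests to opac-showmarc.pl that carried an importid parameter, so an administrator can see whether import records were fetched before the patch was applied. This is an added example, not part of the Koha code base; the log lines are constructed, and treating status 200 as "record served" and 400 as the patched response are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed access-log lines (Apache combined format, documentation IPs).
my @lines = (
    '198.51.100.7 - - [27/Apr/2020:10:01:02 +0200] "GET /cgi-bin/koha/opac-showmarc.pl?importid=20 HTTP/1.1" 200 5120 "-" "curl/7.68.0"',
    '198.51.100.7 - - [27/Apr/2020:10:01:03 +0200] "GET /cgi-bin/koha/opac-showmarc.pl?id=5&importid=21 HTTP/1.1" 200 4980 "-" "curl/7.68.0"',
    '203.0.113.9 - - [27/Apr/2020:10:02:00 +0200] "GET /cgi-bin/koha/opac-showmarc.pl?id=42 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [27/Apr/2020:10:03:00 +0200] "GET /cgi-bin/koha/opac-showmarc.pl?importid=20 HTTP/1.1" 400 310 "-" "Mozilla/5.0"',
);

# Return one hash per request to opac-showmarc.pl that has an importid parameter.
sub importid_hits {
    my @hits;
    for my $line (@_) {
        # Capture client IP, request target (path plus query) and HTTP status.
        next unless $line =~ m{^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) };
        my ( $ip, $target, $status ) = ( $1, $2, $3 );
        my ( $path, $query ) = split /\?/, $target, 2;
        next unless defined $query && $path =~ m{/opac-showmarc\.pl$};
        for my $pair ( split /[&;]/, $query ) {
            my ( $name, $value ) = split /=/, $pair, 2;
            next unless defined $name;
            $name =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;    # decode %-escaped names
            next unless $name eq 'importid';
            push @hits, { ip => $ip, importid => $value // '', status => $status };
        }
    }
    return @hits;
}

# Print every hit, then count per client the ones answered with 200.
my %served;
for my $hit ( importid_hits(@lines) ) {
    $served{ $hit->{ip} }++ if $hit->{status} == 200;
    printf "%s importid=%s status=%s\n", @{$hit}{qw( ip importid status )};
}
printf "%s: %d import record(s) likely served\n", $_, $served{$_} for sort keys %served;
```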

