Galen Charlton [Wed, 7 Jun 2023 18:26:16 +0000 (14:26 -0400)]
LP#2023222: prevent open-ils.fielder.$IDLCLASS from invoking function transforms
This patch adds some argument checking to the family of
open-ils.fielder.$IDLCLASS[.atomic] methods to prevent
JSON query function transforms from being invoked. This
is needed to prevent unauthenticated callers from invoking
arbitrary stored procedures.
This is a security patch that closes down a pathway
towards remote, unauthenticated SQL injection attacks.
Jeff Davis [Thu, 29 Jun 2023 16:27:04 +0000 (09:27 -0700)]
LP#2024682: fix regression in action.item_user_circ_test
A previous bugfix reverted portions of the action.item_user_circ_test
function to an older version in the 3.9.1-3.10.0 version upgrade script.
This commit provides an upgrade script to restore the correct version of
the function on 3.10.
Signed-off-by: Jeff Davis <jdavis@sitka.bclibraries.ca>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Dan Briem [Fri, 26 May 2023 16:24:54 +0000 (16:24 +0000)]
LP#1996818 Issues Placing Holds from the Patron Record
Set the hold target using the same cookie Angular uses when
placing holds from AngularJS patron records.
Clear the cookie and broadcast to all catalog tabs to remove
the hold target when:
- the Clear button for the hold target is pressed
- the hold interface loads a different patron
- a different Angular route loads
- AngularJS app starts (left the Angular context)
When a catalog tab is closed, clear the cookie and broadcast
it so that any open catalog tabs can restore it.
To test:
1. After loading the patch, build Angular and AngularJS
2. Place a hold from AngJS patron record, note target is set
3. Open multiple catalog tabs
5. Close one catalog tab, note target persists in other tabs
6. Click Clear button, note target is cleared in all tabs
7. Repeat steps 2-3, load a different patron in the hold
interface, note target is cleared in all tabs
8. Repeat steps 2-3, click the home icon in the navbar, note
target is cleared in all tabs
9. Repeat steps 2-3, click AngJS Check Out in the navbar,
note target is cleared in all tabs
Signed-off-by: Dan Briem <dbriem@wlsmail.org>
Signed-off-by: John Amundson <jamundson@cwmars.org>
Signed-off-by: Jason Stephenson <jason@sigio.com>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Jason Boyer [Thu, 23 Feb 2023 17:44:00 +0000 (12:44 -0500)]
LP2008252: Fix report output access when Shibboleth is enabled
When mod_shib is enabled use the ShibCompatValidUser option to ensure
report outputs load correctly.
Additionally, since it's SSO related, mention the sso_loc variable in
a comment for the apache config.
Signed-off-by: Jason Boyer <JBoyer@equinoxOLI.org>
Signed-off-by: Jeff Davis <jeff.davis@bc.libraries.coop>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Jane Sandberg [Wed, 1 Mar 2023 12:58:07 +0000 (04:58 -0800)]
LP1983628: Add editor for item notes
Test plan:
1. Open your favorite bib record in the staff catalog
2. On the item table tab, find a barcode and click "Edit"
3. Press the Item Notes button.
4. Add a note with a title and value.
5. Press Apply Changes
6. Press Apply All and Save
7. Press the Item Notes button again.
8. Without this commit, you will not have a way to edit
these notes. With this commit, you will have an edit
button.
9. Confirm that you can Back out of the editor without
making changes
10. Confirm that you can make changes and they persist.
This commit also adds a test to confirm that this fm-editor
won't inadvertently fetch every single row in asset.copy
(as a linked field).
Signed-off-by: Jane Sandberg <js7389@princeton.edu>
Signed-off-by: Elaine Hardy <ehardy@georgialibraries.org>
Signed-off-by: Jason Boyer <JBoyer@equinoxOLI.org>
This commit uses database functions to precompute the normalized and
tokenized tsquery required for highlighting before it is returned to the
user, and disallows highlight-time compilation of the highlight map.
The primary purpose of this is to avoid the chance for user input to
find its way directly into SQL statements, but an additional benefit is
that it becomes much simpler for high level application code to make use
of Display Field highlighting in non-search contexts.
Signed-off-by: Mike Rylander <mrylander@gmail.com>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Signed-off-by: Jason Boyer <JBoyer@equinoxOLI.org>
Mike Rylander [Fri, 12 Oct 2018 18:43:26 +0000 (14:43 -0400)]
LP#1775958: Rework pullup mechanism to flatten more nested queries
The bulk of this commit reworks the query tree pullup logic, which is
responsible for simplifying the query tree that is used to generate the
SQL query for search. In particular, we now do a better job of finding
opportunities to merge adjacent parts of the query that have the same
requested_class (pre-dealiasing) in the face of boolean OR operators,
explicit grouping, and alternating requested_class values. The result
is fewer joins in the SQL, which should speed up all but the most
trivial searches, and generally help protect the database from mis- or
mal-constructed queries. We also now use CTEs to separate branches of
the logical search tree into discrete subqueries, which helps reduce
the total core query JOINs, and provides the planner with more options
for join order.
This also does away with the conversion of a negated atom into an
"un-phrase". Instead, we just detect and handle those directly as atoms
with a prefix, as appropriate. This allows single negated words to be
used directly in the core tsquery construct, rather than having them
require a separate join and special where clause.
Additionally, this commit handles phrases differently at both the QP and
SQL level, making use of Postgres's phrase support in modern versions
and simplifying how they're handled within the base parse tree
structure.
Signed-off-by: Mike Rylander <mrylander@gmail.com>
Signed-off-by: Jason Stephenson <jason@sigio.com>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Signed-off-by: Jason Boyer <JBoyer@equinoxOLI.org>
This commit implements a new global flag: opac.login_redirect_domains
When this flag is enabled, redirection from login via redirect_to will
be restricted to local URLs. For local URLs, they must either start
with a / (provide an absolute path) or the hostname in the URL must
match the current hostname and have a scheme of http, https, ftp, or
ftps.
The value for the global flag can be set to a list of comma-separated
domain names. Redirection to these domains, and subdomains/hosts
thereof, will also be allowed. For all non-local URLs allowed by the
global flag value, the scheme must be one of http, https, ftp, or ftps.
Signed-off-by: Mike Rylander <mrylander@gmail.com>
Signed-off-by: Jason Stephenson <jason@sigio.com>
Signed-off-by: Jason Boyer <JBoyer@equinoxOLI.org>
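The redirect rule described in the commit above, as an added example that is not Evergreen's own code: a Python illustration of the check (Evergreen's OPAC is Perl, so this is a model of the rule, not its implementation) that accepts absolute paths, same-host URLs, and URLs under the configured `opac.login_redirect_domains` entries when the scheme is http, https, ftp or ftps. Rejecting protocol-relative `//host` targets and unparseable URLs is my addition, since browsers treat `//host` as a different host rather than a local path.

```python
from urllib.parse import urlsplit

# Schemes the commit message permits for any non-path redirect target.
ALLOWED_SCHEMES = {"http", "https", "ftp", "ftps"}


def parse_redirect_domains(flag_value):
    """Parse the comma-separated global flag value into lowercase domains.

    Blank entries and surrounding whitespace are dropped; a leading dot is
    stripped so ".partner.example" and "partner.example" behave the same.
    """
    if not flag_value:
        return set()
    return {
        d.strip().lower().lstrip(".")
        for d in flag_value.split(",")
        if d.strip()
    }


def _host_under_domain(host, domain):
    """True when host equals domain or is a subdomain/host beneath it."""
    return host == domain or host.endswith("." + domain)


def is_allowed_redirect(redirect_to, current_host, allowed_domains=()):
    """Decide whether a redirect_to value may be followed after login.

    Local targets: an absolute path ("/opac/...") or a URL whose hostname
    matches current_host. Non-local targets must sit under one of
    allowed_domains. Both non-path forms require an allowed scheme.
    """
    if not redirect_to:
        return False
    if redirect_to.startswith("/"):
        # "//evil.example/x" or "/\\evil.example" is a network-path
        # reference, not a local path (guard added here, not in the commit).
        return not redirect_to.startswith(("//", "/\\"))
    try:
        parts = urlsplit(redirect_to)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # .hostname discards userinfo, so "https://example.org@evil.example/"
    # is judged by evil.example, not by the text before the "@".
    host = (parts.hostname or "").lower()
    if not host:
        return False
    if host == current_host.lower():
        return True
    return any(_host_under_domain(host, d) for d in allowed_domains)
```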
Galen Charlton [Wed, 10 May 2023 19:45:05 +0000 (15:45 -0400)]
LP#2019150: link to AngularJS Patron Requests interface
Due to a presumed timing issue in 2018, the AngularJS patron purchase
request interface created in bug 1774277 was never linked to from the
Angular navbar (only the AngularJS one).
This patch fixes this.
To test
-------
[1] Apply the patch.
[2] From the Angular menu, go to Acquisitions -> Patron Requests
and verify that it loads the AngularJS interface rather
than the legacy Dojo one.
Jason Boyer [Fri, 12 May 2023 17:44:14 +0000 (13:44 -0400)]
LP1915326: Followup to Silence Offline / Shared Worker Errors
The user agent string hasn't been 'PhantomJS' for quite some time, so look for
'Headless' and add that to the Firefox launcher. Also redirect requests for
offline-db-worker.js to the current directory.
Signed-off-by: Jason Boyer <JBoyer@equinoxOLI.org>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Signed-off-by: Jane Sandberg <js7389@princeton.edu>
Several tests of egOrg started failing when Lovefield
was added as a dependency. This patch fixes them by
ensuring that Lovefield is loaded.
To test
-------
[1] Go to Open-ILS/web/js/ui/default/staff and run
`npm run test`. Note that six tests fail because
'lf' is undefined.
[2] Apply the patch and repeat step 1. This time, all
of the tests should pass.
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Signed-off-by: Jason Boyer <JBoyer@equinoxOLI.org>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Signed-off-by: Jane Sandberg <js7389@princeton.edu>
Jeff Davis [Tue, 7 Feb 2023 19:33:07 +0000 (11:33 -0800)]
LP#1778567: don't return cached list/tree before updating
The absorbList function can be used to append items to an existing
cached list (and ditto for absorbTree), so we shouldn't start off by
returning the cached version.
Thanks to James Fournie for catching this.
Signed-off-by: Jeff Davis <jdavis@sitka.bclibraries.ca>
Signed-off-by: Ruth Frasur <rfrasur@library.in.gov>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Stephanie Leary [Wed, 3 May 2023 17:39:41 +0000 (17:39 +0000)]
LP2002363 Aria labels for catalog search +/- buttons
Adds aria-label to the staff catalog search row plus/minus buttons. The
labels match the title attributes on the buttons, to allow dictation
users to identify the phrases that should be spoken to select the
buttons.
Jane Sandberg [Mon, 6 Mar 2023 00:57:50 +0000 (16:57 -0800)]
LP1808016: improve error handling by open-ils.pcrud
This patch ensures that requests to open-ils.pcrud return
an error code (before the request completion code) when
a permissions or constraint check fails.
To test
-------
[1] Make an invalid request, e.g., by attempting to create a claim
type whose owner is not set in the Acquisitions Claiming admin
interface.
[2] Note that the user interface reports that the action succeeds
(although the new claim type is not actually created).
[3] Apply the patch and repeat step 1. This time, the admin interface
should report that the creation failed.
Jane Sandberg [Wed, 1 Mar 2023 17:37:32 +0000 (09:37 -0800)]
LP2008918: default modal background color
To test:
1) Open the holdings editor in the angular staff catalog
2) right click on an item
3) select Add/Manage Item notes
4) Note that you can't see the text at the top of the modal, nor can you see the close button
5) Apply this patch and repeat steps 1-3
6) Note that the modal header is a darker color, so the text and close button are again visible.
Dan Briem [Sat, 4 Mar 2023 21:10:44 +0000 (21:10 +0000)]
LP#1901072 Menus Don't Recognize Max Recent Patrons Setting
On the Angular menu, both Retrieve Last Patron and Recent Patrons
links appear under Circulation, regardless of what the "Number of
Retrievable Recent Patrons" setting is set to.
On both the AngularJS and Angular menus, both links appear under
Circulation (Experimental).
On the Angular menu, Circulation->Retrieve Recent Patrons links
to the Angular interface instead of the AngularJS interface.
To test this fix:
1. Set Enable Angular Circulation Menu setting to True
2. Set Number of Retrievable Recent Patrons setting to 0
- Retrieve Last Patron and Recent Patrons links don't appear
3. Set to 1 or unset (default fallback is 1)
- Retrieve Last Patron link appears only
4. Set to greater than 1
- both links appear
- Circulation->Retrieve Recent Patrons loads the AngJS interface
Signed-off-by: Dan Briem <dbriem@wlsmail.org>
Signed-off-by: Susan Morrison <smorrison@georgialibraries.org>
Signed-off-by: Jane Sandberg <js7389@princeton.edu>
Stephanie Leary [Mon, 8 May 2023 22:37:27 +0000 (22:37 +0000)]
LP2015137 Tab order for admin splash link tables
Replaces row/column logic with CSS columns in the link table component
used in settings screens. This allows the user to tab through the
settings in alphabetical order, rather than the three-across groupings
that previously broke up similarly named settings.
Galen Charlton [Wed, 29 Mar 2023 16:09:32 +0000 (12:09 -0400)]
LP#2013223: quiet browser console noise from some AngularJS grids
This patch quells console error noise from certain AngularJS grids.
To test
-------
[1] Go to the AngularJS Renew Items, Holds Shelf, or patron holds list
pages.
[2] Note that the browser console has a lot of "TypeError: action.handler is undefined"
error messages.
[3] Apply the patch and repeat step 1. This time, the "action.handler"
errors should be gone.
Galen Charlton [Fri, 31 Mar 2023 22:11:36 +0000 (18:11 -0400)]
LP#1920826: ensure that some DB updates missed in 3.6.0 are included
This patch fixes a situation where an Evergreen database that had
been upgraded to 3.6.0 at some point in its past using the
3.5.1-3.6.0 DB update script may be missing some DB revisions.
To test
-------
[1] Locate a test database that had been upgraded to 3.6.0 at some point
and is missing some or all of DB revisions 1236-1240.
[2] Run the DB update in this patch.
[3] Verify that the DB revisions are in place and that the following
bugs are resolved:
Tiffany Little [Thu, 26 Jan 2023 14:18:01 +0000 (09:18 -0500)]
LP2003946 LI ID in Search jumps to item detail page
Signed-off-by: Tiffany Little <tlittle@georgialibraries.org>
Signed-off-by: Christine Morgan <cmorgan@noblenet.org>
Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
Jane Sandberg [Fri, 3 Mar 2023 23:55:43 +0000 (15:55 -0800)]
LP1972917: fix circ modifier column in course materials grid
To test:
1. Add a circulation modifier to your system if it doesn't
already have some.
2. In Local Admin > Course Materials > Edit Course > Course
Materials, turn on the circ modifier column in the grid.
3. Associate an item with the course using its barcode.
Make sure you have selected a circulation modifier and
checked the circulation modifier box.
4. Press the "Add Material" button.
5. Note that the circulation modifier column says
"[Object object]"
6. Apply this patch and repeat steps 2-4.
7. Note that the column now has the name of the circulation
modifier.
Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
Signed-off-by: Jennifer Pringle <jennifer.pringle@bc.libraries.coop>
Signed-off-by: Beth Willis <willis@noblenet.org>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Michele Morgan [Wed, 1 Mar 2023 17:18:09 +0000 (12:18 -0500)]
LP2001728 - Don't display circ_staff for opac and autorenewals
Item Status Circ History List: Displays the placeholder <OPAC Renewal>
or <Auto-renewal> instead of the patron information in the Check Out
Staff field.
Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
Signed-off-by: Gina Monti <gmonti@biblio.org>
Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
Dan Briem [Thu, 16 Mar 2023 18:21:03 +0000 (14:21 -0400)]
LP#2004052 Hold Shelf Actions Menu Includes Irrelevant Actions
Removes Activate, Suspend, Set Top of Queue, Un-Set Top of Queue,
Set Desired Item Quality, Transfer to Marked Title from the
actions menu on the Holds Shelf grid.
Signed-off-by: Dan Briem <dbriem@wlsmail.org>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Signed-off-by: Jane Sandberg <js7389@princeton.edu>
Jeff Davis [Thu, 4 May 2023 18:13:42 +0000 (11:13 -0700)]
LP#2018534: treat year as numeric when retrieving item circs by year
The open-ils.pcrud.search.circbyyr API uses EXTRACT to extract the year
from circulation timestamps. In recent versions of Postgres, the return
type for EXTRACT was changed from double precision to numeric (thanks to
Jason Boyer for noticing this!); for obscure reasons, this causes pcrud
to return the year as a string instead of a number. So, let's get the
staff client to force those values to be numbers before doing math with
them.
Signed-off-by: Jeff Davis <jeff.davis@bc.libraries.coop>
Signed-off-by: Mike Rylander <mrylander@gmail.com>
Stephanie Leary [Wed, 3 May 2023 17:18:59 +0000 (17:18 +0000)]
LP2018208 Empty alt for result record images, icons
Adds empty alt attributes for jacket images and format icons that are
immediately followed by equivalent text representations, and are
therefore redundant for screen reader users.
Stephanie Leary [Mon, 12 Dec 2022 20:27:26 +0000 (14:27 -0600)]
LP1615707 ARIA landmarks for staff interface
Adds the following ARIA landmarks and roles to the Angular staff
interface:
* <main> and role="main" for the content container
* <nav> and role="navigation" for the navbar
* role="form" for the catalog search form (which lacks a <form> tag)
* role="search" for the search tab panel inside the form
* type="search" and role="searchbox" for the search term input field
* a custom region for the bib record summary box
* <aside> and role="complementary" for the facet sidebar
To construct the ARIA label for the bib record summary, I've added an ID
to the header row of the bib summary component so the screen reader can
use the localized text.
Since the staff interface doesn't really have a header section other
than the navigation, and there is no footer, I've left out these
landmarks.
Signed-off-by: Stephanie Leary <stephanie.leary@equinoxOLI.org>
Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
Galen Charlton [Thu, 30 Mar 2023 18:11:26 +0000 (14:11 -0400)]
LP#1791791: remove a regression on bug 1923225
This was introduced on the Bootstrap side by the patch for
bug 1955403.
To test:
[0] This applies to the Bootstrap OPAC skin.
[1] Perform a search on ISBN.
[2] Note that on the record page, the ISBN (under more details)
is not properly highlighted.
[3] Apply the patch and repeat step 1. This time, the ISBN
should be highlighted.
Garry Collum [Sun, 19 Dec 2021 01:31:22 +0000 (20:31 -0500)]
LP1791791: Google book previews not displaying from a bib linked from a search.
The javascript that queries Google Books Preview looks for ISBN(s) wrapped in
a rdetail_value class. There was a line of code in which the isbn variable
was not enclosed in this class. This patch just wraps that stray variable
into a <span> with the class.
To test:
0. Use the TPAC skin - this bug does not affect the Bootstrap skin
1. Perform a keyword search for a bib that should have a Google Books link.
As of March 2023, ISBN 9780786496570 has previews enabled.
2. Go to the bib display and notice that there is no link.
3. Remove the ';query=something' text from the url and notice that the
google book information displays.
4. Apply the patch.
5. Perform the same search. The google book information should now display.
LP#1863387: multi-select now allows filtering shelving locations by owner
The Angular multi-select component now has a special case for
shelving locations: when the IDL class of "acpl" is selected,
rather than just displaying a combobox, the item-location-select
component is displayed, followed by an org selector and a checkbox.
The org selector defaults to workstation OU and is used to restrict
the list of shelving locations displayed in the shelving location
combobox to the context org unit and its ancestors. If the checkbox
is also selected, descendants of the context OU are included as well.
The effect of this is to allow large consortia to more efficiently
select the shelving locations to be used by a carousel.
To test
-------
[1] Apply the patch.
[2] Create or edit carousel definitions. Verify that the widget
for the carousel's shelving locations now displays both a
combobox for the location selector as well as one for the
location owning library. Further verify that when the OU
selector for the owning library is changed, that the list
of available shelving locations reflects the locations available
at the ancestors of the filter OU. Also verify that the
"Include descendants?" checkbox updates the list of available
locations as well.
Stephanie Leary [Mon, 9 Jan 2023 19:46:53 +0000 (13:46 -0600)]
LP1970946 Adjust color contrast in result highlights
Lowers the contrast on search result match highlights in the staff
catalog, and changes the highlight tag from <b> (PostgreSQL's default),
to <mark> (new in HTML5).
As an additional consequence, the color contrast for highlighted
search terms in the Bootstrap OPAC (using default styles) improves
from 4.38 to 17.12.
Stephanie Leary [Thu, 9 Mar 2023 16:08:40 +0000 (16:08 +0000)]
LP2009865 Revised search result headings & source order
Revises the hierarchy of headings in the search results. In combination
with the H1 provided in bug #1994711, the result is now:
h1. Staff Catalog
h2. Search Results (N)
(repeat for each result:)
h3. [Title] [Author]
h2. Facets
(repeat for each facet box:)
h3. [Facet title]
The source order of the results list and facet sidebar have been
swapped. The facets still appear on the left visually, but now fall
after the results in the document.
Patch alters the markup within <eg-staff-banner> to include H1 headings
for page titles.
The patch also includes a new CSS file for the course page component,
which appears to be the only component taking advantage of the custom
classes and icons for page titles. I've made archived course titles gray
and italicized.
Jeff Davis [Tue, 15 Nov 2022 23:11:49 +0000 (15:11 -0800)]
LP#1996651: treat empty string as null for preferred name/alias in wide_hold_data
This prevents the patron name from appearing blank in the hold shelf
"User Display Name" or "User Alias or Display Name" columns when the
alias or preferred name fields are empty strings.
Signed-off-by: Jeff Davis <jeff.davis@bc.libraries.coop>
Signed-off-by: Susan Morrison <smorrison@georgialibraries.org>
Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
LP#1716479: (follow-up) fix handling of onSave callbacks for AngularJS MARC edit
This patch fixes an issue that has been present for a while but
clarified by Beth Wills in the course of testing the base patch
for this bug.
Specifically, the routine to process onSave callbacks was
not bound to the scope properly, meaning that the wrong onSave
callbacks could be run when dealing with multiple active
egMarcEditRecords.
Jane Sandberg [Thu, 29 Aug 2019 01:09:35 +0000 (18:09 -0700)]
LP1716479: Make sure authority linker works in embedded MARC editors
1) Perform a z39.50 search
2) Select a record
3) Click Edit then Import
4) Click on the link next to any authorizable field.
5) You will see a mysteriously data-free heading: {{bibField.tag}} {{bibField.ind1}}{{bibField.ind2}}
6) Clicking on the "Immediately" and "Create and edit" buttons doesn't work.
7) Apply this patch and repeat steps 1-6.
8) Note that the heading is now correct, and the buttons work.
Signed-off-by: Jane Sandberg <sandbej@linnbenton.edu>
Signed-off-by: Jennifer Weston <jennifer.weston@equinoxOLI.org>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Fix "Installing PostgreSQL server packages" heading. It was showing
up as a list entry.
Drop the text about installing additional packages for the database,
since there are none to install at this time. (We could replace that
with a subsection on the packages required for a standalone database
server without all of Evergreen installed on it.)
Add a "Create the Evergreen PostgreSQL user" heading above the
instructions to create the evergreen user in the database.
Co-authored-by: Ben Shum <ben@evergreener.net>
Signed-off-by: Jason Stephenson <jason@sigio.com>
Terran McCanna [Wed, 19 Oct 2022 14:54:19 +0000 (10:54 -0400)]
LP1970476 Where filter in Bootstrap Catalog Produces Unwanted Results
Prior to this change, the Advanced Search page split the library selector
and the "Where" scope selector into two separate dropdown lists that
produced unexpected results when both were used.
This change uses the same approach as the combined dropdown on the Basic
search page instead.
Signed-off-by: Terran McCanna <tmccanna@georgialibraries.org>
Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
Signed-off-by: John Amundson <jamundson@cwmars.org>
Signed-off-by: Jason Stephenson <jason@sigio.com>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>