This commit adds two types of simple DoS protection:
* Limit concurrent search requests per client IP address, regardless of
the searches being performed. This helps address issues of accidental
spamming from a malfunctioning OPAC workstation, or crawlers of various
types. The limit is controlled by a global flag called
"opac.max_concurrent_search.ip".
* Limit the global concurrent search requests for the same query. This
helps address both simple and distributed DoS that send the same search
request over and over. The limit is controlled by a global flag called
"opac.max_concurrent_search.query", and defaults to 20.
When the limit is exceeded in either case the client receives an HTTP
429 "Too many requests" response from the web server, and the connection
is ended.
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Jason Stephenson <jason@sigio.com> Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
With this commit we throw away searches with invalid qtype value based
on configured classes and aliases. Invalid qtype values have been seen
in the wild as part of attempted (but failed) SQL injection attacks, so
we will tighten up what we accept.
As an additional (unrelated) bonus, this commit also avoids prepending
the search class on basic search when the class (from qtype) is not
exactly "keyword".
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Jason Stephenson <jason@sigio.com> Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
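The two mechanisms in the commit messages above, as an added example that is not Evergreen's own code: a per-IP and per-query concurrency gate that answers 429 when a limit is exceeded, and a qtype check against a configured set of search classes and aliases. The class and alias tables, the per-IP limit value, the query normalisation and the 400 response for a bad qtype are assumptions made for the example; the two flag names and the per-query default of 20 are from the messages.

```python
"""Admission control for OPAC search requests (added example, not Evergreen code).

Two independent concurrency limits, keyed on client IP and on a normalised
query, plus an allowlist check of qtype against configured search classes
and aliases. The class/alias tables, the per-IP limit value and the 400 for
a bad qtype are assumptions; the flag names and the per-query default of 20
are from the commit message.
"""
import hashlib
import threading
from collections import Counter
from contextlib import contextmanager

MAX_CONCURRENT_PER_IP = 8       # opac.max_concurrent_search.ip (value assumed)
MAX_CONCURRENT_PER_QUERY = 20   # opac.max_concurrent_search.query (default 20)

# Hypothetical, reduced configuration of search classes and their aliases.
SEARCH_CLASSES = {"keyword", "title", "author", "subject", "series", "identifier"}
SEARCH_ALIASES = {"kw": "keyword", "ti": "title", "au": "author",
                  "su": "subject", "se": "series", "id": "identifier"}


class TooManyRequests(Exception):
    """Admitting the request would exceed a concurrency limit (HTTP 429)."""


def resolve_qtype(qtype):
    """Map qtype to a configured class; None if it is neither a class nor an alias."""
    if not isinstance(qtype, str):
        return None
    q = qtype.strip().lower()
    if q in SEARCH_CLASSES:
        return q
    return SEARCH_ALIASES.get(q)


def query_key(query):
    """Collapse case and whitespace so trivially varied copies of one query share a bucket."""
    normalised = " ".join(query.lower().split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


class SearchGate:
    """In-process counts of searches currently in flight, per client IP and per query key."""

    def __init__(self, max_per_ip=MAX_CONCURRENT_PER_IP, max_per_query=MAX_CONCURRENT_PER_QUERY):
        self.max_per_ip = max_per_ip
        self.max_per_query = max_per_query
        self._lock = threading.Lock()
        self._by_ip = Counter()
        self._by_query = Counter()

    def in_flight(self, client_ip=None, query=None):
        """(searches from client_ip or from all clients, searches for query or for all queries)."""
        with self._lock:
            ip_n = self._by_ip[client_ip] if client_ip is not None else sum(self._by_ip.values())
            q_n = self._by_query[query_key(query)] if query is not None else sum(self._by_query.values())
        return ip_n, q_n

    @contextmanager
    def admit(self, client_ip, query):
        """Hold a slot for the duration of the search; raise TooManyRequests if a limit is hit."""
        qkey = query_key(query)
        with self._lock:
            if self._by_ip[client_ip] >= self.max_per_ip:
                raise TooManyRequests(f"too many concurrent searches from {client_ip}")
            if self._by_query[qkey] >= self.max_per_query:
                raise TooManyRequests("too many concurrent searches for this query")
            self._by_ip[client_ip] += 1
            self._by_query[qkey] += 1
        try:
            yield
        finally:
            with self._lock:
                # Release the slot; drop empty buckets so the counters cannot grow without bound.
                for counter, key in ((self._by_ip, client_ip), (self._by_query, qkey)):
                    counter[key] -= 1
                    if counter[key] <= 0:
                        del counter[key]


def handle_search(gate, client_ip, qtype, query, run_search=None):
    """Return (http_status, body).

    An unknown qtype is thrown away with 400 before any search work; a limit
    breach yields 429; otherwise run_search(search_class, query) runs under the gate.
    """
    search_class = resolve_qtype(qtype)
    if search_class is None:
        return 400, "invalid qtype"
    try:
        with gate.admit(client_ip, query):
            body = run_search(search_class, query) if run_search else f"{search_class}: {query}"
            return 200, body
    except TooManyRequests as exc:
        return 429, str(exc)
```

The qtype check runs before the gate is consulted, so a malformed request costs nothing but the lookup; the gate counts only requests that would actually reach the search backend. The counters live in one process, so with several web workers each worker enforces the limits independently.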
Jane Sandberg [Wed, 11 Jan 2023 03:17:18 +0000 (19:17 -0800)]
LP2002435: Don't allow shelving location fm-editor to change delete flag
To test:
1. Go to the Local Admin > Shelving Locations Editor screen
2. Select a location and edit it.
3. Note that with this patch in place, the Delete checkbox
is no longer editable.
Signed-off-by: Jane Sandberg <sandbergja@gmail.com> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
spmorrison [Wed, 8 Mar 2023 19:59:21 +0000 (14:59 -0500)]
Docs: Update describing_your_organization.adoc
Updated the Create and edit Organization Unit Types section as well as the Organization Units sections to update text and add screenshots. Also added instructions for hours of operation notes (released in 3.10).
Signed-off-by: Jane Sandberg <js7389@princeton.edu>
Some older style ARRAY_TO_STRING(ARRAY_AGG()) should be replaced to
use the native STRING_AGG() that comes with PG 9+. This should improve
performance for these functions.
Signed-off-by: Ben Shum <ben@evergreener.net> Signed-off-by: Jason Stephenson <jason@sigio.com> Signed-off-by: Jason Boyer <JBoyer@equinoxOLI.org>
Galen Charlton [Thu, 17 Nov 2022 15:09:39 +0000 (10:09 -0500)]
LP#1996908: allow OpenILS::WWW::Proxy::Authen to check eg.auth.token
This patch allows the authentication handler to accept the
'eg.auth.token' cookie coming from the staff client if a 'ses' parameter
or 'ses' cookie has not been set. This allows resources gated by
this handler to be accessed by a staff member who has logged
into the staff client without requiring an additional login.
To test
-------
[1] Create a report and note the URL of one of its
outputs.
[2] In a completely fresh browser session, log into the
staff client, then directly load the reporter output.
You will be prompted to log in again because the 'ses'
cookie was not set.
[3] Apply the patch and repeat step 2. This time, the reporter
output should be directly retrieved.
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org> Signed-off-by: Jason Boyer <JBoyer@equinoxOLI.org>
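The token precedence the commit describes, as an added example that is not Evergreen's own handler code: the 'ses' parameter, then the 'ses' cookie, then the staff client's 'eg.auth.token' cookie. The point worth keeping in view is that a new token source only widens where a token may come from; it must not bypass validation against the session store. The session store, its expiry field, the cookie header and the result format are constructed for the example.

```python
"""Choosing and validating an auth token (added example, not Evergreen code).

Precedence follows the commit message: 'ses' parameter, 'ses' cookie, then
the 'eg.auth.token' cookie. Whatever source supplies the token, it is still
looked up and checked for expiry. The session store is a constructed stand-in.
"""
from http.cookies import SimpleCookie

# Constructed session store: token -> user and expiry (unix timestamp).
SESSIONS = {
    "tok-staff-1": {"user": "staff1", "expires": 2_000_000_000},
    "tok-stale-2": {"user": "staff2", "expires": 1_000_000_000},
}

# Candidate sources in precedence order.
TOKEN_SOURCES = (("param", "ses"), ("cookie", "ses"), ("cookie", "eg.auth.token"))


def parse_cookie_header(header):
    """Parse a raw Cookie header into a name -> value dict ('name=' yields an empty string)."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def resolve_authtoken(params, cookies):
    """Return (token, source) for the first non-empty candidate, else (None, None).

    An empty 'ses' value counts as unset, so the lookup falls through to the
    staff cookie instead of presenting an empty token to the session store.
    """
    for kind, key in TOKEN_SOURCES:
        value = (params if kind == "param" else cookies).get(key)
        if value and value.strip():
            return value.strip(), f"{kind}:{key}"
    return None, None


def authenticate(params, cookies, now, sessions=SESSIONS):
    """Resolve the token and validate it against the store; return a result dict."""
    token, source = resolve_authtoken(params, cookies)
    if token is None:
        return {"ok": False, "reason": "no_token"}
    session = sessions.get(token)
    if session is None:
        return {"ok": False, "reason": "unknown_token", "source": source}
    if session["expires"] <= now:
        return {"ok": False, "reason": "expired", "source": source}
    return {"ok": True, "user": session["user"], "source": source}
```

Recording which source supplied the token (the `source` field) is cheap and makes it possible to audit later how often gated resources are reached through the staff cookie rather than an explicit session parameter.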
This patch reduces the number of updates to search.symspell_dictionary
rows that would not change the contents of those rows, thereby
reducing the potential for certain record maintenance operations to
significantly bloat that table.
In particular, it adjusts the upsert to update the row for an existing
prefix only if there would be a net change in at least one of the *_count
columns or the list of suggestions. (Note that if a row is the target of
an UPDATE statement, PostgreSQL will _always_ create a row version, even
if there is no change to the contents of the row.)
It should be noted that while this patch is useful in and of itself, there
is a longer-term fix that would have additional benefits: adjust the
overall reingest logic so that it minimizes changes to all large tables
derived from the bib record when a bib gets reingested. A row that never
gets touched because it doesn't have to be can never become bloat.
To test
-------
[1] In a Concerto database, ensure that idempotent updates of the MARC
in biblio.record_entry will nonetheless force a reingest by running:
update config.internal_flag set enabled = true where name = 'ingest.reingest.force_on_same_marc';
[2] Note the size of search.symspell_dictionary by running:
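The guarded upsert described above, as an added example that is not Evergreen's own SQL: a reduced table standing in for search.symspell_dictionary (the column set is an assumption) and two upsert forms replayed through an idempotent reingest, counting how many rows each actually writes. SQLite is used so the example runs offline; its null-safe IS NOT plays the role of PostgreSQL's IS DISTINCT FROM, and the guard matters in PostgreSQL precisely because an UPDATE that changes nothing still produces a new row version.

```python
"""An upsert that leaves unchanged rows alone (added example, not Evergreen SQL).

Simplified stand-in for the search.symspell_dictionary maintenance: one prefix
per row, two *_count columns and a suggestions list (the real table has more).
The guarded form rewrites an existing row only when at least one tracked value
would change; the naive form rewrites it on every reingest. SQLite's IS NOT is
the null-safe comparison that IS DISTINCT FROM provides in PostgreSQL.
"""
import sqlite3

DDL = """
CREATE TABLE symspell_demo (
    prefix_key    TEXT PRIMARY KEY,
    keyword_count INTEGER NOT NULL DEFAULT 0,
    title_count   INTEGER NOT NULL DEFAULT 0,
    suggestions   TEXT    NOT NULL DEFAULT ''
)"""

# Unconditional upsert: every conflicting row is rewritten, even when identical.
NAIVE_UPSERT = """
INSERT INTO symspell_demo (prefix_key, keyword_count, title_count, suggestions)
VALUES (?, ?, ?, ?)
ON CONFLICT (prefix_key) DO UPDATE SET
    keyword_count = excluded.keyword_count,
    title_count   = excluded.title_count,
    suggestions   = excluded.suggestions"""

# Guarded upsert: the DO UPDATE fires only when something would actually change.
GUARDED_UPSERT = NAIVE_UPSERT + """
WHERE symspell_demo.keyword_count IS NOT excluded.keyword_count
   OR symspell_demo.title_count   IS NOT excluded.title_count
   OR symspell_demo.suggestions   IS NOT excluded.suggestions"""

# Constructed sample: dictionary rows produced by ingesting a few records.
SAMPLE_ROWS = [
    ("har", 3, 1, "harry,hard,harbor"),
    ("dun", 1, 0, "dune"),
    ("pla", 2, 2, "player,place"),
]


def upsert(conn, stmt, row):
    """Run one upsert; return how many rows were actually written (0 or 1)."""
    return conn.execute(stmt, row).rowcount


def replay(stmt, first_pass, second_pass):
    """Apply two passes of upserts to a fresh table; return the writes each pass caused."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(DDL)
        first = sum(upsert(conn, stmt, row) for row in first_pass)
        second = sum(upsert(conn, stmt, row) for row in second_pass)
        return first, second
    finally:
        conn.close()


def writes_on_idempotent_reingest(stmt, rows=SAMPLE_ROWS):
    """Writes caused by ingesting rows, then reingesting the identical rows."""
    return replay(stmt, rows, rows)


if __name__ == "__main__":
    print("naive:  ", writes_on_idempotent_reingest(NAIVE_UPSERT))    # (3, 3)
    print("guarded:", writes_on_idempotent_reingest(GUARDED_UPSERT))  # (3, 0)
```

The guard has to compare every column the UPDATE sets; a column left out of the WHERE clause but present in the SET list would let a real change in that column be silently skipped.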
Galen Charlton [Wed, 15 Feb 2023 17:01:47 +0000 (12:01 -0500)]
LP#2007351: fix the MARC editor heading linker for certain fields
The headings linker in the Angular bib record editor could fail
to retrieve the relevant authority control field metadata to determine
what subfields in the bib record are controlled by a top-level authority
record (as opposed to a subdivision record). This patch fixes this
by adjusting the query for bib-to-authority linking relationships.
This manifested as the headings linker not consistently bringing
up the headings browse when attempting to link headings in the bib
600, 650, 651, and 655 fields.
To test:
[1] Open a bib record in the Angular MARC editor and create a 650
field.
[2] Click the button to open the headings linker. Note that no
browse is performed. (This is not 100%, as the bug is sensitive
to the exact order that the database happens to return rows
from the authority.control_set_bib_field table.)
[3] Apply the patch and repeat step 2.
[4] This time, the browse list in the headings linker should show
results.
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org> Signed-off-by: Carol Witt <wittc@cwmars.org>
Jane Sandberg [Wed, 22 Feb 2023 04:48:31 +0000 (20:48 -0800)]
LP1999401: Don't override magic statuses from holdings editor templates
1. Create a new template including a status
2. Check out an item
3. Apply your template to the item
4. Note that the item's status is no longer Checked Out
5. Apply this patch
6. Retry steps 1-3. Note that the item's status is still Checked Out
Signed-off-by: Jane Sandberg <sandbergja@gmail.com> Signed-off-by: Elizabeth Davis <elizabeth.davis@sparkpa.org> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
Jane Sandberg [Wed, 11 Jan 2023 00:59:14 +0000 (16:59 -0800)]
LP1999401: Don't apply magic statuses from holdings editor templates
1. Create a new template in the holdings template editor with a few
different values in various fields.
2. Include a "magic" status in your template (like Lost or In
Transit). To select it, you can type the first few characters
then press <Tab>.
3. Save your template.
4. Apply your template to an item.
5. Note that the copy status has changed to a magic status.
6. Apply this patch.
7. Try applying your template to another item.
8. Note that the copy status field doesn't change this time,
but other fields from your template should still apply.
Signed-off-by: Jane Sandberg <sandbergja@gmail.com> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
Galen Charlton [Wed, 16 Nov 2022 17:11:22 +0000 (12:11 -0500)]
LP#1980142: adjust styling of patron message body in Bootstrap OPAC
This patch resolves an issue where the text of the message body
could be rendered very small due to default styles applied to the <pre>
element. In particular, it converts the <pre> to a <p> and restores
a TPAC-era style that ensures that
* long lines in the message wrap
* but line breaks are also preserved (see LP#1927990)
This patch also ensures that the message body is not displayed with
label but no contents if the body is empty.
To test
-------
[1] Create a public patron note that contains line breaks and
long lines.
[2] Note that in the Bootstrap OPAC message view, the message
displays with fixed-width text (that may use a smaller font
than the rest of the page) and has a horizontal scrollbar
(due to the long line).
[3] Apply the patch and look at the message again in the OPAC.
This time, the long line should wrap, but line breaks are
also preserved.
This patch includes a portion of a patch by Garry Collum.
Lp 2008925: Patch Templates Adversely Affected by Lp 1992490
The patch for Lp 1992490 wrapped several text blocks in the l()
translation function. At least two of these introduced syntax error
in Template Toolkit. Some of the others could have been done
differently to fit in better with the general idiom of how we use the
function in Evergreen.
This commit modifies those that stood out as the most egregious
examples.
An easy way to test this is to login to the OPAC on an unpatched
system and click to open "Messages." You will get an Internal Server
Error. After you apply this commit and install the affected
templates, you will not get an Internal Server Error.
The other modified templates do not seem to crash, but use the
translation function in idiosyncratic ways. This commit attempts to
smooth those out.
Signed-off-by: Jason Stephenson <jason@sigio.com> Signed-off-by: Jane Sandberg <sandbergja@gmail.com> Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Stephanie Leary [Wed, 1 Mar 2023 15:52:19 +0000 (09:52 -0600)]
LP1814978 Keyboard support for bib record actions
Adds the ngbDropdownItem directive to dropdown menu items in the staff
catalog bib record actions: Serials, Mark For, and Other Actions. This
adds support for navigating the menus using the up/down arrows on the
keyboard.
Signed-off-by: Stephanie Leary <stephanie.leary@equinoxOLI.org> Signed-off-by: Susan Morrison <smorrison@georgialibraries.org> Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
Bill Erickson [Thu, 16 Feb 2023 16:02:49 +0000 (11:02 -0500)]
LP2007591 Allow Last-Copy Delete to Create Hold Notices
Fixes an issue where attempting to create A/T events for recently
canceled holds fails because the cancel_time on the hold is the
pre-insert value of "now" instead of a valid date string.
Resolve the issue by fetching the post-insert copy of the hold, so it has
all of the correct in-database values, before passing the hold to A/T
for processing.
Signed-off-by: Bill Erickson <berickxx@gmail.com> Signed-off-by: Mike Rylander <mrylander@gmail.com>
Stephanie Leary [Tue, 1 Nov 2022 16:33:04 +0000 (11:33 -0500)]
LP1991562 Accessible link and button colors in Angular staff interface
Several of the default colors in Bootstrap 4 do not meet WCAG Level AA
accessibility requirements when used for links (#007bff blue) or button
backgrounds with white text (blue/primary, #28a745 green/success, and
Additionally, while the yellow/warning color (#ffc107) does pass the
contrast check with black text, the button itself does not pass the
graphical object contrast check against white or #f7f7f7 page/tab
backgrounds, meaning people with some forms of color blindness can't see
the shape of the button.
This patch updates link and button colors using Bootstrap 5 tints
(https://getbootstrap.com/docs/5.0/customize/color/#all-colors). While
slightly lighter custom colors could be used to pass the contrast
checks, sticking to the Bootstrap 5 color scheme should make it easier
for us to stay consistent as new components are added in the future.
Stephanie Leary [Thu, 19 Jan 2023 15:18:40 +0000 (09:18 -0600)]
LP1980874 Limit depth dropdown in patron notes
Adds standard form control styling to the depth select menu in the
Patron > Create Note modal. This limits the width of the closed dropdown
to the width of the form and prevents long labels from overflowing.
This does not prevent the individual options from overflowing the
<select> width due to the limited CSS support for the <option> tag; all
width and text wrap properties are currently unsupported.
Stephanie Leary [Tue, 6 Dec 2022 22:56:14 +0000 (16:56 -0600)]
LP1998969 Make disabled <option>s more obvious
Changes the color of disabled options in <select> dropdowns to 30% gray.
To test, visit the staff catalog. In the search filters, with the search
type set to keyword, notice that the "matches exactly" and "starts with"
options in the "Contains" dropdown are now better distinguished from
valid choices.
Signed-off-by: Stephanie Leary <stephanie.leary@equinoxOLI.org> Signed-off-by: Susan Morrison <smorrison@georgialibraries.org> Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
Provides label tags for staff catalog search form fields.
Most labels in the form are visible. I have used the sr-only class to
make labels available to screen reader users while hiding them from
sight on the publication date range fields, which I think are easy
enough to use without visible labels. However, this combination of year
and operator dropdowns is not well organized for screen reader users,
and we should rethink the order and wording of these fields.
To test, visit staff/catalog/search and inspect each form field. Verify
that each one has a <label> tag where the for attribute matches the ID
of the associated form element. (Checkboxes wrapped in the <label> tag
still need matching ID and for attributes for consistent ARIA support.)
Tiffany Little [Mon, 30 Jan 2023 18:52:58 +0000 (13:52 -0500)]
LP2003947 Add LID count to Acq Search
Signed-off-by: Tiffany Little <tlittle@georgialibraries.org> Signed-off-by: Christine Morgan <cmorgan@noblenet.org> Signed-off-by: Jane Sandberg <js7389@princeton.edu>
Tiffany Little [Mon, 30 Jan 2023 19:01:11 +0000 (14:01 -0500)]
LP2004187 Opens acq provider link in new tab on PO
Signed-off-by: Tiffany Little <tlittle@georgialibraries.org> Signed-off-by: Christine Morgan <cmorgan@noblenet.org> Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
Garry Collum [Tue, 24 Jan 2023 16:22:28 +0000 (16:22 +0000)]
LP2003742 Shelf browse in angular catalog uses deleted call numbers
Fixes the call number browse. To determine the call number for which
the browse list displays, deleted call numbers are not removed from
the query.
To test in Concerto:
1. Go to a bib and click on the shelf browse tab. Notice where the list
begins.
2. Add a new item with a call number less than the starting point of
the browse list. For example, if the list begins at 780, create
a call number at 100.
3. Refresh the browse screen and notice that the list now begins at
the lower call number.
4. Delete the item and call number that was created, the list still
begins at the lower call number.
5. Apply the patch.
6. The list should now begin at its original call number.
Signed-off-by: Garry Collum <gcollum@gmail.com> Signed-off-by: Bill Erickson <berickxx@gmail.com>
Use OFFSET as an optimization fence to keep newer PGs from trying to
fold the c_attr and b_attr CTEs into the main search query.
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Jason Stephenson <jason@sigio.com> Signed-off-by: Jane Sandberg <js7389@princeton.edu>
Stephanie Leary [Fri, 9 Dec 2022 22:25:15 +0000 (16:25 -0600)]
LP1999282 Less intense badges for staff interface
Flips the contrast on badges to make them less intense and comply with
color contrast requirements. In keeping with the less intense alert
styles, the badges have more subtle background colors. I have also
adjusted the spacing and font weight to make the characters larger
without greatly increasing the overall size of the badge.
All of these styles pass WCAG AAA contrast checks. In anticipation of
Bootstrap 5, I have included the new .text-bg-* classes alongside the
current ones.
The access key modal (Control-H) is a good place to observe the overall
effect.
This patch fixes a regression introduced by bug 2006749 that
prevented open-ils.actor.ou_setting.ancestor_default from retrieving
the value of a library setting that does not have a view permission
associated with it. It also fixes a similar issue with
open-ils.actor.org_unit.settings.history.retrieve.
To test
-------
[1] Use srfsh to retrieve the value of a library setting
that does not have a view permission. E.g.,
[2] Apply the patch and repeat step 1. This time, the value of
the setting should be returned.
[3] Verify that viewing the edit history of a setting in the
Library Settings admin page works as expected.
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org> Signed-off-by: Jason Stephenson <jason@sigio.com>
LP#1999944: fix bug that can break drawing the folder tree for reports
Specifically, skip drawfolders iteration if parent node cannot be
found and report invalid parent folder in the browser console.
For example, if a user creates a template folder that is not shared
that has a child folder that _is_ shared, another user at the library
that the folder is shared with would see their report folders be
incompletely rendered.
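The folder-tree situation described above, as an added example that is not Evergreen's reporter code: a shared child folder whose parent is private to another user arrives without a visible parent, and the rendering pass skips and reports that row instead of failing on the whole tree. The folder rows and the message wording are constructed for the example; the guard against cyclic parent links is an extra the commit does not mention.

```python
"""Rendering a folder tree from a flat list that may contain orphans
(added example, not Evergreen code).

A folder that is shared while its parent is not is visible to a second
user without its parent. Rows whose parent cannot be found are skipped and
reported rather than aborting the rendering of everything else.
"""
from collections import defaultdict

# Constructed sample of the folders visible to a second user at the library.
# Folder 2 is shared, but its parent 1 is private to its owner and so is absent.
VISIBLE_FOLDERS = [
    {"id": 10, "parent": None, "name": "Templates"},
    {"id": 11, "parent": 10,   "name": "Circulation"},
    {"id": 2,  "parent": 1,    "name": "Overdue notices (shared)"},
    {"id": 12, "parent": 11,   "name": "Holds"},
]


def build_tree(folders):
    """Return (children, orphans).

    children maps a parent id (None for roots) to its child ids in input order;
    orphans lists (folder id, missing parent id) for rows that were skipped.
    """
    by_id = {f["id"]: f for f in folders}
    children = defaultdict(list)
    orphans = []
    for f in folders:
        parent = f["parent"]
        if parent is None or parent in by_id:
            children[parent].append(f["id"])
        else:
            orphans.append((f["id"], parent))
    return children, orphans


def draw_folders(folders):
    """Render the tree as indented lines; return (lines, orphans, unreachable).

    unreachable holds ids that were never reached from a root, which can only
    happen when parent links form a cycle among visible folders.
    """
    by_id = {f["id"]: f for f in folders}
    children, orphans = build_tree(folders)
    orphan_ids = {fid for fid, _ in orphans}
    lines, visited = [], set()

    def walk(node_id, depth):
        for child in children.get(node_id, []):
            if child in visited:  # defensive: never render the same folder twice
                continue
            visited.add(child)
            lines.append("  " * depth + by_id[child]["name"])
            walk(child, depth + 1)

    walk(None, 0)
    unreachable = sorted(fid for fid in by_id if fid not in visited and fid not in orphan_ids)
    return lines, orphans, unreachable


def report(folders):
    """Messages a UI would write to the console for the rows it could not place."""
    _, orphans, unreachable = draw_folders(folders)
    messages = [f"skipping folder {fid}: parent folder {pid} not found" for fid, pid in orphans]
    messages += [f"skipping folder {fid}: not reachable from any root" for fid in unreachable]
    return messages
```

Separating the skipped rows from the rendered lines keeps the drawing code free of special cases and gives the caller something concrete to log, which is what makes the partial-visibility situation diagnosable after the fact.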
Tiffany Little [Fri, 16 Dec 2022 20:55:21 +0000 (15:55 -0500)]
LP1999544 Also fixes fund dropdown in PO charges
Signed-off-by: Tiffany Little <tlittle@georgialibraries.org> Signed-off-by: John Amundson <jamundson@cwmars.org> Signed-off-by: Jason Stephenson <jason@sigio.com>
Tiffany Little [Fri, 16 Dec 2022 20:09:34 +0000 (15:09 -0500)]
LP1999544_funddropdown Add owners limiter to fund dropdown
Adds a limiter of owners to the acqf idlquery for fund dropdown in line items
Signed-off-by: Tiffany Little <tlittle@georgialibraries.org> Signed-off-by: John Amundson <jamundson@cwmars.org> Signed-off-by: Jason Stephenson <jason@sigio.com>
Bill Erickson [Wed, 20 Apr 2022 16:08:52 +0000 (12:08 -0400)]
LP1969641 Show useful lack of staff working location message
When a user logs into the staff client that has STAFF_LOGIN permissions,
but no working locations, show a message to this effect instead of
resulting in a blank page.
Signed-off-by: Bill Erickson <berickxx@gmail.com> Signed-off-by: John Amundson <jamundson@cwmars.org> Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Jeff Davis [Tue, 18 Oct 2022 19:42:26 +0000 (12:42 -0700)]
LP#1990306: avoid VIEW_USER perm lookup on egPatronApp startup when we have a null authtoken
Signed-off-by: Jeff Davis <jeff.davis@bc.libraries.coop> Signed-off-by: Chris Sharp <csharp@georgialibraries.org> Signed-off-by: Jane Sandberg <sandbergja@gmail.com> Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
The cancel button on the delete-volcopy-dialog now appears last
to be consistent with the eg-confirm dialogs.
To test:
1. set the ou setting "Alert on empty bib records" to true
2. delete the last copy on a record
3. note the Delete Holdings/OK and Cancel buttons are in the
same order on the delete and confirmation dialogs
Signed-off-by: Dan Briem <dbriem@wlsmail.org> Signed-off-by: Jennifer Weston <jennifer.weston@equinoxinitiative.org> Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Moves the display of applied filters into bootstrap alert messages and aligns applied filters
in a row, and utilizes more native bootstrap classes. Also, adds a label to the 'Locations'
filter and code to implement an 'OR' separator, if more than one location is selected.
To test:
1. Perform an advanced search in the bootstrap catalog and apply some filters. To test
the locations, select several location options.
2. Notice the formatting of the 'Filtered by:' display data. Notice also the display
of the locations filter without a label or a separator.
3. Apply the patch.
4. Repeat 2 to see the new formatting.
Garry Collum [Tue, 28 Jun 2022 15:07:46 +0000 (15:07 +0000)]
LP1965065 Example DOB on self-registration displays twice
This fixes the double display of the example text in the self-registration form of the opac.
Not only does DOB example display twice but the example text for phone, email, and
postal code also display twice.
To test:
1. Go to library settings and set "Allow Patron Self Registration" and "Show DOB field on patron
registration" to true. Set a value for "Example dob field on patron registration". If testing
phone, postal code, or email the appropriate values must be set for the show and example
parameters.
2. Go to "Request a Library Card" in the opac.
3. Notice that the DOB example displays twice.
4. Apply the patch.
5. The example now just displays once.
Garry Collum [Thu, 11 Aug 2022 18:44:19 +0000 (18:44 +0000)]
LP#1984269: Bootstrap opac: display of tables on small screens
This incorporates a generic process to display vertical tables in the Bootstrap
opac in small screens by adding a 'mobile-title' attr to any <td> elements
of the table. This patch uses the copy_table.tt2 and results/table.tt2
as examples.
These two tables are best tested with bibs that contain items that have parts.
The results/table.tt2 is displayed by using the "Show More Details" button
on the results screen. When the screen is sized so that the tables become
vertical the parts column is not displayed. After the patch is applied
the parts column is displayed only on those bibs that contain parts.
For these two particular tables, it also refactors the method
in which the copies are numbered with the lists. Prior to the patch the
mobile display would show the copy number, but it would stop at 10 for both
of these tables, because that's what was defined in CSS. They should now
display a number for each table row displayed.
Garry Collum [Wed, 10 Aug 2022 17:05:14 +0000 (17:05 +0000)]
LP#1983729: Bootstrap Opac: fix copy navigation links in small screens
This moves the previous, next, and Show more copies links out of the
copies table so that these values do not have incorrect labels on small
screens.
To test:
1. Retrieve a bib record with a large number of copies.
2. In a small screen notice that the previous, next, and show more copies
links are labeled, as Library and Call Number.
3. Apply the patch.
4. Repeat step 2.
LP1980304 Bootstrap: Facets move when viewing results for grouped records.
Fixes the displacement of the facets in the bootstrap opac when viewing grouped records.
To test:
1. Perform a search in the bootstrap opac with the Group Formats and Editions option
selected. In concerto - "Ready Player One"
2. Click on a resulting title that contains more than one format.
3. Notice the placement of the facets.
4. Apply the patch and repeat.
5. The facets should no longer be displaced when viewing metarecords or non-metarecords.
Garry Collum [Fri, 5 Aug 2022 14:45:27 +0000 (14:45 +0000)]
LP1966995: Bootstrap Opac: fix display of 856 $n, $z, and $3
This fixes the display in the Bootstrap Opac for the 856 subfields n, z, and
3.
To test:
1. Create a record(s) with 856 fields which contain a combination of
subfield n, z and 3's.
2. Prior to the patch the fields do not display in the bootstrap opac.
3. Apply the patch.
4. The fields will now display.
This patch updates the open-ils.actor.patron.update method
documentation to explicitly state that updates to patron notes,
user activity, and standing penalties via that method are
ignored. This is to try to avoid a regression on this bug, as
otherwise it might be plausible for the method to allow the notes
and standing penalties (at least) to be updated.
When saving a user in the AngularJS UIs, we currently send the notes,
usr_activity, and standing_penalties fields to the actor service.
However, that's not how those get updated, and with large sets that can
cause problems. This commit removes those fields before saving the
user.
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
The angular staff catalog uses the new print/email records
functionality, but calls it without some expected parameters. This
causes the backend method to fail as it assumes the params will exist.
This commit removes that assumption by testing the length of the
parameter list before attempting to read them.
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Jane Sandberg <sandbergja@gmail.com> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
Garry Collum [Tue, 11 Oct 2022 17:47:14 +0000 (17:47 +0000)]
LP1992490-Bootstrap Opac: sr-only, aria-label, and title localization.
Corrects some instances of non-localization of sr-only fields, aria-labels,
and title attributes. Also corrects some stray display strings that were
not localized.
To test:
Apply the patch, and view each page to see if it renders. View the page
source of each page to see if the sr-only fields, aria-labels, and
title attributes are rendered correctly.
Jane Sandberg [Sat, 7 Jan 2023 04:19:55 +0000 (20:19 -0800)]
LP1999304 (follow-up): blank alt text for decorative image
Steps to test:
1. Search the staff catalog for Ready Player One in the concerto dataset.
2. Check the Group Formats/Editions checkbox
3. Press the Place hold button
4. Use your browser's dev tools (or a screen reader) to find the accessible
name of the Large Print Book checkbox.
5. Confirm that the accessible name is Large Print Book, rather than
Large Print Book Large Print Book.
Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
Stephanie Leary [Tue, 13 Dec 2022 16:45:58 +0000 (10:45 -0600)]
LP1999304 Labels for metarecord hold checkboxes
Wraps metarecord hold format and language checkboxes in labels with
for attributes matched to input IDs.
To test:
1. Search the catalog for an item with multiple formats
2. Check the option to group formats/editions
3. Click "place hold" on one of the results
4. Find the table below "Placing METARECORD hold on record(s)"
5. Toggle the language or format checkboxes by clicking their labels or
icons rather than the box itself
Signed-off-by: Stephanie Leary <stephanie.leary@equinoxOLI.org> Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
Garry Collum [Thu, 25 Aug 2022 17:44:13 +0000 (17:44 +0000)]
LP1422927 Opac hold history pagination
Fixes the hold history pagination in both the TPac and the Bootstrap opac.
To test:
1. Login as a patron and enable the hold history preference. The default
number of items on each page is 15, so place at least 16 holds for this
patron. (The limit can be overridden in the url with the &limit switch).
2. View the hold history and notice that all items are displaying on all
pages.
3. Apply the patch
4. The results are now paginated with 15 items per page.