This commit uses database functions to precompute the normalized and
tokenized tsquery required for highlighting before it is returned to the
user, and disallows highlight-time compilation of the highlight map.
The primary purpose of this is to avoid the chance for user input to
find its way directly into SQL statements, but an additional benefit is
that it becomes much simpler for high level application code to make use
of Display Field highlighting in non-search contexts.
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Galen Charlton <gmc@equinoxOLI.org> Signed-off-by: Jason Boyer <JBoyer@equinoxOLI.org>
Mike Rylander [Fri, 12 Oct 2018 18:43:26 +0000 (14:43 -0400)]
LP#1775958: Rework pullup mechanism to flatten more nested queries
The bulk of this commit reworks the query tree pullup logic, which is
responsible for simplifying the query tree that is used to generate the
SQL query for search. In particular, we now do a better job of finding
opportunities to merge adjacent parts of the query that have the same
requested_class (pre-dealiasing) in the face of boolean OR operators,
explicit grouping, and alternating requested_class values. The result
is fewer joins in the SQL, which should speed up all but the most
trivial searches, and generally help protect the database from mis- or
mal-constructed queries. We also now use CTEs to separate branches of
the logical search tree into discrete subqueries, which helps reduce
the total core query JOINs, and provides the planner with more options
for join order.
This also does away with the conversion of a negated atom into an
"un-phrase". Instead, we just detect and handle those directly as atoms
with a prefix, as appropriate. This allows single negated words to be
used directly in the core tsquery construct, rather than having them
require a separate join and special where clause.
Additionally, this commit handles phrases differently at both the QP and
SQL level, making use of Postgres's phrase support in modern versions
and simplifying how they're handled within the base parse tree
structure.
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Jason Stephenson <jason@sigio.com> Signed-off-by: Galen Charlton <gmc@equinoxOLI.org> Signed-off-by: Jason Boyer <JBoyer@equinoxOLI.org>
This commit implements a new global flag: opac.login_redirect_domains
When this flag is enabled, redirection from login via redirect_to will
be restricted to local URLs. For local URLs, they must either start
with a / (provide an absolute path) or the hostname in the URL must
match the current hostname and have a scheme of http, https, ftp, or
ftps.
The value for the global flag can be set to a list of comma-separated
domain names. Redirection to these domains, and subdomains/hosts
thereof, will also be allowed. For all non-local URLs allowed by the
global flag value, the scheme must be one of http, https, ftp, or ftps.
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Jason Stephenson <jason@sigio.com> Signed-off-by: Jason Boyer <JBoyer@equinoxOLI.org>
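The rule described in the commit above (local absolute paths, the current hostname, or the configured domains and hosts beneath them, with only http/https/ftp/ftps schemes), written out as an added, stand-alone Python example. It is not Evergreen's code: the function names, the hostnames used in the comments, and the treatment of a leading "//" or "/\" as non-local (browsers resolve those as scheme-relative URLs to another host, which the description above does not address) are all assumptions of this example.

```python
from urllib.parse import urlsplit

# Schemes the description above allows for any non-path redirect target.
ALLOWED_SCHEMES = {"http", "https", "ftp", "ftps"}


def parse_redirect_domains(flag_value):
    """Split the comma-separated global-flag value into a list of domains."""
    return [d.strip().lower().rstrip(".") for d in flag_value.split(",") if d.strip()]


def host_in_domain(host, domain):
    """True if host equals domain or is a host/subdomain beneath it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_allowed_redirect(redirect_to, current_host, allowed_domains=()):
    """Decide whether a redirect_to value may be followed after login.

    Local targets: an absolute path (starts with "/"), or a URL whose
    hostname equals the current hostname and whose scheme is one of
    ALLOWED_SCHEMES. Also allowed: a hostname equal to, or beneath, one of
    the configured domains, again only with an allowed scheme. Everything
    else is refused.
    """
    if not redirect_to:
        return False

    if redirect_to.startswith("/"):
        # Assumption of this example: "//host/..." and "/\host/..." are
        # refused because browsers resolve them relative to the scheme,
        # i.e. to a different host, not as a local path.
        return not redirect_to.startswith(("//", "/\\"))

    parts = urlsplit(redirect_to)          # urlsplit lowercases the scheme
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if "\\" in parts.netloc:
        # Browsers treat "\" like "/" inside the authority; Python does
        # not, so "http://evil.example\@good.example" would otherwise
        # parse here with hostname good.example. Refuse the differential.
        return False
    host = parts.hostname                  # userinfo and port stripped, lowercased
    if not host:
        return False
    if host == current_host.lower().rstrip("."):
        return True
    return any(host_in_domain(host, d) for d in allowed_domains)
```

Two points worth noting: `parts.hostname` rather than `parts.netloc` is what defeats the `http://trusted@evil` form, since the userinfo is dropped before comparison; and the domain match requires a dot boundary, so an allowlisted `partner.example.net` does not admit `notpartner.example.net`.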
This commit adds two types of simple DoS protection:
* Limit concurrent search requests per client IP address, regardless of
the searches being performed. This helps address issues of accidental
spamming from a malfunctioning OPAC workstation, or crawlers of various
types. The limit is controlled by a global flag called
"opac.max_concurrent_search.ip".
* Limit the global concurrent search requests for the same query. This
helps address both simple and distributed DoS that send the same search
request over and over. The limit is controlled by a global flag called
"opac.max_concurrent_search.query", and defaults to 20.
When the limit is exceeded in either case the client receives an HTTP
429 "Too many requests" response from the web server, and the connection
is ended.
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Jason Stephenson <jason@sigio.com> Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
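An added, stand-alone Python model of the two limits described above (per client IP, and per identical query across all clients), mapping a refused request to HTTP 429. It is not Evergreen's implementation: the class and method names are this example's own, the per-IP default of 10 is assumed (the description gives only the per-query default of 20), and the query normalisation used to decide what counts as "the same query" is an assumption as well.

```python
import threading
from collections import Counter
from contextlib import contextmanager


class TooManyRequests(Exception):
    """Raised when a limit is exceeded; the web layer answers HTTP 429."""
    status = 429


class ConcurrentSearchLimiter:
    """In-process counters for the two limits.

    max_per_ip    - concurrent searches from one client address
                    (assumed default of 10; not given in the description)
    max_per_query - concurrent searches for one query, across all clients
                    (default 20, as in the description)
    """

    def __init__(self, max_per_ip=10, max_per_query=20):
        self.max_per_ip = max_per_ip
        self.max_per_query = max_per_query
        self._lock = threading.Lock()
        self._by_ip = Counter()
        self._by_query = Counter()

    @staticmethod
    def query_key(query):
        # Assumed normalisation: case and whitespace variants of one
        # search share a counter, so a flood cannot dodge the limit by
        # changing capitalisation or spacing.
        return " ".join(query.lower().split())

    def try_acquire(self, ip, query):
        """Reserve a slot for this search; False means refuse with 429."""
        key = self.query_key(query)
        with self._lock:
            # Check both limits before touching either counter, so a
            # refused request leaves no residue behind.
            if self._by_ip[ip] >= self.max_per_ip:
                return False
            if self._by_query[key] >= self.max_per_query:
                return False
            self._by_ip[ip] += 1
            self._by_query[key] += 1
            return True

    def release(self, ip, query):
        key = self.query_key(query)
        with self._lock:
            self._by_ip[ip] -= 1
            self._by_query[key] -= 1
            # Drop zero entries so the counters do not grow without bound.
            if self._by_ip[ip] <= 0:
                del self._by_ip[ip]
            if self._by_query[key] <= 0:
                del self._by_query[key]

    def in_flight(self, ip=None, query=None):
        """Current count for an address or for a query (Counter gives 0 for unknown keys)."""
        with self._lock:
            if ip is not None:
                return self._by_ip[ip]
            return self._by_query[self.query_key(query)]

    @contextmanager
    def search(self, ip, query):
        """Wrap one search so the slot is released however the search ends."""
        if not self.try_acquire(ip, query):
            raise TooManyRequests(f"429 Too Many Requests for {ip}")
        try:
            yield
        finally:
            self.release(ip, query)
```

The `finally` in `search` is the part that matters operationally: a limiter that leaks slots on exceptions or client disconnects turns into a self-inflicted denial of service once the leaked count reaches the limit. Note also that this model counts per process; a multi-process web server would need the counters in shared storage for the per-query limit to be global as the description requires.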
With this commit we throw away searches with invalid qtype value based
on configured classes and aliases. Invalid qtype values have been seen
in the wild as part of attempted (but failed) SQL injection attacks, so
we will tighten up what we accept.
As an additional (unrelated) bonus, this commit also avoids prepending
the search class on basic search when the class (from qtype) is not
exactly "keyword".
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Jason Stephenson <jason@sigio.com> Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
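An added Python example, not Evergreen's code, of the boundary check described above: a qtype is either a configured search class or a configured alias, and anything else is refused before query construction sees it. The class and alias sets here are constructed for the example (Evergreen's real ones come from its configuration), and the `metabib.<class>_field_entry` table naming is used only to illustrate why an allowlist rather than a bind parameter is the right tool.

```python
class InvalidQtype(ValueError):
    """Raised for a qtype that is not a configured class or alias."""


# Constructed configuration for this example; Evergreen's real classes and
# aliases are read from its configuration tables.
SEARCH_CLASSES = {"keyword", "title", "author", "subject", "series", "identifier"}
CLASS_ALIASES = {"kw": "keyword", "ti": "title", "au": "author",
                 "su": "subject", "se": "series", "id": "identifier"}


def resolve_qtype(qtype):
    """Map a qtype to its canonical class, or refuse it outright.

    Normalisation (strip, lowercase) happens before the lookup so that
    benign capitalisation passes, but nothing outside the configured set
    ever comes back from this function.
    """
    if not isinstance(qtype, str):
        raise InvalidQtype(repr(qtype))
    q = qtype.strip().lower()
    if q in SEARCH_CLASSES:
        return q
    if q in CLASS_ALIASES:
        return CLASS_ALIASES[q]
    raise InvalidQtype(qtype)


def search_field_table(qtype):
    """Illustrative only: the class name lands in an identifier position
    (a table name), which a bind parameter cannot protect. Because the
    value is allowlisted first, only a configured class can reach the
    f-string below. The naming scheme is an assumption of this example."""
    cls = resolve_qtype(qtype)
    return f"metabib.{cls}_field_entry"
```

The shape to keep is "resolve against a closed set, then use the resolved value", never "sanitise the raw value and pass it on": an allowlist has nothing to get wrong about quoting, because the attacker's string is discarded rather than escaped.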
Jeff Davis [Tue, 18 Oct 2022 19:42:26 +0000 (12:42 -0700)]
LP#1990306: avoid VIEW_USER perm lookup on egPatronApp startup when we have a null authtoken
Signed-off-by: Jeff Davis <jeff.davis@bc.libraries.coop> Signed-off-by: Chris Sharp <csharp@georgialibraries.org> Signed-off-by: Jane Sandberg <sandbergja@gmail.com> Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
The angular staff catalog uses the new print/email records
functionality, but calls it without some expected parameters. This
causes the backend method to fail as it assumes the params will exist.
This commit removes that assumption by testing the length of the
parameter list before attempting to read them.
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Jane Sandberg <sandbergja@gmail.com> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
Garry Collum [Thu, 25 Aug 2022 17:44:13 +0000 (17:44 +0000)]
LP1422927 Opac hold history pagination
Fixes the hold history pagination in both the TPac and the Bootstrap opac.
To test:
1. Login as a patron and enable the hold history preference. The default
number of items on each page is 15, so place at least 16 holds for this
patron. (The limit can be overridden in the url with the &limit switch).
2. View the hold history and notice that all items are displaying on all
pages.
3. Apply the patch
4. The results are now paginated with 15 items per page.
Michele Morgan [Thu, 12 Aug 2021 18:09:41 +0000 (14:09 -0400)]
LP#1939730 - Use original call number owning_lib when reverting items
When removing items with edited call numbers from a course, find or
create the resulting call number using the original call number's
owning_lib rather than the course owner.
Signed-off-by: Michele Morgan <mmorgan@noblenet.org> Signed-off-by: Terran McCanna <tmccanna@georgialibraries.org> Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
Bill Erickson [Mon, 8 Aug 2022 18:04:55 +0000 (14:04 -0400)]
LP1915440 Clear Hopeless Date on Capture
Clear the hold hopeless date when a copy is captured for the hold.
One way to make this happen for testing:
. Configure the Missing copy status as holdable=true hopeless_prone=true
. Place hold with only 1 viable copy.
. Mark said copy as missing -- this stamps a hopeless_date on the hold.
. Check the copy in. This results in a capture + hopeless hold.
Signed-off-by: Bill Erickson <berickxx@gmail.com> Signed-off-by: Susan Morrison <smorrison@georgialibraries.org> Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Jane Sandberg [Thu, 17 Sep 2020 21:13:54 +0000 (14:13 -0700)]
LP1824709: Allow comboboxes inputs to have IDs
This adds a new input, domId, for the combobox component.
A good way to test:
1) Download the Wave accessibility checker.
2) Go to one of the following screens:
- Admin > Local > Course Reserves > Choose a course > Associate
item from catalog
- Admin > Local > Course Reserves > Choose a course > Associate
brief record
- MARC Batch Import
- MARC Batch Import/Export > Inspect Queue
- Staff Catalog Add to bucket
- Staff catalog conjoined items
- Hold cancel dialog
3) Right click and select "WAVE this page"
4) On the Details tab of WAVE, notice that there are several "Missing
form label" errors.
5) Apply this patch.
6) Run WAVE again; notice that the number of missing form label errors
has decreased.
Signed-off-by: Jane Sandberg <sandbej@linnbenton.edu> Signed-off-by: Garry Collum <gcollum@gmail.com>
This commit adds a new internal flag, auto-created at the time of need,
to control whether record ingest will cause immediate updates to the
symspell dictionary, or if those updates will simply be recorded for
later incorporation. Inline symspell dictionary updates can cause
record updates to be logically serialized, impacting the performance of
other tools used for batch reingest.
pingest.pl is changed to allow an administrator to make use of this
feature via the --delay-symspell command line flag.
NOTE: includes a minor fixup from blake@mobiusconsortium.org for a
syntax error.
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Jason Stephenson <jason@sigio.com> Signed-off-by: blake <blake@mobiusconsortium.org>
Mike Rylander [Fri, 4 Mar 2022 15:38:12 +0000 (10:38 -0500)]
LP#1931737: DYM can cause deadlocks w/ parallel ingest
This patch causes all symspell dictionary updates to occur at the end
of metabib search field updates in one go, which allows Postgres' INSERT
... ON CONFLICT mechanism to properly lock and serialize changes when
necessary.
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Jane Sandberg <js7389@princeton.edu> Signed-off-by: Jason Stephenson <jason@sigio.com> Signed-off-by: blake <blake@mobiusconsortium.org>
Jane Sandberg [Sat, 22 Oct 2022 22:43:10 +0000 (15:43 -0700)]
LP1993922: Course material delete should not delete other courses' materials
To test:
* Apply this patch
* Login to BR1 workstation
* Go to Admin - Local Admin - Course Reserves List
* Create two courses, Course 1 and Course 2
* Associate materials to both courses
* Archive Course 1
* Go to Course materials on Course 2 and note that
it still has all of its materials attached.
Signed-off-by: Jane Sandberg <js7389@princeton.edu> Signed-off-by: Beth Willis <willis@noblenet.org> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
Jane Sandberg [Wed, 19 Oct 2022 13:28:40 +0000 (06:28 -0700)]
LP1993534: Command line flag usage for ng xi18n
To test:
1) cd [Evergreen repo]/Open-ILS/src/eg2
2) npm install
3) npm run export-strings # should fail
4) Apply this patch
5) npm run export-strings # should successfully create a file in the locales directory
Signed-off-by: Jane Sandberg <js7389@princeton.edu> Signed-off-by: Jason Boyer <JBoyer@equinoxOLI.org>
Jane Sandberg [Thu, 19 May 2022 21:04:05 +0000 (15:04 -0600)]
LP1913604: course materials module shouldn't move items to different owning libs
To test:
1) Create a course that can have volumes (e.g. a branch or bookmobile, not a consortium)
2) Associate an item with that course that is from a different branch
3) Note that the item's owning and circ libraries have not changed.
Signed-off-by: Jane Sandberg <js7389@princeton.edu> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
Jane Sandberg [Thu, 28 Jan 2021 22:26:19 +0000 (14:26 -0800)]
LP1913604: Alert staff when associating item with course at a different library
1) Create a new course at a branch that can have items (BR3, for
example).
2) Add an item with the circ_lib of BR3. Note that the item is
added to the grid.
3) Add an item with a different circ_lib. Note that you get an
alert showing that the item is not at the course's owning library.
4) Push the Cancel button. Notice that the item is not added to the
course.
5) Repeat step 3 and push the Confirm button. Notice that the item is
added to the course this time.
Signed-off-by: Jane Sandberg <sandbej@linnbenton.edu> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
Kyle Huckins [Sun, 27 Feb 2022 01:33:29 +0000 (01:33 +0000)]
lp1940105 Archive Course Should Use detach_material
- Replaced resetItemFields with detachMaterials in Course Service
- Refactored disassociateMaterials to utilize detach_materials
- Refactored deleteSelectedMaterials to utilize Course Service detachMaterials function
Signed-off-by: Kyle Huckins <khuckins@catalyte.io> Signed-off-by: Jane Sandberg <sandbergja@gmail.com> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
Jane Sandberg [Wed, 12 Oct 2022 23:38:20 +0000 (16:38 -0700)]
LP1898775: Add basket to bucket in bootstrap
The bootstrap OPAC uses links, rather than <select> for the basket dropdown, so the
existing event listener couldn't get attached to the correct element.
To test:
1. Confirm that you are using the bootstrap OPAC.
2. In the staff client, select the traditional staff catalog.
3. Add several items to your basket.
4. Click the basket icon, and select 'Add Basket to Bucket'
5. Note that you get a 404 error.
6. Apply this patch.
7. Repeat steps 1-3.
8. Note that you can now select a bucket, and that the process completes successfully.
Signed-off-by: Jane Sandberg <sandbergja@gmail.com> Signed-off-by: Chris Sharp <csharp@georgialibraries.org>
Bill Erickson [Mon, 11 Jul 2022 14:58:40 +0000 (10:58 -0400)]
LP1956619 Holdings editor sanity check for VIEW_USER perm
When the staff accessing holdings in the holdings editor do not have the
VIEW_USER permission at a level sufficient to display the creator/editor
of a set of items, display the ID of the user instead of attempting and
failing to display the username, which causes a page rendering error.
Signed-off-by: Bill Erickson <berickxx@gmail.com> Signed-off-by: Mary Llewellyn <mllewell@biblio.org> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
Jeff Davis [Fri, 21 Jan 2022 22:17:25 +0000 (14:17 -0800)]
LP#1956619: use Angular holdings editor when accessing from item status and item buckets
Signed-off-by: Jeff Davis <jdavis@sitka.bclibraries.ca> Signed-off-by: Bill Erickson <berickxx@gmail.com> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
Dan Briem [Thu, 4 Aug 2022 02:46:06 +0000 (22:46 -0400)]
LP1735221 Item Alert Prevents Hold Capture Delay Verification
Clicking OK on an item alert triggers a checkin override. If the
response contains an override event, an error is thrown. Since
a hold capture delay event is handled as an override, an error
throws before the hold capture delay dialog opens.
This handles the capture delay event separately from the override
events so the dialog will open after an override attempt.
To test:
1. set Hold Capture Requires Verification on a shelving location
2. add an item alert to an item in that shelving location
3. place an item hold on that item
4. checkin that item
5. click OK on the alert dialog and Capture on the delay dialog
6. note the hold is captured
Signed-off-by: Dan Briem <dbriem@wlsmail.org> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
- Removed Enter KeyUp property from the Patron Barcode field on Associate User
- Removed Enter KeyUp property from the Item Barcode field on Associate Item
Terran McCanna [Fri, 19 Aug 2022 17:38:56 +0000 (13:38 -0400)]
LP1821950 & LP1980409 Option to require call number label
This uses a new Library Setting for "Require call number labels
in Copy Editor" for the benefit of libraries that wish to use a
predefined Prefix (such as FIC or EZ) instead of individual call
number labels for each volume.
When the setting is True, the call number label field is marked
required and the Save buttons disabled until a value is present.
When the setting is False, the call number label is not required.
In addition, the Angular interface adds an additional check for
Prefix, so if the call number label is empty then the Prefix is
required.
Acknowledgements:
Org Unit Setting created by Kyle Huckins
Angular and AngularJS changes done by New Developers Working Group
Signed-off-by: Terran McCanna <tmccanna@georgialibraries.org> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
Kyle Huckins [Thu, 16 May 2019 22:05:55 +0000 (22:05 +0000)]
lp1821950 Require Call Number Label YAOUS
- Add YAOUS to Require Call Number Labels in Copy Editor
- Set new YAOUS to true
- Don't display empty call number field warning if call numbers
aren't required on the copy editor.
- Properly enable/disable saving an item in the volcopy editor when
CN label is empty, based on Require Call Number Label setting.
Signed-off-by: Kyle Huckins <khuckins@catalyte.io>
Changes to be committed:
modified: Open-ILS/src/sql/Pg/950.data.seed-values.sql
new file: Open-ILS/src/sql/Pg/upgrade/XXXX.lp1821950-call-number-label-required-yaous.sql
modified: Open-ILS/web/js/ui/default/staff/cat/volcopy/app.js
Signed-off-by: Terran McCanna <tmccanna@georgialibraries.org> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
The last follow-up had the inadvertent side-effect of hiding the
message directing the patron to contact their library if they had a
negative balance. My thought is that if there are negative bills then
the patron should see the alert to contact their library about them
regardless of whether or not online payments are allowed. So, this
additional followup separates that alert from the myopac_cc_allowed logic.
This also makes some minor display tweaks to the BooPAC:
- Applies the Bootstrap 'alert-warning' to the negative bills message
in the BooPAC.
- Adds a page header.
- Changes the styling and wording of the grocery charges heading to match
the circulation charges heading.
- Changes the styling of the grocery and circulation tables to be
consistent with each other.
Jason Etheridge [Mon, 18 Jul 2022 19:02:54 +0000 (15:02 -0400)]
LP1981628 follow-up to the follow-up
Consolidate some of the logic to make it more clear what is happening,
leverage the existing myopac_cc_allowed boolean, and catch the
Pay All Charges button in the TPAC. This also clears up some display
oddities and makes sure the non-payment labeling is being used.
Signed-off-by: Jason Etheridge <jason@EquinoxOLI.org> Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
When using Shibboleth for SSO, and global logout is disabled, logging in
after logout on the same computer can fail with a 404-Not Found. The
problem is that we need to ignore our local "don't trust Shibboleth
login" cookie in this situation.
This change also means we need to delegate SP logout, in addition to
possible IdP and/or global logout, to the Shibboleth configuration.
Therefore we always redirect to the Shibboleth logout service on
Evergreen logout (when Shibboleth SSO is enabled), and SP, IdP, and
global logout is configured and mediated by the Shibboleth and IdP
configuration.
This commit modifies the meaning of the opac.login.shib_sso.logout YAOUS
such that it is only used to decide if Evergreen timeout-forced logouts
will cause a Shibboleth logout as well. All user-initiated logouts will
now inform Shibboleth, and the Shibboleth configuration will determine
the SSO logout degree (SP, IdP, global).
See details at
https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072384/NativeSPLogoutInitiator
and the simpler configuration option of
https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072434/NativeSPServiceLogout
for information on the Shibboleth configuration required for your local
needs.
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Jason Boyer <JBoyer@equinoxOLI.org> Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
LP1909583 Bootstrap Opac: Cannot edit title and description
Fixes the editing of the title and description in the Bootstrap Opac lists.
Adds an Edit List button with a collapsible form.
To Test:
1. Create several lists in the Opac.
2. Notice you are unable to edit the title or description.
3. Apply the patch
4. Use the Edit List button to display an editable form for each individual
list.
Signed-off-by: Garry Collum <gcollum@gmail.com> Signed-off-by: John Amundson <jamundson@cwmars.org> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
LP1903767 - Bootstrap Opac: Make other formats and editions more visible.
This patch does the following:
1. Moves "Other Formats and Editions" below # of holds and available items.
2. Changes "Other Options" to "Other Formats and Editions" and makes the
header tag and <h2> tag consistent with other header tags.
3. Resizes <h2> tags.
4. Removes bullets and changes the margins of some of the table/list displays
under the <h2> headers.
5. Fixes the alignment of the button group that contains Place Hold.
For Testing:
1. Find a record that contains other formats and editions. In concerto
record #71 contains other formats and editions.
2. Notice that you have to click the More Details button to view the Other
Formats.
3. Apply the patch.
4. Other Formats and Editions now appear under the Available Copies and
Holds heading. You no longer have to push the More Details button.
Fixing "hold Type" to "Hold Type" in hold details screen
Test plan:
1. Go to the staff interface, right click a hold to see hold details,
observe that "hold Type" is not capitalized
2. Apply the patch
3. Refresh the staff interface hold details screen and observe that
the "Hold Type" is properly capitalized
Garry Collum [Tue, 2 Aug 2022 19:35:39 +0000 (19:35 +0000)]
LP1902272-Bootstrap opac needs to prompt on notification preference update
Adds the prompting of updating holds when default notification preferences
are updated in the Bootstrap opac.
To Test:
1. Place a few holds for a patron.
2. Login to the opac and change some default notification methods.
3. The opac does not prompt to update the holds.
4. Apply the patch.
5. The patron should now be prompted to update holds when default
notification methods are changed.
Signed-off-by: Garry Collum <gcollum@gmail.com> Signed-off-by: John Amundson <jamundson@cwmars.org> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
Jane Sandberg [Thu, 11 Feb 2021 01:37:57 +0000 (17:37 -0800)]
LP1907974: Updating call numbers in course module reflected in grid
Also:
* refactors the updateItem method for more idiomatic RxJS usage (e.g.
no nested subscribes)
* corrects some Boolean, String, and Number types to boolean, string,
and number (to use the primitive types instead of objects, as
recommended by the Typescript handbook:
https://www.typescriptlang.org/docs/handbook/basic-types.html#about-number-string-boolean-symbol-and-object)
To test:
1) Go to Local Admin > Course List
2) Double click on a course
3) Go to the materials tab
4) Add an item by barcode, making sure to supply a temporary call
number, and that the call number checkbox is checked.
5) Note that the grid on the right displays the item's old call number,
not its new one.
6) Apply this patch.
7) Repeat step 4. Note that the temporary call number is reflected in
the grid now.
Signed-off-by: Jane Sandberg <sandbej@linnbenton.edu> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
Galen Charlton [Thu, 26 May 2022 15:11:59 +0000 (11:11 -0400)]
LP#1957179: improve saving of templates in Angular holdings editor
This patch makes the following improvements to the handling
of holding templates in the Angular holdings editor:
- templates are now saved to the cat.copy.templates user setting,
matching the AngularJS holdings editor
- toast is displayed upon saving or deleting a template
- upon saving a completely new template, re-style it in the
combobox so that it no longer has the new-and-freetext
styling
To test
-------
[1] Apply the patch and open the Angular holdings editor.
[2] Verify that once a template is saved or deleted, that
refreshing the Angular holdings editor will show the
updated list of templates.
[3] Verify that toast is displayed upon saving or deleting
a template.
Note that because of a quirk in how user settings are cached by
the web staff client, if you are testing in more than one browser
(but with the same user account), if you save a template in one
browser, you'll need to log out and back in with the second browser
to see the changes.
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
LP#1980887: fixes cases where shelving location selector didn't work
This patch fixes an issue where the Angular shelving location selection
component (eg-item-location-select) wouldn't work (in particular,
when its contextOrgIds wasn't set, as opposed to contextOrgId).
Coding note: TypeScript confounds the Perl programmer: an empty array
evaluates to true; .length needs to be checked instead.
To test
-------
[1] Apply the patch.
[2] Verify that the shelving location selector works in the following
interfaces:
- Acquisitions Administration -> Distribution Formulas
- Course Materials (in the material form for a course)
- Linked locations for Circulation Limit Sets
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org> Signed-off-by: Jane Sandberg <sandbergja@gmail.com> Signed-off-by: Michele Morgan <mmorgan@noblenet.org>
LP#1986725: restore portrait/landscape choice when printing from Angular
This patch works around a default setting in Bootstrap 4 that specifies
A3 as the paper size for printing. Specifying any paper size like this
causes Chrome and Firefox to stop offering the users the option to
choose the paper orientation.
My testing suggests that specifying A3 as the default paper size also
resulted in the printed text using a smaller font size when printing
on US paper sizes. Some sort of scaling down from A3 to letter,
perhaps.
To test
-------
[1] Open the Angular Holds Pull List, select a branch that has items
to pull, and click the Print Full List button. Observe that the
browser print dialog does not offer an option to choose the
orientation.
[2] As above, but for any Angular grid's Print Full Grid action.
[3] Apply the patch and repeat 1 and 2. This time, the browser print
dialog should offer the option to select the orientation.
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org> Signed-off-by: Mike Rylander <mrylander@gmail.com>