LP#1207281: require SSL when downloading offline patron list
This patch builds on the previous one by forcing use of
SSL for downloading the offline patron list. It also
updates the Apache 2.4 example configuration.
Signed-off-by: Galen Charlton <gmc@esilibrary.com> Signed-off-by: Bill Erickson <berick@esilibrary.com> Signed-off-by: Mike Rylander <mrylander@gmail.com>
Michael Peters [Tue, 24 Sep 2013 20:57:37 +0000 (16:57 -0400)]
LP#1207281 Prevent download of offline patron list without authentication
This patch addresses the vulnerability which allowed a user with the proper
knowledge of the location of offline patron lists to download the file over
regular HTTP without any staff credentials.
This small addition to eg_vhost.conf.in will present users with a login prompt
when trying to access the /standalone/ subdirectory on an Evergreen server.
Users are able to download the patron list in the staff client as normal
because they already have obtained credentials during the normal staff client
authentication process.
Signed-off-by: Michael Peters <mpeters@emeralddata.net> Signed-off-by: Galen Charlton <gmc@esilibrary.com> Signed-off-by: Bill Erickson <berick@esilibrary.com> Signed-off-by: Mike Rylander <mrylander@gmail.com>
Jason Stephenson [Wed, 30 Jan 2013 21:56:12 +0000 (16:56 -0500)]
Fix an omission in the log redaction configuration.
open-ils.actor.patron.password_reset.commit was omitted in the
<log_protect> block of opensrf_core.xml.example. This commit adds
it and updates the release notes for 2.3 to include it.
There is also a release notes file informing users that they need to
edit opensrf_core.xml to address this issue.
Signed-off-by: Jason Stephenson <jstephenson@mvlc.org> Signed-off-by: Galen Charlton <gmc@esilibrary.com> Signed-off-by: Bill Erickson <berick@esilibrary.com> Signed-off-by: Mike Rylander <mrylander@gmail.com>
Remington Steed [Fri, 10 May 2013 13:57:31 +0000 (09:57 -0400)]
Update serials docs for 2.4
In version 2.4, the serials modules underwent significant changes that
require significant updates to the documentation. This commit provides
the necessary updates, including some new screenshots. And in a few
cases, existing documentation was corrected or improved in ways
unrelated to the 2.4 update.
Add alternating row colors to (cataloging) manage authorities interface
To make it easier to use the (cataloging) manage authorities interface I added a tiny bit of CSS to have alternating row colors. The "height: 1.5em" part is needed because the enclosing authEntry div ends up with a height of zero because its children containers are all floating. Turns out this zero height behavior is not a bug, but a natural side effect of floating the div's children.
Mike Rylander [Wed, 28 Aug 2013 19:05:36 +0000 (15:05 -0400)]
Stream facet data
For certain shapes of facet datasets, the .atomic version of the
json_query call can produce an XMPP message large enough to cause
ejabberd to fall over unceremoniously. Switch to a streaming
CStoreEditor-based call instead to avoid this.
Ideally, this would use message bundling (aka, chunking) as well,
but the C parts of OpenSRF don't seem to support that yet.
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Dan Wells <dbw2@calvin.edu>
Mike Rylander [Thu, 12 Sep 2013 17:13:23 +0000 (13:13 -0400)]
Optimize container filters in QueryParser
When a container filter is used at the top level of a QueryParser
query (that is, in a simple query with no OR-logic branches or explicit
nesting groups) we can use an INNER join instead of LEFT + IS NOT NULL.
On some production datasets this showed an increase in performance from
20+ seconds to 1ms for the core query.
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Dan Scott <dscott@laurentian.ca>
Bill Erickson [Thu, 20 Jun 2013 19:46:33 +0000 (15:46 -0400)]
LP1193095 lineitem batch actions sanity filters
Avoid applying the following actions to lineitems which are in a state
where each action makes no sense.
The following actions are affected. For each, the set of states for
which a lineitem must be in for the action to proceed is listed.
create PO
- new selector-ready order-ready approved
add to PO
- new selector-ready order-ready approved
create invoice
- !cancelled
add to invoice
- !cancelled
cancel lineitem
- !cancelled
mark selector ready
- new
mark order ready
- new selector-ready
mark received
- pending-order on-order
Depending on the interface, some top-level lineitem actions may be
globally disabled. The list of states listed above represent the bare
minimum requirements.
Signed-off-by: Bill Erickson <berick@esilibrary.com> Signed-off-by: Mike Rylander <mrylander@gmail.com>
Jason Etheridge [Thu, 8 Nov 2012 16:27:13 +0000 (11:27 -0500)]
reset title variable when looping with biblio A/T
Two templates that I'm concerned with, though there may be others that could use
this treatment: biblio.record_entry.email and biblio.record_entry.print
Basically, they can group events from the same user and consolidate bibs, but as
they loop through the bibs they're not clearing the temporary variable that
contains the bib title, so we get duplicated and run-on titles in the output.
Signed-off-by: Jason Etheridge <jason@esilibrary.com> Signed-off-by: Ben Shum <bshum@biblio.org>
Conflicts:
Open-ILS/src/sql/Pg/002.schema.config.sql
Chris Sharp [Mon, 19 Aug 2013 18:29:23 +0000 (14:29 -0400)]
The ILS User reports source branches to an All Hold Requests linked source
that was marked class="circ" instead of class="ahr". This corrects that problem.
Signed-off-by: Chris Sharp <csharp@georgialibraries.org> Signed-off-by: Ben Shum <bshum@biblio.org>
The alternate view in the Item Status screen shows a "Total Circs"
field that was under-counting circulations because UNION filtered
out duplicates. This commit replaces UNION with UNION ALL, which
allows duplicate rows.
Signed-off-by: Chris Sharp <csharp@georgialibraries.org> Signed-off-by: Ben Shum <bshum@biblio.org>
Dan Scott [Sun, 25 Aug 2013 04:39:46 +0000 (00:39 -0400)]
Schema.org: improve MusicGroup vs. Person parsing
Take a stricter approach to defining MusicGroups instead of Persons for
the main authors of MusicAlbums. Music groups are generally catalogued
as a 110 or 710 tag, and this avoids defining birthDates and deathDates
for groups (which, however valid that might be in the real world, is not
valid for schema.org).
Signed-off-by: Dan Scott <dscott@laurentian.ca> Signed-off-by: Ben Shum <bshum@biblio.org>
Mike Rylander [Tue, 20 Aug 2013 20:00:48 +0000 (16:00 -0400)]
Browse normalization timing fix
When indexing browse entries, we need to normalize the value we want to use
before we go looking for it in the table, for uniqueness. We do in master,
we need to in 2.4 (and before) as well.
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Ben Shum <bshum@biblio.org>
Mike Rylander [Wed, 14 Aug 2013 14:25:14 +0000 (10:25 -0400)]
Correctly mark nested INNER joins as such
We've been adopting containing the JOINs flavor, and then
attempting to use IS NOT NULL to restrict NULL-ness
in the WHERE clause. This is almost right, but not quite,
and was done in an attempt to match behavior with the
expectations of users that are not SQL experts. However,
right is better than "looks right most of the time", so
we use the proper join type now.
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Jason Boyer <jboyer1@library.in.gov>
Conflicts [just whitespace style]:
Open-ILS/src/perlmods/lib/OpenILS/Reporter/SQLBuilder.pm
Bill Erickson [Thu, 23 May 2013 17:30:43 +0000 (13:30 -0400)]
LP1183467 ACQ view funding source list permissions
Limit the set of funding sources visible in the funding source list
interface by those the user has view permissions for, not just those the
user has edit permissions for.
Signed-off-by: Bill Erickson <berick@esilibrary.com> Signed-off-by: Remington Steed <rjs7@calvin.edu> Signed-off-by: Mike Rylander <mrylander@gmail.com>
Mike Rylander [Fri, 12 Jul 2013 18:43:57 +0000 (14:43 -0400)]
Repair remaining Authority Fixed Field editor entries
The "Item" fixed field is only valid for MFHD records, so we remove
that entirely from AUTH records. The "GeoSubd" fixed field is
spelled "GeoDiv" everywhere, so we align that naming so that it can
be saved.
Signed-off-by: Mike Rylander <mrylander@gmail.com>
Acq: Honor new dist formula fields in old method of applying formulae
The batch updater came with new fields on distribution formulae, but we
didn't teach the pre-existing code for applying formulae from the
lineitem copies interface to apply values from the new fields.
Reported by Jennifer Pringle in Launchpad bug report #1195521.
Signed-off-by: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com> Signed-off-by: Bill Erickson <berick@esilibrary.com>
Acq general search: improve searching for negative comparisons
This aims to address Launchpad bug #1031535. I think the bug only
really shows up when searches involve invoices either as the core type
or with filter fields. If a search doesn't involve invoices, the
problematic joins aren't present.
Could use more testing though. Seems to make the problem go away, and
other basic searches seem to work, but I certainly haven't tested
everything.
Signed-off-by: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com> Signed-off-by: Dan Wells <dbw2@calvin.edu>
There's a bit in the code where it tries to pad the first digit group,
if it's the only digit group, but it assumed the digit group was the
first token.
Signed-off-by: Jason Etheridge <jason@esilibrary.com> Signed-off-by: Ben Shum <bshum@biblio.org>
Chris Sharp [Mon, 5 Aug 2013 18:10:56 +0000 (14:10 -0400)]
LP1208572 - Fixes for reporter.classic_item_list
This view was created before the extend_reporter schema and the
reporter.materialized_simple_record existed. Rewriting the view definition to include
those.
Signed-off-by: Chris Sharp <csharp@georgialibraries.org> Signed-off-by: Ben Shum <bshum@biblio.org>
Kyle Tomita [Fri, 31 May 2013 18:33:59 +0000 (11:33 -0700)]
LP1185524 - Duplicate patron checking in the user editor is limited to workstation OU
Added a new library setting opac.duplicate_patron_check_use_consortium.
When true, the duplicate check will use the consortium (1) as the OU.
When false or not set, the duplicate check will use the workstation OU.
The setting is checked in the subroutine that creates the search request and
sets the OU accordingly.
[LFW: Signing off but following with material changes next commit.]
Steven Chan [Mon, 5 Aug 2013 16:13:54 +0000 (12:13 -0400)]
Fix LP985075, cannot save Patron Acquisition Request form
The form is shown using a dojo EditPane attached to an EditDialog,
however, attaching the pane was done manually, resulting in the dialog
acting improperly and the pane positioned improperly.
Instead, we use dojo's attr method to define the content attribute of
the dialog to be the pane.
Signed-off-by: Steven Chan <schan@sitka.bclibraries.ca> Signed-off-by: Remington Steed <rjs7@calvin.edu> Signed-off-by: Ben Shum <bshum@biblio.org>
Chris Sharp [Wed, 31 Jul 2013 15:03:25 +0000 (11:03 -0400)]
Fixing LP 1072892 - repeated rows in reporter.classic_item_list view
The view joined the actor.card table in such a way that all library
cards (active or not) were being returned. This commit changes that
behavior so that only the current card (from actor.usr.card) is returned.
Signed-off-by: Chris Sharp <csharp@georgialibraries.org> Signed-off-by: Ben Shum <bshum@biblio.org>
* This commit:
- Makes sure that holding data is valid for the given caption
for new holding objects
- Teaches field_values() to fall back to '*' (unknown marker)
when a holding is missing data
- Allows the caption() method to be a setter
* This commit:
- Makes the comparison operator consider chron data, not just
enumeration data
- Teaches the comparison operator a way to handle 'unsure' data
(that is, data presented in brackets [])
* The code was assuming the $end_holding param would be uncompressed,
but this was not stated anywhere, nor enforced. Let's allow the
method to take both compressed and uncompressed holdings as the "end"
(and handle it appropriately).
* Add some holdings with missing and unsure data to test the new
comparison operator's handling of such data.
Signed-off-by: Dan Wells <dbw2@calvin.edu> Signed-off-by: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com>
Dan Wells [Wed, 8 May 2013 19:09:41 +0000 (15:09 -0400)]
Fix logic in get_compressed_holdings()
[This commit has been squashed for merging. LFW]
* This commit rearranges some of the logic branches to protect
against an unusual case of having two holding statements with
the same start value, but one being open-ended and one not.
* The logic in get_combined_holdings() was a little sloppy and
repeated some steps unnecessarily. This cleans things up.
See the test case in the previous commit for more clarity.
Signed-off-by: Dan Wells <dbw2@calvin.edu> Signed-off-by: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com>
Dan Wells [Tue, 7 May 2013 22:19:34 +0000 (18:19 -0400)]
Add new get_combined_holdings() method to MFHD.pm
This commit adds a new method to the MFHD module which creates an
array of compressed holdings from all holdings for a given caption,
combining as needed.
NOTE: This method is similar to, but much less aggressive/strict than
get_compressed_holdings(). Ultimately, get_compressed_holdings()
might be deprecated in favor of this.
Signed-off-by: Dan Wells <dbw2@calvin.edu> Signed-off-by: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com>
In their electronic invoices, vendors sometimes include a mix of line
items that your ILS knows about, because you ordered them through it,
and line items of which your ILS knows nothing. We should not fail
altogether at processing invoices, but instead process what line items
we can.
Signed-off-by: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com> Signed-off-by: Ben Shum <bshum@biblio.org>
Acq: When building invoices from EDI messages, avoid bad data
From some vendors, these EDI messages contain strings (useless ones,
like just the name of the vendor) where we had been expecting numeric
identifiers.
Signed-off-by: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com> Signed-off-by: Ben Shum <bshum@biblio.org>
Bill Erickson [Mon, 6 May 2013 13:59:22 +0000 (09:59 -0400)]
LP1171875 Support locale CGI param for fm_IDL.xml
Adds support for passing the locale string directly to
/reports/fm_IDL.xml via locale= CGI parameter.
Signed-off-by: Bill Erickson <berick@esilibrary.com> Signed-off-by: Pasi Kallinen <pasi.kallinen@pttk.fi> Signed-off-by: Mike Rylander <mrylander@gmail.com>
Bill Erickson [Fri, 26 Apr 2013 17:20:24 +0000 (13:20 -0400)]
LP1171875 Add locale support to IDL2js
/IDL2js now reads locale information from either locale= CGI parameter
or Accept-Language HTTP headers. The locale-aware IDL is loaded from
/reports/fm_IDL.xml via Apache subrequest. Each full copy of the IDL is
cached within the Apache processes to avoid the need to re-parse the IDL ad
infinitum for full IDL retrieval. Partial IDL retrieval is also supported
(but not cached).
No attempt is made to cleanse the locale -- invalid locale strings are
discarded -- so it's the caller's responsibility to pass a valid locale.
Signed-off-by: Bill Erickson <berick@esilibrary.com> Signed-off-by: Pasi Kallinen <pasi.kallinen@pttk.fi> Signed-off-by: Mike Rylander <mrylander@gmail.com>
Jeff Godin [Tue, 29 May 2012 14:28:50 +0000 (10:28 -0400)]
Fix IDL and OU setting check for staged users
The IDL had references to sequences that do not exist:
staging.usr_stage_row_id_seq -- a typo, fixed
In the case of staging.billing_address_stage_row_id_seq, the
staging.billing_address_stage table is created with LIKE,
and uses the sequence staging.mailing_address_stage_row_id_seq
The OU setting check for the open-ils.actor.user.stage.create API
call was not passing an org unit, and would always fail.
We now pass the home_ou of the user being staged.
At this point, the opac.allow_pending_user OU setting type must
be manually created before its value can be set.
Signed-off-by: Jeff Godin <jgodin@tadl.org> Signed-off-by: Bill Erickson <berick@esilibrary.com>
Bill Erickson [Mon, 8 Jul 2013 15:13:23 +0000 (11:13 -0400)]
LP1195150 batch update funds alters debits
When a fund is updated via the ACQ batch update bar (along the top of
the PO interface), ensure that any existing fund debits are updated to
use the new fund. If the selected fund exceeds the balance block
percent, the operation will fail and the user will be notified.
Signed-off-by: Bill Erickson <berick@esilibrary.com> Signed-off-by: Mike Rylander <mrylander@gmail.com>
Bill Erickson [Mon, 22 Jul 2013 19:21:15 +0000 (15:21 -0400)]
LP1203753 AuthProxy barcode login support
When users attempt a barcode-based login with AuthProxy, the system will
determine the username of the user (based on the barcode) and use the
username instead of the barcode for all proxied login attempts. This
allows users to use their barcodes (or barcode-looking usernames) to
log in via remote authenticators.
Signed-off-by: Bill Erickson <berick@esilibrary.com> Signed-off-by: Dan Wells <dbw2@calvin.edu>
Link checker: verification review UI needs more columns about redirects
Link checker results can contain information about redirects when URLs
in a bib record happen to point to systems that return 3XX responses.
All this is nicely captured in the uvuv and uvu tables, but the
user interface only offers the uvu.redirect_from column, when
uvuv.redirect_to and uvu.id are also necessary to understanding redirect
relationships among the results.
Reported by Erica Rohlfs and Bill Erickson.
Signed-off-by: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com> Signed-off-by: Bill Erickson <berick@esilibrary.com>
Mike Rylander [Thu, 18 Jul 2013 18:48:36 +0000 (14:48 -0400)]
Point feeds to TPAC instead of slimpac or JSPAC
Where possible, point to TPAC endpoints for HTML output of supercat feeds.
Also, just use the bookbag (container) name for bookbag feeds, instead of
wrapping them in formatting and context. The description element already
provides that.
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com>
Mike Rylander [Tue, 16 Jul 2013 20:58:57 +0000 (16:58 -0400)]
Optimize away always-true hold count clause
When rendering results in the tpac we request hold counts for each record.
Most of the time (that is, whenever org unit hiding is /not/ in use) we
filter, essentially, on "where pickup_lib is in the org tree". This is
both useless and slow, so this commit will recognize that and optimize the
test away.
[LFW: fixed typo]
Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com>
Dan Scott [Mon, 24 Jun 2013 14:12:50 +0000 (10:12 -0400)]
Avoid Z39.50 search warning for uninit var
The debug log blindly attempts to access list members that might not
exist (if, for example, an event code was returned from the attempt to
run do_service_search()), thus generating spurious log warnings.
Instead, move the debug line to only generate output when we have
created the list item in question.
Signed-off-by: Dan Scott <dscott@laurentian.ca> Signed-off-by: Mike Rylander <mrylander@gmail.com>
Fredrick Parks [Wed, 10 Jul 2013 18:12:17 +0000 (11:12 -0700)]
LP 1103706 Hold ratios in circ policies cause errors when trying to renew items
Changed the function action.copy_related_hold_stats to accept a bigint as the parameter instead of an integer.
Copy_related_hold_stats is only called by the function action.item_user_circ_test which tries to pass a bigint.
Signed-off-by: Fredrick Parks <fparks@catalystitservices.com> Signed-off-by: Mike Rylander <mrylander@gmail.com>
In Evergreen we have authority fields defined in the database that
relate to control sets. These are used somewhere today (I'm fuzzy on
that at the moment; some places once had and may still have hardcoded
labels) but they also will be used by the bib and auth browser
that's not yet merged to master (see LP #1177810).
The 4XX tags among the set I'm talking about (in
authority.control_set_authority_fields) are mislabeled, saying See Also
where they ought to say See From, e.g.
http://www.loc.gov/marc/authority/ad400.html
Signed-off-by: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com> Signed-off-by: Mike Rylander <mrylander@gmail.com>
Documentation for default values in Load Order Record form
Documentation for new default values and sticky fields in the acq Load
MARC Order Records form. I also moved up/modified 2.1 docs for this
interface and integrated them with the 2.2 acq/Vandelay integration docs.
Dan Wells [Wed, 10 Oct 2012 13:22:33 +0000 (09:22 -0400)]
Capture and log AuthProxy logins with no account
The current AuthProxy.pm code assumes that if the external auth
passes, the Evergreen account will be there. This protects
against cases where a user is in the external auth system but
has no matching account in Evergreen.
Signed-off-by: Dan Wells <dbw2@calvin.edu> Signed-off-by: Bill Erickson <berick@esilibrary.com>
Dan Wells [Thu, 27 Sep 2012 21:35:03 +0000 (17:35 -0400)]
Make AuthProxy LDAP bind code more robust
The existing version of LDAP_Auth.pm assumed that the user's
bind DN could be derived from the base DN, the ID attribute, and
the user's ID. This is frequently the case, but not always,
particularly in Active Directory setups using sAMAccountName. This
commit instead uses the initial LDAP lookup as the authority for
determining the user's DN.
Signed-off-by: Dan Wells <dbw2@calvin.edu> Signed-off-by: Bill Erickson <berick@esilibrary.com>
If an overdue is returned after a closed date, the generate_fines code
will not generate fines for those items because the section of code that
checks for closed dates returns from the function if a closed date is
encountered.
For example, if an item is due on June 29th, but is not returned until
after July 1st (Canada Day), then when fines are generated for the item,
generate_fines creates a fine for the 30th of June, but when it
gets to the 1st of July it encounters a closed date and executes a
'return' statement which exits the generate_fines code causing the
fine from June 30th to be rolled back as well as preventing further
fines from being created.
This fix replaces the 'return' statements inside the 'for' loop
that is nested within the eval with 'next' statements.
Signed-off-by: Liam Whalen <whalen.ld@gmail.com> Signed-off-by: Dan Scott <dscott@laurentian.ca>
Steven Chan [Sat, 15 Jun 2013 17:06:43 +0000 (13:06 -0400)]
Fix LP1177916, Cannot activate PO which contains only direct charges
We add a safety check in the function
Application/Acq/Order.pm/create_lineitem_list_assets(), which is called
by create_po_assets(), which is the service call initiated by the user
trying to activate a PO.
The safety check prevents the function from processing if there are no
line items specified in the arguments.
P.S. It would be better to stop the sequence of events earlier in the
client, but that will need more coding, which can be done in another
fix.
Signed-off-by: Steven Chan <schan@sitka.bclibraries.ca> Signed-off-by: Kathy Lussier <klussier@masslnc.org> Signed-off-by: Jason Stephenson <jstephenson@mvlc.org>
Dan Scott [Thu, 11 Jul 2013 21:53:21 +0000 (17:53 -0400)]
Document the self check interface
This comes up from time to time on the mailing lists and on the feedback
email, and pulling together all of the pieces takes some time and
digging (thanks Bill Erickson and Ben Shum!), so let's document it once
and for all...
Steven Chan [Thu, 23 May 2013 22:22:15 +0000 (15:22 -0700)]
Patron Editor can enter erroneous values for Claims-returned count
In the staff client, Patrons interface, Edit screen, when
mouse-scrolling up and down the Edit form, it is possible to
inadvertently change the value in Claims-returned Count or Claims Never
Checked Out Count field. It will happen if the mouse hovers over either
data field while using the mouse wheel.
Both data fields use the dijit.form.NumberSpinner widget to provide a
'spin' behaviour. The fix involves cancelling the mouse scroll event as
it propagates to input fields in table rows that are using the
dijit.form.NumberSpinner widget, because the mouse scroll would be
applied too early by the widget, before the user has intentionally
focussed on one of the input fields. Now, mouse scrolling has no effect
on the two input fields; it will only have an effect in scrolling the
page up or down.
Signed-off-by: Steven Chan <schan@sitka.bclibraries.ca> Signed-off-by: Ben Shum <bshum@biblio.org>