scottmk [Wed, 18 Mar 2009 18:04:56 +0000 (18:04 +0000)]
In oils_cstore.c:
1. Verify that the BETWEEN operator receives
exactly two operands.
2. Validate the operator used in a simple predicate;
i.e. make sure it contains no semicolons or white space
(with the exception that "similar to" is allowed).
Purpose: prevent certain kinds of SQL injection.
erickson [Tue, 17 Mar 2009 03:12:01 +0000 (03:12 +0000)]
moved lineitem table out to generic template for import. this will eventually take the place of jubgrid in most cases. still need to plug some final holes for basic functionality
erickson [Mon, 16 Mar 2009 20:04:16 +0000 (20:04 +0000)]
plugged in Bill Ott's lost item checkin functionality. This includes the ability to void lost item fines, processing fines, and un-voiding existing overdue fines on the transaction when an item previously marked lost is checked in. lib can also define a post-due-date interval during which these settings take effect. Each are controlled by org-unit settings. I still need to add Const.pm entries for billing types. Thanks Bill
svn diff Open-ILS/src/perlmods/OpenILS/Const.pm Open-ILS/src/perlmods/OpenILS/Application/Circ/Circulate.pm
erickson [Mon, 16 Mar 2009 19:58:55 +0000 (19:58 +0000)]
better handling of sets of work_ou's. will probably shove some of this logic into User.js at some point. Added support for UPDATE_ORG_UNIT_SETTING_ALL perm checking
erickson [Mon, 16 Mar 2009 15:23:43 +0000 (15:23 +0000)]
removed the old, convoluted work_perm_org code. Now using the stored procedure for calculating range of influence. updated api name to hopefully be more clear
erickson [Mon, 16 Mar 2009 02:43:21 +0000 (02:43 +0000)]
move away from jubgrid in bib search for greater flexibility of display. stream LI's from search call for faster grid population. swap form and results display for better screen use
erickson [Sat, 14 Mar 2009 21:28:04 +0000 (21:28 +0000)]
due to some odd interactions with IE and dojo and the fact that opensrf.js is not dojo-ized, load opensrf.js in the usual fashion first. may want to do this for all non-dojo-ized js files, but so far, loading this file alone seems to fix ie6
dbs [Sat, 14 Mar 2009 14:54:42 +0000 (14:54 +0000)]
Check in revision 1.27 of MARC21slim2MODS33.xsl (for 648 -> <subject> mapping)
Note: 242$i change was not mentioned in MODS mapping revision notes; was this
a local Evergreen customization?
dbs [Sat, 14 Mar 2009 04:45:41 +0000 (04:45 +0000)]
These now validate with XML schema:
xmllint --schema docbook-5.0/xsd/docbook.xsd --xinclude --noout index.xml
A slash at the end of the XLink namespace declaration is no good; whoops.
And the placeholder chapters wanted more content. Fine, throw in some index terms.
scottmk [Fri, 13 Mar 2009 12:27:40 +0000 (12:27 +0000)]
Further tightened input validation. In all cases where we call
searchWHERE(), we now respond to a NULL return by propagating
the error up the calling chain (instead of generating
defective SQL).
Also: replaced one call to jsonObjectToSimpleString() with a
call to jsonObjectGetString(), avoiding a malloc and free.
scottmk [Fri, 13 Mar 2009 04:00:33 +0000 (04:00 +0000)]
Tightened the input validation in searchWHERE(). It now complains
about an empty JSON object or empty JSON array, instead of
constructing a doomed WHERE clause.
scottmk [Thu, 12 Mar 2009 18:35:05 +0000 (18:35 +0000)]
In searchWHERE(): plugged a security hole that invited SQL injection.
The use of a leading plus sign was originally intended to allow
references to boolean columns in a WHERE clause, without requiring
an explicit comparison to true or false. E.g. "WHERE col" instead
of the more prosaic "WHERE col = TRUE".
However the old code worked by simply concatenating unsanitized
strings, leaving the door open for SQL injection.
The new code attempts to verify that the last string to be appended
looks like an SQL identifier, with no extra SQL syntax.
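The two checks described in this commit and in the 18 Mar commit at the top of the page (an identifier-only check for the leading-plus boolean column case, an operator check that rejects semicolons and whitespace except for "similar to", and a BETWEEN operand count of exactly two) can be shown as a small defensive validator. The code below is an added example, not Evergreen's oils_cstore.c code; the function names, the `$1` placeholder style and the acceptance of one or two dotted qualifiers on an identifier are assumptions made here, and the sample inputs in `main` are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Returns true if s looks like a plain SQL identifier, optionally
   qualified as "table.column" or "schema.table.column": each dotted part
   starts with a letter or underscore and continues with letters, digits
   or underscores. Quotes, spaces, semicolons, comment markers and
   operators are all rejected, so the string can only name a column. */
bool is_safe_identifier(const char *s) {
    if (!s || !*s) return false;
    size_t part_len = 0;   /* characters seen in the current dotted part */
    size_t dots = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; ++p) {
        if (*p == '.') {
            /* an empty part ("a..b", ".a") or too many qualifiers is rejected */
            if (part_len == 0 || ++dots > 2) return false;
            part_len = 0;
        } else if (part_len == 0) {
            if (!(isalpha(*p) || *p == '_')) return false;
            part_len = 1;
        } else {
            if (!(isalnum(*p) || *p == '_')) return false;
            ++part_len;
        }
    }
    return part_len > 0;   /* must not end on a dot */
}

/* Returns true if op contains no semicolon and no whitespace, with the
   single exception of "similar to" (compared case-insensitively). */
bool is_safe_operator(const char *op) {
    if (!op || !*op) return false;
    if (strcasecmp(op, "similar to") == 0) return true;
    for (const unsigned char *p = (const unsigned char *)op; *p; ++p) {
        if (*p == ';' || isspace(*p)) return false;
    }
    return true;
}

/* Assembles "<column> <op> $1", or "<column> BETWEEN $1 AND $2" for the
   BETWEEN operator, into out. Returns 0 on success and -1 when either
   piece fails validation or the operand count is wrong, so the caller
   propagates the error instead of emitting defective SQL. Operand values
   themselves are never spliced into the string; they stay bound parameters. */
int build_predicate(const char *column, const char *op, size_t n_operands,
                    char *out, size_t outlen) {
    if (!is_safe_identifier(column) || !is_safe_operator(op)) return -1;
    int n;
    if (strcasecmp(op, "between") == 0) {
        if (n_operands != 2) return -1;   /* BETWEEN takes exactly two operands */
        n = snprintf(out, outlen, "%s BETWEEN $1 AND $2", column);
    } else {
        if (n_operands != 1) return -1;
        n = snprintf(out, outlen, "%s %s $1", column, op);
    }
    if (n < 0 || (size_t)n >= outlen) return -1;
    return 0;
}

int main(void) {
    /* constructed sample inputs: one well-formed column, one malformed */
    const char *columns[] = { "acp.deleted", "deleted OR 1=1" };
    char buf[64];
    for (size_t i = 0; i < 2; ++i) {
        if (build_predicate(columns[i], "=", 1, buf, sizeof buf) == 0)
            printf("accepted: %s\n", buf);
        else
            printf("rejected: %s\n", columns[i]);
    }
    return 0;
}
```

The validator never tries to "clean" a bad string; it only answers yes or no, and a no is returned to the caller as an error, matching the propagate-the-NULL approach of the 13 Mar commit.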
scottmk [Wed, 11 Mar 2009 18:57:16 +0000 (18:57 +0000)]
1. When inserting a literal value into a SELECT statement:
whenever possible, leave the value unquoted if it is known to be
numeric, i.e. it is carried as a JSON_NUMBER, regardless of the
datatype as inferred from the associated column. Reason: so that
the test_json_query utility (which currently doesn't look up the
datatypes of the columns) can generate the correct SQL most of
the time. This approach should also be slightly faster, since it
bypasses some hashed lookups.
2. As part of the implementation of the change described above:
combine searchSimplePredicate() and searchWriteSimplePredicate()
into a single function, so that the JSON type is known when it's
time to decide whether to add quotes. This change is benign because
the latter function was called only by the former anyway.
3. Several minor rearrangements and optimizations.
phasefx [Tue, 10 Mar 2009 16:46:11 +0000 (16:46 +0000)]
Fast single item add from within marc editor. Good for home users, but all catalogers might like this too. Only working in z39.50 and New MARC interfaces, though I want to enable it when editing
existing bib records (code placement issues with JSAN and remote vs chrome, bleh :)
phasefx [Tue, 10 Mar 2009 13:39:32 +0000 (13:39 +0000)]
use oncommand rather than onclick here for keyboard access. But interestingly, the timing for DOM updates appears to happen differently between oncommand and onclick, so the element's .checked (and @checked) get updated after the oncommand but before the onclick. So I threw a negation in front of the .checked test
phasefx [Tue, 10 Mar 2009 04:52:52 +0000 (04:52 +0000)]
Fix Holdings Maintenance for >3-tier hierarchies. We force every parent org to be rendered as open, but the most drastic change is the global function array that gets consumed by a setInterval. This was to fix some timing issues that came from multiple setTimeout function chains; notably, the SL1 stock library was rendering twice if Show Volumes was selected.
dbs [Sun, 8 Mar 2009 05:48:08 +0000 (05:48 +0000)]
Cherry-pick the "integrate Google Book Preview into record detail" feature based on a patch by Alexander O'Neill <aoneill@upei.ca> from http://vre.upei.ca/dev/node/422
I integrated the code directly into rdetail.js and edited it to remove unnecessary helper functions.
Tested with Firefox 3 (Linux), Internet Explorer 7, Google Chrome, and Safari 3.2.1 (Windows).
dbs [Sat, 7 Mar 2009 01:57:15 +0000 (01:57 +0000)]
Add support for returning records in Federal Geographic Data Committee (FGDC) Content Standard for Digital Geospatial Metadata (CSDGM) format.
MARC21slim2FGDC.xsl was retrieved from http://oregonstate.edu/~reeset/marcedit/xslt/MARC21slim2FGDC.xsl and (as the comments in the stylesheet indicate) is available under a CC0 license.