[open-ils-commits] [GIT] Evergreen ILS branch master updated. ab9da07bfb334193b4ceb0c57f5b707d164ab24b

Evergreen Git git at git.evergreen-ils.org
Tue Mar 3 18:02:18 EST 2015


The branch, master has been updated
       via  ab9da07bfb334193b4ceb0c57f5b707d164ab24b (commit)
       via  27c608caa49c2c50983843ce9154e90af32d1bff (commit)
       via  3a0f1cc7b2efa517ee4cd4c6a682237554fed307 (commit)
       via  ac588e879cf73ff1b65617e0bd273361d3529063 (commit)
      from  012a0ebe523c792ba79810868dabc974fe6e672c (commit)


- Log -----------------------------------------------------------------
commit ab9da07bfb334193b4ceb0c57f5b707d164ab24b
Author: Ben Shum <bshum at biblio.org>
Date:   Tue Mar 3 18:01:13 2015 -0500

    Forward-port 2.7.3-2.7.4 upgrade script
    
    Signed-off-by: Ben Shum <bshum at biblio.org>

diff --git a/Open-ILS/src/sql/Pg/version-upgrade/2.7.3-2.7.4-upgrade-db.sql b/Open-ILS/src/sql/Pg/version-upgrade/2.7.3-2.7.4-upgrade-db.sql
new file mode 100644
index 0000000..f2b63e1
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/version-upgrade/2.7.3-2.7.4-upgrade-db.sql
@@ -0,0 +1,114 @@
+--Upgrade Script for 2.7.3 to 2.7.4
+\set eg_version '''2.7.4'''
+BEGIN;
+INSERT INTO config.upgrade_log (version, applied_to) VALUES ('2.7.4', :eg_version);
+
+SELECT evergreen.upgrade_deps_block_check('0908', :eg_version);
+
+CREATE OR REPLACE FUNCTION vandelay.overlay_bib_record ( import_id BIGINT, eg_id BIGINT, merge_profile_id INT ) RETURNS BOOL AS $$
+DECLARE
+    editor_string   TEXT;
+    editor_id       INT;
+    v_marc          TEXT;
+    v_bib_source    INT;
+    update_fields   TEXT[];
+    update_query    TEXT;
+BEGIN
+
+    SELECT  q.marc, q.bib_source INTO v_marc, v_bib_source
+      FROM  vandelay.queued_bib_record q
+            JOIN vandelay.bib_match m ON (m.queued_record = q.id AND q.id = import_id)
+      LIMIT 1;
+
+    IF v_marc IS NULL THEN
+        -- RAISE NOTICE 'no marc for vandelay or bib record';
+        RETURN FALSE;
+    END IF;
+
+    IF vandelay.template_overlay_bib_record( v_marc, eg_id, merge_profile_id) THEN
+        UPDATE  vandelay.queued_bib_record
+          SET   imported_as = eg_id,
+                import_time = NOW()
+          WHERE id = import_id;
+
+        editor_string := (oils_xpath('//*[@tag="905"]/*[@code="u"]/text()',v_marc))[1];
+
+        IF editor_string IS NOT NULL AND editor_string <> '' THEN
+            SELECT usr INTO editor_id FROM actor.card WHERE barcode = editor_string;
+
+            IF editor_id IS NULL THEN
+                SELECT id INTO editor_id FROM actor.usr WHERE usrname = editor_string;
+            END IF;
+
+            IF editor_id IS NOT NULL THEN
+                --only update the edit date if we have a valid editor
+                update_fields := ARRAY_APPEND(update_fields, 'editor = ' || editor_id || ', edit_date = NOW()');
+            END IF;
+        END IF;
+
+        IF v_bib_source IS NOT NULL THEN
+            update_fields := ARRAY_APPEND(update_fields, 'source = ' || v_bib_source);
+        END IF;
+
+        IF ARRAY_LENGTH(update_fields, 1) > 0 THEN
+            update_query := 'UPDATE biblio.record_entry SET ' || ARRAY_TO_STRING(update_fields, ',') || ' WHERE id = ' || eg_id || ';';
+            --RAISE NOTICE 'query: %', update_query;
+            EXECUTE update_query;
+        END IF;
+
+        RETURN TRUE;
+    END IF;
+
+    -- RAISE NOTICE 'update of biblio.record_entry failed';
+
+    RETURN FALSE;
+
+END;
+$$ LANGUAGE PLPGSQL;
+
+
+SELECT evergreen.upgrade_deps_block_check('0913', :eg_version);
+
+--stock evergreen comes with 2 merge profiles; move any custom profiles
+UPDATE vandelay.merge_profile SET id = id + 100 WHERE id > 2;
+
+--update the same ids in org unit settings, stored in double quotes
+UPDATE actor.org_unit_setting
+    SET value = '"' || merge_profile_id+100 || '"'
+	FROM (
+		SELECT id, (regexp_matches(value, '"(\d+)"'))[1]::int as merge_profile_id FROM actor.org_unit_setting
+		WHERE name IN (
+			'acq.upload.default.vandelay.low_quality_fall_thru_profile',
+			'acq.upload.default.vandelay.merge_profile'
+		)
+	) as foo
+	WHERE actor.org_unit_setting.id = foo.id
+	AND foo.merge_profile_id > 2;
+
+--set sequence's next value to 100, or more if necessary
+SELECT SETVAL('vandelay.merge_profile_id_seq', GREATEST(100, (SELECT MAX(id) FROM vandelay.merge_profile)));
+
+
+SELECT evergreen.upgrade_deps_block_check('0914', :eg_version);
+
+CREATE OR REPLACE FUNCTION evergreen.lpad_number_substrings( TEXT, TEXT, INT ) RETURNS TEXT AS $$
+    my $string = shift;            # Source string
+    my $pad = shift;               # string to fill.  Typically '0'. This should be a single character.
+    my $len = shift;               # length of resultant padded field
+    my $find = $len - 1;
+
+    while ($string =~ /(^|\D)(\d{1,$find})($|\D)/) {
+        my $padded = $2;
+        $padded = $pad x ($len - length($padded)) . $padded;
+        $string = $` . $1 . $padded . $3 . $';
+    }
+
+    return $string;
+$$ LANGUAGE PLPERLU;
+
+COMMIT;
+
+-- recompute the various normalized label fields that use lpad_number_substrings()
+UPDATE biblio.monograph_part SET id = id;
+UPDATE asset.call_number_prefix SET id = id;
+UPDATE asset.call_number_suffix SET id = id;
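Review bot: The `update_query` assembled at L90 and run with `EXECUTE` is dynamic SQL built by string concatenation; it is not injectable as written, because `editor_id`, `v_bib_source` and `eg_id` are all integer-typed, but nothing here needs a runtime-built statement and the pattern becomes dangerous the first time a text column is appended to `update_fields`. A static UPDATE with COALESCE keeps the "only touch the fields we actually have" behaviour and lets `update_fields` and `update_query` be dropped entirely (below). Separately, `lpad_number_substrings` at L130 uses only regex and string operations, so the trusted `LANGUAGE PLPERL` would be sufficient unless the existing definition must stay PLPERLU for a reason not visible here; its `\d{1,$find}` pattern also fails to compile when the length argument is 1 or less, and a non-digit `$pad` makes the `while` loop re-match its own output and never terminate, so a guard on both inputs is worth adding. Finally, the `SET id = id + 100` renumbering at L109 will abort the transaction if another table references `vandelay.merge_profile.id` through a foreign key without `ON UPDATE CASCADE`; a one-line comment recording which referencing tables were checked would help whoever ports this script next.
```sql
    IF vandelay.template_overlay_bib_record( v_marc, eg_id, merge_profile_id) THEN
        -- … unchanged: queued_bib_record update and editor_id lookup …

        IF editor_id IS NOT NULL OR v_bib_source IS NOT NULL THEN
            -- Only the fields we have values for are touched; editor and
            -- edit_date move together, exactly as the dynamic query did.
            UPDATE  biblio.record_entry
              SET   editor    = COALESCE(editor_id, editor),
                    edit_date = CASE WHEN editor_id IS NOT NULL THEN NOW() ELSE edit_date END,
                    source    = COALESCE(v_bib_source, source)
              WHERE id = eg_id;
        END IF;

        RETURN TRUE;
    END IF;
```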

commit 27c608caa49c2c50983843ce9154e90af32d1bff
Author: Jason Stephenson <jstephenson at mvlc.org>
Date:   Thu Feb 19 11:17:08 2015 -0500

    LP#1424755: Add IMPORTANT SECURITY INFORMATION release note.
    
    Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
    Signed-off-by: Galen Charlton <gmc at esilibrary.com>
    Signed-off-by: Ben Shum <bshum at biblio.org>

diff --git a/docs/RELEASE_NOTES_NEXT/security-bug-fix.txt b/docs/RELEASE_NOTES_NEXT/security-bug-fix.txt
new file mode 100644
index 0000000..03d83cd
--- /dev/null
+++ b/docs/RELEASE_NOTES_NEXT/security-bug-fix.txt
@@ -0,0 +1,9 @@
+IMPORTANT SECURITY INFORMATION
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+A serious security flaw that allows unauthorized remote access to
+organizational unit settings is fixed in the following releases of
+Evergreen: 2.5.9, 2.6.7, and 2.7.4.  All prior releases of Evergreen
+are vulnerable to exploitation of this flaw to reveal sensitive system
+information.  If you are running a vulnerable release of Evergreen you
+are *strongly* encouraged to upgrade to a non-vulnerable release as
+soon as possible.

commit 3a0f1cc7b2efa517ee4cd4c6a682237554fed307
Author: Jason Stephenson <jstephenson at mvlc.org>
Date:   Wed Feb 18 16:28:31 2015 -0500

    LP#1424755: Org Unit Setting view permissions can be bypassed
    
    Fix private org. unit setting leakage by forcing the $auth argument
    to true if not passed in when open-ils.actor.ou_setting.ancestor_default
    or open-ils.actor.ou_setting.ancestor_default.batch are called.
    
    Other than a change to the desc of the public methods to reflect that
    they now check permissions if permissions are required, there are no
    required api changes to the back or the front ends.
    
    Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
    Signed-off-by: Galen Charlton <gmc at esilibrary.com>
    Signed-off-by: Ben Shum <bshum at biblio.org>

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
index 4e3df18..8c97669 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
@@ -269,8 +269,9 @@ __PACKAGE__->register_method(
     method    => 'ou_ancestor_setting',
     signature => {
         desc => 'Get the org unit setting value associated with the setting name as seen from the specified org unit.  ' .
-                'IF AND ONLY IF an authentication token is provided, this method will make sure that the given '         .
-                'user has permission to view that setting, if there is a permission associated with the setting.'        ,
+                'This method will make sure that the given user has permission to view that setting, if there is a '     .
+                'permission associated with the setting.  If a permission is required and no authtoken is given, or '     .
+                'the user lacks the permisssion, undef will be returned.'       ,
         params => [
             { desc => 'Org unit ID',          type => 'number' },
             { desc => 'setting name',         type => 'string' },
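Review bot: The new desc string at L208 misspells "permission" as "permisssion", and the same typo is in the batch method's desc at L229. These strings are served to API clients as method documentation, so both should read `'the user lacks the permission, undef will be returned.'`.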
@@ -289,6 +290,8 @@ __PACKAGE__->register_method(
 # ------------------------------------------------------------------
 sub ou_ancestor_setting {
     my( $self, $client, $orgid, $name, $auth ) = @_;
+    # Make sure $auth is set to something if not given.
+    $auth ||= -1;
     return $U->ou_ancestor_setting($orgid, $name, undef, $auth);
 }
 
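Review bot: The comment added at L216 says what `$auth ||= -1;` does but not why the sentinel matters, which is the whole point of this security fix; without the reason, a later clean-up could plausibly restore the undef pass-through that caused the leak. Suggest replacing it with `# LP#1424755: an unusable token makes $U->ou_ancestor_setting run the per-setting view-permission check (and fail it) instead of skipping the check entirely when no token is supplied.` The identical line in ou_ancestor_setting_batch at L238 needs the same comment; from this hunk alone I cannot see how `$U->ou_ancestor_setting` treats an invalid token, so the wording should be confirmed against that helper.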
@@ -297,8 +300,9 @@ __PACKAGE__->register_method(
     method    => 'ou_ancestor_setting_batch',
     signature => {
         desc => 'Get org unit setting name => value pairs for a list of names, as seen from the specified org unit.  ' .
-                'IF AND ONLY IF an authentication token is provided, this method will make sure that the given '       .
-                'user has permission to view that setting, if there is a permission associated with the setting.'      ,
+                'This method will make sure that the given user has permission to view that setting, if there is a '     .
+                'permission associated with the setting.  If a permission is required and no authtoken is given, or '     .
+                'the user lacks the permisssion, undef will be returned.'       ,
         params => [
             { desc => 'Org unit ID',          type => 'number' },
             { desc => 'setting name list',    type => 'array'  },
@@ -309,6 +313,8 @@ __PACKAGE__->register_method(
 );
 sub ou_ancestor_setting_batch {
     my( $self, $client, $orgid, $name_list, $auth ) = @_;
+    # Make sure $auth is set to something if not given.
+    $auth ||= -1;
     my %values;
     $values{$_} = $U->ou_ancestor_setting($orgid, $_, undef, $auth) for @$name_list;
     return \%values;

commit ac588e879cf73ff1b65617e0bd273361d3529063
Author: Jason Stephenson <jstephenson at mvlc.org>
Date:   Tue Feb 24 14:05:16 2015 -0500

    LP#1206589: Temporary Fix for Org. Unit Settings History Bug
    
    This commit makes two changes to the coustl IDL entry.
    
    1. It adds a retrieve permission of STAFF_LOGIN.  This at least
    requires someone with staff permission to be able to view settings
    history.
    
    2. It fixes the primary key field, changing it from date_applied to id.
    The prior setting was simply an error.
    
    NOTE: This is intended as a short term fix for the Library Settings
    Editor history feature.
    
    Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
    Signed-off-by: Ben Shum <bshum at biblio.org>

diff --git a/Open-ILS/examples/fm_IDL.xml b/Open-ILS/examples/fm_IDL.xml
index 853d785..354d396 100644
--- a/Open-ILS/examples/fm_IDL.xml
+++ b/Open-ILS/examples/fm_IDL.xml
@@ -11140,7 +11140,7 @@ SELECT  usr,
 	</class>
 
 	<class id="coustl" controller="open-ils.cstore open-ils.pcrud" oils_obj:fieldmapper="config::org_unit_setting_type_log" oils_persist:tablename="config.org_unit_setting_type_log" reporter:label="Organizational Unit Setting Type Log">
-		<fields oils_persist:primary="date_applied" oils_persist:sequence="config.org_unit_setting_type_log_id_seq">
+		<fields oils_persist:primary="id" oils_persist:sequence="config.org_unit_setting_type_log_id_seq">
 			<field reporter:label="ID" name="id" reporter:datatype="id"/>
 			<field name="date_applied" reporter:datatype="timestamp"/>
 			<field name="org" reporter:datatype="org_unit"/>
@@ -11155,7 +11155,7 @@ SELECT  usr,
 		<permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
 			<actions>
 				<create permission="ADMIN_ORG_UNIT_SETTING_TYPE" context_field="org"/>
-				<retrieve/>
+				<retrieve permission="STAFF_LOGIN" context_field="org"/>
 				<update permission="ADMIN_ORG_UNIT_SETTING_TYPE_LOG" context_field="org"/>
 				<delete permission="ADMIN_ORG_UNIT_SETTING_TYPE_LOG" context_field="org"/>
 			</actions>
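Review bot: `STAFF_LOGIN` on the retrieve action at L282 is a far coarser gate than the per-setting view permission the live setting path enforces, so if the log rows carry the applied setting values (the fields beyond those shown in the first hunk are not visible here), any staff account can still read through the history what it is not permitted to read directly; the commit message already describes this as a short-term fix. An XML comment beside the action would keep that gap visible to whoever touches the entry next: `<!-- LP#1206589: temporary; retrieve should honour each setting's own view permission, not just STAFF_LOGIN -->`.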

-----------------------------------------------------------------------

Summary of changes:
 Open-ILS/examples/fm_IDL.xml                       |    4 +-
 .../src/perlmods/lib/OpenILS/Application/Actor.pm  |   14 ++-
 .../Pg/version-upgrade/2.7.3-2.7.4-upgrade-db.sql  |  114 ++++++++++++++++++++
 docs/RELEASE_NOTES_NEXT/security-bug-fix.txt       |    9 ++
 4 files changed, 135 insertions(+), 6 deletions(-)
 create mode 100644 Open-ILS/src/sql/Pg/version-upgrade/2.7.3-2.7.4-upgrade-db.sql
 create mode 100644 docs/RELEASE_NOTES_NEXT/security-bug-fix.txt

