[open-ils-commits] [GIT] Evergreen ILS branch rel_2_10 updated. fae329155d9a69d131a9262f2ef4c3fa147a0bb1

Evergreen Git git at git.evergreen-ils.org
Thu Feb 16 16:57:54 EST 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_2_10 has been updated
       via  fae329155d9a69d131a9262f2ef4c3fa147a0bb1 (commit)
       via  9d496463ad4ea94c44475b7d0b59d7f0730f4d7a (commit)
       via  fb95eabe65102029e2b224c91bbc393ff5f2a882 (commit)
       via  5782caa42a8eb04be7d81808b5dd77e8662bbdc9 (commit)
       via  c1c1011dafdc2e0132cd8a3d671e07e28eadb493 (commit)
      from  65646160516a2168fe2f774e7b60ca82b05d75ff (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit fae329155d9a69d131a9262f2ef4c3fa147a0bb1
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Thu Feb 16 15:43:21 2017 -0500

    schema update script for 2.10.10
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/Open-ILS/src/sql/Pg/version-upgrade/2.10.9-2.10.10-upgrade-db.sql b/Open-ILS/src/sql/Pg/version-upgrade/2.10.9-2.10.10-upgrade-db.sql
new file mode 100644
index 0000000..92ef8b3
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/version-upgrade/2.10.9-2.10.10-upgrade-db.sql
@@ -0,0 +1,17 @@
+--Upgrade Script for 2.10.9 to 2.10.10
+\set eg_version '''2.10.10'''
+BEGIN;
+
+SELECT evergreen.upgrade_deps_block_check('1018', :eg_version);
+
+UPDATE config.org_unit_setting_type
+    SET view_perm = (SELECT id FROM permission.perm_list
+        WHERE code = 'VIEW_CREDIT_CARD_PROCESSING' LIMIT 1)
+    WHERE name LIKE 'credit.processor.stripe%' AND view_perm IS NULL;
+
+UPDATE config.org_unit_setting_type
+    SET update_perm = (SELECT id FROM permission.perm_list
+        WHERE code = 'ADMIN_CREDIT_CARD_PROCESSING' LIMIT 1)
+    WHERE name LIKE 'credit.processor.stripe%' AND update_perm IS NULL;
+
+COMMIT;
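Review bot: the two `permission.perm_list` subqueries in this hunk fail silently if the permission row is absent: a missing `VIEW_CREDIT_CARD_PROCESSING` or `ADMIN_CREDIT_CARD_PROCESSING` row makes the subquery return NULL, the `view_perm IS NULL` / `update_perm IS NULL` rows are set to NULL again, and the script reaches `COMMIT;` without any error while the Stripe settings stay exactly as exposed as before. Consider making the script fail loudly when the lookup returns no row (for example by checking the affected row count after each UPDATE, or selecting the id into a variable and raising if it is NULL), or at least documenting a post-upgrade check that no `credit.processor.stripe%` row in `config.org_unit_setting_type` still has a NULL `view_perm`.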

commit 9d496463ad4ea94c44475b7d0b59d7f0730f4d7a
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Thu Feb 16 12:53:45 2017 -0500

    release notes for 2.10.10
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/docs/RELEASE_NOTES_2_10.adoc b/docs/RELEASE_NOTES_2_10.adoc
index ad36a57..f438f15 100644
--- a/docs/RELEASE_NOTES_2_10.adoc
+++ b/docs/RELEASE_NOTES_2_10.adoc
@@ -3,6 +3,85 @@ Evergreen 2.10 Release Notes
 :toc:
 :numbered:
 
+Evergreen 2.10.10
+-----------------
+This is a security release that also contains several other bugfixes improving
+on Evergreen 2.10.9.  All users of Evergreen 2.10.x are recommended to upgrade
+to 2.10.10 as soon as possible.
+
+Security Issue: Credit Processor Stripe Settings Permissions
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Unprivileged users can retrieve organizational unit setting values for
+setting types lacking a "view" permission.  When the feature adding
+Stripe credit card processing was added, the upgrade script neglected
+to add the VIEW_CREDIT_CARD_PROCESSING permission to the
+organizational unit setting type.  This means that anyone can retrieve
+and view the settings for Stripe credit card processing.
+
+Any system that upgraded from Evergreen version 2.5 to 2.6 is
+affected.  If you use Stripe for credit card processing, it is
+strongly recommended that you apply this upgrade.  Even if you do not
+use Stripe, applying this upgrade is still recommended.  If you did
+not upgrade from version 2.5 to 2.6 of Evergreen, but started with a
+later version, applying this upgrade is harmless.
+
+If you are not ready to perform a full upgrade, and if you use Stripe,
+you can protect the settings by running the following two SQL statements:
+
+[source,sql]
+----
+UPDATE config.org_unit_setting_type
+    SET view_perm = (SELECT id FROM permission.perm_list
+        WHERE code = 'VIEW_CREDIT_CARD_PROCESSING' LIMIT 1)
+    WHERE name LIKE 'credit.processor.stripe%' AND view_perm IS NULL;
+
+UPDATE config.org_unit_setting_type
+    SET update_perm = (SELECT id FROM permission.perm_list
+        WHERE code = 'ADMIN_CREDIT_CARD_PROCESSING' LIMIT 1)
+    WHERE name LIKE 'credit.processor.stripe%' AND update_perm IS NULL;
+----
+
+Other Fixes
+~~~~~~~~~
+Evergreen 2.10.10 also contains the following bugfixes:
+
+* A fix to correctly apply floating group settings when performing
+no-op checkins.
+* A fix to the HTML coding of the temporary lists page.
+* A fix of a problem where certain kinds of requests of information
+about the organizational unit hierarchy to consume all available
+`open-ils.cstore` backends.
+* A fix to allow staff to use the 'place another hold' link without
+running into a user interface loop.
+* A fix to the 'Edit Due Date' form in the web staff client.
+* A fix to sort billing types and non-barcoded item types in alphabetical
+order in the web staff client.
+* A fix to the 'return to grouped search results' link in the public
+catalog.
+* A fix to allow pre-cat checkouts in the web staff client without requiring
+a circulation modifier.
+* Other typo and documentation fixes.
+
+Acknowledgements
+~~~~~~~~~~~~~~
+We would like to thank the following individuals who contributed code,
+testing and documentation patches to the 2.10.10 point release of
+Evergreen:
+
+* Ben Shum
+* Bill Erickson
+* Blake Henderson
+* Chris Sharp
+* Christine Burns
+* Galen Charlton
+* Jane Sandberg
+* Jason Stephenson
+* Jeanette Lundgren
+* Josh Stompro
+* Kathy Lussier
+* Kyle Huckins
+* Mike Rylander
+
 Evergreen 2.10.9
 ----------------
 
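Review bot: the bullet "A fix of a problem where certain kinds of requests of information about the organizational unit hierarchy to consume all available `open-ils.cstore` backends" is missing its main verb; "where certain kinds of requests for information about the organizational unit hierarchy caused all available `open-ils.cstore` backends to be consumed" reads correctly. Separately, the "Security Issue" section explains how to close the hole but says nothing about values that may already have been read while the settings were retrievable by any user; a sentence advising sites that use Stripe to rotate any credentials stored in those settings after applying the fix would complete the advice.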

commit fb95eabe65102029e2b224c91bbc393ff5f2a882
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Thu Feb 16 12:13:05 2017 -0500

    LP#16663435: stamp database update
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>
    
    Conflicts:
    	Open-ILS/src/sql/Pg/002.schema.config.sql

diff --git a/Open-ILS/src/sql/Pg/002.schema.config.sql b/Open-ILS/src/sql/Pg/002.schema.config.sql
index d72d83a..684fc25 100644
--- a/Open-ILS/src/sql/Pg/002.schema.config.sql
+++ b/Open-ILS/src/sql/Pg/002.schema.config.sql
@@ -91,7 +91,7 @@ CREATE TRIGGER no_overlapping_deps
     BEFORE INSERT OR UPDATE ON config.db_patch_dependencies
     FOR EACH ROW EXECUTE PROCEDURE evergreen.array_overlap_check ('deprecates');
 
-INSERT INTO config.upgrade_log (version, applied_to) VALUES ('1003', :eg_version); -- gmcharlt/rhamby/csharp
+INSERT INTO config.upgrade_log (version, applied_to) VALUES ('1018', :eg_version); -- csharp/Dyrcona/gmcharlt
 
 CREATE TABLE config.bib_source (
 	id		SERIAL	PRIMARY KEY,
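Review bot: this stamp moves the rel_2_10 `config.upgrade_log` entry from 1003 straight to 1018, and the commit message records a conflict in this file when the change was brought over; confirm that upgrade numbers 1004 through 1017 are intentionally absent from this branch and that the 2.10.9-2.10.10 version-upgrade script applies exactly this stamp, so that `evergreen.upgrade_deps_block_check('1018', :eg_version)` behaves as expected on 2.10.x databases.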
diff --git a/Open-ILS/src/sql/Pg/upgrade/XXXX.data.coust_view_perms_stripe.sql b/Open-ILS/src/sql/Pg/upgrade/1018.data.coust_view_perms_stripe.sql
similarity index 88%
rename from Open-ILS/src/sql/Pg/upgrade/XXXX.data.coust_view_perms_stripe.sql
rename to Open-ILS/src/sql/Pg/upgrade/1018.data.coust_view_perms_stripe.sql
index 438ec30..34754f9 100644
--- a/Open-ILS/src/sql/Pg/upgrade/XXXX.data.coust_view_perms_stripe.sql
+++ b/Open-ILS/src/sql/Pg/upgrade/1018.data.coust_view_perms_stripe.sql
@@ -1,6 +1,6 @@
 BEGIN;
 
-SELECT evergreen.upgrade_deps_block_check('XXXX', :eg_version);
+SELECT evergreen.upgrade_deps_block_check('1018', :eg_version);
 
 UPDATE config.org_unit_setting_type
     SET view_perm = (SELECT id FROM permission.perm_list

commit 5782caa42a8eb04be7d81808b5dd77e8662bbdc9
Author: Jason Stephenson <jason at sigio.com>
Date:   Tue Feb 14 15:12:47 2017 -0500

    LP#16663435 - Release Note for Missing Stripe Settings Permissions
    
    Signed-off-by: Jason Stephenson <jason at sigio.com>
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/docs/RELEASE_NOTES_NEXT/Administration/stripe_settings_permission.adoc b/docs/RELEASE_NOTES_NEXT/Administration/stripe_settings_permission.adoc
new file mode 100644
index 0000000..84ca344
--- /dev/null
+++ b/docs/RELEASE_NOTES_NEXT/Administration/stripe_settings_permission.adoc
@@ -0,0 +1,15 @@
+Credit Processor Stripe Settings Permissions
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Unprivileged users can retrieve organizational unit setting values for
+setting types lacking a "view" permission.  When the feature adding
+Stripe credit card processing was added, the upgrade script neglected
+to add the VIEW_CREDIT_CARD_PROCESSING permission to the
+organizational unit setting type.  This means that anyone can retrieve
+and view the settings for Stripe credit card processing.
+
+Any system that upgraded from Evergreen version 2.5 to 2.6 is
+affected.  If you use Stripe for credit card processing, it is
+strongly recommended that you apply this upgrade.  Even if you do not
+use Stripe, applying this upgrade is still recommended.  If you did
+not upgrade from version 2.5 to 2.6 of Evergreen, but started with a
+later version, applying this upgrade is harmless.
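Review bot: the note tells administrators to apply the upgrade but gives them no way to confirm whether they were exposed or that the fix took effect; a one-line check such as `SELECT name, view_perm, update_perm FROM config.org_unit_setting_type WHERE name LIKE 'credit.processor.stripe%';` (rows with a NULL `view_perm` are the unprotected ones) would let sites verify before and after. The same paragraphs are reused verbatim in docs/RELEASE_NOTES_2_10.adoc, so any wording change should land in both files.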

commit c1c1011dafdc2e0132cd8a3d671e07e28eadb493
Author: Chris Sharp <csharp at georgialibraries.org>
Date:   Tue Feb 14 13:27:31 2017 -0500

    LP#16663435 - Stripe org settings lack view permissions.
    
    Unprivileged users can retrieve organizational unit setting values
    for setting types lacking a "view" permission.  When the feature adding
    Stripe credit card processing was added, the upgrade script neglected to
    add the VIEW_CREDIT_CARD_PROCESSING permission to the organizational unit
    setting type (which was included in 0396.data.org-setting-payflowpro.sql).
    
    Fresh installs are not affected, but anyone who upgraded through 0863.data.stripe-payments.sql
    (included in the 2.5.3-2.6.0-upgrade-db.sql version upgrade script) and is
    using Stripe credit card processing should run this script.
    
    Signed-off-by: Chris Sharp <csharp at georgialibraries.org>
    Signed-off-by: Jason Stephenson <jason at sigio.com>
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/Open-ILS/src/sql/Pg/upgrade/XXXX.data.coust_view_perms_stripe.sql b/Open-ILS/src/sql/Pg/upgrade/XXXX.data.coust_view_perms_stripe.sql
new file mode 100644
index 0000000..438ec30
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/upgrade/XXXX.data.coust_view_perms_stripe.sql
@@ -0,0 +1,15 @@
+BEGIN;
+
+SELECT evergreen.upgrade_deps_block_check('XXXX', :eg_version);
+
+UPDATE config.org_unit_setting_type
+    SET view_perm = (SELECT id FROM permission.perm_list
+        WHERE code = 'VIEW_CREDIT_CARD_PROCESSING' LIMIT 1)
+    WHERE name LIKE 'credit.processor.stripe%' AND view_perm IS NULL;
+
+UPDATE config.org_unit_setting_type
+    SET update_perm = (SELECT id FROM permission.perm_list
+        WHERE code = 'ADMIN_CREDIT_CARD_PROCESSING' LIMIT 1)
+    WHERE name LIKE 'credit.processor.stripe%' AND update_perm IS NULL;
+
+COMMIT;
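Review bot: `LIMIT 1` without an `ORDER BY` in the two `permission.perm_list` subqueries picks an arbitrary row if `code` is ever duplicated; if `code` is unique the `LIMIT 1` is redundant, and if it is not, the id that ends up in `view_perm` or `update_perm` is undefined. Either drop the `LIMIT 1` so that a duplicate surfaces as an error instead of being silently chosen, or make the choice deterministic with `ORDER BY id LIMIT 1`.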

-----------------------------------------------------------------------

Summary of changes:
 Open-ILS/src/sql/Pg/002.schema.config.sql          |    2 +-
 .../upgrade/1018.data.coust_view_perms_stripe.sql  |   15 ++++
 .../version-upgrade/2.10.9-2.10.10-upgrade-db.sql  |   17 ++++
 docs/RELEASE_NOTES_2_10.adoc                       |   79 ++++++++++++++++++++
 .../Administration/stripe_settings_permission.adoc |   15 ++++
 5 files changed, 127 insertions(+), 1 deletions(-)
 create mode 100644 Open-ILS/src/sql/Pg/upgrade/1018.data.coust_view_perms_stripe.sql
 create mode 100644 Open-ILS/src/sql/Pg/version-upgrade/2.10.9-2.10.10-upgrade-db.sql
 create mode 100644 docs/RELEASE_NOTES_NEXT/Administration/stripe_settings_permission.adoc


hooks/post-receive
-- 
Evergreen ILS