[open-ils-commits] [GIT] Evergreen ILS branch rel_2_11 updated. c8fc2dfe4a6112896839faf9cc14a105d78799d4

Evergreen Git git at git.evergreen-ils.org
Thu Feb 16 18:35:49 EST 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_2_11 has been updated
       via  c8fc2dfe4a6112896839faf9cc14a105d78799d4 (commit)
       via  b2b3c420a8c11189bebb28c107a52cd44af73052 (commit)
       via  f8d691b3c3b07a0cbe2dd4f6182b4de99ed47117 (commit)
       via  7e0499b593820a1437c158af8f8056565338963e (commit)
       via  405eae5736e23cd8923ea567de32b1b14c442517 (commit)
      from  25d4b1833277e8564496396dd135aae2ef2bed72 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c8fc2dfe4a6112896839faf9cc14a105d78799d4
Author: Dan Wells <dbw2 at calvin.edu>
Date:   Thu Feb 16 13:07:59 2017 -0500

    Add note about missing upgrade script to release notes
    
    Signed-off-by: Dan Wells <dbw2 at calvin.edu>

diff --git a/docs/RELEASE_NOTES_2_11.adoc b/docs/RELEASE_NOTES_2_11.adoc
index c01c696..9d9476c 100644
--- a/docs/RELEASE_NOTES_2_11.adoc
+++ b/docs/RELEASE_NOTES_2_11.adoc
@@ -41,6 +41,13 @@ UPDATE config.org_unit_setting_type
     WHERE name LIKE 'credit.processor.stripe%' AND update_perm IS NULL;
 ----
 
+Missing Upgrade Script Notice
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+It was recently discovered that the 2.11.2 tarball was missing the
+upgrade script for 2.11.1.  If you upgraded straight to 2.11.2 from
+2.11.0 or prior, please make sure to apply the
+2.11.0-2.11.1-upgrade-db.sql before moving on to the 2.11.3 script.
+
 Other Fixes
 ~~~~~~~~~~~
 Evergreen 2.11.3 also contains the following bugfixes:
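Review bot: the new "Missing Upgrade Script Notice" tells administrators who jumped from 2.11.0 to 2.11.2 to apply 2.11.0-2.11.1-upgrade-db.sql, but gives them no way to tell whether that script already ran. Suggest one more sentence pointing at config.upgrade_log (the table that 002.schema.config.sql stamps elsewhere in this push) so a site can check its applied versions before re-running a script, and stating whether re-applying it on an already-upgraded database is safe.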

commit b2b3c420a8c11189bebb28c107a52cd44af73052
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Thu Feb 16 12:46:13 2017 -0500

    release notes for Evergreen 2.11
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/docs/RELEASE_NOTES_2_11.adoc b/docs/RELEASE_NOTES_2_11.adoc
index e5a1283..c01c696 100644
--- a/docs/RELEASE_NOTES_2_11.adoc
+++ b/docs/RELEASE_NOTES_2_11.adoc
@@ -3,6 +3,97 @@ Evergreen 2.11 Release Notes
 :toc:
 :numbered:
 
+Evergreen 2.11.3
+----------------
+This is a security release that also contains several other bugfixes improving
+on Evergreen 2.11.2.  All users of Evergreen 2.11.x are recommended to upgrade
+to 2.11.3 as soon as possible.
+
+Security Issue: Credit Processor Stripe Settings Permissions
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Unprivileged users can retrieve organizational unit setting values for
+setting types lacking a "view" permission.  When the feature adding
+Stripe credit card processing was added, the upgrade script neglected
+to add the VIEW_CREDIT_CARD_PROCESSING permission to the
+organizational unit setting type.  This means that anyone can retrieve
+and view the settings for Stripe credit card processing.
+
+Any system that upgraded from Evergreen version 2.5 to 2.6 is
+affected.  If you use Stripe for credit card processing, it is
+strongly recommended that you apply this upgrade.  Even if you do not
+use Stripe, applying this upgrade is still recommended.  If you did
+not upgrade from version 2.5 to 2.6 of Evergreen, but started with a
+later version, applying this upgrade is harmless.
+
+If you are not ready to perform a full upgrade, and if you use Stripe,
+you can protect the settings by running the following two SQL statements:
+
+[source,sql]
+----
+UPDATE config.org_unit_setting_type
+    SET view_perm = (SELECT id FROM permission.perm_list
+        WHERE code = 'VIEW_CREDIT_CARD_PROCESSING' LIMIT 1)
+    WHERE name LIKE 'credit.processor.stripe%' AND view_perm IS NULL;
+
+UPDATE config.org_unit_setting_type
+    SET update_perm = (SELECT id FROM permission.perm_list
+        WHERE code = 'ADMIN_CREDIT_CARD_PROCESSING' LIMIT 1)
+    WHERE name LIKE 'credit.processor.stripe%' AND update_perm IS NULL;
+----
+
+Other Fixes
+~~~~~~~~~~~
+Evergreen 2.11.3 also contains the following bugfixes:
+
+* A fix to correctly apply floating group settings when performing
+no-op checkins.
+* An improvement to the speed of looking up patrons by their username;
+this is particularly important for large databases.
+* A fix to properly display the contents of temporary lists ('My List') in the
+public catalog, as well as a fix of the HTML coding of that page.
+* A fix to the Spanish translation of the public catalog that could
+cause catalog searches to fail.
+* A fix of a problem where certain kinds of requests of information
+about the organizational unit hierarchy to consume all available
+`open-ils.cstore` backends.
+* A fix to allow staff to use the 'place another hold' link without
+running into a user interface loop.
+* A fix to the 'Edit Due Date' form in the web staff client.
+* A fix to the definition of the stock 'Full Overlay' merge profile.
+* A fix to sort billing types in alphabetical order in the web staff
+client.
+* A fix to the display of the popularity score in the public catalog.
+* A fix to the 'return to grouped search results' link in the public
+catalog.
+* A fix to allow pre-cat checkouts in the web staff client without requiring
+a circulation modifier.
+* A fix to how Action/Trigger event definitions with nullable grouping
+fields handle null values.
+* Other typo and documentation fixes.
+
+Acknowledgements
+~~~~~~~~~~~~~~~~
+We would like to thank the following individuals who contributed code,
+testing and documentation patches to the 2.11.3 point release of
+Evergreen:
+
+* Ben Shum
+* Bill Erickson
+* Blake Henderson
+* Chris Sharp
+* Christine Burns
+* Dan Wells
+* Galen Charlton
+* Jane Sandberg
+* Jason Boyer
+* Jason Etheridge
+* Jason Stephenson
+* Jeanette Lundgren
+* Josh Stompro
+* Kathy Lussier
+* Kyle Huckins
+* Mike Rylander
+
 Evergreen 2.11.2
 ----------------
 
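Review bot: the two quick-fix UPDATE statements under "Security Issue: Credit Processor Stripe Settings Permissions" give no way to confirm they took effect: each one pulls the permission id from a `(SELECT id FROM permission.perm_list WHERE code = ... LIMIT 1)` subselect, so if a site's perm_list lacks that code the subselect yields NULL and the UPDATE silently leaves view_perm / update_perm NULL, which is exactly the exposed state. Suggest adding a verification query after the block, e.g. `SELECT name, view_perm, update_perm FROM config.org_unit_setting_type WHERE name LIKE 'credit.processor.stripe%';` with a note that every row should now show non-null permissions; also note the snippet is not wrapped in BEGIN/COMMIT as the 1018 upgrade script is. Minor: the "Other Fixes" bullet "A fix of a problem where certain kinds of requests of information about the organizational unit hierarchy to consume all available `open-ils.cstore` backends" is missing a verb ("could consume").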

commit f8d691b3c3b07a0cbe2dd4f6182b4de99ed47117
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Thu Feb 16 12:13:05 2017 -0500

    LP#16663435: stamp database update
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>
    
    Conflicts:
    	Open-ILS/src/sql/Pg/002.schema.config.sql

diff --git a/Open-ILS/src/sql/Pg/002.schema.config.sql b/Open-ILS/src/sql/Pg/002.schema.config.sql
index 138d8b4..9adc72b 100644
--- a/Open-ILS/src/sql/Pg/002.schema.config.sql
+++ b/Open-ILS/src/sql/Pg/002.schema.config.sql
@@ -91,7 +91,7 @@ CREATE TRIGGER no_overlapping_deps
     BEFORE INSERT OR UPDATE ON config.db_patch_dependencies
     FOR EACH ROW EXECUTE PROCEDURE evergreen.array_overlap_check ('deprecates');
 
-INSERT INTO config.upgrade_log (version, applied_to) VALUES ('1013', :eg_version); -- csharp/miker/gmcharlt
+INSERT INTO config.upgrade_log (version, applied_to) VALUES ('1018', :eg_version); -- csharp/Dyrcona/gmcharlt
 
 CREATE TABLE config.bib_source (
 	id		SERIAL	PRIMARY KEY,
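Review bot: the upgrade_log stamp moves from '1013' straight to '1018' in a commit whose message records a merge conflict in this very file. Since evergreen.upgrade_deps_block_check keys off this log, please confirm that patches 1014 through 1017 are actually present in rel_2_11's upgrade directory and recorded on this branch before the stamp is advanced past them; otherwise a later script's dependency check could pass against a database that never received them.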
diff --git a/Open-ILS/src/sql/Pg/upgrade/XXXX.data.coust_view_perms_stripe.sql b/Open-ILS/src/sql/Pg/upgrade/1018.data.coust_view_perms_stripe.sql
similarity index 88%
rename from Open-ILS/src/sql/Pg/upgrade/XXXX.data.coust_view_perms_stripe.sql
rename to Open-ILS/src/sql/Pg/upgrade/1018.data.coust_view_perms_stripe.sql
index 438ec30..34754f9 100644
--- a/Open-ILS/src/sql/Pg/upgrade/XXXX.data.coust_view_perms_stripe.sql
+++ b/Open-ILS/src/sql/Pg/upgrade/1018.data.coust_view_perms_stripe.sql
@@ -1,6 +1,6 @@
 BEGIN;
 
-SELECT evergreen.upgrade_deps_block_check('XXXX', :eg_version);
+SELECT evergreen.upgrade_deps_block_check('1018', :eg_version);
 
 UPDATE config.org_unit_setting_type
     SET view_perm = (SELECT id FROM permission.perm_list

commit 7e0499b593820a1437c158af8f8056565338963e
Author: Jason Stephenson <jason at sigio.com>
Date:   Tue Feb 14 15:12:47 2017 -0500

    LP#16663435 - Release Note for Missing Stripe Settings Permissions
    
    Signed-off-by: Jason Stephenson <jason at sigio.com>
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/docs/RELEASE_NOTES_NEXT/Administration/stripe_settings_permission.adoc b/docs/RELEASE_NOTES_NEXT/Administration/stripe_settings_permission.adoc
new file mode 100644
index 0000000..84ca344
--- /dev/null
+++ b/docs/RELEASE_NOTES_NEXT/Administration/stripe_settings_permission.adoc
@@ -0,0 +1,15 @@
+Credit Processor Stripe Settings Permissions
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Unprivileged users can retrieve organizational unit setting values for
+setting types lacking a "view" permission.  When the feature adding
+Stripe credit card processing was added, the upgrade script neglected
+to add the VIEW_CREDIT_CARD_PROCESSING permission to the
+organizational unit setting type.  This means that anyone can retrieve
+and view the settings for Stripe credit card processing.
+
+Any system that upgraded from Evergreen version 2.5 to 2.6 is
+affected.  If you use Stripe for credit card processing, it is
+strongly recommended that you apply this upgrade.  Even if you do not
+use Stripe, applying this upgrade is still recommended.  If you did
+not upgrade from version 2.5 to 2.6 of Evergreen, but started with a
+later version, applying this upgrade is harmless.
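Review bot: this RELEASE_NOTES_NEXT entry repeats the advisory text but never names the fix, so a reader of the next release's notes learns that "applying this upgrade" is recommended without learning which script does it. Suggest adding the upgrade script name (1018.data.coust_view_perms_stripe.sql after the rename in this push) and, as the 2.11 notes do, the stand-alone SQL for sites that cannot do a full upgrade yet.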

commit 405eae5736e23cd8923ea567de32b1b14c442517
Author: Chris Sharp <csharp at georgialibraries.org>
Date:   Tue Feb 14 13:27:31 2017 -0500

    LP#16663435 - Stripe org settings lack view permissions.
    
    Unprivileged users can retrieve organizational unit setting values
    for setting types lacking a "view" permission.  When the feature adding
    Stripe credit card processing was added, the upgrade script neglected to
    add the VIEW_CREDIT_CARD_PROCESSING permission to the organizational unit
    setting type (which was included in 0396.data.org-setting-payflowpro.sql).
    
    Fresh installs are not affected, but anyone who upgraded through 0863.data.stripe-payments.sql
    (included in the 2.5.3-2.6.0-upgrade-db.sql version upgrade script) and is
    using Stripe credit card processing should run this script.
    
    Signed-off-by: Chris Sharp <csharp at georgialibraries.org>
    Signed-off-by: Jason Stephenson <jason at sigio.com>
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/Open-ILS/src/sql/Pg/upgrade/XXXX.data.coust_view_perms_stripe.sql b/Open-ILS/src/sql/Pg/upgrade/XXXX.data.coust_view_perms_stripe.sql
new file mode 100644
index 0000000..438ec30
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/upgrade/XXXX.data.coust_view_perms_stripe.sql
@@ -0,0 +1,15 @@
+BEGIN;
+
+SELECT evergreen.upgrade_deps_block_check('XXXX', :eg_version);
+
+UPDATE config.org_unit_setting_type
+    SET view_perm = (SELECT id FROM permission.perm_list
+        WHERE code = 'VIEW_CREDIT_CARD_PROCESSING' LIMIT 1)
+    WHERE name LIKE 'credit.processor.stripe%' AND view_perm IS NULL;
+
+UPDATE config.org_unit_setting_type
+    SET update_perm = (SELECT id FROM permission.perm_list
+        WHERE code = 'ADMIN_CREDIT_CARD_PROCESSING' LIMIT 1)
+    WHERE name LIKE 'credit.processor.stripe%' AND update_perm IS NULL;
+
+COMMIT;
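Review bot: the script cannot fail when it should. Both UPDATEs take their permission id from a `(SELECT id FROM permission.perm_list WHERE code = '...' LIMIT 1)` subselect; if either code is missing from perm_list the subselect returns NULL, the UPDATE "succeeds" by writing NULL into a column that was already NULL, and the COMMIT goes through, leaving the Stripe settings just as exposed as before while upgrade_log records the patch as applied. Suggest resolving each permission id up front and raising when it is not found (or at least verifying `view_perm IS NOT NULL` on the credit.processor.stripe% rows before COMMIT). The `LIMIT 1` without an ORDER BY also hints that code is not being treated as unique; if duplicates can exist, which id is chosen is unspecified.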

-----------------------------------------------------------------------

Summary of changes:
 Open-ILS/src/sql/Pg/002.schema.config.sql          |    2 +-
 .../upgrade/1018.data.coust_view_perms_stripe.sql  |   15 +++
 docs/RELEASE_NOTES_2_11.adoc                       |   98 ++++++++++++++++++++
 .../Administration/stripe_settings_permission.adoc |   15 +++
 4 files changed, 129 insertions(+), 1 deletions(-)
 create mode 100644 Open-ILS/src/sql/Pg/upgrade/1018.data.coust_view_perms_stripe.sql
 create mode 100644 docs/RELEASE_NOTES_NEXT/Administration/stripe_settings_permission.adoc


hooks/post-receive
-- 
Evergreen ILS

