Address SQL injection vulnerability in SQL ORM layer
If the user-supplied value and the db column are both numbers
(jsonObject->type == JSON_NUMBER, get_primitive(field) == "number") then
don't quote. Otherwise, quote.
Signed-off-by: Mike Rylander <email address hidden>
Signed-off-by: Dan Scott <email address hidden>
Signed-off-by: Bill Erickson <email address hidden>
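The quoting rule in the commit above, shown as an added example rather than Evergreen's own oils_sql.c: the commit's jsonObject->type == JSON_NUMBER test and get_primitive(field) == "number" lookup are modelled here by a small value-type enum and a column-type string, which are assumptions of this example. A literal is emitted bare only when both sides are numeric; every other case is single-quoted. As an extra guard beyond the commit's type comparison, the example also verifies that a number-typed value really is a numeric literal before emitting it unquoted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Added illustration, not Evergreen's own code. The value type stands in for
 * jsonObject->type; the column type string stands in for get_primitive(). */
typedef enum { VAL_STRING, VAL_NUMBER } val_type;

/* 1 if s is a plain numeric literal: optional sign, digits, optional fraction.
 * Extra guard beyond the commit: a value that is typed as a number but carries
 * other characters is still quoted. */
static int is_numeric_literal(const char *s) {
    int digits = 0;
    if (*s == '+' || *s == '-') s++;
    while (isdigit((unsigned char)*s)) { s++; digits++; }
    if (*s == '.') { s++; while (isdigit((unsigned char)*s)) { s++; digits++; } }
    return digits > 0 && *s == '\0';
}

/* Render value as a SQL literal into out. Bare only when the supplied value is
 * a number AND the column is numeric AND the text is a numeric literal; every
 * other case is single-quoted with embedded quotes doubled (standard SQL
 * escaping; a real driver should use its own escaper instead).
 * Returns the length written, or -1 if out is too small. */
int render_sql_literal(const char *value, val_type vtype, const char *column_type,
                       char *out, size_t outlen) {
    size_t len = strlen(value);

    if (vtype == VAL_NUMBER && strcmp(column_type, "number") == 0
            && is_numeric_literal(value)) {
        if (len + 1 > outlen) return -1;
        memcpy(out, value, len + 1);
        return (int)len;
    }

    /* Quoted path: count embedded quotes first so the bound check is exact. */
    size_t quotes = 0;
    for (const char *p = value; *p; p++) if (*p == '\'') quotes++;
    size_t need = len + quotes + 2;          /* opening + closing quote */
    if (need + 1 > outlen) return -1;        /* +1 for the NUL */

    size_t o = 0;
    out[o++] = '\'';
    for (const char *p = value; *p; p++) {
        if (*p == '\'') out[o++] = '\'';     /* double the quote */
        out[o++] = *p;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return (int)o;
}

/* Convenience for checks: render and compare against the expected literal. */
int literal_equals(const char *value, val_type vtype, const char *column_type,
                   const char *expected) {
    char buf[128];
    return render_sql_literal(value, vtype, column_type, buf, sizeof buf) >= 0
        && strcmp(buf, expected) == 0;
}

int main(void) {
    char buf[128];
    /* Constructed inputs: (value, value type, column type). */
    struct { const char *v; val_type t; const char *col; } cases[] = {
        { "42",      VAL_NUMBER, "number" },   /* both numeric: bare */
        { "42",      VAL_STRING, "number" },   /* string value: quoted */
        { "42",      VAL_NUMBER, "text"   },   /* text column: quoted */
        { "42 abc",  VAL_NUMBER, "number" },   /* number-typed but not a literal: quoted */
        { "O'Brien", VAL_STRING, "text"   },   /* embedded quote doubled */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        if (render_sql_literal(cases[i].v, cases[i].t, cases[i].col, buf, sizeof buf) >= 0)
            printf("%-8s -> %s\n", cases[i].v, buf);
    }
    return 0;
}
```

The check is deliberately conjunctive: either side being non-numeric, or the text failing to parse as a number, falls through to the quoted path, so the unquoted branch can never carry anything other than a numeric literal.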
536def6... by Lebbeous Fogle-Weekley <email address hidden>
TPAC bucket item retrieval operates in streaming mode
TPAC bucket item retrieve fleshes bib records with large blobs of MARC
data. When a bucket contains a few thousand items, the size of the
data passed around in atomic retrieval mode will exceed the typical jabber
max stanza size and result in a failure. Retrieve the records in
streaming mode instead.
Signed-off-by: Bill Erickson <email address hidden>
Signed-off-by: Ben Shum <email address hidden>
Avoid problems when auth recs are missing the 901c
Fixed the authority.normalize_heading function to better handle
INTs when there is no 901 present. Now we look for the best-fit
control set instead of throwing a db-level error.
Signed-off-by: Steven Callender <email address hidden>
Signed-off-by: Mike Rylander <email address hidden>
If a hold note is marked as "public", it seems reasonable that it
should be visible to anyone who can see that hold, regardless of
who created the note.
Hold notes (at least at the data level) allow for both staff and
"private" notes to be attached. This code intended to show "private"
notes to the hold owner and staff notes to staff, but had the logic
reversed.