1. Evergreen 2.10.12

This release is a security release.

1.1. Security Issue: XSS Vulnerability in Public Catalog

This release fixes several cross-site scripting (XSS) vulnerabilities in the public catalog. When upgrading, Evergreen administrators should review whether any of the following templates have been customized or overridden. If so, either the template should be replaced with the stock version or the XSS fix (which entails adding the | html filter in several places) applied to the customized version.

  • Open-ILS/src/templates/opac/parts/locale_picker.tt2

  • Open-ILS/src/templates/opac/parts/login/form.tt2

  • Open-ILS/src/templates/opac/parts/searchbar.tt2
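One way to review a customized copy of these templates for output that still lacks the filter, as an added example (not code from the Evergreen project or its patch). It is a heuristic that lists `[% ... %]` directives printing a non-literal value without `| html` as candidates for review; the sample template and its variable names are constructed for illustration, and treating `l('...')` with only a literal argument as static is an assumption.

```python
import re

# One Template Toolkit directive, with optional chomp markers next to the tags.
DIRECTIVE = re.compile(r"\[%[-+~=]?(.*?)[-+~=]?%\]", re.S)
STRING = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")
HTML_FILTER = re.compile(r"(?<!\|)\|\s*html\b")
ASSIGNMENT = re.compile(r"^[A-Za-z_][\w.]*\s*=(?!=)")
STATIC_L10N = re.compile(r"^l\(\s*\)$")  # l('literal only'): assumed static

# Directives that start with these keywords do not print a variable themselves.
KEYWORDS = {
    "IF", "ELSIF", "ELSE", "UNLESS", "END", "FOR", "FOREACH", "WHILE",
    "SET", "DEFAULT", "BLOCK", "WRAPPER", "USE", "MACRO", "CALL",
    "SWITCH", "CASE", "NEXT", "LAST", "RETURN", "STOP", "TRY", "CATCH",
    "FINAL", "THROW", "PROCESS", "INCLUDE", "INSERT", "FILTER", "PERL",
    "RAWPERL", "META", "TAGS", "CLEAR",
}


def split_statements(body):
    """Split a directive body on ';' while leaving quoted strings intact."""
    parts, buf, quote = [], [], None
    for ch in body:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == ";":
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return parts


def find_unfiltered(template_text):
    """Return (line_number, statement) for each output lacking '| html'."""
    findings = []
    for m in DIRECTIVE.finditer(template_text):
        body = m.group(1)
        if body.lstrip().startswith("#"):      # [%# comment %]
            continue
        line = template_text.count("\n", 0, m.start()) + 1
        for stmt in split_statements(body):
            stmt = stmt.strip()
            if stmt.startswith("GET "):        # explicit output keyword
                stmt = stmt[4:].strip()
            word = re.match(r"[A-Za-z_]+", stmt)
            if word and word.group() in KEYWORDS:
                continue
            if ASSIGNMENT.match(stmt):         # foo = bar prints nothing
                continue
            bare = STRING.sub("", stmt).strip()
            if not re.search(r"[A-Za-z_]", bare) or STATIC_L10N.match(bare):
                continue                       # literal-only output
            if HTML_FILTER.search(bare):
                continue                       # already escaped
            findings.append((line, stmt))
    return findings


# Constructed sample standing in for a locally overridden template.
SAMPLE = """\
[%- PROCESS "opac/parts/header.tt2" -%]
<form action="[% ctx.opac_root %]/login" method="post">
  <input type="hidden" name="f" value="[% CGI.param('example_field') %]"/>
  <label>[% l('Username') %]</label>
  <input name="username" value="[% username | html %]"/>
  [%# a comment %]
  [% SET loc = ctx.locale; loc %]
  <span>[% l('Hello [_1]', ctx.user.name) | html %]</span>
</form>
"""

if __name__ == "__main__":
    for line, stmt in find_unfiltered(SAMPLE):
        print(f"line {line}: [% {stmt} %] has no '| html' filter")
```

A flagged line is not necessarily exploitable (the value may be server-controlled), but each one should be compared against the stock 2.10.12 template.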

1.2. Acknowledgements

We would like to thank the following individuals who contributed code, testing and documentation patches to the 2.10.12 point release of Evergreen:

  • Galen Charlton

  • Dan Scott

2. Evergreen 2.10.11

This release contains several bug fixes improving on Evergreen 2.10.10.

  • A fix to avoid fetching and creating EDI message entries that the system cannot parse.

  • A fix to prevent staff users from marking a long overdue item as lost so that the patron will not be billed twice for the same item.

  • A fix to the link that is used on the catalog’s Library Info page so that links with anchors can be successfully retrieved.

  • A replacement for the blank fallback image used when the catalog cannot retrieve an added content book cover.

  • An EDI fix that prevents EDI fetcher from crashing when the vendor supplies a zero-length file.

  • A fix to an issue where adjusting a bill to zero for a current checkout prematurely closes the transaction.

  • A fix to encoding problems in MODS output. These problems caused issues when using Zotero with records in the catalog.

  • A fix that marks a hold as fulfilled when staff check out a hold-captured item for a hold whose expire time is in the past.

  • A change to the acquisitions funding source funds drop down menu so that the menu will now only display active funds and will also display the year alongside the fund.

  • A fix to a problem where the Current Bills tab of the patron record showed duplicate charges when a check in was done from the Items Out tab.

  • A fix that hides the option to add to My Lists from the staff client since this functionality does not work as expected in the staff client.

  • A change to the fund year selectors in acq interfaces so that the years are sorted in descending order.

  • A fix to a billing issue where transactions were not re-opened after they acquired a non-zero balance at check in.

2.1. Acknowledgements

We would like to thank the following individuals who contributed code, testing and documentation patches to the 2.10.11 point release of Evergreen:

  • Jason Boyer

  • Galen Charlton

  • Jeff Davis

  • Bill Erickson

  • Jason Etheridge

  • Kathy Lussier

  • Christine Morgan

  • Michele Morgan

  • Terran McCanna

  • Jane Sandberg

  • Jonathan Schatz

  • Dan Scott

  • Ben Shum

  • Remington Steed

  • Dan Wells

  • Bob Wicksall

3. Evergreen 2.10.10

This is a security release that also contains several other bug fixes improving on Evergreen 2.10.9. All users of Evergreen 2.10.x are recommended to upgrade to 2.10.10 as soon as possible.

3.1. Security Issue: Credit Processor Stripe Settings Permissions

Unprivileged users can retrieve organizational unit setting values for setting types lacking a "view" permission. When the feature adding Stripe credit card processing was added, the upgrade script neglected to add the VIEW_CREDIT_CARD_PROCESSING permission to the organizational unit setting type. This means that anyone can retrieve and view the settings for Stripe credit card processing.

Any system that upgraded from Evergreen version 2.5 to 2.6 is affected. If you use Stripe for credit card processing, it is strongly recommended that you apply this upgrade. Even if you do not use Stripe, applying this upgrade is still recommended. If you did not upgrade from version 2.5 to 2.6 of Evergreen, but started with a later version, applying this upgrade is harmless.

If you are not ready to perform a full upgrade, and if you use Stripe, you can protect the settings by running the following two SQL statements:

UPDATE config.org_unit_setting_type
    SET view_perm = (SELECT id FROM permission.perm_list
        WHERE code = 'VIEW_CREDIT_CARD_PROCESSING' LIMIT 1)
    WHERE name LIKE 'credit.processor.stripe%' AND view_perm IS NULL;

UPDATE config.org_unit_setting_type
    SET update_perm = (SELECT id FROM permission.perm_list
        WHERE code = 'ADMIN_CREDIT_CARD_PROCESSING' LIMIT 1)
    WHERE name LIKE 'credit.processor.stripe%' AND update_perm IS NULL;

3.2. Other Fixes

Evergreen 2.10.10 also contains the following bug fixes:

  • A fix to correctly apply floating group settings when performing no-op checkins.

  • A fix to the HTML coding of the temporary lists page.

  • A fix to a problem where certain kinds of requests for information about the organizational unit hierarchy could consume all available open-ils.cstore backends.

  • A fix to allow staff to use the place another hold link without running into a user interface loop.

  • A fix to the Edit Due Date form in the web staff client.

  • A fix to sort billing types and non-barcoded item types in alphabetical order in the web staff client.

  • A fix to the return to grouped search results link in the public catalog.

  • A fix to allow pre-cat checkouts in the web staff client without requiring a circulation modifier.

  • Other typo and documentation fixes.

3.3. Acknowledgements

We would like to thank the following individuals who contributed code, testing and documentation patches to the 2.10.10 point release of Evergreen:

  • Ben Shum

  • Bill Erickson

  • Blake Henderson

  • Chris Sharp

  • Christine Burns

  • Galen Charlton

  • Jane Sandberg

  • Jason Stephenson

  • Jeanette Lundgren

  • Josh Stompro

  • Kathy Lussier

  • Kyle Huckins

  • Mike Rylander

4. Evergreen 2.10.9

This release contains several bug fixes improving on Evergreen 2.10.8.

  • A fix to the web client patron interface that changed the holds count in the patron summary from total / available to available / total.

  • A fix to an issue where the Closed Dates Editor was displaying an extra day of closure.

  • A fix to the Closed Dates Editor so that it now displays "All Day" when the library is closed for the entire day.

  • A fix to properly format LC Call numbers in spine label printing.

  • A fix to a bug that was causing intermittent search failures.

4.1. Acknowledgements

We would like to thank the following individuals who contributed code, testing and documentation patches to the 2.10.9 point release of Evergreen:

  • Galen Charlton

  • Kyle Huckins

  • Jeanette Lundgren

  • Dan Pearl

  • Michelle Purcell

  • Jane Sandberg

  • Dan Scott

  • Remington Steed

5. Evergreen 2.10.8

This release contains several bug fixes improving on Evergreen 2.10.7.

  • A fix that provides alphabetical sorting to the fund selector in the Acquisitions Selection List → Copies interface.

  • The addition of a progress bar that displays when conducting a patron search in the web client.

  • A fix to the web client patron interface so that total Items Out in the patron summary now includes overdue and long overdue items. It will also include Lost and Claims Returned items when the appropriate library setting is enabled.

  • A change to the public catalog My Account screen where the font for leading articles will now be smaller when sorting a list by title.

  • A fix to subject links in the catalog’s record summary page so that periods are no longer stripped from resulting subject searches, leading to more accurate results when those links are clicked.

  • A fix to avoid uninit warnings in the logs for prox_cache in open-ils.circ.hold.is_possible.

  • A fix to rounding errors that occurred when summing owed/paid totals for display in the catalog’s credit card payment form.

  • A change to sort behavior in the My Account screens. Previously, a third click on a column header returned the list to its original sort order. Clicking column headers will now simply toggle the sort between ascending and descending order.

  • The Permalink option on the catalog’s record summary page will now be hidden in the staff client because clicking the link in the client led to no discernible change for users.

  • A fix to the text of a notice that displays when migrating circulation history during the upgrade to 2.10.

  • An improvement to the performance for the lookup of a user’s circ history by adding an index on action.usr_circ_history(usr).

  • The addition of Spanish as a supported translation so that it can be configured as a language option in the public catalog.

  • A fix so that when a bib record’s fingerprint changes, it gets correctly moved to a different metarecord.

5.1. Acknowledgements

We would like to thank the following individuals who contributed code, tests and documentation patches to the 2.10.8 point release of Evergreen:

  • Galen Charlton

  • Bill Erickson

  • Jim Keenan

  • Kathy Lussier

  • Christine Morgan

  • Dan Scott

  • Ben Shum

  • Remington Steed

  • Josh Stompro

  • Dan Wells

6. Evergreen 2.10.7

This release contains several bug fixes improving on Evergreen 2.10.6.

  • When adding a price to the Acquisitions Brief Record price field, it will now propagate to the lineitem estimated price field.

  • Declares UTF-8 encoding when printing from the catalog to resolve issues where non-ASCII characters printed incorrectly in some browsers.

  • Fixes an issue where the circ module sometimes skipped over booking logic even when booking was running on a system.

  • Fixes an issue where the workstation parameter was not passed through the AuthProxy.pm login function, causing problems with opt-in settings and transit behaviors.

6.1. Acknowledgements

We would like to thank the following individuals who contributed code, testing and documentation patches to the 2.10.7 point release of Evergreen:

  • Eva Cerninakova

  • Bill Erickson

  • Mike Rylander

  • Dan Scott

  • Dan Wells

7. Evergreen 2.10.6

This release contains bug fixes improving on Evergreen 2.10.5.

7.1. Add Date Header to Action Trigger Email/SMS Templates

The Date: header specified in RFC 2822 has been added to the seed data for the example Action Trigger email and SMS templates, but no attempt has been made to automatically modify existing templates. To add this header (and end any "Why are my library emails from 1969/70?" questions you may have heard) make sure the following lines are in all templates that use the SendEmail or SendSMS reactors:

The first is already in most sample templates, but you may need to add it to the top of any custom templates:

[%- USE date -%]

And this line should be inserted into the header block of each template:

Date: [%- date.format(date.now, '%a, %d %b %Y %T -0000', gmt => 1) %]

7.2. Other Bug Fixes

  • Prorating invoice charges now works again.

  • The claims never checked out counter on the patron record is now incremented correctly when marking a lost loan as claims-never-checked-out.

  • When a transit is canceled, the copy’s status is changed only if its status was previously "In Transit".

  • Retrieving records with embedded holdings via SRU and Z39.50 is now faster.

  • A performance issue with sorting entries on the public catalog circulation history page is fixed.

  • Various style and responsive design improvements are made to the circulation and holds history pages in the public catalog.

  • The public catalog holds history page now indicates if a hold had been fulfilled.

  • The hold status message in the public catalog now uses better grammar.

  • The error message displayed when a patron attempts to place a hold but is prevented from doing so due to policy reasons is now more likely to be useful.

  • The public catalog now draws the edition statement only from the 250 field; it no longer tries to check the 534 and 775 fields.

  • Embedded schema.org microdata now uses "offeredBy" rather than "seller".

  • The ContentCafe added content plugin now handles the "fake" ISBNs that Baker and Taylor assigns to media items.

  • Attempting to renew a rental or deposit item in the public catalog no longer causes an internal server error.

  • Various format icons now have transparent backgrounds (as opposed to white).

  • The file extension when exporting non-imported records is now ".mrc" rather than ".xml".

  • The staff client will no longer wait indefinitely for Novelist to supply added content, improving its responsiveness.

  • A few additional strings are now marked as translatable.

7.3. Translation Updates

Translations in this release have been significantly increased. In particular, Spanish has received a huge update with over 9,000 new translations, Czech has received a sizable update of over 800 translations, and additional smaller updates have been added for Arabic, French (Canada), and Armenian.

7.4. Acknowledgments

We would like to thank the following individuals who contributed code, testing and documentation patches to the 2.10.6 point release of Evergreen:

  • Thomas Berezansky

  • Jason Boyer

  • Galen Charlton

  • Jeff Davis

  • Bill Erickson

  • Blake Graham-Henderson

  • Jim Keenan

  • Kathy Lussier

  • Mike Rylander

  • Jane Sandberg

  • Dan Scott

  • Ben Shum

  • Remington Steed

  • Jason Stephenson

  • Josh Stompro

  • Yamil Suarez

  • Dan Wells

8. Evergreen 2.10.5

This release contains bug fixes improving on Evergreen 2.10.4.

  • Fixes SIP2 failures with patron information messages when a patron has one or more blocking penalties that are not otherwise ignored.

  • Recovers a previously existing activity log entry that logged the username, authtoken, and workstation (when available) for successful logins.

  • Fixes an error that occurred when the system attempted to display a translated string for the "Has Local Copy" hold placement error message.

  • Fixes an issue where the Show More/Show Fewer Details button didn’t work in catalogs that default to showing more details.

  • Removes Social Security Number as a stock patron identification type for new installations. This fix does not change patron identification types for existing Evergreen systems.

  • Adds two missing link fields (patron profile and patron home library) to the fm_idl.xml for the Combined Active and Aged Circulations (combcirc) reporter source.

  • Adds a performance improvement for the "Clear Holds Shelf" checkin modifier.

8.1. Acknowledgements

We would like to thank the following individuals who contributed code, testing and documentation patches to the 2.10.5 point release of Evergreen:

  • Galen Charlton

  • Bill Erickson

  • Jeff Godin

  • Codey Kolasinski

  • Jeanette Lundgren

  • Kathy Lussier

  • Terran McCanna

  • Michele Morgan

  • Jason Stephenson

9. Evergreen 2.10.4

This release contains bug fixes improving on Evergreen 2.10.3.

  • Fixes the responsive view of the My Account Items Out screen so that Title and Author are now in separate columns.

  • Fixes an incorrect link for the MVF field definition and adds a new link to BRE in fm_IDL.xml.

  • Fixes a bug where the MARC stream authority cleanup deleted a bib record instead of an authority record from the authority queue.

  • Fixes a bug where Action Triggers could select an inactive event definition when running.

  • Eliminates the output of a null byte after a spool file is processed in the MARC stream importer.

  • Fixes an issue where previously-checked-out items did not display in metarecord searches when the Tag Circulated Items Library Setting is enabled.

  • Fixes an issue in the 0951 upgrade script where the script was not inserting the version into config.upgrade_log because the line to do so was still commented out.

9.1. Acknowledgments

We would like to thank the following individuals who contributed code, testing, and documentation patches to the 2.10.4 point release of Evergreen:

  • Jason Boyer

  • Bill Erickson

  • Galen Charlton

  • Kathy Lussier

  • Jason Stephenson

  • Josh Stompro

10. Evergreen 2.10.3

This release contains bug fixes improving on Evergreen 2.10.2:

  • Fixes a critical bug where a newly-registered patron record could not be used to log in to Evergreen using the password supplied during registration. Under some circumstances, the same bug could also prevent patron records that were modified via the patron registration form from being used to log in.

  • Emails sent using the Action Trigger SendEmail reactor now always MIME-encode the From, To, Subject, Bcc, Cc, Reply-To, and Sender headers. As a consequence, non-ASCII characters in those fields are more likely to be displayed correctly in email clients.

10.1. Acknowledgements

We would like to thank the following individuals who contributed code, testing, and documentation patches to the 2.10.3 point release of Evergreen:

  • Galen Charlton

  • Pasi Kallinen

  • Kathy Lussier

  • Mike Rylander

  • Dan Scott

  • Remington Steed

  • Dan Wells

11. Evergreen 2.10.2

This release contains several bug fixes improving on Evergreen 2.10.1.

  • Fixes a bug where phrase searching in the catalog failed when the phrase started or ended with punctuation.

  • Fixes a bug where changing the sort order in the public catalog to "relevance" could fail.

  • Fixes a bug that prevented users from recreating a monograph part that had previously been deleted.

  • Fixes a bug where serials checkouts failed for users that track circulation history.

  • Fixes a bug that prevented the Library Settings Editor from consistently retrieving the values of library settings.

  • Fixes several issues with the new web-based Angular patron editor, including:

    • Allows barcodes to be used as user name even if it doesn’t match the user name regex.

    • Presents an alert when trying to save a form with invalid values.

    • Allows staff to delete all patron addresses if the corresponding Library Setting allows them to do so.

    • Honors Library Settings to require the county and state fields at patron registration time.

    • Resizes checkboxes that had become huge in some browsers.

    • Displays the New Address button at all times.

    • Prevents staff from editing linked addresses for cloned users.

    • Fixes a bug where out-of-scope stat cats would be incorrectly bundled in the patron save operation, resulting in a server-side error on save.

  • Silences unnecessary warnings emitted for libraries using extending grace periods.

  • Removes support for Debian Squeeze now that its long-term support period has ended.

  • Fixes a bug that had prevented the dependency libpcre3 from being installed on Debian Jessie.

  • Fixes some QA tests that had been failing.

  • Renumbers the Perl unit test files.

11.1. Acknowledgements

We would like to thank the following individuals who contributed code and documentation patches to the 2.10.2 point release of Evergreen:

  • Jason Boyer

  • Steve Callender

  • Galen Charlton

  • Bill Erickson

  • Anna Goben

  • Angela Kilsdonk

  • Debbie Luchenbill

  • Jennifer Pringle

  • Mike Rylander

  • Jane Sandberg

  • Jason Stephenson

  • Yamil Suarez

We also thank the following organizations whose employees contributed patches:

  • BC Libraries Cooperative

  • Berklee College of Music

  • Equinox Software, Inc.

  • Evergreen Indiana

  • King County Library System

  • Linn Libraries Consortium

  • Merrimack Valley Library Consortium

  • MOBIUS

12. Evergreen 2.10.1

Evergreen 2.10.1 is a bugfix release that fixes one significant bug in 2.10.0:

This bug affected only databases that were upgraded to 2.10.0 from a previous version; fresh installations of 2.10.0 are not affected.

Evergreen users who prefer not to perform a full upgrade from 2.10.0 to 2.10.1 can fix the bug by applying the database update script 2.10.0-2.10.1-upgrade-db.sql (found in the source directory Open-ILS/src/sql/Pg/version-upgrade).

13. Evergreen 2.10.1 Acknowledgments

The Evergreen project would like to thank the following individuals who contributed code and testing to this release of Evergreen:

  • Galen Charlton

  • Dan Wells

14. Evergreen 2.10.0 Upgrade notes

  • Support for PostgreSQL 9.1 is deprecated as of the release of Evergreen 2.10.0. Users are recommended to install Evergreen on PostgreSQL 9.2 or later.

  • In the next major release following 2.10.0, Evergreen will no longer officially support PostgreSQL 9.1.

  • Please read the release notes thoroughly for information about changes that Evergreen administrators may need to make manually when upgrading to 2.10.0. In particular, the enhancement to user password storage introduces a new service, open-ils.auth_internal, and requires changes to opensrf.xml in order for users to be able to log in.

15. Evergreen 2.10.0 New Features

15.1. Acquisitions

15.1.1. PO Line item "paid" label

A new "paid" label appears along the bottom of each line item in the PO display when every non-canceled copy on the line item has been invoiced.

15.1.2. Disencumber funds on invoice close

Fund debits linked to an invoice are now marked as paid (encumbrance=false) when the invoice is marked as closed/complete instead of at invoice create time. This is particularly useful for EDI invoices which may be created well in advance of receipt and payment.

15.1.3. PO actions selector always visible

The actions selector is now always visible in the purchase order view, even when no line items exist. With this, users can print POs that only contain direct charges.

The custom "Add Brief Record" button is no longer present, since the same action is accessible via the now-visible selector.

15.2. Administration

15.2.1. Set application name when connecting to database

The services that connect directly to the PostgreSQL database (and Clark Kent) now look for an application_name parameter as part of the database login credentials specified in opensrf.xml. If present, the value is used to set the application name Pg connection value; this in turn shows up in the Postgres pg_stat_activity table and Pg’s logs.

15.2.2. Credit card receipts and privacy

To improve privacy and security, Evergreen now stores less data about credit card transactions. The following fields are no longer stored:

  • cc_type

  • cc_first_name

  • cc_last_name

  • expire_month

  • expire_year

Note: All existing data within these fields will be deleted during the upgrade. Reports using this data will no longer function.

Additionally, a tool has been added to Evergreen for clearing the last 4 digits of the credit payment from the database after payments reach a certain age.

Print/email templates

The stock print and email payment templates have been modified to no longer use these fields, but only when the existing templates matched the stock templates. If local changes have been applied, it will be necessary to modify local templates to avoid referencing these fields which no longer exist.

Any templates whose hook is "money.format.payment_receipt.print" or "money.format.payment_receipt.email" may need modification. In stock Evergreen, these are templates:

  1. "money.payment_receipt.email" (stock id 29)

  2. "money.payment_receipt.print" (stock id 30)

Example diff:

-  [% CASE "credit_card_payment" %]credit card (
-      [%- SET cc_chunks = mp.credit_card_payment.cc_number.replace(' ','').chunk(4); -%]
-      [%- cc_chunks.slice(0, -1+cc_chunks.max).join.replace('\S','X') -%]
-      [% cc_chunks.last -%]
-      exp [% mp.credit_card_payment.expire_month %]/[% mp.credit_card_payment.expire_year -%]
-  )
+  [% CASE "credit_card_payment" %]credit card
+  [%- IF mp.credit_card_payment.cc_number %] ([% mp.credit_card_payment.cc_number %])[% END %]
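Review bot: the added line that prints `mp.credit_card_payment.cc_number` emits the stored value as-is, where the removed lines replaced every chunk except the last with X. The example should say why masking is no longer needed (for instance, that the field holds no more than the last 4 digits), or keep a masking step so that a locally customized template never prints more than that.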

Clearing the last 4 of the CC number

To activate automatic CC number clearing, add the following to opensrf’s crontab. Change timing to suit.

5  4  * * *   . ~/.bashrc && $EG_BIN_DIR/clear_cc_number.srfsh

The default retention age is 1 year, but this can be changed by modifying clear_cc_number.srfsh (typically found in /openils/bin/). Replace "1 year" with the age of your choice.

15.2.3. Configure multiple telephony servers via action/trigger

If you are using the AstCall action/trigger reactor to generate callfiles to send to an Asterisk server, until now the only place to specify the relevant configuration was in opensrf.xml. However, this restricted an Evergreen consortium to using only one Asterisk instance.

Now, the telephony parameters can also be specified as A/T event parameters, allowing per-library configuration.

Table 1. Telephony parameters

Name            Example value
enabled         0
driver          "SIP"
channels        ["Zap/1", "Zap/2", "IAX/user:secret@widgets.biz"]
host            "localhost"
port            "10080"
user            "evergreen"
pw              "evergreen"
callfile_lines  ["MaxRetries: 3", "RetryTime: 60", "WaitTime: 30", "Archive: 1", "Extension: 10"]

15.2.4. Juvenile-to-adult batch script honors library setting

The batch juv_to_adult.srfsh script that, when set up as a cronjob, is responsible for toggling a patron from juvenile to adult now honors the age value set in the library setting named "Juvenile Age Threshold" (global.juvenile_age_threshold). When no library setting value is present at a given patron’s home library, the value passed in to the script will be used as a default.

15.2.5. New reporting source for hold/copy ratios

A new reporting source is added, "Hold/Copy Ratio per Bib and Pickup Library (and Descendants)", that, for each bib that has a hold request on it or any of its components, calculates the following:

  • active holds at each OU (including the OU’s descendants)

  • holdable copies at each OU (and its descendants)

  • the ratio of the above two counts

  • counts and ratio across the entire consortium

This source differs from the "Hold/Copy Ratio per Bib and Pickup Library" source by including all descendants of the organization unit one is filtering on.

One use case is allowing a multi-branch system within an Evergreen consortium that doesn’t do full resource sharing to readily calculate whether additional copies should be purchased for that system.

15.2.6. New patron action/trigger notice

A new action/trigger event definition ("New User Created Welcome Notice") has been added that will allow you to send a notice after a new patron has been created, based on the actor.usr create-date field.

This notice can be used for various tasks.

  • Sending a welcome email to new patrons to market library services.

  • Confirm that a new patron email address is correct.

  • Generate postal notices to send a welcome packet to new patrons.

Enable this event in the staff client at Admin → Local Administration → Notifications / Action Triggers.

15.2.7. Improved password management and authentication

Evergreen user passwords are now stored with additional layers of encryption and may only be accessed directly by the database, not the application layer.

All API changes are backwards compatible with existing 3rd-party clients.

Migrating passwords

Passwords are migrated for each user automatically the first time a user logs in under the new setup. However, it is also possible to force password migration for a given user via a database function:

-- actor.migrate_passwd() will only migrate un-migrated
-- accounts, but it's faster to avoid any re-migration attempts.
SELECT actor.migrate_passwd(au.id)
FROM actor.usr au
    LEFT JOIN actor.passwd pw ON (pw.usr = au.id)
WHERE pw.usr IS NULL;

Using this, admins could perform manual batch updates to force all users to use the new, more secure passwords, regardless of when or whether a patron logs back into the system.

Beware that doing this for all users in a large database will take some time and should probably be performed in batches.

Changing Encryption Work Factor

Roughly speaking, the work factor determines the amount of time/effort required to crack passwords. The higher the value, the more secure the password. Higher values also mean that it takes longer for password verification (e.g. during login) to work.

At time of release, Evergreen uses a work factor value of 10. The value is set in the database table/column actor.passwd_type.iter_count (hash iteration count). When this value is modified, any passwords created or modified after the change will use the new work factor. Other passwords will continue using the work factor in place when they were created/modified, until they are changed once again.

Beware that raising the work factor can have a significant impact on login speeds. A work factor of 10 requires ~0.1 seconds to verify a password. A work factor of 15 takes almost 2 full seconds! Also beware that once a password is encoded with a higher work factor, it cannot be lowered again through any automatic means. The owner of the password would have to log in and modify the password after the work factor is re-lowered.

Because of this, it’s recommended that admins thoroughly test work factor modifications before deploying to production.

To check encryption timing:

-- enable psql timing
evergreen=# \timing

-- encode password "HELLOWORLD" with a work factor of 10.
evergreen=# select crypt('HELLOWORLD', gen_salt('bf', 10));
(1 row)

Time: 95.082 ms

open-ils.auth_internal

To support the new storage mechanism, a new Evergreen service has been added called open-ils.auth_internal. This service runs on the private OpenSRF/XMPP domain and is used to store authenticated user data in the authentication cache.

This is a required service and changes to opensrf.xml (typically /openils/conf/opensrf.xml) are needed to run the new service.

Modifying opensrf.xml

  • A new <open-ils.auth_internal> app stanza is added to define the new service

  • Cache timeout settings are moved from the app stanza for open-ils.auth into open-ils.auth_internal

  • open-ils.auth_internal is added to the set of running services for the domain.
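A post-upgrade check for the three changes listed above, as an added example (not part of Evergreen). It looks elements up by tag name only, so it does not depend on the file's overall layout; the two sample documents are constructed, trimmed stand-ins for opensrf.xml, and their wrapper element names are assumptions.

```python
import xml.etree.ElementTree as ET

SERVICE = "open-ils.auth_internal"


def first(node, tag):
    """Return the first element named `tag` at or below `node`, or None."""
    return next(node.iter(tag), None)


def check_opensrf(xml_text):
    """Return a list of problems that would keep users from logging in."""
    root = ET.fromstring(xml_text)
    problems = []

    # 1. The new app stanza must exist and carry the cache timeouts.
    internal = first(root, SERVICE)
    if internal is None:
        problems.append("missing <open-ils.auth_internal> app stanza")
    elif first(internal, "default_timeout") is None:
        problems.append("no <default_timeout> inside <open-ils.auth_internal>")

    # 2. The timeouts must no longer sit in the open-ils.auth stanza.
    auth = first(root, "open-ils.auth")
    if auth is not None and first(auth, "default_timeout") is not None:
        problems.append("<default_timeout> is still under <open-ils.auth>")

    # 3. The service must be in the list of running services.
    active = [a.text.strip() for a in root.iter("appname") if a.text]
    if SERVICE not in active:
        problems.append("open-ils.auth_internal is not listed as an <appname>")
    return problems


LIMITS = ("<auth_limits><seed>30</seed><block_time>90</block_time>"
          "<block_count>10</block_count></auth_limits>")
TIMEOUT = "<default_timeout><opac>420</opac><temp>300</temp></default_timeout>"

# Constructed sample: layout from before the upgrade.
OLD = f"""
<opensrf><default><apps>
  <open-ils.auth>
    <app_settings>{TIMEOUT}{LIMITS}</app_settings>
  </open-ils.auth>
</apps></default>
<hosts><localhost><activeapps>
  <appname>open-ils.auth</appname>
</activeapps></localhost></hosts></opensrf>
"""

# Constructed sample: layout after applying all three changes.
NEW = f"""
<opensrf><default><apps>
  <open-ils.auth>
    <app_settings>{LIMITS}</app_settings>
  </open-ils.auth>
  <open-ils.auth_internal>
    <app_settings>{TIMEOUT}</app_settings>
  </open-ils.auth_internal>
</apps></default>
<hosts><localhost><activeapps>
  <appname>open-ils.auth</appname>
  <appname>open-ils.auth_internal</appname>
</activeapps></localhost></hosts></opensrf>
"""

if __name__ == "__main__":
    for name, doc in (("old", OLD), ("new", NEW)):
        print(name, check_opensrf(doc) or "ok")
```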

Example diff:

diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
index 3b47481..59f737a 100644
--- a/Open-ILS/examples/opensrf.xml.example
+++ b/Open-ILS/examples/opensrf.xml.example
@@ -424,6 +424,29 @@ vim:et:ts=4:sw=4:
                 </unix_config>
                 <app_settings>
                     <!-- defined app-specific settings here -->
+                    <auth_limits>
+                        <seed>30</seed> <!-- amount of time a seed request is valid for -->
+                        <block_time>90</block_time> <!-- amount of time since last auth or seed request to save failure counts -->
+                        <block_count>10</block_count> <!-- number of failures before blocking access -->
+                    </auth_limits>
+                </app_settings>
+            </open-ils.auth>
+
+            <!-- Internal authentication server -->
+            <open-ils.auth_internal>
+                <keepalive>5</keepalive>
+                <stateless>1</stateless>
+                <language>c</language>
+                <implementation>oils_auth_internal.so</implementation>
+                <unix_config>
+                    <max_requests>1000</max_requests>
+                    <min_children>1</min_children>
+                    <max_children>15</max_children>
+                    <min_spare_children>1</min_spare_children>
+                    <max_spare_children>5</max_spare_children>
+                </unix_config>
+                <app_settings>
+                    <!-- defined app-specific settings here -->
                     <default_timeout>
                         <!-- default login timeouts based on login type -->
                         <opac>420</opac>
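Review bot: the new `<!-- Internal authentication server -->` comment above `<open-ils.auth_internal>` does not say that `<default_timeout>` now lives in this stanza instead of `<open-ils.auth>`, or that the service is meant for the private domain; one more comment line stating both would help admins who merge this by hand into a customized opensrf.xml. The copied comment `<!-- defined app-specific settings here -->` would also read better as "define".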
@@ -431,13 +454,10 @@ vim:et:ts=4:sw=4:
                         <temp>300</temp>
                         <persist>2 weeks</persist>
                     </default_timeout>
-                    <auth_limits>
-                        <seed>30</seed> <!-- amount of time a seed request is valid for -->
-                        <block_time>90</block_time> <!-- amount of time since last auth or seed request to save failure counts -->
-                        <block_count>10</block_count> <!-- number of failures before blocking access -->
-                    </auth_limits>
                 </app_settings>
-            </open-ils.auth>
+            </open-ils.auth_internal>
+
+

             <!-- Authentication proxy server -->
             <open-ils.auth_proxy>
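Review bot: default_timeout now closes under </open-ils.auth_internal> instead of </open-ils.auth>, so a site applying this by hand to a customized opensrf.xml needs to carry its own opac, temp and persist values into the new stanza rather than copy the example defaults; the accompanying notes should say so explicitly. As a style point, the two added blank lines after the closing tag leave three blank lines before the auth_proxy comment, and one is enough.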
@@ -1177,6 +1197,7 @@ vim:et:ts=4:sw=4:
                 <appname>open-ils.circ</appname>
                 <appname>open-ils.actor</appname>
                 <appname>open-ils.auth</appname>
+                <appname>open-ils.auth_internal</appname>
                 <appname>open-ils.auth_proxy</appname>
                 <appname>open-ils.storage</appname>
                 <appname>open-ils.justintime</appname>

15.2.8. Sortable HTML reports

HTML reports can now be sorted by clicking on the header for a given column. Clicking on the header toggles between sorting the column in ascending and descending order. Note that sorting is available only when there are at most 10,000 rows of output.

15.3. Cataloging

15.3.1. Additional fixed fields

The AccM, Comp, CrTp, EntW, Cont, FMus, LTxt, Orig, Part, Proj, Relf, SpFm, SrTp, Tech, and TrAr fixed fields have been defined and coded value maps added so they can also be used for Advanced Searches or inclusion in Composite Value Maps.

Note that AccM, Cont, LTxt, Relf, and SpFm are composite values based on the values of "helper" fields like AccM(1), AccM(2), and so on. These positional fields can be ignored.

Coded value maps have also been added for Cont, Ctry, and DtSt, and the Time field has been defined. All of these fields are now available in the Fixed Field Editor when editing the appropriate records.

15.3.2. Quickly export non-imported records

When inspecting a queue in MARC Batch Import/Export, there is now a link to download to a MARC file any records in the queue that were not imported into the catalog. This allows catalogers to quickly manipulate the records that failed to import using an external tool, then attempt to import them again.

The authority linker script now supports linking the MARC21 field 800 (series added entry - personal name) to authority records.

15.3.4. MARC stream importer authority records and repairs

The MARC stream importer script, commonly used with external services like OCLC Connexion, is now capable of importing authority records in addition to bib records. A single running instance of the script can import either type of record, based on the record leader.

New Options
  • --auth-merge-profile

  • --auth-queue

  • --bib-import-no-match

  • --bib-auto-overlay-exact

  • --bib-auto-overlay-1match

  • --bib-auto-overlay-best-match

  • --auth-import-no-match

  • --auth-auto-overlay-exact

  • --auth-auto-overlay-1match

  • --auth-auto-overlay-best-match

Deprecated options

The following options still work and map to the "bib" equivalent of the option; however, a deprecation warning message is generated when the script is started.

  • --import-no-match

  • --auto-overlay-exact

  • --auto-overlay-1match

  • --auto-overlay-best-match

No longer supported options

--import-by-queue is no longer supported. This option serves no particular purpose and is a bad idea when re-using the same queue over and over as most people do, because queue bloat will increase run times.

--noqueue (AKA "direct import") is no longer supported. All imports go through Vandelay now.

15.3.5. Support for monograph parts import in MARC Batch Import/Export

When adding or overlaying copies in MARC Batch Import/Export (Vandelay), monograph part labels can now be assigned during the import process. This feature is modeled after the existing support for statistical category import. As such, it:

  • Uses | characters to separate labels to allow for multiple part assignment

  • Adds to (rather than replaces) any existing parts assigned to overlay copies

15.4. Circulation

15.4.1. Alternate parts selection display when placing holds

Users often miss the list of parts on the Place Holds screen, leading to many title-level holds on records where only one or two libraries may have unparted copies.

A new option is available to change this display so that a part is selected via radio buttons instead of the traditional dropdown menu. This display increases the visibility of parts on the Place Holds screen and also forces users to make an explicit choice.

To enable the alternate display, set the enable.radio.parts option to true in config.tt2.

New config.tt2 setting

enable.radio.parts

15.4.2. Web staff client patron editor

The web staff interface now includes a patron editor/registration form that is written using AngularJS, leading to faster and more responsive patron editing. This feature is currently available in preview mode, but supports the following actions:

  • adding and editing base patron records and addresses

  • setting statistical categories

  • editing secondary groups

  • cloning patron records

  • duplicate detection

  • surveys

15.4.3. Non-active status copy transit message

After copy checkin, if the copy is in transit, a special message is now displayed in the transit alert dialog and in the printed transit receipt (optionally, via macro) when the copy is in a non-active copy status (or, rather, will be once it arrives at its destination).

Upgrade notes
  • To add the new message to the transit slip, add the transit_copy_status_msg MACRO.

  • To remove the new message from the alert dialog, remove the staff.circ.utils.transit.copy_status_message string property from Open-ILS/xul/staff_client/server/locale/LOCALE/circ.properties

  • For a list of non-active copy statuses, see Admin → Server Administration → Copy Statuses in the staff client.

15.4.4. Selectively disallow opt-in based on patron’s home library

A new library setting has been added which enables a library to prevent their patrons from being opted in at other libraries.

For example, consider the following org unit hierarchy:

Org Units          Depth
        CONS              0
         |
    +-----+-----+
    |           |
   SYS1        SYS2       1
    |           |
 +--+--+     +--+--+
 |     |     |     |
BR1   BR2   BR3   BR4     2

Suppose that SYS1 wishes to prevent its patrons from being opted in at SYS2. To accomplish this, it sets the value of the "Restrict patron opt-in to home library and related orgs at specified depth" setting to 1, meaning that patrons at SYS1 libraries at or below that depth in the org tree cannot be opted in by libraries outside that part of the org tree. Thus, BR1 patrons can be opted in at BR2, but not at BR3 or BR4.

(This setting is distinct from the "Patron Opt-In Boundary" setting, which merely determines the depth at which Evergreen prompts for the patron to opt in.)

New library setting
  • Restrict patron opt-in to home library and related orgs at specified depth (org.restrict_opt_to_depth)

15.4.5. Standing penalty ignore proximity

Standing penalties now have an ignore_proximity field that takes an integer value. When set, the value of this field represents the proximity from the user’s home organizational unit where this penalty will be ignored for purposes of circulation and holds. Typical values for this field would be 0, 1, or 2 when using a standard hierarchy of Consortium → System → Branch → Sublibrary/Bookmobile. A value of 1 would cause the penalty to be ignored at the user’s home organization unit, its parent and/or immediate child. A value of 2 should cause it to be ignored at the above as well as all sibling organizational units to the user’s home. In all cases, a value of zero causes the penalty to be ignored at the user’s home and to apply at all other organizational units. If the value of this field is left unset (or set to a negative value), the penalty will still take effect everywhere using the normal organizational unit and depth values. If you use a custom hierarchy, you will need to figure out any values greater than 0 on your own.

The ignore_proximity field does not affect where penalties are applied. It is used when determining whether or not a penalty blocks an activity at the current organizational unit or the organizational unit that owns the copy involved in the current transaction. For instance, if you set ignore_proximity to 0 on patron exceeds overdue fines, then the patron will still be able to place holds on and check out copies owned by their home organizational unit at their home organizational unit. They will not, however, be able to receive copies from other organizational units, nor use other organizational units as a patron.
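The opt-in restriction in 15.4.4 and the ignore_proximity rule in 15.4.5, worked through on the org tree shown above. This is an added example, not Evergreen's own code; the function names, the hop-count proximity and the handling of a depth deeper than the home org are assumptions.

```python
# Constructed org tree matching the diagram in 15.4.4 (child -> parent).
PARENT = {
    "CONS": None,
    "SYS1": "CONS", "SYS2": "CONS",
    "BR1": "SYS1", "BR2": "SYS1", "BR3": "SYS2", "BR4": "SYS2",
}


def ancestors(org):
    """Return [org, parent, ..., root] for an org unit."""
    chain = []
    while org is not None:
        chain.append(org)
        org = PARENT[org]
    return chain


def can_opt_in(home, staff_org, restrict_depth):
    """May a patron whose home library is `home` be opted in at `staff_org`?

    restrict_depth is the home library's org.restrict_opt_to_depth value,
    or None when the setting is not in use.
    """
    if restrict_depth is None:
        return True
    chain = ancestors(home)
    home_depth = len(chain) - 1
    # Assumption: a depth deeper than the home org restricts to the home org.
    steps_up = max(home_depth - restrict_depth, 0)
    boundary = chain[steps_up]
    # Allowed only if staff_org sits at or below the boundary org unit.
    return boundary in ancestors(staff_org)


def proximity(a, b):
    """Hops between two org units through their nearest common ancestor.

    Assumption: chosen to match the text (0 = home, 1 = parent or child,
    2 = sibling); it is not read from Evergreen's own proximity data.
    """
    up_a, up_b = ancestors(a), ancestors(b)
    common = next(org for org in up_a if org in up_b)
    return up_a.index(common) + up_b.index(common)


def penalty_blocks(home, context_org, ignore_proximity):
    """Does a penalty that applies at context_org still block activity there?"""
    if ignore_proximity is None or ignore_proximity < 0:
        return True  # unset or negative: no proximity exemption
    return proximity(home, context_org) > ignore_proximity


if __name__ == "__main__":
    for org in ("BR1", "BR2", "SYS1", "BR3"):
        print(org, "opt-in:", can_opt_in("BR1", org, 1),
              "| blocked with ignore_proximity=1:",
              penalty_blocks("BR1", org, 1))
```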

15.4.6. Patron checkout history stored in a dedicated table

Patron checkout history is now stored in a separate, dedicated database table instead of being derived from the main circulation data. This allows us to age/anonymize circulations more aggressively, since they no longer need to stick around in cases where they represent a patron’s opt-in checkout history.

This has a number of patron privacy implications.

  • Minimal metadata is stored in the new patron checkout history table, so once the corresponding circulation is aged, the full set of circulation metadata is no longer linked to a patron’s reading history.

    • It is limited to checkout date, due date, checkin date, and copy data.

  • Staff can no longer report on a patron’s reading history.

    • While it is possible to build aggregate reports on reading history data, it is not possible to report on which user an entry in the history table belongs to. (The usr column is hidden from the reporter.)

  • Staff can no longer retrieve a patron’s reading history via API. Only the user that owns the history data can access it.

Upgrade notes

Administrators should verify that the CSV export of checkout history works after deploying this change. If local changes were made to the CSV template, the template will not be updated as part of this deployment. The stock template was modified to gracefully handle NULL values for checkin_time.

For example:

-    Returned: [% date.format(helpers.format_date(circ.checkin_time), '%Y-%m-%d') %]
+    Returned: [%
+        date.format(
+            helpers.format_date(circ.checkin_time), '%Y-%m-%d')
+            IF circ.checkin_time;
+    %]
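Review bot: because the IF sits inside the directive, a NULL circ.checkin_time still emits the bare "Returned:" label with nothing after it. If an empty value is not what the export should show for items still checked out, wrap the whole "Returned:" line in the IF or print an explicit placeholder instead.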

15.5. Client

15.5.1. Holds count column picker option

A new column picker option showing the number of holds for a given item will now be available in various interfaces displaying item information, including the patron’s Items Out tab and the Item Status, Check Out, Check In, Renew Item and Record In-House Use screens.

Note: Because the holds count is generated from the hold_copy_map, newly-added items and items in a non-holdable status will not display accurate hold counts until 24 hours after they have been added to the system or moved to a holdable copy status.

15.5.2. Distinct images for pop-ups and slips

The client now supports using distinct images for hold, transit, and booking reservation popup windows and slips. In addition, three new images have been provided, replacing the turtle that previously displayed. The turtle file is still available in the images directory for those sites that still wish to use it.

15.6. Development

15.6.1. Removal of unused methods

The following public methods, which were both broken and not in use, are removed:

  • open-ils.actor.org_unit.closed_date.create

  • open-ils.actor.org_unit.closed_date.delete

15.7. Public catalog

15.7.1. Editable borrowing history

Patrons can now delete titles that they do not wish to appear in their Check Out History.

  • In "My Account", click on the "Items Checked Out" tab, then the "Check Out History" sub-tab.

  • Check off the items to conceal.

  • Click the Go button next to the "Delete Selected Titles" drop-down box.

  • Click OK in the pop-up to confirm the deletion. Note that deletions cannot be undone.

Deleted titles will also not appear in the downloaded CSV file.

15.7.2. Patron history disable warning

When disabling checkout and/or holds history in the public catalog’s Search and History Preferences tab, patrons will be warned that the operation is irreversible when history data exists that will be deleted as part of the update.

15.7.3. Include parts label when sorting copies on the record details page

The list of copies on the catalog’s record details page now includes the part label in the default sort order.

Specifically, copies are now sorted by, in order, org unit, then call number, then part label sortkey, then copy number, and finally barcode.

Previously, the hierarchy was org unit, then call number, then copy number, and finally barcode.

15.7.4. Quick option to change search scope to all libraries

A common usage of the catalog is to do a search in a restricted scope, like a local library. When the results are lacking, the search is repeated in a consortium-wide scope. This feature provides an optional button and checkbox to alter the depth of the search to a defined level.

This feature is enabled by default and can be configured in the Depth Button/Checkbox section of config.tt2.

New config.tt2 settings
  • ctx.depth_sel_checkbox

  • ctx.depth_sel_button

  • ctx.depth_sel_depth

  • ctx.sel_button_label

  • ctx.depth_sel_button_class

  • ctx.depth_sel_checkbox_label

  • ctx.depth_sel_tooltip

  • ctx.depth_sel_resultshint

15.7.5. Limiter to exclude electronic resources

A limiter to exclude electronic resources from search results is now available on the advanced search screen and from the search results page. This limiter will exclude any search results with an item form of o or s. This limiter will be applied on top of any other format limiters used in the search.

The checkboxes are disabled by default. To display them in both places, set the ctx.exclude_electronic_checkbox setting in config.tt2 to 1.

New config.tt2 setting

ctx.exclude_electronic_checkbox

15.7.6. Expand unAPI API

Evergreen’s unAPI support now includes access to many more record types. For example, the following URL would fetch bib 267 in MODS32 along with holdings, volume, copy, and record attribute information:

To access the new unAPI features, the unAPI ID should have the following form:

  • tag::U2@

  • followed by class name, which may be

    • bre (bibs)

    • biblio_record_entry_feed (multiple bibs)

    • acl (copy locations)

    • acn (volumes)

    • acnp (call number prefixes)

    • acns (call number suffixes)

    • acp (copies)

    • acpn (copy notes)

    • aou (org units)

    • ascecm (copy stat cat entries)

    • auri (located URIs)

    • bmp (monographic parts)

    • cbs (bib sources)

    • ccs (copy statuses)

    • circ (loan checkout and due dates)

    • holdings_xml (holdings)

    • mmr (metarecords)

    • mmr_holdings_xml (metarecords with holdings)

    • mmr_mra (metarecords with record attributes)

    • mra (record attributes)

    • sbsum (serial basic summaries)

    • sdist (serial distributions)

    • siss (serial issues)

    • sisum (serial index summaries)

    • sitem (serial items)

    • sssum (serial supplement summaries)

    • sstr (serial streams)

    • ssub (serial subscriptions)

    • sunit (serial units)

  • followed by /

  • followed by a record identifier (or in the case of the biblio_record_entry_feed class, multiple IDs separated by commas)

  • followed, optionally, by limit and offset in square brackets

  • followed, optionally, by a comma-separated list of "includes" enclosed in curly brackets. The list of includes is the same as the list of classes with the following addition:

    • bre.extern (information from the non-MARC parts of a bib record)

  • followed, optionally, by / and org unit; "-" signifies the top of the org unit tree

  • followed, optionally, by / and org unit depth

  • followed, optionally, by / and a path. If the path is barcode and the class is acp, the record ID is taken to be a copy barcode rather than a copy ID; for example, in tag::U2@acp/ACQ140{acn,bre,mra}/-/0/barcode, ACQ140 is meant to be a copy barcode.

  • followed, optionally, by &format= and the format in which the record should be retrieved. If this part is omitted, the list of available formats will be retrieved.
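A validator for the ID form described above, useful for checking or logging unAPI requests before they reach the catalog. It is an added example, not Evergreen's parser; the function name, the "[limit,offset]" bracket syntax and the character sets accepted for identifiers and formats are assumptions.

```python
import re

# Class names exactly as listed above; "includes" may also be bre.extern.
CLASSES = set("""
    bre biblio_record_entry_feed acl acn acnp acns acp acpn aou ascecm auri bmp
    cbs ccs circ holdings_xml mmr mmr_holdings_xml mmr_mra mra sbsum sdist siss
    sisum sitem sssum sstr ssub sunit
""".split())
INCLUDES = CLASSES | {"bre.extern"}

UNAPI_ID = re.compile(r"""
    tag::U2@
    (?P<cls>[a-z_]+)
    /(?P<ids>[^/\[\]{}&]+)
    (?:\[(?P<limit>\d+)(?:,(?P<offset>\d+))?\])?   # assumed "[limit,offset]"
    (?:\{(?P<includes>[^{}]*)\})?
    (?:/(?P<org>[^/&]+)
        (?:/(?P<depth>\d+)
            (?:/(?P<path>[^&]+))?)?)?
    (?:&format=(?P<format>[\w.-]+))?
""", re.VERBOSE)


def _int_or_none(text):
    return int(text) if text is not None else None


def parse_unapi_id(value):
    """Split a U2 unAPI ID into its parts, rejecting anything off-spec."""
    m = UNAPI_ID.fullmatch(value)
    if m is None:
        raise ValueError("not a tag::U2@ unAPI ID")
    cls = m["cls"]
    if cls not in CLASSES:
        raise ValueError(f"unknown class: {cls}")
    ids = m["ids"].split(",")
    if not all(ids):
        raise ValueError("empty record identifier")
    if len(ids) > 1 and cls != "biblio_record_entry_feed":
        raise ValueError("multiple IDs require biblio_record_entry_feed")
    includes = m["includes"].split(",") if m["includes"] else []
    unknown = [name for name in includes if name not in INCLUDES]
    if unknown:
        raise ValueError(f"unknown includes: {unknown}")
    return {
        "class": cls,
        "ids": ids,
        "limit": _int_or_none(m["limit"]),
        "offset": _int_or_none(m["offset"]),
        "includes": includes,
        "org": m["org"],                # "-" is the top of the org unit tree
        "depth": _int_or_none(m["depth"]),
        "path": m["path"],
        # Per the text: class acp with path "barcode" means a copy barcode.
        "id_is_barcode": cls == "acp" and m["path"] == "barcode",
        "format": m["format"],          # None: the list of formats is returned
    }


if __name__ == "__main__":
    # The example ID quoted in the text above.
    print(parse_unapi_id("tag::U2@acp/ACQ140{acn,bre,mra}/-/0/barcode"))
```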

15.7.7. New form/genre search and facet index

The stock indexing definitions now include a search and facet index on the form/genre field (tag 655). This allows genre links in the public catalog record display to retrieve works in the same genre. The public catalog genre links will no longer display content from the 659 MARC fields.

The genre facet will also display by default in the public catalog. A partial reingest during upgrade is required to use this index.

Catalog search now limits the number of facets retrieved per defined facet field. Setting a limit is useful so that open-ils.cstore backends don’t end up needlessly consuming memory when fetching facets for a large result set; if a broad search retrieves over 10,000 author facets (say), even the most persistent user is not going to actually look at all of them. Fetching fewer facets can also slightly speed up generation of search results.

The limit is controlled by a new global flag, search.max_facets_per_field, whose label is "Search: maximum number of facet values to retrieve for each facet field". The default limit value is 1,000, but lower values (e.g., 100) are perhaps even better for most catalogs.

15.8. Significant bug fixes

15.8.1. Add acquisitions cancel reason 85 for Baker & Taylor EDI

Baker & Taylor sends back a quantity status code of 85 when a line item is canceled when using EDI. That code is now included in the system so those cancelations get properly registered.

15.8.2. Self-check printing

Corrections were made to the self-check holds and fines printing functionality so that the proper transactions can be printed. The change requires that the Self-Checkout Fines Receipt and Self-Checkout Holds Receipt action/trigger templates be updated in order to work properly.

15.9. Miscellaneous

  • Copy records in the "Concerto" test data set now have prices.

  • The web-based self-check interface now displays the patron information area only when a patron is logged in.

  • The progress page displayed by MARC Batch Edit is improved.

  • The public catalog now better handles the situation where a patron who does not have an email address registered in Evergreen tries to email a record.

16. Evergreen 2.10.0 bugs closed

17. Evergreen 2.10.0 Acknowledgments

The Evergreen project would like to thank the following individuals who contributed code, documentation patches and tests to this release of Evergreen:

  • Thomas Berezansky

  • Adam Bowling

  • Jason Boyer

  • Kate Butler

  • Steven Callender

  • Steven Chan

  • Galen Charlton

  • Mark Cooper

  • Jeff Davis

  • Martha Driscoll

  • Bill Erickson

  • Jason Etheridge

  • Blake Henderson

  • Pasi Kallinen

  • Jake Litrell

  • Kathy Lussier

  • Terran McCanna

  • Christine Morgan

  • Dan Pearl

  • Michael Peters

  • Jennifer Pringle

  • Mike Rylander

  • Dan Scott

  • Chris Sharp

  • Ben Shum

  • Remington Steed

  • Jason Stephenson

  • Josh Stompro

  • Yamil Suarez

  • Dan Wells

  • Bob Wicksall

We would also like to thank the following individuals who tested and signed off on patches:

  • Christine Burns

  • Andrea Neiman

  • Erica Rohlfs

We would also like to thank the following organizations who commissioned developments in this release of Evergreen:

  • Linn Libraries Consortium

  • King County Library System

  • MassLNC

We also thank the following organizations whose employees contributed to this release:

  • BC Libraries Cooperative

  • Berklee College of Music

  • Bibliomation

  • Calvin College

  • CW/MARS

  • Emerald Data

  • Equinox Software

  • Georgia Public Library Service

  • Indiana State Library

  • Kent County Public Library

  • King County Library System

  • Lake Agassiz Regional Library

  • Laurentian University

  • MassLNC

  • MOBIUS

  • MVLC

  • NOBLE

  • Rodgers Memorial Library

  • Sigio

We regret any omissions. If a contributor has been inadvertently missed, please open a bug at http://bugs.launchpad.net/evergreen/ with a correction.