# Security and Data Information

# Security & privacy

### Connection security

All data sent to or from SETLS is protected by [TLS 1.2](https://en.wikipedia.org/wiki/Transport_Layer_Security) or above. This provides the same level of security as online banking, government and other sites.

### Authentication & password management

SETLS uses form-based authentication where the password is sent as a POST parameter. The password is transmitted securely using TLS.

Passwords are stored in the database as a [salted hash](https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/), and cannot be retrieved by the SETLS team. Passwords can be reset by any user with administrative permissions by

- sending a password reset email to the member, or
- manually entering the new password

After checking the password, SETLS creates a cryptographically-secure session cookie. This is used to identify the user when they return to SETLS using the same device, so they do not need to log in again.

A user with administrative permissions can remove a logged-in session, or reset the user's password. Both actions will require the user to enter their password the next time they access SETLS.

### Email configuration

SETLS sends emails to members or toy library staff for a variety of reasons, including:

- reminders to return items or attend volunteer sessions
- notifications that a held item is available or membership fees are due

A full list of the automatic emails can be found in the [demonstration system](https://sampletoylibrary.setls.com.au/automatic_emails).

Emails are sent with a "from" address of `noreply@<toylibrary>.setls.com.au`. The "reply to" address can be set from the [settings page](https://sampletoylibrary.setls.com.au/toy_library_settings).

Emails from SETLS are sent via Amazon Simple Email Services (SES). You do not need to provide SETLS with access to your mail server or a relay.
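The password and session behaviour described under "Authentication & password management" above, as an added Ruby example that is not SETLS code. It assumes PBKDF2-HMAC-SHA256 as the salted hash; the `AuthStore` class, its method names and the in-memory hashes standing in for database tables are hypothetical.

```ruby
require "openssl"
require "securerandom"
require "digest"

# Added illustration, not SETLS code. PBKDF2-HMAC-SHA256, the iteration count
# and the in-memory hashes standing in for database tables are assumptions.
class AuthStore
  ITERATIONS = 100_000
  KEY_LEN    = 32
  DUMMY_SALT = ("\0" * 16).b.freeze

  Credential = Struct.new(:salt, :digest)

  def initialize
    @credentials = {} # username => Credential (salt and derived key only)
    @sessions    = {} # session id (SHA-256 of the cookie token) => username
  end

  # Store a new salted hash. The plaintext is never kept, so nobody with
  # database access can read the password back; it can only be replaced.
  def set_password(username, password)
    salt = SecureRandom.random_bytes(16) # fresh random salt per password
    @credentials[username] = Credential.new(salt, derive(password, salt))
    revoke_all_sessions(username) # a reset forces every device to log in again
  end

  # Returns a new session token for the cookie, or nil if the login fails.
  def login(username, password)
    cred = @credentials[username]
    # Derive a key even for unknown users so response time does not reveal
    # which usernames exist.
    candidate = derive(password, cred ? cred.salt : DUMMY_SALT)
    return nil unless cred
    return nil unless OpenSSL.fixed_length_secure_compare(candidate, cred.digest)

    token = SecureRandom.urlsafe_base64(32) # 256 bits from the OS CSPRNG
    # Only a hash of the token is stored, so a copy of the session table
    # does not contain usable cookies.
    @sessions[session_id(token)] = username
    token
  end

  # Resolve a cookie token to a username, or nil if it was revoked or never issued.
  def current_user(token)
    token && @sessions[session_id(token)]
  end

  # Session ids an administrator can list and revoke individually.
  def sessions_for(username)
    @sessions.select { |_, user| user == username }.keys
  end

  # Remove one logged-in session; returns true if it existed.
  def revoke_session(id)
    !@sessions.delete(id).nil?
  end

  # Log the user out of every device.
  def revoke_all_sessions(username)
    @sessions.delete_if { |_, user| user == username }
    nil
  end

  # Exposed only so the salting can be inspected in tests.
  def stored_digest(username)
    @credentials.fetch(username).digest
  end

  private

  def derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                             length: KEY_LEN, hash: "sha256")
  end

  def session_id(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

Revoking a single session id leaves the user's other devices logged in, while `set_password` invalidates all of them, matching the two administrator actions described above.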
### Sensitive information

SETLS can be used to record information about members that may be considered sensitive. This information includes:

| Group | Field | Requirement |
|---|---|---|
| **Member details** | *Name* | *Required* |
| | Email | Optional, required for online access |
| | Mobile phone | Optional, required for SMS |
| **Home address** | Street, suburb and phone | Optional |
| **Alternate contact** | Name, address and phone | Optional |
| **Identity** | Driver's license number | Optional |

The following additional fields can be enabled from the settings page.

| Group | Fields |
|---|---|
| **Member details** | Date of birth, Healthcare card (checkbox), Ethnicity, Language, Disability |
| **Children** | Name, Date of birth, Gender |
| **Organisations (schools)** | Name |

Additional information related to library operations, such as membership type, is also recorded. This can be seen in the [demonstration system](https://sampletoylibrary.setls.com.au/signup).

### Financial transactions

SETLS can be used to manually record member charges and payments, including membership fees and penalties.

SETLS also supports online payment of membership fees using PayPal. This requires creation of a PayPal account.

The SETLS team are currently investigating integration with Square for online and in-person payments.

### Data validation

SETLS uses model-driven design and all input fields are:

- Type-checked against the database
- Protected from SQL injection using parameterised queries

Many scenarios for business rule checking are covered by workflow operations rather than manual data entry. For example, when loaning an item, the loan and due dates are derived automatically instead of being entered manually.

Model-driven design allows business rules to be centralised in the model rather than being distributed throughout the user interface. Examples include:

- When changing an item location, only valid destinations are available for selection
- When manually updating a loan record, the return date must be on or before the loan date

### SETLS servers

The following service providers are used by SETLS:

| Feature | Provider | Location |
|---|---|---|
| Web application | Amazon | Sydney, Australia |
| Database | Amazon | Sydney, Australia |
| Email | Amazon | Sydney, Australia |
| SMS | Amazon | Sydney, Australia |

The list of IP address ranges currently used by Amazon is available from [AWS IP address ranges - AWS General Reference (amazon.com)](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html).

The SETLS database is not currently protected by encryption at rest. This is scheduled to be resolved in 2024.

# What to do in case of suspected data breach

In the case of a suspected data breach, i.e. a committee member's phone is stolen, or there is a break-in and your laptop (which is left logged in) is stolen, please follow the steps below to help secure your data and email.

**LOG OUT THE USER (pictured)**

If you are confident in which user/s are logged in/saved on the devices, go to their account and select login history. You have the option of logging out specific sessions, or logging all sessions out. If it is your own account that has been compromised, logging all out will boot you out, so you may want to have another committee member on standby to do the next steps.

**REMOVE ADMIN PRIVILEGES**

Go to Profile, edit, and change Security Level to normal. This means that even if the person manages to log in, they won't be able to access anything other than that account's details.

**RESET PASSWORD**

Go to Username/Password, and generate a new password. This means that the password saved on the device will no longer work.

Note: I know some toy libraries also leave their emails logged in on their laptops, so there is a chance that if you email out the new password it will be received by the thief, which is why it's so important to revoke those admin privileges.

[![image-1641018913281.jpg](https://wiki.setls.com.au/uploads/images/gallery/2022-01/scaled-1680-/image-1641018913281.jpg)](https://wiki.setls.com.au/uploads/images/gallery/2022-01/image-1641018913281.jpg)

# Release Notes

## 2024-05-26

2024-05-11 release applied to all sites. Issues with ruby/rails bump, so rolled that back.

- Fixed bug that left reservable as nil on new categories
- Add reservations check to edit loan history
- Updates to GRTL bag label
- Standardized names on locked members table, volunteer histories table, added member ID

## 2024-05-11 (Dev release only)

- bump to ruby 3.2.4 and rails 7.1.3
- Add "found it" button to missing pieces on toy
- Allow admin users to view and edit member's current branch
- Allow new items to be created in status locations other than "in library"
- protect SeTLS Admin account from de-identification
- remove spellcheck from email forms due to deprecation

## 2024-04-28

- Changes to edit transaction form to prevent issues with Paypal and other validations
- Restrict options for delimiter ('-', '.', or none)
- Add Holds option - "Admins can override holds", which allows items with holds to be loaned out to other members
- Fixed issues with returning toy from one member and loan to another workflow
- Allow admin users to loan toys out from non-"in library" status locations
- Updates to Waikato Large label

## 2024-03-14

- Fix bug that allowed loans on the first day of a reservation
- Set legacy flag for new fee types

## 2024-03-10

- Render line breaks for special event descriptions
- Optimize items never loaned query
- Fix transaction type nil issue for bond histories
- Fix bug in toys never loaned report, add shelf location
- Remove unused toy\_library\_settings columns from schema
- fix bug in self service member look up

## 2024-03-04

- Add delete button to member membership history table
- Fix bug for running balance on member's transaction table

## 2024-02-29

- Fix bug in banking forms

## 2024-02-25

- Member/Transaction History page overhaul
  - New table layout
  - Select multiple functionality with pay via and delete options
  - New email - Payment Receipt
  - New element for Payment related emails - "list\_of\_selected\_transactions". Adds a table of the selected transactions to the email
- Refactor Loan History tables
  - Change "All Loans" (only shows 100 records) to "Last 12 months of Loans", include Member ID for export
  - Remove Overdue Loans as same information included in Current Loans
- Finish adding user association to loan histories, update "last borrowed" on item display
- Fix bug in create membership type when C&C on and Holds off
- Standardize Locked membership type across all sites
- Update member picker to avoid interactions with password managers
- C&C - Allow Admin to add toys to basket even if expired or confirmed

## 2024-01-24

- Add legacy option for branches
- Create printable stocktake document for Upper Hutt
- Fix text error in invoices
- Update to Waikato Bag Label barcodes

## 2024-01-15

- Fix bug in email template "loan table"

## 2024-01-09

- Fix bug in charge\_rent
- Fix bug for nil suburb
- Use includes to find Branch in the toys index list

## 2024-01-07

- Don't show required rosters value if member pays roster levy
- Fix bug with purchase orders in invoices
- Fix item code generation for numeric prefixes (Cataloguing Styles)
- Add list of invalid items
- Update locked members list to include member 2 details and last membership type
- Block 'move to missing' box when reporting a missing piece on an item that is on loan

## 2023-12-24

- Overhaul of Member page view
  - Missing Pieces box only shows amount currently missing (list removed), and will turn red if any current missing pieces
  - Volunteer History box
    - shows only details for the "current" membership, and future nominations
    - Indicates amount remaining to do
    - Displays colour based on the current membership, not the "most recent" one (so won't be red for early renewals)
- Various efficiency changes
- Rework Member Holds page to have multi-select actions
- Added "available\_holds" element to Hold Now Available Email - when used with multi-select, will fill with table of the available holds
- Make session expiry occur at midnight
- Add legacy filters to Manual Bond Form and Single Volunteering Session create
- Improve Cataloguing Style validations
  - Items that do not obey Cataloguing style rules will no longer be considered valid (and cannot be borrowed/updated until fixed)
  - Banner added to items to indicate if invalid
- Remove delete button from Branches
- Reformat loans table email element to include pieces
- Add purchase date to all items (including deleted) list
- Improve email uniqueness check
- Various work cleaning up item associations

## 2023-11-28

- Allow reservations to be booked for pick up on the same day a reservation is due to be returned
- Correctly order shelf location search box in item pictures page
- Fix bug in Membership Type create when holds turned off

## 2023-11-16

- Prevent double dots in emails
- Add browser-side validation for children's birthdates
- Patch nil string bug for storage location index

## 2023-11-13

- Feature added: Item Notes
- Remove large "money saved" box, replace with menu bubble
- Smaller "Did you know?" summary when member views their own page
- Summary added to Previous Loans page
- Fixes to Mt Albert Bag Label
- Fixes to Brisbane South Bag Label

## 2023-10-07

- Replace I18n translation with tls.item
- Remove resource locale (now handled by tls.item)
- Overhaul of Member Kind to Membership Type
  - Rename across site
  - Update new/edit form
  - Update show
- Overhaul of Annual Fee to Membership Fee on site (database level to come later)
- Fix bug that didn't set legacy on new transaction types
- Update item popularity reports
  - Use date purchased, or date created in SeTLS if date purchased is not set, for "time owned" calculation
  - Include items that have never been borrowed
  - Correctly sort time based columns (time owned, time since first loan)

## 2023-10-02

- Only show reservable on categories if reservations are turned on
- Remove defunct paypal emails
- Extend item name length
- Fix duplicate member suggestions for online sign ups
- Add "edit return dates" to login level options
- Add billing details to SeTLS Invoice pages
- Update invoice templates

## 2023-09-25

- Fix 'unknown member' error when creating a reservation from member page and another member has same name
- Change actual volunteering sessions list to include today
- Add loan receipt and member expiry emails
- Item page now checks borrowing rights when loaning to member

## 2023-09-13

- Make membership history table scroll on narrow screens
- OSMPTL label updates
- Fix 'toy' on user homepage

## 2023-09-09

- Upgrade to Rails 7

## 2023-09-06

- Fixed bug that caused infinite loops for memberships with nil date values
- Update Primary Label to be more responsive
- Add time to loan history (only visible to admin or "view other member" levels)
- Add optimistic concurrency check (to fix bug where Edit Toy page is open while toy is returned, then gets saved and accidentally changes the location back)
- Update Sunbury Label to handle Maori macrons

## 2023-08-31

- Fix a bunch of bugs from 2023-08-30 release (whoops)

## 2023-08-30

- Add "exclude member from nightly emails" feature - excluded members will not receive emails as generated as part of the nightly job
- Updated automatic emails index table, added "class" for nightly or action based
- Fixed bug in "members who are owed money" page and updated language
- Updated Member/Profile page to have edit button at the top as well
- Update deidentifying logic for demo sites

## 2023-08-25

- Fix bug in member search
- Fix bug that didn't count non-standard tasks
- Fix Kew performance issue with locked member in error state
- Update MapBox API key

## 2023-08-24

- Fix bug related to duty levies in renewal logic
- Fix bug in C&C pages
- Fix more @tls typos
- Update barcode generator to handle lower case

## 2023-08-23

- Member/Missing Pieces - replace list of selected items with summary when completing an action (ie "You have emailed about 6 missing pieces from 3 toys")
- Fix incorrect volunteer status for tasks on renewal date (credit is now assigned to the new membership history)
- Fix typos from @tls update

## 2023-08-21

- Fix item suggestions for non-admins
- Membership History page overhaul
  - New classification logic
  - Renew member function automatically calculates dates
  - Fix bug that rendered a blank screen when errors occurred in renewing
- Clean up ToyLibrarySettings.first (use @tls)

## 2023-08-14

- Fix bug in password resets
- Fix markermap for non-branch sites
- Updates to Brissouth Label

## 2023-08-13

- Add Microsoft Logins
- Update Puma to 6.x
- Reimplement "..." on item search

## 2023-08-06

- Remove SearchToySuggestions (and fix bug with Copy Toy)
- Fix select box autocomplete for more than 10 items
- Move privacy policy to promo site

## 2023-07-30

- Fix sorting bug on Picture Warnings, Text Warnings, and Member/Missing Piece History pages
- Add link to report missing pieces page to take back to the member's page to send email

## 2023-07-22

- Updates to Gosnells label - add barcode
- Uses Thumbnails added to Settings.
  - When Thumbnails turned on, toy images will be applied to the following email elements
    - list\_of\_all\_toys
    - list\_of\_overdue\_toys
    - list\_of\_toys\_due\_in\_X\_days
    - list\_of\_click\_and\_collect\_toys
    - list\_of\_all\_missing\_pieces
  - New email elements added:
    - the\_toy\_pic (if Thumbnails turned on)
    - list\_of\_selected\_missing\_pieces (Thumbnails)
    - the\_toy\_branch (for multiple branches)
- Missing piece table functionality and layout overhauled, ability to email about selected pieces added

## 2023-07-16

- Update Collingwood Bag Label to be more responsive when long pieces list
- Update Htl Bag Label to include warnings
- Roll out pages side of Thumbnails feature
  - Image on Toy Banner (aside from Edit and Show)
  - Image in toy related tables on Member's Page (Current Loans, Previous Loans, Reservations, Holds)
- \[Security\] Clean up password fields in forms, tables and JSON

## 2023-07-08

- Fix bug in Collingwood Bag Label for "nil" Descriptions
- Drop unused "returnperiod" from items
- Add uses\_thumbnails migration (in preparation for Thumbnails Feature release)

## 2023-06-25

- Update Collingwood Bag Label
- Remove active member filter on volunteering emails
- Update Common Warnings and Common Picture Warnings to be Warnings - Text and Warning - Pictures
- Add webp handler for Prawn PDF generator

## 2023-06-04

- Fixed bug that prevented images from being removed
- Improve messaging in Single Volunteer Session creation page

## 2023-05-21

- Toy page overhaul
  - Reordering of fields
  - Add Colour to Category
  - Remove defunct return loan period field
  - Remove links if user not authorized
  - Fix bug that broke Pop Up Alerts if line breaks or special characters were used
  - Add "Image Last Updated" to page
- Public and Regular Members only able to access "in circulation" toy pages
- Edit/Add toy pages match flow of View Toy
- Prevent Holds on non-"in circulation" toys by members
- Update Copy Toy to include all fields, and use item selector
- KDFC bag label update
- Legacy Flag added to Discovery Types
- Click and Collect Summary PDF updates (add shelf location for toys in basket, and items currently on loan for "return" type bookings)
- Fix bug in HDTL box label

## 2023-04-24

- Improved click and collect booking form
- Fix issue preventing nightly stats calculation

## 2023-04-23

- Add setting to control whether driver's licenses are recorded
- Add report for members with driver's license details
- Include reservations in active member calculation for billing
- Bag label updates
  - Little Buddies branch display
  - Mt Albert
- Fix incorrect fee type used for reservation charges

## 2023-04-11

- Fix error when renewing or reserving items
- Fix incorrect transaction description for renewals and reservations

## 2023-04-10

- Remove traces of old terminology (private comments now Alerts, public comments now Description)
- Update Alerts table to include item location, category, and if the alerts are marked as pop up
- Fix bug in Click and Collect for branches open on the same day
- Updated rent calculation to only allocate a charge if the value is non-0
- Add "test" messaging to Welcome Email tests (missed in earlier email rework)
- Add WEBP to supported image types, improved messaging for jp2 (non-supported)
- Create script for converting a site to Branch mode

## 2023-03-01

- Update Stats of Today charting
  - Replace jxsgraph with chart.js
- Correctly handle no logo set for MonashTwo bag label
- Toy Well Seeding script template
- Revise Darebin bag label to print multiple to a page
- Fix LogoTwo error on settings page

## 2023-02-09

- Rework MonashTwo bag label
- New Tuart bag label
- Add account balance to expired members report
- Fix volunteer session display on homepage for branches

## 2023-01-18

- Add custom toy ID on bag label for Yarra Ranges
- Add multiple click-and-collect sessions

## 2023-01-07

- Fix error reporting missing pieces at library
- Don't try to email members without an email address

## 2023-01-05

- Fix issue with excluded dates on settings page
- Overhaul scheduled member emails

## 2022-12-29

- Bag labels
  - Fix GRTL layout when barcodes not enabled
  - Add colors and branch addresses to Yarra Ranges
  - Second piece column calculation based on order instead of count
- Hide missing piece and payment reminder email buttons if member doesn't have an email recorded
- Add paging for sent automatic emails
- Fix 1toN allocation when no toys exist
- Fix incorrect links in contract expiry emails

## 2022-12-07

- Toy library can choose if money saved calculation is from purchase price or replacement cost
- Manning label bug fixes
- Fix bug introduced in item status display update

## 2022-11-27

- Expand de-identify function to completely wipe profile
- Retrospective de-identify script to clean up old data
- Prevent locking of members with "active" data (holds, reservations, loans)
- Locked unverified members no longer show in the unverified list
- Project Colour
  - "Colors enabled" added to specific label templates
  - Colour and font colour added to Toy Categories, visible to sites that have a supported template
- New Cairns Bag Label created
- Item status display improvements
  - Fix bug that doesn't show "on loan" for reservations with no loan history
  - Only show last loan/reservation (instead of both)
  - Overall tidy up of flow
- Toy Library Settings review
  - Fix bug that prevented non-Australian sites from having Member self renew config options
  - List config errors, and highlight in the view
  - Highlight possible issues in yellow (ie emails that don't have a login)
- Calendar Automation display improvements
- Prevent negative values for toy costs (purchase, replacement, rental)
- Correct permissions in Item Policy
- Add reference to $20 contract renewal fee to contract expiring auto-email

## 2022-10-01

- Add Pundit for managing page permissions
- Review Login Levels index page, configure options to match settings turned on
- Develop Manage Member Holds (Login Level option)
  - Can add holds via toy and member pages
  - Can loan holds
  - Can see hold history
  - Can see holds receipt
- Add ability to view Loan History to View Other Members (Login Level Option)
- Fixed bug that showed member balance if Normal Members Can View Transactions was turned on, even if Login Level wasn't View Member Balance = true
- Add "Signed in as <Last Name>" to Admin view
- Add "At <Branch> (Switch?)" for multiple branches
- Add "available holds" to Member page menu
- Handle nils in Storage Location (bundytoylibrary error)
- Block pasting of images into tinymce
- Geocode settings and branches, fix heatmaps (lat long now set from address)

## 2022-08-11

- Fix max renewals field on toy category list
- Tell user when email is not found on password reset
- Fix calculation of number of SMS messages sent last month
- Keep current branch when editing an item
- Add time zone and item text to settings
- Update Mornington bag label to fix logo width
- Update GRTL bag label to add picture warnings and improve layout
- Replace how\_to links with wiki
- Show separate hold and alert banners when returning toys

## 2022-07-27

- Permanent fix for scheduled mail job failing

## 2022-07-26

- Fix 'number of toys on loan' reports (introduced on 2022-07-04)

## 2022-07-25

- Hotfix scheduled mail job failing

## 2022-07-23

- Start preparing for Rails 6
  - zeitwerk fixes
  - fix filenames in send\_data
- Reservations changes
  - Fix success message not being shown when making a reservation
  - Improve display of reservations on toy history page
  - Improve pickup/return buttons on member pages
- Fix calendar links when creating actual opening hours in branch mode
- Improve daily stats page
- Prevent item being renewed if a conflicting reservation exists
- Add SMS spend tracker
- Only send SMS invoice if messages have been sent
- Remove member 2 login when email is changed
- Don't create member suggestion if member is locked
- Add item suggestion to returns page
- Add Sunbury bag label

## 2022-07-05

- Block access to Bulk Email feature from Sample TL
- Fix 'unknown' membership expiry bug

## 2022-07-04

- First release of Bulk Email feature
- Fixed self-renewal using incorrect fee type (PPTL)
- Online sign up - branch\_id is now set when they are verified (to match the branch\_id of the user verifying them)
- Fix invoice to display as $1 instead of 100c
- BTL Vic Bag label update

## 2022-06-24

- Fix asset compilation error caused by d3 upgrade in August 2021

## 2022-06-18

- New public sign up page released, major changes include
  - Skills Options (formerly Talents) now listed as checkboxes for ease of reading
  - Membership options listed as checkboxes to give all examples at a glance
  - Javascript verification to ensure that Member 1 First Name, Last Name, and Email are filled
  - Javascript check that Member 1 email and Member 2 email are not the same
  - Javascript to ensure Helmet Waiver signed box is ticked (if configured)
  - Overall language and flow changes

## 2022-06-14

- Remove edit option from Actual Volunteering Sessions
- Create job for future bulk email
- Add Branch addresses to homepage in branch mode
- Email displayed on homepage as text
- Gosnells Bag Label now handles non-1toN catalogue items
- Rename of Talents to Skills (Options), and clarification of Skills (Free Text)
- Skills (Free Text) (aka Skills Report) added to Members drop down menu
- Overhaul of drop down menus (removal of duplicate links, update terminology, group toy actions)

## 2022-06-06

- Add heuristic notification for dropped PayPal payments

## 2022-05-22

- Fix error after failed login when online signups are enabled
- Fix alertbox script error on member pages
- PayPal reliability improvements
  - Fix precision of balance calculation
  - Use separate order lines for fees and donations
  - Stabilise PayPal callback to avoid losing payments

## 2022-05-19

- Hide Volunteer Calendar options on member sign up, and Volunteer History, unless Volunteers is enabled
- Removal of Click and Collect references in Member view when in Appointment mode
- Bookings/Click and Collect daily summary on home page
- Improve language from Sign up to Join here for public view
- Fix loan validation bug

## 2022-05-14

- Show due date and days overdue in loans history on member and toy pages
- Show all branch addresses on Primary bag label
- Add appointment reminder email

## 2022-05-09

- In appointment mode, allow bookings until slot start time
- Fix glitch when refreshing page after picking up, returning or cancelling reservations

## 2022-05-05

- Fix bag label warnings for Little Buddies and Yarra Ranges
- Hide deleted toys in warnings and picture warnings lists
- Redesign bag label for Gosnells
- Update AWS credentials & move email to Sydney region

## 2022-04-27

- Line breaks in Home Page Text now show on public homepage, and in toy library settings
- Update of LittleBuddies bag label
- Added rake task for bulk emailing without creating membership essentials

## 2022-04-17

- Added template text to C&C Emails in install:email
- Removed superseded bag labels
- Added Appointment Mode to C&C
- Tidied up Toy Library Settings layout
- Creation of YarraRanges bag label to replace Mt Evelyn

## 2022-04-03

- Add SMS consent to admin signup page
- Replaced "parent" with "member" on admin and online signup pages
- Handle missing toy pic and library logo on Primary bag label
- use reCAPTCHA instead of humanizer for online signups
- Added member SMS list

## 2022-03-30

- Changed logo descriptions in settings to "website" and "bag label" to reflect where they're used
- Use the correct membership length when unlocking a member
- Hide legacy membership types when unlocking a member
- Clarified payment details in invoice and reminder emails
- Fixed issue preventing PayPal.Me links in invoice emails from working correctly
- Fixed reservation calendar to ignore returned loans
- Block loaning an item when a conflicting reservation exists (introduced on 2022-03-06)
- Remove empty warning space on Primary bag label
- Add SMS consent to member

## 2022-03-09

- Fix incorrect loan period from logged-in user instead of borrowing member

## 2022-03-06

- Fix picture warnings for Monash2
- Remove unused bag label designs
- Fix Primary bag label borders and logo
- Fix broken link to "blank picture" on settings page
- Remove "T/" prefix from barcodes on new bag labels
- Add database transaction when loaning toy

## 2022-02-26

- Amendments to Geraldton bag label
- Amendments to Monash bag label
- Amendments to Primary bag label
- Fix formatting on renewal fee pdf
- Traffic light tables replaced with Volunteering status (all, and restricted to volunteering members)
- Member email, phone number added to volunteering status lists

## 2022-02-16

- Fixed missing column in past opening hours table
- Added new primary bag label design
- Fix PayPal issue with more than two decimal places
- Fix error when manually creating opening hours (introduced on 2022-02-13)
- Remove delete button from unverified members

## 2022-02-13

- Fixed Darebin bag label size
- Fixed membership end date update when verifying new member
- Add link to contract renewal invoice PDF on invoices page
- Check excluded dates when manually creating opening hours
- Prevent deleting opening hours with associated information

## 2022-02-08

- Fix picture warning image quality on bag labels
- Email member when nominating a special event roster
- Add mini bag label for Geraldton
- Display item attributes in selected order instead of alphabetical
- Add contract expiry email notifications
- New invoicing rules for March 2022

## 2022-01-25

- Show time for sent SMS messages
- Show queue position on hold receipt
- Hide hold receipt from non-admin users
- Fix columns on item list when branches and shelf locations are both enabled
- Increase font size for Geraldton bag label
- Sort attribute picker alphabetically when editing item
- Update address for Lincoln bag label
- Fix SMS to use the country from settings

## 2022-01-06

- Invoice batch job should correctly update HQ
- Add credentials for new HQ API
- Add Geraldton bag label
- Fix daily stats to use loan/return times instead of create/update times
- Changes for SMS billing

## 2021-12-27

- Prevent member payment reminders being incorrectly reported as sent twice
- Update Google Maps Geocoding API key
- Removed reference to two-year contract renewals
- Update Willetton bag label to remove address and use configurable text
- Add Darebin bag label

## 2021-11-14

- Allow members to pay renewal fees using PayPal when "charge a fee to hire most toys" is set
- Fix performance & memory usage of some stats pages
- Reinstate automatic\_sms table for all sites

## 2021-11-05

- Fixed self-service renewals not redirecting after clicking the "renew" button

## 2021-08-22

- New rules for changing item location. This should help with click & collect and quarantine issues.
  - "On loan", "Click & collect" and "Quarantine" are now considered 'special' locations. "In library" and any custom locations are considered 'normal'
  - You cannot change the location from 'special' to 'normal' or vice versa. You must use the "return", "loan" or "release" features to change the location for these items
  - You can change the location to a *future* quarantine from a normal location
- Tidy of add/edit toy page
- New format for invoice and reminder emails
  - Outstanding balance is now more obvious and can be paid by PayPal.Me
  - Invoice emails are now sent even if the invoice has a zero charge
  - Reminder emails are sent if you have an outstanding balance
- Updated SETLS ongoing fees page
  - Replaced "waiting on" and "in credit" values in header with outstanding balance
  - Removed "don't pay if less than $50"
  - All overdue invoices with an amount greater than zero will be highlighted
- Fix issue where items could not be created when using 'ttcnopadding' with a delimiter

# Set up Microsoft logins

If your organization uses Microsoft work or school accounts, these can be used to log into SETLS. To set this up, an administrator may need to follow the steps below.

## Basic setup

1. Sign into the [Azure Portal](https://portal.azure.com/#home)
2. Switch to the appropriate tenant using the 'Cog' button in the top right
3. Open the **Azure Active Directory** service
4. Click **Enterprise applications** in the menu on the left
5. Click **SeTLS - Serious Toy Library Software**
   - If SeTLS is not in the list, attempt to sign into SeTLS using your Microsoft account, then come back and refresh the page. You may need to use an account with one of the 'Application Administrator' or 'Cloud Application Administrator' roles.
6. Click **Properties** in the menu on the left
   - Set **Enabled for users to sign-in** to **Yes**

TIP: this link will take you directly to the list of [Enterprise applications](https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null) in Azure Active Directory.

## Providing consent

When using Microsoft accounts, consent must be provided to the application. This can be done:

- By the organization on behalf of all users, or specified users - this is referred to as "admin consent"
- By individual users - this is referred to as "self service"

For more information, see [Overview of user and admin consent - Microsoft Entra | Microsoft Learn.](https://learn.microsoft.com/en-gb/azure/active-directory/manage-apps/user-admin-consent-overview)

### Admin consent

1. Follow steps 1-5 above to open **SeTLS - Serious Toy Library Software**
2. Click **Permissions** in the menu on the left
3. Click the **Grant admin consent for <organisation>** button
   - Log in with your Microsoft account if necessary
4. Refresh the list to see the list of permissions

### Self-service

1. Follow steps 1-5 above to open **SeTLS - Serious Toy Library Software**
2. Click **Self-service** in the menu on the left
3. Set **Allow users to request access to this application** to **Yes**
4. Click **Select group** and choose an AAD group - we recommend creating a dedicated group, for example "SETLS Users"
5. Set **Require approval before granting access to this application** to **Yes** if needed

Self-service is subject to global settings found on the [Consent and permissions](https://portal.azure.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings) page.

# How Do Barcodes Work?
SeTLS can work with traditional "wedge" style barcode scanners, in any field that accepts keyboard input.
To use barcodes effectively for toys, turn on the "Toys use barcodes?" boolean in Toy library settings.
SeTLS expects the value given by the barcode to match the value in the toy's "Barcode" field or, if that field is empty, the Toy's ID (the number on the toy itself, not the database ID). The "Barcode" field is most useful if you are using pre-made stickers or have values that differ from the Toy's ID for historical reasons. Keeping the Barcode field empty and letting it default to the Toy ID is the most stable option.
#### How do I get barcodes on my toys?
[Some labels](https://wiki.setls.com.au/books/label-templates) have Barcodes supported, and will generate the barcode when printed. Other options include specific barcode label makers, where you create barcodes for values you choose yourself, or barcode stickers with pre-created values. If using the barcode stickers, you will need to update each toy with the value on the sticker, and if the sticker is replaced, you will need to update the toy again.