Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Test plan:
Login with a patron that is not allowed to see patron's information for patrons
outside of his group. Try to access patron's information from scripts of the patron
module (members/*) and circ/circulation.pl.
You should be able to access patron's information of patrons outside of your group
and get "You are not allowed to see the information of this patron."
If you try and access a patron page with a borrowernumber that does not exist, you
should get "This patron does not exist"
Technical note:
A new C4::Output subroutine is created in this patch: "output_and_exit_if_error"
Executed at the beginning of the script it will permit not to copy/paste all the
different checks to know if the logged in user is authorised to see patron's information.
The design here can be discussed, but I did not find an alternative with as less changes.
On the way I refactor what we did with 'unknowuser' previously: it will now work with all
patron pages, not only the few that used it.
Note that the 'or die "Not logged in";' part should not be needed, but... who trusts
C4::Auth?
I think it could be used as a safeguard later. I am willing to sed and remove them
if required.
Changes in discharge.pl are mainly indentation changes.
With this patch we should now have a $patron variable that refer to the patron we
want to access. That will be very useful to remove plenty of code in members/* and
only pass this variable to the template (instead of 1 variable per patron's attribute).
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies the staff client's rotating collections templates so
that JavaScript is included in the footer instead of the header.
The patch moves JavaScript from each template and the rotating
collections toolbar into a single external JavaScript file.
To test, apply the patch and test the JavaScript-driven features of
each page: All button controls, DataTables functionality, form
validation, etc.
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch makes changes to Font Awesome icons in order to make icon
choice consistent for common actions.
<i class="fa fa-trash"></i> where something is deleted, removed, or
emptied.
<i class="fa fa-remove"></i> where an operation is cancelled (also where
selections are cancelled, as in checkboxes).
<i class="fa fa-times-circle"></i> for "close," as in baskets and
windows.
To test, apply the patch and view the following pages to confirm that
the correct icon is used:
- Acquisitions -> Vendor -> Vendor delete button.
- Acquisitions -> Vendor -> Edit -> Delete contact button.
- Acquisitions -> Invoices -> Delete menu item.
- Cataloging -> Edit record -> Authority search pop-up (triggered from
the tag editor for a tag linked to an authority) -> Clear field button
- Authorities -> Authority detail -> Delete button.
- Tools -> Quotes editor -> Quotes delete button.
- Reports -> View saved report -> Delete button.
- Reports -> Saved reports -> Delete menu item.
- Serials -> Subscription details -> Subscription close button.
- Administration -> Budgets -> Delete menu item.
- Administration -> Item search fields -> Delete button.
- Administration -> Z39.50/SRU servers -> Delete menu item.
- Catalog -> Advanced search -> Clear fields link.
- Cataloging -> Advanced editor -> Macros -> Delete macro button.
- Circulation -> Checkout -> Check out an item which is on hold for
another patron. "Cancel checkout and place hold" button now uses the
icon used elsewhere for holds.
- Course reserves -> Course -> Delete course button.
- Patrons -> Patron lists -> Add patrons -> Remove selected button.
- Acquisitions -> Suggestions -> Suggestion details -> Delete button.
- Lists -> List contents -> Remove selected button.
Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
To test:
1) Go to Tools -> Rotating Collections
2) Click on any rotating collection ('Add or remove items' from drop down menu)
3) Click 'Delete' from toolbar. Validate you are now asked to confirm your deletion. Check that cancel works, then check that confirm works.
Sponsored-by: Catalyst IT
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
I've added the word 'rotating' before collection, to make
it clear for translators what is meant here.
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
We should be using Font Awesome for our icons instead of Glyphicons, for
the reasons discussed on bug 13696.
Test Plan:
1) Apply this patch
2) Note all Glyphicons have been replaced with FA icons in the staff intranet
3) git grep "icon-" ./koha-tmpl/intranet-tmpl/prog/en/modules/
should give no results
4) git grep "icon-" ./koha-tmpl/intranet-tmpl/prog/en/includes/
should give no results
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
We need a follow-up to cover the files changes since this
patch was written. Especially to cover the changes in the
label creator modules.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This follow-up makes drastic changes to the templates in order to bring
them into compliance with established patterns and markup guidelines.
Only minor changes are made to perl scripts.
Changes:
- Add a toolbar include for displaying new, edit, transfer, and delete
buttons.
- Improve title and breadcrumbs with collection titles and better
specificity.
- Correct page structure which was inconsistent with the markup of
similarly-structured pages.
- Correct styling of error and informational messages.
- Added detailed error messages for a couple of conditions which were
not defined in the template.
- Add link to the detail page of titles which are in a collection using
the view defined in the IntranetBiblioDefaultView preference.
- Add a link to remove an item from a collection directly without having
to scan the barcode.
- Add client-side validation to collection creation form.
- In RotatingCollections.pm, add biblionumber to the list of columns
returned by GetItemsInCollection.
- In rotating_collections/*.pl, remove obsolete declaration of system
preference variables.
To test, perform all the operations associated with Rotating
Collections:
- Add a new collection
- Edit an existing collection
- Add items to a collection
- Remove items from a collection (via barcode and link)
- Test the behavior of all new toolbar buttons
- Verify that titles and breadcrumbs look correct and links work
correctly.
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
