21 commits

Author SHA1 Message Date
5825026448 Bug 21526: uri escape TT variables when used in 'a href'
This patch has been generated with the script provided on bug 21576.
It only affects variables used in the href attribute of a link *when*
href is the first attribute of the node (grep "a href")

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-26 17:09:57 +00:00
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit pages and try to catch an alert box.
If you find one it means you found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
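
Added example, not part of the commit log and not Koha's own QA script: a simplified checker for the two points raised in Bug 13618 and Bug 21526, output directives with no explicit filter and the html filter used inside an 'a href' value where uri is expected. The keyword subset, the finding labels and the sample template are assumptions made for this illustration.

```python
import re

# Simplified checker (added illustration, not Koha's QA script).
DIRECTIVE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.S)
# Leading keywords of directives that print no variable (subset of TT's list).
KEYWORDS = {"IF", "ELSIF", "ELSE", "UNLESS", "END", "FOREACH", "WHILE", "SET",
            "USE", "INCLUDE", "PROCESS", "BLOCK", "SWITCH", "CASE", "FILTER"}
# A trailing "| name" filter; the lookbehind keeps "a || b" from counting.
TRAILING_FILTER = re.compile(r"(?<!\|)\|\s*(\$?\w+)\s*$")
# Matches when the text so far ends inside the value of <a href="...">,
# i.e. href is the first attribute, the case Bug 21526 covers.
OPEN_HREF = re.compile(r'<a\s+href\s*=\s*"[^"]*\Z', re.I)


def check_template(text):
    """Return (line, directive, problem) for each output directive to review."""
    findings = []
    for m in DIRECTIVE.finditer(text):
        body = m.group(1)
        if not body or body.startswith("#"):          # empty or TT comment
            continue
        keyword = re.match(r"[A-Z]+\b", body)
        if keyword and keyword.group(0) in KEYWORDS:   # control flow, includes
            continue
        if re.match(r"[\w.]+\s*=(?!=)", body):         # assignment, no output
            continue
        line = text.count("\n", 0, m.start()) + 1
        filt = TRAILING_FILTER.search(body)
        # Drop earlier directives so quotes inside them cannot confuse OPEN_HREF.
        before = DIRECTIVE.sub("", text[:m.start()])
        if filt is None:
            findings.append((line, body, "missing-filter"))
        elif filt.group(1) == "html" and OPEN_HREF.search(before):
            findings.append((line, body, "html-in-href"))
    return findings


# Constructed sample template; variable names follow the commit messages.
SAMPLE = """\
<h1>[% patron.surname | html %]</h1>
[% IF guarantor %]
<a href="/members/moremember.pl?borrowernumber=[% guarantor.borrowernumber | html %]">[% guarantor.firstname %]</a>
[% END %]
<a href="/members/memberentry.pl?guarantorid=[% guarantor.borrowernumber | uri %]">Edit</a>
<div>[% patron.notes | raw %]</div>
"""

if __name__ == "__main__":
    for line, body, problem in check_template(SAMPLE):
        print(f"line {line}: [% {body} %] -> {problem}")
```

Any trailing filter counts as present, so a raw filter still needs a human decision on whether the variable is safe to print unescaped.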
a418f73cf5 Bug 19954: Update popup window templates to use Bootstrap grid: Patrons
This patch updates two patron-related templates to use the
Bootstrap grid instead of the YUI grid.

This patch also corrects an unrelated error in update-child.tt where
some JS variable declarations required by members-menu.js were
missing.

To test you must have more than one adult-type patron category defined.

- Locate and view a child-type patron record.
- From the "More" menu in the toolbar, choose "Update child to adult
  patron."
  - The popup window which appears should look correct and work
    correctly.
  - The table of patron categories should be sortable.
- Add a new patron and enter the first and last names of an existing
  patron.
  - When Koha asks to confirm a possible duplicate record, click the
    "View existing record" link. The popup which is triggered should
    look correct.

Signed-off-by: Zoe Bennett <zoebennett1308@gmail.com>
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-18 16:48:47 -03:00
4fc473e04d Bug 19641: (follow-up) Correct popup templates
This patch corrects the footer include for two patron-related popup
windows. popup-bottom.inc should be considered obsolete, and
"'intranet-bottom.inc' popup_window=1" used in its place.

To test you must have more than one adult-type patron category defined.

- Locate and view a child-type patron record.
- From the "More" menu in the toolbar, choose "Update child to adult
  patron."
  - The popup window which appears should look correct and work
    correctly.
- Add a new patron and enter the first and last names of an existing
  patron.
  - When Koha asks to confirm a possible duplicate record, click the
    "View existing record" link. The popup which is triggered should
    look correct.

Signed-off-by: Zoe Bennett <zoebennett1308@gmail.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-15 13:30:23 -03:00
047ca33a93 Bug 19641: Move patron templates to the footer
This patch modifies the staff client patron module templates so that
JavaScript is included in the footer instead of the header.

This patch touches a lot of files because the changes are all
interdependent, affecting a couple of module-wide include files.

To test, apply the patch and test the JavaScript-driven features of the
modified templates: All button controls, DataTables functionality, tabs,
etc.

Patrons -> Patrons home, patron search results
  -> Manage pending modification requests
  -> Patron detail page
    -> Edit patron
      -> Set guarantor
    -> Fines
       -> Account, Pay fines, Create manual invoice, Create manual
          credit
       -> Print receipts for different kinds of charges
    -> Routing lists
    -> Circulation history
    -> Holds history
    -> Notices
    -> Statistics
    -> Files
    -> Purchase suggestions
    -> Discharges
    -> Housebound
    -> Set permissions
    -> Change password
    -> Print summary, slips, and overdues
    -> Update child to adult patron type

Patron toolbar and patron search bar operations should work correctly on
all pages.

This patch also updates the template for searching the Norwegian
national patron database, but it has NOT been tested.

Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>

Signed-off-by: Zoe Bennett <zoebennett1308@gmail.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-15 13:30:23 -03:00
Katrin Fischer
a887aeb2df Bug 19129 - Follow-up - Add changes to patron duplicate warning
Adds logic from the previous fix to the brief patron summary
shown when checking a possible patron duplicate.

Bonus: Also fixes missing patron category description there.

To Test:
- Add 2 patrons
- Add a patron with the same surname and firstname as an
  existing patron in order to trigger the duplicate message
- Click "View existing patron"
- Verify display is correct when existing patron is
  - an organisation
  - not an organisation
- Verify that the patron category description shows

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-01 13:02:23 -03:00
Andreas Roussos
0f4644a5bf Bug 17312 - Typo in members-toolbar.inc / moremember-brief.tt / moremember.tt
The following three templates are using [% guarantorborrowernumber %]
while they should be using [% guarantor.borrowernumber %]:

members/members-toolbar.inc
members/moremember-brief.tt
members/moremember.tt

This doesn't result in any breakage; just a couple of 'Edit' links that
do not pass the guarantorid in the URL, and one case where guarantor
information is not shown in the staff client.

This patch fixes that.

Test plan:
0) [PREREQUISITE] Create a patron with a guarantor if you don't have one.
1) Go to Home > Patrons and search for a patron that has a guarantor. In
   the Details page for that patron, the 'Edit' link in the toolbar does
   not pass the guarantor's id in the URL (...&guarantorid=&...).
2) In the same page, the 'Edit' link under the patron's name (immediately
   under 'Guarantor') again does not include the guarantor id in the URL.
3) Go to Home > Patrons and click on 'New patron'. Pick any category from
   the drop down menu. Enter the Surname, First name, and Date of birth
   of the patron you used in step 1). This triggers the 'Duplicate patron
   record?' warning -- click on 'View existing record' and notice how the
   guarantor information is missing.
4) Apply the patch.
5) Repeat steps 1), 2), and 3) above. The URLs are fixed and patron info
   is showing.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:51:56 +00:00
Marc Véron
f542ce5a82 Bug 16730 - Use member-display-address-style*-includes in moremember-brief.tt
To test:
- Apply patch
- Create a new patron with the same first and last name as an existing
  patron. This should trigger a duplicate warning message. Click the
  "View existing record" link to trigger a pop-up window with a patron
  detail brief view.
- Verify that the address information displays the same way as on the
  patron details screen (moremember.pl).
- Change syspref 'AddressFormat' and verify that the address displays
  as appropriate.

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
  Works as described: AddressFormat is taken into account on 'view existing
  record' dialog box.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-07-08 14:41:31 +00:00
0336f32b65 Bug 16494 - Remove the use of "onclick" from some patron pages
This patch removes the use of "onclick" attributes from some patron
pages.

To test, apply the patch and:

- In Patrons, perform any search which will return multiple results.
  Confirm that the "select all" and "clear all" links work as expected.
  Font Awesome icons have been added to these links.

  In the left-hand sidebar, change any of the filters and click the
  "Clear" button. The form (and your search results) should reset.

- Open the 'Set permissions' page for any patron. Checking any
  permission with sub-permissions should correctly expand the tree and
  select all sub-permissions. The reverse should also work.

  Also changed in this file: The "Inconsistency detected" alert has been
  reformatted to make it translatable.

- View the detail page for a patron with one or more restrictions.
  Clicking the "View restrictions" link at the top of the page should
  jump you to and activate the restrictions tab.

- View the 'Notices' tab for a patron who has been sent one or more
  notices. Click any notice title to expand the notice. Clicking the
  "resend" button should resend the notice.

- Create a new patron with the same first and last name as an existing
  patron. This should trigger a duplicate warning message. Click the
  "View existing record" link to trigger a pop-up window with a patron
  detail brief view.

  In this window an "email" class has been added to the primary and
  secondary email lines so that long email addresses don't overlap the
  second column of data.

  Confirm that clicking the "close" button in this window closes the
  window. The changes to staff-global.css are included in this patch to
  prevent the close button from having an incorrect color change on
  hover.

Signed-off-by: FILIPPOS KOLOVOS <f.kolovos@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-06-24 13:46:54 +00:00
6506ddd1e8 Bug 14990: Format the date template-side for moremember
Test plan:
print slip and show the member detail page, the 3 dates date of birth,
date enrolled and date of expiry should be displayed correctly.

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-10-19 10:13:02 -03:00
Jonathan Druart
fb59c5c7c4 Bug 10020: Remove code related to ethnicity
This is a(nother) vestige of Koha (2.2?).
This patch removes unused code related to the 'ethnicity'.

In detail:
There is no way to fill the ethnicity table.
There is no way to fill the borrowers.ethnicity and borrowers.ethnotes.

BUT if borrowers.ethnicity exists, the value is displayed on
members/moremember.pl (and only here).

Test plan:
Apply this patch and confirm there is no regression on
adding/updating/deleting patrons.
Note that you don't see the ethnicity value on the moremember.pl page even if a patron has it.

Signed-off-by: Nick Clemens <nick@quecheelibrary.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-10-06 10:30:32 -03:00
a7da45099f Bug 13142 - Change "mobile phone" label back to "other phone"
Labeling a phone number field "mobile phone" eliminates the usefulness
of having the labels "primary" and "secondary." Generic labels let the
user populate the fields according to their importance rather than their
type.

To test I recommend editing a patron record so that the values in the
patron record contain a label matching the table column:

borrowers.phone : 555-555-1234 (primary - phone)
borrowers.phonepro : 555-555-5678 (secondary - phonepro)
borrowers.mobile : 555-555-9012 (other - mobile)

View this patron's information in the various affected templates and
verify that the labels correctly match the data:

 - OPAC "your personal details" (opac-memberentry.pl)
 - Submit changes to primary, secondary, and other phone via the OPAC.
   In the staff client, view the confirmation for those changes.
 - Patron details in the staff client (moremember.pl)
 - Patron entry/edit in the staff client (memberentrygen.pl)
 - Patron duplicate confirmation in the staff client
   (you can navigate directly to
   /members/moremember.pl?borrowernumber=XXXX&print=brief)

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-02-13 13:52:10 -03:00
5fc2a6dbad Bug 12407: [QA Follow-up] Rename Other Phone to Mobile in staff
Touches three member templates.
Changes label Other into Mobile.
This is consistent with database field name and OPAC.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-08-05 20:36:43 -03:00
Brendon Ford
2bd123f5ba Bug 12407: phone label or data switched
Fix for switched phone numbers on patron details page.

This patch fixes switched phone numbers on patron details page and also makes phone number labels more uniform.

To Test:

1. Apply the patch.
2. Create/modify a patron entering some unique data into the "Secondary phone:" and "Other phone:" fields (different data for each).
3. Save the patron record.
4. Go to the patrons details page and make sure the data entered into the "Secondary phone:" field is displaying next to the "Secondary phone:" label and that the data entered into the "Other phone:" field is displaying next to the "Other phone:" label.

Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-08-05 20:36:26 -03:00
Galen Charlton
259163d1d7 Bug 9406: ensure confirmation of patron renewal is displayed
When renewing a patron from the patron details page, ensure that
the "Patron's account has been renewed until XXX" is actually
displayed.

This patch introduces a was_renewed CGI and template parameter
to clarify the intent of the relevant template sections.

To test:

- Before applying the patch, renew a patron from the patron
  details page and verify that you don't see the renewal confirmation.
- After applying the patch, renew the patron from the details page
  and verify that the "Patron's account has been renewed until XXX"
  message shows up.
- Renew the patron from the checkout page and verify that the confirmation
  message shows up.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Message now displays for both tabs.
Fixed tab to make QA script pass.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-03-30 21:22:00 -04:00
Galen Charlton
c7629376fc Bug 9376: extend HTML fix to moremember-brief.tt
Signed-off-by: Galen Charlton <gmc@esilibrary.com>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-01-17 21:08:48 -05:00
Katrin Fischer
1fd4a1e8af Bug 7760 - Add ids and classes to every staff page to help with customization (patrons)
Class is 'pat' and ids start with 'pat_'.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
2012-03-22 18:12:30 +01:00
Stéphane Delaune
a7ee8caf07 Bug 5749 Fix borrower address display in intranet
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
2012-03-14 16:14:15 +01:00
Nicole C. Engard
0a71367dc2 Bug 5252 - Phone labels on patron creation
The labels for emails on the patron forms say 'primary' and
'secondary.' This patch does the same thing for the phones.
phone is now 'Primary phone', mobile is now 'Secondary phone',
and 'phonepro' is now 'Other phone'. This way the type of phone
does not matter and the phone that the patron wants to be called
at the most is the 'primary.'

This is just a step in the direction of fixing Bug 5252, not a
complete fix.

This patch also updated a stray reference to Home Email.  Both the
OPAC and staff client are updated with this patch.

Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-08-14 20:06:03 +12:00
f1ecfc7669 Fix for Bug 5020 - on patron record sex should be gender
Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-05-29 13:32:32 +12:00
Chris Cormack
5884fb1000 Bug 5917 : Swapping templates over
2011-04-10 20:38:30 +12:00
Renamed from koha-tt/intranet-tmpl/prog/en/modules/members/moremember-brief.tt