Commit graph

22 commits

Author SHA1 Message Date
Mark Tompsett
77871b408c Bug 13272: (follow-up) fix concerns from comment #5
Correct the two issues I pointed out.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-01 11:18:31 +00:00
Christopher Brannon
92a2d74c1c Bug 13272: Adds type="text" to inputs missing it
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-01 11:18:30 +00:00
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
0ab22e1c7c Bug 18789: Send Koha::Patron object to the templates
In order to simplify and make uniform the code, the controller scripts send
a Koha::Patron object to the templates instead of all attributes of a patron.

That will make the code much more easier to maintain and will be less
error-prone.

The variable "patron" sent to the templates is supposed to represent the
patron the librarian is editing the detail.

In the members module and some scripts of the circulation module, the
patron's detail are sent one by one to the template. That leads to
frustration from developpers (making sure everything is passed from all
scripts) and to regression (we got tone of bugs in the last year because
of this way to do).
With this patch set it will be easy access patron's detail, passing only
1 variable from the controllers.

Test plan:
Play with the patron and circulation module and make sur the detail of
the patron you are editing/seeing info are correctly displayed.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-16 13:03:58 -03:00
047ca33a93 Bug 19641: Move patron templates to the footer
This patch modifies the staff client patron module templates so that
JavaScript is included in the footer instead of the header.

This patch touches a lot of files because the changes are all
interdependent, affecting a couple of module-wide include files.

To test, apply the patch and test the JavaScript-driven features of the
modified templates: All button controls, DataTables functionality, tabs,
etc.

Patrons -> Patrons home, patron search results
  -> Manage pending modification requests
  -> Patron detail page
    -> Edit patron
      -> Set guarantor
    -> Fines
       -> Account, Pay fines, Create manual invoice, Create manual
          credit
       -> Print receipts for different kinds of charges
    -> Routing lists
    -> Circulation history
    -> Holds history
    -> Notices
    -> Statistics
    -> Files
    -> Purchase suggestions
    -> Discharges
    -> Housebound
    -> Set permissions
    -> Change password
    -> Print summary, slips, and overdues
    -> Update child to adult patron type

Patron toolbar and patron search bar operations should work correctly on
all pages.

This patch also updates the template for searching the Norwegian
national patron database, but it has NOT been tested.

Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>

Signed-off-by: Zoe Bennett <zoebennett1308@gmail.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-15 13:30:23 -03:00
4bc92169dc Bug 18403: Update permissions - borrowers => 1|* becomes borrowers => 'edit_borrowers'
Test plan:
Login with a patron that only have the 'edit_borrowers' permission.
You should be able to access patron's information of patrons inside of your group.

Technical note:
Before this patchset the borrowers permission module contains only 1 permission 'edit_borrowers'.
That meant
  borrowers => 1
and
  borrowers => '*'
had the same behavior.
Moreover, now that we have 2 permissions, 'CAN_user_borrowers' is set when all
permissions of 'borrowers' are set.
We need to update the different occurrences of these tests.

Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:37 -03:00
David Gustafsson
cfed10325b Bug 19471: Show creation date in patron restrictions list
Test plan:
1. Go to the "Details" vertical tab of a patron.
2. Click the "Restriction" tab in the bottom and add a manual restriction.
3. Verify a creation date is visible.

4. Edit the same patron.
5. Under "Patron restrictions" verify the creation date of the listed
   restiction is visible.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Charles Farmer <charles.farmer@inLibro.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-01-10 10:50:19 -03:00
804677265e Bug 16239: Update templates
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-13 14:41:22 +00:00
Jonathan Druart
f91ed3d8bf Bug 14060: Remove readonly attributes on date inputs
In order to remove accessibility issues due to the readonly attributes
on date inputs, this patch will remove them and introduce a javascript
validation on them.

This patch is not perfect for some reason:
I didn't manage to force the user to select a valid date. One solution
would be to reopen the datepicker plugin until a valid date is inserted.
But it could be annoying for users (and for me: I did not manage to
implement this solution).
You will note that input is emptied if the date is not valid. This is a
quick and efficient solution to prevent submitting invalid date and make
Koha explodes. A proper solution would be to implement the check server
side send a friendly message to the user.

Test plan:
For all inputs, try an invalid and a valid date.
 1/ Debar a patron
 2/ On the checkout tables (circulation and moremember), add a renewal
due date (at the bottom of the tables)
 3/ On the checkout page, specify a due date
 4/ On the return page, specify a return date
 5/ On the invoice page (acquisition module), enter a shipment and
billing date
 6/ On the invoice search page (invoices.pl) use filters shipment and
billing dates
 7/ On the offline circ page, specify a due date
 8/ On the edit patron page (memberentry), add a debarment
 9/ On the reserve page (reserve/request.pl), use the date inputs to
suspend until a defined date
10/ Edit patrons in a batch (tools/modborrowers.pl) and use the
registration and expiry date inputs

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-08 12:04:19 +00:00
Hector Castro
dba6cfe441 Bug 16888: (follow-up)Add Font Awesome Icons to Members
Remove fa-ban according with QA comment 4

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-07-15 18:02:48 +00:00
Hector Castro
ae41952077 Bug 16888: Add Font Awesome Icons to Members
Add Font Awesome Icons to:
- "Select/Clear all" links to pay.tt (Pay fines tab)
- "Filter icon" in "filter paid transactions" to Accout tab (boraccount.tt)
- "Trash icon" to Remove option in "Manual restrictions"
(borrower_debarments.inc) also add "Ban and plus icon" to "Add manual restriction"

To test:
-Apply patch
-Select a patron who has fines
-Go to "Fines->Pay fines" tabs and see the icons in "Select/Clear all"
-Choose the "Account" tab and sse the icon in "Filter paid transactions"
-Select the "Check out" tab and go to "Restrictions"
-Add a manual restriction and notice about the two new icons fa-plus and fa-band
-See the new button btn-mini and the fa-trash icon
-Verify that all works as expected

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-07-15 18:02:48 +00:00
Morgane Alonso
a1285ba9c0 Bug 12509 - Fix Untranslatable Restriction added by overdues process
Changes the value of the "comment" column in "borrower_debarments" table
from "Restriction added by overdues process yyyy-mm-dd hh:mm:ss" to
"OVERDUE_PROCESS yyyy-mm-dd hh:mm:ss" in the overdue_notices.pl. Then in
the templates "moremember.tt", "circulation.tt", "memberentrygen.tt",
"opac-reserve.tt" and "opac-user.tt" the value of "comment" is
check, if it's an automatical comment due to overdue process it'll
write "Restriction added by overdues process yyyy-mm-dd hh:mm:ss",
then if there is a customizable comment it will be written without
modification. Like this, the comment "Restriction added by overdues
process" is written in the po files and can be translated later.

To test:
1) create a patron with automatical restriction due to overdue process;
2) apply patch;
3) run misc/cronjobs/overdue_notices.pl;
4) verify if the comment "Restriction added by overdues process" is well
   written and translatable on the following page :
    - opac patron home page (opac-user.tt);
    - opac item reservation page (opac-reserve.tt);
    - pro patron page (moremember.tt);
    - reservation item for a patron (circulation.tt, memberentrygen.tt);
5) try to translate the comment in po files;
6) sign off.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-07-08 12:41:47 +00:00
0c476f1508 Bug 16557 - Remove the use of "onclick" from several include files
This patch modifies several include files, removing "onclick" attributes
in favor of defining events in JavaScript.

A reusable "toggle" function has been added to the global JS file so
that clicking elements with the class "toggle_element" will toggle the
display of elements as defined in the click target's "data-element"
attribute.

Also changed: In subtypes_unimarc.inc some capitalization errors have
been fixed and label/id pairs corrected.

To test, apply the patch and clear your browser cache if necessary.

- On the Acquisitions home page, click the "Orders search" header search
  tab. Clicking the [+] link should expand and collapse the additional
  search fields.

- On the checkout or patron detail page, view the "Restrictions" tab.
  Click to add a restriction and use the datepicker to select a date.
  Clicking the "Clear date" link should clear the date.

- Trigger the help window on any page. Clicking the "close window"
  button should work correctly.

- Go to Administration -> Patron categories -> Edit. Checking and
  unchecking messaging preference options should work correctly. The "do
  not notify" checkbox should clear other checkboxes in that row and
  vice versa.

- In Serials, from a subscription detail page, clicking the "Renew"
  button should trigger the renew popup.

- Go to Acquisitions -> Vendor -> Add to basket -> From a subscription.
  Clicking the "Advanced search" link in the left hand sidebar should
  toggle the sidebar search form.

- In a UNIMARC system, view the advanced search page. Clicking the "Show
  coded information filters" link should show additional search fields.
  (I tested in my MARC21 system by temporarily moving line 174 of
  advsearch.tt to line 172).

Signed-off-by: Claire Gravely <c.gravely@arts.ac.uk>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-06-24 13:51:01 +00:00
a8942c2884 Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues
Revert "DBRev to make notes of the XSS patches and the new important dependency."

This reverts commit e140603a59.

Revert "Bug 13618: Specific for branches.opac_info"

This reverts commit 06e4a50f00.

Revert "Bug 13618: (follow-up) Specific for other prefs"

This reverts commit d6475a111f.

Revert "Bug 13618: Fix for debarredcomment and patron messages"

This reverts commit dd98c9df92.

Revert "Bug 13618: Do not display html tags in patron's notices"

This reverts commit a065b243fe.

Revert "Bug 13618: Do not display &nbsp; and html tags in item fields content"

This reverts commit baeeaffbf8.

Revert "Bug 13618: Fix for system preference description"

This reverts commit a967a09261.

Revert "Bug 13618: Remove html filters for newly pushed code"

This reverts commit 0e98662b10.

Revert "Bug 13618: (follow-up) add missing lines for opac-shelves"

This reverts commit fc2fb605e5.

Revert "Bug 13618: (follow-up) Specific for ColumnsSettings"

This reverts commit bc308fdd9c.

Revert "Bug 13618: Fix for edit biblios and items"

This reverts commit 811c4e8402.

Revert "Bug 13618: followup to remove tabs"

This reverts commit ca8e8c397c.

Revert "Bug 13618: Fix last occurrences recently introduced to master"

This reverts commit bb417b256b.

Revert "Bug 13618: Fix for news"

This reverts commit ae5b98020a.

Revert "Bug 13618: Fix escape on sending baskets or shelves by email"

This reverts commit a7731ffe25.

Revert "Bug 13618: Specific for XSLTBloc"

This reverts commit 11fa38dc29.

Revert "Bug 13618: Specific for Salutation on editing a patron"

This reverts commit 36c07ad6d3.

Revert "Bug 13618: Specific for other prefs"

This reverts commit e6ea281a3b.

Revert "Bug 13618 - memberentrygen.tt errors Not a GLOB reference"

This reverts commit 7824874557.

Revert "Bug 13618: Specific for ColumnsSettings"

This reverts commit 1834da3da3.

Revert "Bug 13618: Specific for IntranetUser* and OPACUser* prefs"

This reverts commit 21ae62b253.

Revert "Bug 13618: Fix error 'Not a GLOB reference'"

This reverts commit 602bdbab4c.

Revert "Bug 13618: Specific for the ISBD view"

This reverts commit d254362435.

Revert "Bug 13618: Specific for pagination_bar"

This reverts commit 8837a8ae68.

Revert "Bug 13618: Specific places where we don't need to escape variables - intra"

This reverts commit 00eff140b3.

Revert "Bug 13618: Remove html filters at the intranet"

This reverts commit 7db851ff03.

Revert "Bug 13618: Specific places where we don't need to escape variables"

This reverts commit 49a3738b8d.

Revert "Bug 13618: Remove html filters at the OPAC"

This reverts commit cedaa0e23e.

Revert "Bug 13618: Use Template::Stash::AutoEscaping to use the html filter"

This reverts commit 01b38d3b13.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
2016-02-11 19:39:53 +00:00
dd98c9df92 Bug 13618: Fix for debarredcomment and patron messages
At the OPAC and intranet.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
2016-01-29 17:54:17 +00:00
Yohann Dufour
45975f4087 Bug 8007: Discharge - Glue
This patch adds:
- links to the new pages.
- syspref description
- links on the main page (intranet)
- the DISCHARGE type for debarment

Signed-off-by: Lucie <lucie.rousseaux@dracenie.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-04-30 12:33:53 -03:00
Mark Tompsett
f37fc8b08c Bug 11182: remove spurious logged warnings in circulation
TEST PLAN
---------
 1) Log into staff client
 2) Click 'Circulation'
 3) Click 'Check out'
 4a) Type a patron name, click 'Submit'
 4b) If necessary, select which one, and click 'Select'
 5) Check the error logs, new warnings
 6) Apply patch
 7) Click 'Circulation'
 8) Click 'Check out'
 9a) Type a patron name, click 'Submit'
 9b) If necessary, select which one, and click 'Select'
10) Check the error logs, no new warnings
11) Click the 'Restrictions' tab
12) Click 'Add manual restriction'
13) Add a dummy restriction
14) Click the 'Restrictions' tab
15) Click 'Remove'
16) Click 'OK'
17) Confirm that no additional error log entries were added
     and adding/deleting restrictions hasn't broken.

Signed-off-by: Jesse Weaver <pianohacker@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-04-29 17:49:48 +00:00
Jonathan Druart
d45c9a673b Bug 10863: Add 2 circulation permissions: force_checkout and lift_restriction
This patch adds 2 circulation permissions: force_checkout and
lift_restriction.

During upgrade, these two permission are added to existing staff
users that already have the base circulate permission.

force_checkout allows a librarian to force a checkout if a limitation
occurred.

lift_restriction allows a librarian to lift a restriction for a patron.

Test plan:
1/ Find a debarred patron and go on the checkout page. The "Lift
restriction" button should be present only if the logged librarian has
the lift_restriction permission.
2/ If the force_checkout permission is set, a librarian should be
allowed to check out in several cases:
- age restriction
- the item is issued to another patron
- the item is not for loan
- the patron has overdue items
- the item is lost
- the item is a high demand item
- the item is reserved
- another case ?

Signed-off-by: Cedric Vita <cedric.vita@dracenie.com>

Bug 10863: The force checkout permission should not affect high holds

- typo checkout => check out.
- the force checkout permission does not affect high holds.

Signed-off-by: Cedric Vita <cedric.vita@dracenie.com>

Bug 10863: Follow-up: Adding missing permissions to translated files

This patch adds the 2 new permissions to all remaining sample files.
If the permissions don't get installed, the problem is bigger than
having an English description.

Also adds back the question "Check out anyway?" for high demand items (HIGHHOLDS).

Test xt/permissions.t passes now.

Bug 10863: Rename lift_restriction with manage_restrictions

The pref manage_restrictions now takes into account "Lost card" and
"Gone no address" restrictions.

Test plan:
- log in with a user with manage_restrictions permission
- verify you can set/unset restrictions when editing a patron
- log in with a user without manage_restrictions permission
- verify you cannot set/unset restrictions when editing a patron

Signed-off-by: Mathieu Saby <mathieu.saby@univ-rennes2.fr>
Note: The AgeRestrictionOverride pref has to be set to "Allow" if you
want to override the age restriction, even if the new permission is set.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Passes koha-qa.pl, works as advertised

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-01-07 03:59:53 +00:00
3a76f4298c Bug 11283: make restriction type translatable
The new restrictions system has different types:
MANUAL, OVERDUES and SUSPENSION.

Those are shown in the interface and seem to come directly from the
database, so they are not translatable.

As they are hardcoded translations should be possible and be handled in
the template.

Test Plan:
1) Create a patron with one of each type of restriction
2) Apply this patch
3) Note you see the type with only the first letter capitialized,
   this indicates you are seeing the translatable string

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Passes all tests and QA script. Strings now appear in
updated po files:
  msgid "%s %s Manual %s Overdues %s Suspension %s "

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-11-27 16:47:42 +00:00
Jonathan Druart
d69247b381 Bug 2720: (follow-up) fix the "remove" links
If there are more than one restriction, the "remove" links don't display
the JavaScript alert.

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-31 01:56:32 +00:00
0532bdc956 Bug 2720: (follow-up) improve data entry form for manual restrictions
This follow-up to Bug 2720 makes some template changes which I think
make the interface a little more consistent and streamlined.

Instead of incorporating the manual entry form into the table it is
broken out and follows standard form structure. This lets the table be
hidden altogether if there are no existing restrictions.

The manual entry form is hidden by default and shown when you click a
link to add a manual restriction.

These changes have been applied to both the include file used for
circulation and patron detail and to the patron entry form template.

To test, add and remove manual restrictions from the circulation page,
the patron detail page, and the patron edit page. All operations should
work correctly.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-31 01:54:20 +00:00
80897930b7 Bug 2720 - Overdues which debar automatically should undebar automatically when returned
This patch adds a more extensible and flexible debarments system to Koha. The fields
borrowers.debarred and borrowers.debarredcomment are retained for compatibility and
speed.

This system supports having debarments for multiple reasons. There are currently
three types of debarments:
OVERDUES    - Generated by overdue_notices.pl if the notice should debar a patron
SUSPENSION  - A punative debarment generated on checkin via an issuing rule
MANUAL      - A debarment created manually by a librarian

OVERDUE debarments are cleared automatically when all overdue items have been returned,
if the new system preference AutoRemoveOverduesRestrictions is enabled. It is disabled
by default to retain current default functionality.

Whenever a borrowers debarments are modified, the system updates the borrowers debarment
fields with the highest expiration from all the borrowers debarments, and concatenates
the comments from the debarments together.

Test plan:
 1) Apply patch
 2) Run updatedatabase.pl
 3) Verify the borrower_debarments table has been created and
    populated with the pre-existing debarments
 4) Run t/db_dependent/Borrower_Debarments.t
 5) Manually debar a patron, with an expiration date
 6) Verify the patron cannot be issued to
 7) Add another manual debarment with a different expiration date
 8) Verify the 'restricted' message lists the date farthest into the future
 9) Add another manual debarment with no expiration date
10) Verify the borrower is now debarred indefinitely
11) Delete the indefinite debarment
12) Verify the debarment message lists an expiration date dagain
13) Enable the new system preference AutoRemoveOverduesRestrictions
14) Set an overdue notice to debar after 1 day of being overdue
15) Check out an item to a patron and backdate the due date to yesterday
16) Run overdue_notices.pl
17) Verify the OVERDUES debarment was created
18) Return the item
19) Verify the OVERDUES debarment was removed
20) Disable AutoRemoveOverduesRestrictions
21) Repeat steps 15 though 18, verify the OVERDUES debarment was *not* removed
22) Add issuing rules so that an overdue item causes a temporary debarment
23) Check out an item to a patron and backdate the due date by a year
24) Return the item
25) Verify the SUSPENSION debarment was added to the patron

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-31 01:53:22 +00:00