Commit graph

161 commits

Author SHA1 Message Date
5825026448 Bug 21526: uri escape TT variables when used in 'a href'
This patch has been generated with the script provided on bug 21576.
It only affects variable used in the href attribute of a link *when*
href it the first attribute of the node (grep "a href")

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-26 17:09:57 +00:00
7c05f4fbe4 Bug 21068: Remove NorwegianPatronDB related code
Bug 11401 introduced code to support Norwegian national library card.
This code is too specific to be part of Koha as it, it should be a
plugin instead.
Moreover nobody uses it, but a modified version (see comment 3).

Test plan:
Add/edit/delete patron and make sure there are no regressions introduced
by these patches

Signed-off-by: Benjamin Rokseth <benjamin.rokseth@deichman.no>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-30 13:40:29 +00:00
9874c902ef Bug 21209: (bug 20828 follow-up) Step 4 of moremember is used for Housebound and additional attributes
Test plan:

1) Make sure the HouseboundModule is enabled in system preferences
2) Go to a patron file
3) Next to Housebound roles, click on "Add"
4) Check "Yes" next to one of the two roles (or both)
5) Click "Save"
6) The "Add" button is now "Edit", click on it

The page is the one to edit housebound roles.

Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-24 16:23:26 +00:00
fd9ea323fe Bug 13618: Escape patron's attributes - do we want that?
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:08 +00:00
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
81431ee28a Bug 20226: Centralize update child code (CATCODE_MULTI)
Code and variables to deal with the update child feature are not
centralized but copied/pasted in several scripts. Which leads to issues
obsviously (bug 20805 for instance).

Moreover the strings used by the templates are also in several template
files (or .inc)

To deal with that this patch introduces the idea to create 1 .inc file
per .js file
Here we have members-menu.inc for members-menu.js

Test plan:
- Remove all your adult categories (categories.category_type='A')
- Create a patron with a child category
- Try to update to adult category
=> The entry does no longer appears! (This is a change in the behaviour)
- Create one adult category
- Update to adult category
=> There is a JS confirmation message, if you accept the patron will
be updated to the adult category
- Create (at least) another adult category
- Create another child
- Update to adult category
=> No more confirmation message but a popup to select the adult category
- Pick one
=> The patron has been updated to the adult category

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-14 11:58:26 +00:00
5260482a61 Bug 20779: Style refresh for patron detail page
This patch makes style and markup changes to the patron detail page
template in order to make the display of information somewhat more
compact and to increase the visibility of the edit controls.

To test you should enable the patronimages system preference. Apply the
patch and view the detail page for a patron.

- Check that the page looks correct and that sections like "Alternate
  address" and "Alternative contact" are empty when there is no data.
- Check that the "Manage patron image" tool works correctly.

Signed-off-by: Cab Vinton <director@plaistowlibrary.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-09 12:05:07 +00:00
9d4c735061 Bug 20828: Step 4 of moremember is used for Housebound and additional attributes
This patch modifies the patron edit process so that "Housebound roles"
can be edited as a separate step.

To test, apply the patch and open an existing patron's detail page
(moremember.tt). Test the "edit" links for 'Housebound roles' and
'Additional attributes and identifiers' and confirm that each opens its
own edit page, and saving changes works correctly.

Signed-off-by: Cab Vinton <bibliwho@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-09 11:28:58 +00:00
14f54d4e13 Bug 20520: Re-indent moremember.tt
This patch reindents the template for the patron detail page,
moremember.tt:

- Trailing spaces removed
- Indentation changed to a consistent 4 spaces
- Markup indentation made more consistent

To test, view the patron detail page. There should be no visible
difference before and after the applying the patch.

HTML validation before and after the patch should return the same
results.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-29 20:37:43 +00:00
Amit Gupta
a8f864c590 Bug 20867: Ability to show membership renewal date on moremember.pl page
Test case:
1. Create the patron.
2. Search the patron whose date of membership is about to expire or expired.
3. Click on More->Renew patron.
4. Now membership is renewed.
5. Apply the patch.
6. Reload the page now you will able to see the Membership renewal date.

Signed-off-by: Maryse Simard <maryse.simard@inlibro.com>
Followed the test plan and it works.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-22 20:23:29 +00:00
Katrin Fischer
2e1ff5e961 Bug 20794: Hide holds tab on details when user lacks circulate_remaining_permissions
If a user doesn't have circulate_remaining permissions, but has borrowers:
- checkouts tab is hidden
- details tab is visible
- holds tab on details is visible, but results in an error

The problem is that the svc/holds script requires circulate_remaining_permissions.

To test:
- Create 2 staff users with and without circulate_remaining_permissions
  Both need borrowers permission
- Go to the details tab in a patron's account who has holds
- Verify that you get a datatables error for the staff patron without
  circulate_remaining_permissions
- Apply patch
- Verify that now the holds tab is no longer displayed for this patron

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-22 13:28:55 +00:00
b2f5371b01 Bug 20792: (bug 18789 follow-up) Fix patron edit page if TranslateNotices is set
translated_language is not a Koha::Patron's method but a simple variable
sent to the template.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-05-21 10:58:19 -03:00
Julian Maurice
ed7543287b Bug 20538: Remove the need of writing [% KOHA_VERSION %] everywhere
Having to write [% KOHA_VERSION %] for each url is bad because:
- It's easily forgettable when adding new <script> or <link>
- It prevents grep'ing for the full filename
- It violates the DRY principle
- If at some point we want to change the "force js and css reload"
  mechanism, it will be tedious

This patch:
- adds a Template::Toolkit plugin that generates <script> and
  <link> tags for JS and CSS files, and inserts automatically the Koha
  version in the filename
- use the new plugin to remove all occurences of [% KOHA_VERSION %]
- remove the code that was adding KOHA_VERSION as a template variable

Test plan:
1. Apply patch
2. Go to several different pages in Koha (opac and intranet) while
   checking your browser's dev tools (there should be no 404 for JS and
   CSS files, and the Koha version should appear in filenames) and the
   server logs (there should be no "File not found")
3. `git grep KOHA_VERSION` should return nothing
4. prove t/db_dependent/Koha/Template/Plugin/Asset.t

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-13 11:49:44 -03:00
f3b8f17395 Bug 20518: Don't show "Messages" header and link on patron details if there are no messages
This patch modifies the patron detail page so that the "Messages" header
is not displayed if there are no messages.

Unrelated: A minor change was made to moremember.pl to quiet an error in
the log, "Use of uninitialized value $print in string eq at
members/moremember.pl line 219."

To test, apply the patch and open the detail page for a patron who has
no messages. There should be no "Messages" header or "add message" link.

Add a message to the patron's account. The message should appear, along
with the "Messages" header and "add message" link.

The error logs should show no errors.

Signed-off-by: Maksim Sen <maksim.sen@inlibro.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-11 16:45:09 -03:00
b4c23e1a3e Bug 18789: Use Koha::Patron->image from the templates
Now that we have the 'patron' variable in all our templates, we can call
Koha::Patron->image and do the check from the templates.

Test plan:
On the different pages of the patron module, you should see the default
image if there is no image attached or the one that has been attached
(see pref patronimages)

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-16 13:03:58 -03:00
0ab22e1c7c Bug 18789: Send Koha::Patron object to the templates
In order to simplify and make uniform the code, the controller scripts send
a Koha::Patron object to the templates instead of all attributes of a patron.

That will make the code much more easier to maintain and will be less
error-prone.

The variable "patron" sent to the templates is supposed to represent the
patron the librarian is editing the detail.

In the members module and some scripts of the circulation module, the
patron's detail are sent one by one to the template. That leads to
frustration from developpers (making sure everything is passed from all
scripts) and to regression (we got tone of bugs in the last year because
of this way to do).
With this patch set it will be easy access patron's detail, passing only
1 variable from the controllers.

Test plan:
Play with the patron and circulation module and make sur the detail of
the patron you are editing/seeing info are correctly displayed.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-16 13:03:58 -03:00
047ca33a93 Bug 19641: Move patron templates to the footer
This patch modifies the staff client patron module templates so that
JavaScript is included in the footer instead of the header.

This patch touches a lot of files because the changes are all
interdependent, affecting a couple of module-wide include files.

To test, apply the patch and test the JavaScript-driven features of the
modified templates: All button controls, DataTables functionality, tabs,
etc.

Patrons -> Patrons home, patron search results
  -> Manage pending modification requests
  -> Patron detail page
    -> Edit patron
      -> Set guarantor
    -> Fines
       -> Account, Pay fines, Create manual invoice, Create manual
          credit
       -> Print receipts for different kinds of charges
    -> Routing lists
    -> Circulation history
    -> Holds history
    -> Notices
    -> Statistics
    -> Files
    -> Purchase suggestions
    -> Discharges
    -> Housebound
    -> Set permissions
    -> Change password
    -> Print summary, slips, and overdues
    -> Update child to adult patron type

Patron toolbar and patron search bar operations should work correctly on
all pages.

This patch also updates the template for searching the Norwegian
national patron database, but it has NOT been tested.

Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>

Signed-off-by: Zoe Bennett <zoebennett1308@gmail.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-15 13:30:23 -03:00
fda87270ad Bug 18403: Guarantors
Technically a kid from your library group could have a guarantor
attached to another
group of library, let's deal with this case.

Test plan:
- Create a kid from your library group
- With a superlibrarian staff user create a guarantor that is outside of
the group of
libraries of the kid
- Login with a limited staff user and confirm that on the patron detail
page you do not
see the link to the guarantor detail page.

Note that you see the firstname and surname of the guarantor
Q. should it be hidden?

Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:41 -03:00
cee2cf9ff9 Bug 18403: Add sub output_and_exit_if_error - unknown_patron & cannot_see_patron_infos
Test plan:
Login with a patron that is not allowed to see patron's information for patrons
outside of his group. Try to access patron's information from scripts of the patron
module (members/*) and circ/circulation.pl.
You should be able to access patron's information of patrons outside of your group
and get "You are not allowed to see the information of this patron."
If you try and access a patron page with a borrowernumber that does not exist, you
should get "This patron does not exist"

Technical note:
A new C4::Output subroutine is created in this patch: "output_and_exit_if_error"
Executed at the beginning of the script it will permit not to copy/paste all the
different checks to know if the logged in user is authorised to see patron's information.
The design here can be discussed, but I did not find an alternative with as less changes.
On the way I refactor what we did with 'unknowuser' previously: it will now work with all
patron pages, not only the few that used it.
Note that the 'or die "Not logged in";' part should not be needed, but... who trusts
C4::Auth?
I think it could be used as a safeguard later. I am willing to sed and remove them
if required.

Changes in discharge.pl are mainly indentation changes.

With this patch we should now have a $patron variable that refer to the patron we
want to access. That will be very useful to remove plenty of code in members/* and
only pass this variable to the template (instead of 1 variable per patron's attribute).

Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:38 -03:00
Liz Rea
0927962b45 Bug 19801: Display messages on user details page as well as on check out page
To test:

Look up a borrower, add a message (internal or opac)
Click the Details tab for that borrower
Messages should be displayed above the user information [is this the right place? it could go below]
adding messages on this page should make them immediately available
deleting messages on this page should delete them immediately and bring you back to the detail page.

Basically, make sure messages work from both the Check out and detail pages and that there are no typos.

Messages should work the same as they always have from the Check Out page.

sponsored-by: Catalyst IT
Signed-off-by: Simon Pouchol <simon.pouchol@biblibre.com>

Signed-off-by: Marjorie Vila <marjorie.barry-vila@collecto.ca>
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>

Bug 19801 - Fixes for QA

- Fixes indentation
- changes messages to patron_messages (even though it's not like that on the circulation page.)

Signed-off-by: Marjorie Vila <marjorie.barry-vila@collecto.ca>
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>
2018-02-08 17:01:14 -03:00
0ad922011c Bug 12904: Force browser to load new javascript files after upgrade
This patch has been automatically generated using:
  perl kv.pl **/*.tt **/*.inc

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
2018-02-08 14:53:24 -03:00
Amit Gupta
e0e063a85b Bug 19612: Fix XSS in members/memberentry.pl
To Test
1. Hit the page /cgi-bin/koha/members/memberentry.pl
2. Add a text in the field address, address2, city, state, country,
   zipcode, B_streetnumber, B_city, B_country, B_zipcode that contains js
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-01-09 16:01:50 -03:00
ebd7c422b4 Bug 19456: Make patron-title ability to be generated with or without html tags
Modified pages:
circ/circulation.pl
circ/circulation_batch_checkouts.pl
members/boraccount.pl
members/files.pl
members/holdshistory.pl
members/housebound.pl
members/moremember.pl
members/notices.pl
members/purchase-suggestions.pl
members/readingrec.pl
members/routing-lists.pl
members/statistics.pl

Test plan:
0) Do not apply the patch
1) Have a patron with title/salution filled in
2) Confirm bug, go for example to circ/circulation page and see there is
html in <title> tag (you can see it in your browser page/window title)
3) Apply the patch
4) Go through circulation/patron pages (see modified page above) and
confirm there is no html in <title> tag, but on the page itself the
salutation should be in <span class="patron-title">

Signed-off-by: David Bourgalt <david.bourgault@inlibro.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-12-07 09:37:10 -03:00
Katrin Fischer
82f183c5ea Bug 19129 - Clean up Details tab for Organisation patrons
Problem: A patron category "I" would cause display problems
on the details in the intranet. This is because the templates
confused patron category "I" with patron type "I" (organisation).

Patch:
- Cleans up variable confusion between categorycode and
  categorytype.
- The template contained code to change the labels below
  the address to 'Organisational phone:" etc., I have removed
  this part as it does not match the edit form anymore.
- Initials, date of birth and gender are still hidden for
  organisation - matching the edit form.

Bonus:
- The patron category description was missing on the
  right and left side of the details tab. Now it displays.
- Fixes some html issues:
  - doubled up class attribute in a tag
  - doubled up </li></li>

To test:
- Create 3 patrons
  - patron category code doesn't matter, but category type organisation
  - patron category code 'I', category type NOT organisation
  - patron category code NOT I, category type NOT organisaton
- Check details tab in patron account in staff for all 3
  - Verify patron category description shows correctly
  - Verify information added to the account displays correctly
    (phone numbers, emails, ...)

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-01 13:02:23 -03:00
a66c0b1dd7 Bug 18469: QA Follow-up
Restore datepicker class
Use Koha.Preference
Copy changes to moremember

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-15 12:17:43 -03:00
40cd76882e Bug 17762: Add the lang attribute to the patron form
Not the opac because we do not want the patron to modify it, they won't
be necessary translated.

Sponsored-by: Orex Digital

Signed-off-by: Hugo Agud <hagud@orex.es>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-09 20:56:40 +00:00
3c344c20cf Bug 18553 - Incorrect "Loading..." tag on moremember.tt when no clubs defined
To test:
1 - Have no clubs
2 - View Details tab for a patron
3 - Note the 'Loading' tag near the tabs
4 - Apply patch
5 - Load patron details and notice 'Loading' is gone
6 - Add a club and verify tab shows as expected

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-09 07:50:07 -04:00
589aa06991 Bug 12461 [QA Followup]
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-04-28 08:37:44 -04:00
95429af685 Bug 12461 - Add patron clubs feature
This features would add the ability to create clubs which patrons may be
enrolled in. It would be particularly useful for tracking summer reading
programs, book clubs and other such clubs.

Test Plan:
1) Apply this patch
2) Run updatedatabase.pl
3) Ensure your staff user has the new 'Patron clubs' permissions
4) Under the tools menu, click the "Patron clubs" link
5) Create a new club template
   * Here you can add fields that can be filled out at the time
     a new club is created based on the template, or a new enrollment
     is created for a given club based on the template.
6) Create a new club based on that template
7) Attempt to enroll a patron in that club
8) Create a club with email required set
9) Attempt to enroll a patron without an email address in that club
10) Create a club that is enrollable from the OPAC
11) Attempt to enroll a patron in that club
12) Attempt to cancel a club enrollment from the OPAC
13) Attempt to cancel a club enrollment from the staff interface

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-04-28 08:37:44 -04:00
b0dc5fc0f3 Bug 15498: Let the user choose the CSV profile to export circ history
The way the export options are displayed at the bottom of the checkouts table
was not consistent.
Prior to this patch set, they are display if ExportRemoveFields or
ExportWithCsvProfile is set.
It does not make any sense, the user could want to export the checkouts in
iso2709 format without having to define a csv profile and fill the pref.

Moreover the behavior of this pref did not match its description: it's used as
a default CSV profile when exporting records from the export tools or the
command line.

This patch set adds a new pref ExportCircHistory and remove
ExportWithCsvProfile. The new pref is set if ExportWithCsvProfile or
ExportRemoveFields were set.
A new dropdown list with the CSV profile list will be displayed in the
export area, at the bottom of the checkouts table.

Note that now --csv_profile_id is mandatory for the export command line
(misc/export_records.pl) if the export format is csv.

Test plan:
0/ Do not execute the DB entry
1/ Clear both ExportWithCsvProfile and ExportRemoveFields prefs
2/ Execute the DB entry
3/ ExportCircHistory should not be set and the export options should not
be displayed at the bottom of the checkouts table.
4/ Remove the pref
  DELETE FROM systempreferences WHERE variable='ExportCircHistory';
and reinsert the previous one, with a value:
  INSERT INTO systempreferences (variable, value) VALUES
  ('ExportWithCsvProfile', 'something');
Execute the DB entry again
=> The now pref should be now set
5/ Export some checkouts using the CSV entry
6/ Note that the export tool and commandline script still work using the
csv format. You have to provide a --csv_profile_id option to make it
work.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-03-31 11:13:47 +00:00
Kyle M Hall
8255344215 Revert "Bug 12461 - Add patron clubs feature"
This reverts commit 4f1eefdbb8.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-02-26 20:41:27 -05:00
4f1eefdbb8 Bug 12461 - Add patron clubs feature
This features would add the ability to create clubs which patrons may be
enrolled in. It would be particularly useful for tracking summer reading
programs, book clubs and other such clubs.

Test Plan:
1) Apply this patch
2) Run updatedatabase.pl
3) Ensure your staff user has the new 'Patron clubs' permissions
4) Under the tools menu, click the "Patron clubs" link
5) Create a new club template
   * Here you can add fields that can be filled out at the time
     a new club is created based on the template, or a new enrollment
     is created for a given club based on the template.
6) Create a new club based on that template
7) Attempt to enroll a patron in that club
8) Create a club with email required set
9) Attempt to enroll a patron without an email address in that club
10) Create a club that is enrollable from the OPAC
11) Attempt to enroll a patron in that club
12) Attempt to cancel a club enrollment from the OPAC
13) Attempt to cancel a club enrollment from the staff interface

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
2017-02-23 19:42:36 +00:00
804677265e Bug 16239: Update templates
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-13 14:41:22 +00:00
e17209de48 Bug 17434: Moremember displaying primary and secondary phone number twice
Test plan:
1) Create patron category with category code "P" and create a patron
with this category
2) Fill in either the primary or other phone number
3) Go to patron details page (moremember.pl)
=> without patch you see primary/other phone duplicated
=> with patch you should see the number only once as expected

Signed-off-by: Lucio Moraes <lmoraes@catalyst.net.nz>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-10-28 11:46:24 +00:00
bbcb2fbeaf Bug 14610 [QA Followup] - Implement staff patron tab
Also fixes a few other minor issues

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-10-26 12:15:17 +00:00
c517689bb6 Bug 5670: Use Koha.Preference to retrieve syspref from templates
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-10-21 18:18:09 +00:00
Alex Sassmannshausen
20c2ea7d3a Bug 5670: [Followup] Add 'step 4' edit button.
* koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt:
  Place housebound role form inside the 'step 4' section.
* koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt:
  Add 'step 4' edit button for housebound role.

Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-10-21 18:18:08 +00:00
Alex Sassmannshausen
88f4b828f5 Bug 5670: [QA Followup] Display HouseboundRole info.
* Koha/Patron.pm (housebound_role): New method.
* koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt: Add
  section for HouseboundRole information
* members/moremember.pl: Pass HouseboundRole info to template.

Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-10-21 18:18:06 +00:00
1d0d5f1398 Bug 17365: Fix XSS in moremember.pl and memberentry.pl
There are certainly hundred of places where they are not escaped...

Test plan:
Create a patron with "Arun <script>alert('code injection');</script>" in
some of the fields.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-10-11 16:19:56 +00:00
Andreas Roussos
0f4644a5bf Bug 17312 - Typo in members-toolbar.inc / moremember-brief.tt / moremember.tt
The following three templates are using [% guarantorborrowernumber %]
while they should be using [% guarantor.borrowernumber %]:

members/members-toolbar.inc
members/moremember-brief.tt
members/moremember.tt

This doesn't result in any breakage; just a couple of 'Edit' links that
do not pass the guarantorid in the URL, and one case where guarantor
information is not shown in the staff client.

This patch fixes that.

Test plan:
0) [PREREQUISITE] Create a patron with a guarantor if you don't have one.
1) Go to Home > Patrons and search for a patron that has a guarantor. In
   the Details page for that patron, the 'Edit' link in the toolbar does
   not pass the guarantor's id in the URL (...&guarantorid=&...).
2) In the same page, the 'Edit' link under the patrons name (immediately
   under 'Guarantor') again does not include the guarantor id in the URL.
3) Go to Home > Patrons and click on 'New patron'. Pick any category from
   the drop down menu. Enter the Surname, First name, and Date of birth
   of the patron you used in step 1). This triggers the 'Duplicate patron
   record?' warning -- click on 'View existing record' and notice how the
   guarantor information is missing.
4) Apply the patch.
5) Repeat steps 1), 2), and 3) above. The URLs are fixed and patron info
   is showing.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:51:56 +00:00
11bf7e7bef Bug 17146: Fix CSRF in picture-upload.pl
If an attacker can get an authenticated Koha user to visit their page
with the
url below, they can change or delete patrons' images
/tools/picture-upload.pl?op=Delete&borrowernumber=42

Test plan:
1/ Hit /tools/picture-upload.pl?op=Delete&borrowernumber=42
And confirm that you get a "Wrong CSRF token" error
2/ Go on the patron detail page with a patron's image
3/ Click on the Delete link (note the csrf_token param)
4/ The image will be deleted and you are redirected to the patron detail
page.

Regression tests:
Upload an image from the patron detail page and from the "upload patron
images" tool.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:33:58 +00:00
777355089a Bug 17284 - Patron details page ( moremember.pl ) show logged in library as patron's home library
The patron details page always show the logged in library as the
patron's home library instead of the true home library. This bug is
particular to moremember.pl and does not affect other patron pages.

Test Plan:
1) Find a patron with a home library other than the logged in library
2) Note the patron home library as shown on moremember.pl matches
   the logged in library and not the patron's true home library
3) Apply this patch
4) Reload moremember.pl, the correct home library should display!

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-12 09:04:43 +00:00
453e8e7235 Bug 16908: Koha::Patrons - Remove GetSortDetails
This subroutine was only used in one script and its job is the same as
GetAuthorisedValueByCode.
It's better to use the AuthorisedValues TT plugin to retrieve AV
descriptions.

Test plan:
Edit a patron with sort1 and/or sort2 defined.
On the patron details page (members/moremember.pl) you should see the
sort1 and/or sort2 info displayed.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-09 13:12:28 +00:00
19a977dc7b Bug 15758: Koha::Libraries - Remove GetBranchName
This is the fourth and last patch set to remove C4::Branch.
The real purpose of this patch is to standardise and refactor some code
which is related to the libraries selection/display.
Its unconfessed purpose is to remove the C4::Branch package.

Before this patch set, only 6 subroutines still existed in the C4::Branch
package:
- GetBranchName
- GetBranchesLoop
- mybranch
- onlymine
- GetBranches
- GetBranch

GetBranchName basically returns the branchname for a given branchcode.
The branchname is only used for a display purpose and we don't need to
retrieve it in package or pl scripts (unless for a few exceptions).
We have a `Branches` template plugin with a `GetName` method which does
exactly this job.
To achieve this removal, we will use this template plugin and delete the
GetBranchName from pl and pm files.
The `Branches.all()` will now select the library of the logged in user
if no `selected` parameter has been passed.
This new behavior could cause regressions, for instance there are some
places where we do not want an option preselected (batch item
modification for instance), keep that in mind when testing.

GetBranchesLoop took 3 parameters: $branch and $onlymine.
The first one was used to set a "selected" flag, for a display purpose:
select an option in the libraries dropdown lists.
The second one was useless: If not passed or set to 0, the
`C4::Branch::onlymine` subroutine was called.
This onlymine flag was use to know if the logged in user was able to see
other libraries infos.
A patron can see the infos from other libraries if IndependentBranches
is not set OR if he has the superlibrarian permission.
Prior to this patch set, the "onlymine test" was done on different
places (neworderempty.pl, additem.pl, holidays.pl, etc.), including the
Branches TT plugin. In this patch set, this test is only done on one
place (C4::Context::only_my_library, code moved from
C4::Branch::onlymine).
To accomplish the same job as this subroutine, we just need to call the
`Branches.all()` method from the `Branches` TT plugin. It already
accepts a `selected` parameter to set a flag on the option to select.
To avoid the repetitive
  [% IF selected %]<option selected="selected">[% ELSE %]<option>[% END %]
pattern, a new `html_helpers` TT include file has been created, it
defines an `options_for_libraries` block, which takes a `selected`
parameter. We could imagine to use this include file for other
selects.

The 'mybranch` and `onlymine` subroutines of the C4::Branch package have
been moved to C4::Context. onlymine has been renamed with
only_my_library. There are only 4 occurrences of it, against 11 before
this patch set.
There 2 subroutines are Context-centric and it makes sense to put them
in `C4::Context` (at least it's the least worst place!)

GetBranches is the tricky part of this patch set: It retrieves all the
libraries, independently of the value of IndependentBranches.
To keep the same way as the existing calls of `Branches.all()`, I have
added a `unfiltered` parameter. If set, the `Branches.all()` will call
a usual Koha::Libraries->search method, otherwise
Koha::Libraries->search_filtered will be called. This new method will
check if the logged in user is allowed to see other libraries or only
its library.
Note that this `GetBranches` subroutine also created a `category` key:
it allowed to get the list of groups (of libraries) where this library
existed. Thanks to a previous patch set (bug 15295), this value was
not used anymore (I may have missed something!).

Note that the only use of `GetBranch` was buggy (see bug 15746).

Test plan (for the whole patch set):
The best way to test this whole patch set is to test with 2 instances: 1
with the patch set applied, 1 using master, to be sure there is no
regression.
It would be good to test the same with `IndependentBranches` and the
without `IndependentBranches`.
No difference should be found.
The tester must focus on the library dropdowns on as many forms as
possible.
You will notice changes in the order of the options: the libraries will
now be ordered by branchname (instead of branchcode in some places).
A special attention will be given to the following page:
- acqui/neworderempty.pl
- catalogue/search.pl
- members/members-home.pl (header?)
- opac/opac-topissues.pl
- tools/holidays.pl
- admin/branch_transfer_limits.pl
- admin/item_circulation_alerts.pl
- rotating_collections/transferCollection.pl
- suggestion/suggestion.pl
- tools/export.pl

Notes for QA:
- There are 2 FIXMEs in the patch set, I have kept the existing behavior,
but I am not sure it's the good one. Feel free to open a bug report and
I will fill a patch if you think it's not correct. Otherwise, remove the
FIXME lines in a follow-up patch.
- The whole patch set is huge and makes a lot of changes.
But it finally will tremendously reduce the number of lines:
716 insertions for 1910 deletions

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-08 14:36:01 +00:00
363e45a5eb Bug 14060: Force the input to contain a valid date
Before this patch, the user was still allowed to enter a valid date.
Now, if the date is not valid, the input is emptied.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-08 12:04:20 +00:00
Jonathan Druart
d53fb6db6a Bug 14060: Add OnClose event on missing datepicker
The "suspend until" inputs (hold list on circ/circulation.pl and
members/moremember.pl) were not set in the same way.
The minDate option should be set for both (bug 10703 removed it for
circ/circulation.pl).
This patch reintroduces the option and add the OnClose event on both.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-08 12:04:19 +00:00
Jonathan Druart
f91ed3d8bf Bug 14060: Remove readonly attributes on date inputs
In order to remove accessibility issues due to the readonly attributes
on date inputs, this patch will remove them and introduce a javascript
validation on them.

This patch is not perfect for some reason:
I didn't manage to force the user to select a valid date. One solution
would be to reopen the datepicker plugin until a valid date is inserted.
But it could be annoying for users (and for me: I did not manage to
implement this solution).
You will note that input is emptied if the date is not valid. This is a
quick and efficient solution to prevent submitting invalid date and make
Koha explodes. A proper solution would be to implement the check server
side send a friendly message to the user.

Test plan:
For all inputs, try an invalid and a valid date.
 1/ Debar a patron
 2/ On the checkout tables (circulation and moremember), add a renewal
due date (at the bottom of the tables)
 3/ On the checkout page, specify a due date
 4/ On the return page, specify a return date
 5/ On the invoice page (acquisition module), enter a shipment and
billing date
 6/ On the invoice search page (invoices.pl) use filters shipment and
billing dates
 7/ On the offline circ page, specify a due date
 8/ On the edit patron page (memberentry), add a debarment
 9/ On the reserve page (reserve/request.pl), use the date inputs to
suspend until a defined date
10/ Edit patrons in a batch (tools/modborrowers.pl) and use the
registration and expiry date inputs

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-08 12:04:19 +00:00
27a7cdef1a Bug 16893: Missing closing tag disrupts patron detail page style
A missing closing </i> causes the the patron detail page to be in all
italics if the patron has a restriction message. This patch corrects it.

To test, apply the patch and locate a patron who has a restriction
message. The restriction message should be in italics but the rest of
the page should display normally.

Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Rest of the page displayed normally

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-07-15 15:03:58 +00:00
Marc Véron
03795b65d5 Bug 10760: Alternate Address: Display street number and street type
This patch displays alternate streetnumber and street type on patron's
detail page.

To test:
- Apply patch
- Verify that the alternate address information displays follwing the
  setting in syspref AddressFormat and contains street type and
  street number (as appropriate)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-07-08 13:45:41 +00:00
Alex Sassmannshausen
6a493842cf Bug 6906 - show 'Borrower has previously issued...
New feature: provide granular means to configure warnings about items
that have been issued to a particular borrower before, according to
their checkout history.

- Global syspref ('CheckPrevCheckout'), set to 'hardno' by default,
  allows users to enable this feature library wide.
- Per patron category pref allows libraries to create overrides per
  category, falling back on the global setting by default.
- Per patron pref allows switching the functionality on at the level
  of patron. Fall-back to category settings by default.

* Koha/Patron (wantsCheckPrevCheckout, doCheckPrevCheckout): New
  methods.
* C4/Circulation.pm (CanBookBeIssued): Introduce CheckPrevCheckout
  check.
* admin/categories.pl: Pass along checkprevcheckout.
* koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt: Expose
  CheckPrevCheckout per category setting.
* koha-tmpl/intranet-tmpl/prog/en/modules/preferences/patrons.pref:
  Expose CheckPrevCheckout syspref.
* koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt:
  Expose per patron CheckPrevCheckout preference.
* koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt: Expose
  per patron CheckPrevCheckout preference.
* koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt: Add
  'CHECKPREVCHECKOUT' confirmation message.
* installer/data/mysql/kohastructure.sql: Modify structure of
  'categories', 'borrowers', 'oldborrowers'.
* installer/data/mysql/sysprefs.sql: Add 'CheckPrevCheckout'.
* installer/data/mysql/atomicupdate/checkPrevCheckout.sql: New file.
* t/db_dependent/Patron/CheckPrevCheckout.t: New file with unit tests.

Test plan:
- Apply patch.
- Run updatedatabase.
- Regenerate Koha Schema files.
- Run the unit tests.
- Verify 'CheckPrevCheckout' is visible in Patrons sysprefs and can be
  switched to 'hardyes', 'softyes', 'softno' and 'hardno'.
  + Check out previously checked out items to a patron, checking the
    message appears as expected.
- Verify no 'Check previous checkouts' setting appears on the borrower
  category pages if the syspref is set to a 'hard' option.
- Verify 'Check previous checkouts' setting appears on the borrower
  category pages and can be modified per borrower category.
  + Issue previously issued items to a borrower, checking the message
    appears as expected (This setting should override the default
    setting if that is set to a 'soft' option).
- Verify no 'Check previous checkouts' setting appears on the individual
  borrower pages if the syspref is set to a 'hard' option.
- Verify 'Check previous checkouts' setting appears on individual
  borrower pages and can be modified.
  + Issue previously issued items to a borrower, checking the message
    appears as expected (This setting should override the category
    setting and the default setting if the latter is set to a 'soft'
    option).

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-07-08 13:40:08 +00:00