Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Code and variables to deal with the update child feature are not
centralized but copied/pasted in several scripts. Which leads to issues
obsviously (bug 20805 for instance).
Moreover the strings used by the templates are also in several template
files (or .inc)
To deal with that this patch introduces the idea to create 1 .inc file
per .js file
Here we have members-menu.inc for members-menu.js
Test plan:
- Remove all your adult categories (categories.category_type='A')
- Create a patron with a child category
- Try to update to adult category
=> The entry does no longer appears! (This is a change in the behaviour)
- Create one adult category
- Update to adult category
=> There is a JS confirmation message, if you accept the patron will
be updated to the adult category
- Create (at least) another adult category
- Create another child
- Update to adult category
=> No more confirmation message but a popup to select the adult category
- Pick one
=> The patron has been updated to the adult category
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
TO test:
1 - Be signed in to Koha
2 - Add a manual invoice to an account, works fine
3 - Now do it via url: http://localhost:8081/cgi-bin/koha/members/maninvoice.pl?borrowernumber=5&type=test&amount=5&add=Save
4 - Apply patches
5 - Test that everything continues to work as expected (but more securely)
6 - Try adding a new invoice via URL
7 - Should get 'internal server error' and wrong csrf token in logs
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
TEST PLAN
---------
In the staff client on a kohadevbox:
1) Enable the HouseboundModule system preference.
2) Enable the EnableBorrowerFiles system preference.
3) Go to a patron detail page.
-- note the Home library is shown.
4) Go to Fines tab (left pane)
-- Home library is still shown.
5) Click each of the four horizontal tabs
(Account, Pay fines, Create manual invoice,
Create manual credit)
-- Home library not visible for both create tabs
and the account tab
6) Click the 'Create manual invoice' tab, and create
some kind of entry.
7) On the 'Account' tab, the table has a 'Details' button.
Click that.
-- Home library not visible.
8) Click the 'Details' tab in the left pane.
9) Click 'More' button and choose 'Delete'
-- Home library not visible when asked for delete
confirmation.
10) Cancel that, and if you know how to actually
set up the Norwegian system preferences you can
figure out how to test the nl-search change.
After seeing all these not visible, apply this patch.
Repeat all the steps, but this time the Home library
should be visible.
Works OK.
Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Having to write [% KOHA_VERSION %] for each url is bad because:
- It's easily forgettable when adding new <script> or <link>
- It prevents grep'ing for the full filename
- It violates the DRY principle
- If at some point we want to change the "force js and css reload"
mechanism, it will be tedious
This patch:
- adds a Template::Toolkit plugin that generates <script> and
<link> tags for JS and CSS files, and inserts automatically the Koha
version in the filename
- use the new plugin to remove all occurences of [% KOHA_VERSION %]
- remove the code that was adding KOHA_VERSION as a template variable
Test plan:
1. Apply patch
2. Go to several different pages in Koha (opac and intranet) while
checking your browser's dev tools (there should be no 404 for JS and
CSS files, and the Koha version should appear in filenames) and the
server logs (there should be no "File not found")
3. `git grep KOHA_VERSION` should return nothing
4. prove t/db_dependent/Koha/Template/Plugin/Asset.t
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
In order to simplify and make uniform the code, the controller scripts send
a Koha::Patron object to the templates instead of all attributes of a patron.
That will make the code much more easier to maintain and will be less
error-prone.
The variable "patron" sent to the templates is supposed to represent the
patron the librarian is editing the detail.
In the members module and some scripts of the circulation module, the
patron's detail are sent one by one to the template. That leads to
frustration from developpers (making sure everything is passed from all
scripts) and to regression (we got tone of bugs in the last year because
of this way to do).
With this patch set it will be easy access patron's detail, passing only
1 variable from the controllers.
Test plan:
Play with the patron and circulation module and make sur the detail of
the patron you are editing/seeing info are correctly displayed.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies the staff client patron module templates so that
JavaScript is included in the footer instead of the header.
This patch touches a lot of files because the changes are all
interdependent, affecting a couple of module-wide include files.
To test, apply the patch and test the JavaScript-driven features of the
modified templates: All button controls, DataTables functionality, tabs,
etc.
Patrons -> Patrons home, patron search results
-> Manage pending modification requests
-> Patron detail page
-> Edit patron
-> Set guarantor
-> Fines
-> Account, Pay fines, Create manual invoice, Create manual
credit
-> Print receipts for different kinds of charges
-> Routing lists
-> Circulation history
-> Holds history
-> Notices
-> Statistics
-> Files
-> Purchase suggestions
-> Discharges
-> Housebound
-> Set permissions
-> Change password
-> Print summary, slips, and overdues
-> Update child to adult patron type
Patron toolbar and patron search bar operations should work correctly on
all pages.
This patch also updates the template for searching the Norwegian
national patron database, but it has NOT been tested.
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Zoe Bennett <zoebennett1308@gmail.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
There are many patron-related templates which still use event attributes
to define events. This patch updates these templates so that events are
defined in JavaScript.
To test apply the patch and check out to a patron.
- From the Print menu in the toolbar, choose "Print summary." The patron
summary page should open and the print dialog should be automatically
triggered.
- From the Print menu in the toolbar, choose "Print slip." The patron
slip page should open and the print dialog should be automatically
triggered.
- From the Print menu in the toolbar, choose "Print quick slip." The
patron quick slip page should open and the print dialog should be
automatically triggered.
- Click the patron's "Fines" tab in the left-hand sidebar and then
choose the "Account" tab.
-- Click the "Print" button for an account payment (the link should
point to printfeercpt.pl). A print receipt page should open and
the print dialog should be automatically triggered.
-- Follow the same procedure for a transaction which is not an account
payment (the link should point to printinvoice.pl).
- Click the "Create manual invoice" tab.
-- Select one of the "type" choices. Doing so should automatically
populate the "Description" field with the corresponding code.
-- If necessary, define one or more values for the MANUAL_INV
authorized value and confirm that those invoice types work as well.
- From the patron's "Pay fines" tab, click the "Pay amount" button. In
the "collect from patron" field, enter any combination of letters,
numbers, and symbols. When you tab away from that field your text
should be reformatted to currency format.
- From the patrons home page, change the filter in the left-hand sidebar
and submit it. The correct results should be returned.
Signed-off-by: EricGosselin <eric.gosselin.5@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch displays the address information in the left column of the patron's pages using the new system preference.
The address is formatted in member-display-address-style-us.inc and member-display-address-style-de.inc
To test:
- Apply patch on top of 1st and 2nd patch
- Select 'German style' in system preference 'addressformat' in I18N/L10N
- Verify that the address information displays properly in the left column of all patron's pages.
- Verify that the address displays properly in the main area of moremember.pl as well (Note: In right column, Alternate address /contact are not yet touched))
- Switch system preference to US style, repeat checks
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
AMending without changes to put this patch at the end of the patch list / Marc
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
If a manual invoice/credit amount is not correctly set, it should not be
accepted.
Test plan:
Try to create a manual invoice and a manual credit with an amount containing
something else than numbers.
It should not be possible.
Followed test plan. Patch behaves OK, including that negative values are not allowed.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Differences between circ-menu.tt and circ-menu.inc always crop up when a
new menu item is added--usually only to circ-menu.inc as happened with
Bug 9261.
Other sidebar differences are present due to differences in the patron
data passed by various patron-related script to their templates. This
patch also irons out some of these inconsistencies.
To test, apply the patch and check out to a patron whose record has more
than just basic data: othername, country, patron attributes, street
number, road types, etc. View the following pages and compare the patron
data and visible tabs to confirm that they match:
circ/circulation.pl?borrowernumber=X
members/boraccount.pl?borrowernumber=X
members/files.pl?borrowernumber=X
members/mancredit.pl?borrowernumber=X
members/maninvoice.pl?borrowernumber=X
members/member-flags.pl?member=X
members/member-password.pl?member=X
members/moremember.pl?borrowernumber=X
members/notices.pl?borrowernumber=X
members/pay.pl?borrowernumber=X
members/paycollect.pl?borrowernumber=X
members/purchase-suggestions.pl?borrowernumber=X
members/readingrec.pl?borrowernumber=X
members/routing-lists.pl?borrowernumber=X
members/statistics.pl?borrowernumber=X
tools/viewlog.pl?do_it=1&modules=MEMBERS&modules=circulation&src=circ&object=X
The only difference I've found which is not fixed by this patch is the
display of extended patron attributes in the sidebar of moremember.pl.
This is a piecemeal fix for a problem which really deserves a
centralized solution, but at least it gets us back to consistency for
the moment.
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Going through all tabs shows consistency is back. A mid term solution should
implement this in a centralized way. Great job Owen!
No koha-qa errors btw.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Test plan:
To test on modified pages:
- Press enter when cursor is on input or select and verify the form is not
submitted.
Signed-off-by: Christopher Brannon <cbrannon@cdalibrary.org>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Works as described.
To test: Create patron account with outstanding fines. Open "Fines" tab.
Confirm that capitalization is correct.
Sponsored-by: Hochschule für Gesundheit (hsg), Germany
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
String patch.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Adds a course reserves system for academic libraries.
The course reserves system allows libraries to create courses
and put items on reserves for those courses.
Each item with at least one reserve can have some of its attributes
modified while it is on reserve for at least one active course.
These attributes include item type, collection code, shelving location,
and holding library. If there are no active courses with this item
on reserve, it's attributes will revert to the original attributes
it had before going on reserve.
Test Plan:
1) Create new authorised value categories DEPARTMENT and TERM
2) Create a new course, add instructors to that course.
3) Reserve items for that course, verify item attributes have changed.
4) Disable course, verify item attributes have reverted.
5) Enable course again, verify item attributes again.
6) Delete course, verify item attributes again.
7) Create two new courses, add the same item(s) to both courses.
8) Disable one course, verify item attributes have not reverted.
9) Disable both courses, verify item attributes have reverted.
10) Enable one course, verify item attributes are again set to the
new values.
11) Edit reserve item attributes, verify.
12) Disable all courses, edit reserve item attributes, verify
the item itself still has its original attributes, verify
the reserve item attributes have been updated.
13) Verify the ability to remove instructors from a course.
14) Verify new permissions, top level coursereserves, with
subpermissions add_reserves and delete_reserves.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Corinne Bulac <corinne.hayet@bulac.fr>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
http://bugs.koha-community.org/show_bug.cgi?id=8125
Uses preventDoubleForSubmit() to prevent double form submissions in the fines module.
To test:
Create a manual invoice/fine
Create some manual fines, click save like mad - you should get only one fine (without, you will get several if you click madly enough)
Click Pay fines
Pay some fines, clicking save like mad on each. You should only get one payment. (without, you will get several payments)
Create a manual credit
Create a credit, click save like mad. You should only get one credit. (without you will get several if you click madly enough)
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Current jQuery-driven tabs are done using a very old
version of the tabs plugin. This patch upgrades jQueryUI
to the latest version and adds the tabs widget dependency
to the jqueryui js file and updates the syntax for existing
tabs:
- $("#foo > ul").tabs(); changes to $("#foo").tabs();
- Remove full URL from tab links (use #anchor only).
Pages with "static" tabs (tabs which are built in the
markup rather than generated by the plugin) have been
modified to use their own style. Examples: pay.tt in
the staff client and opac-readingrecord.tt in the OPAC.
Edit: Minor revision to some uncorrected markup
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
- Move some content out of table cells
- Improve table markup with <thead>, <tbody>, and <tfoot>
- Improve breadcrumb specificity on paycollect.pl
- Add clearer messages for different actions (Pay selected fines, pay an
individual fine, etc.
- Add client-side warning to pay.pl when writing-off all
- Correcting terminology: When a verb, "write off," when a noun: "Writeoff."
Revision: Correcting tab label case according to Bug 2780 guidelines
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
I checked all 4 fine tabs and performed different fine actions.
The layout on all pages looks clean and correct.
I tested the new client-side warning and made sure it's translatable.
Labels have proper capitalization.
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>