Commit graph

23 commits

Author SHA1 Message Date
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comment (they are allowed here)
update borrower_debarments set comment="html tags possible here";

- From the interface, hit pages and try to catch an alert box.
If you find one, it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
81431ee28a Bug 20226: Centralize update child code (CATCODE_MULTI)
Code and variables to deal with the update child feature are not
centralized but copied/pasted in several scripts, which obviously leads
to issues (bug 20805 for instance).

Moreover the strings used by the templates are also in several template
files (or .inc)

To deal with that this patch introduces the idea to create 1 .inc file
per .js file
Here we have members-menu.inc for members-menu.js

Test plan:
- Remove all your adult categories (categories.category_type='A')
- Create a patron with a child category
- Try to update to adult category
=> The entry no longer appears! (This is a change in the behaviour)
- Create one adult category
- Update to adult category
=> There is a JS confirmation message, if you accept the patron will
be updated to the adult category
- Create (at least) another adult category
- Create another child
- Update to adult category
=> No more confirmation message but a popup to select the adult category
- Pick one
=> The patron has been updated to the adult category

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-14 11:58:26 +00:00
d6f99f0df1 Bug 20701: Add csrf protection to maninvoice.pl
To test:
1 - Be signed in to Koha
2 - Add a manual invoice to an account, works fine
3 - Now do it via url: http://localhost:8081/cgi-bin/koha/members/maninvoice.pl?borrowernumber=5&type=test&amount=5&add=Save
4 - Apply patches
5 - Test that everything continues to work as expected (but more securely)
6 - Try adding a new invoice via URL
7 - Should get 'internal server error' and wrong csrf token in logs

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-05-23 12:19:33 -03:00
Mark Tompsett
3b47ed3f90 Bug 20719: USE Branches in TT files
TEST PLAN
---------
In the staff client on a kohadevbox:
1) Enable the HouseboundModule system preference.
2) Enable the EnableBorrowerFiles system preference.
3) Go to a patron detail page.
   -- note the Home library is shown.
4) Go to Fines tab (left pane)
   -- Home library is still shown.
5) Click each of the four horizontal tabs
   (Account, Pay fines, Create manual invoice,
    Create manual credit)
   -- Home library not visible for both create tabs
      and the account tab
6) Click the 'Create manual invoice' tab, and create
   some kind of entry.
7) On the 'Account' tab, the table has a 'Details' button.
   Click that.
   -- Home library not visible.
8) Click the 'Details' tab in the left pane.
9) Click 'More' button and choose 'Delete'
   -- Home library not visible when asked for delete
      confirmation.
10) Cancel that, and if you know how to actually
    set up the Norwegian system preferences you can
    figure out how to test the nl-search change.

After seeing all these not visible, apply this patch.
Repeat all the steps, but this time the Home library
should be visible.

Works OK.

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-05-11 10:52:45 -03:00
Julian Maurice
ed7543287b Bug 20538: Remove the need of writing [% KOHA_VERSION %] everywhere
Having to write [% KOHA_VERSION %] for each url is bad because:
- It's easily forgettable when adding new <script> or <link>
- It prevents grep'ing for the full filename
- It violates the DRY principle
- If at some point we want to change the "force js and css reload"
  mechanism, it will be tedious

This patch:
- adds a Template::Toolkit plugin that generates <script> and
  <link> tags for JS and CSS files, and inserts automatically the Koha
  version in the filename
- uses the new plugin to remove all occurrences of [% KOHA_VERSION %]
- removes the code that was adding KOHA_VERSION as a template variable

Test plan:
1. Apply patch
2. Go to several different pages in Koha (opac and intranet) while
   checking your browser's dev tools (there should be no 404 for JS and
   CSS files, and the Koha version should appear in filenames) and the
   server logs (there should be no "File not found")
3. `git grep KOHA_VERSION` should return nothing
4. prove t/db_dependent/Koha/Template/Plugin/Asset.t

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-13 11:49:44 -03:00
0ab22e1c7c Bug 18789: Send Koha::Patron object to the templates
In order to simplify and make uniform the code, the controller scripts send
a Koha::Patron object to the templates instead of all attributes of a patron.

That will make the code much easier to maintain and less
error-prone.

The variable "patron" sent to the templates is supposed to represent the
patron whose details the librarian is editing.

In the members module and some scripts of the circulation module, the
patron's details are sent one by one to the template. That leads to
frustration for developers (making sure everything is passed from all
scripts) and to regressions (we got tons of bugs in the last year because
of this way of doing things).
With this patch set it will be easy to access the patron's details, passing only
1 variable from the controllers.

Test plan:
Play with the patron and circulation modules and make sure the details of
the patron you are editing/viewing are correctly displayed.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-16 13:03:58 -03:00
4c45a5011b Bug 19641: (follow-up) Move patron templates to the footer
Fix bad merge conflict with bug 12904

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-15 15:09:37 -03:00
047ca33a93 Bug 19641: Move patron templates to the footer
This patch modifies the staff client patron module templates so that
JavaScript is included in the footer instead of the header.

This patch touches a lot of files because the changes are all
interdependent, affecting a couple of module-wide include files.

To test, apply the patch and test the JavaScript-driven features of the
modified templates: All button controls, DataTables functionality, tabs,
etc.

Patrons -> Patrons home, patron search results
  -> Manage pending modification requests
  -> Patron detail page
    -> Edit patron
      -> Set guarantor
    -> Fines
       -> Account, Pay fines, Create manual invoice, Create manual
          credit
       -> Print receipts for different kinds of charges
    -> Routing lists
    -> Circulation history
    -> Holds history
    -> Notices
    -> Statistics
    -> Files
    -> Purchase suggestions
    -> Discharges
    -> Housebound
    -> Set permissions
    -> Change password
    -> Print summary, slips, and overdues
    -> Update child to adult patron type

Patron toolbar and patron search bar operations should work correctly on
all pages.

This patch also updates the template for searching the Norwegian
national patron database, but it has NOT been tested.

Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>

Signed-off-by: Zoe Bennett <zoebennett1308@gmail.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-15 13:30:23 -03:00
d28c2152ab Bug 17014: Simplify some code
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-03-31 14:33:52 +00:00
a7bdc6eb3e Bug 17014 - Remove more event attributes from patron templates
There are many patron-related templates which still use event attributes
to define events. This patch updates these templates so that events are
defined in JavaScript.

To test apply the patch and check out to a patron.

- From the Print menu in the toolbar, choose "Print summary." The patron
  summary page should open and the print dialog should be automatically
  triggered.

- From the Print menu in the toolbar, choose "Print slip." The patron
  slip page should open and the print dialog should be automatically
  triggered.

- From the Print menu in the toolbar, choose "Print quick slip." The
  patron quick slip page should open and the print dialog should be
  automatically triggered.

- Click the patron's "Fines" tab in the left-hand sidebar and then
  choose the "Account" tab.
  -- Click the "Print" button for an account payment (the link should
     point to printfeercpt.pl). A print receipt page should open and
     the print dialog should be automatically triggered.
  -- Follow the same procedure for a transaction which is not an account
     payment (the link should point to printinvoice.pl).

- Click the "Create manual invoice" tab.
  -- Select one of the "type" choices. Doing so should automatically
     populate the "Description" field with the corresponding code.
  -- If necessary, define one or more values for the MANUAL_INV
     authorized value and confirm that those invoice types work as well.

- From the patron's "Pay fines" tab, click the "Pay amount" button. In
  the "collect from patron" field, enter any combination of letters,
  numbers, and symbols. When you tab away from that field your text
  should be reformatted to currency format.

- From the patrons home page, change the filter in the left-hand sidebar
  and submit it. The correct results should be returned.

Signed-off-by: EricGosselin <eric.gosselin.5@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-03-31 14:33:51 +00:00
Marc Véron
117ee49514 Bug 4041: Third step - Display address on patron's pages using the system preference
This patch displays the address information in the left column of the patron's pages using the new system preference.
The address is formatted in member-display-address-style-us.inc and member-display-address-style-de.inc

To test:
- Apply patch on top of 1st and 2nd patch
- Select 'German style' in system preference 'addressformat' in I18N/L10N
- Verify that the address information displays properly in the left column of all patron's pages.
- Verify that the address displays properly in the main area of moremember.pl as well (Note: In the right column, Alternate address/contact are not yet touched)
- Switch system preference to US style, repeat checks

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Amending without changes to put this patch at the end of the patch list / Marc

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-04-29 11:25:11 -03:00
Jonathan Druart
9bb2dc2ed7 Bug 2542: Replace default value "0" with ""
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-04-08 14:48:17 -03:00
Jonathan Druart
0e279fb2e0 Bug 2542: Validate the amount of a manual invoice/create
If a manual invoice/credit amount is not correctly set, it should not be
accepted.

Test plan:
Try to create a manual invoice and a manual credit with an amount containing
something other than numbers.
It should not be possible.

Followed test plan. Patch behaves OK, including that negative values are not allowed.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-04-08 14:48:12 -03:00
526af4ea07 Bug 12542: Tabs inconsistency in different circ-menu.inc uses
Differences between circ-menu.tt and circ-menu.inc always crop up when a
new menu item is added--usually only to circ-menu.inc as happened with
Bug 9261.

Other sidebar differences are present due to differences in the patron
data passed by various patron-related scripts to their templates. This
patch also irons out some of these inconsistencies.

To test, apply the patch and check out to a patron whose record has more
than just basic data: othername, country, patron attributes, street
number, road types, etc. View the following pages and compare the patron
data and visible tabs to confirm that they match:

circ/circulation.pl?borrowernumber=X
members/boraccount.pl?borrowernumber=X
members/files.pl?borrowernumber=X
members/mancredit.pl?borrowernumber=X
members/maninvoice.pl?borrowernumber=X
members/member-flags.pl?member=X
members/member-password.pl?member=X
members/moremember.pl?borrowernumber=X
members/notices.pl?borrowernumber=X
members/pay.pl?borrowernumber=X
members/paycollect.pl?borrowernumber=X
members/purchase-suggestions.pl?borrowernumber=X
members/readingrec.pl?borrowernumber=X
members/routing-lists.pl?borrowernumber=X
members/statistics.pl?borrowernumber=X
tools/viewlog.pl?do_it=1&modules=MEMBERS&modules=circulation&src=circ&object=X

The only difference I've found which is not fixed by this patch is the
display of extended patron attributes in the sidebar of moremember.pl.
This is a piecemeal fix for a problem which really deserves a
centralized solution, but at least it gets us back to consistency for
the moment.

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Going through all tabs shows consistency is back. A mid term solution should
implement this in a centralized way. Great job Owen!
No koha-qa errors btw.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-07-18 10:41:27 -03:00
Jonathan Druart
2aafa78f08 Bug 11563: (follow-up) improve selector for adding noEnterSubmit to select elements
Test plan:
To test on modified pages:
- Press enter when cursor is on input or select and verify the form is not
submitted.

Signed-off-by: Christopher Brannon <cbrannon@cdalibrary.org>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-04-11 18:04:36 +00:00
Holger Meißner
41a77e659b Bug 11554: Capitalization fix in patron account on fines tab
Works as described.

To test: Create patron account with outstanding fines. Open "Fines" tab.
Confirm that capitalization is correct.

Sponsored-by: Hochschule für Gesundheit (hsg), Germany
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
String patch.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-01-15 15:33:56 +00:00
be869ab279 Bug 8215 - Course Reserves
Adds a course reserves system for academic libraries.

The course reserves system allows libraries to create courses
and put items on reserves for those courses.

Each item with at least one reserve can have some of its attributes
modified while it is on reserve for at least one active course.
These attributes include item type, collection code, shelving location,
and holding library. If there are no active courses with this item
on reserve, its attributes will revert to the original attributes
it had before going on reserve.

Test Plan:
  1) Create new authorised value categories DEPARTMENT and TERM
  2) Create a new course, add instructors to that course.
  3) Reserve items for that course, verify item attributes have changed.
  4) Disable course, verify item attributes have reverted.
  5) Enable course again, verify item attributes again.
  6) Delete course, verify item attributes again.
  7) Create two new courses, add the same item(s) to both courses.
  8) Disable one course, verify item attributes have not reverted.
  9) Disable both courses, verify item attributes have reverted.
 10) Enable one course, verify item attributes are again set to the
     new values.
 11) Edit reserve item attributes, verify.
 12) Disable all courses, edit reserve item attributes, verify
     the item itself still has its original attributes, verify
     the reserve item attributes have been updated.
 13) Verify the ability to remove instructors from a course.
 14) Verify new permissions, top level coursereserves, with
     subpermissions add_reserves and delete_reserves.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Corinne Bulac <corinne.hayet@bulac.fr>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>

http://bugs.koha-community.org/show_bug.cgi?id=8125
2013-05-21 15:50:55 -07:00
Liz Rea
6c6fe37ced Bug 8054 - double clicking can cause duplicate payments/fines
Uses preventDoubleForSubmit() to prevent double form submissions in the fines module.

To test:

Create a manual invoice/fine
Create some manual fines, click save like mad - you should get only one fine (without, you will get several if you click madly enough)

Click Pay fines
Pay some fines, clicking save like mad on each. You should only get one payment. (without, you will get several payments)

Create a manual credit
Create a credit, click save like mad. You should only get one credit. (without you will get several if you click madly enough)

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-03-11 08:14:12 -04:00
68b30468c3 Bug 8143 [REVISED] Upgrade jQuery tabs to current jQueryUI version
Current jQuery-driven tabs are done using a very old
version of the tabs plugin. This patch upgrades jQueryUI
to the latest version and adds the tabs widget dependency
to the jqueryui js file and updates the syntax for existing
tabs:

- $("#foo > ul").tabs(); changes to $("#foo").tabs();
- Remove full URL from tab links (use #anchor only).

Pages with "static" tabs (tabs which are built in the
markup rather than generated by the plugin) have been
modified to use their own style. Examples: pay.tt in
the staff client and opac-readingrecord.tt in the OPAC.

Edit: Minor revision to some uncorrected markup

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-06-10 15:22:58 +02:00
Katrin Fischer
bae9aacb3f Bug 2780 - Capitalize strings consistently (members)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
2012-04-10 10:04:09 +02:00
Katrin Fischer
1fd4a1e8af Bug 7760 - Add ids and classes to every staff page to help with customization (patrons)
Class is 'pat' and ids start with 'pat_'.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
2012-03-22 18:12:30 +01:00
0f80707d7c Bug 7080 - Revised - Clean up interface on fine payment screens
- Move some content out of table cells
- Improve table markup with <thead>, <tbody>, and <tfoot>
- Improve breadcrumb specificity on paycollect.pl
- Add clearer messages for different actions (Pay selected fines, pay an
  individual fine, etc.)
- Add client-side warning to pay.pl when writing-off all
- Correcting terminology: When a verb, "write off," when a noun: "Writeoff."

Revision: Correcting tab label case according to Bug 2780 guidelines

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
I checked all 4 fine tabs and performed different fine actions.
The layout on all pages looks clean and correct.
I tested the new client-side warning and made sure it's translatable.
Labels have proper capitalization.

Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-02-15 16:42:42 +01:00
Chris Cormack
5884fb1000 Bug 5917 : Swapping templates over
2011-04-10 20:38:30 +12:00
Renamed from koha-tt/intranet-tmpl/prog/en/modules/members/maninvoice.tt