Commit graph

24 commits

Author SHA1 Message Date
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
81431ee28a Bug 20226: Centralize update child code (CATCODE_MULTI)
Code and variables to deal with the update child feature are not
centralized but copied/pasted in several scripts. Which leads to issues
obsviously (bug 20805 for instance).

Moreover the strings used by the templates are also in several template
files (or .inc)

To deal with that this patch introduces the idea to create 1 .inc file
per .js file
Here we have members-menu.inc for members-menu.js

Test plan:
- Remove all your adult categories (categories.category_type='A')
- Create a patron with a child category
- Try to update to adult category
=> The entry does no longer appears! (This is a change in the behaviour)
- Create one adult category
- Update to adult category
=> There is a JS confirmation message, if you accept the patron will
be updated to the adult category
- Create (at least) another adult category
- Create another child
- Update to adult category
=> No more confirmation message but a popup to select the adult category
- Pick one
=> The patron has been updated to the adult category

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-14 11:58:26 +00:00
e08a36c25a Bug 20100: Explain why the checkbox is disabled
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-25 10:37:31 -03:00
d31b0bfdfc Bug 20100: (QA follow-up) Use template logic instead of js to disable superlib box
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-25 10:23:53 -03:00
ccf62d46d7 Bug 20100: Disallow access to superlibrarian privileges at client side
This last patch activates the check at client side.
If the pref ProtectSuperlibPrivs is enabled, non-superlibs should not be
able to change superlibrarian privileges via the interface.

Test plan:
[1] Enable the pref.
[2] Login as superlib and add/remove superlib privs to a staff user.
[3] Login as another user (no superlib, but having borrowers, permissions
    and staff_access). Verify that you cannot add or remove superlib
    privs.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: JM Broust <jean-manuel.broust@univ-lyon2.fr>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-25 10:23:53 -03:00
Julian Maurice
ed7543287b Bug 20538: Remove the need of writing [% KOHA_VERSION %] everywhere
Having to write [% KOHA_VERSION %] for each url is bad because:
- It's easily forgettable when adding new <script> or <link>
- It prevents grep'ing for the full filename
- It violates the DRY principle
- If at some point we want to change the "force js and css reload"
  mechanism, it will be tedious

This patch:
- adds a Template::Toolkit plugin that generates <script> and
  <link> tags for JS and CSS files, and inserts automatically the Koha
  version in the filename
- use the new plugin to remove all occurences of [% KOHA_VERSION %]
- remove the code that was adding KOHA_VERSION as a template variable

Test plan:
1. Apply patch
2. Go to several different pages in Koha (opac and intranet) while
   checking your browser's dev tools (there should be no 404 for JS and
   CSS files, and the Koha version should appear in filenames) and the
   server logs (there should be no "File not found")
3. `git grep KOHA_VERSION` should return nothing
4. prove t/db_dependent/Koha/Template/Plugin/Asset.t

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-13 11:49:44 -03:00
0ab22e1c7c Bug 18789: Send Koha::Patron object to the templates
In order to simplify and make uniform the code, the controller scripts send
a Koha::Patron object to the templates instead of all attributes of a patron.

That will make the code much more easier to maintain and will be less
error-prone.

The variable "patron" sent to the templates is supposed to represent the
patron the librarian is editing the detail.

In the members module and some scripts of the circulation module, the
patron's detail are sent one by one to the template. That leads to
frustration from developpers (making sure everything is passed from all
scripts) and to regression (we got tone of bugs in the last year because
of this way to do).
With this patch set it will be easy access patron's detail, passing only
1 variable from the controllers.

Test plan:
Play with the patron and circulation module and make sur the detail of
the patron you are editing/seeing info are correctly displayed.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-16 13:03:58 -03:00
047ca33a93 Bug 19641: Move patron templates to the footer
This patch modifies the staff client patron module templates so that
JavaScript is included in the footer instead of the header.

This patch touches a lot of files because the changes are all
interdependent, affecting a couple of module-wide include files.

To test, apply the patch and test the JavaScript-driven features of the
modified templates: All button controls, DataTables functionality, tabs,
etc.

Patrons -> Patrons home, patron search results
  -> Manage pending modification requests
  -> Patron detail page
    -> Edit patron
      -> Set guarantor
    -> Fines
       -> Account, Pay fines, Create manual invoice, Create manual
          credit
       -> Print receipts for different kinds of charges
    -> Routing lists
    -> Circulation history
    -> Holds history
    -> Notices
    -> Statistics
    -> Files
    -> Purchase suggestions
    -> Discharges
    -> Housebound
    -> Set permissions
    -> Change password
    -> Print summary, slips, and overdues
    -> Update child to adult patron type

Patron toolbar and patron search bar operations should work correctly on
all pages.

This patch also updates the template for searching the Norwegian
national patron database, but it has NOT been tested.

Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>

Signed-off-by: Zoe Bennett <zoebennett1308@gmail.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-15 13:30:23 -03:00
0ad922011c Bug 12904: Force browser to load new javascript files after upgrade
This patch has been automatically generated using:
  perl kv.pl **/*.tt **/*.inc

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
2018-02-08 14:53:24 -03:00
0c3c162f76 Bug 17905: FIX CSRF in member-flags
If an attacker can get an authenticated Koha user to visit their page
with the url below, privilege escalation is possible

The exploit can be simulated triggering
    /cgi-bin/koha/members/member-flags.pl?member=42&newflags=1&flag=superlibrarian

Test plan:
Trigger the url above
=> Without this patch, 42 is now superlibrarian
=> With this patch, you will get the "Wrong CSRF token" error.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-30 11:24:12 +00:00
19a977dc7b Bug 15758: Koha::Libraries - Remove GetBranchName
This is the fourth and last patch set to remove C4::Branch.
The real purpose of this patch is to standardise and refactor some code
which is related to the libraries selection/display.
Its unconfessed purpose is to remove the C4::Branch package.

Before this patch set, only 6 subroutines still existed in the C4::Branch
package:
- GetBranchName
- GetBranchesLoop
- mybranch
- onlymine
- GetBranches
- GetBranch

GetBranchName basically returns the branchname for a given branchcode.
The branchname is only used for a display purpose and we don't need to
retrieve it in package or pl scripts (unless for a few exceptions).
We have a `Branches` template plugin with a `GetName` method which does
exactly this job.
To achieve this removal, we will use this template plugin and delete the
GetBranchName from pl and pm files.
The `Branches.all()` will now select the library of the logged in user
if no `selected` parameter has been passed.
This new behavior could cause regressions, for instance there are some
places where we do not want an option preselected (batch item
modification for instance), keep that in mind when testing.

GetBranchesLoop took 3 parameters: $branch and $onlymine.
The first one was used to set a "selected" flag, for a display purpose:
select an option in the libraries dropdown lists.
The second one was useless: If not passed or set to 0, the
`C4::Branch::onlymine` subroutine was called.
This onlymine flag was use to know if the logged in user was able to see
other libraries infos.
A patron can see the infos from other libraries if IndependentBranches
is not set OR if he has the superlibrarian permission.
Prior to this patch set, the "onlymine test" was done on different
places (neworderempty.pl, additem.pl, holidays.pl, etc.), including the
Branches TT plugin. In this patch set, this test is only done on one
place (C4::Context::only_my_library, code moved from
C4::Branch::onlymine).
To accomplish the same job as this subroutine, we just need to call the
`Branches.all()` method from the `Branches` TT plugin. It already
accepts a `selected` parameter to set a flag on the option to select.
To avoid the repetitive
  [% IF selected %]<option selected="selected">[% ELSE %]<option>[% END %]
pattern, a new `html_helpers` TT include file has been created, it
defines an `options_for_libraries` block, which takes a `selected`
parameter. We could imagine to use this include file for other
selects.

The 'mybranch` and `onlymine` subroutines of the C4::Branch package have
been moved to C4::Context. onlymine has been renamed with
only_my_library. There are only 4 occurrences of it, against 11 before
this patch set.
There 2 subroutines are Context-centric and it makes sense to put them
in `C4::Context` (at least it's the least worst place!)

GetBranches is the tricky part of this patch set: It retrieves all the
libraries, independently of the value of IndependentBranches.
To keep the same way as the existing calls of `Branches.all()`, I have
added a `unfiltered` parameter. If set, the `Branches.all()` will call
a usual Koha::Libraries->search method, otherwise
Koha::Libraries->search_filtered will be called. This new method will
check if the logged in user is allowed to see other libraries or only
its library.
Note that this `GetBranches` subroutine also created a `category` key:
it allowed to get the list of groups (of libraries) where this library
existed. Thanks to a previous patch set (bug 15295), this value was
not used anymore (I may have missed something!).

Note that the only use of `GetBranch` was buggy (see bug 15746).

Test plan (for the whole patch set):
The best way to test this whole patch set is to test with 2 instances: 1
with the patch set applied, 1 using master, to be sure there is no
regression.
It would be good to test the same with `IndependentBranches` and the
without `IndependentBranches`.
No difference should be found.
The tester must focus on the library dropdowns on as many forms as
possible.
You will notice changes in the order of the options: the libraries will
now be ordered by branchname (instead of branchcode in some places).
A special attention will be given to the following page:
- acqui/neworderempty.pl
- catalogue/search.pl
- members/members-home.pl (header?)
- opac/opac-topissues.pl
- tools/holidays.pl
- admin/branch_transfer_limits.pl
- admin/item_circulation_alerts.pl
- rotating_collections/transferCollection.pl
- suggestion/suggestion.pl
- tools/export.pl

Notes for QA:
- There are 2 FIXMEs in the patch set, I have kept the existing behavior,
but I am not sure it's the good one. Feel free to open a bug report and
I will fill a patch if you think it's not correct. Otherwise, remove the
FIXME lines in a follow-up patch.
- The whole patch set is huge and makes a lot of changes.
But it finally will tremendously reduce the number of lines:
716 insertions for 1910 deletions

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-08 14:36:01 +00:00
0336f32b65 Bug 16494 - Remove the use of "onclick" from some patron pages
This patch removes the use of "onclick" attributes from some patron
pages.

To test, apply the patch and:

- In Patrons, perform any search which will return multiple results.
  Confirm that the "select all" and "clear all" links work as expected.
  Font Awesome icons have been added to these links.

  In the left-hand sidebar, change any of the filters and click the
  "Clear" button. The form (and your search results) should reset.

- Open the 'Set permissions' page for any patron. Checking any
  permission with sub-permissions should correctly expand the tree and
  select all sub-permissions. The reverse should also work.

  Also changed in this file: The "Inconsistency detected" alert has been
  reformatted to make it translatable.

- View the detail page for a patron with one or more restrictions.
  Clicking the "View restrictions" link at the top of the page should
  jump you to and activate the restrictions tab.

- View the 'Notices' tab for a patron who has been sent one or more
  notices. Click any notice title to expand the notice. Clicking the
  "resend" button should resend the notice.

- Create a new patron with the same first and last name as an existing
  patron. This should trigger a duplicate warning message. Click the
  "View existing record" link to trigger a pop-up window with a patron
  detail brief view.

  In this window an "email" class has been added to the primary and
  secondary email lines so that long email addresses don't overlap the
  second column of data.

  Confirm that clicking the "close" button in this window closes the
  window. The changes to staff-global.css are included in this patch to
  prevent the close button from having an incorrect color change on
  hover.

Signed-off-by: FILIPPOS KOLOVOS <f.kolovos@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-06-24 13:46:54 +00:00
Julian Maurice
ba49225e25 Bug 16238: Use .prop() instead of .attr() for 'disabled'
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-04-29 14:18:24 +00:00
Julian Maurice
27770b7c8f Bug 16238: Use .prop() instead of .attr() for 'checked'
According to https://jquery.com/upgrade-guide/1.9/#attr-versus-prop-
.attr() is no longer correct to access the checked state of a checkbox.

This patch do the following replacements:
  .attr('checked')               =>  .prop('checked')
  .attr('checked, '')            =>  .prop('checked', false)
  .attr('checked, 'checked')     =>  .prop('checked', true)
  .attr('checked', boolValue)    =>  .prop('checked', boolValue)
  .removeAttr('checked')         =>  .prop('checked', false)
  .attr('checked') == 'checked'  =>  .is(':checked')

Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-04-29 14:18:24 +00:00
6381d1853d Bug 16241 - Move staff client CSS out of language directory
The staff client CSS is not language-specific, so it can be moved out of
the en/ directory and thus not be duplicated for every translation.

In order to be able to have a generic path to the YUI CSS files, the YUI
directory is moved by this patch to the staff client's lib/ directory.

To test, apply the patch and visit various pages in the staff client.
Look in particular at pages which include more than the standard CSS.
For example:

- The staff client login page.
- The staff client home page.
- Patron -> Set permissions.
- The advanced cataloging editor.
- Acquisitions -> Vendor -> Basket groups.
- Tools -> News -> Edit news.
- Administration -> System preferences.

Revised: I intended for this to be built on top of Bug 15883. Now it is.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>

On top of 15883
Works as described, all pages on test plan
No Errors

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-04-29 13:54:37 +00:00
8d70ea9487 Bug 13632: Use an include file to display permissions
This patch set moves the permissions' descriptions to the po files
instead of having them in the DB.

Test plan:
0/ Apply all patches
1/ Create a new installation
2/ Confirm the userflags and permissions tables are correctly populated
3/ Update the po file for a translated language
4/ Confirm you are able to translate the permissions descriptions
5/ Install the template files for this language
6/ Switch the interface to use this language and confirm the string are
correctly translated.

QA Note: At this point we could remove the userflags.flagdesc and
permissions.description DB fields, but I would prefer to keep them:
developers will know what the permission do without the need to go and
see the include file (we have it in the sql files and so, in the DB).

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-10-19 09:38:04 -03:00
a57f4aba22 Bug 13139 - Move treeview jQuery plugin outside of language-specific directory
This patch moves the treeview plugin in the staff client from the
language-specific lib/jquery/plugins directory to the one outside the
theme directory.

To test, apply the patch and view the "Set permissions" page for a
patron. The list of permissions should display in an expandable list as
usual.

Signed-off-by: Frederic Demians <f.demians@tamil.fr>

It works, following the test plan. I can see the jQuery treeview plugin moved
from 'prog' language specific directory to the global lib/plugins directory.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Works as described. Found no other places where we use this plugin.

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-10-27 12:36:53 -03:00
D Ruth Bavousett
8c130eede3 Bug 8061: RTL CSS overrides (staff client)
This patch tweaks a few templates, and enables right-to-left
flipping via CSS in the staff client.

Signed-off-by: Karam Qubsi <karamqubsi@gmail.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Amended patch, putting back author and adding sign off.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-04-07 12:51:54 -04:00
0839645894 Bug 9439 - Enforce superlibrarian mutual exclusivity of other permissions
Basically, when you check the checkbox for the superlibrarian permission
in the patron record, it will disable and uncheck all the other
permission checkboxes. When you uncheck the checkbox for the
superlibrarian permission, it will renable those boxes. There is also
some JS code there to ensure that the other boxes are disabled when
returning to the change permission screen (i.e. the patch is not just a
click handler).

In the event that the checkboxes for superlibrarian and other
permissions are already checked, the user will be shown a pop-up window
explaining that the superlibrarian permission is mutually exclusive to
the others (since it already includes the others) and that the
permissions for that patron will then be reset to just include the
superlibrarian permission.

Comment: Tested on master. Works as described.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-02-01 11:30:35 -05:00
Liz Rea
1b2132fb76 Bug 9382 - updating permission labels
first, replicate:
go to More -> permissions on any user. Notice that it says various things "privileges, flags, permissions" they are interchangeable and inconsistent.
also note that some of the permissions are nonsensical and/or not descriptive enough, or not using canonical terminology (borrowers instead of patrons, for example)

To test:
interface consistency changes

-> means "turns into"

- page title - privileges -> permissions
- breadcrumbs - privileges -> permissions
- headings - privileges -> permissions
- "set flags" button -> save

Permissions that have changed description:

- Catalogue changes to "Required for staff login" in bold (this was the original impetus for this boatload of changes)
- reports
- editauthorities
- management
- serials
- updatecharges
- circulate
- parameters
- borrowers
- tools
- staffaccess
- edit_patrons (only on updatedb, not on new db)

- Read through and make sure there are no typos, and that the descriptions seem to jive with what privileges the permission gives the user. Suggestions are, in fact, welcome.

- If you are feeling ambitious, go ahead and create a new, clean database and check the wording there as well - it should match what has been done in the db update.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Tested both with existing database and new database

Signed-off-by: Elliott Davis <elliott@bywatersolions.com>
Tested with existing database.  Introduces no new mysql-isms.
Kudos for adding that syspref in bold, that got me when I first started with Koha
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-01-31 11:12:54 -05:00
Katrin Fischer
bae9aacb3f Bug 2780 - Capitalize strings consistently (members)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
2012-04-10 10:04:09 +02:00
Katrin Fischer
1fd4a1e8af Bug 7760 - Add ids and classes to every staff page to help with customization (patrons)
Class is 'pat' and ids start with 'pat_'.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
2012-03-22 18:12:30 +01:00
Maxime Pelletier
6756581cf8 Bug 6794 : Fixing a bug with member flags in IE
Rebased for template toolkit

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
2011-09-01 21:02:38 +12:00
Chris Cormack
5884fb1000 Bug 5917 : Swapping templates over 2011-04-10 20:38:30 +12:00
Renamed from koha-tt/intranet-tmpl/prog/en/modules/members/member-flags.tt (Browse further)