Having to write [% KOHA_VERSION %] for each url is bad because:
- It's easily forgettable when adding new <script> or <link>
- It prevents grep'ing for the full filename
- It violates the DRY principle
- If at some point we want to change the "force js and css reload"
mechanism, it will be tedious
This patch:
- adds a Template::Toolkit plugin that generates <script> and
<link> tags for JS and CSS files, and inserts automatically the Koha
version in the filename
- use the new plugin to remove all occurrences of [% KOHA_VERSION %]
- remove the code that was adding KOHA_VERSION as a template variable
Test plan:
1. Apply patch
2. Go to several different pages in Koha (opac and intranet) while
checking your browser's dev tools (there should be no 404 for JS and
CSS files, and the Koha version should appear in filenames) and the
server logs (there should be no "File not found")
3. `git grep KOHA_VERSION` should return nothing
4. prove t/db_dependent/Koha/Template/Plugin/Asset.t
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies two patron-related tools templates in the staff
client so that JavaScript is included in the footer instead of the
header.
To test, apply the patch and test the JavaScript-driven features of
each modified template: All button controls, DataTables functionality,
form validation, etc.
- Import patrons
- Upload patron images
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Edit for QA: Fixed datepickers on import patron form
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
If an attacker can get an authenticated Koha user to visit their page
with the URL below, they can change or delete patrons' images
/tools/picture-upload.pl?op=Delete&borrowernumber=42
Test plan:
1/ Hit /tools/picture-upload.pl?op=Delete&borrowernumber=42
And confirm that you get a "Wrong CSRF token" error
2/ Go on the patron detail page with a patron's image
3/ Click on the Delete link (note the csrf_token param)
4/ The image will be deleted and you are redirected to the patron detail
page.
Regression tests:
Upload an image from the patron detail page and from the "upload patron
images" tool.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
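The check that test plan exercises, as an added example that is not part of the commit log and is not Koha's own code: a session-bound token is required before the Delete operation runs, so a bare link to the URL is refused with "Wrong CSRF token". The secret, token format, lifetime and the helper names generate_csrf, check_csrf and handle_request are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not Koha code): CSRF token check in front of a state-changing op.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET  = 'constructed-server-side-secret';   # assumption: per-install secret
my $MAX_AGE = 8 * 3600;                           # assumption: token lifetime (s)

# Token = "<issued_at>:<HMAC-SHA256(secret, session_id|issued_at)>".
# Binding to the session id means a token minted for one user is useless to another.
sub generate_csrf {
    my ($session_id, $now) = @_;
    $now //= time;
    return "$now:" . hmac_sha256_hex("$session_id|$now", $SECRET);
}

# Compare two equal-length strings without stopping at the first mismatch.
sub _same {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

sub check_csrf {
    my ($session_id, $token, $now) = @_;
    $now //= time;
    return 0 unless defined $token && $token =~ /\A(\d+):([0-9a-f]{64})\z/;
    my ($issued, $mac) = ($1, $2);
    return 0 if $issued > $now || $now - $issued > $MAX_AGE;   # future or expired
    return _same($mac, hmac_sha256_hex("$session_id|$issued", $SECRET));
}

# Hypothetical handler: the destructive branch is reached only with a valid token.
sub handle_request {
    my ($session_id, %param) = @_;
    return 'nothing to do' unless ($param{op} // '') eq 'Delete';
    return 'Wrong CSRF token' unless check_csrf($session_id, $param{csrf_token});
    return "image deleted for borrowernumber $param{borrowernumber}";
}

my $sid = 'constructed-session-id';               # constructed sample value
my %req = (op => 'Delete', borrowernumber => 42);
print handle_request($sid, %req), "\n";                                          # no token
print handle_request($sid, %req, csrf_token => generate_csrf('other-sid')), "\n"; # wrong session
print handle_request($sid, %req, csrf_token => generate_csrf($sid)), "\n";       # own link
```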
To reproduce:
1/ cp your_image.jpg 'test<svg onload=alert(1)>.jpg'
2/ Use the upload picture tool to upload this file
=> Without this patch, the alert is shown
=> With this patch, the filename is correctly displayed and no alert
Note that the cardnumber var was not escaped either; it is now.
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The C4::Members::PutPatronImage inserted/updated the image of a patron.
This can be done easily with ->find->set->store or ->new->store
Test plan:
1/ Modify the image of a patron from the patron detail page
2/ Add an image to a new patron
3/ Use the "Upload patron images" tools (tools/picture-upload.pl) to add
or modify the image of a patron
4/ Use the "Upload patron images" tools (tools/picture-upload.pl) to add
or modify the image of several patrons, using a zip file.
Stress the script trying to get as many errors as possible (wrong
cardnumber, wrong mimetype, file does not exist, etc.)
With this patch, if the cardnumber does not exist, you will get a
specific error "Image not imported because this patron does not exist in
the database"
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Otherwise the label is red and a bit aggressive :)
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
The styling of the patron image upload form causes the text to be
smaller than it should be for the main body of a page. This patch
revises the form style and cleans up the markup a bit.
This patch also adds client-side validation of the form so that a file
upload is required, and a card number is required if an image file is
selected.
To test, apply the patch and go to Tools -> Upload patron images.
1. Confirm that the text in the form is the correct size.
2. With "Zip file" selected, confirm that submitting the form is blocked
and the file upload marked as required.
3. With "Image file" selected, confirm that submitting the form
with an empty card number field is blocked and the card number
field is marked as required.
4. Confirm that uploading zip files and single images still works
correctly.
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
This patch fixes some template structure problems and makes some
improvements:
- Correct grid structure so that page isn't narrower than it needs
to be.
- Move image upload messages out of message/error dialog and into
table so that lines are distinct and legible.
- Expand breadcrumbs specificity
- Capitalization corrections
To test: Upload patron images using both single images and zip files.
Test zip file upload with a file which contains valid and invalid
contents (non-existent patron numbers, invalid image files, etc). In all
cases image uploads should work correctly and errors should be legibly
displayed.
Signed-off-by: Marc Veron <veron@veron.ch>
With patch, error messages are displayed in a nice table.
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Tested with zip and png files. Works great.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Text could not be correctly translated due to poor parsing of nested sentences in Pootle.
* Sentences de-nested to have whole sentence in each if /elsif branch
* Cleaned up <li></li> handling: moved closing </li> outside the for each loop to prevent orphaned closing </li>s.
* Changed indentation for better readability
* Changed WARNING to ERROR because it is an *Error* during upload.
* Wording simplified (for translation).
* In one case added hint to refer to online help (size).
This way text should be easier to be translated in Pootle.
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
This patch also fixes some strings:
* itemcallnumber => item call number
* Profile marcfields => Profile MARC fields