Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.
This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variables we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface, hit pages and try to catch an alert box.
If you find one, it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops, for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

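The commit above adds an explicit `html` filter to every output directive and lists a QA script for missing filters as a next step. The following is an added example (not Koha code, not the add_html_filters.pl script the commit mentions) of what such a check looks like: a small Python linter that walks a Template Toolkit fragment, flags output directives that carry none of the html, uri, url or raw filters named in the commit, and can rewrite them to `[% expr | html %]` the way the autogenerated patch did. The template text, the keyword list and the accepted `$raw` spelling are assumptions made for the example.

```python
import re

# Constructed Template Toolkit fragment for the example; not a file from the Koha tree.
SAMPLE_TT = """
<h1>[% course_name | html %]</h1>
<p>[% instructor.surname | html %], [% instructor.firstname | html %]</p>
<p>[% borrower.debarment_comment | raw %]</p>
<a href="/cgi-bin/koha/course_reserves/course-details.pl?course_id=[% course_id | uri %]">link</a>
<p>[% course.department %]</p>
[% FOREACH item IN items %]
  <li>[% item.barcode %]</li>
[% END %]
[% INCLUDE 'doc-head-close.inc' %]
[% SET total = items.size %]
[% IF course_id %]Edit course[% ELSE %]Create course[% END %]
"""

# Filters the commit message names as acceptable on an output directive.
OUTPUT_FILTERS = {"html", "uri", "url", "raw"}

# Directives that start with one of these are control flow, not variable output
# (assumed list of TT keywords; extend as needed).
TT_KEYWORDS = {
    "IF", "UNLESS", "ELSIF", "ELSE", "END", "FOREACH", "FOR", "WHILE", "SET",
    "DEFAULT", "INCLUDE", "PROCESS", "BLOCK", "USE", "SWITCH", "CASE", "MACRO",
    "FILTER", "WRAPPER", "CALL", "TRY", "CATCH", "FINAL", "THROW", "NEXT",
    "LAST", "RETURN", "STOP", "CLEAR", "META", "TAGS", "INSERT", "DEBUG",
}

# One [% ... %] directive, with optional whitespace-chomping dashes.
DIRECTIVE_RE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]")


def _is_output_directive(body):
    """True when the directive body prints a value rather than controlling flow."""
    tokens = body.split()
    if not tokens or body.startswith("#"):
        return False
    return tokens[0].upper() not in TT_KEYWORDS


def _has_output_filter(body):
    """True when some '| filter' on the directive is one of OUTPUT_FILTERS.
    A leading '$' (as in '| $raw') is stripped, an assumption for this example."""
    for part in body.split("|")[1:]:
        part = part.strip().lstrip("$")
        if not part:
            continue
        name = part.split("(")[0].split()[0]
        if name in OUTPUT_FILTERS:
            return True
    return False


def find_missing_filters(template_text):
    """Return (line_number, directive_body) for every unfiltered output directive."""
    findings = []
    for lineno, line in enumerate(template_text.splitlines(), 1):
        for match in DIRECTIVE_RE.finditer(line):
            body = match.group(1)
            if _is_output_directive(body) and not _has_output_filter(body):
                findings.append((lineno, body))
    return findings


def add_html_filters(template_text):
    """Rewrite every unfiltered output directive as [% expr | html %].
    Directives that already carry an accepted filter (html, uri, url, raw) are
    left alone, so hand-made 'raw' exceptions survive a re-run."""
    def fix(match):
        body = match.group(1)
        if _is_output_directive(body) and not _has_output_filter(body):
            return "[% " + body + " | html %]"
        return match.group(0)
    return "\n".join(DIRECTIVE_RE.sub(fix, line) for line in template_text.splitlines())


if __name__ == "__main__":
    for lineno, body in find_missing_filters(SAMPLE_TT):
        print("line %d: [%% %s %%] has no html/uri/url/raw filter" % (lineno, body))
    print(add_html_filters(SAMPLE_TT))
```

The check is deliberately blunt: it only knows whether some accepted filter is present, not whether it is the right one for the context, so a variable interpolated into an `href` that gets `html` instead of `uri` still passes. That is the last "Next" item in the commit above, and it needs a reviewer who knows the surrounding markup.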
This patch updates three single-column course reserves templates to use
the Bootstrap grid:
- course-reserves.tt - The main Course Reserves page
- course-details.tt - The detail view of an individual course
- course.tt - Editing a course
- add_items-step1.tt - Adding items to a course, step 1 (scan barcode)
- add_items-step2.tt - Adding items to a course, step 2
- invalid-course.tt - The error page shown if you try to view
course_reserves/course-details.pl directly without passing a course id
in the URL
- Also changed in this template: Error message has been wrapped in the
standard "dialog alert" <div>.
Each of these pages should look correct, with a single centered column
with wide margins on either side. At lower browser widths the margins
should disappear.
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Clicking on the cancel link when adding a new course to course reserves
displays the message 'Invalid Course!'. It would be better if it
redirected back to the main Course Reserves page.
This patch redirects the user back to the main course reserves page.
To Test:
1. Go to Course Reserves
2. Click '+ New Course'
3. Cancel the process
4. You are shown 'Invalid Course!'
5. Apply patch and repeat steps 1-3
6. You are redirected back to the main course reserves page
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

This patch modifies the staff client course reserves templates so that
JavaScript is included in the footer instead of the header.
To test, apply the patch and test the JavaScript-driven features of
each page: All button controls, DataTables, autocomplete, etc.
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

To test:
1) Ensure UseCourseReserves is enabled
2) Go to Course Reserves, create a course
3) Edit course
4) Click Cancel
5) Notice you are returned to the courses home page rather than returned
to the course
6) Apply patch
7) Go to edit course and click cancel again
8) Confirm you are returned to the course and that this feels like the
natural expectation.
Sponsored-by: Catalyst IT
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Followed test plan from patch 1/2, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>

This patch upgrades the version of jQueryUI included in the Koha staff
client from v1.8.23 to v1.10.4. The upgrade introduces a few minor API
changes which require the updates in this patch:
- In CSS, the term "active" is used instead of "selected"
- Autocomplete functions use slightly changed parameters
Changes to the default jQueryUI CSS allow us to remove some instances
of "!important" from jQueryUI-related CSS in the staff client's main CSS
file.
To test:
Testing changes to autocomplete:
- Enable the CircAutocompl system preference. Try searching in the
header's "Check out" tab. Autocomplete should look correct and
function correctly.
- In Circulation -> Overdues: The patron attribute authorized value
filter (must have patron attributes enabled, and a patron attribute
defined which uses authorized values).
- Course reserves -> Course -> Edit: Searching for an instructor
- In the unimarc_field_210c_bis.pl plugin:
1. Link the publisher name field in your MARC structure to
the unimarc_field_210c_bis.pl plugin.
2. Open a MARC record for editing and click the "tag editor" link to
launch the plugin.
3. Type the first few letters of a publisher which exists in your
database. You should get an autocomplete menu of publishers
which match your search.
4. Select one and click the "choose" button to fill the field in the
MARC editor.
- Tools -> Patron lists: Add a list or choose an existing list and add
patrons. Perform a search for a patron.
- Placing a hold: After choosing a title and clicking "Place hold,"
search for a patron.
- Tags management: The sidebar filter for "reviewer" should let you
search by patron name.
Other jQueryUI widget changes:
- Check tabs appearance in header search, biblio detail, cataloging, and
circulation patron fines pages.
To confirm other jQueryUI widgets still function correctly:
- Check accordion (collapsing sections) in Patrons -> Patrons requesting
modifications and the MARC subfield structure edit screen.
- Check datepickers, especially in Circulation with the added timepicker.
Test a linked datepicker, for example in Reports -> Stats wizards ->
Circulation where the value in one date field affects what dates are
available in the matching field.
- Check the calendar interface in Tools -> Calendar
To confirm that the new jQueryUI default CSS is more flexible (fixing
Bug 11042), add the following CSS to your IntranetUserCSS system
preference and confirm that the header search active tab border color
changes (hash mark escaped so that it will appear in commit msg):
\#header_search ul.ui-tabs-nav li.ui-tabs-active {
    background-color: #FFFFF1;
    border: 1px solid #800000;
    border-top: 0 !important;
    top: -2px;
}
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>

The page for adding a new course includes some custom form
validation JavaScript which can be removed in favor of HTML5 validation
attributes and Koha's built-in validation plugin. This patch does so.
To test, apply the patch and go to Course reserves -> New course. Try
submitting the form without entering a department, course number,
and/or course name. This should trigger validation warnings.
Submission of the form with valid data should work correctly. Editing an
existing course should also work correctly.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>

In some cases clicking the "remove" link to remove a course instructor
when editing a course reserves course doesn't work. I suspect this is
caused by leading zeroes in the card number. This patch refactors the
relevant function to fix the problem and to remove inline JavaScript
from generated markup.
Other changes:
- Make the "Remove" text translatable
- Re-order the first name and last name when added by JavaScript to
match the template's "surname, firstname" order.
To test:
1. If necessary, create or modify a patron to have a card number
with leading zeroes.
2. Go to Course reserves and add or edit a course.
3. If you are editing a course and there are existing instructors, click
the "remove" link. Nothing will happen.
4. Perform a patron search and choose one of the results. The name
should be added to the list of instructors in the format "surname,
firstname."
5. Click the "remove" link next to the patron name which was just added.
Nothing will happen.
6. Apply the patch and repeat step 4. The "remove" link should work.
7. Add an instructor and save the course reserve. Repeat steps 2 and 3.
The "remove" link should now work.
To test the translation fix, after applying the patch run "translate
update [language code]" and confirm that the "Remove" string is listed
in the updated po file for course_reserves/course.tt.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>

Fixing this line:
<legend>[% IF course_id %] Edit [% ELSE %] Create [% END %] course</legend>
As grammar works different in different languages, having single
strings like that in a predefined order makes having a nice translation
unnecessarily hard.
This will make it a little easier:
<legend>[% IF course_id %]Edit course[% ELSE %]Create course[% END %]</legend>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>

The course reserves entry form should not be shown if there are no
DEPARTMENT authorized values, since this prevents the form from being
submitted. This patch replaces the form with an error message when no
DEPARTMENT authorized values are found.
Also corrected:
- Corrected grid structure for more standard display
- Converted labels with no corresponding inputs to <span class="label">
- Closed unclosed tags
- Corrected incorrect capitalization
This patch contains whitespace changes, so please ignore whitespace when
examining changes.
To test, delete any DEPARTMENT authorized values, if present. Create a
new course in Course Reserves. You should see a warning that no
DEPARTMENT values were found.
If you are logged in with the correct permission, the warning should
contain a link to the correct authorized value page. If you do not, the
warning should refer the problem to an administrator.
After creating one or more DEPARTMENT values, the form should display
and submit correctly.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
After this patch has been applied, I get an error message and no form
if I don't have any DEPARTMENTs defined, which makes sense given that
the form can't be submitted without a DEPARTMENT.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Passes all tests and QA script.
You now see a useful error message when no departments have been
defined. Otherwise you are taken to the correct form.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>

This patch corrects instances of the non-[American]-standard spelling
"authorised" when used in text.
The following instances are corrected:
- In Administration -> Funds, the error message displayed if you do not
have permission to edit a fund.
- In Administration -> Authorized values, the instructions linked to the
"Libraries limitation" field.
- In Administration -> MARC bibliographic framework test, instructions
related to linking to authorized values.
- In the course reserves add form, error messages referring to missing
authorized values.
- In guided reports, error messages shown when an authorized value
chosen as a report parameter doesn't exist.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>

Adds a course reserves system for academic libraries.
The course reserves system allows libraries to create courses
and put items on reserves for those courses.
Each item with at least one reserve can have some of its attributes
modified while it is on reserve for at least one active course.
These attributes include item type, collection code, shelving location,
and holding library. If there are no active courses with this item
on reserve, its attributes will revert to the original attributes
it had before going on reserve.
Test Plan:
1) Create new authorised value categories DEPARTMENT and TERM
2) Create a new course, add instructors to that course.
3) Reserve items for that course, verify item attributes have changed.
4) Disable course, verify item attributes have reverted.
5) Enable course again, verify item attributes again.
6) Delete course, verify item attributes again.
7) Create two new courses, add the same item(s) to both courses.
8) Disable one course, verify item attributes have not reverted.
9) Disable both courses, verify item attributes have reverted.
10) Enable one course, verify item attributes are again set to the
new values.
11) Edit reserve item attributes, verify.
12) Disable all courses, edit reserve item attributes, verify
the item itself still has its original attributes, verify
the reserve item attributes have been updated.
13) Verify the ability to remove instructors from a course.
14) Verify new permissions, top level coursereserves, with
subpermissions add_reserves and delete_reserves.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Corinne Bulac <corinne.hayet@bulac.fr>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
http://bugs.koha-community.org/show_bug.cgi?id=8125