Instead of dying!
Test plan:
Assuming you have a patron with borrowernumber=51 and another one that
can be deleted with borrowernumber=42
- authorities-home.pl
* Delete an authority record
* hit /cgi-bin/koha/authorities/authorities-home.pl?op=delete
- basket/sendbasket.pl
* Send a basket to someone
* hit /cgi-bin/koha/basket/sendbasket.pl?email_add=1
- members/apikeys.pl
* Generate and delete an API key for a patron
* hit /cgi-bin/koha/members/apikeys.pl?patron_id=51&op=delete
- members/deletemem.pl
* Delete a patron
* hit /cgi-bin/koha/members/deletemem.pl?member=42&op=delete_confirmed
- members/mancredit.pl
* Add a manual credit
* hit /cgi-bin/koha/members/mancredit.pl?borrowernumber=51&add=1
- members/maninvoice.pl
* Add a manual invoice
* hit /cgi-bin/koha/members/maninvoice.pl?borrowernumber=51&add=1
- members/member-flags.pl
* Change permissions for a patron
* hit /cgi-bin/koha/members/member-flags.pl?member=51&newflags=1
- members/member-password.pl
* Change the password for a patron (from the staff interface)
* hit /cgi-bin/koha/members/member-password.pl?member=51&newpassword=aA1
- members/memberentry.pl
* Edit some patron's info
* hit /cgi-bin/koha/members/memberentry.pl?borrowernumber=51&op=save
- members/paycollect.pl
* Pay an individual fine
* hit something like /cgi-bin/koha/members/paycollect.pl?borrowernumber=51&pay_individual=1&accounttype=L&amount=1.00&amountoutstanding=1.00&accountlines_id=157&paid=1
You may need to edit some values
- tools/import_borrowers.pl
* Import some patrons
* hit /cgi-bin/koha/tools/import_borrowers.pl?uploadborrowers=1
- tools/picture-upload.pl
* Upload an image for a patron
* You will need to edit the html content
hit Home › Tools › Upload patron images
then locate the csrf_token input and modify its value
Note for QA:
- Opac is not done as blocking_errors.inc does not exist for this
interface
- ill/ill-requests.pl
I did not manage to replace this occurrence
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch modifies several tools templates to use the
Bootstrap grid instead of YUI.
This patch also removes obsolete "text/javascript" attributes from
<script> tags and "text/css" attributes from <style> tags in the
modified templates.
To test, apply the patch and view the following pages, confirming that
they look correct at various browser widths:
- Tools -> MARC modification templates
- View and edit templates
- Tools -> Batch patron modification
- Test each step of the process
- Tools -> Overdue notice/status triggers
- Tools -> Upload patron images
- Test each step of the upload process
- Tools -> Quote editor
-> Quote uploader
- Import quotes
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Code and variables to deal with the update child feature are not
centralized but copied/pasted in several scripts. Which leads to issues
obsviously (bug 20805 for instance).
Moreover the strings used by the templates are also in several template
files (or .inc)
To deal with that this patch introduces the idea to create 1 .inc file
per .js file
Here we have members-menu.inc for members-menu.js
Test plan:
- Remove all your adult categories (categories.category_type='A')
- Create a patron with a child category
- Try to update to adult category
=> The entry does no longer appears! (This is a change in the behaviour)
- Create one adult category
- Update to adult category
=> There is a JS confirmation message, if you accept the patron will
be updated to the adult category
- Create (at least) another adult category
- Create another child
- Update to adult category
=> No more confirmation message but a popup to select the adult category
- Pick one
=> The patron has been updated to the adult category
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Having to write [% KOHA_VERSION %] for each url is bad because:
- It's easily forgettable when adding new <script> or <link>
- It prevents grep'ing for the full filename
- It violates the DRY principle
- If at some point we want to change the "force js and css reload"
mechanism, it will be tedious
This patch:
- adds a Template::Toolkit plugin that generates <script> and
<link> tags for JS and CSS files, and inserts automatically the Koha
version in the filename
- use the new plugin to remove all occurences of [% KOHA_VERSION %]
- remove the code that was adding KOHA_VERSION as a template variable
Test plan:
1. Apply patch
2. Go to several different pages in Koha (opac and intranet) while
checking your browser's dev tools (there should be no 404 for JS and
CSS files, and the Koha version should appear in filenames) and the
server logs (there should be no "File not found")
3. `git grep KOHA_VERSION` should return nothing
4. prove t/db_dependent/Koha/Template/Plugin/Asset.t
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies two patron-related tools templates in the staff
client so that JavaScript is included in the footer instead of the
header.
To test, apply the patch and test the JavaScript-driven features of
each modified template: All button controls, DataTables functionality,
form validation, etc.
- Import patrons
- Upload patron images
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Edit for QA: Fixed datepickers on import patron form
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
If an attacker can get an authenticated Koha user to visit their page
with the
url below, they can change or delete patrons' images
/tools/picture-upload.pl?op=Delete&borrowernumber=42
Test plan:
1/ Hit /tools/picture-upload.pl?op=Delete&borrowernumber=42
And confirm that you get a "Wrong CSRF token" error
2/ Go on the patron detail page with a patron's image
3/ Click on the Delete link (note the csrf_token param)
4/ The image will be deleted and you are redirected to the patron detail
page.
Regression tests:
Upload an image from the patron detail page and from the "upload patron
images" tool.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
To reproduce:
1/ cp your_image.jpg 'test<svg onload=alert(1)>.jpg'
2/ Use the upload picture tool to upload this file
=> Without this patch, the alert is show
=> With this patch, the filename is correctly displayed and no alert
Note that the cardnumber var was not escaped neither, it's now.
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The C4::Members::PutPatronImage inserted/updated the image of a patron.
This can be done easily with ->find->set->store or ->new->store
Test plan:
1/ Modify the image of a patron from the patron detail page
2/ Add an image to a new patron
3/ Use the "Upload patron images" tools (tools/picture-upload.pl) to add
or modify the image of a patron
4/ Use the "Upload patron images" tools (tools/picture-upload.pl) to add
or modify the image of several patrons, using a zip file.
Stress the script trying to get as many errors as possible (wrong
cardnumber, wrong mimetype, file does not exist, etc.)
With this patch, if the cardnumber does not exist, you will get a
specific error "Image not imported because this patron does not exist in
the database"
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Otherwise the label is red and a bit agressive :)
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
The styling of the patron image upload form causes the text to be
smaller than it should be for the main body of a page. This patch
revises the form style and cleans up the markup a bit.
This patch also adds client-side validation of the form so that a file
upload is required, and a card number is required if an image file is
selected.
To test, apply the patch and go to Tools -> Upload patron images.
1. Confirm that the text in the form is the correct size.
2. With "Zip file" selected, confirm that submitting the form is blocked
and the file upload marked as required.
3. With "Image file" selected, confirm that submitting the form
with an empty card number field is blocked and the card number
field is marked as required.
4. Confirm that uploading zip files and single images still works
correctly.
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
This patch fixes some template structure problems and makes some
improvements:
- Correct grid structure so that page isn't narrower than it needs
to be.
- Move image upload messages out of message/error dialog and into
table so that lines are distinct and legible.
- Expand breadcrumbs specificity
- Capitalization corrections
To test: Upload patron images using both single images and zip files.
Test zip file upload with a file which contains valid and invalid
contents (non-existant patron numbers, invalid image files, etc). In all
cases image uploads should work correctly and errors should be legibly
displayed.
Signed-off-by: Marc Veron <veron@veron.ch>
With patch, error messages are displayed in a nice table.
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Tested with zip and png files. Works great.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Text could not be correctly translated due to poor parsing of nested sentences in Pootle.
*Sentences de-nested to have whole sentence in each if /elsif branch
*Cleaned up <li></li> handling: moved closing </li> outside the for each loop to prevent orphaned closing </li>s.
*Changed indentation for better readibility
*Changed WARNING to ERROR because it is an *Error* during upload.
*Wording simplified (for translation).
*In one case added hint to refer to online help (size).
This way text should be easier to be translated in Pootle.
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
This patch also fixes some strings:
* itemcallnumber => item call number
* Profile marcfields=> Profile MARC fields