This patch has been generated with the script provided on bug 21576.
It only affects variables used in the href attribute of a link *when*
href is the first attribute of the node (grep "a href")
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch changes the term ISO2709 in the templates to use
MARC instead.
Test plan:
- The term was changed on the following pages in staff:
- Advanced cataloguing editor > Save to catalog
- Patron account > Check out (Activate ExportCircHistory) > Format
- Patron account > Check out > Help page
- Lists > Download list
- Acquisitions > Add order to basket > From a staged file (breadcrumbs)
- Administration > System preferences > ExportRemoveFields
- Cart > Download
- Tools > Export data > Output format
Signed-off-by: Michal Denar <black23@gmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.
This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variables we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit pages and try to catch an alert box.
If you find one it means you found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
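An added example, not part of the commits above or of Koha's own QA tooling: a minimal check in the spirit of the "QA script to catch missing filters" item, which also covers the href case from the first commit message. The keyword list, the regexes, the sample template and the reading that an html filter inside an href value is a candidate for uri are assumptions of this sketch.

```python
import re

# Filters the commit message names as acceptable on an output directive.
ALLOWED = {"html", "uri", "url", "raw"}
# TT keywords that open a non-output directive (assumed list, not exhaustive).
CONTROL = {"IF", "ELSIF", "ELSE", "UNLESS", "END", "FOREACH", "FOR", "WHILE",
           "SET", "DEFAULT", "USE", "INCLUDE", "PROCESS", "BLOCK", "SWITCH",
           "CASE", "NEXT", "LAST", "MACRO", "WRAPPER", "FILTER", "TRY", "CATCH"}
DIRECTIVE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.S)
# Last filter in the chain: "| name" or "FILTER name"; "$" covers plugin-style names.
LAST_FILTER = re.compile(r"(?:\||\bFILTER)\s*\$?(\w+)\s*(?:\([^)]*\))?\s*$")
# True when the text before a directive ends inside an unterminated href value.
IN_HREF = re.compile(r"""href\s*=\s*["'][^"'>]*$""", re.I)

# Constructed sample template (not taken from Koha).
SAMPLE = '''[% USE Koha %]
[% IF patron %]
<h1>[% patron.surname %]</h1>
<a href="circulation.pl?borrowernumber=[% patron.borrowernumber | html %]">[% patron.cardnumber | html %]</a>
<div>[% debarment.comment | $raw %]</div>
[% END %]
'''


def check_template(text):
    """Return (line, directive, problem) for each suspicious output directive."""
    findings = []
    for m in DIRECTIVE.finditer(text):
        body = m.group(1)
        if not body or body.startswith("#"):
            continue  # empty directive or TT comment
        if body.split()[0] in CONTROL or re.match(r"[\w.]+\s*=[^=]", body):
            continue  # control flow or assignment: nothing is printed
        line = text.count("\n", 0, m.start()) + 1
        f = LAST_FILTER.search(body)
        name = f.group(1) if f else None
        if name not in ALLOWED:
            findings.append((line, body, "missing filter"))
        elif name == "html" and IN_HREF.search(text[:m.start()]):
            findings.append((line, body, "html filter in href, use uri"))
    return findings


if __name__ == "__main__":
    for finding in check_template(SAMPLE):
        print(finding)
```
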
Test plan:
Login with a patron that is not allowed to see patron's information for patrons
outside of his group. Try to access patron's information from scripts of the patron
module (members/*) and circ/circulation.pl.
You should be able to access patron's information of patrons outside of your group
and get "You are not allowed to see the information of this patron."
If you try and access a patron page with a borrowernumber that does not exist, you
should get "This patron does not exist"
Technical note:
A new C4::Output subroutine is created in this patch: "output_and_exit_if_error"
Executed at the beginning of the script it will permit not to copy/paste all the
different checks to know if the logged in user is authorised to see patron's information.
The design here can be discussed, but I did not find an alternative with as few changes.
On the way I refactor what we did with 'unknowuser' previously: it will now work with all
patron pages, not only the few that used it.
Note that the 'or die "Not logged in";' part should not be needed, but... who trusts
C4::Auth?
I think it could be used as a safeguard later. I am willing to sed and remove them
if required.
Changes in discharge.pl are mainly indentation changes.
With this patch we should now have a $patron variable that refers to the patron we
want to access. That will be very useful to remove plenty of code in members/* and
only pass this variable to the template (instead of 1 variable per patron's attribute).
Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies the staff client's lists templates so that
JavaScript is included in the footer instead of the header.
To test, apply the patch and test the JavaScript-driven features of the
lists page: All button controls, DataTables functionality, form
validation, etc.
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Same as previous patch but for the staff interface
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Introduced by bug 14544, the shelfnumber is not correctly passed to the
template.
The shelf variable is passed to the template, to access the shelfnumber,
we need to get shelf.shelfnumber.
Test plan:
At the intranet, try to download a list.
Without this patch it won't work.
Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
The shelfnumber was not filled and resulted in a software error
Can't call method "get_contents" on an undefined value at
/home/koha/src/virtualshelves/sendshelf.pl line 74.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
With patch mail is sent.
No errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
We should be using Font Awesome for our icons instead of Glyphicons, for
the reasons discussed on bug 13696.
Test Plan:
1) Apply this patch
2) Note all Glyphicons have been replaced with FA icons in the staff intranet
3) git grep "icon-" ./koha-tmpl/intranet-tmpl/prog/en/modules/
should give no results
4) git grep "icon-" ./koha-tmpl/intranet-tmpl/prog/en/includes/
should give no results
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
We need a follow-up to cover the files changes since this
patch was written. Especially to cover the changes in the
label creator modules.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
The print list button only prints the page you are viewing, and not the
entire list.
Test Plan:
1) Apply this patch
2) Create a list with enough items that it will paginate
3) Browse to that list, click the 'print list' button
4) Note the entire list prints, not just the visible items
Tested in staff client, works as expected.
It would be great to have the same for OPAC as well (OPAC still prints first page only).
Signed-off-by: Marc Veron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
In the staff client, if you initiate a list edit from the list contents
view you should be redirected to that same view after saving your
changes. The OPAC already works this way.
To test, view the contents of an existing list. Click the "Edit list"
item under the "Edit" menu. Click save on the list edit form and you
should be redirected back to the contents view of that list.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
This patch converts the toolbar include file used by lists pages to
Bootstrap, replacing YUI button and menu code with Bootstrap markup.
To test, view any page in virtualshelves/ which uses
virtualshelves-toolbar.inc (shelves.pl). Buttons and menus should look
correct and work correctly when viewing own lists, others' lists, etc.
Revised: corrected bug number and title
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Comment: Work as described. No error. Looks very good.
As well as Bug 9616 the result is 10px downward from the original.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Works nicely, no problems found.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
The window feature dependant= should have been written as dependent=
Note that this feature is ignored in most/current browsers.
Since the feature was misspelled, removing it will not change any
behavior or hurt anybody.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Passed-QA-by: Paul Poulain <paul.poulain@biblibre.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Getting a list in CSV format was impossible because the
shelfid parameter was empty in the URL.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Corrected an instance where <!-- TMPL_IF --> was embedded inside an HTML tag (conflicts with translation script). Modified styling of confirm button to match existing interface convention.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Added logic to create a list of private lists to check on deletion. Multiple pages have the ability to delete lists, both private and public. Default option of retrieving a user's lists is retrieving the public ones. Now private lists of the owner are retrieved as well and checked upon deletion request. This allows any method of deletion to delete the correct list without examining the myriad of options currently used to indicate display of privateshelves and expect all pages to know whether a shelf number comes from a private or public list. Since deletion occurs based on shelf number and the virtualshelves table has a primary key on shelf number, this will not cause unwanted deletion of shelves.
UPDATE: added logic for conditional creation of shelves. Also note change in staff side as deletions worked except for viewing a populated shelf, then deleting. The confirm message showed, but the display was of public shelves, not private.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Adding code to refresh "Lists" button lists display in OPAC masthead.inc
Adding javascript to force refresh of parent window to update "Lists" button menu
Adding query limits and ability to specify row count and offset in queries related to Virtualshelves.
Also added the ability to return total record counts for specified virtualshelves.
Adding C4::VirtualShelves::GetRecentShelves which returns a list of the most recently modified shelves for
a given set of parameters. This allows the user to be offered active private and open lists to add books
to in drop down menus while also allowing drop down menus to be limited to a reasonable length.
This also limits the shelves stored in the user's session to a fixed number. A further enhancement might
be to add a syspref to enable a staff member to define the limit. Currently it is hardcoded at 10 per
list type (private/public-open).
Adding pagination to list/shelf related screens
Moving refresh shelves code into C4::VirtualShelves::RefreshShelvesSummary and tidying up a bit
Correcting several inconsistencies in the shelves templates as well as handling shelf management on
the intranet side correctly.
Correcting "Add To:" drop-down list to show only lists the patron has permission to add to
Correcting a few C4::VirtualShelves::GetShelvesSummary API calls
Modifications for template consistency
Breaking up a 1367 char line of javascript in opac-results.tmpl
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
* prior to this commit, virtual shelves did not function in
the OPAC! Now they do, except for deletion from virtual shelves
in list form
* I've re-named 'Virtual Shelves' to 'Lists' as per our agreed
upon convention
* while vshelves aren't perfect yet, they're in enough of a working
state for the RC1 now
Signed-off-by: Joshua Ferraro <jmf@liblime.com>