Correct the two issues I pointed out.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.
This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data that contain <script> tags
- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface, hit pages and try to catch an alert box.
If you find one it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops, for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
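The commit message above asks for a QA script that catches template variables printed without an html, uri, url or raw filter. The following is an added example of such a check (not Koha's add_html_filters.pl or QA tooling): it scans Template Toolkit tags in a constructed template fragment and reports every output tag whose pipeline does not end in one of those filters. The directive keyword list and the sample template are assumptions for illustration.

```python
import re

# Filters the commit message above names as acceptable on a displayed variable;
# an output tag ending in anything else is reported as a candidate XSS sink.
ALLOWED_FILTERS = {"html", "uri", "url", "raw"}

# TT keywords that open a directive (control flow, includes, ...) rather than
# print a value; such tags are not sinks and are skipped. (Assumed list.)
DIRECTIVE_KEYWORDS = {
    "IF", "ELSIF", "ELSE", "UNLESS", "END", "FOREACH", "FOR", "WHILE", "SET",
    "DEFAULT", "INCLUDE", "PROCESS", "BLOCK", "USE", "SWITCH", "CASE", "RETURN",
    "STOP", "LAST", "NEXT", "INSERT", "WRAPPER", "FILTER", "MACRO", "TRY",
    "CATCH", "FINAL", "THROW", "CLEAR", "META",
}

TAG_RE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.DOTALL)
ASSIGNMENT_RE = re.compile(r"^[\w.]+\s*=[^=]")


def find_unfiltered(template: str):
    """Return [(line_number, tag_body)] for every output tag whose pipeline
    does not end in one of ALLOWED_FILTERS (the 'missing filter' case)."""
    findings = []
    for m in TAG_RE.finditer(template):
        body = m.group(1).strip()
        if not body or body.startswith("#"):
            continue  # empty tag or TT comment
        if body.split(None, 1)[0].upper() in DIRECTIVE_KEYWORDS:
            continue  # control-flow / include directive, prints nothing
        if ASSIGNMENT_RE.match(body):
            continue  # [% foo = bar %] assigns, prints nothing
        parts = [p.strip() for p in body.split("|")]
        last_filter = (parts[-1].split() or [""])[0].lstrip("$")
        if len(parts) > 1 and last_filter in ALLOWED_FILTERS:
            continue  # escaped (or deliberately raw) output
        line = template.count("\n", 0, m.start()) + 1
        findings.append((line, body))
    return findings


# Constructed template fragment (not from Koha) mimicking a restrictions table
SAMPLE_TEMPLATE = """\
[% FOREACH d IN debarments %]
  <td>[% d.type | html %]</td>
  <td>[% d.comment %]</td>
  <td>[% d.expiration | html %]</td>
  <td><a href="moremember.pl?borrowernumber=[% d.borrowernumber | uri %]">view</a></td>
  [% trusted_markup | raw %]
[% END %]
"""

if __name__ == "__main__":
    for line, body in find_unfiltered(SAMPLE_TEMPLATE):
        print(f"line {line}: [% {body} %] has no html/uri/url/raw filter")
```

On the sample, only `d.comment` on line 3 is reported; it is exactly the kind of database-backed field the test plan above seeds with script tags.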
In order to simplify the code and make it uniform, the controller scripts send
a Koha::Patron object to the templates instead of all attributes of a patron.
That will make the code much easier to maintain and will be less
error-prone.
The variable "patron" sent to the templates is supposed to represent the
patron whose details the librarian is editing.
In the members module and some scripts of the circulation module, the
patron's details are sent one by one to the template. That leads to
frustration for developers (making sure everything is passed from all
scripts) and to regressions (we got tons of bugs in the last year because
of this way of doing things).
With this patch set it will be easy to access the patron's details, passing only
1 variable from the controllers.
Test plan:
Play with the patron and circulation modules and make sure the details of
the patron you are editing/viewing are correctly displayed.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies the staff client patron module templates so that
JavaScript is included in the footer instead of the header.
This patch touches a lot of files because the changes are all
interdependent, affecting a couple of module-wide include files.
To test, apply the patch and test the JavaScript-driven features of the
modified templates: All button controls, DataTables functionality, tabs,
etc.
Patrons -> Patrons home, patron search results
-> Manage pending modification requests
-> Patron detail page
-> Edit patron
-> Set guarantor
-> Fines
-> Account, Pay fines, Create manual invoice, Create manual
credit
-> Print receipts for different kinds of charges
-> Routing lists
-> Circulation history
-> Holds history
-> Notices
-> Statistics
-> Files
-> Purchase suggestions
-> Discharges
-> Housebound
-> Set permissions
-> Change password
-> Print summary, slips, and overdues
-> Update child to adult patron type
Patron toolbar and patron search bar operations should work correctly on
all pages.
This patch also updates the template for searching the Norwegian
national patron database, but it has NOT been tested.
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Zoe Bennett <zoebennett1308@gmail.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
Log in with a patron that only has the 'edit_borrowers' permission.
You should be able to access patron's information of patrons inside of your group.
Technical note:
Before this patchset the borrowers permission module contained only 1 permission, 'edit_borrowers'.
That meant
borrowers => 1
and
borrowers => '*'
had the same behavior.
Moreover, now that we have 2 permissions, 'CAN_user_borrowers' is set when all
permissions of 'borrowers' are set.
We need to update the different occurrences of these tests.
Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
1. Go to the "Details" vertical tab of a patron.
2. Click the "Restriction" tab in the bottom and add a manual restriction.
3. Verify a creation date is visible.
4. Edit the same patron.
5. Under "Patron restrictions" verify the creation date of the listed
restriction is visible.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Charles Farmer <charles.farmer@inLibro.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
In order to remove accessibility issues due to the readonly attributes
on date inputs, this patch will remove them and introduce a javascript
validation on them.
This patch is not perfect for some reasons:
I didn't manage to force the user to select a valid date. One solution
would be to reopen the datepicker plugin until a valid date is inserted.
But it could be annoying for users (and for me: I did not manage to
implement this solution).
You will note that the input is emptied if the date is not valid. This is a
quick and efficient solution to prevent submitting an invalid date and making
Koha explode. A proper solution would be to implement the check server
side and send a friendly message to the user.
Test plan:
For all inputs, try an invalid and a valid date.
1/ Debar a patron
2/ On the checkout tables (circulation and moremember), add a renewal
due date (at the bottom of the tables)
3/ On the checkout page, specify a due date
4/ On the return page, specify a return date
5/ On the invoice page (acquisition module), enter a shipment and
billing date
6/ On the invoice search page (invoices.pl) use filters shipment and
billing dates
7/ On the offline circ page, specify a due date
8/ On the edit patron page (memberentry), add a debarment
9/ On the reserve page (reserve/request.pl), use the date inputs to
suspend until a defined date
10/ Edit patrons in a batch (tools/modborrowers.pl) and use the
registration and expiry date inputs
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Remove fa-ban according to QA comment 4
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Add Font Awesome Icons to:
- "Select/Clear all" links to pay.tt (Pay fines tab)
- "Filter icon" in "filter paid transactions" to Account tab (boraccount.tt)
- "Trash icon" to Remove option in "Manual restrictions"
(borrower_debarments.inc) also add "Ban and plus icon" to "Add manual restriction"
To test:
-Apply patch
-Select a patron who has fines
-Go to "Fines->Pay fines" tabs and see the icons in "Select/Clear all"
-Choose the "Account" tab and see the icon in "Filter paid transactions"
-Select the "Check out" tab and go to "Restrictions"
-Add a manual restriction and notice the two new icons fa-plus and fa-ban
-See the new button btn-mini and the fa-trash icon
-Verify that all works as expected
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Changes the value of the "comment" column in "borrower_debarments" table
from "Restriction added by overdues process yyyy-mm-dd hh:mm:ss" to
"OVERDUE_PROCESS yyyy-mm-dd hh:mm:ss" in the overdue_notices.pl. Then in
the templates "moremember.tt", "circulation.tt", "memberentrygen.tt",
"opac-reserve.tt" and "opac-user.tt" the value of "comment" is
checked; if it's an automatic comment due to the overdue process it'll
write "Restriction added by overdues process yyyy-mm-dd hh:mm:ss",
then if there is a customizable comment it will be written without
modification. Like this, the comment "Restriction added by overdues
process" is written in the po files and can be translated later.
To test:
1) create a patron with an automatic restriction due to the overdue process;
2) apply patch;
3) run misc/cronjobs/overdue_notices.pl;
4) verify if the comment "Restriction added by overdues process" is well
written and translatable on the following pages:
- opac patron home page (opac-user.tt);
- opac item reservation page (opac-reserve.tt);
- pro patron page (moremember.tt);
- reservation item for a patron (circulation.tt, memberentrygen.tt);
5) try to translate the comment in po files;
6) sign off.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch modifies several include files, removing "onclick" attributes
in favor of defining events in JavaScript.
A reusable "toggle" function has been added to the global JS file so
that clicking elements with the class "toggle_element" will toggle the
display of elements as defined in the click target's "data-element"
attribute.
Also changed: In subtypes_unimarc.inc some capitalization errors have
been fixed and label/id pairs corrected.
To test, apply the patch and clear your browser cache if necessary.
- On the Acquisitions home page, click the "Orders search" header search
tab. Clicking the [+] link should expand and collapse the additional
search fields.
- On the checkout or patron detail page, view the "Restrictions" tab.
Click to add a restriction and use the datepicker to select a date.
Clicking the "Clear date" link should clear the date.
- Trigger the help window on any page. Clicking the "close window"
button should work correctly.
- Go to Administration -> Patron categories -> Edit. Checking and
unchecking messaging preference options should work correctly. The "do
not notify" checkbox should clear other checkboxes in that row and
vice versa.
- In Serials, from a subscription detail page, clicking the "Renew"
button should trigger the renew popup.
- Go to Acquisitions -> Vendor -> Add to basket -> From a subscription.
Clicking the "Advanced search" link in the left hand sidebar should
toggle the sidebar search form.
- In a UNIMARC system, view the advanced search page. Clicking the "Show
coded information filters" link should show additional search fields.
(I tested in my MARC21 system by temporarily moving line 174 of
advsearch.tt to line 172).
Signed-off-by: Claire Gravely <c.gravely@arts.ac.uk>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Revert "DBRev to make notes of the XSS patches and the new important dependency."
This reverts commit e140603a59.
Revert "Bug 13618: Specific for branches.opac_info"
This reverts commit 06e4a50f00.
Revert "Bug 13618: (follow-up) Specific for other prefs"
This reverts commit d6475a111f.
Revert "Bug 13618: Fix for debarredcomment and patron messages"
This reverts commit dd98c9df92.
Revert "Bug 13618: Do not display html tags in patron's notices"
This reverts commit a065b243fe.
Revert "Bug 13618: Do not display and html tags in item fields content"
This reverts commit baeeaffbf8.
Revert "Bug 13618: Fix for system preference description"
This reverts commit a967a09261.
Revert "Bug 13618: Remove html filters for newly pushed code"
This reverts commit 0e98662b10.
Revert "Bug 13618: (follow-up) add missing lines for opac-shelves"
This reverts commit fc2fb605e5.
Revert "Bug 13618: (follow-up) Specific for ColumnsSettings"
This reverts commit bc308fdd9c.
Revert "Bug 13618: Fix for edit biblios and items"
This reverts commit 811c4e8402.
Revert "Bug 13618: followup to remove tabs"
This reverts commit ca8e8c397c.
Revert "Bug 13618: Fix last occurrences recently introduced to master"
This reverts commit bb417b256b.
Revert "Bug 13618: Fix for news"
This reverts commit ae5b98020a.
Revert "Bug 13618: Fix escape on sending baskets or shelves by email"
This reverts commit a7731ffe25.
Revert "Bug 13618: Specific for XSLTBloc"
This reverts commit 11fa38dc29.
Revert "Bug 13618: Specific for Salutation on editing a patron"
This reverts commit 36c07ad6d3.
Revert "Bug 13618: Specific for other prefs"
This reverts commit e6ea281a3b.
Revert "Bug 13618 - memberentrygen.tt errors Not a GLOB reference"
This reverts commit 7824874557.
Revert "Bug 13618: Specific for ColumnsSettings"
This reverts commit 1834da3da3.
Revert "Bug 13618: Specific for IntranetUser* and OPACUser* prefs"
This reverts commit 21ae62b253.
Revert "Bug 13618: Fix error 'Not a GLOB reference'"
This reverts commit 602bdbab4c.
Revert "Bug 13618: Specific for the ISBD view"
This reverts commit d254362435.
Revert "Bug 13618: Specific for pagination_bar"
This reverts commit 8837a8ae68.
Revert "Bug 13618: Specific places where we don't need to escape variables - intra"
This reverts commit 00eff140b3.
Revert "Bug 13618: Remove html filters at the intranet"
This reverts commit 7db851ff03.
Revert "Bug 13618: Specific places where we don't need to escape variables"
This reverts commit 49a3738b8d.
Revert "Bug 13618: Remove html filters at the OPAC"
This reverts commit cedaa0e23e.
Revert "Bug 13618: Use Template::Stash::AutoEscaping to use the html filter"
This reverts commit 01b38d3b13.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
This patch adds:
- links to the new pages.
- syspref description
- links on the main page (intranet)
- the DISCHARGE type for debarment
Signed-off-by: Lucie <lucie.rousseaux@dracenie.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
TEST PLAN
---------
1) Log into staff client
2) Click 'Circulation'
3) Click 'Check out'
4a) Type a patron name, click 'Submit'
4b) If necessary, select which one, and click 'Select'
5) Check the error logs, new warnings
6) Apply patch
7) Click 'Circulation'
8) Click 'Check out'
9a) Type a patron name, click 'Submit'
9b) If necessary, select which one, and click 'Select'
10) Check the error logs, no new warnings
11) Click the 'Restrictions' tab
12) Click 'Add manual restriction'
13) Add a dummy restriction
14) Click the 'Restrictions' tab
15) Click 'Remove'
16) Click 'OK'
17) Confirm that no additional error log entries were added
and adding/deleting restrictions hasn't broken.
Signed-off-by: Jesse Weaver <pianohacker@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
This patch adds 2 circulation permissions: force_checkout and
lift_restriction.
During upgrade, these two permissions are added to existing staff
users that already have the base circulate permission.
force_checkout allows a librarian to force a checkout if a limitation
occurred.
lift_restriction allows a librarian to lift a restriction for a patron.
Test plan:
1/ Find a debarred patron and go on the checkout page. The "Lift
restriction" button should be present only if the logged librarian has
the lift_restriction permission.
2/ If the force_checkout permission is set, a librarian should be
allowed to check out in several cases:
- age restriction
- the item is issued to another patron
- the item is not for loan
- the patron has overdue items
- the item is lost
- the item is a high demand item
- the item is reserved
- another case ?
Signed-off-by: Cedric Vita <cedric.vita@dracenie.com>
Bug 10863: The force checkout permission should not affect high holds
- typo checkout => check out.
- the force checkout permission does not affect high holds.
Signed-off-by: Cedric Vita <cedric.vita@dracenie.com>
Bug 10863: Follow-up: Adding missing permissions to translated files
This patch adds the 2 new permissions to all remaining sample files.
If the permissions don't get installed, the problem is bigger than
having an English description.
Also adds back the question "Check out anyway?" for high demand items (HIGHHOLDS).
Test xt/permissions.t passes now.
Bug 10863: Rename lift_restriction with manage_restrictions
The pref manage_restrictions now takes into account "Lost card" and
"Gone no address" restrictions.
Test plan:
- log in with a user with manage_restrictions permission
- verify you can set/unset restrictions when editing a patron
- log in with a user without manage_restrictions permission
- verify you cannot set/unset restrictions when editing a patron
Signed-off-by: Mathieu Saby <mathieu.saby@univ-rennes2.fr>
Note: The AgeRestrictionOverride pref has to be set to "Allow" if you
want to override the age restriction, even if the new permission is set.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Passes koha-qa.pl, works as advertised
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
The new restrictions system has different types:
MANUAL, OVERDUES and SUSPENSION.
Those are shown in the interface and seem to come directly from the
database, so they are not translatable.
As they are hardcoded translations should be possible and be handled in
the template.
Test Plan:
1) Create a patron with one of each type of restriction
2) Apply this patch
3) Note you see the type with only the first letter capitalized,
this indicates you are seeing the translatable string
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Passes all tests and QA script. Strings now appear in
updated po files:
msgid "%s %s Manual %s Overdues %s Suspension %s "
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
If there is more than one restriction, the "remove" links don't display
the JavaScript alert.
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
This follow-up to Bug 2720 makes some template changes which I think
make the interface a little more consistent and streamlined.
Instead of incorporating the manual entry form into the table it is
broken out and follows standard form structure. This lets the table be
hidden altogether if there are no existing restrictions.
The manual entry form is hidden by default and shown when you click a
link to add a manual restriction.
These changes have been applied to both the include file used for
circulation and patron detail and to the patron entry form template.
To test, add and remove manual restrictions from the circulation page,
the patron detail page, and the patron edit page. All operations should
work correctly.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
This patch adds a more extensible and flexible debarments system to Koha. The fields
borrowers.debarred and borrowers.debarredcomment are retained for compatibility and
speed.
This system supports having debarments for multiple reasons. There are currently
three types of debarments:
OVERDUES - Generated by overdue_notices.pl if the notice should debar a patron
SUSPENSION - A punitive debarment generated on checkin via an issuing rule
MANUAL - A debarment created manually by a librarian
OVERDUE debarments are cleared automatically when all overdue items have been returned,
if the new system preference AutoRemoveOverduesRestrictions is enabled. It is disabled
by default to retain current default functionality.
Whenever a borrower's debarments are modified, the system updates the borrower's debarment
fields with the highest expiration from all the borrower's debarments, and concatenates
the comments from the debarments together.
Test plan:
1) Apply patch
2) Run updatedatabase.pl
3) Verify the borrower_debarments table has been created and
populated with the pre-existing debarments
4) Run t/db_dependent/Borrower_Debarments.t
5) Manually debar a patron, with an expiration date
6) Verify the patron cannot be issued to
7) Add another manual debarment with a different expiration date
8) Verify the 'restricted' message lists the date farthest into the future
9) Add another manual debarment with no expiration date
10) Verify the borrower is now debarred indefinitely
11) Delete the indefinite debarment
12) Verify the debarment message lists an expiration date again
13) Enable the new system preference AutoRemoveOverduesRestrictions
14) Set an overdue notice to debar after 1 day of being overdue
15) Check out an item to a patron and backdate the due date to yesterday
16) Run overdue_notices.pl
17) Verify the OVERDUES debarment was created
18) Return the item
19) Verify the OVERDUES debarment was removed
20) Disable AutoRemoveOverduesRestrictions
21) Repeat steps 15 through 18, verify the OVERDUES debarment was *not* removed
22) Add issuing rules so that an overdue item causes a temporary debarment
23) Check out an item to a patron and backdate the due date by a year
24) Return the item
25) Verify the SUSPENSION debarment was added to the patron
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
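The consolidation rule in the last commit message (farthest expiration wins, no expiration means indefinite, comments concatenated) and the AutoRemoveOverduesRestrictions behaviour of its test plan, as an added example that is not Koha's own implementation. The newline comment separator, the `Debarment` and `BorrowerDebarFields` shapes and the sample data are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# The three debarment types named in the commit message
OVERDUES, SUSPENSION, MANUAL = "OVERDUES", "SUSPENSION", "MANUAL"


@dataclass
class Debarment:
    type: str
    comment: str = ""
    expiration: Optional[date] = None  # None = no expiration, i.e. indefinite


@dataclass
class BorrowerDebarFields:
    """Stand-in for borrowers.debarred / borrowers.debarredcomment."""
    debarred: bool
    expiration: Optional[date]  # None while debarred means indefinite
    comment: str


def debarment(type_: str, comment: str, ymd: Optional[str] = None) -> Debarment:
    """Convenience constructor taking an ISO date string (assumed helper)."""
    return Debarment(type_, comment, date.fromisoformat(ymd) if ymd else None)


def update_borrower_fields(debarments: List[Debarment]) -> BorrowerDebarFields:
    """Recompute the borrower-level fields from all active debarments:
    the farthest expiration wins, an indefinite one beats every date,
    and comments are concatenated (newline separator is an assumption)."""
    if not debarments:
        return BorrowerDebarFields(False, None, "")
    if any(d.expiration is None for d in debarments):
        expiration = None
    else:
        expiration = max(d.expiration for d in debarments)
    comment = "\n".join(d.comment for d in debarments if d.comment)
    return BorrowerDebarFields(True, expiration, comment)


def clear_overdues_debarments(debarments: List[Debarment],
                              has_overdue_items: bool,
                              auto_remove_pref: bool) -> List[Debarment]:
    """Test plan steps 13-21: OVERDUES debarments are dropped only when
    AutoRemoveOverduesRestrictions is on and nothing is overdue any more."""
    if auto_remove_pref and not has_overdue_items:
        return [d for d in debarments if d.type != OVERDUES]
    return list(debarments)


if __name__ == "__main__":
    # Constructed sample walking steps 5-12 of the test plan
    active = [debarment(MANUAL, "late fees", "2024-03-01"),
              debarment(MANUAL, "lost book", "2024-06-30")]
    print(update_borrower_fields(active))               # expires 2024-06-30
    active.append(debarment(MANUAL, "indefinite"))
    print(update_borrower_fields(active))               # expiration None
    active.pop()
    print(update_borrower_fields(active))               # date is back
```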