Commit graph

10 commits

Author SHA1 Message Date
Katrin Fischer
624eb9e1f5 Bug 19108: (follow-up) Fix Stored XSS in fieldmapping.pl and items_search_fields.pl
To test:
- Add a framework with script in the description
- Access the Keywords to MARC mapping page
- Add an item search field where both name and label are script
- Try to edit/delete the added mapping

With the patch no script should be executed and everything
should still work ok.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:51 -03:00
Amit Gupta
bfbba2339f Bug 19108: Fix Stored XSS in items_search_fields.pl
To Test
1. Hit the page /cgi-bin/koha/admin/items_search_fields.pl
2. Add a text in the field Name and Label that contains js
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Fixed for new and edit page

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:50 -03:00
Aleisha Amohia
16414374aa Bug 17793: Make sysprefs search show on all Admin pages
This patch is amended to use the sysprefs search on all Administration
pages that do not have their own custom search.

To test:
1) Go to Administration
2) Notice Catalogue search at the top - seems out of place.
3) Apply patch and refresh page.
4) Notice admin / sysprefs search now shows and is more appropriate.
5) Confirm searching for sysprefs still works

This patch affects the following pages:
- admin-home.pl
- audio_alerts.pl
- authtypes.pl
- auth_tag_structure.pl
- authorised_values.pl
- biblio_framework.pl
- marctagstructure.pl
- branch_transfer_limits.pl
- branches.pl
- checkmarc.pl
- classsources.pl
- columns_settings.pl
- didyoumean.pl
- edi_accounts.pl
- edi_ean_accounts.pl
- fieldmapping.pl
- item_circulation_alerts.pl
- items_search_fields.pl
- items_search_field.pl
- item_types.pl
- koha2marklinks.pl
- matching-rules.pl
- oai_sets.pl
- oai_set_mappings.pl
- patron-attr-types.pl
- smart-rules.pl
- transport-cost-matrix.pl
- sms_providers.pl

Sponsored-by: Catalyst IT

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-02-17 15:34:11 +00:00
804677265e Bug 16239: Update templates
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-13 14:41:22 +00:00
e6e09c540f Bug 15803: Koha::AuthorisedValues - Remove C4::Koha::GetAuthorisedValueCategories
The subroutine C4::Koha::GetAuthorisedValueCategories just retrieves all
the authorised value categories.
We already have a method in the Koha::AuthorisedValues module to do this
job, let's use it!

Technical explanations:
The new subroutine of the AuthorisedValues TT plugin will allow to get
the authorised value categories from the templates.
The new html_helpers include file will get rid of the if selected else
end statements. Bug 15758 already uses this file, see the commit
description for more informations.

Test plan:
1/ Create or edit a new fund (aqbudgets.pl), the fields "statistic 1"
and "statistic 2" should be correctly filled with the list of authorised
value categories
2/ Edit subfields for a biblio and authority framework.
The "Authorized value" dropdown list should be correctly filled on both
pages
3/ Create new items search fields (from the administration area), same
as previously, the authorised value category dropdown list should be
correctly filled
4/ Add and edit patron attribute types, check the authorised value
category list.

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-10-28 16:35:52 +00:00
ed449a5b5b Bug 16005 - Standardize use of icons for delete and cancel operations
This patch makes changes to Font Awesome icons in order to make icon
choice consistent for common actions.

<i class="fa fa-trash"></i> where something is deleted, removed, or
emptied.

<i class="fa fa-remove"></i> where an operation is cancelled (also where
selections are cancelled, as in checkboxes).

<i class="fa fa-times-circle"></i> for "close," as in baskets and
windows.

To test, apply the patch and view the following pages to confirm that
the correct icon is used:

- Acquisitions -> Vendor -> Vendor delete button.
- Acquisitions -> Vendor -> Edit -> Delete contact button.
- Acquisitions -> Invoices ->  Delete menu item.
- Cataloging -> Edit record -> Authority search pop-up (triggered from
  the tag editor for a tag linked to an authority) -> Clear field button
- Authorities -> Authority detail -> Delete button.
- Tools -> Quotes editor -> Quotes delete button.
- Reports -> View saved report -> Delete button.
- Reports -> Saved reports -> Delete menu item.
- Serials -> Subscription details -> Subscription close button.
- Administration -> Budgets -> Delete menu item.
- Administration -> Item search fields -> Delete button.
- Administration -> Z39.50/SRU servers -> Delete menu item.
- Catalog -> Advanced search -> Clear fields link.
- Cataloging -> Advanced editor -> Macros -> Delete macro button.
- Circulation -> Checkout -> Check out an item which is on hold for
  another patron. "Cancel checkout and place hold" button now uses the
  icon used elsewhere for holds.
- Course reserves -> Course -> Delete course button.
- Patrons -> Patron lists -> Add patrons -> Remove selected button.
- Acquisitions -> Suggestions -> Suggestion details -> Delete button.
- Lists -> List contents -> Remove selected button.

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-06-03 08:21:25 +00:00
5e1bcc4aa7 Bug 16242 - Move staff client JavaScript out of language directory
This patch moves the JavaScript files in prog/en/js to prog/js.
JavaScript files do not need to be in the directory which is processed
by the translator.

To test, apply the patch and visit various pages in the staff client to
confirm that JavaScript files are still loading correctly.

Revised: I intended for this to be built on top of Bug 15883 as well as
Bug 16242. Now it is.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
On top of 15883 and 16241
All seems to work, js files pulled from new dir.
No errors

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-04-29 14:32:42 +00:00
Aleisha
024af5ee9f Bug 15992: Renaming 'Operations' column heading to 'Actions'
to be consistent with other Administration tables
These actions were already made into buttons so will just make this small string change

To test:

1) Go to Admin -> Item search fields
2) Confirm column heading now reads 'Actions'

Sponsored-by: Catalyst IT

NOTE: Trivial string change, screen refresh confirms change.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
2016-03-12 23:26:59 +00:00
fd74b271db Bug 15887: Revise layout and behavior of item search fields management
This patch adds some JavaScript to the item search fields management
page so that the add form is not displayed by default. This simplifies
the interface and makes it more consistent with other similar
interfaces.

Also changed in this patch:
- Changing instances of "Items search fields" to "Item search fields."
- Correct form structure to use ordered list
- Add "required" classes and enable built-in JS form validation.
- Add explicitly labeled "Choose" options to <select>s.
- Add missing ids to form fields (labels don't work without them).
- Correct classes of message and alert dialogs.
- Add JS confirmation of deletions.
- Convert MARC tag and subfield dropdowns to regular inputs (Bug 15384).

To test, apply the patch and go to Administration.

- Confirm that the "Item search fields" link is correct.
- Follow the link and confirm that the list of existing fields is shown
  by default, or a message saying there are no existing fields.
- Click the "New search field" button and confirm that it displays the
  entry form.
  - Confirm that submitting an empty form does not work.
  - Confirm that clicking the "Cancel" link correctly hides the form.
  - Confirm that submitting valid data works correctly.
- In the table of existing item search fields, confirm that the "Edit"
  button works correctly.
  - Confirm that submitting edits works correctly.
- In the table of existing item search fields, confirm that clicking
  "Delete" highlights the row in question and a confirmation dialog
  appears.
  - Test both canceling and confirming deletion.

Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as described. JSHint OK, koha-qa OK.

Revision per QA: Undid the change making tag and subfield inputs text
fields.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
2016-03-02 22:36:17 +00:00
Julian Maurice
7c2ff7940e Bug 11425: Add item search form in staff interface
Item search is available at catalogue/itemsearch.pl (link is in
catalogue/search.pl)
It only uses SQL (not Zebra)
* Use DataTables and server-side processing to be able to filter on
  individual columns after the first search is done.
* Allow to export results in CSV
* With Javascript disabled, search form still works (and CSV export too)

There is the possibility to define "Custom search fields" in a new admin
page admin/items_search_fields.pl (link is in admin/admin-home.pl)
A custom item search field is defined by:
* a name: its unique identifier
* a label: the text displayed to the user
* a MARC field/subfield: the field/subfield to query (it uses
  ExtractValue)
* an authorised values list (optional): if defined the list is displayed
  in the search form

New Perl dependency: Template::Plugin::JSON::Escape

Test plan:
1/ Apply the patch and run updatedatabase.pl
2/ Go to advanced search (staff interface), then click on "Go to item
search"
3/ Play with the search form! :)
In the 3rd fieldset you can add as many fields as you want and combine them with
boolean operators (AND, OR). You can use SQL jokers characters (%, _)
You can output to screen (in a DataTables table) or to a CSV file.
4/ In the DataTables table, play with filters and try sorting columns.
5/ Disable Javascript (with Firefox: extensions NoScript or YesScript,
or in about:config 'javascript.enabled' = false
6/ Reload the search page and do some searches on screen output. (there
is no sorting or filtering features, but there is still pagination)
7/ Try again CSV output.
8/ You can re-enable Javascript.
9/ Go to Administration > Items search fields
10/ Add a new field. Example for title (in UNIMARC):
  Name: title
  Label: Title
  MARC field: 200
  MARC subfield: a
  Authorised values category: None
(add another field with an authorised values category to see the
difference).
11/ As you are there try to update and delete some fields.
12/ Go back to items search form. You can see in the 3rd fieldset that
your fields have appeared in the selects.
13/ Try searching on them.
14/ I think you're done :)

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Work as described. Good new option.
No koha-qa errors

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2014-11-04 19:08:12 -03:00