Commit graph

27 commits

Author SHA1 Message Date
5825026448 Bug 21526: uri escape TT variables when used in 'a href'
This patch has been generated with the script provided on bug 21576.
It only affects variables used in the href attribute of a link *when*
href is the first attribute of the node (grep "a href")

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-26 17:09:57 +00:00
Katrin Fischer
81875ab282 Bug 14786: Use MARC instead of ISO2709 everywhere
This patch changes the term ISO2709 in the templates to use
MARC instead.

Test plan:
- The term was changed on the following pages in staff:
  - Advanced cataloguing editor > Save to catalog
  - Patron account > Check out (Activate ExportCircHistory) > Format
  - Patron account > Check out > Help page
  - Lists > Download list
  - Acquisitions > Add order to basket > From a staged file (breadcrumbs)
  - Administration > System preferences > ExportRemoveFields
  - Cart > Download
  - Tools > Export data > Output format

Signed-off-by: Michal Denar <black23@gmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-17 13:55:19 +00:00
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface, hit pages and try to catch an alert box.
If you find one it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
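The two escaping commits above (bug 21526's uri filter inside href and bug 13618's html filter on every other displayed variable) were applied by script, and the 13618 message asks for a QA check to catch missing filters. The Perl below is an added example, not Koha code and not the script those commits mention: it renders a before/after template pair under Template Toolkit with a payload of the <script> kind the test plan seeds into the database, and runs a crude scan for output directives that carry no filter. The patron values, the template markup and the identity 'raw' filter are constructed for the demo; stock Template Toolkit ships html, uri and url filters but no raw filter.

```perl
#!/usr/bin/perl
# Added illustration, not Koha code: Template Toolkit's html and uri
# filters against a constructed XSS payload, plus a crude scan for
# [% ... %] directives that output a variable without any filter.
use strict;
use warnings;
use Template;

# Constructed sample values (not real patron data), in the spirit of the
# <script>-laden rows the bug 13618 test plan generates.
my %patron = (
    borrowernumber => q{42&debarred=1"><script>alert(1)</script>},
    surname        => q{<script>alert('xss')</script>},
);

# Bug 13618 added a Koha-specific 'raw' filter. Stock TT has none, so an
# identity filter is registered under that name for this demo only.
my $tt = Template->new( { FILTERS => { raw => sub { return $_[0] } } } )
    or die Template->error;

# Before: both variables are emitted unfiltered, so the attribute value
# and the element content are both injection points.
my $unfiltered = q{<a href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% borrowernumber %]">[% surname %]</a>};

# After: 'uri' inside the href value (bug 21526), 'html' in element
# content (bug 13618). TT's 'uri' percent-encodes everything except the
# RFC 3986 unreserved characters, so use it on a parameter value, not on
# a whole URL; the 'url' filter keeps reserved characters such as / and ?.
my $filtered = q{<a href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% borrowernumber | uri %]">[% surname | html %]</a>};

sub render {
    my ( $template, $vars ) = @_;
    my $out = '';
    $tt->process( \$template, $vars, \$out ) or die $tt->error;
    return $out;
}

# Report directives that output a variable with no filter attached.
# Crude on purpose: skips common control/block directives and anything
# already piped through html, uri, url or raw; does not understand
# assignments such as [% x = 1 %], which it would flag as unfiltered.
sub unfiltered_vars {
    my ($template) = @_;
    my @hits;
    while ( $template =~ /\[%-?\s*(.*?)\s*-?%\]/gs ) {
        my $directive = $1;
        next if $directive =~ /^#/;    # TT comment directive
        next if $directive =~ /^(?:IF|ELSIF|ELSE|END|UNLESS|FOREACH|WHILE|SWITCH|CASE|INCLUDE|PROCESS|BLOCK|WRAPPER|SET|USE|DEFAULT|LAST|NEXT|RETURN|STOP)\b/;
        next if $directive =~ /\|\s*\$?(?:html|uri|url|raw)\b/;
        push @hits, $directive;
    }
    return @hits;
}

print "Unfiltered:\n", render( $unfiltered, \%patron ), "\n\n";
print "Filtered:\n",   render( $filtered,   \%patron ), "\n\n";

for my $pair ( [ unfiltered => $unfiltered ], [ filtered => $filtered ] ) {
    my ( $name, $template ) = @$pair;
    my @missing = unfiltered_vars($template);
    printf "%s template: %d variable(s) without a filter%s\n",
        $name, scalar @missing,
        @missing ? ' (' . join( ', ', @missing ) . ')' : '';
}
```

The first render emits the payload verbatim, which is exactly the alert box the test plan tells testers to hunt for; the second emits an entity-encoded surname and a percent-encoded borrowernumber, and the scanner reports two unfiltered directives for the first template and none for the second. Note that TT's html filter does not escape the single quote, so a variable placed inside a single-quoted attribute or a JavaScript string still needs a context-specific filter rather than html.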
cee2cf9ff9 Bug 18403: Add sub output_and_exit_if_error - unknown_patron & cannot_see_patron_infos
Test plan:
Login with a patron that is not allowed to see patron's information for patrons
outside of his group. Try to access patron's information from scripts of the patron
module (members/*) and circ/circulation.pl.
You should be able to access patron's information of patrons outside of your group
and get "You are not allowed to see the information of this patron."
If you try and access a patron page with a borrowernumber that does not exist, you
should get "This patron does not exist"

Technical note:
A new C4::Output subroutine is created in this patch: "output_and_exit_if_error"
Executed at the beginning of the script, it avoids copying/pasting all the
different checks to know if the logged in user is authorised to see patron's information.
The design here can be discussed, but I did not find an alternative with fewer changes.
On the way I refactored what we did with 'unknowuser' previously: it will now work with all
patron pages, not only the few that used it.
Note that the 'or die "Not logged in";' part should not be needed, but... who trusts
C4::Auth?
I think it could be used as a safeguard later. I am willing to sed and remove them
if required.

Changes in discharge.pl are mainly indentation changes.

With this patch we should now have a $patron variable that refers to the patron we
want to access. That will be very useful to remove plenty of code in members/* and
only pass this variable to the template (instead of 1 variable per patron's attribute).

Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:38 -03:00
03e01e670d Bug 19657: Move lists templates JS to the footer
This patch modifies the staff client's lists templates so that
JavaScript is included in the footer instead of the header.

To test, apply the patch and test the JavaScript-driven features of the
lists page: All button controls, DataTables functionality, form
validation, etc.

Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-12-11 11:34:22 -03:00
804677265e Bug 16239: Update templates
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-13 14:41:22 +00:00
d26cda6f9e Bug 17316: Do not display the list's name if the user does not have permission - Staff
Same as previous patch but for the staff interface

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:13:58 +00:00
b6ded94433 Bug 15453: Assign the correct shelfid to the download list links
Introduced by bug 14544, the shelfnumber is not correctly passed to the
template.
The shelf variable is passed to the template, to access the shelfnumber,
we need to get shelf.shelfnumber.

Test plan:
At the intranet, try to download a list.
Without this patch it won't work.

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
2016-01-07 18:54:34 +00:00
f2c6bd2c61 Bug 14544: Fix regression on sending an email from staff
The shelfnumber was not filled and resulted in a software error:
Can't call method "get_contents" on an undefined value at
/home/koha/src/virtualshelves/sendshelf.pl line 74.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
With patch mail is sent.
No errors

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-11-16 15:44:37 -03:00
6f75aa11ff Bug 14544: Make the intranet side independent of Page.pm
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-11-05 09:58:01 -03:00
0cab6f2ef3 Bug 14915: Use Font Awesome instead of Glyphicons for the staff intranet
We should be using Font Awesome for our icons instead of Glyphicons, for
the reasons discussed on bug 13696.

Test Plan:
1) Apply this patch
2) Note all Glyphicons have been replaced with FA icons in the staff intranet
3) git grep "icon-" ./koha-tmpl/intranet-tmpl/prog/en/modules/
   should give no results
4) git grep "icon-" ./koha-tmpl/intranet-tmpl/prog/en/includes/
   should give no results

Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
We need a follow-up to cover the files changes since this
patch was written. Especially to cover the changes in the
label creator modules.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-10-27 10:02:42 -03:00
9495ecaab6 Bug 13986: Printing a list only prints the results of the page you are viewing
The print list button only prints the page you are viewing, and not the
entire list.

Test Plan:
1) Apply this patch
2) Create a list with enough items that it will paginate
3) Browse to that list, click the 'print list' button
4) Note the entire list prints, not just the visible items

Tested in staff client, works as expected.
It would be great to have the same for OPAC as well (OPAC still prints first page only).
Signed-off-by: Marc Veron <veron@veron.ch>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-05-15 16:01:33 -03:00
daa98e73f8 Bug 10714: Redirect to list contents view upon save after initiating edit from list contents view (staff)
In the staff client, if you initiate a list edit from the list contents
view you should be redirected to that same view after saving your
changes. The OPAC already works this way.

To test, view the contents of an existing list. Click the "Edit list"
item under the "Edit" menu. Click save on the list edit form and you
should be redirected back to the contents view of that list.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-02-20 16:53:32 +00:00
dfae3fd997 Bug 9621 - Replace YUI menu on lists pages with Bootstrap
This patch converts the toolbar include file used by lists pages to
Bootstrap, replacing YUI button and menu code with Bootstrap markup.

To test, view any page in virtualshelves/ which uses
virtualshelves-toolbar.inc (shelves.pl). Buttons and menus should look
correct and work correctly when viewing own lists, others' lists, etc.

Revised: corrected bug number and title
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>

Comment: Work as described. No error. Looks very good.
As well as Bug 9616 the result is 10px downward from the original.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Works nicely, no problems found.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-02-18 08:03:42 -05:00
d3b50910da Bug 7368: Removing occurrences of dependant= feature in javascript open calls
The window feature dependant= should have been written as dependent=
Note that this feature is ignored in most/current browsers.
Since the feature was misspelled, removing it will not change any
behavior or hurt anybody.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Passed-QA-by: Paul Poulain <paul.poulain@biblibre.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2012-11-20 07:23:03 -05:00
Adrien Saurat
5641b90b63 Bug 7363: allows downloading of lists in CSV format
Getting a list in CSV format was impossible because the
shelfid parameter was empty in the URL.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-01-13 12:13:33 +01:00
Chris Cormack
5884fb1000 Bug 5917 : Swapping templates over
2011-04-10 20:38:30 +12:00
7cc44be17d Moving some list functions into the standard toolbar.
- Adding download functions to menu button
- Some markup corrections
2010-01-05 13:54:08 +01:00
41db97255c Corrections and tweaks to recent lists fixes.
Corrected an instance where <!-- TMPL_IF --> was embedded inside an HTML tag (conflicts with translation script). Modified styling of confirm button to match existing interface convention.

Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
2008-12-01 11:24:25 -06:00
Allen Reinmeyer
25eb36f21f Bug #2531 Cannot delete private shelf
Added logic to create a list of private lists to check on deletion.  Multiple pages have the ability to delete lists, both private and public.  Default option of retrieving a user's lists is retrieving the public ones.  Now private lists of the owner are retrieved as well and checked upon deletion request.  This allows any method of deletion to delete the correct list without examining the myriad of options currently used to indicate display of privateshelves and expect all pages to know whether a shelf number comes from a private or public list.  Since deletion occurs based on shelf number and the virtualshelves table has a primary key on shelf number, this will not cause unwanted deletion of shelves.

UPDATE:  added logic for conditional creation of shelves.  Also note change in staff side as deletions worked except for viewing a populated shelf, then deleting.  The confirm message showed, but the display was of public shelves, not private.

Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
2008-11-20 08:33:59 -06:00
Chris Nighswonger
9971756a24 kohabug 2159 Improving "Lists" button list refreshes after adding/changing lists/shelves
Adding code to refresh "Lists" button lists display in OPAC masthead.inc

Adding javascript to force refresh of parent window to update "Lists" button menu

Adding query limits and ability to specify row count and offset in queries related to Virtualshelves.
Also added the ability to return total record counts for specified virtualshelves.

Adding C4::VirtualShelves::GetRecentShelves which returns a list of the most recently modified shelves for
a given set of parameters. This allows the user to be offered active private and open lists to add books
to in drop down menus while also allowing drop down menus to be limited to a reasonable length.
This also limits the shelves stored in the user's session to a fixed number. A further enhancement might
be to add a syspref to enable a staff member to define the limit. Currently it is hardcoded at 10 per
list type (private/public-open).

Adding pagination to list/shelf related screens

Moving refresh shelves code into C4::VirtualShelves::RefreshShelvesSummary and tidying up a bit

Correcting several inconsistencies in the shelves templates as well as handling shelf management on
the intranet side correctly.

Correcting "Add To:" drop-down list to show only lists the patron has permission to add to

Correcting a few C4::VirtualShelves::GetShelvesSummary API calls

Modifications for template consistency

Breaking up a 1367 char line of javascript in opac-results.tmpl

Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-07-22 15:48:13 -05:00
Paul POULAIN
a710ca99c5 adding some strings to be parsed by translator tool
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-02-29 09:05:38 -06:00
Joe Atzberger
e7dec207fa Shelves - bugfix 1403 amongst others
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-01-15 15:33:08 -06:00
Joshua Ferraro
85092daa56 Warning: Big Commit. Fixing Virtual Shelves
* prior to this commit, virtual shelves did not function in
    the OPAC! Now they do, except for deletion from virtual shelves
    in list form
  * I've re-named 'Virtual Shelves' to 'Lists' as per our agreed
    upon convention

  * while vshelves aren't perfect yet, they're in enough of a working
    state for the RC1 now

Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-12-23 14:31:14 -06:00
89b6ed5c1f Re-working virtual shelves interface to try to make it cleaner and make the steps more clear. Still a couple of bugs: some redirects need to change in the script (after adds, deletes, and edits), to match the changes in what displays at each step. Also, the toolbar delete button needs troubleshooting.
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-10-29 16:47:40 -05:00
532ce95798 Fixing delete shelf button javascript problem. Now works well with and without javascript: No-js users will not get a warning, but they will get a form button rather than a link.
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-10-29 15:51:37 -05:00
83f2c12b21 Re-working virtual shelves interface to try to make it cleaner and make the steps more clear. Still a couple of bugs: some redirects need to change in the script (after adds, deletes, and edits), to match the changes in what displays at each step. Also, the toolbar delete button needs troubleshooting.
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-10-29 15:46:28 -05:00