This patch modifies templates where a pop-up window is used to display
patron search results. A link has been added to the patron name which
triggers a modal window displaying more details about that patron. With
each page in the test plan, check that clicking linked names in search
results triggers a modal with the correct data.
- Acquisitions -> Vendor -> View basket -> Add user
- Acquisitions -> Vendor -> Add to basket -> From a new (empty) record
-> Add user
- Acquisitions -> Funds -> Edit fund -> Select owner
- Tools -> Patron card creator -> Manage -> Card batches -> Edit -> Add
patrons
- Serials -> Subscription -> Edit routing list -> Add recipients
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch modifies the funds administration page and other files
related to the process of searching for and selecting fund owners and
users in order to remove the use of event attributes like 'onclick.'
Also changed in this patch: I have revised the way the "select owner"
and "select user" controls look. They are now links with Font Awesome
icons.
- Go to Administration -> Funds and open a fund for editing.
- Test the process of adding and updating an owner:
- Click the 'Select owner' link.
- Search for and select an owner in the pop-up window.
- Save the fund and verify that the owner was saved correctly.
- Perform the same test with the 'Remove owner' link.
- Use the same process to test the addition and removal of users.
- Confirm that the 'Remove' link works correctly before and after
submitting the form to save changes to the fund.
This patch changes a file which is used by both the funds template and
the template used when setting a guarantor on a patron. To test the
changes in that context:
- Open a 'child' type patron record.
- Under 'Guarantor information,' test the process of setting and
removing a guarantor to confirm that data is saved correctly.
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
If you are trying to add a user as a manager of a basket in
acquisitions, a JavaScript error will be triggered if that user has a
single quote in their name (e.g. "O'Neil"). This patch corrects the
issue by removing the "onclick" attribute and using the JS change made
in Bug 16386.
Also changed by this patch: Increased the size of the patron search
popup and made a correction to some invalid HTML.
To test you should have a patron whose name contains a single quote who
is also a user with permission to manage acquisitions.
- Apply the patch and go to Acquisitions.
- Locate an open basket and view the details for that basket.
- In the "Managed by" section, click the "Add user" button to trigger
the patron search popup.
- Search for the patron described above and click the "Add" button.
- In the parent window, the patron you chose should have been added to
the "Managed by" section.
Tested on top of Bug 16383, behaves as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
If patron infos contain invalid JSON chars (\t for instance), the
results won't appear.
The solution is to escape these info.
Test plan:
Edit patron infos in DB (update borrowers set surname="foobar\t" where
borrowernumber=42)
Search for foobar (you should have more than 1 result)
Without this patch, DT retrieves a bad formatted JSON and the results
won't appear.
With this patch, the table result appears
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Revert "DBRev to make notes of the XSS patches and the new important dependency."
This reverts commit e140603a59.
Revert "Bug 13618: Specific for branches.opac_info"
This reverts commit 06e4a50f00.
Revert "Bug 13618: (follow-up) Specific for other prefs"
This reverts commit d6475a111f.
Revert "Bug 13618: Fix for debarredcomment and patron messages"
This reverts commit dd98c9df92.
Revert "Bug 13618: Do not display html tags in patron's notices"
This reverts commit a065b243fe.
Revert "Bug 13618: Do not display and html tags in item fields content"
This reverts commit baeeaffbf8.
Revert "Bug 13618: Fix for system preference description"
This reverts commit a967a09261.
Revert "Bug 13618: Remove html filters for newly pushed code"
This reverts commit 0e98662b10.
Revert "Bug 13618: (follow-up) add missing lines for opac-shelves"
This reverts commit fc2fb605e5.
Revert "Bug 13618: (follow-up) Specific for ColumnsSettings"
This reverts commit bc308fdd9c.
Revert "Bug 13618: Fix for edit biblios and items"
This reverts commit 811c4e8402.
Revert "Bug 13618: followup to remove tabs"
This reverts commit ca8e8c397c.
Revert "Bug 13618: Fix last occurrences recently introduced to master"
This reverts commit bb417b256b.
Revert "Bug 13618: Fix for news"
This reverts commit ae5b98020a.
Revert "Bug 13618: Fix escape on sending baskets or shelves by email"
This reverts commit a7731ffe25.
Revert "Bug 13618: Specific for XSLTBloc"
This reverts commit 11fa38dc29.
Revert "Bug 13618: Specific for Salutation on editing a patron"
This reverts commit 36c07ad6d3.
Revert "Bug 13618: Specific for other prefs"
This reverts commit e6ea281a3b.
Revert "Bug 13618 - memberentrygen.tt errors Not a GLOB reference"
This reverts commit 7824874557.
Revert "Bug 13618: Specific for ColumnsSettings"
This reverts commit 1834da3da3.
Revert "Bug 13618: Specific for IntranetUser* and OPACUser* prefs"
This reverts commit 21ae62b253.
Revert "Bug 13618: Fix error 'Not a GLOB reference'"
This reverts commit 602bdbab4c.
Revert "Bug 13618: Specific for the ISBD view"
This reverts commit d254362435.
Revert "Bug 13618: Specific for pagination_bar"
This reverts commit 8837a8ae68.
Revert "Bug 13618: Specific places where we don't need to escape variables - intra"
This reverts commit 00eff140b3.
Revert "Bug 13618: Remove html filters at the intranet"
This reverts commit 7db851ff03.
Revert "Bug 13618: Specific places where we don't need to escape variables"
This reverts commit 49a3738b8d.
Revert "Bug 13618: Remove html filters at the OPAC"
This reverts commit cedaa0e23e.
Revert "Bug 13618: Use Template::Stash::AutoEscaping to use the html filter"
This reverts commit 01b38d3b13.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
To Test -
1. If you don't have a budget and a fund, make at least one of each.
2. Go to funds from budgets.
3. Either make a new fund or edit an existing one and then click Edit owner, which will bring up a pop-up tab.
4. Search for a patron.
5. Using the tab key try to navigate onto the Select link.
6. Notice it skips select.
7. Apply the patch and then repeat steps 3-5, notice the select link can now be accessed through using the keyboard.
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
This first patch remove the previous way to search for users to link to
budgets.
Test plan:
1/ Edit or create a fund
2/ Edit the owner of this fund a select a patron
3/ Add 1+ users to the user lists of this fund
Tested together with other patches.
Signed-off-by: Marc Veron <veron@veron.ch>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch is the main patch.
The "common" template is improved to allow different type of picking:
"add" or "select".
The first one appends a patron to a list, the second one selects the
patron and close the result search window.
The members/guarantor_search.pl has completly changed but is quite the
same file as acqui/add_user_search.pl. Both should exist: they don't
belong to the same module (acqui vs members), the picking type is
different (add vs select) and the columns are not the same.
The changes in the common template are very powerful, it's now possible
to list the column we want! This will be very useful for further
reusability.
Before this patch, all patrons mathing the pattern were return. Now only
the first 20 are (depends on the DataTables selected value).
For QA: This patch introduces a new template plugin "To", for now it
permits to convert a perl structure to json. In the idea, it could
permit to convert foo to bar too.
Test plan:
1/ Verify there is no regression in the guarantor search. When the
selection has been done, all data from the guarantor should fill the
form in the "main address" section.
Note that the request is done when the search input in not empty and the
user stop to write for 1 sec.
2/ Verify there is no regression on the 2 other pages where this patron
search is used: link a patron to an order and to a basket (in the
acquisition module).
Signed-off-by: Morag Hills <the.invinnysible.one@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
The displayed patron's name should be surname + firstname
Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
A previous enhancement allows to link basket with patrons.
Next patches will use the same way to link order with patrons.
In order to avoir c/p of code, this patch refactores this part of code.
Test plan:
1/ Verify there is no regression on adding/modifying users to a basket.
(acqui/basket.pl?basketno=XXX, "Managed by", "Add user").
2/ Note that you get a friendly message if the user is already present in the
list and when the user has correctly been added to the list.
3/ Note that the list uses the member search service (ie. DataTable +
serverside processing).
Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
