Ho, another bug!
The email was not correctly filtered.
Test plan:
Use the evil string for an email, do a search.
=> Notice that without this patch the results never show up
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Ho, a bug!
Some fields in the address where double filtered.
Test plan:
Use the evil strings in the address field and do a search, you will see
double html encoded characters without this patch.
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
The patron's data was not correctly escaped actually.
Test plan:
This is a good value for the whole patchset: <strong>fir's"tname</strong> \123 ❤
use it for a patron's firstname, then do a search
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This will fix the previous failure. Note that other fields like
borrowernumber, Price escaped values, integers, etc. could be escaped
the same way but will be useless (save polar bears).
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
To replicate:
Edit a patron to have a circ note, include quoted text in it, such as "this is quoted string"
Go to the patron search, search for a set of results that would include the patron with the quotes in the note
Enjoy looking at "Processing" for forever.
Test Plan:
1) Apply this patch
2) Attempt to replicate using the steps above
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
I took this a step further and used <script>"something in
quotes"</script> for my test note and this worked just fine. YAY.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch modifies templates where a pop-up window is used to display
patron search results. A link has been added to the patron name which
triggers a modal window displaying more details about that patron. With
each page in the test plan, check that clicking linked names in search
results triggers a modal with the correct data.
- Acquisitions -> Vendor -> View basket -> Add user
- Acquisitions -> Vendor -> Add to basket -> From a new (empty) record
-> Add user
- Acquisitions -> Funds -> Edit fund -> Select owner
- Tools -> Patron card creator -> Manage -> Card batches -> Edit -> Add
patrons
- Serials -> Subscription -> Edit routing list -> Add recipients
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Generated with:
perl -p -i -e 's/\|\s?\$Price\s?\|\s?html\s%]/| \$Price %]/g' **/*.tt **/*.inc
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
When permission 'manage_patron_lists' is off, there is no checkbox on
/cgi-bin/koha/members/member.pl to merge patrons.
Test plan:
Remove permission manage_patron_lists
Add permission edit_borrowers
Search for patrons
=> Without this patch you will not be able to select patrons to merge
(checkboxes are not displayed)
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch modifies the funds administration page and other files
related to the process of searching for and selecting fund owners and
users in order to remove the use of event attributes like 'onclick.'
Also changed in this patch: I have revised the way the "select owner"
and "select user" controls look. They are now links with Font Awesome
icons.
- Go to Administration -> Funds and open a fund for editing.
- Test the process of adding and updating an owner:
- Click the 'Select owner' link.
- Search for and select an owner in the pop-up window.
- Save the fund and verify that the owner was saved correctly.
- Perform the same test with the 'Remove owner' link.
- Use the same process to test the addition and removal of users.
- Confirm that the 'Remove' link works correctly before and after
submitting the form to save changes to the fund.
This patch changes a file which is used by both the funds template and
the template used when setting a guarantor on a patron. To test the
changes in that context:
- Open a 'child' type patron record.
- Under 'Guarantor information,' test the process of setting and
removing a guarantor to confirm that data is saved correctly.
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Format the values in patron search results following syspref CurrencyFormat.
To verify:
- Search for patrons who have fines or credits
- In result table, column 'Fines' does not respect syspref CurrencyFormat
(e.g. for FR)
To test:
- Apply patch
- Repeat steps above, verify that fines display as appropriate
- Change syspref Currencyformat, verify display
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Bug 10318 added the email to the patron search results but it has been
removed later.
This patch reintroduced it where it was (no new column).
Test plan:
Search for patrons and confirm that the emails are displayed.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch updates the guarantor search template so that event
definition is done in the script rather than in an onclick attribute.
This patch also increases the size of the popup window to help prevent
the need for horizontal scrolling and adds Bootstrap style to the
"select" button.
To test, apply the patch and clear your browser cache if necessary.
- Go to Patrons and add a patron with a "child" category type.
- In the "Guarantor information" section, click the "Set to patron"
button.
- In the pop-up window, search for a patron.
- Click the "Select" button next to a patron.
- The window should close, and the patron you selected should now appear
as the guarantor. The guarantor's address information should be added
to the "Main address" section.
Tested on top of Bug 13041 and Bug 16386, works as expected, however see
Bug 16458
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
We have several others places where a td contains buttons. This patch
fixes the ones in table generated server-side.
Test plan:
Search for patrons and shelves: the buttons should not wrap
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
EDIT: Adding nowrap styles to the Action column. I chose to do it with a span because that's the way it's already done in this file for another column.
To test:
1) Go to Patrons and do a search that will bring up more than one result
2) Confirm 'Edit' now shows as a font awesome button and works as expected
3) Confirm the button does not wrap when you make your browser narrower
Sponsored-by: Catalyst IT
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
If patron infos contain invalid JSON chars (\t for instance), the
results won't appear.
The solution is to escape these info.
Test plan:
Edit patron infos in DB (update borrowers set surname="foobar\t" where
borrowernumber=42)
Search for foobar (you should have more than 1 result)
Without this patch, DT retrieves a bad formatted JSON and the results
won't appear.
With this patch, the table result appears
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Revert "DBRev to make notes of the XSS patches and the new important dependency."
This reverts commit e140603a59.
Revert "Bug 13618: Specific for branches.opac_info"
This reverts commit 06e4a50f00.
Revert "Bug 13618: (follow-up) Specific for other prefs"
This reverts commit d6475a111f.
Revert "Bug 13618: Fix for debarredcomment and patron messages"
This reverts commit dd98c9df92.
Revert "Bug 13618: Do not display html tags in patron's notices"
This reverts commit a065b243fe.
Revert "Bug 13618: Do not display and html tags in item fields content"
This reverts commit baeeaffbf8.
Revert "Bug 13618: Fix for system preference description"
This reverts commit a967a09261.
Revert "Bug 13618: Remove html filters for newly pushed code"
This reverts commit 0e98662b10.
Revert "Bug 13618: (follow-up) add missing lines for opac-shelves"
This reverts commit fc2fb605e5.
Revert "Bug 13618: (follow-up) Specific for ColumnsSettings"
This reverts commit bc308fdd9c.
Revert "Bug 13618: Fix for edit biblios and items"
This reverts commit 811c4e8402.
Revert "Bug 13618: followup to remove tabs"
This reverts commit ca8e8c397c.
Revert "Bug 13618: Fix last occurrences recently introduced to master"
This reverts commit bb417b256b.
Revert "Bug 13618: Fix for news"
This reverts commit ae5b98020a.
Revert "Bug 13618: Fix escape on sending baskets or shelves by email"
This reverts commit a7731ffe25.
Revert "Bug 13618: Specific for XSLTBloc"
This reverts commit 11fa38dc29.
Revert "Bug 13618: Specific for Salutation on editing a patron"
This reverts commit 36c07ad6d3.
Revert "Bug 13618: Specific for other prefs"
This reverts commit e6ea281a3b.
Revert "Bug 13618 - memberentrygen.tt errors Not a GLOB reference"
This reverts commit 7824874557.
Revert "Bug 13618: Specific for ColumnsSettings"
This reverts commit 1834da3da3.
Revert "Bug 13618: Specific for IntranetUser* and OPACUser* prefs"
This reverts commit 21ae62b253.
Revert "Bug 13618: Fix error 'Not a GLOB reference'"
This reverts commit 602bdbab4c.
Revert "Bug 13618: Specific for the ISBD view"
This reverts commit d254362435.
Revert "Bug 13618: Specific for pagination_bar"
This reverts commit 8837a8ae68.
Revert "Bug 13618: Specific places where we don't need to escape variables - intra"
This reverts commit 00eff140b3.
Revert "Bug 13618: Remove html filters at the intranet"
This reverts commit 7db851ff03.
Revert "Bug 13618: Specific places where we don't need to escape variables"
This reverts commit 49a3738b8d.
Revert "Bug 13618: Remove html filters at the OPAC"
This reverts commit cedaa0e23e.
Revert "Bug 13618: Use Template::Stash::AutoEscaping to use the html filter"
This reverts commit 01b38d3b13.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
Test plan:
1) Apply the patch
2) Type into search form patron's name & check his date of birth in
autocompletion
3) Go to intranet/cgi-bin/koha/members/member.pl & submit
a search with more than one result .. now should in the table appear
patron's date of birth
4) Try show/hide columns section if it works correctly for date of birth
5) Go to intranet/cgi-bin/koha/admin/columns_settings.pl -> go to
patrons section & check there is dateofbirth & it's functionality
Signed-off-by: Frederic Demians <f.demians@tamil.fr>
Works as described. Syspref dateformat respected. Column dateofbirth
configurable, but mandatory on autocompletion search result.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch set display amounts for charge, fine, price etc. right aligned in tables
on patron pages.
To test, apply patch and verify that amounts appear right aligned on following pages:
- Go to Home > Patrons, perform a search (Column 'Fines')
- Go to a patron with fines and credits
- Checkout tab (circulation.pl): Columns 'Charge', 'Fine', 'Price'
(maybe you have to show column with 'Show / hide colums')
- Fines Tab > Pay fines (pay.pl): Columns 'Amount', 'Amount Outstanding'
- Fines Tab > Account (boraccount.pl): Columns 'Amount', 'Outstanding'
Note: Test here 'Filter paid transactions' as well
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Working on bug 13497 and bug 9314, I run into some Koha vestiges.
The category_type parameter should not be passed to memberentry.
On creating a new patron, the categorycode should be passed, and on
editing, it's useless. We can work with the borrowernumber and retrieve
these values.
Details of the changes:
- members-toolbar.inc: Remove the category_type parameter passed to
memberentry.pl
- memberentrygen.tt: Just remove the useless category_type parameter on
editing a patron. Also remove the unused one passed to
guarantor_search.pl.
- tables/members_results.tt: the borrowernumber is enough to edit a
patron.
- memberentry.pl: check_categorytype is never used in the template, all
the process to calculate/retrieve it is unnecessary.
- members/nl-search.tt: The borrowernumber is enough to edit a patron.
Test plan:
Try to create and edit patrons and verify that
- the guarantor search still work
- the form (memberentry) behave as before
Edit a patron from the nl-search.pl script (Magnus?)
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
On top of 9314 (13497 already pushed)
No evident regressions found, add/edit patron works,
search/set guarantor works.
Cant test nl-patron.pl save for exec it.
prove -v t/NorwegianPatronDB.t runs
No koha-qa errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
In a couple of patron searches, the address is displayed.
If the address contain invalid json characters, DataTables won't manage
to parse the results and display them.
This patch makes the templates more readable by creating a BLOCK instead
of a long line and escape the invalid json characters calling the TT
plugin (To.json).
Test plan:
Edit a patron and add something like:
patron <address> \123 ☎ ⚑
in the address field.
Search for this patron using the main patron search (members/member.pl)
and the guarantor search.
Confirm that a result with this patron is correctly displayed.
Regression test: Since Koha::Template::Plugin::To::json is modified,
confirm that the add users to basket search (on acqui/basket.pl?basketno=X
click on the "Add user" button) still works as expected.
Signed-off-by: Christopher Brannon <cbrannon@cdalibary.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Previous patch removed the name column, it's a regression.
This patch reintroduces it.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch is the main patch.
The "common" template is improved to allow different type of picking:
"add" or "select".
The first one appends a patron to a list, the second one selects the
patron and close the result search window.
The members/guarantor_search.pl has completly changed but is quite the
same file as acqui/add_user_search.pl. Both should exist: they don't
belong to the same module (acqui vs members), the picking type is
different (add vs select) and the columns are not the same.
The changes in the common template are very powerful, it's now possible
to list the column we want! This will be very useful for further
reusability.
Before this patch, all patrons mathing the pattern were return. Now only
the first 20 are (depends on the DataTables selected value).
For QA: This patch introduces a new template plugin "To", for now it
permits to convert a perl structure to json. In the idea, it could
permit to convert foo to bar too.
Test plan:
1/ Verify there is no regression in the guarantor search. When the
selection has been done, all data from the guarantor should fill the
form in the "main address" section.
Note that the request is done when the search input in not empty and the
user stop to write for 1 sec.
2/ Verify there is no regression on the 2 other pages where this patron
search is used: link a patron to an order and to a basket (in the
acquisition module).
Signed-off-by: Morag Hills <the.invinnysible.one@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch removes double patron card numbers from patron search results.
To test:
Search patrons
See card number 12345 in first column and in second column like Testman, John (12345)
Apply patch
Patron card number no longer dispays in second colum
Further testing:
Search for other places in intranet where patron-title.inc is used (git grep 'patron-title.inc')
The card number still should display at the other places.
Signed-off-by: Chris <chris@bigballofwax.co.nz>
http://bugs.koha-community.org/show_bug.cgi?id=8096
Signed-off-by: Chris <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
On the patron search results page there are several patron fields which
do not show: street number, road type, and state. This patch adds them.
To test, go to Patrons -> Search patrons and perform a search. In the
table of patron search results each patron record should display the
correct information including street number, road type, and state.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Works as described, passes tests and QA script.
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Works as described.
This patch fixes the issues raised in bug 9811 comment 105, 106 and 107:
1/ Add missing space between category and type.
2/ Fix error on searching an empty string (caused by a previous rebase).
3/ Remove sort option on checkbox/borrowernumber column.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch restores the enhancement introduced by Bug 10318.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Issue:
When a patron has backslashes in his circulation notes, the JSON transportation
layer cannot send the message because it will fail JSON validation when trying to
validate backslashed non-literal characters (\s \d ...).
This causes the whole search to fail when even one Borrower has a non-literal
backslashed character in his notes.
Solution:
The Borrowers' circulation notes are filtered through a regexp which doubles all
backslashes to prepare them for the JSON validation routine.
Result:
Backslashes pass through unchanged.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch add DataTables using server-side processing for the patrons
search.
It adds:
- 1 module C4/Utils/DataTables/Members.pm
- 2 services svc/members/search and svc/members/add_to_list
- 1 template members/tables/members_results.tt
- 1 new practice which is to add template for DataTables in a
subdirectory named 'tables'.
Impacted scripts: members/members-home.pl and members/members.pl
To go further: We can imagine that all patrons searches use the same
service with no big changes: 1 little template creates a JSON file and
to implement DataTables on the template page, that's all.
Amended patch: Since bug 10565 has been pushed, these patches don't
apply cleanly. I had to rewrite a part of the patron list feature.
I removed the choice to add all resultant patrons from a search. I think
this choice is useless with this patch: we are able to display the
number of patrons we want and to select all of them.
Test plan:
- Check that there is no regression on searching patrons.
- Try filters on the left of the screen.
- Try to sort each column.
- Try the "Browse by last name" links.
- Check that the "Clear" button clears yours filters.
- Try with IndependantBranches ON and OFF.
- Verify this feature does not break the patron list feature (cf bug
10565).
Signed-off-by: Cedric Vita <cedric.vita@dracenie.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Passes all tests and QA script, couldn't find any regressions
or problems. Some notes left on the bug.
Bug 9811: Add unit tests for C4::Utils::DT::Members
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Bug 9811: QA followup
- removes 2 tabs
- removes mysqlisms
- add sort on borrowernotes
- fix wrong capitalization
- cat => Category
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Thx for fixing these!
Bug 9811 - multilines notes brakes JSON
In new patron search feature, the search results are fetched using Ajax and returned in JSON format.
The JSON is created by TT using koha-tmpl/intranet-tmpl/prog/en/modules/members/tables/members_results.tt.
One of the fields is the borrower notes. When this notes contains several lines, the JSON is broken.
This patch uses TT fileters to consert in notes linefeeds into HTML line break (html_line_break) and then remove linefeeds (collapse).
Test plan :
- perform a member search that does not return a borrower with a circ note
- edit one of the borrowers returned by this search
- enter serveral lines of text in "Circulation note" and save
- reperform the member search
=> circ note is well displayed on several lines
Bug 9811: use count(primary_key) instead of count(*)
Bug 9811: A limit clause should be always added.
By default, we want to retrieve 20 first results.
Bug 9811: Load the page without any data.
Displaying the first 20 patrons is not useful. With this patch, the
table is hidden and no record is retrieved by default.
On the same way, the existing side effect on redirect disappears.
Signed-off-by: Olli-Antti Kivilahti <olli-antti.kivilahti@jns.fi>
-------------
-TEST REPORT-
-------------
For the filter: Tested all the search fields, branches, search type.
Found a bug with "date of birth", followup provided.
Tested display limits and verified that AJAX-queries are
efficient (using LIMIT clause) to not stress DB needlessly.
Tested adding Patrons to a list.
A good feature, which seems to work quite well.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Adding my test plan to the last patch of this bug.
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>