Commit graph

17 commits

Author SHA1 Message Date
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface, hit pages and try to catch an alert box.
If you find one, it means you found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
cee2cf9ff9 Bug 18403: Add sub output_and_exit_if_error - unknown_patron & cannot_see_patron_infos
Test plan:
Login with a patron that is not allowed to see patron's information for patrons
outside of his group. Try to access patron's information from scripts of the patron
module (members/*) and circ/circulation.pl.
You should be able to access patron's information of patrons outside of your group
and get "You are not allowed to see the information of this patron."
If you try and access a patron page with a borrowernumber that does not exist, you
should get "This patron does not exist"

Technical note:
A new C4::Output subroutine is created in this patch: "output_and_exit_if_error"
Executed at the beginning of the script, it avoids copy/pasting all the
different checks to know if the logged-in user is authorised to see patron's information.
The design here can be discussed, but I did not find an alternative with fewer changes.
On the way I refactor what we did with 'unknowuser' previously: it will now work with all
patron pages, not only the few that used it.
Note that the 'or die "Not logged in";' part should not be needed, but... who trusts
C4::Auth?
I think it could be used as a safeguard later. I am willing to sed and remove them
if required.

Changes in discharge.pl are mainly indentation changes.

With this patch we should now have a $patron variable that refers to the patron we
want to access. That will be very useful to remove plenty of code in members/* and
only pass this variable to the template (instead of 1 variable per patron attribute).

Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:38 -03:00
804677265e Bug 16239: Update templates
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-13 14:41:22 +00:00
9c5b819100 Bug 15009: QA follow-up
This patch adds a test to check the unicity of auth cats, simplifies
the GetBudgetAuthCats subroutine and makes it return an arrayref of scalars
instead of an arrayref of hashrefs with only 1 key.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-04-29 13:00:21 +00:00
0cab6f2ef3 Bug 14915: Use Font Awesome instead of Glyphicons for the staff intranet
We should be using Font Awesome for our icons instead of Glyphicons, for
the reasons discussed on bug 13696.

Test Plan:
1) Apply this patch
2) Note all Glyphicons have been replaced with FA icons in the staff intranet
3) git grep "icon-" ./koha-tmpl/intranet-tmpl/prog/en/modules/
   should give no results
4) git grep "icon-" ./koha-tmpl/intranet-tmpl/prog/en/includes/
   should give no results

Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
We need a follow-up to cover the file changes since this
patch was written, especially the changes in the
label creator modules.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-10-27 10:02:42 -03:00
8b648c94f9 Bug 9628 - Replace YUI buttons and menus on budgets administration pages with Bootstrap
This patch converts the toolbar include file used by budgets
administration pages to Bootstrap, replacing YUI button and menu code
with Bootstrap markup.

To test, create, view, and edit budgets. Buttons and menus should look
correct and work correctly. Functions include:

- New budget
- New fund
- Edit budget
- Duplicate budget
- Plan by (months, libraries, etc)

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>

Comment: Works as described. No error.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Works nicely, no problems found.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-02-18 08:24:37 -05:00
Alex Arnaud
0023e2a1ce Bug 8224 - Make authorized values appear in planning list
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
I can confirm the bugs on current master and this patch fixes both problems.

- Pull down list for "Planning" on the budget page was not showing
  categories of authorized values
- Planning page showed the categories, but budget_period_id was
  missing from the URL

Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-06-25 16:24:13 +02:00
4800a515c5 Bug 2780 - Capitalize strings consistently (Budgets)
Correcting Budgets-related includes.

Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2012-04-04 17:51:27 +02:00
Gaetan Boisson
d500929cfd Bug 7731 - Library should be used instead of branch and site
Standardized the use of the term "library" instead of "Branch" across the interface and OPAC.

Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-03-20 15:17:08 +01:00
Chris Hall
deeefdeaec Bug 6943: Added ability to duplicate a budget tree (from the edit sub menu)
http://bugs.koha-community.org/show_bug.cgi?id=6943
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
- all new javascript alerts have translation markers _()
- hierarchies and permissions were copied correctly

Possible enhancements:
- make it possible to move orders from old to new funds
- make it possible to change description while copying, saving 1 additional
step

Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-02-03 17:53:59 +01:00
Jared Camins-Esakov
66fb80f436 Bug 6158: Permissions scoped wrong for T::T
Permission flags should always have absolute scope.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-04-12 09:16:27 +12:00
Chris Cormack
5884fb1000 Bug 5917: Swapping templates over
2011-04-10 20:38:30 +12:00
Paul Poulain
5b16634c0c BZ6087: remove duplicate budget link
this feature doesn't exist yet, so the link is useless

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-04-09 10:56:21 +12:00
cf3c2fadeb Fix for Bug 4996 - Untranslatable strings in budget/fund toolbar
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-07-20 16:11:29 -04:00
Nicole Engard
c4f7259cc1 bug 4205 remove extra 'plan by' option
There wasn't a conditional in place to stop the planning
pull down from showing a blank 'plan by' option.

This patch also makes the other 'plan by' options look
cleaner by removing the all caps.

Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-06-03 20:04:23 -04:00
Nicole Engard
2616faf132 follow-up to bug 3854: resolve budget period language issues
top level: "Root Budget" becomes "Budget"
second level: "Budget" becomes "Fund"
third level and below: "Sub-Budget" is also a "Fund", but for things
like the "create sub-budget" link, they'll be changed to "create child
fund".

Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-02-03 15:11:19 -05:00
a078297d1f Fix for Bugs 3998, 3968. Includes other markup corrections and reformats
Bug 3998: Confusing warning on budget add page
Bug 3968: Empty Blue Box Pop Up

- Removed warning, made budget amount a required field.
- Added conditional logic to prevent display of tooltip when there is no content
- Moved filter form into sidebar
- Changed Budgets.pm to pass an ID to a form field
- Improvements to breadcrumbs and title tags
- Restructured budgets admin toolbar to match existing toolbar patterns:
  "new," "edit," etc.
2010-01-20 22:31:58 +01:00
Renamed from koha-tmpl/intranet-tmpl/prog/en/includes/budgets-admin.inc