Commit graph

26 commits

Author SHA1 Message Date
Julian Maurice
96cc447045 Bug 25898: Prohibit indirect object notation
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-10-15 12:56:30 +02:00
638786e719 Bug 24663: Remove authnotrequired if set to 0
It defaults to 0 in get_template_and_user

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-03 10:40:35 +02:00
ae53caa681
Bug 22868: Move suggestions_manage subperm out of acquisition perm
Bug 11911 replaced the permission of suggestions.pl (create a purchase
suggestion) from catalogue => 1 to acquisition => 'suggestions_manage'.
However we have a lot of acquisition scripts that have lax permissions
(acquisition => '*' which means any sub permissions of acquisition is
enough).

That causes problem when a circulation staff can create purchase
suggestions but not access acquisition information.

One solution is to move the suggestions_manage subpermission out of the
acquisition permission and create a new suggestion permission.

Test plan:
0. Setup
* Create a patron with several permission (and full acquisition
permission)
* Create another patron with several permission, and suggestions_manage
permission
* Create another patron without the suggestions_manage permission
1. Apply the patch and execute the update database entry
2. Note that the third patron you create still does not have
suggestions_manage
3. Confirm that you can create a purchase suggestion if you have
suggestions_manage, but cannot access acquisition pages if you do not
have any subpermissions of the acquisition permission

Signed-off-by: Hayley Mapley <hayleymapley@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-01-30 08:27:00 +00:00
eaee34f47a
Bug 24018: Remove die "Not logged in"
Signed-off-by: Michal Denar <black23@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-01-20 14:03:49 +00:00
4fe300dec1 Bug 12159: Fix getting extended patron attributes for circ-menu
Changes:
- Replace getting preference ExtendedPatronAttributes by Koha.Preference
in templates
- Add Koha::Patron->attributes for getting patrons extended attributes
- Use this method in circ-menu.inc
- Remove getting attributes from members perl scripts

Test plan:
0) Apply the patch
1) Add some patron attributes type - with free text, authorised value,
    limited by libraries...
2) Add some values to this attributes for some patrons
3) Go through as many patron pages as you can and confirm that
attributes are shown at side panel when they shoul and are not shown
when they should not be shown

Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Removed Koha/Schema/Result/BorrowerAttribute.pm
[EDIT] Added missing semicolon on L114 in Koha/Patron/Attribute.pm

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-03-28 13:05:22 +00:00
Katrin Fischer
b8a2365a34 Bug 11911: Add a separate permission for managing suggestions
Without this patch only catalogue permission was required
for managing suggestions. This patch adds a new permission
in the acquisition module do manage suggestions and updates
staff user permissions accordingly.

To test:
- Make sure there is a pending suggestion
- Create a few users with different permission sets:
  - User 1: only catalogue
  - User 2: any acquisition permission
  - User 3: cataloguing permission
- Check all of them can access: /cgi-bin/koha/suggestion/suggestion.pl
- Apply the patch
- Verify all of them now have the suggestions_manage permission
- Verify everything displays correctly on:
  - intranet start page
  - patron account in staff
  - acquisition start page
  - suggestion page (try to access by URL too)
- Remove suggestions_manage for a staff user
- Repeat tests above, access should be denied/links not visible

Bonus:
- Fixes the link on the acquisition start page for late orders
  to mage the permissions of the page itself: order_receive

Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-07-23 15:34:20 +00:00
b4c23e1a3e Bug 18789: Use Koha::Patron->image from the templates
Now that we have the 'patron' variable in all our templates, we can call
Koha::Patron->image and do the check from the templates.

Test plan:
On the different pages of the patron module, you should see the default
image if there is no image attached or the one that has been attached
(see pref patronimages)

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-16 13:03:58 -03:00
0ab22e1c7c Bug 18789: Send Koha::Patron object to the templates
In order to simplify and make uniform the code, the controller scripts send
a Koha::Patron object to the templates instead of all attributes of a patron.

That will make the code much more easier to maintain and will be less
error-prone.

The variable "patron" sent to the templates is supposed to represent the
patron the librarian is editing the detail.

In the members module and some scripts of the circulation module, the
patron's detail are sent one by one to the template. That leads to
frustration from developpers (making sure everything is passed from all
scripts) and to regression (we got tone of bugs in the last year because
of this way to do).
With this patch set it will be easy access patron's detail, passing only
1 variable from the controllers.

Test plan:
Play with the patron and circulation module and make sur the detail of
the patron you are editing/seeing info are correctly displayed.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-16 13:03:58 -03:00
cee2cf9ff9 Bug 18403: Add sub output_and_exit_if_error - unknown_patron & cannot_see_patron_infos
Test plan:
Login with a patron that is not allowed to see patron's information for patrons
outside of his group. Try to access patron's information from scripts of the patron
module (members/*) and circ/circulation.pl.
You should be able to access patron's information of patrons outside of your group
and get "You are not allowed to see the information of this patron."
If you try and access a patron page with a borrowernumber that does not exist, you
should get "This patron does not exist"

Technical note:
A new C4::Output subroutine is created in this patch: "output_and_exit_if_error"
Executed at the beginning of the script it will permit not to copy/paste all the
different checks to know if the logged in user is authorised to see patron's information.
The design here can be discussed, but I did not find an alternative with as less changes.
On the way I refactor what we did with 'unknowuser' previously: it will now work with all
patron pages, not only the few that used it.
Note that the 'or die "Not logged in";' part should not be needed, but... who trusts
C4::Auth?
I think it could be used as a safeguard later. I am willing to sed and remove them
if required.

Changes in discharge.pl are mainly indentation changes.

With this patch we should now have a $patron variable that refer to the patron we
want to access. That will be very useful to remove plenty of code in members/* and
only pass this variable to the template (instead of 1 variable per patron's attribute).

Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:38 -03:00
4bc92169dc Bug 18403: Update permissions - borrowers => 1|* becomes borrowers => 'edit_borrowers'
Test plan:
Login with a patron that only have the 'edit_borrowers' permission.
You should be able to access patron's information of patrons inside of your group.

Technical note:
Before this patchset the borrowers permission module contains only 1 permission 'edit_borrowers'.
That meant
  borrowers => 1
and
  borrowers => '*'
had the same behavior.
Moreover, now that we have 2 permissions, 'CAN_user_borrowers' is set when all
permissions of 'borrowers' are set.
We need to update the different occurrences of these tests.

Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:37 -03:00
96a42b873a Bug 19621: Use Koha.Preference on template side to display/hide "Routing lists" tab
Patch applies without issue and functions as described.

Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-12-22 13:15:36 -03:00
9af6c4e34b Bug 19080: Handle non-existing patrons gratefully
This is a recurrent bug we have over the last years. When a script is
called with non-existent borrowernumber it will crashes.
We need to handle this gracefully instead of letting the script crashes.

On bug 18403 a new subroutine is added to the codebase
(output_and_exit_if_error) to handle this kind of errors correctly.
Since it is not pushed yet, I propose to just redirect to a script that
handle it correctly (circulation.pl) instead of adding this message to
all these scripts.

Test plan:
Hit different scripts from the members module and pass a non-existent
borrowernumber.
You must be redirected to circulation.pl with a friendly message.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-25 11:03:37 -03:00
2b90ea2cb0 Bug 17829: Move GetMember to Koha::Patron
GetMember returned a patron given a borrowernumber, cardnumber or
userid.
All of these 3 attributes are defined as a unique key at the DB level
and so we can use Koha::Patrons->find to replace this subroutine.
Additionaly GetMember set category_type and description.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-07-10 13:14:19 -03:00
b59df2bce7 Bug 17578: GetMemberDetails - Remove GetMemberDetails
All the values different from the ones GetMember returned has been
managed outside of GetMemberDetails.
It looks safe to replace all the occurrences of GetMemberDetails with
GetMember.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-12-16 13:12:44 +00:00
c840c93835 Bug 15758: Koha::Libraries - Ultimate duel for C4::Branch
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-08 14:36:04 +00:00
19a977dc7b Bug 15758: Koha::Libraries - Remove GetBranchName
This is the fourth and last patch set to remove C4::Branch.
The real purpose of this patch is to standardise and refactor some code
which is related to the libraries selection/display.
Its unconfessed purpose is to remove the C4::Branch package.

Before this patch set, only 6 subroutines still existed in the C4::Branch
package:
- GetBranchName
- GetBranchesLoop
- mybranch
- onlymine
- GetBranches
- GetBranch

GetBranchName basically returns the branchname for a given branchcode.
The branchname is only used for a display purpose and we don't need to
retrieve it in package or pl scripts (unless for a few exceptions).
We have a `Branches` template plugin with a `GetName` method which does
exactly this job.
To achieve this removal, we will use this template plugin and delete the
GetBranchName from pl and pm files.
The `Branches.all()` will now select the library of the logged in user
if no `selected` parameter has been passed.
This new behavior could cause regressions, for instance there are some
places where we do not want an option preselected (batch item
modification for instance), keep that in mind when testing.

GetBranchesLoop took 3 parameters: $branch and $onlymine.
The first one was used to set a "selected" flag, for a display purpose:
select an option in the libraries dropdown lists.
The second one was useless: If not passed or set to 0, the
`C4::Branch::onlymine` subroutine was called.
This onlymine flag was use to know if the logged in user was able to see
other libraries infos.
A patron can see the infos from other libraries if IndependentBranches
is not set OR if he has the superlibrarian permission.
Prior to this patch set, the "onlymine test" was done on different
places (neworderempty.pl, additem.pl, holidays.pl, etc.), including the
Branches TT plugin. In this patch set, this test is only done on one
place (C4::Context::only_my_library, code moved from
C4::Branch::onlymine).
To accomplish the same job as this subroutine, we just need to call the
`Branches.all()` method from the `Branches` TT plugin. It already
accepts a `selected` parameter to set a flag on the option to select.
To avoid the repetitive
  [% IF selected %]<option selected="selected">[% ELSE %]<option>[% END %]
pattern, a new `html_helpers` TT include file has been created, it
defines an `options_for_libraries` block, which takes a `selected`
parameter. We could imagine to use this include file for other
selects.

The 'mybranch` and `onlymine` subroutines of the C4::Branch package have
been moved to C4::Context. onlymine has been renamed with
only_my_library. There are only 4 occurrences of it, against 11 before
this patch set.
There 2 subroutines are Context-centric and it makes sense to put them
in `C4::Context` (at least it's the least worst place!)

GetBranches is the tricky part of this patch set: It retrieves all the
libraries, independently of the value of IndependentBranches.
To keep the same way as the existing calls of `Branches.all()`, I have
added a `unfiltered` parameter. If set, the `Branches.all()` will call
a usual Koha::Libraries->search method, otherwise
Koha::Libraries->search_filtered will be called. This new method will
check if the logged in user is allowed to see other libraries or only
its library.
Note that this `GetBranches` subroutine also created a `category` key:
it allowed to get the list of groups (of libraries) where this library
existed. Thanks to a previous patch set (bug 15295), this value was
not used anymore (I may have missed something!).

Note that the only use of `GetBranch` was buggy (see bug 15746).

Test plan (for the whole patch set):
The best way to test this whole patch set is to test with 2 instances: 1
with the patch set applied, 1 using master, to be sure there is no
regression.
It would be good to test the same with `IndependentBranches` and the
without `IndependentBranches`.
No difference should be found.
The tester must focus on the library dropdowns on as many forms as
possible.
You will notice changes in the order of the options: the libraries will
now be ordered by branchname (instead of branchcode in some places).
A special attention will be given to the following page:
- acqui/neworderempty.pl
- catalogue/search.pl
- members/members-home.pl (header?)
- opac/opac-topissues.pl
- tools/holidays.pl
- admin/branch_transfer_limits.pl
- admin/item_circulation_alerts.pl
- rotating_collections/transferCollection.pl
- suggestion/suggestion.pl
- tools/export.pl

Notes for QA:
- There are 2 FIXMEs in the patch set, I have kept the existing behavior,
but I am not sure it's the good one. Feel free to open a bug report and
I will fill a patch if you think it's not correct. Otherwise, remove the
FIXME lines in a follow-up patch.
- The whole patch set is huge and makes a lot of changes.
But it finally will tremendously reduce the number of lines:
716 insertions for 1910 deletions

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-08 14:36:01 +00:00
545b64f869 Bug 15635: Koha::Patron::Images - Remove GetPatronImage
To retrieve a patron image, we can call Koha::Patron::Images->find or
Koha::Patrons->find->image
Both will return a Koha::Patron::Image object.

Test plan:
1/ From the patron/member module, open all tabs on the left (Checkouts,
detail, fines, etc.)
The image should be correctly displayed.
2/ At the OPAC, on the patron details page (opac-memberentry.pl) the
image should be displayed as well.
3/ Same on the sco module.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-03-04 12:54:15 +00:00
bde685fa92 Bug 15542: Always display the patron's info the same way.
The patron's information displayed in the member module
(includes/circ-menu.inc and includes/member-display-address-style-*.inc)
are not always displayed the same way.
Sometimes the streetnumber is missing, sometimes it's the streettype.
Sometimes the streettype is after the address, sometimes before...

Test plan:
Go on a patron detail page, and open all the tabs on the left (Check
out, Fines, Notices, etc.)
Without this patch, the patron's info displayed will differ from one page to
another.
With this patch, they will be displayed the same everywhere.

Followed test plan, works as expected. (Tested both patches together.)
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
2016-01-23 19:15:08 +00:00
Marc Véron
117ee49514 Bug 4041: Third step - Display address on patron's pages using the system preference
This patch displays the address information in the left column of the patron's pages using the new system preference.
The address is formatted in member-display-address-style-us.inc and member-display-address-style-de.inc

To test:
- Apply patch on top of 1st and 2nd patch
- Select 'German style' in system preference 'addressformat' in I18N/L10N
- Verify that the address information displays properly in the left column of all patron's pages.
- Verify that the address displays properly in the main area of moremember.pl as well (Note: In right column, Alternate address /contact are not yet touched))
- Switch system preference to US style, repeat checks

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
AMending without changes to put this patch at the end of the patch list / Marc

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-04-29 11:25:11 -03:00
Jonathan Druart
e20270fec4 Bug 11944: use CGI( -utf8 ) everywhere
Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-01-13 13:07:21 -03:00
526af4ea07 Bug 12542: Tabs inconsistency in different circ-menu.inc uses
Differences between circ-menu.tt and circ-menu.inc always crop up when a
new menu item is added--usually only to circ-menu.inc as happened with
Bug 9261.

Other sidebar differences are present due to differences in the patron
data passed by various patron-related script to their templates. This
patch also irons out some of these inconsistencies.

To test, apply the patch and check out to a patron whose record has more
than just basic data: othername, country, patron attributes, street
number, road types, etc. View the following pages and compare the patron
data and visible tabs to confirm that they match:

circ/circulation.pl?borrowernumber=X
members/boraccount.pl?borrowernumber=X
members/files.pl?borrowernumber=X
members/mancredit.pl?borrowernumber=X
members/maninvoice.pl?borrowernumber=X
members/member-flags.pl?member=X
members/member-password.pl?member=X
members/moremember.pl?borrowernumber=X
members/notices.pl?borrowernumber=X
members/pay.pl?borrowernumber=X
members/paycollect.pl?borrowernumber=X
members/purchase-suggestions.pl?borrowernumber=X
members/readingrec.pl?borrowernumber=X
members/routing-lists.pl?borrowernumber=X
members/statistics.pl?borrowernumber=X
tools/viewlog.pl?do_it=1&modules=MEMBERS&modules=circulation&src=circ&object=X

The only difference I've found which is not fixed by this patch is the
display of extended patron attributes in the sidebar of moremember.pl.
This is a piecemeal fix for a problem which really deserves a
centralized solution, but at least it gets us back to consistency for
the moment.

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Going through all tabs shows consistency is back. A mid term solution should
implement this in a centralized way. Great job Owen!
No koha-qa errors btw.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-07-18 10:41:27 -03:00
Viktor Sarge
3acbead049 Bug 12332: Fix for tab "Purchase suggestions" not lighting up
This patch changes the file purchase-suggestions.pl with "suggestionsview => 1" for the template parameter.
In circ-menu.inc i changed the condition from "suggestions" to "suggestionsview" since it seemed to conflict with the existing variable suggestions (and in that case only highlighting the tab when there were suggestions).

Please note that I fixed the troubles with the tab "Fines" in a separate patch 9245.

Test plan:
1) Verify that "Purchase suggestions" does not light up as it should when clicked.
2) Install the patch.
3) Verify that the tab "Purchase suggestions" now actually light up when clicked.

Signed-off-by: Christopher Brannon <cbrannon@cdalibrary.org>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Works as advertised.
2014-07-08 10:43:46 -03:00
2453b991b8 Bug 11802 - corrects for the patron purchase suggestions page
This patch corrects some errors with the staff client's patron purchase
suggestions page (members/purchase-suggestions.pl).

To test, apply the patch and make sure the patronimages system
preference is enabled.

- View the purchase suggestions page for a patron whose record has a
  patron image attached. The image should appear in the left-hand
  sidebar.

- View the page for a patron who has submitted no purchase suggestions.
  The message should be styled correctly.

- The toolbar on the page should look correct and work correctly.

Signed-off-by: Jesse Maseto <jesse@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-03-10 15:11:53 +00:00
Jonathan Druart
967a48e5af Bug 9261: (follow-up) QA improvements and GPL version change
This patch:

- changes the GPL version from 2 to 3.
- uses the datatables.inc file
- removes the single pixel before and after the DT (modifying the sDom
  value).

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-11-15 00:24:24 +00:00
8505942344 Bug 9261: (follow-up) fix various issues identified during QA
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-11-15 00:22:11 +00:00
be51854e46 Bug 9261 - Allow librarians to make purchase suggestions for patrons
This patch adds a new tab to the patron side menu for purchase
suggestions.  From this new tab, a librarian can view the patron's
existing purchase suggestios and also create new suggestions in the
name of that patron.

Test Plan:
1) Apply patch
2) Ensure the system preference 'suggestions' is enabled
3) View the details for a patron
4) Click the new 'Purchase suggestions' tab
5) Click the 'New purchase suggestion' button
6) Add the new purchase suggestions
7) You should now end up back at the borrower's purchase suggestions
8) Verify the new purchase suggestion was added

Signed-off-by: Corey Fuimaono <agent.075@gmail.com>

Step though the test plan. All OK.

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-11-15 00:20:23 +00:00