Commit graph

35 commits

Author SHA1 Message Date
9ea7fbcb30
Bug 25002: JS Includes should be wrapped with template comments
This patch adds HTML comments to Template::Toolkit include files which
contain <script> tags so that it is clear where the embedded scripts can
be found in the code.

To test, apply the patch and view source on the following pages to
verify the presence of the comments:

Acquisitions home page:
  - acquisitions-toolbar.inc
  - validtor-strings.inc
  - js_includes.inc
  - format-price.inc
Acquisitions -> Add order from new record,
Acquisitions -> Receive order:
  - additem.js.inc
Cataloging -> Add/Edit item:
  - columns_settings.inc
  - strings.inc
  - select2.inc
  - calendar.inc
  - str/cataloging_additem.inc
Authorities home page:
  - authorities_js.inc
Bibliographic detail page:
  - catalog-strings.inc
Cataloging -> Advanced editor:
  - cateditor-ui.inc
  - cateditor-widgets-marc21.inc
Administration -> Item types:
  - greybox.inc
ILL requests:
  - ill-list-table-strings.inc
Web installer
  - installer-intranet-bottom.inc
Web installer -> Onboarding
  - installer-strings.inc
Lists -> List contents -> Merge records
  - merge-record-strings.inc
Patrons -> Patron -> Change password
  - password_check.inc
  - str/members-menu.inc
Patrons -> Patron -> Print summary
  - slip-print.inc
Circulation -> Check out
  - timepicker.inc
Administration -> System preferences:
  - str/tinymce_i18n.inc
  - wysiwyg-systempreferences.inc
Cataloging -> Z39.50 Search:
  - z3950_search.inc

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-04-29 17:15:20 +01:00
0658d84732
Bug 22957: Remove type attribute from script tags: Staff client includes 1/2
This patch removes the "type" attribute from <script> tags in several
staff client include files. Also removed: Obsolete "//<![CDATA[ //]]>"
markers.

This patch also makes minor indentation changes, so diff using the "-w"
flag.

To test, apply the patch and confirm that examples of affected pages
work properly without any JavaScript errors in the browser console:

 - Acquisitions -> Vendor (uses acuisitions-toolbar.inc)
 - Acquisitions -> Vendor -> Add to basket -> From a new (empty) record
   (uses additem.js.inc)
 - Catalog -> Search results -> Bibliographic detail view. (uses
   browser-strings.inc, catalog-strings.inc, datatables.inc, and
   format_price.inc )
 - Tools -> Label creator -> Manage -> Label batches -> Export batch
   (uses greybox.inc)

Validating the HTML source of any of these pages should return no errors
related to the "type" attribute.

Signed-off-by: Nadine Pierre <nadine.pierre@inLibro.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-07-15 11:27:58 +01:00
a344b8cf8c Bug 22023: Further improve responsive layout handling of staff client menu bar
This patch makes a number of changes in order to improve the way the
staff client's header menu adjusts at narrower browser widths:

 - Updated version of Bootstrap 3.3.7 which includes the "collapse"
   JavaScript plugin.
 - Modified default Bootstrap CSS using Bootstrap's customization tool.
   These changes facilitate the removal of some custom CSS (overriding
   Bootstrap) from staff-global.scss.
 - Added Bootstrap config file for loading customizations at
   https://getbootstrap.com/docs/3.3/customize/
 - Revised button classes for buttons in Bootstrap-styled toolbars.

   The modified default CSS resets the base font size in Bootstrap to
   better match our global CSS. A side-effect of this is that toolbar
   buttons ended up looking smaller than they should. Changing the
   button class solves this.

 - Restructure the header menu in order to allow different rules to
   govern the appearance of the navigational part of the menu
   (Circulation, Search, etc) and the user menu (Set library, My
   account, Log out).

 - Modify the cart JS to so that the popup works well at narrow widths.

To test, apply the patch, regenerate the staff client CSS, and clear
your browser cache.

 - Log in to the staff client and observe the layout of the header menu
   as you adjust the browser to various widths.
   - Confirm that sections of the menu "collapse" as the window gets
     narrower.
   - Confirm that dropdown menus behave correctly and that links work.
   - Confirm that the Cart link works as expected when the cart empty
     and when it has items.
- Install and enable multiple translations, including at least one
  set of sub-languages (e.g. fr-FR and fr-CA).
  - Test the appearance of the language menus in the footer at
    various browser widths.
- View pages with button toolbars and confirm that they appear unchanged
  (e.g. biblio detail page, patron detail page).

NOTE: While this patch is intended to make improvements to staff client
responsiveness, it does so within a limited scope. There are still many
pages which do not work well at narrower browser widths.

Signed-off-by: Hayley Mapley <hayleymapley@catalyst.net.nz>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-03-13 05:31:28 +00:00
5825026448 Bug 21526: uri escape TT variables when used in 'a href'
This patch has been generated with the script provided on bug 21576.
It only affects variable used in the href attribute of a link *when*
href it the first attribute of the node (grep "a href")

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-26 17:09:57 +00:00
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
cee2cf9ff9 Bug 18403: Add sub output_and_exit_if_error - unknown_patron & cannot_see_patron_infos
Test plan:
Login with a patron that is not allowed to see patron's information for patrons
outside of his group. Try to access patron's information from scripts of the patron
module (members/*) and circ/circulation.pl.
You should be able to access patron's information of patrons outside of your group
and get "You are not allowed to see the information of this patron."
If you try and access a patron page with a borrowernumber that does not exist, you
should get "This patron does not exist"

Technical note:
A new C4::Output subroutine is created in this patch: "output_and_exit_if_error"
Executed at the beginning of the script it will permit not to copy/paste all the
different checks to know if the logged in user is authorised to see patron's information.
The design here can be discussed, but I did not find an alternative with as less changes.
On the way I refactor what we did with 'unknowuser' previously: it will now work with all
patron pages, not only the few that used it.
Note that the 'or die "Not logged in";' part should not be needed, but... who trusts
C4::Auth?
I think it could be used as a safeguard later. I am willing to sed and remove them
if required.

Changes in discharge.pl are mainly indentation changes.

With this patch we should now have a $patron variable that refer to the patron we
want to access. That will be very useful to remove plenty of code in members/* and
only pass this variable to the template (instead of 1 variable per patron's attribute).

Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:38 -03:00
804677265e Bug 16239: Update templates
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-13 14:41:22 +00:00
ed449a5b5b Bug 16005 - Standardize use of icons for delete and cancel operations
This patch makes changes to Font Awesome icons in order to make icon
choice consistent for common actions.

<i class="fa fa-trash"></i> where something is deleted, removed, or
emptied.

<i class="fa fa-remove"></i> where an operation is cancelled (also where
selections are cancelled, as in checkboxes).

<i class="fa fa-times-circle"></i> for "close," as in baskets and
windows.

To test, apply the patch and view the following pages to confirm that
the correct icon is used:

- Acquisitions -> Vendor -> Vendor delete button.
- Acquisitions -> Vendor -> Edit -> Delete contact button.
- Acquisitions -> Invoices ->  Delete menu item.
- Cataloging -> Edit record -> Authority search pop-up (triggered from
  the tag editor for a tag linked to an authority) -> Clear field button
- Authorities -> Authority detail -> Delete button.
- Tools -> Quotes editor -> Quotes delete button.
- Reports -> View saved report -> Delete button.
- Reports -> Saved reports -> Delete menu item.
- Serials -> Subscription details -> Subscription close button.
- Administration -> Budgets -> Delete menu item.
- Administration -> Item search fields -> Delete button.
- Administration -> Z39.50/SRU servers -> Delete menu item.
- Catalog -> Advanced search -> Clear fields link.
- Cataloging -> Advanced editor -> Macros -> Delete macro button.
- Circulation -> Checkout -> Check out an item which is on hold for
  another patron. "Cancel checkout and place hold" button now uses the
  icon used elsewhere for holds.
- Course reserves -> Course -> Delete course button.
- Patrons -> Patron lists -> Add patrons -> Remove selected button.
- Acquisitions -> Suggestions -> Suggestion details -> Delete button.
- Lists -> List contents -> Remove selected button.

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-06-03 08:21:25 +00:00
0cab6f2ef3 Bug 14915: Use Font Awesome instead of Glyphicons for the staff intranet
We should be using Font Awesome for our icons instead of Glyphicons, for
the reasons discussed on bug 13696.

Test Plan:
1) Apply this patch
2) Note all Glyphicons have been replaced with FA icons in the staff intranet
3) git grep "icon-" ./koha-tmpl/intranet-tmpl/prog/en/modules/
   should give no results
4) git grep "icon-" ./koha-tmpl/intranet-tmpl/prog/en/includes/
   should give no results

Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
We need a follow-up to cover the files changes since this
patch was written. Especially to cover the changes in the
label creator modules.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-10-27 10:02:42 -03:00
Jonathan Druart
58c652a0fc Bug 12054: Inactive vendors should be inactive
This patch make inactive vendors really inactive.
That means an inactive vendor would not be able to add a basket / add an order.

Revised test plan
=================

1/ In the acquisition module create 2 vendors: 1 active and 1 inactive.

2/ On the acqui/booksellers.pl, acqui/uncertainprice.pl,
   admin/aqcontract.pl and acqui/supplier.pl (pages which include the
   acq toolbar), you should be able to, for both the 'active' as well
   as the inactive vendor :
     (a) add new basket
     (b) add order items to the basket

   Remark: This is *wrong*. You should be able to do so only for active
           vendor.

3/ Apply the patch

4/ Go to the links in step #2 above and select the inactive vendor
   you should no longer be able to:
   (a) add new basket
   (b) add order items to the basket

   Remark: This is the *correct* behaviour

5/ No change should be noted for vendor marked "active", and should
   be able to undertake operations 4 (a), 4 (b) and 4 (c).

   Remark: This is the *correct* behaviour.

6/ run koha qa tests tool

Bug 12054: (follow-up) Inactive vendors should be inactive

Don't display "add order""block and buttons if the vendor is inactive.

Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
2015-07-20 10:34:55 -03:00
36aa22d3c8 Bug 9674 - Replace YUI buttons and menu on acquisitions pages with Bootstrap
This patch converts the toolbar on acquisitions pages to Bootstrap,
replacing YUI button code with Bootstrap markup.

To test, view acquisitions pages and confirm that buttons look correct
and work correctly:

- acqui-home.pl (Acquisitions home page)
- booksellers.pl (Acquisitions -> Vendor search)
- supplier.pl (Acquisitions -> Vendor search -> Vendor)
- aqcontract.pl (Acquisitions -> Vendor search -> Vendor -> Contracts)
- uncertainprice.pl (Aquisitions -> Vendor search -> Vendor -> Uncertain
  prices)

View these pages for vendors with and without orders.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>

Comment: Buttons works. No errors.
Tested vendors with and without orders (delete button in last case)

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Works nicely, changes are consistent.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-03-02 12:22:07 -05:00
81c90ba3bf Bug 8913 [Revised] Improve acquisitions navigation
This patch adds a new menu for vendor-related pages in which
vendor related "views" can be linked to: baskets, basket groups,
contracts, invoices, uncertain prices.

The acquisitions toolbar is pared down to vendor-related actions:
New basket, contract, or vendor; edit vendor, delete vendor,
receive shipment.

Other small improvements have been made to other pages: corrections
to breadcrumbs and title tags, adding useful links betweeen pages.

Vendor menu and toolbar are added to booksellers.pl
when there is only one "search result" (i.e. a vendor id is passed).

- Menu appears when booksellerid variable is present
- Redundant heading removed
- Additional variables added to enable proper display of the toolbar

- Revision corrects broken links pointed out by QA.
- Revision adds check of existing baskets and subscriptions as a
  condition on display of the vendor delete button.

TODO: Add coverage of Basket groups page.

To test, navigate Acquisitions pages and test as many links and buttons
as you can, confirming that nothing is broken on vendor pages, invoice
pages, contract pages, uncertain price pages, etc.

Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>

All tests pass - I like this very much!

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
All tests and QA script pass.

Tests done:
1) New toolbar - vendor search
  - no results = button to create new vendor shows
  - 1 result = additional new options show
  - more than one result = button to create new vendor shows

2) Vendor views
  - acq toolbar consistent with 1 result in vendor search
  - new tabs on the left
  - checked all links have the needed parameters and work correctly

3) New toolbar - different pages
  - Toolbar is formatted consistently
  - Delete vendor shows only up when it should - no baskets or
    subscriptions
  - Links work correctly

Works nicely, great groundwork for further improvements.

TODO Add new toolbar to (new) invoices page.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-02-20 09:17:21 -05:00
Julian Maurice
98447dbcc9 Bug 8666: Hide 'New basket' link if supplier is inactive
Signed-off-by: Koha Team Lyon 3 <koha@univ-lyon3.fr>

Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-09-04 18:02:15 +02:00
3e358cb993 Bug 2780 - Capitalize strings consistently
Corrections to Acquisitions include files. Patch
also includes some corrections to unescaped ampersands.

Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2012-04-04 17:51:23 +02:00
Adrien Saurat
b2180b8bd4 Bug 4969: deletion of suppliers
If a vendor/bookseller has no basket/subscription link, it can now
be deleted (after a JS confirmation).

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Verified that I can only delete vendors without linked orders or
subscriptions.

Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-03-13 15:12:26 +01:00
7fcff602f5 Bug 7113: Standardize vendor id name in templates and scripts
New revision updates for current master and cleans up new
instances introduced by recent commits.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
2 problems found, fixing those in follo up patches:
- late orders don't allow more than 1 order to be selected
- basketgroups: 'Edit vendor' does the same as 'Manage orders'
2012-02-17 19:04:00 +01:00
Chris Cormack
5884fb1000 Bug 5917 : Swapping templates over 2011-04-10 20:38:30 +12:00
Paul Poulain
c0ecd7df4f Bug 6072: fixing permission inconsistencies MT5306
In large libraries, some librarian may have permission only
to recieve shipments This patch fixes some permission :
* booksellers page = accessible to anyone that has at least 1 acq permission
* parcels = accessible to anyone with order_recieve
* supplier detail = accessible to anyone that has at least 1 acq permission,
  but modifying accessible only if vendor_manage

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-04-08 13:10:12 +12:00
Jean-André Santoni
a5273d7ebb Added "ordered" column in acqui-home budget display
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-04-29 23:47:31 -04:00
Matthias Meusburger
1da207acf6 MT2345 : Changes on contracts
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-04-29 23:26:55 -04:00
Jean-André Santoni
06bd4fcae5 Hide basket actions if no basket
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-04-29 23:26:52 -04:00
Jean-André Santoni
5546383f70 New contract button
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-04-29 23:25:25 -04:00
Alex Arnaud
1bab833bc4 (BUG #4346) replaces Basket grouping by Basket groups in acquisitions-toolbar.inc
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-04-07 11:22:42 -04:00
Jean-André Santoni
022978d4f4 [MT2593] Added "ordered" column in acqui-home budget display 2010-01-28 15:11:52 +01:00
Matthias Meusburger
0b5cc8f809 MT2345 : Changes on contracts 2010-01-28 15:11:51 +01:00
Jean-André Santoni
e4fc74acdd [MT2346] Hide basket actions if no basket 2010-01-28 15:11:48 +01:00
Jean-André Santoni
50679ac182 [MT2345] New contract button 2010-01-28 15:11:44 +01:00
Nicole Engard
5b72b999b1 Bug 3840: Change 'New' button to 'New Vendor' for clarity 2009-12-20 14:27:49 +01:00
Paul Poulain
89c0cda081 [replace previous] fix for 3612 (bookseller improvements)
- removing useless fields from aqbooksellers table: specialty, deliverydays,followupdays,followupscancel,nocalc, invoicedisc They were in the DB schema, but unused for years
- reworked bookseller and contract gui
- no warning thrown

NOTE : updatedatabase not done for field removal in aqbooksellers table. Should have:
ALTER TABLE `aqbooksellers`
  DROP `deliverydays`,
  DROP `followupdays`,
  DROP `followupscancel`,
  DROP `specialty`,
  DROP `nocalc`;
2009-09-30 11:30:34 +02:00
Paul Poulain
aa708232fe partial fix for mantis #1498 2009-09-30 11:30:24 +02:00
Paul Poulain
332e09b3cb changes in acquisition toolbar to deal with new features 2009-09-30 11:30:21 +02:00
Ryan Higgins
7fe042a008 Change LateOrders to inclusive <=, s/supplier/vendor , s/parcel/shipment.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-04-01 06:37:00 -05:00
Joe Atzberger
3f17ad4adc acqui - fix to use GetBookSellerFromId(supplierid) instead of partial name based lookup
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-03-08 11:19:21 -06:00
1eb4513d43 Standardizing YUI toolbar
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-10-20 17:05:41 -05:00
ddfe9f2c26 More work on global resident search, toolbars, and menus.
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-10-05 13:56:46 -05:00