Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch modifies some staff client circulation templates so that
JavaScript is included in the footer instead of the header.
To test, apply the patch and test the JavaScript-driven features of the
modified templates: All button controls, DataTables functionality, tabs,
etc.
- Article requests (enable ArticleRequests system preference, have at
least one outstanding article request)
- Request article (Bibliographic detail page -> Request article).
- Item circulation statistics (Bibliographic detail page -> Items ->
View item's checkout history).
- On-site checkouts (enable OnSiteCheckouts system preference; Check out
some items as on-site checkouts; Go to Circulation ->
Pending on-site checkouts
- Overdues report (Circulation -> Overdues).
- Holds to pull (Circulation -> Holds to pull).
- Renew
- Holds ratios (Circulation -> Holds ratios).
- Check in
- Transfers to receive (Circulation -> Transfers to receive).
- Holds queue (Circulation -> Holds queue).
- Holds awaiting pickup (Circulation -> Holds awaiting pickup).
Signed-off-by: Simon Pouchol <simon.pouchol@biblibre.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
If you hit the renewal limit on the renewal tab, the message gives you a
message like:
"Windows 8 / ( 50610018249545 ) has been renewed the maximum number of
times by Johnny Test ( 12345678 )"
And has a button that reads:
"Ignore and continue"
This button is misleading, as it may be interpreted as "ignore the limit
and continue to renew the item".
Signed-off-by: Dominic Pichette <dominic@inlibro.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
If a patron owes more than the OPACFineNoRenewals value, the issue won't
be auto renewed anymore (driven by the new pref OPACFineNoRenewalsBlockAutoRenew).
Test plan:
Note: You will have to manually change data in your DB, make sure you
have access to the sql cli.
1/ Set the OPACFineNoRenewals to 5 (for instance)
2/ Set OPACFineNoRenewalsBlockAutoRenew to block
3/ Check an item out to a patron and mark is as an auto renewal
4/ Make sure the patron does not have any fees or charges.
5/ Execute the automatic renewals cronjob script (misc/cronjobs/automatic_renewals.pl)
Confirm that the issue has been renewed
6/ Create an invoice for this patron with a amount > OPACFineNoRenewals (6
for instance)
7/ Execute the automatic renewals cronjob script (misc/cronjobs/automatic_renewals.pl)
Confirm that the issue has not been renewed.
8/ Set OPACFineNoRenewalsBlockAutoRenew to allow
9/ Execute the automatic renewals cronjob script (misc/cronjobs/automatic_renewals.pl)
Confirm that the issue has been renewed
Sponsored-by: University of the Arts London
Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com>
Signed-off-by: Janet McGowan <janet.mcgowan@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Edit: Fast cataloging link should now show on all pages, removed offline circulation links
Edit 2: Creates the syspref to activate or deactivate the sidebar
Edit 3: Fixing merge conflicts, using Koha::BiblioFrameworks to find FA
framework and adding sidebar to on-site checkouts
This adds a sidebar to
circ/branchoverdues.tt
circ/circulation.tt (I also fixed up some of the indentation in this file to make it easier to see where the divs started and ended)
circ/renew.tt
circ/returns.tt
circ/selectbranchprinter.tt
circ/transferstoreceive.tt
circ/view_holdsqueue.tt
circ/waitingreserves.tt
circ/branchtransfers.tt
circ/on-site_checkouts.tt
To test:
1) Confirm syspref CircSidebar is activated
2) Go to all of the above pages and confirm the sidebar menu shows up
3) Confirm fast cataloguing link and transfer link are there
4) Trigger any error messages you can possibly think of (i.e. on renew.pl: barcode does not exist). Confirm that this does not mess up the layout of the page
5) Go to a user account page, Check out tab. (Since this is a circ/circulation.pl page). Ensure the circ nav sidebar doesn't show up (confirm it looks as it usually does)
6) Deactivate circSidebar
7) Confirm pages all look normal
Sponsored-by: Catalyst IT
Signed-off-by: Jan Kissig <jkissig@th-wildau.de>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
If an issue marked as auto_renew is renewed manually, we want to display
the latest auto renew date possible.
Test plan:
1/ Define circ rules as in the previous patch.
2/ Check a item out, mark it as an auto renewal
3/ Back date the issuedate and make sure it will be too late to renew it
4/ Use the Circulation > renew page (circ/renew.pl) to manually renew
this issue.
You should get a warning "You barcode has been scheduled for automatic renewal
and cannot be renewed anymore since DATE."
If the pref AllowRenewalLimitOverride is set, you will be allowed to
renew it anyway.
Sponsored-by: University of the Arts London
Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch adds a new circulation rule (no_auto_renewal_after) to block/allow
auto renewals after a given delay.
For instance, if the issue date is 10 days before today, and
no_auto_renewal_after is set to 10, tomorrow the issue won't be auto
renewed.
Test plan:
0/ Execute the update DB entry
Note: You will have to manually change data in your DB, make sure you
have access to the sql cli.
1/ Define a rule with no_auto_renewal_after (10 for instance) and
norenewalbefore (5 for instance).
(This new rule will behave the same as norenewalbefore: the unit depends
on the lengthunit value).
The automatic renewals will be done from 5 to 10 days ahead.
2/ Modify the issues.issuedate, to simulate a checkout in the past:
UPDATE issues
SET issuedate = "yyyy-mm-dd hh:mm:ss"
WHERE itemnumber = YOUR_ITEMNUMBER;
with issuedate = 2 days before for instance
3/ Execute the automatic renewals cronjob script (misc/cronjobs/automatic_renewals.pl)
Confirm that the issue has not been renewed (too soon)
4/ Repeat step 2 with a due date set as 11 days before
5/ Execute the automatic renewals cronjob script (misc/cronjobs/automatic_renewals.pl)
Confirm that the issue has not been renewed (too late)
6/ Repeat step 2 with a due date set as 7 days before
7/ Execute the automatic renewals cronjob script (misc/cronjobs/automatic_renewals.pl)
Confirm that the issue has been renewed (issues.renewals has been
incremented and date_due has been updated according your circ rules).
Sponsored-by: University of the Arts London
Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
In the Staff client, under Circulation > Renew, the message shown after
successful renewal of an item contains broken URLs. This is also true for
the message shown when you try to renew an item that is not checked out.
This patch fixes that.
Test plan:
1) Go to Circulation > Renew, and search for the barcode of a checked-out
item. In the 'Item renewed:' confirmation message, notice how the URLs
for the title and the barcode are broken.
2) Now search for the barcode of an item that is not checked out. In the
'Cannot renew:' message, notice how the URLs are broken here too.
3) Apply the patch.
4) Repeat steps 1) and 2). This time the URLs work fine.
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
To test, apply the patch and test deletion in the following cases. Test
both confirmation and cancel actions.
Circulation -> Check out
-> An item that is checked out by someone else
-> An item that is on hold to someone else
-> To a patron that has more than noisuescharge in fines (Allow
AllowFineOverride syspref)
-> To a patron that has reached the max amount of checkouts (Allow
AllowTooManyOverride syspref)
-> To a patron that has more than noissuescharge in fines (Allow
AllowFineOverride syspref and set noissuescharge syspref)
-> Renew -> An item that is on hold to someone else
-> To a patron that is at max renewals (Allow AllowRenewalLimitOverride syspref)
-> An item that is not checked out by anyone
-> Check in -> An item that is in transit to another branch
And look for other confirmation dialogs and check if I've missed any
Sponsored-by: Catalyst IT
EDIT: Made changes from Comment 2
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
2 links are wrong on the renew page, because item.biblioitemnumber does
not return the biblioitemnumber as expect the template.
Test plan:
Renew an item and check the item link.
It should contain a valid biblioitemnumber for the 'bi' parameter.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Link repaired. At first glance, I am wondering if biblioitemnumber is
of actual use here; is it only passed back and forth between script and
template?
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
Revert "DBRev to make notes of the XSS patches and the new important dependency."
This reverts commit e140603a59.
Revert "Bug 13618: Specific for branches.opac_info"
This reverts commit 06e4a50f00.
Revert "Bug 13618: (follow-up) Specific for other prefs"
This reverts commit d6475a111f.
Revert "Bug 13618: Fix for debarredcomment and patron messages"
This reverts commit dd98c9df92.
Revert "Bug 13618: Do not display html tags in patron's notices"
This reverts commit a065b243fe.
Revert "Bug 13618: Do not display and html tags in item fields content"
This reverts commit baeeaffbf8.
Revert "Bug 13618: Fix for system preference description"
This reverts commit a967a09261.
Revert "Bug 13618: Remove html filters for newly pushed code"
This reverts commit 0e98662b10.
Revert "Bug 13618: (follow-up) add missing lines for opac-shelves"
This reverts commit fc2fb605e5.
Revert "Bug 13618: (follow-up) Specific for ColumnsSettings"
This reverts commit bc308fdd9c.
Revert "Bug 13618: Fix for edit biblios and items"
This reverts commit 811c4e8402.
Revert "Bug 13618: followup to remove tabs"
This reverts commit ca8e8c397c.
Revert "Bug 13618: Fix last occurrences recently introduced to master"
This reverts commit bb417b256b.
Revert "Bug 13618: Fix for news"
This reverts commit ae5b98020a.
Revert "Bug 13618: Fix escape on sending baskets or shelves by email"
This reverts commit a7731ffe25.
Revert "Bug 13618: Specific for XSLTBloc"
This reverts commit 11fa38dc29.
Revert "Bug 13618: Specific for Salutation on editing a patron"
This reverts commit 36c07ad6d3.
Revert "Bug 13618: Specific for other prefs"
This reverts commit e6ea281a3b.
Revert "Bug 13618 - memberentrygen.tt errors Not a GLOB reference"
This reverts commit 7824874557.
Revert "Bug 13618: Specific for ColumnsSettings"
This reverts commit 1834da3da3.
Revert "Bug 13618: Specific for IntranetUser* and OPACUser* prefs"
This reverts commit 21ae62b253.
Revert "Bug 13618: Fix error 'Not a GLOB reference'"
This reverts commit 602bdbab4c.
Revert "Bug 13618: Specific for the ISBD view"
This reverts commit d254362435.
Revert "Bug 13618: Specific for pagination_bar"
This reverts commit 8837a8ae68.
Revert "Bug 13618: Specific places where we don't need to escape variables - intra"
This reverts commit 00eff140b3.
Revert "Bug 13618: Remove html filters at the intranet"
This reverts commit 7db851ff03.
Revert "Bug 13618: Specific places where we don't need to escape variables"
This reverts commit 49a3738b8d.
Revert "Bug 13618: Remove html filters at the OPAC"
This reverts commit cedaa0e23e.
Revert "Bug 13618: Use Template::Stash::AutoEscaping to use the html filter"
This reverts commit 01b38d3b13.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
Test plan:
use circ/renew.pl to renew an issue.
Without this patch, you will get an error.
Note: The error exists for 1 year now and nobody complained?? Does
someone still use this script?
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
Followed test plan from patch 1/2, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch removes 2 new occurrences introduced by bug 11351 and bug
10493.
Signed-off-by: Magnus Enger <digitalutvikling@gmail.com>
Removes a nasty "Template process failed: plugin error - EncodeUTF8:
plugin not found at /home/magnus/scripts/kohaclone/C4/Templates.pm line 124"
from /cgi-bin/koha/admin/itemtypes.pl
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch
- removes all html_entity usages in tt file which hide utf8 bugs
- removes all encode utf8 in tt plugins because we should get correctly
marked data from DBIC and other sources directly (cf plugin EncodeUTF8
used in renew.tt)
- adds some cleanup in C4::Templates::output: we now use perl utf8 file
handler output so we don't need to decode tt variables manually.
Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch adds the new renewal errors 'auto_renew' and 'auto_too_soon'
to the renewal interface.
To test:
1) Issue two items:
- one with automatic renewal and no value for "No renewal before"
- another with automatic renewal and a value for "No renewal before"
2) Try to renew:
Home > Circulation > Renew
3) Confirm there are error messages explaining that the items have been
scheduled for automatic renewal and that one of the renewals is also
premature.
4) If global syspref AllowRenewalLimitOverride is set to "Allow" you
should be given the option to override.
Sponsored-by: Hochschule für Gesundheit (hsg), Germany
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch ensures that the new staff interface for renewals
recognizes when premature renewals are requested. If the
AllowRenewalLimitOverride system preference is enabled, staff members
are able to override the block:
To test:
[1] Set up a loan policy with a "no renewal before" value and
check out an item.
[2] In the renewal page, verify that attempting to renew the loan
results in an error forbidding the renew.
[3] If AllowRenewalLimitOverride is enabled, the operator should
also be given the option to override the block.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Adds a new Template Toolkit filter EncodeUTF8 to encode strings
to utf8 for correct display of diactritics.
Adds the new JavaScript function removeFocus() to staff-global.js
Use this function to remove the focus from any element for
repeated scanning actions on errors so the librarian doesn't
continue scanning and miss the error.
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This works as described - you have to actually look at the
error and pick what you want to do or confirm it. I think
maybe tying the action to a shortcut (c = confirm or similar)
would be nice, so you can get away with only using the keyboard.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
This template followup fixes some minor template errors and adds some
style to dialog buttons matching those seen on the circulation page.
To test, submit barcodes to trigger the various error conditions:
Non-existant barcode, over the renew limit, restricted patron, item on
hold. Override and Ignore buttons should be properly styled and
functional.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
This patch adds a renewal tool that functions similar to the returns where a
librarian can continuously scan items for renewal. This script blocks
renewals that are impossible, and allow the same renewal overrides
as circulation.pl
Test plan:
1) Apply the patches for bug 8798
2) Apply this patch
3) Browse to /cgi-bin/koha/circ/renew.pl
4) Enter an invalid barcode, you should get an error message
5) Enter a valid, but not checked out barcode, you should get an error
message.
6) Enter a valid barcode that is checkout out and should be renewable,
you should get a success message.
7) Enable AllowRenewalLimitOverride
8) Enter a barcode for an item that has been renewed too many times
9) You should get a warning which you can override.
10) Disable AllowRenewalLimitOverride
11) Repeat steap 8
12) You should get a blocking error message
11) Enter a barcode for an item with unfilled holds on it,
you should get an overridable warning
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Passes all tests and QA script, some issues have been
addressed in follow-ups.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
