Commit graph

9 commits

Author SHA1 Message Date
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface, hit pages and try to catch an alert box.
If you find one, it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
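The "Next" list above asks for a QA script that catches template variables output without an html, uri, url or raw filter. The following is an added example of such a checker, written here for illustration; it is not Koha's add_html_filters.pl nor its QA tooling. It scans Template Toolkit source for `[% ... %]` directives, skips control keywords, comments, assignments and string literals, and reports every output directive whose last filter is not one of the approved output filters. The `$raw` spelling for Koha's raw filter, the `$KohaDates` filter name, and the sample template are assumptions constructed for the example.

```python
import re

# Output filters the commit message names as acceptable on a displayed variable.
# "$raw" is assumed to be how the dynamic raw filter is spelled in templates.
SAFE_FILTERS = {"html", "uri", "url", "raw", "$raw"}

# TT directive keywords that produce no output of their own (case-sensitive in TT).
TT_KEYWORDS = {
    "IF", "ELSIF", "ELSE", "UNLESS", "END", "FOREACH", "FOR", "WHILE", "SWITCH",
    "CASE", "DEFAULT", "SET", "GET", "CALL", "USE", "INCLUDE", "PROCESS", "INSERT",
    "WRAPPER", "BLOCK", "MACRO", "FILTER", "TRY", "CATCH", "FINAL", "THROW", "LAST",
    "NEXT", "BREAK", "RETURN", "STOP", "CLEAR", "META", "TAGS", "DEBUG", "PERL",
    "RAWPERL",
}

# Matches [% ... %] and [%- ... -%], possibly spanning lines.
DIRECTIVE_RE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.DOTALL)
# A single '=' that is not part of ==, !=, <=, >= or => marks an assignment.
ASSIGN_RE = re.compile(r"(?<![=!<>])=(?![=>])")
STRING_LITERAL_RE = re.compile(r"""(['"]).*\1""", re.DOTALL)


def check_template(source):
    """Return [(line_number, directive_body, reason)] for every output directive
    that is not protected by an approved output filter."""
    findings = []
    for m in DIRECTIVE_RE.finditer(source):
        body = m.group(1)
        if body.startswith("#"):
            continue  # [%# comment %]
        first = re.match(r"[A-Za-z_$]+", body)
        if first and first.group(0) in TT_KEYWORDS:
            continue  # IF / FOREACH / SET / USE ... emit nothing themselves
        if ASSIGN_RE.search(body):
            continue  # [% x = y %] is an assignment, not output
        parts = [p.strip() for p in body.split("|")]
        expr, filters = parts[0], parts[1:]
        if STRING_LITERAL_RE.fullmatch(expr):
            continue  # constant string, nothing attacker-controlled
        line_no = source.count("\n", 0, m.start()) + 1
        if not filters:
            findings.append((line_no, body, "no filter"))
            continue
        # The last filter in the chain is the one that decides what reaches the page.
        last = filters[-1].split()[0] if filters[-1] else ""
        if last not in SAFE_FILTERS:
            findings.append((line_no, body, f"last filter '{last}' is not an output filter"))
    return findings


# Constructed sample template (not a real Koha template): two unsafe outputs.
SAMPLE_TEMPLATE = """[% USE raw %]
[%# patron details; constructed sample for the checker %]
[% SET name = borrower.surname %]
<h1>[% borrower.surname | html %], [% borrower.firstname %]</h1>
[% IF borrower.dateofbirth %]
<span>[% borrower.dateofbirth | $KohaDates %]</span>
[% END %]
<a href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% borrower.borrowernumber | uri %]">view</a>
<div>[% debarment.comment | $raw %]</div>
[% "static text" %]
"""

if __name__ == "__main__":
    for line_no, body, reason in check_template(SAMPLE_TEMPLATE):
        print(f"line {line_no}: [% {body} %]  ->  {reason}")
```

Run against a checkout it would be invoked per .tt/.inc file; the two hits on the sample are `borrower.firstname` (no filter at all) and `borrower.dateofbirth | $KohaDates`, where a formatting filter is last in the chain so nothing escapes its output. The second case is the reason the checker looks at the final filter rather than merely at the presence of a `|`.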
Kyle M Hall
bba218444e Bug 18474: (QA follow-up) Remove useless else in template
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-02 18:07:34 -03:00
6ef1e5d4ed Bug 18474: Restore multiple holds when patron is searched for
We lost the ability to place multiple holds when we are searching for
patrons. The multi_holds parameter is lost and not handled correctly in
the template.

Test plan:
- Make sure you can place multiple holds for a patron you will search for
- Same for simple hold

TODO the multiple holds view should not be displayed if only 1 record
has been selected from the search result.

Signed-off-by: claude brayer <claude.brayer@cea.fr>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-02 18:07:34 -03:00
3672df5226 Bug 20221: Fix for JavaScript error during checkout patron search
This patch fixes a bug caused by the changes in Bug 19641. JavaScript
embedded in circ-patron-search-results.inc executes before jQuery is
loaded.

This patch adds a separate javascript file which can be included both in
circulation.tt and request.tt since both use the same include.

To test, apply the patch and submit a patron name in the check out form.
On the page of search results, clicking a table row should work the same
as clicking the patron name link.

Perform the same test during the hold process: Locate and place a hold
on a title. In the patron search form, submit a patron name and test the
behavior of the search results screen.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-16 13:00:57 -03:00
4edfc7900f Bug 19398: Format date of birth in circ patron search
When searching for a patron from the circulation tab, the results table
shows the date of birth unformatted.

Test plan:
Apply this patch, search for patrons in the circ tab and confirm that
the date of birth are correctly formatted according to the dateformat
syspref

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-10-06 12:00:20 -03:00
65ed212fae Bug 14874 - Add ability to search for patrons by date of birth from checkout and patron quick searches
This patch adds a new syspref 'DefaultPatronSearchFields' which defines
the fields that should be used when searching for a patron if none are
defined.

To test:
1 - Apply patch, updatedatabase
2 - Ensure patron search has not changed
3 - Add dateofbirth to new pref
4 - Ensure things work well
5 - Experiment with adding and removing other fields from borrowers
table
6 - prove t/db_dependent/Utils/Datatables_Members.t

Tested together with followup. Works as described.
Signed-off-by: Marc Véron <veron@veron.ch>

Bug 14874 (QA Followup)

    Fix atomicupdate file name

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-10-27 13:21:13 +00:00
38d1a1862d Bug 16462 - Change default sorting of circulation patron search results to patron name
This patch changes the default sort of patron quick search results from
the circulation header search or when searching for a patron during the
hold process.

To test:

In Circulation:
- Perform a search by name for a patron which will
  return multiple search results.
- Confirm that the results are sorted by patron name.

In the catalog:
- Locate and place a hold on a title.
- When prompted to select a patron to place the hold for, perform a
  search by name which will return multiple results.
- Confirm that the results are sorted by patron name.

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-06-24 13:05:02 +00:00
04e5c2630c Bug 16596: Display library and patron category descriptions instead of their code
Test plan:
On circ/circulation-home.pl and reserve/request.pl, search for patrons
The descriptions for the libraries and patron categories should be
displayed.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>

On top of Bug 13336
Works as described, now descriptions instead of codes.
No errors

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

https://bugs.koha-community.org/show_bug.cgi?id=16455

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-06-10 16:51:26 +00:00
4c04f6f8e0 Bug 16336 [Revised] UX of holds patron search with long lists of results
Bug 15793 made a change to an interface which is also found in the place
hold template. This patch creates a new include file to be used by both
circulation.tt and request.tt so that these pages do not diverge.

In the process, this patch removes some markup and JavaScript which was
made obsolete by Bug 15793 and should have been removed.

This patch also revises the sorting of the results table so that the
patron name is sortable (Bug 16334) and the default sort is on card
number (matching 3.20.x and 3.22.x).

To test:

In Circulation:
- Perform a search by name for a patron which will
  return multiple search results.
- The table of results which displays should look correct and work
  correctly, including DataTables sorting.
- Clicking any table row should forward you to the checkout page for
  that patron.

In the catalog:
- Locate and place a hold on a title.
- When prompted to select a patron to place the hold for, perform a
  search by name which will return multiple results.
- Confirm that the table of patron results looks correct and works
  correctly.
- Clicking any table row should forward you to the place hold page for
  that patron and the title you selected.

Revision: Although the table row was clickable, you couldn't
middle-click it to open the link in a new tab. The patron name is now a
real link you can middle-click or right-click. The row is still
clickable as well.

Signed-off-by: Aleisha <aleishaamohia@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-06-03 08:19:44 +00:00