Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.
This patch has been autogenerated (using add_html_filters.pl, see the next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface, hit pages and try to catch an alert box.
If you find one, it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops, for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
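As an added example, not part of the commit above or of Koha's own code: a Perl script that renders a small Template Toolkit template over a constructed patron value containing a <script> tag, showing what the html filter does to it next to a deliberately raw directive and an unfiltered one, and then lists the directives that carry none of the accepted filters, along the lines of the QA script proposed under "Next". The 'raw' filter is registered here as a stand-in static TT filter that returns its input unchanged; Koha's real raw filter is not reproduced, and the keyword list, the regex and the sample values are this example's assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed sample values standing in for patron fields. The surname
# carries the kind of payload the test plan seeds into the DB; the
# comment is the one field where HTML is allowed.
my $vars = {
    surname => '<script>alert("xss")</script>',
    comment => '<b>html tags possible here</b>',
};

# Stand-in for the 'raw' filter the commit mentions: a static TT filter
# that returns its input unchanged. Koha's own implementation is not
# reproduced here; this only makes the template below render.
my $tt = Template->new( { FILTERS => { raw => sub { return $_[0] } } } )
    or die Template->error();

# Three directives: escaped, deliberately raw, and one with the filter
# missing, which is the XSS the commit's test plan hunts for.
my $template = <<'TT';
Escaped: [% surname | html %]
Raw:     [% comment | raw %]
Missing: [% surname %]
TT

my $out;
$tt->process( \$template, $vars, \$out ) or die $tt->error();
print $out;

# Illustrative missing-filter check (assumed logic, not Koha's QA script):
# report every output directive whose filter chain does not include one
# of the accepted filters. Control-flow, comment and assignment directives
# are skipped; both 'raw' and '$raw' are accepted.
my $keywords = join '|', qw(
    IF ELSIF ELSE UNLESS END FOREACH WHILE SWITCH CASE USE SET DEFAULT
    INCLUDE PROCESS BLOCK WRAPPER FILTER MACRO CALL TRY CATCH FINAL THROW
    NEXT LAST RETURN STOP
);

sub unfiltered_directives {
    my ($tmpl) = @_;
    my @hits;
    my $lineno = 0;
    for my $line ( split /\n/, $tmpl ) {
        $lineno++;
        while ( $line =~ /\[%-?\s*(.*?)\s*-?%\]/g ) {
            my $body = $1;
            next if $body =~ /^(?:$keywords)\b/;    # control flow, no output
            next if $body =~ /^#/;                  # TT comment
            next if $body =~ /^\w+\s*=[^=]/;        # plain assignment
            next if $body =~ /\|\s*\$?(?:html|uri|url|raw)\b/;
            push @hits, "line $lineno: [% $body %]";
        }
    }
    return @hits;
}

print "$_\n" for unfiltered_directives($template);
```

Run it with Template Toolkit installed: the escaped line renders the tag as entities, the raw line keeps its markup, and the unfiltered line injects the script verbatim; the check reports only that third directive. Pointing unfiltered_directives at a real .tt file is the same call with the file's contents read in.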
Test plan:
Log in with a patron that only has the 'edit_borrowers' permission.
You should be able to access the patron information of patrons inside your group.
Technical note:
Before this patchset the borrowers permission module contained only one permission, 'edit_borrowers'.
That meant
borrowers => 1
and
borrowers => '*'
had the same behavior.
Moreover, now that we have 2 permissions, 'CAN_user_borrowers' is set when all
permissions of 'borrowers' are set.
We need to update the different occurrences of these tests.
Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
* koha-tmpl/intranet-tmpl/prog/en/includes/members-menu.inc: Add a link
to the housebound module view if it is switched on.
Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Overdue and Hold notices can be sent even if EnhancedMessagingPreferences is set to "Don't Allow", so the Notices tab has to be visible in all cases.
Test plan :
- without patch :
- set EnhancedMessagingPreferences to "Don't Allow" and go to a patron record : there is no Notices tab
- set EnhancedMessagingPreferences to "Allow" and go to a patron record : there is a Notices tab
- apply this patch :
- go to a patron record, you can see a Notices tab
- change the value of EnhancedMessagingPreferences, the Notices tab is always visible.
Followed test plan, works as expected
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch adds:
- links to the new pages.
- syspref description
- links on the main page (intranet)
- the DISCHARGE type for debarment
Signed-off-by: Lucie <lucie.rousseaux@dracenie.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Adds the ability to attach unlimited arbitrary files to
a borrower record.
Test Plan:
1) Enable system preference EnableBorrowerFiles
2) Look up borrower record, click 'Files' tab on left
3) Upload a file, download the file, delete the file.
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
rebased for current master.
Signed-off-by: Ian Walls <koha.sekjal@gmail.com>
rebased again; some indentation issues in include menus.
This patch adds a new 'statistics' tab in the Patron module.
For a borrower, this tab contains a table with:
- number of checkouts for today
- number of checkins for today
- "precedent state", the number of checkouts the patron had yesterday on
its library card
- "actual state", the number of checkouts on the borrower card at the current date
A new syspref (StatisticsFields) contains a list of fields (separated by
a pipe (|)) on which the table results are based. The default value is
location|itype|ccode
Signed-off-by: Mathilde Formery <mathilde.formery@ville-nimes.fr>
Changes to notices tab to make it a full replacement for messages tab.
Removes messages tab from patron account.
- repairs view of patron address in left column (category description, branch)
- shows some explanation, when there are no messages for a borrower
- makes the notice an expandable field, a click on the subject will
expand the field to show the message content
- makes message status and message transport type translatable,
by moving the possible values into the template
- removes the messaging tab from various menus
- removes the files that were associated with the messaging tab
- preserves the line breaks in message content to improve readability
Also fixes Bug 6593 - Some information missing from the "Notices" tab.
Signed-off-by: Liz Rea <lrea@nekls.org>
Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Also corrected several links to viewlog.pl that
didn't take into account the recent renaming
of one of its parameters from 'module' to 'modules'
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>