This last patch activates the check at client side.
If the pref ProtectSuperlibPrivs is enabled, non-superlibs should not be
able to change superlibrarian privileges via the interface.
Test plan:
[1] Enable the pref.
[2] Login as superlib and add/remove superlib privs to a staff user.
[3] Login as another user (no superlib, but having borrowers, permissions
and staff_access). Verify that you cannot add or remove superlib
privs.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: JM Broust <jean-manuel.broust@univ-lyon2.fr>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Having to write [% KOHA_VERSION %] for each url is bad because:
- It's easily forgettable when adding new <script> or <link>
- It prevents grep'ing for the full filename
- It violates the DRY principle
- If at some point we want to change the "force js and css reload"
mechanism, it will be tedious
This patch:
- adds a Template::Toolkit plugin that generates <script> and
<link> tags for JS and CSS files, and inserts automatically the Koha
version in the filename
- use the new plugin to remove all occurences of [% KOHA_VERSION %]
- remove the code that was adding KOHA_VERSION as a template variable
Test plan:
1. Apply patch
2. Go to several different pages in Koha (opac and intranet) while
checking your browser's dev tools (there should be no 404 for JS and
CSS files, and the Koha version should appear in filenames) and the
server logs (there should be no "File not found")
3. `git grep KOHA_VERSION` should return nothing
4. prove t/db_dependent/Koha/Template/Plugin/Asset.t
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
In order to simplify and make uniform the code, the controller scripts send
a Koha::Patron object to the templates instead of all attributes of a patron.
That will make the code much more easier to maintain and will be less
error-prone.
The variable "patron" sent to the templates is supposed to represent the
patron the librarian is editing the detail.
In the members module and some scripts of the circulation module, the
patron's detail are sent one by one to the template. That leads to
frustration from developpers (making sure everything is passed from all
scripts) and to regression (we got tone of bugs in the last year because
of this way to do).
With this patch set it will be easy access patron's detail, passing only
1 variable from the controllers.
Test plan:
Play with the patron and circulation module and make sur the detail of
the patron you are editing/seeing info are correctly displayed.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies the staff client patron module templates so that
JavaScript is included in the footer instead of the header.
This patch touches a lot of files because the changes are all
interdependent, affecting a couple of module-wide include files.
To test, apply the patch and test the JavaScript-driven features of the
modified templates: All button controls, DataTables functionality, tabs,
etc.
Patrons -> Patrons home, patron search results
-> Manage pending modification requests
-> Patron detail page
-> Edit patron
-> Set guarantor
-> Fines
-> Account, Pay fines, Create manual invoice, Create manual
credit
-> Print receipts for different kinds of charges
-> Routing lists
-> Circulation history
-> Holds history
-> Notices
-> Statistics
-> Files
-> Purchase suggestions
-> Discharges
-> Housebound
-> Set permissions
-> Change password
-> Print summary, slips, and overdues
-> Update child to adult patron type
Patron toolbar and patron search bar operations should work correctly on
all pages.
This patch also updates the template for searching the Norwegian
national patron database, but it has NOT been tested.
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Zoe Bennett <zoebennett1308@gmail.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
If an attacker can get an authenticated Koha user to visit their page
with the url below, privilege escalation is possible
The exploit can be simulated triggering
/cgi-bin/koha/members/member-flags.pl?member=42&newflags=1&flag=superlibrarian
Test plan:
Trigger the url above
=> Without this patch, 42 is now superlibrarian
=> With this patch, you will get the "Wrong CSRF token" error.
This vulnerability has been reported by MDSec.
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This is the fourth and last patch set to remove C4::Branch.
The real purpose of this patch is to standardise and refactor some code
which is related to the libraries selection/display.
Its unconfessed purpose is to remove the C4::Branch package.
Before this patch set, only 6 subroutines still existed in the C4::Branch
package:
- GetBranchName
- GetBranchesLoop
- mybranch
- onlymine
- GetBranches
- GetBranch
GetBranchName basically returns the branchname for a given branchcode.
The branchname is only used for a display purpose and we don't need to
retrieve it in package or pl scripts (unless for a few exceptions).
We have a `Branches` template plugin with a `GetName` method which does
exactly this job.
To achieve this removal, we will use this template plugin and delete the
GetBranchName from pl and pm files.
The `Branches.all()` will now select the library of the logged in user
if no `selected` parameter has been passed.
This new behavior could cause regressions, for instance there are some
places where we do not want an option preselected (batch item
modification for instance), keep that in mind when testing.
GetBranchesLoop took 3 parameters: $branch and $onlymine.
The first one was used to set a "selected" flag, for a display purpose:
select an option in the libraries dropdown lists.
The second one was useless: If not passed or set to 0, the
`C4::Branch::onlymine` subroutine was called.
This onlymine flag was use to know if the logged in user was able to see
other libraries infos.
A patron can see the infos from other libraries if IndependentBranches
is not set OR if he has the superlibrarian permission.
Prior to this patch set, the "onlymine test" was done on different
places (neworderempty.pl, additem.pl, holidays.pl, etc.), including the
Branches TT plugin. In this patch set, this test is only done on one
place (C4::Context::only_my_library, code moved from
C4::Branch::onlymine).
To accomplish the same job as this subroutine, we just need to call the
`Branches.all()` method from the `Branches` TT plugin. It already
accepts a `selected` parameter to set a flag on the option to select.
To avoid the repetitive
[% IF selected %]<option selected="selected">[% ELSE %]<option>[% END %]
pattern, a new `html_helpers` TT include file has been created, it
defines an `options_for_libraries` block, which takes a `selected`
parameter. We could imagine to use this include file for other
selects.
The 'mybranch` and `onlymine` subroutines of the C4::Branch package have
been moved to C4::Context. onlymine has been renamed with
only_my_library. There are only 4 occurrences of it, against 11 before
this patch set.
There 2 subroutines are Context-centric and it makes sense to put them
in `C4::Context` (at least it's the least worst place!)
GetBranches is the tricky part of this patch set: It retrieves all the
libraries, independently of the value of IndependentBranches.
To keep the same way as the existing calls of `Branches.all()`, I have
added a `unfiltered` parameter. If set, the `Branches.all()` will call
a usual Koha::Libraries->search method, otherwise
Koha::Libraries->search_filtered will be called. This new method will
check if the logged in user is allowed to see other libraries or only
its library.
Note that this `GetBranches` subroutine also created a `category` key:
it allowed to get the list of groups (of libraries) where this library
existed. Thanks to a previous patch set (bug 15295), this value was
not used anymore (I may have missed something!).
Note that the only use of `GetBranch` was buggy (see bug 15746).
Test plan (for the whole patch set):
The best way to test this whole patch set is to test with 2 instances: 1
with the patch set applied, 1 using master, to be sure there is no
regression.
It would be good to test the same with `IndependentBranches` and the
without `IndependentBranches`.
No difference should be found.
The tester must focus on the library dropdowns on as many forms as
possible.
You will notice changes in the order of the options: the libraries will
now be ordered by branchname (instead of branchcode in some places).
A special attention will be given to the following page:
- acqui/neworderempty.pl
- catalogue/search.pl
- members/members-home.pl (header?)
- opac/opac-topissues.pl
- tools/holidays.pl
- admin/branch_transfer_limits.pl
- admin/item_circulation_alerts.pl
- rotating_collections/transferCollection.pl
- suggestion/suggestion.pl
- tools/export.pl
Notes for QA:
- There are 2 FIXMEs in the patch set, I have kept the existing behavior,
but I am not sure it's the good one. Feel free to open a bug report and
I will fill a patch if you think it's not correct. Otherwise, remove the
FIXME lines in a follow-up patch.
- The whole patch set is huge and makes a lot of changes.
But it finally will tremendously reduce the number of lines:
716 insertions for 1910 deletions
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch removes the use of "onclick" attributes from some patron
pages.
To test, apply the patch and:
- In Patrons, perform any search which will return multiple results.
Confirm that the "select all" and "clear all" links work as expected.
Font Awesome icons have been added to these links.
In the left-hand sidebar, change any of the filters and click the
"Clear" button. The form (and your search results) should reset.
- Open the 'Set permissions' page for any patron. Checking any
permission with sub-permissions should correctly expand the tree and
select all sub-permissions. The reverse should also work.
Also changed in this file: The "Inconsistency detected" alert has been
reformatted to make it translatable.
- View the detail page for a patron with one or more restrictions.
Clicking the "View restrictions" link at the top of the page should
jump you to and activate the restrictions tab.
- View the 'Notices' tab for a patron who has been sent one or more
notices. Click any notice title to expand the notice. Clicking the
"resend" button should resend the notice.
- Create a new patron with the same first and last name as an existing
patron. This should trigger a duplicate warning message. Click the
"View existing record" link to trigger a pop-up window with a patron
detail brief view.
In this window an "email" class has been added to the primary and
secondary email lines so that long email addresses don't overlap the
second column of data.
Confirm that clicking the "close" button in this window closes the
window. The changes to staff-global.css are included in this patch to
prevent the close button from having an incorrect color change on
hover.
Signed-off-by: FILIPPOS KOLOVOS <f.kolovos@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
According to https://jquery.com/upgrade-guide/1.9/#attr-versus-prop-
.attr() is no longer correct to access the checked state of a checkbox.
This patch do the following replacements:
.attr('checked') => .prop('checked')
.attr('checked, '') => .prop('checked', false)
.attr('checked, 'checked') => .prop('checked', true)
.attr('checked', boolValue) => .prop('checked', boolValue)
.removeAttr('checked') => .prop('checked', false)
.attr('checked') == 'checked' => .is(':checked')
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The staff client CSS is not language-specific, so it can be moved out of
the en/ directory and thus not be duplicated for every translation.
In order to be able to have a generic path to the YUI CSS files, the YUI
directory is moved by this patch to the staff client's lib/ directory.
To test, apply the patch and visit various pages in the staff client.
Look in particular at pages which include more than the standard CSS.
For example:
- The staff client login page.
- The staff client home page.
- Patron -> Set permissions.
- The advanced cataloging editor.
- Acquisitions -> Vendor -> Basket groups.
- Tools -> News -> Edit news.
- Administration -> System preferences.
Revised: I intended for this to be built on top of Bug 15883. Now it is.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
On top of 15883
Works as described, all pages on test plan
No Errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch set moves the permissions' descriptions to the po files
instead of having them in the DB.
Test plan:
0/ Apply all patches
1/ Create a new installation
2/ Confirm the userflags and permissions tables are correctly populated
3/ Update the po file for a translated language
4/ Confirm you are able to translate the permissions descriptions
5/ Install the template files for this language
6/ Switch the interface to use this language and confirm the string are
correctly translated.
QA Note: At this point we could remove the userflags.flagdesc and
permissions.description DB fields, but I would prefer to keep them:
developers will know what the permission do without the need to go and
see the include file (we have it in the sql files and so, in the DB).
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch moves the treeview plugin in the staff client from the
language-specific lib/jquery/plugins directory to the one outside the
theme directory.
To test, apply the patch and view the "Set permissions" page for a
patron. The list of permissions should display in an expandable list as
usual.
Signed-off-by: Frederic Demians <f.demians@tamil.fr>
It works, following the test plan. I can see the jQuery treeview plugin moved
from 'prog' language specific directory to the global lib/plugins directory.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Works as described. Found no other places where we use this plugin.
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch tweaks a few templates, and enables right-to-left
flipping via CSS in the staff client.
Signed-off-by: Karam Qubsi <karamqubsi@gmail.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Amended patch, putting back author and adding sign off.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Basically, when you check the checkbox for the superlibrarian permission
in the patron record, it will disable and uncheck all the other
permission checkboxes. When you uncheck the checkbox for the
superlibrarian permission, it will renable those boxes. There is also
some JS code there to ensure that the other boxes are disabled when
returning to the change permission screen (i.e. the patch is not just a
click handler).
In the event that the checkboxes for superlibrarian and other
permissions are already checked, the user will be shown a pop-up window
explaining that the superlibrarian permission is mutually exclusive to
the others (since it already includes the others) and that the
permissions for that patron will then be reset to just include the
superlibrarian permission.
Comment: Tested on master. Works as described.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
first, replicate:
go to More -> permissions on any user. Notice that it says various things "privileges, flags, permissions" they are interchangeable and inconsistent.
also note that some of the permissions are nonsensical and/or not descriptive enough, or not using canonical terminology (borrowers instead of patrons, for example)
To test:
interface consistency changes
-> means "turns into"
- page title - privileges -> permissions
- breadcrumbs - privileges -> permissions
- headings - privileges -> permissions
- "set flags" button -> save
Permissions that have changed description:
- Catalogue changes to "Required for staff login" in bold (this was the original impetus for this boatload of changes)
- reports
- editauthorities
- management
- serials
- updatecharges
- circulate
- parameters
- borrowers
- tools
- staffaccess
- edit_patrons (only on updatedb, not on new db)
- Read through and make sure there are no typos, and that the descriptions seem to jive with what privileges the permission gives the user. Suggestions are, in fact, welcome.
- If you are feeling ambitious, go ahead and create a new, clean database and check the wording there as well - it should match what has been done in the db update.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Tested both with existing database and new database
Signed-off-by: Elliott Davis <elliott@bywatersolions.com>
Tested with existing database. Introduces no new mysql-isms.
Kudos for adding that syspref in bold, that got me when I first started with Koha
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
