Commit graph

29 commits

Author SHA1 Message Date
Katrin Fischer
346f8b163a
Bug 23863: (QA follow-up) Add missing html filter
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-10-24 10:56:17 +01:00
2f315139e2
Bug 23863: Editing a basket clears create_items value
Test Plan:
1) Create a basket with a non-default value for aqbasket.create_items
2) Click Edit from basket.pl
3) Click Save without changing anything
4) Note that aqbasket.create_items is no longer set
5) Apply this patch
6) Restart all the things!
7) Repeat steps 1-3
8) Note create_items is unchanged!

Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-10-24 10:56:01 +01:00
Jesse Weaver
84f8301229 Bug 15774: Add additional fields to order baskets
This also moves the admin page for additional fields for all tables to a
single common screen, and factors out display/input parsing logic.

Test plan:
  1. Create an additional field for a subscription (under Serials -> Add
     subscription fields).
  2. Apply patch.
  3. Visit Additional fields under administration, and verify that
     the field created above still shows under the list for the
     subscription table.
  4. Create at least four fields for aqbasket for each combination of
     searchable/not-searchable and with/without an authorized value.
  5. Create an order basket, and verify that all fields are visible and
     correctly save.
  6. Edit the basket, verifying that changes to these additional fields
     are saved.
  7. Add an order to the basket (contents are irrelevant).
  8. Go to advanced search within acquisitions.
  9. Verify that only the searchable fields show in the form, and that
     their contents may be searched.

Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-03-07 20:37:05 +00:00
5825026448 Bug 21526: uri escape TT variables when used in 'a href'
This patch has been generated with the script provided on bug 21576.
It only affects variables used in the href attribute of a link *when*
href is the first attribute of the node (grep "a href")

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-26 17:09:57 +00:00
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface, hit pages and try to catch an alert box.
If you find one it means you found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
2280877fdd Bug 21164: Fix alignment on new basket form in acquisitions
This patch removes some unnecessary "&nbsp;"'s from the template for
creating a new basket in acquisitions. This fixes the alignment on the
form fields.

To test, apply the patch and go to Acquisitions -> Vendor -> New basket.
All the form fields should be correctly left-aligned with each other.

Signed-off-by: Pierre-Luc Lapointe <pierreluc.lapointe@inLibro.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-14 11:45:41 +00:00
Julian Maurice
ed7543287b Bug 20538: Remove the need of writing [% KOHA_VERSION %] everywhere
Having to write [% KOHA_VERSION %] for each url is bad because:
- It's easily forgettable when adding new <script> or <link>
- It prevents grep'ing for the full filename
- It violates the DRY principle
- If at some point we want to change the "force js and css reload"
  mechanism, it will be tedious

This patch:
- adds a Template::Toolkit plugin that generates <script> and
  <link> tags for JS and CSS files, and inserts automatically the Koha
  version in the filename
- uses the new plugin to remove all occurrences of [% KOHA_VERSION %]
- removes the code that was adding KOHA_VERSION as a template variable

Test plan:
1. Apply patch
2. Go to several different pages in Koha (opac and intranet) while
   checking your browser's dev tools (there should be no 404 for JS and
   CSS files, and the Koha version should appear in filenames) and the
   server logs (there should be no "File not found")
3. `git grep KOHA_VERSION` should return nothing
4. prove t/db_dependent/Koha/Template/Plugin/Asset.t

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-13 11:49:44 -03:00
fad518ed7d Bug 20038: Switch single-column templates to Bootstrap grid: Acquisitions
This patch updates several acquisitions module templates to use the
Bootstrap grid.

- acqui/z3950_search.tt - Acquisitions -> Vendor -> View basket -> Add
  to basket -> From an external source. The Z39.50 search form should
  look correct.
  - Search for a title. The search results page should look correct.

- acqui/addorder.tt - Acquisitions -> Vendor -> View basket -> Add to
  basket. Add an order to the basket which costs more than is available
  in the fund you select. The error/confirmation screen should look
  correct.

- acqui\modordernotes.tt - Acquisitions -> Vendor -> View basket -> Add
  internal or vendor note. The note add form should look correct.

- acqui/cancelorder.tt - Acquisitions -> Vendor -> View basket -> Cancel
  order (from an open basket which has existing orders). The
  confirmation screen should look correct.

- acqui\basketheader.tt - Acquisitions -> Vendor -> New basket. The new
  basket edit form should look correct.

Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-15 13:30:23 -03:00
0ad922011c Bug 12904: Force browser to load new javascript files after upgrade
This patch has been automatically generated using:
  perl kv.pl **/*.tt **/*.inc

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
2018-02-08 14:53:24 -03:00
1a13244076 Bug 19753: Move template JavaScript to the footer: Acquisitions
This patch modifies some staff client acquisitions templates so that
JavaScript is included in the footer instead of the header.

This patch adds a JavaScript file, acquisitions-menu.js, which controls
the highlighting of the current page in the sidebar. Highlighting will
be temporarily broken for pages which have not been modified to include
this file

To test, apply the patch and test the JavaScript-driven features of the
modified templates: All button controls, DataTables functionality, tabs,
etc.

- Acquisitions home page
  - Datatable, Inactive budget controls
- Vendor search results
  - Acquisitions -> Vendor search
    - Datatables, "Show all" links
- Basket
  - Acquisitions -> Vendor -> Basket
    - Datatables, button controls, add managing user
- Add to basket from a staged file
  - Acquisitions -> Vendor -> Basket -> Add to basket from a staged file
    - Datatables, tabs, selection controls
- Edit basket
  - Acquisitions -> Vendor -> Edit basket
    - Form validation
- EDIFACT messages
  - Acquisitions -> EDIFACT messages
    - Datatables, message preview
- Orders search
  - Acquisitions -> Order search
    - Full orders search form
      - Patron autocomplete in "Basket created by" field
      - Datepickers
    - Orders search results
      - Datatables, column visibility
- Invoices
  - Acquisitions -> Vendor -> Invoices -> Invoice
    - Form validation, datepickers, datatables
  - Invoice files (enable AcqEnableFiles preference)
    - Manage invoice files
      - File list datatable

Signed-off-by: Simon Pouchol <simon.pouchol@biblibre.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-12-22 13:15:40 -03:00
04aea91de0 Bug 15685: (QA follow-up) Address QA issues
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-10-11 13:08:47 -03:00
Jesse Weaver
b29493265b Bug 15685: Allow creation of items (AcqCreateItem) to be customizable per-basket
This adds a new basket attribute (create_items) that can optionally be
set to override AcqCreateItem.

The following have been modified to reflect this (with the value of
create_items that causes them to behave differently in parentheses):
  * Cancelling receipt of an order (receiving)
  * Creating an order by hand or from MARC (ordering)
  * Receiving an order (receiving)
  * Showing orders with uncertain price (ordering)
  * Showing orders (receiving)
  * Showing acquisition details in the OPAC (ordering)

Test plan:
  1) Create baskets with "Create items when:" set to ordering,
     receiving, cataloging and unset.
  2) Test each of the above for each of these baskets, verifying that
     the basket-specific attribute overrides AcqCreateItem if set and
     falls back to the syspref otherwise.

NOTE: A check of AcqCreateItem in opac-detail.tt was removed because it
was redundant; the code path in question cannot be triggered unless
create_items/AcqCreateItems is set to the correct value anyway.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Barbara Fondren <bfondren@roundrocktexas.gov>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-10-11 13:06:06 -03:00
Amit Gupta
d31c635fe2 Bug 19112 - Stored XSS in basketheader.pl page
To Test

1. Hit the page /cgi-bin/koha/acqui/basketheader.pl?booksellerid=1&op=add_form
2. Add a text in the field Basket name, Internal note, Vendor note that contains JavaScript
3. Save the page
4. Notice js is executed
5. Apply patch, reload, js is escaped.

Fixed XSS on pages basket.pl/basketheader.pl/bookseller.pl

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-29 12:00:37 -03:00
9b9803b69c Bug 15758: Koha::Libraries - Remove GetBranchesLoop
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-08 14:36:02 +00:00
Katrin Fischer
e35b310a1e Bug 16384: Fix cancel link for 'Edit basket'
When you edit the basket from the basket summary page,
saving the change brings you back to the basket summary
page, but cancelling brings you to the baskets page of
the vendor.

To test:
- Add a basket in acq
  - Test cancel link returns to baskets page of vendor
- Add a basket and save
- Edit this basket
  - Test cancel link now returns to basket summary page

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-05-03 15:39:38 +00:00
5e1bcc4aa7 Bug 16242 - Move staff client JavaScript out of language directory
This patch moves the JavaScript files in prog/en/js to prog/js.
JavaScript files do not need to be in the directory which is processed
by the translator.

To test, apply the patch and visit various pages in the staff client to
confirm that JavaScript files are still loading correctly.

Revised: I intended for this to be built on top of Bug 15883 as well as
Bug 16242. Now it is.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
On top of 15883 and 16241
All seems to work, js files pulled from new dir.
No errors

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-04-29 14:32:42 +00:00
Jesse Weaver
26297903e4 Bug 15531: (QA followup) Fix several small issues
  * Add `AFTER` to DB update
  * Change "Is standing order basket:" to "Orders are standing:"
  * Disable item creation when adding from a staged file
  * Correctly show is_standing for existing baskets

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-04-29 13:07:18 +00:00
Jesse Weaver
9501ac2fef Bug 15531: Add support for standing orders
This allows creation of special baskets that include standing orders.
These orders do not have a known quantity (and may not have a known
price in advance). Upon receipt, the received items are split into a new
completed order.

Test plan:
  1) Run updatedatabase.pl.
  2) Run prove t/db_dependent/Acquisition/StandingOrders.t . (and the
     other Acquisition tests).
  3) Create a new basket, mark it as a standing order basket.
  4) Add an order to this basket, and notice that the quantity field is
     missing (and thus not required).
  5) Receive items for this order, and notice that the original order is
     unchanged. The new child order line should have the correct price
     and quantity information.

(Note: the QA tools output what seems to be a spurious spelling error
for Test::More's "isnt" in StandingOrders.t.)

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-04-29 13:07:17 +00:00
cd089028b8 Bug 11805 - Use validation plugin when creating new basket in Acquisitions
The page for adding a new basket in Acquisitions includes some custom
form validation JavaScript which can be removed in favor of HTML5
validation attributes and Koha's built-in validation plugin. This patch
does so.

To test, apply the patch and go to Acquisitions -> Choose a vendor ->
New basket. Try submitting the form without entering a basket name. This
should trigger a validation warning.

Submission of the form with valid data should work correctly. Editing an
existing basket should also work correctly.

Patch works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Works as expected, passes all tests and QA script.
Tried adding a new basket with/without basket name and editing
an existing basket editing/emptying the basket name.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-02-27 15:44:48 +00:00
Fridolyn SOMERS
f92c74b65a Bug 7469: put focus on 1st field of creation form instead of search box (Acquisition)
When a user creates a new vendor, a new borrower or a new basket
(maybe on others page too, to be listed), a creation form is displayed,
but the focus is still on the search textbox on page top.

It would be probably better to switch the focus to the first field of
the creation form.

This patch adds the focus, for acquisitions module, on first input for
pages with a data creation or modification or pages with only one form
(like Z3950 search).

Test plan :
Go to pages and look where is the focus :
- acqui/basketgroup.pl : focus on "Basket group name:"
- acqui/basketheader.pl : focus on "Basket name:"
- acqui/invoices.tt : focus on "Invoice no:"
- acqui/modordernotes.pl : focus on "Notes:"
- acqui/neworderempty.pl : focus on "Title:"
- acqui/supplier.pl : focus on "Name:"
- acqui/z3950_search.pl : focus on "Title:"

Signed-off-by: Melia Meggs <melia@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
The focus choice is relevant and works as described.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-09-16 15:53:17 +00:00
1b3b942409 Bug 2835 - Inconsistent use of colon at the end of sentences
Labels which precede a text input or select typically have a colon
before them:

Name: [____]

This patch cleans up templates where labels in this context lack a
colon. Exceptions to this rule include radio buttons, checkboxes, and
labels inside tables.

To test, view the affected pages and confirm that labels look
consistent.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Patch adds more consistency.
Work for translators could be made easier using CSS instead
of whitespace after colon.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-04-02 09:03:42 -04:00
81c90ba3bf Bug 8913 [Revised] Improve acquisitions navigation
This patch adds a new menu for vendor-related pages in which
vendor related "views" can be linked to: baskets, basket groups,
contracts, invoices, uncertain prices.

The acquisitions toolbar is pared down to vendor-related actions:
New basket, contract, or vendor; edit vendor, delete vendor,
receive shipment.

Other small improvements have been made to other pages: corrections
to breadcrumbs and title tags, adding useful links between pages.

Vendor menu and toolbar are added to booksellers.pl
when there is only one "search result" (i.e. a vendor id is passed).

- Menu appears when booksellerid variable is present
- Redundant heading removed
- Additional variables added to enable proper display of the toolbar

- Revision corrects broken links pointed out by QA.
- Revision adds check of existing baskets and subscriptions as a
  condition on display of the vendor delete button.

TODO: Add coverage of Basket groups page.

To test, navigate Acquisitions pages and test as many links and buttons
as you can, confirming that nothing is broken on vendor pages, invoice
pages, contract pages, uncertain price pages, etc.

Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>

All tests pass - I like this very much!

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
All tests and QA script pass.

Tests done:
1) New toolbar - vendor search
  - no results = button to create new vendor shows
  - 1 result = additional new options show
  - more than one result = button to create new vendor shows

2) Vendor views
  - acq toolbar consistent with 1 result in vendor search
  - new tabs on the left
  - checked all links have the needed parameters and work correctly

3) New toolbar - different pages
  - Toolbar is formatted consistently
  - Delete vendor only shows up when it should - no baskets or
    subscriptions
  - Links work correctly

Works nicely, great groundwork for further improvements.

TODO Add new toolbar to (new) invoices page.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-02-20 09:17:21 -05:00
Paul Poulain
8e7df04301 Bug 5335 follow-up fixing template
There were 2 invalid T::T constructions, with a [% IF %] inside a HTML tag
2012-09-28 11:26:23 +02:00
Jonathan Druart
1b4b78a136 Bug 5356: delivery place and billing place centralised in basket management
- adding 2 select options in basketheader.tmpl (delivery and billing
   place)
- adding 2 more fields in basket csv export

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Tested together with patches for bug 7302.
2012-09-24 20:46:39 +02:00
Paul Poulain
2709f66089 [PATCH 1/1] Bug 7757 - Followup - Move IF outside of html tag
(patch written by kyle@bywatersolutions.com, see http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=9588)

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-05-24 13:36:47 +02:00
d6c3cb2934 Bug 7757 - Edit basket vendor after it has been created
Signed-off-by: mveron <veron@veron.ch>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-05-24 13:35:52 +02:00
Katrin Fischer
3c419f2fe6 Bug 7760: Add unique ids and a module class to all acquisitions pages
This is the first patch for bug 7760 and touches all pages in acquisitions.
This adds a unique id "acq_<filename>" and a class "acq" to the body tag of
each page in acquisitions.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
2012-03-22 18:11:54 +01:00
7fcff602f5 Bug 7113: Standardize vendor id name in templates and scripts
New revision updates for current master and cleans up new
instances introduced by recent commits.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
2 problems found, fixing those in follow-up patches:
- late orders don't allow more than 1 order to be selected
- basketgroups: 'Edit vendor' does the same as 'Manage orders'
2012-02-17 19:04:00 +01:00
Chris Cormack
5884fb1000 Bug 5917 : Swapping templates over
2011-04-10 20:38:30 +12:00
Renamed from koha-tt/intranet-tmpl/prog/en/modules/acqui/basketheader.tt