Apply 'Break lines on chained methods' to the new JS code introduced in
this patchset to prevent really long lines.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patchset makes opac-memberentry.pl use the API instead of the old
svc scripts for ajax calls, for setting privacy configuration in the
OPAC.
To test:
1) Disable OPACPrivacy
2) Enable AllowPatronToSetCheckoutsVisibilityForGuarantor
3) Enable AllowPatronToSetFinesVisibilityForGuarantor
4) Have a known patron be the guarantee of someone (so things display)
5) Log into the OPAC, go to the 'your personal details' tab
6) Change 'Allow your guarantor to view your current checkouts?' and
click the 'Update' button.
=> SUCCESS: Operation succeeds
7) Reload the tab
=> SUCCESS: The page reflects the expected changes (i.e. the API did it
right)
8) Repeat 6 and 7 with the 'Allow your guarantor to view your current
fines?' option
=> SUCCESS: It works as well
- Sign off :-D
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch adds two preferences
1. AllowPatronToSetFinesVisibilityForGuarantor: Allow/Don't allow patrons to choose their own privacy settings for showing the patron's fines to the patron's guarantor
2. AllowStaffToSetFinesVisibilityForGuarantor: Allow/Don't allow staff to set the ability for a patron's fines to be viewed by linked patrons in the OPAC
Also adds a tinyint, non nullable, default to 0 column in borrower and deletedborrower named privacy_guarantor_fines.
1. privacy_guarantor_fines = 0 => don't allow guarantor to see guarantee's fines
2. privacy_guarantor_fines = 1 => allow guarantor to see guarantee's fines
To test:
1) git reset --hard master
2) apply patches (including dependencies)
3) perl installer/data/mysql/updatedatabase.pl
4) dbic
5) restart_all
6) in intranet search for AllowPatronToSetFinesVisibilityForGuarantor and AllowStaffToSetFinesVisibilityForGuarantor preferences
SUCCESS => both preferences should be present
7) search for a patron with guarantor
SUCCESS => in details tab, in "Library use" section you should see a row labeled "Show fines to guarantor"
8) edit
CHECK => in Guarantor information there is no "Show fines to guarantor" select
9) set AllowStaffToSetFinesVisibilityForGuarantor preference to "Allow"
10) return to patron with guarantor and edit
SUCCESS => in Guarantor information section there is a "Show fines to guarantor" select
11) change "Show fines to guarantor" select to "Yes" and save
SUCCESS => Value is saved
12) go to details tab
SUCCESS => in "Library use" section you see a row labeled "Show fines to guarantor" with value "Yes"
13) set OPACPrivacy preference to "Allow"
14) open 2 opacs, one with a patron that has a guarantor and another that hasn't and go to "your privacy" tab.
CHECK => in both opacs you should not see a "Allow your guarantor to view your current fines?" select
15) in intranet set AllowPatronToSetFinesVisibilityForGuarantor to "Allow"
16) refresh both opacs
SUCCESS => in Patron that has guarantor you see a "Allow your guarantor to view your current fines?" select
=> in Patron without guarantor you don't see a "Allow your guarantor to view your current fines?" select
17) in Patron with guarantor change value of select and save
SUCCESS => Value is saved
18) in intranet set OPACPrivacy preference to "Don't allow" and AllowPatronToSetFinesVisibilityForGuarantor to "Don't allow"
19) got to "your personal details" in both opacs
CHECK => in both opacs you should not see no Privacy section with a "Allow your guarantor to view your current fines?" select
20) in intranet set AllowPatronToSetFinesVisibilityForGuarantor to "Allow"
21) refresh both opacs
SUCCESS => in Patron that has guarantor you see a "Allow your guarantor to view your current fines?" select in a Privacy section
=> in Patron without guarantor there is no Privacy section
22) in Patron with guarantor change value of select and update
SUCCESS => Value is saved
23) Sign off
Signed-off-by: Agustin Moyano <agustinmoyano@theke.io>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch adds the ability to set an unlimited number of guarantors
for a given patron. As before, each guarantor may be linked to another
Koha patron, and all the behavior that applies to a given guarantor
remains the same.
Test Plan:
1) Apply this patch
2) Run updatedatabase.pl
3) Find some patrons with guarantors, verify the still have their guarantor
4) Test adding and removing guarantors on a patron record, both Koha users and not
5) Verify the "Add child" button works
6) Verify NoIssuesChargeGuarantees still works
7) Verify tools/cleanborrowers.pl will not delete a guarantor
8) Verify the guarantors are displayed on moremember.pl
9) Verify the guarantor is removed by members/update-child.pl
10) Verify the guarantor is removed by misc/cronjobs/j2a.pl
11) Verify import patrons converts guarantor_id, relationship, contactfirstname,
and contactsurname into a guarantor
12) prove t/Patron.t
13) prove t/db_dependent/Circulation.t
14) prove t/db_dependent/Circulation/NoIssuesChargeGuarantees.t
15) prove t/db_dependent/Items.t
16) prove t/db_dependent/Koha/Patrons.t
17) prove t/db_dependent/Members.t
18) prove t/db_dependent/Patron/Relationships.t
Signed-off-by: Kim Peine <kmpeine@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Agustin Moyano <agustinmoyano@theke.io>
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Test plan:
Toggle value of pref AddressFormat and verify change on opac-memberentry.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Maryse Simard <maryse.simard@inlibro.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
To test:
PatronSelfRegistration = Allow
PatronSelfRegistrationDefaultCategory = PT (or some other real category)
GDPR_Policy = Enforced
PrivacyPolicyURL = Some URL
- Go to <opac>/cgi-bin/koha/opac-memberentry.pl and verify that the text "privacy
policy" displays a link to the current page, not the URL in PrivacyPolicyURL
- Go to Administration > System preferences > Patrons > Privacy
- Verify that the descriptions of GDPR_Policy and PrivacyPolicyURL does not
mention that PrivacyPolicyURL needs to be set if GDPR_Policy is set.
- Apply the patch
- Verify that opac-memberentry.pl now links to the URL in PrivacyPolicyURL
- Verify that the syspref descriptions mention the relationship between them
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Signed-off-by: Bin Wen <bin.wen@inlibro.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch modifies a few templates in the OPAC so that all available
information on password requirements is displayed for each case where
the patron is setting a password:
- If the RequireStrongPassword system preference is set, a message
should appear listing strong password requirements and minimum
password length.
- If RequireStrongPassword is not set, the message should only ask for
a minimum password length.
To test, apply the patch and enable the PatronSelfRegistration and
OpacResetPassword preferences.
On the following pages, test with RequireStrongPassword both on and
off. The correct messages should appear.
- OPAC -> Forgot password. Follow the process to reset your password
until you reach the step where you are entering the new password.
- OPAC -> Register here. Check the password section of the registration
form.
- OPAC -> Log in -> Change your password.
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Bug 13618 took care of the KohaDates output but not if it is called
with a parameter (eg. [% var | $KohaDates with_hours => 1 %]).
We could avoid unnecessary processing by removing the extra html filter.
Patch generated with the following command:
% perl -p -i -e 's/KohaDates([^%\|]*)\s?\|\s?html\s?/KohaDates $1/g' **/*.inc **/*.tt
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch has been generated with the script provided on bug 21576.
It only affects variable used in the href attribute of a link *when*
href it the first attribute of the node (grep "a href")
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
We add a section for the GDPR consent in opac-memberentry (only for the
self-registration). Not when editing personal details.
Test plan:
[1] Enable selfregistration (with confirm) and GDPR policy.
[2] Register a new account in OPAC. Verify that the GDPR checkbox is
required.
[3] After you submit, you should see a date in borrower_modifications
field gdpr_proc_consent.
[4] When you confirm, verify that the consent is visible on your consents.
[5] Enable selfregistration without confirmation mail. Register again.
[6] Check your consents tab again.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
it also removes 'category_type' and 'description' from a couple of
opac scripts, they are not needed.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch is a reimplementation of the original from Indranil Das Gupta
and the QA follow-up from Julian Maurice. Original test plan:
Conformance rules for HTML5 is generating warnings for <script> element
with type="text/javascript" attribute when the OPAC page is checked
with W3C Validator. This patch removes the cause of these warnings.
Test plan
=========
1/ Paste the URL to your OPAC page (if it is hosted) to W3C Validator
and watch about 10+ warnings being generated by the validator.
2/ Apply patch and re-submit the page to the Validator. The warnings
would be gone.
Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Having to write [% KOHA_VERSION %] for each url is bad because:
- It's easily forgettable when adding new <script> or <link>
- It prevents grep'ing for the full filename
- It violates the DRY principle
- If at some point we want to change the "force js and css reload"
mechanism, it will be tedious
This patch:
- adds a Template::Toolkit plugin that generates <script> and
<link> tags for JS and CSS files, and inserts automatically the Koha
version in the filename
- use the new plugin to remove all occurences of [% KOHA_VERSION %]
- remove the code that was adding KOHA_VERSION as a template variable
Test plan:
1. Apply patch
2. Go to several different pages in Koha (opac and intranet) while
checking your browser's dev tools (there should be no 404 for JS and
CSS files, and the Koha version should appear in filenames) and the
server logs (there should be no "File not found")
3. `git grep KOHA_VERSION` should return nothing
4. prove t/db_dependent/Koha/Template/Plugin/Asset.t
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Now that we have a check client-side, nothing prevents us from a smart guy to
bypass it and force an invalid password.
This patch adds two new subroutines to Koha::AuthUtils to check the
validity of passwords and generate a password server-side. It is used
only once (self-registration) but could be useful later.
Moreover the 3 different cases of password rejection (too leak, too
short, contains leading or trailing whitespaces) were not tested
everywhere. Now they are!
This patch makes things consistent everywhere and clean up some code.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Indeed if RequireStrongPassword is set we need at least 3 characters to
match 1 upper, 1 lower and 1 digit.
We could make things more complicated to allow minPasswordLength < 3
but, really, 3 is already too low...
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To validate password fields we need to use the validate jQuery plugin.
To make things reusable this patch adds a new include file
'password_check.inc' at the intranet and opac sides, it creates 3 new
validation methods:
- password_strong => make sure the passwords are strong enough according
to the values of the RequireStrongPassword and minPasswordLength prefs
- password_no_spaces => prevent passwords to be entered with leading or
trailing spaces
- password_match => make sure both password fields match
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The HTML code was "text" instead of "password".
TEST PLAN
----------
1) 'Allow' PatronSelfRegistration system preference
2) Define the PatronSelfRegistrationDefaultCategory system preference (e.g. PT)
3) Open OPAC
4) Click 'Register here' on the right. (/cgi-bin/koha/opac-memberentry.pl)
5) Scroll to bottom
6) enter some passwords
-- visible
7) apply this patch
8) refresh page
9) repeat 5-6 as needed
-- passwords should not be visible while entering
10) run koha qa test tools
Signed-off-by: Lee Jamison <ldjamison@marywood.edu>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The file opac-memberentry.tt exposes template directives to translation where
translators should not be confronted with.
Example from po file:
"%s [%% UNLESS hidden.defined('B_address') && hidden.defined('B_address2') && "
"hidden.defined('B_city') && hidden.defined('B_state') && hidden."
"defined('B_zipcode') && hidden.defined('B_country') && hidden."
"defined('B_phone') && hidden.defined('B_email') && hidden."
"defined('contactnote') %%] "
To test:
- Apply patch
- Verify that advanced search in OPAC the page 'your personal details'
behaves as before
- Verify that you can change values and submit an update request
- Create a new translation for a 'language' aa-AA (perl translate create aa-AA)
- Verify that template directives ar no longer exposed in aa-AA-opac-bootstrap.p
NOTE: Followed test plan similar to bug 18776 comment 3.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
When a field is not editable but displayable in the OPAC, and you submit
an incomplete/wrong update, those attributes are displayed as empty.
This patch fixes that.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch adds proper extended attributes display and handling on the
patron modifications moderation page (members-update.pl).
It also adds changes checking to the opac-memberentry.pl page so it
only saves a modification request if there are changes (it only checked
regular fields and not the extended ones).
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
To test:
Verify that different values in 'CardnumberLength' system preference
display correctly in the self reigstration form
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
To test:
Enable self registration
Make sure cardnumber is not in
'PatronSelfRegistrationBorrowerUnwantedField'
Enter an invalid or used cardnumber
Submit form
Note errors appears correctly but cardnumber is not editable
Apply Patch
Enter an invalid or used cardnumber
Submit form
Note errors appears correctly and cardnumber is editable
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Currently a patron can select a home library in the list of all
libraries defined in the system.
However some of these libraries might not accept self registration.
This patch adds a new pref to display only the allowed libraries.
Test plan:
0/ Apply the patch, do not fill the new pref
1/ Self register a new patron
=> All the libraries defined should be displayed in the "Home library"
dropwdown list
2/ Fill the pref PatronSelfRegistrationLibraryList with some of the
branchcode defined in the system
=> Self register a new patron and confirm that the dropdown list has
been filtered.
Sponsored-by: BULAC - http://www.bulac.fr/
Signed-off-by: Nicolas Legrand <nicolas.legrand@bulac.fr>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
To avoid multiple registrations, it would be good to check the unicity
of the primary email address.
This patchset adds a new pref PatronSelfRegistrationEmailMustBeUnique.
If on, a patron will get "This email address already exists in our
database" if he try to register with an existing email address.
Test plan:
1/ Register a new patron with an email address
2/ Make an other registration using the same email address
=> With the pref PatronSelfRegistrationEmailMustBeUnique on, you won't be allowed
=> With the pref off, no change should be noticed.
Sponsored-by: BULAC - http://www.bulac.fr/
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Work as described, no errors.
Signed-off-by: Nicolas Legrand <nicolas.legrand@bulac.fr>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
There is only one instance on onclick here, and that is the clear date
function.
To test, make sure clicking 'Clear date' next to Date of Birth works the
same before and after the patch.
Sponsored-by: Catalyst IT
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
In patron acount ("your personal details" tab, which serves as a form
for submitting update requests as well) it's not possible to display
some account details like expiration date etc., without enabling
the field for branch / library update requests too.
To reproduce:
1) set OPACPatronDetails to "Allow"
2) clear PatronSelfModificationBorrowerUnwantedField preference
- all possible fields in the update requests form are visible
in patron account, including some extra details (card number,
expiration date, category) in the "Library" section on top
3) put 'branchcode' in PatronSelfModificationBorrowerUnwantedField preference
4) the whole 'Library' section disappears
To test:
1) apply patch
2) put 'branchcode' in PatronSelfModificationBorrowerUnwantedField,
'Library' section should remain visible (sans branch selection option)
3) put 'branchcode|cardnumber|datexpiry|categorycode' in the same
preference, 'Library' section should now disappear
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
When registering a new patron, if something went wrong, the form is
resent to the template but without the categorycode (not a dropdown list
anymore, but just displayed as a readonly value # TODO LATER).
Signed-off-by: Marc <veron@veron.ch>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
At the OPAC there is no way to empty this value.
I think it should be allowed to empty it.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This subroutine just reads the content of a pref, split it, add an
empty string and returns.
It is not really useful and the code in the script (memberentry.pl) uses
the only occurrence of CGI::popup_menu
Let's remove it and build the dropdown list in the template.
Test plan:
1/ Empty BorrowersTitles, edit a patron and confirm that the "Salutation"
does not appear
2/ Fill BorrowersTitles with "Mr|Mrs|Miss|Ms", edit a patron and confirm
that the "Salutation" dropdown list is correctly filled.
The default option should be selected if you are editing a patron with a
title defined.
This should also be tested at the OPAC.
Followed test pan, works as expected in Staff and OPAC
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
If an attacker can get an authenticated Koha user to visit their page
with the code below, they can update the victim's details to arbitrary
values.
Test plan:
Trigger
/cgi-bin/koha/opac-memberentry.pl?action=update&borrower_B_city=HACKED&borrower_firstname=KOHA&borrower_surname=test
=> Without this patch, the update will be done (or modification
request)
=> With this patch applied you will get a crash "Wrong CSRF token" (no
need to stylish)
Do some regression tests with this patch applied (Update patron infos)
QA note: I am not sure it's useful to create a digest of the DB pass,
but just in case...
Reported by Alex Middleton at Dionach.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch fixes two splitted sentences to avoid translation issues:
The entered <a href="#borrower_cardnumber">card number</a> is the wrong length.
The entered <a href="#borrower_cardnumber">card number</a> is already in use.
To test:
Apply patch and verify that html in the 2 that are changed is correct and that
they are not splitted by a-tags.
Note: I could not figure out under which conditions this code displays in
the OPAC self registration form.
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The message on opac-memberentry does no longer apply.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This would be incorrectly hidden when autoMemberNum is on.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
Test plan:
1. Open OPAC self-registration page while logged out.
2. Note that cardnumber and categorycode are not shown.
3. Remove cardnumber and categorycode from
PatronSelfRegistrationBorrowerUnwantedField.
4. Enable autoMemberNum.
5. Reload self-registration page, note that categorycode now shows.
6. Disable autoMemberNum.
7. Reload self-registration page, note that cardnumber now shows.
8. Try saving a patron with an existing cardnumber; this should fail
and explain why.
9. Set CardnumberLength, and verify that those length restrictions are
enforced.
10. Verify that patron can be created with custom categorycode and
cardnumber.
Signed-off-by: Michael Sauers <msauers@dospace.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
Make captcha visible even if password field is hidden
Remove password confirmation field before submitting modification
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
1) "Contact information" should be "Password"
2) Don't pass sysprefs from the script to the template, use Koha.Preference()
3) minPasswordLength is optional, we cannot always assume it is set
4) Password field when does not follow convention completely when mandatory
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
This patch allows patrons to create thier own password during OPAC self
registration. It sets the password field to be hidden by default, and
allows for a system generated password if no password is supplied and
field is not mandatory
1 - Apply patch
2 - run updatedatabase.pl
3 - Check syspref "PatronSelfRegistrationBorrowerUnwantedField" - it
should contain 'password'
4 - Check self registration on opac - there should be no change
5 - Remove 'password' from PatronSelfRegistrationBorrowerUnwantedField
6 - Password field should now be visible in OPAC self registration
7 - Register a patron: If no passwor is supplied you should get a system
generated password
8 - Register a patron with a password, your password should be used
9 - Add 'password' to PatronSelfRegistrationBorrowerMnadatoryField
10 - Attempt to register a patron with no password - it should fail
11 - Try all combinations if mismatched/short/missing passwords and view
correct error messages
12 - prove t/db_dependent/Members.t
Sponsored by : Do Space (www.dospace.org)
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
