Test plan:
Go to the Fines -> Account page of a patron with fees linked to items
--> without patch there is no link to related item
--> with patch the link is presented in description column
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
Try to print a fee
--> without patch it explodes
--> with patch it works and the date is formatted according to
system wide date format setting
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The GetMemberAccountRecords may be a perf killer, it retrieves all the
account lines of a patron and then the related item and biblio
information.
Most of the time we only want to know how much the patron owns to the
library (sum of amountoutstanding). We already have this information in
Koha::Patron->account->balance.
This patch replaces the occurrences of this subroutine by fetching only
the information we need, either the balance, the detail, or both.
It removes the formatting done in the module, to use the TT plugin
'Price' instead.
There is a very weird and error-prone behavior/feature in
GetMemberAccountBalance (FIXME): as the accountlines.accounttype is a
varchar(5), the value of the authorised value used for the
ManInvInNoissuesCharge pref (category MANUAL_INV) is truncated to the 5
first characters. That could lead to unexpected behaviors.
On the way, this patchset also replace the GetMemberAccountBalance
subroutine, which returns the balance, the non issues charges and the
other charges. We only need to have the balance and the non issues
charges to calcul the third one.
Test plan:
Add several fees for a patron and play with HoldsInNoissuesCharge,
RentalsInNoissuesCharge and ManInvInNoissuesCharge.
The information (biblio and item info, as well as the account line) must
be correctly displayed on the different screens: 'Fines' module, fine
slips, circulation module
Note that this patchset could introduce regression on price formatting,
but will be easy to fix using the TT plugin.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
"$branch" is declared but not used at line 65, column 1. Unused
variables clutter code and make it harder to read. (Severity: 3)
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
1) Have patron with address filled in
2) Edit the patron
-- without this patch the fields for address are blank
-- with patch the fields are filled with actual data
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Trivial changes here, just do a code review on the QA step
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This flag is not used in the templates
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
git grep IS_ADULT
must not return any results
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
When editing adult's info you must see the "Add child" button
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
When you are on a page related to a child you should see the "Update
child to adult patron" button
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Now that we have the 'patron' variable in all our templates, we can call
Koha::Patron->image and do the check from the templates.
Test plan:
On the different pages of the patron module, you should see the default
image if there is no image attached or the one that has been attached
(see pref patronimages)
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
In order to simplify and make uniform the code, the controller scripts send
a Koha::Patron object to the templates instead of all attributes of a patron.
That will make the code much more easier to maintain and will be less
error-prone.
The variable "patron" sent to the templates is supposed to represent the
patron the librarian is editing the detail.
In the members module and some scripts of the circulation module, the
patron's detail are sent one by one to the template. That leads to
frustration from developpers (making sure everything is passed from all
scripts) and to regression (we got tone of bugs in the last year because
of this way to do).
With this patch set it will be easy access patron's detail, passing only
1 variable from the controllers.
Test plan:
Play with the patron and circulation module and make sur the detail of
the patron you are editing/seeing info are correctly displayed.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
On first login, Koha explodes before the logged in user does not exist
in DB.
This patch deals with that by adding several checks when it's needed.
Test plan:
Use the DB user to create a superlibrarian user.
The DB user should no be allowed to do anything else.
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Bug 18403: Fix patron creation
memberentry.pl can be called to create a new patron, in that case the
patron does not exist yet.
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Technically a kid from your library group could have a guarantor
attached to another
group of library, let's deal with this case.
Test plan:
- Create a kid from your library group
- With a superlibrarian staff user create a guarantor that is outside of
the group of
libraries of the kid
- Login with a limited staff user and confirm that on the patron detail
page you do not
see the link to the guarantor detail page.
Note that you see the firstname and surname of the guarantor
Q. should it be hidden?
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch deals with patron's discharges.
Test plan:
Same as previously you will need to request dischages at the OPAC.
On the staff interface the logged in user should not be allowed to see
discharge
from patrons outside his library group.
The number of discharges waiting displayed on the mainpage should be
correct as well.
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Bug 18403: (follow-up) Patron discharges
Fix QA issue:
forbidden pattern: Do not assume male gender, use they/them instead (bug 18432) (line 150)
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Most of the time when we search for patrons we do not want to search for all patrons,
but just the ones the logged in user is allowed to see the information.
This patch takes care of that by adding a new search_limited method to Koha::Patrons.
When called this method only search for patrons that the logged in user is allowed
to see.
Test plan:
Patron autocomplete search should be limited
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
Login with a patron that is not allowed to see patron's information for patrons
outside of his group. Try to access patron's information from scripts of the patron
module (members/*) and circ/circulation.pl.
You should be able to access patron's information of patrons outside of your group
and get "You are not allowed to see the information of this patron."
If you try and access a patron page with a borrowernumber that does not exist, you
should get "This patron does not exist"
Technical note:
A new C4::Output subroutine is created in this patch: "output_and_exit_if_error"
Executed at the beginning of the script it will permit not to copy/paste all the
different checks to know if the logged in user is authorised to see patron's information.
The design here can be discussed, but I did not find an alternative with as less changes.
On the way I refactor what we did with 'unknowuser' previously: it will now work with all
patron pages, not only the few that used it.
Note that the 'or die "Not logged in";' part should not be needed, but... who trusts
C4::Auth?
I think it could be used as a safeguard later. I am willing to sed and remove them
if required.
Changes in discharge.pl are mainly indentation changes.
With this patch we should now have a $patron variable that refer to the patron we
want to access. That will be very useful to remove plenty of code in members/* and
only pass this variable to the template (instead of 1 variable per patron's attribute).
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
Login with a patron that only have the 'edit_borrowers' permission.
You should be able to access patron's information of patrons inside of your group.
Technical note:
Before this patchset the borrowers permission module contains only 1 permission 'edit_borrowers'.
That meant
borrowers => 1
and
borrowers => '*'
had the same behavior.
Moreover, now that we have 2 permissions, 'CAN_user_borrowers' is set when all
permissions of 'borrowers' are set.
We need to update the different occurrences of these tests.
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To test:
Look up a borrower, add a message (internal or opac)
Click the Details tab for that borrower
Messages should be displayed above the user information [is this the right place? it could go below]
adding messages on this page should make them immediately available
deleting messages on this page should delete them immediately and bring you back to the detail page.
Basically, make sure messages work from both the Check out and detail pages and that there are no typos.
Messages should work the same as they always have from the Check Out page.
sponsored-by: Catalyst IT
Signed-off-by: Simon Pouchol <simon.pouchol@biblibre.com>
Signed-off-by: Marjorie Vila <marjorie.barry-vila@collecto.ca>
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>
Bug 19801 - Fixes for QA
- Fixes indentation
- changes messages to patron_messages (even though it's not like that on the circulation page.)
Signed-off-by: Marjorie Vila <marjorie.barry-vila@collecto.ca>
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>
Test Plan:
Check the following files have been updated from
use strict;
use warnings;
to
use Modern::Perl;
boraccount.pl
default_messageprefs.pl
deletemem.pl
files.pl
mancredit.pl
maninvoice.pl
member-flags.pl
member-password.pl
memberentry.pl
members-home.pl
members-update-do.pl
moremember.pl
notices.pl
pay.pl
paycollect.pl
printfeercpt.pl
printinvoice.pl
printslip.pl
readingrec.pl
routing-lists.pl
setstatus.pl
update-child.pl
Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
We are passing the Koha::Patron::Category object to the template instead
of the categorycode.
To reproduce this bug you must test in a system which has only one
patron category of the "adult" type. View the details of a patron with a
child-type patron category and choose More -> Update child to adult
patron.
This results in an error:
Can't call method "category_type" on an undefined value at
/home/vagrant/kohaclone/members/update-child.pl line 84.
The URL of the error page shows a problem with the parameters being
passed:
members/update-child.pl?op=update&borrowernumber=12345&catcode=Koha::Patron::Category=HASH(0xa168a18)&catcode_multi=
Test plan:
Make sure you have only 1 adult patron category
Update a child to adult
=> With this patch applied the error is gone and the patron has been
correctly updated
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Patch applies without issue and functions as described.
Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Minor changes to pay.pl and paycollect.tt to allow writing off a partial amount of a fine.
Test plan:
0) Go to the Fines tab of a test patron's profile
1) Create a fine if there are none (under the Manual invoice tab)
2) Go to the "Pay fines" tab
3) Press the write off button on the corresponding account line
Without patch, you'll be asked to confirm, but will not be able to edit the amount
With patch, you'll be able to edit the amount.
Followed test plan, patch worked as described. Also ran QA test tool and
modified files passed
Signed-off-by: Simon Pouchol <simon.pouchol@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To avoid $account, $accounts and @accounts variables in the same scope
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Previous changes were wrong, the notify_id was always equal to 1 and
GetBorNotifyAcctRecord was used to retrieved the account lines to pay
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
It appears that has never worked.
Could someone confirm?
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Our librarians requested a reminder to unset "gone no address" flag from patron's
record once the patron has made a modification request to update their address.
I propose adding a message box under patron modification request to notify
librarians about patrons that have gone no address flag on, and an option to
unset the flag without the need of having to navigate into patron's details.
To test:
1. Apply patch
2. Set "Gone no address" flag for your test patron. You can do this by going
to patron modification screen in staff client.
3. Go to OPAC with your test patron
4. Make a modification request for your personal details
5. Go to staff client and see pending modification requests
6. Open the request you just created
7. Observe a message dialog that says this patron has gone no address flag set
8. Check the checkbox to unset the flag and approve the modification request
9. Click Submit
10. Observe your test patron no longer has gone no address flag set
11. Repeat steps 2-7
12. Do not check the checkbox, but approve the modification request
13. Observe your test patron still has gone no address flag set
14. Remove the gone no address flag from your test patron
15. Repeat steps 3-6
16. Observe there is no message dialog for gone no address
Followed test plan, patch worked as described. Also ran QA test tools
and all modified files passed
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
0) Have a patron with some current and old reserves
1) Go to patron circulation page
2) Notice, there is new item called "Holds history" in the left
circulation menu
3) Go to this page and confirm the data on this page are OK, and that
ui does behave as expected
4) Go to adminitration, columns setting, try to change the setting for
holdshistory table and confirm it is taken into account on holds history
page
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
If someone decide the reuse the template->param statement to pass values
to the template, we will get the same issue.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
If the logged in patron does not have the necessary permission we should
not redirect to circulation.pl but moremember.pl instead
Test plan:
With the borrowers permission, you should be able to edit a patron and
be redirect to the moremember page
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Security bug, trivial changes, no need to provide procedure for script
kiddies.
Test plan:
Pay fines using the different options from the "Pay fines" tab.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Now that we have a check client-side, nothing prevents us from a smart guy to
bypass it and force an invalid password.
This patch adds two new subroutines to Koha::AuthUtils to check the
validity of passwords and generate a password server-side. It is used
only once (self-registration) but could be useful later.
Moreover the 3 different cases of password rejection (too leak, too
short, contains leading or trailing whitespaces) were not tested
everywhere. Now they are!
This patch makes things consistent everywhere and clean up some code.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Indeed if RequireStrongPassword is set we need at least 3 characters to
match 1 upper, 1 lower and 1 digit.
We could make things more complicated to allow minPasswordLength < 3
but, really, 3 is already too low...
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch removes a really ugly way to generate a password: the whole
template was sent and parsed to retrieve the "#defaultnewpassfield" node.
To avoid the password to be sent plain text it is certainly better to
generate it client-side.
The same kind of passwords will be generated: 0-9a-zA-Z
The while loop prevents to get an invalid generated password.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
There are other scripts where the borrower variable is not defined and
the fields are passed one by one.
To have a consistent behaviour we should add the title at the different
places.
Note that this script also add the use of the include file for
statistics.tt and remove the pass of parameters to the template, already
done later:
99 $template->param(%$borrower);
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Due to the way members-home.pl handles the variable $branch, the number
of patron modifications listed on members-home.pl may differ from the
number listed on mainpage.pl. When the librarian clicks this link, he or
she may see a different number than was listed, or none at all!
Test Plan:
0) Set IndependentBranchesPatronModifications = Yes
1) Create a number of modification request for BranchA
2) Log into the staff intranet with a patron without superlibrarian
permissions and set your branch to BranchB
3) Note the modifications alert to does not display on mainpage.pl
4) Click the "Patrons" link to take you to members-home.pl
5) Note the modifictions alert does display on this page
6) Apply this patch
7) Reload members-home.pl, note the alert no longer displays
QA notes: What was the point of the branch variable?
Followed test plan, patch worked as described. Also passed QA test tool
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The following warn is triggered when I click the Reverse button next to
an individual payment on the Account tab:
CGI::param called in list context from package
CGI::Compile::ROOT::home_vagrant_kohaclone_members_boraccount_2epl line
63, this can lead to vulnerabilities. See the warning in "Fetching the
value or values of a single named parameter" at /usr/share/perl5/CGI.pm
line 436.
To test:
1) Go to a members detail page in staff side, create a manual invoice,
pay it
2) Go to the Account tab, click Reverse next to the payment you just
made
3) Notice warns
4) Apply patch and repeat steps 1 & 2
5) Warns should be gone
Sponsored-by: Catalyst IT
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The following warns are triggered when I click the Pay selected button:
CGI::param called in list context from package
CGI::Compile::ROOT::home_vagrant_kohaclone_members_pay_2epl line 267,
this can lead to vulnerabilities. See the warning in "Fetching the
value or values of a single named parameter" at
usr/share/perl5/CGI.pm line 436.
CGI::param called in list context from package
CGI::Compile::ROOT::home_vagrant_kohaclone_members_pay_2epl line
273, this can lead to vulnerabilities. See the warning in "Fetching
the value or values of a single named parameter" at
/usr/share/perl5/CGI.pm line 436.
To test:
1) Go to a members detail page in staff side and create a manual
invoice
2) Go to the pay fines tab, select the fine you just created and click
Pay selected
3) Notice warns
4) Apply patch and repeat steps 1 & 2
5) Warns should be gone
Sponsored-by: Catalyst IT
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The following warns are triggered when I click the Write Off button next
to an individual fine or charge:
CGI::param called in list context from package
CGI::Compile::ROOT::home_vagrant_kohaclone_members_pay_2epl line 171,
this can lead to vulnerabilities. See the warning in "Fetching the
value or values of a single named parameter" at
/usr/share/perl5/CGI.pm line 436. (this shows many times)
Use of uninitialized value in subroutine entry at
/usr/share/perl5/URI/Escape.pm line 184.
To test:
1) Go to a members detail page in staff side and create a manual
invoice
2) Go to the pay fines tab, click the Write off button next to the
invoice you just created
3) Notice warns
4) Apply patch and repeat steps 1 & 2
5) Warns should be gone
Sponsored-by: Catalyst IT
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To test:
1) Go to a members detail page in staff client
2) Select the Fines tab in the left pane
3) Select the Create manual invoice tab below the button menu bar
4) Create a fine and click save (e.g. Type: Fine, Amount: 5.00)
5) Select the Pay fines tab below the button menu bar
6) Click Pay on the item
7) Blank the staff error log
8) click confirm
-- staff error log has message
9) apply this first patch
10) repeat steps 3-8
-- staff error log is blank
11) run koha qa test tools
Sponsored-by: Catalyst IT
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Problem: A patron category "I" would cause display problems
on the details in the intranet. This is because the templates
confused patron category "I" with patron type "I" (organisation).
Patch:
- Cleans up variable confusion between categorycode and
categorytype.
- The template contained code to change the labels below
the address to 'Organisational phone:" etc., I have removed
this part as it does not match the edit form anymore.
- Initials, date of birth and gender are still hidden for
organisation - matching the edit form.
Bonus:
- The patron category description was missing on the
right and left side of the details tab. Now it displays.
- Fixes some html issues:
- doubled up class attribute in a tag
- doubled up </li></li>
To test:
- Create 3 patrons
- patron category code doesn't matter, but category type organisation
- patron category code 'I', category type NOT organisation
- patron category code NOT I, category type NOT organisaton
- Check details tab in patron account in staff for all 3
- Verify patron category description shows correctly
- Verify information added to the account displays correctly
(phone numbers, emails, ...)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The "Pay selected" option on the Fines tab in the borrower account page doesn't work as intended.
The fine on top of the list gets the amount deducted, even if another fine is choosen from the list.
Test Plan:
1) Create two or three fines, using the Create manual invoice function.
2) Choose one of the fines (not the one on the top) and click Pay selected
3) Pay a partial amount
4) Go back to the Pay fines tab an notice that the fine you selected has not changed. Instead, either the top fine or the total (see attachment) has ben affected.
5) Apply this patch
6) Repeat steps 1-3
7) Note the correct fine is paid
Signed-off-by: Andreas Hedström Mace <andreas.hedstrom.mace@sub.su.se>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Using the pay selected option from the borrowers account, to pay for one specific fine among other gives a 500 error, despite the payment going through.
Test Plan:
1) Add two fines using the Create manual invoice function.
2) Select one fine and "pay selected".
3) Pay a part of the amount.
4) Note error
5) Apply this patch
6) Repeat steps 1-3
7) No error!
Signed-off-by: Andreas Hedström Mace <andreas.hedstrom.mace@sub.su.se>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
1. Hit /cgi-bin/koha/members/moremember.pl?borrowernumber=xx<script>alert('amit')</script>.
xx - is a borrowernumber
2. Notice the java script is executed.
4. Apply patch.
5. Reload page, and hit the page again /cgi-bin/koha/members/moremember.pl?borrowernumber=xx<script>alert('amit')</script>.
xx - is a borrowernumber.
6. Notice it is no longer executed.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>