This patch makes the web-based self-check module pages
specify that no browser (or proxy caching) occur at all.
This prevents a security issue where letting the SCO session time out,
then hitting the back button allowed one to view the previous
patron's session.
This patch adds an optional fifth parameter to output_with_http_headers(),
and output_html_with_http_headers(), a hashref for miscellaneous
options. One key is defined at the moment: force_no_caching, which if
if present and set to a true value, sets HTTP headers to specify no
browser caching of the page at all.
To test:
[1] Start a web-based self-check session and optionally perform
some transactions.
[2] Allow the session to time out (it may be helpful to set
SelfCheckTimeout to a low value such as 10 seconds).
[3] Hit the back button. You should not see the previous patron's
self-check session.
[4] Verify that prove -v t/Output.t passes.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Ed Veal <ed.veal@bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Test Plan:
1) Apply this patch
2) Run updatedatabase.pl
3) Enable patronimages
4) Verify patron images are still displaying correctly
5) Test deleting a patron image
6) Test adding a patron image from moremember.pl
7) Test adding a patron image from tools/picture-upload.pl
Signed-off-by: Srdjan <srdjan@catalyst.net.nz>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
- the dateformat value is send to all templates (from
C4::Auth::get_template_and_user)
- remove all assignment of dateformat in all .pl files
- the DHTMLcalendar_dateformat variable is unused
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Fixed conflicts:
- opac/sco/sco-main.pl
- reports/acquisitions_stats.pl
- tools/cleanborrowers.pl
All tests pass, perlcritic problems appeared in some files
before and after these patches were applied.
Checked sorting in following pages:
- acqui/addorderiso2709.tt - list of staged imports in acq
- acqui/histsearch.tt - sorting of dates in acq search result list
- acqui/invoices.tt - billing date in list of invoices in acq
- acqui/lateorders.tt - list of late orders in acq
- acqui/ordered.tt - ordered titles and estimated costs for a fund
- acqui/parcels.tt - receive shipment page
- acqui/spent.tt - received titles and actual costs for a fund
...
- serials-search.tt - subscription search result list
...
- opac/sco/sco-main.tt - due dates in list of checked out items
- reports/acquisitions-stats.tt - date searches, display of dates
- tools/cleanborrowers.tt
- tools.holidays.tt - different views of dates library is closed,
adding dates
Checked dates display according to system preference everywhere and
searching, entering dates etc. still worked as expected.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Add system preferences SCOUserCSS and SCOUserJS to define separate CSS and JavaScript for the Self Checkout Module.
Test plan:
1) Apply patch
2) Run updatedatabase.pl
3) Add something arbitrary to the new sysprefs SCOUserCSS and SCOUserJS ( such as TestCSS and TestJS ).
4) Load the SCO module in a browser, and view the HTML, verify the CSS and JS values in the system preferences have been included.
Signed-off-by: Marc Veron <veron@veron.ch>
I tested with an alert('hello') as JavaScript and some background-color for the CSS. Worked as expected.
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Several changes in this patch, the largest of which is that the
renew/return dialogs no longer require JavaScript in order to properly
alter and submit the form. Instead each button uses a separate form.
To test, log in to self checkout and submit a barcode which is checked
out and can be renewd, and a barcode which is checked out but has
reached the checkout limit. On the resulting dialogs each button
should function properly.
Also changed: I removed some useless JavaScript processing related
to a bogus "valid_session" variable which was unused.
Similarly removed is template logic based on a "timedout" variable which
was not set by the script. Note that the script contains NO server-
side handling of timeout. Timeout is dependent on JavaScript.
To test these changes, confirm that with JavaScript enabled you are
automatically logged out after the time specified in the SelfCheckTimeout
preference.
Other minor changes: Terminology and capitalization corrections,
minor style tweaks.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
To Test:
Sign in to self checkout.
Enter a barcode and click submit.
Click the finish button
You should be prompted with a message asking if you would like a receipt.
If you click OK you should be taken to the page with the receipt.
If you click Cancel you should not see the reciept and you should be logged out.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Added copyright to print slip for SCO
Modified POD and copyright. Also perltidied
updated print slip option to show on the click of the finish button instead of the submit button
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Signed-off-by: Elliott Davis <elliott@bywatersolutions.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
If the patron has depts that prevent issuing and the system preference 'AllowFineOverride' is set to 'allow', the amount is not displayed in the user message.
Additionally, patch adds currency symbol to amount.
Test plan:
Do self checkout with patron who has debts that are over the limit.
Test with and without preference 'AllowFineOverride' set.
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Changing "CanBookBeIssuedCheckout" to "CanBookBeIssued"
To test, try to renew an item which has no renewals left. Before the patch
you'll get an error:
Undefined subroutine &main::CanBookBeIssuedCheckout called at /opac/sco/sco-main.pl line 135.
After the patch you'll get the correct message about having no renewals left.
Other tests: checking out a barcode which doesn't exist, checking out an
item which is on hold for another patron.
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Observe AllowItemsOnHandCheckout syspref when using SIP self checkout
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
To test:
* place an item on hold for patron A
* attempt to circulate that item to patron B (via SIP/selfcheck)
syspref off: item should not circulate to patron B
Syspref On: item should circulate to patron B
Both conditions passed in our testing.
Also verified that normal staff client behavior regarding this situation was preserved. It was.
The patronid value (cardnumber) set by checkpw in the case of SelfCheckoutByLogin
was improperly scoped with 'my' inside a conditional. The changes followup to 5995
made this more apparent, causing logins to fail.
Also added "parts copyright" statement to the script, since ByWater Solutions did make some
significant contributions to the operations of the page
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Enables the library to choose whether to have patrons scan their barcodes for self checkout, or login
with username and password. Uses 'checkpw' for compatibility with LDAP authentication.
Also introduces a few new system preferences to make Self Checkout more secure and manageable:
SelfCheckTimeOut: the number of seconds before the self-checkout login times out for a patron
AllowSelfCheckReturns: indicate whether or not patrons can return materials via self-checkout
SelfCheckHelpMessage: user-configurable HTML to show specific text on the Help page.
Thank you to Marlboro College in Marlboro, VT for sponsoring and testing this development!
Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
The WebBasedSelfCheck preference is now functional - if a user
tries to use /cgi-bin/koha/sco/sco-main.pl if the preference
is not on, they get redirected to the OPAC home page.
Also, the patron image web service now returns HTTP 403 (forbidden) unless
both WebBasedSelfCheck and ShowPatronImageInWebBasedSelfCheck are on.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Some small, single-branch corporate and special libraries use unattended self-checkout stations, and would like to automate the staff login, so that just going to the sco/sco-main.pl URL would bring the self-check up ready for patron use. This patch create three sysprefs, AutoSelfCheckAllowed, and AutoSelfCheckID/AutoSelfCheckPass. If the site wants to allow automated login, staff would then need to create the selfcheck user record and enter that login ID and password into the sysprefs. The kohaclone/opac/sco/sco-main.pl script has been modified to check these sysprefs and pass values (if present and allowed) into the self-check URL. The URL then bypasses the staff login page and comes up ready for checkout, waiting for the first patron barcode.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Improved the error messages displayed to users
by web-based self-checkout when a problem with
a loan occurs.
This changed was sponsored by the Plano Independent
School District.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
[1] Change the default sort order of checked out
items to have the most recent loans displayed
first.
[2] Add the ability (via jQuery tablesorter) for
the user to sort the list of loans.
Also fixed the formatting of the due date.
This change was sponsored by the Plano Independent School
District.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Adds a new system preference, ShowPatronImageInWebBasedSelfCheck;
if this preference is ON, a patron's image is displayed
if available when using web-based self-check.
Note: a patch for updatedatabase.pl will be made when this
change is ready to push.
This change is sponsored by the Plano Independent School
District.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
* test for NO_MORE_RENEWALS now does expect
that hash key will always exist
* removed unconditional warn
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
~ vestigial broken scripts and templates removed
~ meaningless dependencies removed
~ Focus handling issues resolved for cross-browsers
~ Timeout only invoked for non-first screen. This keeps the refresh from
flooding the logs continuously for no purpose.
~ two halves of "validuser" conditional linked in TMPL
~ elsif's used for $op conditionals
The focus should now appear on the "Return to Account Summary" button during errors.
The user can scan anything (w/ carriage return) and get back to the first screen.
Also, special functionality is added for the magic barcode "__KOHA_NEW_CIRC__".
This effectively ends the patron session and logs them out so the next patron can begin.
The purpose is for patrons to avoid having to use a keyboard at all, if libraries
print and have this special barcode available for patrons at the SCO station.
Enhancement was requested by Plano Independent School District.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
GetPendingIssues did several bad things:
~ select * on a 4 table join,
~ including multiple namespace collisions,
~ including large fields marc and marcxml from biblioitems,
~ return ($count, \@array_being_counted).
Not everything is fixed here (see FIXMEs), but the situation is
improved considerably, with bug 2900 resolved. The "timestamp"
namespace collision in query should be resolved by separate patch.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Use 'patronid' instead of 'userid' as the query parameter
for passing the patron userid or barcode around; 'userid'
is claimed by C4::Auth and should be used only for
authentication pages.
Fixes the problem where entering a patron's card
number would cause a redirect to the OPAC login
page.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Patch also removes a hard-coded English string from the script and some unused functions from sco.js.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Most Perl scripts (as opposed to modules) do
not need to require Exporter.
No user-visible or documentation changes.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
GetMemberDetails() returns only one hashref now,
not two. In all cases where the caller was
expecting two output values, the $flags return
was ignored anyway.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
HTML::Template is no more used, some were remaining,
fixing the "use ...;" to H::T::Pro only
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>