Commit graph

8277 commits

Author SHA1 Message Date
f75afef591 Bug 17446: Typo seleted
Built on top of bug 17441

Test plan:
Just have a look at the changes. Trivial.
Git grep seleted. No results.

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-10-11 16:54:10 +00:00
1d0d5f1398 Bug 17365: Fix XSS in moremember.pl and memberentry.pl
There are certainly hundred of places where they are not escaped...

Test plan:
Create a patron with "Arun <script>alert('code injection');</script>" in
some of the fields.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-10-11 16:19:56 +00:00
Jesse Maseto
8cb65b367b Bug 7143 NEW added Kyle Hall as release manager.
Signed-off-by: Dani Elder <dani@bywatersolutions.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
2016-10-11 11:34:39 +00:00
62aa3f4292 Bug 17216: Use Koha::AVC from mss.pl
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-10-11 07:30:31 +00:00
f97249f56e Bug 17216: Update the admin interface
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-10-11 07:30:30 +00:00
a66b0e20d7 Bug 14899 - Convert links to buttons, add icons
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-10-11 05:22:00 +00:00
d8809285ad Bug 14899: Add a link to the new page in the admin
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-10-11 05:22:00 +00:00
39bdb865fc Bug 14899: Add the mapping configuration page in the admin module
This new page (admin/searchengine/elasticsearch/mappings.pl) will permit
to manage the ES mappings.
For the biblios and authorities indexes, the different mappings can be
managed from this single page.
The interface let you add, remove and update mappings and search fields.
It's also possible to reorder the mappings, as the order can be important
in the indexation process. Note that the table can be displayed in a
different order that the one it was before saving, but the mappings are grouped
by search field and the order inside the search field is preserved.

Limitations:
- If something went wrong during the insertion/deletion/modification,
  the users will loose all these changes.

TODO:
- Add a specific permission (?)
- Add some data checks client side (JS)
- Use checkboxes for facet and suggestible (lazy today...)
- Understand the difference between the 3 values that sortable can have
  and improve the value for the options in the select box.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-10-11 05:22:00 +00:00
57ffd456de Bug 14899: Add tableDND JS lib
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-10-11 05:22:00 +00:00
Andreas Roussos
884e28fab5 Bug 17310: Broken URLs in 'Item renewed' / 'Cannot renew' messages
In the Staff client, under Circulation > Renew, the message shown after
successful renewal of an item contains broken URLs. This is also true for
the message shown when you try to renew an item that is not checked out.

This patch fixes that.

Test plan:
1) Go to Circulation > Renew, and search for the barcode of a checked-out
   item. In the 'Item renewed:' confirmation message, notice how the URLs
   for the title and the barcode are broken.
2) Now search for the barcode of an item that is not checked out. In the
   'Cannot renew:' message, notice how the URLs are broken here too.
3) Apply the patch.
4) Repeat steps 1) and 2). This time the URLs work fine.

Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-10-10 12:34:19 +00:00
421bc4523f Bug 7143: Release team for 16.11
Also adding Marc Veron as bug wrangler (see his mail on the general ml
dated Oct 5).

Test plan:
Verify changes by comparing with Roles for 16.11 page on the wiki.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-10-10 11:21:26 +00:00
8d0b412b52 Bug 16273: Add the new pref PatronSelfRegistrationPrefillForm
Sponsored-by: BULAC - http://www.bulac.fr/
Signed-off-by: Nicolas Legrand <nicolas.legrand@bulac.fr>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 15:51:13 +00:00
12beaef4b3 Bug 17083: Remove more event attributes from tools templates
This patch removes event attributes from several tool-related templates.
Events are defined instead in the JavaScript.

To test, apply the patch and:

- Go to Tools -> Label creator -> Manage -> Layouts and edit any layout.
  - In the "Font" setting, choose any font which includes the word
    "italic" or "oblique" in the name. Doing so should disable the
    "Oblique title" checkbox.
- Go to Tools -> Batch patron deletion/anonymization.
  - Submit the form without making any changes. You should be prompted
    to select an action.
- Go to Tools -> Inventory.
  - Select a batch of barcodes to upload.
  - Submit the form without selecting any filters. This should trigger a
    warning.
  - Also changed: Added Font Awesome icons to the "Select all" and
    "Clear all" links on the inventory results view.
- Go to Tools -> Notices and Slips.
  - Click "New notice"
  - Change the selection under "Koha module." The page should reload
    with the correct available message body fields. For instance,
    selecting "Holds" should make available reserves.* columns.
- Go to Tools -> Upload.
  - In the search form, enter a search term and click the 'Search'
    button. The form should submit.

Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised. Event attributes removed

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 15:48:13 +00:00
3d84252c04 Bug 17056 - Remove event attributes from various templates
This patch removes event attributes from several templates, moving event
definitions into the JavaScript instead.

To test, apply the patch and:

- View the MARC detail page for any bibliographic record. Changing the
  framework selection should reload the display using the selected
  framework.

- Perform the same test on the labeled MARC view. (Set the
  viewLabeledMARC system preference to "Allow" if necessary).

- To test the changes to Reports you should have at least one report
  group and at least one report subgroup.
  - Create a new saved SQL report.
  - Select a report group. Doing so should trigger the display of report
    subgroups. Deselecting the report group should hide the subgroups.

- In Acquisitions -> Suggestions, create a new suggestion.
  - In the 'Acquisition information' section, changing values for
    copies, currency, and price should change the value in the total
    field.

- In Circulation -> Upload offline circulation file:
  - My patch for Bug 16602 added the required code but forgot to remove
    the corresponding onclick attributes.
  - Browse for an offline circulation file.
  - Clicking the 'Upload file' button should work correctly.
    - After uploading a file, both the 'Add to offline circulation
      queue' and 'Apply directly' buttons should work to trigger their
      corresponding processes (keeping Bug 16603 in mind).

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 15:47:47 +00:00
bd7e4fb0d9 Bug 16552: Add the ability to change the default holdings sort
This new enhancement will add the ability to change the default holdings
sort on OPAC displays to be by library, instead of item type.

This patch adds a new pref OPACHoldingsDefaultSortField with 3 different
possible values:
 - Item type
 - Home library
 - Holding library

Note that if OpacLocationBranchToDisplay is set not to display home libraries,
unexpected behaviors might happen if OPACHoldingsDefaultSortField is set to
"Home library", same for "Holding library".

Test plan:
- Confirm that the default value for OPACHoldingsDefaultSortField is
  'first column' after executing the DB entry and that there is no
  change in the behavior (first column is used to sort the holdings
  table on the detail page).
- Set OpacLocationBranchToDisplay to both and play with the different
  values of OPACHoldingsDefaultSortField
  => Confrm that the default column used to sort the table is correctly
  changed
- Set the pref SeparateHoldings on
  => Confirm that both tables (Holdings and other holdings) are sorted using
  the OPACHoldingsDefaultSortField value.

Sponsored-by: University of the Arts London

Signed-off-by: Claire Gravely <c.gravely@arts.ac.uk>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 15:44:03 +00:00
ae543d4758 Bug 15975 (QA Followup) Fix colspan for footer
Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 15:41:36 +00:00
99bdb7edbd Bug 15975 - Add Owning Library Column to Checkouts
To test:
1 - Checkout some items to a patron
2 - Note there is no 'Home library' column
3 - Apply patch
4 - Note there IS an 'Home library' column
5 - Use the columns configuration and ensure you can hide/display column at
will

Sponsored by: Coeur d'Alene Public Library (http://www.cdalibrary.org/)

Works as expected (after clearing browser cache).
Commit message amended (as of comment #7)
Signed-off-by: Marc <veron@veron.ch>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 15:41:36 +00:00
Hector Castro
d44d0acfec Bug 14668: (follow-up) JSON fails if single quotes are used
Change single quotes to double quotes also add brackets to serial
enumeration.

To test follow previous test plan for intranet.
Fix double semicolon

Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 15:39:50 +00:00
Charles Farmer
ad0cd505eb Bug 14668: Show serial enumeration in INTRANET circulation.tt and OPAC patron's relatives' checkouts
TEST PLAN

1. THE CHECKOUT TAB, INTRANET
    1.1. Add a value to the 'h' subfield of an item. ie: 'volume #42'
    1.2. Check out the item to a patron
    1.3. Display this patron's issues in his checkout page
        1.3.1. The enumchron should be concatenated with the title

2. A PATRON'S RELATIVE, INTRANET + OPAC
    1.1. Add somebody to a patron's guarantee list
    1.2. Checkout a serial to this guarantee
    1.3. Visit the guarantor's OPAC and INTRANET checkout page
        1.3.1. You should see the enumchron in his guarantee's issues

Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 15:39:50 +00:00
cf90317112 Bug 14435: Add the ability to store result's report
At one time it was possible to store the results of a report into the
saved_reports table.
This allowed the librarians to compare different results, from the Koha
interface.

This patch is a proof of concept and is not very polished (understood:
it cannot be pushed like that).

Test plan:
Execute the runreport.pl cronjob script with the new --store-results
option.
This will serialize into json the results and put it into the
saved_reports table.

On the "Saved report" list, the "Saved results" column is now populated
with a date (note that you can have several date for a given report).
If you click on this link, the data will be displayed in a simple table.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 15:24:02 +00:00
Andreas Roussos
f57df28f96 Bug 9896 - Show vendor in subscription search when creating an order for a subscription
In the staff client, when creating an order from a subscription
the vendor name should be shown in a separate column.

This patch adds that feature. The 'Vendor' column is added before
the 'Library' column since they appear in that order in Advanced
search.

Test plan:
0) [PREREQUISITES] In the Staff client, under Acquisitions, create
   a Vendor and associated Basket if you don't already have them.
   Then, under Serials, add a new Subscription using the Vendor
   you've just created.
1) Go to Acquisitions, and under 'Manage orders' search for a vendor,
   then click on 'Add to basket' and select 'From a subscription'.
2) Click 'Search' on the left hand side to search for all subscriptions.
   Notice how there is no 'Vendor' column in the results table.
3) Apply the patch.
4) Repeat step 2. Confirm that the patch works, i.e. there is now
   a 'Vendor' column which displays the vendor name.

Followed test plan, works as expected.

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 14:09:56 +00:00
98bca8f34b Bug 17331 - Show holding branch in holds awaiting pickup report
This patch adds a holdingbranch column to waitingreseves.tt and
separates 'Location' into Home branch and callnumber columns

To test:
1 - Have some holds waiting and holds over
2 - View the report before the patch
3 - Note that location contains homebranch and call number
4 - View the report after the patch
5 - Note the new columns
6 - Ensure data is correct and no info has been lost

Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Fixed 2 capitalization issues.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 14:09:05 +00:00
66d669d073 Bug 14707: Update existing installations and correct wrong values
See http://hea.koha-community.org/, the countries are filled is wrong
values.
If we decide to update the free text with a dropdown list, we need to
handle these wrong data.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:53:18 +00:00
Julian FIOL
233dfb8c74 Bug 14707 : Replace UsageStatsCountry syspref from free text to a dropdown list.
This will avoid syntax problems with Hea when a user will fill this 2 sysprefs

The default choice for UsageStatsLibraryType and UsageStatsCountry is 'empty'

Test Plan
---------

1. Create a new Koha install
2. Go to the 'Administration' page
3. Go to 'Global system preferences'
4. Go to 'Administration'
5. At the end of this page you should see a dropdown menu for
- UsageStatsCountry with all countries
- UsageStatsLibraryType with all type of library
They both should be empty by default.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Not a complete list but is a start
Lots of new strings to translate :)
No errors

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:53:18 +00:00
Zeno Tajoli
cdac530034 Bug 13405 - System information has misleading information about indexing mode
With this patch when <zebra_bib_index_mode> or <zebra_auth_index_mode> are set to 'grs1'
it appears a link to https://wiki.koha-community.org/wiki/Switching_to_dom_indexing
instead of a misleading information.

To test:
a)Insert 'grs1' in <zebra_bib_index_mode> or <zebra_auth_index_mode> (file koha-conf.xml)
b)It appers a  misleading warning
c)Apply the patch
d)It appears a link to https://wiki.koha-community.org/wiki/Switching_to_dom_indexing.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:52:39 +00:00
Andreas Roussos
0f4644a5bf Bug 17312 - Typo in members-toolbar.inc / moremember-brief.tt / moremember.tt
The following three templates are using [% guarantorborrowernumber %]
while they should be using [% guarantor.borrowernumber %]:

members/members-toolbar.inc
members/moremember-brief.tt
members/moremember.tt

This doesn't result in any breakage; just a couple of 'Edit' links that
do not pass the guarantorid in the URL, and one case where guarantor
information is not shown in the staff client.

This patch fixes that.

Test plan:
0) [PREREQUISITE] Create a patron with a guarantor if you don't have one.
1) Go to Home > Patrons and search for a patron that has a guarantor. In
   the Details page for that patron, the 'Edit' link in the toolbar does
   not pass the guarantor's id in the URL (...&guarantorid=&...).
2) In the same page, the 'Edit' link under the patrons name (immediately
   under 'Guarantor') again does not include the guarantor id in the URL.
3) Go to Home > Patrons and click on 'New patron'. Pick any category from
   the drop down menu. Enter the Surname, First name, and Date of birth
   of the patron you used in step 1). This triggers the 'Duplicate patron
   record?' warning -- click on 'View existing record' and notice how the
   guarantor information is missing.
4) Apply the patch.
5) Repeat steps 1), 2), and 3) above. The URLs are fixed and patron info
   is showing.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:51:56 +00:00
Andreas Roussos
f9e3639da7 Bug 17289: Holds awaiting pickup shows date unformatted
In the Staff client, under Circulation -> Circulation reports,
the date shown in the heading of the 'Holds awaiting pickup'
report is not formatted according to the 'dateformat' system
preference.

This (trivial) patch fixes that.

Test plan:
1) In the Staff client, go to Circulation and under 'Circulation
   reports' click on 'Holds awaiting pickup'
   (cgi-bin/koha/circ/waitingreserves.pl).
2) Observe that the date shown in the heading is always formatted as
   yyyy-mm-dd regardless of the value of the 'dateformat' syspref.
3) Apply the patch.
4) Re-visit the 'Holds awaiting pickup' report. Confirm that the patch
   worked, i.e. the date shown in the heading is formatted according
   to the 'dateformat' system preference.

Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:51:02 +00:00
Rafal Kopaczka
4da3bf5e48 Bug 17245: Untranslatable abbreviated names of seasons.
Because seasons strings are not available through DateTime module,
names of them where added in code, and templates. Bug 16289 adds new
abbreviated form to the code, but not to the templates. This patch
should fix the problem.

To test:
1. Apply patch.
2. Run "misc/translator/translate update" for you language.
3. Check if names are in po/ file for language.
4. Check if generating next issue for serial and prediction patterns
works correct.

NOTE: or "create {language code}" instead of update.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:50:28 +00:00
Andreas Roussos
6fc03f1968 Bug 10768 - Improve the interface related to itemBarcodeFallbackSearch
When the itemBarcodeFallbackSearch syspref is on, the wording in the
interface should reflect that you can enter a barcode OR a keyword.
Additionally, in the results of a keyword search the "Fast cataloging"
link should be more descriptive. This patch fixes these issues.

Test plan:

0) [PREREQUISITES] Ensure you have a Fast Add ('FA') framework defined,
   and that your itemBarcodeFallbackSearch syspref is set to 'Enable'.
1) Go to Circulation -> Check out, search for a patron, then select a
   patron to Check out. Notice how the text above the textbox reads
   "Enter item barcode:".
2) Type something generic (not a barcode) in the textbox so that you'll
   get at least one item as a result. Notice how the text in the yellow
   warning box reads "The barcode was not found: <terms> Fast cataloging".
3) Apply the patch.
4) Repeat step 1), now the text above the textbox should read
   "Enter item barcode or keyword:".
5) Repeat step 2), now the text in the yellow warning box should read
   "The barcode was not found: <terms> Add record using fast cataloging".

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:49:05 +00:00
50a37fbf5b Bug 16816: Do not copy parameters used when duplicating a report
If a report is duplicated from the report list, the new report will
contain the tag (<<YEAR>> for instance), but from the reports results
page it copies the values used for the results.

Test plan:
Create a new sql report with tags
Duplicate it from the report list: no expected changes
Run it and duplicate it: the tags must not have been replaced

Signed-off-by: Andreas Roussos <arouss1980@gmail.com>
Ran and duplicated a report, the tags remained intact.

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:48:08 +00:00
613c83f4e3 Bug 17300: Fix serials search
Since bug 16157, the location value is always "All" and the serial
search won't return anything.

Test plan:
Search for some serials.
Without this patch, it won't return any results
With this patch applied, the result search should be consistent

Reproduced with serial's "Advanced search" and search filter in
left hand column. Fixed by this patch.
Signed-off-by: Marc <veron@veron.ch>

Advanced search works fine again.
Signed-off-by: Andreas Roussos <arouss1980@gmail.com>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:46:21 +00:00
1a2d804a80 Bug 17296: Display warning if AnonymousPatron is not correctly set
Bug 14655 added a warning to the about page ("System information" tab)
if the AnonymousPatron feature is not correctly configured.
But actually there is one case when it's not displayed.

Test plan:
Set AnonymousPatron to a non existing patron
Set at least 1 borrowers.privacy == 2
go on the about page.
Without this patch you do not get the warning
With this patch you will see "Some patrons have requested a privacy on
returning item but the AnonymousPatron pref is not set correctly. Set it
to a valid borrower number if you want that this feature works
correctly."

Signed-off-by: Marc <veron@veron.ch>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:45:34 +00:00
d26cda6f9e Bug 17316: Do not display the list's name if the user does not have permission - Staff
Same as previous patch but for the staff interface

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:13:58 +00:00
9734726846 Bug 16800: Fix XSS in additem.pl
Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:10:59 +00:00
79cd9e9fd4 Bug 16800: Fix XSS in catalogue/*detail.tt - isbn
Test plan:
catalogue a bibliographic record with a isbn=
  </title><script>alert('XSS')</script>

Go on the detail pages.
=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:10:59 +00:00
3169434cfa Bug 16800: Fix XSS in catalogue/*detail.tt - author
Test plan:
catalogue a bibliographic record with a author=
  </title><script>alert('XSS')</script>

Go on the detail pages.
=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:10:58 +00:00
515208d5ec Bug 16800: Fix XSS in catalogue/*detail.tt - title
Test plan:
catalogue a bibliographic record with a title=
  </title><script>alert('XSS')</script>

Go on the detail pages.
=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

This of course means that any html in the title will no longer be
evaluated. :

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:10:58 +00:00
1eaa8f0476 Bug 16752 [Revised] Remove the use of event attributes from some acquisitions templates - Uncertain prices
This patch modifies the acquisitions uncertain prices template to remove
event attributes onclick and onchange.

Also changed on the uncertain prices page: Added a label to the orders
filter, removed redundant form submit function.

- Locate a vendor which has orders with uncertain prices
- Click the 'Uncertain prices' tab in the left-hand sidebar
- Enter invalid data in the "price" field for any order. Confirm that an
  error is triggered when the field loses focus.

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>

QA Revision: Corrected input type of submit button.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:56:43 +00:00
968159af51 Bug 16752 - Remove the use of event attributes from some acquisitions templates - Transfer order
This patch removes the use of 'onclick' from the acquisitions transfer
order process. The patch also modifies the style of some links and
buttons to conform with current guidelines.

- Locate an open basket with items in it
- Click the 'Transfer' link for a title in the basket
- In the pop-up window:
  - Confirm that the 'Cancel' button at the bottom of the window is a
    Bootstrap-style button.
  - Search for a vendor; Confirm that the 'Choose' link is a
    Bootstrap-style button.
  - Choose a vendor; Confirm that the 'Choose' link on the following
    page is a Bootstrap-style button.
  - Confirm that clicking the 'Choose' button transfers the item to the
    correct basket.

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:56:43 +00:00
cc79085820 Bug 16752 - Remove the use of event attributes from some acquisitions templates - Funds
This patch modifies the funds administration page and other files
related to the process of searching for and selecting fund owners and
users in order to remove the use of event attributes like 'onclick.'

Also changed in this patch: I have revised the way the "select owner"
and "select user" controls look. They are now links with Font Awesome
icons.

- Go to Administration -> Funds and open a fund for editing.
- Test the process of adding and updating an owner:
  - Click the 'Select owner' link.
  - Search for and select an owner in the pop-up window.
  - Save the fund and verify that the owner was saved correctly.
  - Perform the same test with the 'Remove owner' link.
- Use the same process to test the addition and removal of users.
  - Confirm that the 'Remove' link works correctly before and after
    submitting the form to save changes to the fund.

This patch changes a file which is used by both the funds template and
the template used when setting a guarantor on a patron. To test the
changes in that context:

- Open a 'child' type patron record.
- Under 'Guarantor information,' test the process of setting and
  removing a guarantor to confirm that data is saved correctly.

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:56:42 +00:00
Marc Véron
9fdd7603bf Bug 13134: Fix template file to make category appear
This is a followup to rescue the bug.

To test: Follow test plan from comment #1

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:55:14 +00:00
f3322257d5 Bug 13134 - Add patron category to returns confirmation dialogs
Some librarians find it useful to know what category a patron is before
confirming a reserve or transfer from the checkin screen.

This patch adds the patron category to the hold and transfer popups
to the patron information already displayed. The li tags that contain
the patron category have the class "patron-category" to allow this data
to be easily hidden.

Test Plan:
1) Apply this patch
2) Trap a hold for a patron, note the patron category is now displayed
3) Trap a hold for pickup at another loation, note the patron category
   is now displayed

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:53:21 +00:00
2e79c211db Bug 17010 [Follow-up] Canceling a hold awaiting pickup no longer alerts librarian about next hold
This patch makes a minor change to the markup to make the button in the
confirmation dialog conform to the appearance of similar buttons.

To test, follow the original test plan for this bug and verify that the
"OK" button in the dialog looks correct.

Signed-off-by: Liz Rea <liz@catalyst.net.nz>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:34:44 +00:00
b80a18ee2f Bug 17010 - Canceling a hold awaiting pickup no longer alerts librarian about next hold
In previous versions of Koha, if a hold canceled from the "Holds over" tab had other holds on it,
the librarian would be alerted with the message "This item is on hold for pick-up at your library"
and directed to check it in to fill the next hold. This no longer happens.

Test Plan:
1) Apply this patch
2) Find a hold that has been waiting too long
3) Cancel that hold via waitingreserves.pl
4) Note you get the message "This item is on hold for pick-up at your library"
5) Confirm the ok button redirects you to the correct tab

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:34:44 +00:00
11bf7e7bef Bug 17146: Fix CSRF in picture-upload.pl
If an attacker can get an authenticated Koha user to visit their page
with the
url below, they can change or delete patrons' images
/tools/picture-upload.pl?op=Delete&borrowernumber=42

Test plan:
1/ Hit /tools/picture-upload.pl?op=Delete&borrowernumber=42
And confirm that you get a "Wrong CSRF token" error
2/ Go on the patron detail page with a patron's image
3/ Click on the Delete link (note the csrf_token param)
4/ The image will be deleted and you are redirected to the patron detail
page.

Regression tests:
Upload an image from the patron detail page and from the "upload patron
images" tool.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:33:58 +00:00
da03dbd458 Bug 17114: Fix XSS in picture-upload.pl
To reproduce:
1/ cp your_image.jpg 'test<svg onload=alert(1)>.jpg'
2/ Use the upload picture tool to upload this file
=> Without this patch, the alert is show
=> With this patch, the filename is correctly displayed and no alert

Note that the cardnumber var was not escaped neither, it's now.

Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:33:02 +00:00
b6fe9f23cc Bug 16276: Add a new pref TrackLastPatronActivity and new column borrowers.lastseen
Sponsored-by: BULAC - http://www.bulac.fr/
Signed-off-by: Nicolas Legrand <nicolas.legrand@bulac.fr>

https://bugs.koha-community.org/show_bug.cgi?id=12276

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-13 17:27:42 +00:00
7acb7e14fa Bug 16276: Make the batch patron deletion tool deal with last_seen
This patch adds the same change as the previous one to the batch patron
deletion tool.

If the pref TrackLastPatronActivity is enabled, the librarians will be
able to delete patrons who do not have been connected since a given
time.

Test plan:
Define a date for the "who have not been connected since" options and
confirm that it works as expected.

Sponsored-by: BULAC - http://www.bulac.fr/
Signed-off-by: Nicolas Legrand <nicolas.legrand@bulac.fr>

https://bugs.koha-community.org/show_bug.cgi?id=12276

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-13 17:27:42 +00:00
c78c927695 Bug 17147 [Revised] Streamline messages following batch record modification
This patch changes the display of informational messages during and
after the batch record modification process. Instead of showing a
separate dialog for each record modified, messages are now grouped into
one dialog.

To test, apply the patch and clear your browser cache if necessary. You
must have at least one MARC modification template defined.

- Go to Tools -> Batch record modification.
- Submit a list of biblionumbers which contains at least one number
  which doesn't exist in your database.
- Confirm that warning and success messages are grouped instead of
  showing in separate dialogs.
- Submit a list of biblionumbers using a MARC modification template
  which contains no actions. Confirm that the resulting error message is
  correctly formatted.

Revision formats the error messages without the unordered list, which
was giving them padding which didn't look correct inside a dialog.

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>

Edit for QA: Removed obsolete changes to CSS.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-13 17:25:28 +00:00
57f66d5132 Bug 16949: Simplify the checkbox checked condition
It's easier to use jQuery selector to know if checkboxes are checked.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-13 17:24:38 +00:00