Bug 18349: If a confirmation is required, consider as blocker

Only RENEW_ISSUE should not be considered as blocker, others should.
Note that this code is not robust and the whole script as well as the
return of CanBookBeIssued should be rewrittent completely.
We need a small patch to easy backport to stable releases

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit d28d5a280d590bb19afbea23705802aa46af5e6d)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 9062df67c8df0e6416ee69c01bf10e0acf111bf7)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18349: $borrower is a hashref

I guess this code was never called before...

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 6b75e5b4783cff1d14816ce363e8095569d67718)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 3ef6f12596d75ec2548e9081e89694df3536bb7e)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18349: SCO - Do not trust the confirmed flag

The "confirmed" flag is used to know if that user confirmed a situation
that needs a confirmation.
But if the issue/renew is impossible the CanBookBeIssued and the
'impossible flags' should be checked.

Otherwise a patron can checkout and renew bypassing the circulation
rules (Understand 'no limit' here...)

Test plan:
Want to renew?
Checkin $barcode, then
/cgi-bin/koha/sco/sco-main.pl?patronid=$cardnumber&barcode=$barcode&confirmed=1&op=checkout

Want to bypass the checkin?
Same url...

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 85bd15a83ffdab0c2e28eae54e50ce4dee9e608b)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit dbee200409d738fcf7c4fdcfb2cd19f5d6d36c04)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17309 - Renewing and HomeOrHoldingBranch syspref

The AddRenewal subroutine currently uses the circulation rules for the branch
stored in the Issues table (which is the holding branch) when calculating the new due date.

This patch replaces using the branch from the Issues table with the branch
specified by the HomeOrHoldingBranch syspref.

To test:
1. Set up 2 branches, Branch1 and Branch2
2. Set up a loan rule in Branch1 for DVDs with a 21 day loan period and a
   21 day renewal period.
3. Set up a loan rule in Branch2 for DVDs with a 14 day loan period and a
   14 day renewal period.
4. Checkout a DVD belonging to Branch1 while logged into Branch2. It will
   receive the correct 21 day loan period.
5. Renewing the same DVD while logged into either Branch1 or Branch2
   will give a 14 day due date, rather than 21 days.
6. Checkout a DVD belonging to Branch2 while logged into Branch1. It will
   receive the correct 14 day loan period.
7. Renewing the same DVD while logged into either Branch1 or Branch2
   will give a 21 day due date, rather than 14 days.
8. Apply the patch and repeat steps 4-7. The correct due date should be given
   when the item is renewed, regardless of where it is checked out or renewed.

This update removes reassignment of $branch variable.

Signed-off-by: Cédric Vita <cedric.vita@dracenie.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 7d35bdf58a0bcebab20df47b50b249cafe12ddb6)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 0a26e824ae3861fefb8a615c7e042fbfc83698f4)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18266: Fix internal error when paying fine for lost item without.. item

If a fine is created for a lost item but the itemnumber is not supplied,
the system will return it.
The item should not be mark as returned if there is no item linked to
the fine.

Test plan:
1. Turn StoreLastBorrower on
2. Create a manual invoice for a lost item, do not supply a barcode
3. Pay the fines 'Pay fines > Pay'

=> Without this patch applied you get
Can't call method "last_returned_by" on an undefined value at
/home/marc/koha/C4/Circulation.pm line 2188.

=> With this patch applied, you must not get the error.

(cherry picked from commit a59f056631e882ce166eed7eb6e366481449b148)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17945 - Breadcrumbs broken on opac-serial-issues.pl

==TEST PLAN==
1) Make a subscription with a record
2) Search and view the record in OPAC
3) Click on the subscription tab and click more details
4) The breadcrumb will say 'Detals for' without the record name
5) Apply patch
6) Refresh the page
7) The breadcrumb will display the name of the record

(fixed small error)

Signed-off-by: Sonia BOUIS <sonia.bouis@univ-lyon3.fr>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 39bcba540a6c00fc374284dc025297a568befed6)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 9668331d4260928dbe91ec9710031e5ac63f5346)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18263: Make use of syspref 'CurrencyFormat' for Account and Pay fines tables

On Home > Patrons > Accounts for... and Home > Patrons > Pay fines for...,
make the amounts display as defined in syspref 'CurrencyFormat'

To test:
- Apply patch
- Give a patron a high fine or credit (e.g. 12345.67)
- Got to pages Home > Patrons > Accounts for... and
  Home > Patrons > Pay fines
- Verify that amounts display following syspref 'CurrencyFormat'
  (e.g. 12'345.67 for syspref set to 360'000.00 (CH)

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit db467287d174827e52c322cb86d75b8628df52fe)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 3db9848f1acb904f67312c55a35fd262c46829aa)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18209: Add default, 'Actions' and fix case

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit f14de0007c47ae66d0276186df073c0375d37610)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 168a10de25ad64830ed0c448571e0607b64d4bd9)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18209 - Patron's card manage.pl page is not fully translatable

The headers of the tables displayed in patroncards/manage.tt are hardcoded in the .pl and thus cannot be translated.

This simple fix reuse the translate_card_element tool already in the code to make the strings translatable.

Applied patch and verified that table headers on manage.pl display the same as before.
Signed-off-by: Marc Véron <veron@veron.ch>
Re-tested, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit bb1492e9f67439753bf428bd06fa710791e70c74)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 0a3b7777bbeb88e39903ceee35464d5eaec231e3)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 12972 - Transfer slip and transfer message (blue box) can conflict

Instead of passing the homebranch to the slip, let's pass
TransferWaitingAt (the value we display)

To test:
1 - Check in an item that will initiate a transfer (hold or automatic
        item return)
2 - Note the transfer message and receipt match
3 - Remove the reason for transfer (bot don't cancel transfer)
    i.e. cancel hold or change homebranch of item to current library
4 - Check the item in again
5 - Note the message displays the transfer destination and the slip
shows the homebranch
6 - Apply patch
7 - Repeat 5 but note slip and message match
8 - Test any edge cases for correctness
9 - sign off

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit f454013ec9beb8f6e4c382253b76bfac5ca65244)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 29526afcef6143ddafac8ffd00820ef9086ccaa0)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 7728: [QA Follow-up] Fix POD whitespace

Resolves complaints from qa tools.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 53f2b56fa15fac2f0d2ef0777e95f436d6914ec7)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit b4ef4f4e3b1b6c2176d7faaa906d92b195dc4c55)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 7728: Fix subs history end date consistency

Without this patch, there is an inconsistency in subscriptions:
 * a new subscription has no history end date set (as expected)
 * if you renew it, a date is set.

This patch removes the setting of the history end date during renewal

Test plan:
 * create a subscription, go to subscription-detail.pl page, tab "Summary". No History end date is set
 * renew the subscription => a date has been set
 * apply the patch
 * create another subscription
 * renew it => no history end date has been set
 * sign-off

Signed-off-by: beroud <isabelle.beroud@univ-lyon3.fr>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 1843ee148b25a904d8baffbbe8f0ea504b539a64)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 30cfdb9096282175f4bf92b65021a8ef6e3fd052)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18244: Patron card creator does not take in account fields with underscore (B_address etc.)

Fields with underscore like B_address do not print on patron cards.

To reproduce:
- Create patron card layout using fields with underscore in their name
  (e.g. <surname><B_address> )
- Print (export) patron card
- Verify that fields without underscore are replaced by their value,
  but fields with underscore do not replace but show the field name

To test:
- Apply patch
- Try to reproduce and verify that fields with underscore are replace
  as expected

Signed-off-by: Christopher Brannon <cbrannon@cdalibrary.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit a723de2ae0c393743fc111955ee81b5e6c5b7f4a)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit da9371a1d6a257d6d598c9299a33aedff183fc4c)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 14535: Update the supplier filter too

The combobox on the left side of late orders is filled by sub
GetBooksellersWithLateOrders. The same change as in the first patch
must be made here to include suppliers with late orders without a
price.

Bonus: Sort the list.

Test plan:
[1] Run t/db_dependent/Bookseller.t.
[2] Go to late orders. Use the filter on suppliers.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Srdjan <srdjan@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit b76eac9ca2c32a5db51b9b8ca32a2cf4fa6397b5)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 92ddd4bbc7f3f40241202ae19750e93d5ee2d30b)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 14535: Late orders does not show orders with price = 0

This patch removes the filter of unitpricesupplier <> 0 and
unitpricelib <> 0 from GetLateOrders as used in lateorders.pl.
This allows you to claim late orders without a price entered.

Test plan:
[1] Run t/db_dependent/Acquisition.t
[2] Check if you see an order with no price in lateorders.pl. (If needed,
    remove prices from a few orders.)

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Srdjan <srdjan@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 71f267fd3f3750510e3df5f2819d57ed45dcf919)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit f305629f14ae925cf58dc62e39f871fd6ec1c8f5)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 12913: [QA Follow-up] Reword 'change item status' and add zero status

The zero status should be added in @notforloans. It is a legitimate status
for available books. The zero status description can be translated in
the template.
The 'Change item status' is confusing. We mean that we saw a notforloan
status that we do not expect (read: does not exist in the table).

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 664d6534171677455f3cf1467e8726146714133a)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit dbb0b4a4b09233a7b68fc29deef8220f61fb5950)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 12913 - wrong inventory results when notforloan filter is not used

In inventory tool, there is a test on scanned items notforloan value : if the value is not one of authorized values, the inventory results displays the problem "Change item status".
The bug is that if notforloan filter is not used, the notforloan values array is not filled and so all scanned items are marked with this problem.

Test plan :
- Check you have in default framework an item subfield mapped with items.notforloan and with an authorized value catergory, for example 'NOTFORLOAN'
- Check the authorized value category has at least value '0'
- Create a new value in this category, for example '9'
- Create a biblio with default framework
- Create an item with barcode='000AAA1', callnumber='ZZZAAA1' and notforloan=0
- Create an item with barcode='000AAA2', callnumber='ZZZAAA2' and notforloan=9
- Delete new value created above, for example '9'
- Create a file 'barecodes.txt' containing 2 lines '000AAA1' and '000AAA2'
- Go to inventory tool : /cgi-bin/koha/tools/inventory.pl
- Choose file in 'Barcode file'
- Enter item callnumber between 'ZZZ' and 'ZZZZ'
- Check 'Compare barcodes list to results'
- Submit
=> without patch, you get 2 results with problem 'Change item status' even for item with notforloan=0
=> with patch, you get 1 result with 'Change item status' on item with notforloan=9

Signed-off-by: Nick Clemens <nick@quecheelibrary.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 358fb744c74cc63b7d2ae7d7e406ada205502ea8)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit f75915336c072765a330ca7e39646326ef11212b)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17995 - HOLDPLACED notice should have access to the reserves table

To test:
1 - Add reserves.reservenotes to HOLDPLACED message
2 - Enable emailLibrarianWhenHoldIsPlaced OpacHoldNotes sysprefs
3 - Place a hold via OPAC with a note
4 - view the messagequeue and note the reservenotes is blank
5 - Apply patch
6 - Place a hold with a note
7 - view the messagequeue and note the reservenotes is populated

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 3b794b1312d0cfac81b302d0e823e2c5683a1f0e)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 75ac2341774368975be08ee635851605f06a7b7d)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18022: Fix possible crash if CircAutoPrintQuickSlip=clear screen

If CircAutoPrintQuickSlip is set to clear screen, the $borrowernumber variable
is reset but $borrower.
In 16.11.x and before that causes the app to crash, because
$borrower->{flags} is set to a hashref by GetMemberDetails, if
$borrowernumber is set.

This case is better handled in master (17.05) but side-effects could
happen: if $borrowernumber is reset, $borrower should be reset too.

The way to drive this behaviour is terrible and lot of things should be
done to clean this area. This patch is a quick and easy fix to make it
backportable easily.

Test plan:
On master, no change expected
On 16.11 and before:
0. Set CircAutoPrintQuickSlip=clear screen
1. Create a new patron
2. Set permission for this patron to 'reservesforothers' (or something
else).
3. Go on the circulation tab
4. Do not fill the barcode input and submit
=> Without this patch you will get an error
Can't use string ("64") as a HASH ref while "strict refs"....
=> With this patch apply you will get a blank screen (expected
behaviour).

I would recommend to test this patch with the other value of
CircAutoPrintQuickSlip as well

(cherry picked from commit 34565e7f7d38298d37f449520dd5bc20cec833f8)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18058: Allow borrower_message_preferences to be truncated

borrower_message_preferences cannot be truncated because of the foreign.
DBMS fails with
  "Cannot truncate a table referenced in a foreign key constraint"

To avoid that we should remove the FK check and truncate the other table
as well.

I am wondering if we really need a truncate here
  DELETE FROM borrower_message_preferences;
should do the job, but leave it as it because of the param name.

Test plan
  perl misc/maintenance/borrowers-force-messaging-defaults --doit --truncate
Should no longer raise the error message

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit dd88c8f710e4915dac6437355c356f0632b776fb)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit e2f860386dd811b2be3b2988b690c2d28d748336)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Increment version for 3.22.19

Update release notes for 3.22.19

Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Translation updates for Koha 3.22.19

Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 15854: Use a READ and WRITE LOCK on message_queue

To make sure we will not never get a race conditions for these kinds of
notices, we need to add a LOCK on the message_queue table.

This does not smell the best way to do that, but I faced deadlock issues
when I tried to use "UPDATE FOR"

https://dev.mysql.com/doc/refman/5.7/en/innodb-locking-reads.html
https://dev.mysql.com/doc/refman/5.7/en/lock-tables.html
https://dev.mysql.com/doc/refman/5.7/en/commit.html

To test this patch, or another solution, you need to apply manually this
change:

         my $message = C4::Message->find_last_message($borrower, $type, $mtt);
         unless ( $message ) {
+            sleep(1);
             C4::Message->enqueue($letter, $borrower, $mtt);
         } else {

And repeat the test plan from first patch.
Do not forget to truncate the message_queue table.

Followed test plans, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit be156d9ad9e5bcfadab34d44f90e04fd61e256ad)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit ab23d1368343ad115a5072f7264b99c7bee68675)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 15854: Simplify the code to limit race conditions

There is an obvious race condition when CHECKIN and RENEWAL are
generated from circulation.pl calling svc/renew or svc/checkin in AJAX.

The 2 first queries will try to get the id of the last message
(find_last_message) and if it does not exist, they will insert it.
Theorically that could be lead to have several "digest" messages for a
given patron.
I did not recreate more than 2 messages, from the third one at least one
of the two firsts existed in the DB already.

This patch just simplifies the code to make the SELECT and INSERT or
UPDATE closer and limit the race condition possibilities.

Test plan:
0. Set RenewalSendNotice and circ rules to have a lot of renewals available
1. Use batch checkouts (or one by one) to check out several items to a
patron
2. Empty message_queue (at least of this patron)
3. Renew them all at once ("select all" link, "renew or check in"
button)
4. Check the message_queue
Without this patch you have lot of chances to faced a race condition and
get at least 2 messages for the same patron. This is not expected, we
expect 1 digest with all the messages.
With this patch apply you have lot of chances not to face it, but it's
not 100% safe as we do not use a mechanism to lock the table at the DBMS
level.

Tested both patches together, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 607b14516a955c9989e4764c69527edbc1f36ba0)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit bdae6c9492ea8db223c03753090060592a330be7)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18010: Remove potential exposure from gettemplate

A similar bad template check from C4::Auth::get_template_and_user
should be applied in C4::Templates::gettemplate.

Before this patch it would be possible to expose files like:
my $template = C4::Templates::gettemplate(
    '/etc/passwd', 'intranet', CGI::new, 1
);
print $template->output;

Note that the is_plugin flag in the above call is the culprit. This patch
provides a quick security fix without touching get_template_and_user, and
can be backported to stable branches.
I will provide an enhanced and centralized check on report 17989, also
removing the is_plugin flag.

Note: We allow .pref here too for use in admin/preferences.pl.

Test plan:
[1] Run t/db_dependent/Auth.t (triggering get_template_and_user and
    gettemplate).
[2] Run t/db_dependent/Templates.t again (see first test plan).
    The tests should no longer fail.
[3] Open a page on opac or intranet.
[4] Open a systempreferences tab.
[5] Add a book to the cart and send it ([opac-]sendbasket uses gettemplate).

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit fbbd4b40f0d71b79194fc186e66f985488be26c6)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 74fe3f5cda7cac22640f9ae3d68b3d62a6765dc0)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18010: Unit test for gettemplate

A trivial test, similar to the ones in Auth.t.
Without the check in gettemplate (added in the second patch), the passwd
file will be exposed and the test fails.

Test plan:
Run t/db_dependent/Templates.t without second patch. The two tests in the
last subtest should fail.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 5508897d5a2b73c30d50fed26a6bfed62bf49398)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Conflicts:
t/db_dependent/Templates.t

(cherry picked from commit 1161a67476b5b61358fdaecca57b012e663a7b02)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18094: Only search in searchable patron attributes if searching in standard fields

Test plan:
- Add a new patron attrbute and mark it searchable
- Populate a new patron with 'potato' in that field
- Add/edit another patron to have email potato@invalidemail.com'
- Perform a patron search with query 'potato' (in standard fields)
=> Both patrons are returned
- Perform a patron search with filters 'Email' and query 'potato'
=> Only 1 patron is returned and you are redirected to the patron detail page.

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 5823d4ca6a71404d502eeb7f1bf5dd152fd98e22)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit b294550ac6db804193928af798500e18d83de9db)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18246: Patron card creator: Unit not always displays properly in layouts

To reproduce:

1) Create a new layout
2) Select an unit in "Units selection"
3) Save
4) Edit layout again
5) Select other unit, e.g. 'SI Centimeter'
6) Save
7) Repeat
8) Edit again
Error: Latest unit seems to stick and can no longer be changed, because
in units drop down, multiple untis are marked as selected.

To test:
1) Apply patch
2) Repeat steps above, verify that value for units always display as expected.

Signed-off-by: Jesse Maseto <jesse@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 37da40b323d8bc012724510fe4839dcb908c2b3b)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 95bccfbbb8f2b0d0de064ae34dca24e3d59852a4)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 8603: Patron card creator - 'Barcode Type' doesn't stick in layouts

To reproduce:

1. Make a new layout
2. Tick "Print card number as barcode"
3. Change 'Barcode Type' to anything other than Code39
4. Save
5. Edit it again
6. Its back to Code39

To test:
1. Apply patch
2. Repeat steps above
3. Verify that 'Barcode type' is selected as expected

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
https://bugs.koha-community.org/show_bug.cgi?id=18063

https://bugs.koha-community.org/show_bug.cgi?id=8063

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 20ad341eefc555e0cf2b0f2862347e8a48b28935)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 34a91f6e3d7da38aafb37a57a962c1d852f9101a)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Increment version for 3.22.18

Update release notes for 3.22.18

Translation updates for 3.22.18

Bug 18275: Do not rely on CGI param userid to log a user in if auth is not required

From opac/opac-memberentry.pl, authnotrequired is set.
That means a patron can access the page without being logged in. It is
used on this page for the self registration feature.

From C4::Auth::get_template_and_user, we have
  $userid = $q_userid;
$q_userid is previously set to the 'userid' CGI param.

We end up here if authonotrequired is set AND CGISESSID does not exist.

Test plan:
- Run:
  $ prove t/db_dependent/Auth.t
=> FAIL: Regression test for checkauth fails
- Apply this patch
- Run:
  $ prove t/db_dependent/Auth.t
=> SUCCESS: Tests pass.
- Sign off :-D

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Bug 18275: Regression test

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Bug 16202: GetIssuingCharges should return a collectable amount

Charges should not include elements less than a penny/cent
they are not displayed but can be saved to the database
causing "odd" behaviour down the line

Make the routine round the resultant charge to nearest cent,
so consistent values are returned.
Removed the one case where it was rounded post call.
Although the main danger is values generated by the discount
calculation apply the rounding to all returned charges in case
the item charge is defined using the 3rd or 4th decimal
places.

NOTE: prove -v t/db_dependent/Circulation.t triggers the change.
      Though, all the returned amounts are 0.00 only.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit d84ed89557e2c921f261b1c620434d432dcbd3f7)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 661e6389c990c603cbc6a0a9444c27ec9d01afe2)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17947: Searching my library first shows the branchcode by the search bar rather than branchname

Test Plan
1: Turn on SearchMyLibraryFirst and go into OPAC
2: It should say Search (in <Branch Code> Only)
3: Apply patch and refresh page. It should now say Search (in <Library Name> only)

Sponsored-by: Catalyst IT
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit e8420b5d80558a8a74f7f6a1421352dcad2c9c88)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 0b1311ccb9f0b0a67ae94f0304ac0bd4f31a7485)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17895: 'Re-set' typo fix

To test:
1) Log into OPAC and go to change your password
2) Enter current password incorrectly and click Submit changes
3) Observe error message and typo 're-set'
4) Apply patch and refresh page
5) May be asked to resend data - if so, click Resend, if not, repeat
step 2
6) Observe error message and corrected spelling of 'reset'

Sponsored-by: Catalyst IT
Signed-off-by: Caitlin Goodger <caitlingoodger.student@wegc.school.nz>
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 86ec263b2d0994ecb53ff283ef246b529d4570e2)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 56938d7630ae4f90b3bcf650bbce3a6c5ad2c81e)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17852 Follow up.Multiple URLs (856) in list email are broken

This is a follow-up to my previous patch. This fixes it on the OPAC and
the previous one was from the intranet
Test Plan
1: Add multiple urls to a biblographic record
2: Add the biblographic record to a list and then email it from the OPAC
3: See that the links are broken and have been merged into one.
4: Apply patch
5: Send the list again and see that the links work

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
(cherry picked from commit e914a29788a1a85399a135d3cfd19ef9ee6f5a28)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17852; Multiple URLs (856) in list email are broken.

Test Plan
1: Add multiple urls to a biblographic record
2: Add the biblographic record to a list and then email it.
3: See that the links are broken and have been merged into one.
4: Apply patch
5: Send the list again and see that the links work

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
(cherry picked from commit bcbd75fba2bc69b3aa26672db16d350a09d48c25)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17865 'If a subscription has no history end date, it shows as expired today in OPAC'

--TEST PLAN--
1) View a subscription with no history end date
2) Search for an item with a subcription in OPAC
3) Under subscription tab click more details
4) The end date will be the current date
5) Apply patch and refresh
6) The end date will not be shown

Signed-off-by: Baptiste Wojtkowski <baptiste.wojtkowski@biblibre.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Mason James <mtj@kohaaloha.com>
(cherry picked from commit 8b096e91f1c07ba0295ef3fdc700eefb7d3a9834)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18111: Follow-up for 3.22.x

Replace [% frameworkcode %] by 'default' wherever needed

Bug 18111: Swap framework_name and frameworkcode

With the frameworkcode changed to an empty string, which really
is closer to the physical reality, some javascript somewhere
breaks. This means the spinner does not appear when you confirm
that you wish to import it.

TEST PLAN
----------
1) apply first patch
2) export default framework, doesn't matter format
3) import default framework using that file.
4) answer yes or whatever it is.
   -- spinner does not appear.
5) apply this patch
6) import default framework use the same file.
7) answer yes or whatever it is.
   -- spinner does appear.
8) decide if you wish to find and fix the javascript conditions.
   if yes -- do so, and then obsolete this once you have.
   if not -- sign this off after running koha qa test tools

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Mason James <mtj@kohaaloha.com>
(cherry picked from commit 3b4e164903ec532ad616d7e9021719bbd00b292e)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18111: Fix import of default framework

Caused by bug 16035.

Recreate the issue:
Go to Home › Administration › MARC frameworks
For the default framework: Actions > import
It will not work

Test plan:
Confirm test plans from bug 16035 and bug 17389 still pass
Confirm that the import for the default framework now works

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Mason James <mtj@kohaaloha.com>
(cherry picked from commit 07eefd02ba363c6072b6370e4360a91360e31ab2)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Increment version for 3.22.17

Update release notes for 3.22.17

Translation updates for 3.22.17

Update DB rev (3.22.16.001)

Bug 17913: Add AuthorityMergeMode preference

Original patch from bug 5572, dating back to 2011!
Amended by Marcel de Rooy January 2017. Renamed the pref.

The fix on this report is based on this preference.
Depending on the pref, subfields will be deleted or kept.

Test plan:
Run the dbrev.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17913: [3.22.x] Authority merge fix

[PUSHED_17.05]

Squashed into one patch for 3.22.x.

Bug 17909: QA followup: remove unused var and move global var

Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
(cherry picked from commit 1d28489f76a6890b38009e5f5b92ccd1d18051bc)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17909: [Follow-up] Quick fix for UNIMARC

UNIMARC inserts field 100. This interferes the field count and order
in the test.
Note: This is a quick fix. Will polish it after bug 17913.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
(cherry picked from commit db708b9f37378656621e4d73e8a36c146730db5e)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17909: Followup - fix typos

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
EDIT:

Adjusted three small typos that did not disturb the test in its current
form, but do when we are fixing bugs on bug 17913.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
(cherry picked from commit f61451ff0ff5ca4bde8f5e1425caf37b501fb8ba)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17909: Additional polishing

No spectacular things:

[1] Move the framework modifications to a sub. Use same style to create auth types and linked fields.
[2] Change some new Object occurrences to Object->new.
[3] Add tests for field count and field order in the first two subsets.
[4] Few whitespace changes (sorry) and comment lines.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
(cherry picked from commit cac98af1f40c753d094b4f1b69a638455c31d26f)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17909: Add tests for merging with another authtype

Originally aimed for bug 9988. Adjusted in line with other subtests.
Will polish the three subtests a little more on a follow-up.

Test plan:
Run t/db_dependent/Authorities/Merge.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
(cherry picked from commit 1d8d9161fa0f917e7e974d0fe76ca400e7119658)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17909: Adding tests from bug 11315

Based on original patch from Maxime Beaulieu on bug 11315.
Amended by Marcel de Rooy on report 17909.

EDIT:

Original tests have been adjusted in view of:
[1] Test on bug 11315 heavily leaned on DBD::Mock. Since we are
    using Test::DBIx::Class on such tests now, this would need attention.
    Moreover, the advantage of mocking the database in this case is at
    least arguable.
[2] Matching the first (somewhat older) subtest of 11700.
[3] Simplification and readability.
    Look e.g. at the use of $MARCto and $MARCfrom on 11315.

This made me merge them in the db_dependent counterpart.

Also note that this subtest adds another needed test case: the merge from
auth1 to modified auth1, while 11700 tested auth1 to auth2.

Test plan:
Just run t/db_dependent/Authorities/Merge.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
(cherry picked from commit 7859ea37b2bc2c9ae36b2e2f2907cade573ccaae)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17909: Add unit tests for C4::AuthoritiesMarc::merge

Original patch from Julian Maurice on bug 11700.
With sign offs by:
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Amended by Marcel de Rooy on report 17909.

EDIT (January 2017):
Removed some tests not related to merge.
Put remaining tests in a subtest, made them working on current merge.
Slightly revised the mocking.

Note: I plan to move the zebra retrieval stuff outside merge in one of
the next stages, and replace it by calling Koha::SearchEngine. This will
reduce mocking complexity here.

Test plan:
Just run t/db_dependent/Authorities/Merge.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
(cherry picked from commit 1fb7d9a869987b0e8de6cd7316ee78741a69c65f)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18136: Fix ExportRemoveFields pre-fill behaviour

Looks like it's caused by bug 13190.
Variable export_remove_fields is not sent to the template, let's
retrieve the syspref's value using the TT plugin.

Test plan:
Fill ExportRemoveFields with something (100a for instance)
Go on a checkout list page
At the bottom, the "do not export fields" input box should be pre-filled
with the content of the syspref

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit c6e09ca3877ced4afb05ea27175c46aa134dc3b3)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 34eff6378614572735d768824695b104564ce76f)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18026 - URL to database columns link in system preferences is incorrect (3.22.x)

Here's a patch for the 3.22.x branch

Signed-off-by: Baptiste Wojtkowski <baptiste.wojtkowski@biblibre.com>

Bug 18047 - JavaScript error on item search form unless LOC defined

If LOC is not present, the item search form will raise a JS error:
SyntaxError: expected expression, got '}'

This patch fixes it by handling this specific case.

Note that the "Status" column is still displayed.

Test plan:
Remove your LOC authorised values
Go on the item search form
=> You will not get the JS error and the "Shelving location" bloc is no longer
displayed. There is no need to display it if empty.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit da3ccdc14379816ea849eeb56ab321d8e7db59a2)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit b441c89f4f71bb6036dcb9d2ac5a4e24392714bc)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 8306: Patrons statistics, fix for patron activity choice

The "inactive" for "patron activity" choice is now effective.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 680e6ce7d1aa53e716ea9fdab9c67e621fb828e2)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 7e3ffc7f87b09c0b33c2f82ba04fee89e789c2d2)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17838 Availability limit broken until an item has been checked out.

TEST PLAN

1. Make sure you have no items checked out.
2. Run sudo koha-rebuild-zebra -f -v kohadev.
3. Go to search the catalog and search.
4. Check items availability and then click on limit to currently
available items.
5. This should return no results.
6. Apply patch and reload.
7. Results should show.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Attribute 14: " Specifies whether un-indexed fields should be ignored. A
zero value (default) throws a diagnostic when an un-indexed field is
specified. A non-zero value makes it return 0 hits."
From http://www.indexdata.com/zebra/doc/querymodel-zebra.html

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 543dc8e0365240441114359b7ddfa74863a318b6)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 448f6f5127812e23e6c9f44dda2e0228b20cb941)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 4126 - Exit bulkmarcimport if -a and -b given

Currently it is possible to spceify both --biblios and --authorities
as command line switches to bulkmarcimport.pl. This does not make sense
so we should exit early and explain that these switches are mutually
exclusive.

To test:
- Run one of these and check that there is no complaint about missing
  options:
  perl misc/migration_tools/bulkmarcimport.pl -a -b
  sudo koha-shell -c "perl misc/migration_tools/bulkmarcimport.pl -a -b"
  kohadev
- Observe that this displays the perldoc, but does not complain about
  mutually exclusive switches.
- Apply the patch
- Rerun the command(s) from earlier.
- Verify that the script is now halted and a small explanation given.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit dbada67196818834f158890c0c348c0259085f7e)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 83ec31965824b4d632bb62f5569fde430fa3858e)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18009 - IssueSlip.t test fails if launched between 00:00 and 00:59

to test patch...

1/ set date between 00:00 and 00:59
$ sudo date -s 'Sun Jan 29 00:41:55 NZDT 2017'

2/ run prove, see fail
$ prove -v t/db_dependent/Members/IssueSlip.t
...
t/db_dependent/Members/IssueSlip.t (Wstat: 65280 Tests: 1 Failed: 0)
Result: FAIL

3/ apply patch

4/ run prove, see pass
$ prove -v t/db_dependent/Members/IssueSlip.t
...
All tests successful.
Result: PASS

NOTE: for code obscurity you could have also done a modulus 24. ;)

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit add15799229df7a1910d759f487c0006bf3f30ae)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit f45cd420d1bed73b9a85c5260ae4a781041a6626)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17788: (MARC21) Add $9 fields to Koha-Auth-Number:w index

Looking at the default framework's fields that are linked to authority
records, there's a divergence with the Zebra index definitions.

This yields to authority usage count be incorrect for users searching
for authority records.

MariaDB [koha_kohadev]> SELECT tagfield,tagsubfield,authtypecode FROM
marc_subfield_structure WHERE authtypecode IS NOT NULL AND
authtypecode<>'' AND frameworkcode='' GROUP BY
tagfield,tagsubfield,authtypecode ;
+----------+-------------+--------------+
| tagfield | tagsubfield | authtypecode |
+----------+-------------+--------------+
| 100      | a           | PERSO_NAME   |
| 110      | a           | CORPO_NAME   |
| 111      | a           | MEETI_NAME   |
| 130      | a           | UNIF_TITLE   |
| 440      | a           | UNIF_TITLE   |
| 600      | a           | PERSO_NAME   |
| 610      | a           | CORPO_NAME   |
| 611      | a           | MEETI_NAME   |
| 630      | a           | UNIF_TITLE   |
| 648      | a           | CHRON_TERM   |
| 650      | a           | TOPIC_TERM   |
| 651      | a           | GEOGR_NAME   |
| 654      | a           | TOPIC_TERM   |
| 655      | a           | GENRE/FORM   |
| 656      | a           | TOPIC_TERM   |
| 657      | a           | TOPIC_TERM   |
| 658      | a           | TOPIC_TERM   |
| 662      | a           | GEOGR_NAME   |
| 690      | a           | TOPIC_TERM   |
| 691      | a           | GEOGR_NAME   |
| 696      | a           | PERSO_NAME   |
| 697      | a           | CORPO_NAME   |
| 698      | a           | MEETI_NAME   |
| 699      | a           | UNIF_TITLE   |
| 700      | a           | PERSO_NAME   |
| 710      | a           | CORPO_NAME   |
| 711      | a           | MEETI_NAME   |
| 730      | a           | UNIF_TITLE   |
| 796      | a           | PERSO_NAME   |
| 797      | a           | CORPO_NAME   |
| 798      | a           | MEETI_NAME   |
| 799      | a           | UNIF_TITLE   |
| 800      | a           | PERSO_NAME   |
| 810      | a           | CORPO_NAME   |
| 811      | a           | MEETI_NAME   |
| 830      | a           | UNIF_TITLE   |
| 896      | a           | PERSO_NAME   |
| 897      | a           | CORPO_NAME   |
| 898      | a           | MEETI_NAME   |
| 899      | a           | UNIF_TITLE   |
+----------+-------------+--------------+

This patch adds the missing ones to the authority number index as it is
done for the rest of the fields.

To test:
- Verify that
etc/zebradb/marc_defs/marc21/biblios/biblio-koha-indexdefs.xml
contains intries pointing the $9 subfield of all the fields in the
'tagfield' column above, to the Koha-Auth-Number:w index.
- Sign off :-D

Signed-off-by: Hugo Agud <hagud@orex.es>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 21d63c8fb0c2ae3a8ca7caaf0d4041b7189213c3)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit c4f977b76f171130d7f9c370ef6e27b6c0fd2384)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17512: Improve handling dates in C4::Items

This is a follow-up on the internal server error on 0000-00-00 in the items
column onloan. This patch deals with preventing to have such dates at all
in the date fields of items.

It is accomplished by:
[1] Adding a (private) subroutine _mod_item_dates. It takes an item hash
    and replaces date values if needed.
[2] AddItem and ModItem call _koha_new_item resp. koha_modify_item. In these
    routines a call to the new _mod_item_dates is inserted.
[3] Although the routine is actually private, I have added some unit tests
    to Items.t.

Test plan:
[1] Add a new item. Fill a correct date in dateaccessioned and an invalid
    date in Price effective from (=replacementpricedate).
[2] Verify that dateaccessioned is saved correctly and replacementpricedate
    is still null (does not contain 0000-00-00).
[3] Edit the item again. Fill some text in dateaccessioned and put a correct
    date in replacementpricedate. Verify the results.
[4] Run t/db_dependent/Items.t

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 137cbd8d09be549c9ae97dfad746a9c52d27b9a6)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit cb1bc00361bf3e468470b8e1500a4e752e60d161)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 16115: Remove JS error on item search if NOT_LOAN values do not exist

If NOT_LOAN is not present, the item search form will raise a JS error:
SyntaxError: expected expression, got '}'

This patch fixes it by handling this specific case.

Note that the "Status" column is still displayed.

Test plan:
Remove your NOT_LOAN authorised values
Go on the item search form
=> You will not get the JS error and the "Status" bloc is no longer
displayed. There is no need to display it if empty.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 27a4149625252e4c28dc97df998d82fd6f2652b8)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit e0b64c0f4ae29eae1a7c71d3d9e328683aa51317)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 11450: Hold Request Confirm Deletion

==TEST PLAN==
1) Go to an item with a hold and click on the holds tab on the
left
2) Click the red 'X'
3) The hold will be deleted immediately
4) Apply patch
5) Return to an item with a hold and click the 'X'
6) There will now be a confirmation dialog
7) Click cancel and the dialog will disappear and the hold will not be
deleted
8) Click OK and the hold will be deleted

Restored indentations - Mark Tompsett

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Christopher Brannon <cbrannon@cdalibrary.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 6ce97d9b06843fa65d6fb4a6d7c8cecd322bc8d6)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 2d363f136d8d9c4b35dfac455ea4f877fac7905d)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17782: deletedborrowers.updated_on should be set to current timestamp

Bug 16387: Fix default shortened loan period time

When a loan period is shortened due to using decreaseLoanHighHolds* the time is
always set to the current time in X days, even if the original loan period is
given in days and not in hours.

It should default to 23:59 as is normal for loan periods given in days.

As original due date time defaults to 23:59 when given in days, this patch
modifies the hours and minutes of shortened due date to be equal to original due
date.

To test:
1. prove t/db_dependent/DecreaseLoanHighHolds.t

Signed-off-by: Grace McKenzie <grace.mcky@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 21ac9fcdc2ca449a491cc79e68cc854ee248d911)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 090f2885b7a910ee84212fa5bb0141611121eb77)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17922: Use correct number of digits when replacing date placeholders

This patch also fixes a typo ("<<MM><" should be "<<MM>>")

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 95e94766af653de4bc721af64981140cacecf567)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit fdf1f974770247dc4b8decfb3318e31b940be48d)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17871: (followup) Remove zebra::* from the packages templates

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 58e7a0a5d510de6a035329ea86a130996dda5849)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 0e50ef7c2afad535a42e428c3a3f92341465ae83)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17871: Remove zebra::snippet to allow access to facets in YAZ 5.8.1+

This patch restores access to zebra facets (or zebra::snippet) with YAZ 5.8.1 or higher.

It was failing due to The <retrieval syntax="xml" name="zebra::*" /> entry in
retrieval-info-bib-dom.xml which IndexData said it wasn't even needed to
get that access.

Edit: I amended the commit message (tcohen)

Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
I tested on kohadevbox and found no regression or behaviour change. I
will provide a followup for the packages.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 0eb5d8491ebbf44f213d0cbe05695521dafc6dd9)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 62848b134c30dbd980be7d2658832c2a18f804c8)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18044: Add a test

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 80a43833f89ea1f31753245cb2d6f20acb7216a4)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit d13835de10ecc8e7035931c4eab8c358d63c49f4)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 18044: Label Batches not displaying

SQL expects lists to be comma separated. A trailing comma must also
be avoided.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 544cf17d6f3279d95835ba42d40d49982e97f0a2)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit b61ff540611f0dfd28dd7818dc1d03062cb4c159)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17775 - Add new user with LDAP not works under Plack

This patch fixes internal server error:

Undefined subroutine &C4::Auth_with_ldap::AddMember called at /srv/koha_ffzg/C4/Auth_with_ldap.pm line 213.

It occurs only under plack, and it's strange since C4::Members
does EXPORT AddMember and we are importing it into Auth_with_ldap.pm
(and it does work under CGI).

Signed-off-by: Liz Rea <liz@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
I did not test but trust author and signoffer. The change cannot hurt.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 4740438b41573d24c6e83d182e2ce1cf6fc54545)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit e005d17bb6a6181a8b7d00a8e9bb7d75e9b2c071)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Add missing 'use' in C4/Items.pm

Bug 15030: Add tests

This test will prevent regression on the lost of data when
items.itemcallnumber is linked with a plugin.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit eee1f23bc49d233bca6c8a8004dd6e79e2425484)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 6f959cd149c0484417056f50b0fb6590c837c428)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 15030 - Fixes the serials fields associated with a plugin, to not overwrite the previously saved value

This fixes the remaining fields from serials-edit.pl that were seeing their previously entered values
be oblitarated with each new edit.  The fields associated to a plugin (dateaccessioned and barcode) were
always displaying <empty> with each new edit, losing the previous effort.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 1017edad1c27d2624fb8ed6f8fb0018985b33295)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 18ad4150eadff0f229c1cc73950f8e53568ed249)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 15030 - Certain values in serials' items are lost on next edit

When editing serials subscription, we can edit them but some values are not pulled from the DB correctly to be put in the edit box.  If not noticed, the value will be overwritten on the next save.

Test:
- Create a subscription
- Edit itemcallnumber (952o?) and make sure to have a different value than the default one.
- Save.
- Edit it again
- The saved value is not there.

This is true for itemcallnumber and a few other fields.

This was caused by calls to ->field($subfield).  This would always fail, of course.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 4cdcdb3cb5ebefedcb44766745078a949227f0a5)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 3f084924e6df501e4256089c7a641911f378286f)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17487: Styling moved from style attribute into staff-global.css

Test plan:
1) Apply patch
2) Display Z39.50 search dialogs:
   - cataloguing / new from Z39.50
   - authorities / new from Z39.50
   - acquisition / new from an external source
3) Select all / Clear all should be placed below "Search targets" header
4) [Optionally] Set some style in IntranetUserCSS for class z3950checks

https://bugs.koha-community.org/show_bug.cgi?id=17487

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit aaf6b6724f5c7c6e29433600d55b9f1e8836a77b)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 2cf8c4b3c22a73b9a7d1429aeb7ba07d7f78c27b)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17487: Links to "select/clear all" moved below the header tag

Test plan:
1) Apply patch
2) Display Z39.50 search dialogs:
   - cataloguing / new from Z39.50
   - authorities / new from Z39.50
   - acquisition / new from an external source
3) Select all / Clear all should be placed below "Search targets" header

https://bugs.koha-community.org/show_bug.cgi?id=17487

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit f05b2986da26717f70134b07020c509821aeb3f7)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 5089001faa40c42e5d90e1e76059c3b5d3a0ab1f)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 8361 (QA Followup) Add warnings

 - Added message to circulation.tt to warn if rule undefined for
patron/itemtype combination

To test:
1 - Remove all circ rules
2 - Add one rule
3 - Checkout to patron an itemtype that is outside of rule
defined above
4 - Note explanation that no rule is defined

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 63f7cbc777521c33f8ada3e1068be01b98da9050)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 9b23c350862a3215671aca173330dd25a92b78af)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 8361: Do not allow checkouts if no rules are defined

We should require a circulation rule to allow checkouts and reject them
if no rules are defined.

Test plan:
- Delete all issuing rules
- Check an item out
=> Without this patch the checkout is allowed
=> With this patch applied it is rejected

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 11dfb2e0b2d32c313f556b623ee8522b4342af26)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 32c8bf4a3dbcd1b15de5221589c974ef78b6b1e6)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17823: Add label for MARC 583 - Action note

test plan
Edit a record
Edit field 583a to add an action note
Save the record and confirm that the note does not show up in staff
client or opac
Apply patch and refresh page
Action note should now show up in staff client and opac

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 16dcea233008c0560c5a9783a3e6dd60470b06b1)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 36685a439a438dd12bd12e65287cc3f0c1b6c198)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Increment version for 3.22.16 release

Update release notes for 3.22.16 release

Bug 17902: Follow-up fixing SQL statement

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 40cb8e3b7579987d0d461e8da6e350228722727c)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit dea3bc855d011b47541ed664566940c08ca52ceb)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17902: Fix possible SQL injection in serials editing

/cgi-bin/koha/serials/serials-edit.pl?serstatus=*/+,2,3,'2016-12-12','2016-12-12',6,'jjj7','jjj8'%20--%20-&subscriptionid=1+and+1%3d2+Union+all+select+111+/*

The SQL query is not constructed correctly, placeholders must be used.
Subscription id and status list can be provided by the user.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit f42dbd67d1b960906fd2b98560e7e3724452bce9)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 14e2c2e5f70dc24a0621545aac8a1f8c568331d3)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17901: Force context to scalar

See bug 15809 for more references.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit cb4fa17a2712d04590d218635913bfe794510615)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17901: Fix possible SQL injection in shelf editing

It has been reported that
/cgi-bin/koha/opac-shelves.pl?op=edit&referer=view&shelfnumber=146&owner=4&shelfname=testX&sortfield=titleaaaaaa\`&category=1

Could lead to SQL injection
Actually it explodes because the generated SQL query is not correctly formated.

However it would be good to limit the possible values for sortfield.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 45cffd874c62c7b090390c5fb3c955c31f524608)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17900: Update the tests to the new API

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 42460b871472d2a408bc38a747fd375062af4d7e)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17900: Fix possible SQL injection in patron cards template editing

To recreate:
/cgi-bin/koha/patroncards/edit-template.pl?op=edit&element_id=23%20and%201%3d2+union+all+select+1,user(),@@version+--%20

Look at the Profile dropdown list.

To fix this problem and to make sure it does not appears anywhere else
in the label and patroncards modules, I have refactored the way the
queries are built in C4::Creators::Lib
Now all of the subroutine takes a hashref in parameters with a 'fields'
and 'filters' parameters.
From these 2 parameters the new internal subroutine _build_query will
build the query and use placeholders.

Test plan:
1/ Make sure you do not recreate the vulnerability with this patch
applied.
2/ With decent data in the labels and patroncards modules, compare all
the different view (undef the New and Manage button groups) with and
without this patch applied.
=> You should not see any differences.

This vulnerability has been reported by MDSec.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit a70980d8255a66c33539926796c06b29b26fbb40)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 9569: Security patch for AutoLocation

If a patron is not allowed to access the staff interface because its IP
address in the authorised range of IPs, the cookie should not contain
the CGISESSID.
If it is, the patron is logged in and will be able to access the staff
interface if he reload the page (or hit another one).

Test plan:
Confirm the that AutoLocation feature is now working as expected.

Note: It seems that this feature has never really worked as intended.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 93cc0956a923e94663ae74d1f435604844536571)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 9569: Update warning message

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 7afddcb157a8d8e27cfdee3cdbeb0eae483aa24c)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 9569: Do not check the IP for login at the OPAC

At the OPAC, the AutoLocation feature should not be taken into account:
login to the OPAC from outside the IP range should work

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit af0af36bb9a520c31c31067b9b68fd565eef0e63)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 9569: Remove unused occurrence of AutoLocation

`git grep ManualLocation` does not return any results

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 936b23e17a4b7d76d94be276ed1ceb9be8872299)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 9569: AutoLocation should not depend on IndependentBranches

Those 2 prefs can be independent and it does not make sense to consider
AutoLocation only if IndependentBranches is set.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit acabdc87c9a883e36def78dcff6fccb4980d35ab)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 9569: Fix AutoLocation - handle .* for subnets

The example in branches.tt is:
  Can be entered as a single IP, or a subnet such as 192.168.1.*

But actually the regex in C4::Auth does not handle subnets.

Test plan:
0/ Apply all the patches
1/ Switch AutoLocation on
2/ Define a subnet (192.168.0.* if your ip is like 192.168.0.X) in the IP
range of your library
3/ Log in on the staff interface
=> Should work

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit a8fdac38d8a1cf9e996195c5b04702d1d2eaa106)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Bug 17903: Fix possible SQL injection in serial claims

To recreate:
/cgi-bin/koha/serials/claims.pl?serialid=1)and%20(select*from(select(sleep(20)))a)--%20&letter_code=0

Notice the delay.

The SQL query is not constructed correctly, placeholders must be used.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 179ff58b0980f348821c727c2fa79a5eca310901)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>