
Bug 13910: Prevent delete of one's own patron account

This patch adds a check to prevent deleting the user's own account.
Additionally it fixes a "missing link" in moremember.pl and wrong comparisons in moremember.tt regarding other forbidden deletions.

To test:
- Apply patch
- Create a user with sufficient privileges to delete users
- Log in as this new user
- Try to delete this user. Confirm message box "Are you sure..."
- Confirm that you get a message "Not allowed to delete own account" and that the user still exists.

Bonus test:
Try to trigger other forbidden deletions (see members/deletemem.pl): 'CANT_DELETE_STAFF', 'CANT_DELETE_OTHERLIBRARY', 'CANT_DELETE'
(You can fake it by using a URL like: /cgi-bin/koha/members/moremember.pl?borrowernumber=115&error=CANT_DELETE_STAFF etc.)
Without patch, no message appears. With patch, messages appear as appropriate.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

NOTE: Attempted all CANT combinations. From reading the code,
this is kind of an important patch, because I'm not sure
deleting error messages work at all right now based on what
I read.

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
3.20.x
Marc Véron 9 years ago
committed by Tomas Cohen Arazi
parent commit 1a54f0916e
  1. koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt (13 lines changed)
  2. members/deletemem.pl (6 lines changed)
  3. members/moremember.pl (2 lines changed)

koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt

@ -140,22 +140,27 @@ function validate1(date) {
<div id="yui-main">
<div class="yui-b">
[% INCLUDE 'members-toolbar.inc' %]
[% IF ( error ) %]
<div class="dialog alert">
[% IF ( AUTH_UPDATE_FAILED ) %]
[% IF ( error == 'AUTH_UPDATE_FAILED' ) %]
<h3>Userid / Password update failed</h3>
<strong>Insufficient privileges.</strong>
<p>Other fields updated.</p>
[% END %]
[% IF ( CANT_DELETE_STAFF ) %]
[% IF ( error == 'CANT_DELETE_STAFF' ) %]
<h3>Unable to delete staff user</h3>
<p>Insufficient privileges.</p>
[% END %]
[% IF ( CANT_DELETE_OTHERLIBRARY ) %]
[% IF ( error == 'CANT_DELETE_YOURSELF' ) %]
<h3>Not allowed to delete own account</h3>
<p>Deleting your own account would lock you out of Koha.</p>
[% END %]
[% IF ( error == 'CANT_DELETE_OTHERLIBRARY' ) %]
<h3>Unable to delete patrons from other libraries with current settings</h3>
<p>Insufficient privileges.</p>
[% END %]
[% IF ( CANT_DELETE ) %]
[% IF ( error == 'CANT_DELETE' ) %]
<h3>Unable to delete patron</h3>
<p>Insufficient privileges.</p>
[% END %]
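Review bot: the `[% IF ( error ) %]` wrapper opens the `dialog alert` div for any non-empty `error`, but the blocks inside it fire only on the exact strings `AUTH_UPDATE_FAILED`, `CANT_DELETE_STAFF`, `CANT_DELETE_YOURSELF`, `CANT_DELETE_OTHERLIBRARY` and `CANT_DELETE`, so an unrecognised value (moremember.pl takes `error` straight from the query string, and the test plan shows it can be set in the URL by hand) renders an empty alert box. Add a final `[% ELSE %]` branch with a generic message, or have moremember.pl drop values that are not on that list. Replacing the per-flag tests such as `[% IF ( CANT_DELETE_STAFF ) %]` with `error == '...'` comparisons is the right fix for the message bug described in the commit, and because the template only compares the value and never prints it, a forged `error` parameter cannot inject markup here; keep that property if a generic branch is added, i.e. do not echo `error` into the page.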

members/deletemem.pl

@ -50,6 +50,12 @@ my ($template, $borrowernumber, $cookie)
#print $input->header;
my $member = $input->param('member');
#Do not delete yourself...
if ($borrowernumber == $member ) {
print $input->redirect("/cgi-bin/koha/members/moremember.pl?borrowernumber=$member&error=CANT_DELETE_YOURSELF");
exit 1;
}
# Handle deletion from the Norwegian national patron database, if it is enabled
# If the "deletelocal" parameter is set to "false", the regular deletion will be
# short circuited, and only a deletion from the national database can be carried
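Review bot: `$member` comes straight from `$input->param('member')` and is interpolated unvalidated into the redirect URL (`borrowernumber=$member&error=CANT_DELETE_YOURSELF`); the numeric `==` also treats a missing or non-numeric `member` as 0 (with a Perl warning), which never matches a real borrowernumber and so falls through to the rest of the script. Validate the parameter before comparing it, e.g. `if ( !defined $member || $member !~ /^\d+$/ ) { ... redirect with an error ... }`, so malformed input is rejected rather than passed along in a `Location` header. The self-deletion guard itself is placed correctly, before any deletion work, and uses `$borrowernumber` from `get_template_and_user` rather than a request value; note that it protects only this script, so any other code path that deletes patrons is not covered by this change.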

members/moremember.pl

@ -112,6 +112,8 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
}
);
my $borrowernumber = $input->param('borrowernumber');
my $error = $input->param('error');
$template->param( error => $error ) if ( $error );
my ( $od, $issue, $fines ) = GetMemberIssuesAndFines($borrowernumber);
$template->param( issuecount => $issue );
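Review bot: `$template->param( error => $error ) if ( $error );` hands the raw `error` query parameter to the template. That is safe only as long as moremember.tt merely compares the value against its fixed list of codes and never outputs it; to make that hold regardless of future template edits, accept only known codes here, e.g. `my %known = map { $_ => 1 } qw(AUTH_UPDATE_FAILED CANT_DELETE_STAFF CANT_DELETE_YOURSELF CANT_DELETE_OTHERLIBRARY CANT_DELETE);` followed by `$template->param( error => $error ) if $error && $known{$error};`. This two-line addition is the "missing link" named in the commit message: without it the redirect from deletemem.pl carried `error=...` in the URL but the value never reached the template.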
