Bug 18136: Fix ExportRemoveFields pre-fill behaviour

Looks like it's caused by bug 13190.
Variable export_remove_fields is not sent to the template, let's
retrieve the syspref's value using the TT plugin.

Test plan:
Fill ExportRemoveFields with something (100a for instance)
Go on a checkout list page
At the bottom, the "do not export fields" input box should be pre-filled
with the content of the syspref

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit c6e09ca3877ced4afb05ea27175c46aa134dc3b3)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 18025: Simplify logic and avoid 1 call to ValidateBorrowernumber

Signed-off-by: Liz Rea <liz@catalyst.net.nz>
This is fine with me.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit a471ad80bb70ed790cf7f544a45cdd3e61672ff4)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 18025: Fix test

Signed-off-by: Liz Rea <liz@catalyst.net.nz>
Seems to work fine

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 01f69eb8a258cead5f448c70e1efddc87a341299)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 18025 - Expired password recovery links cause sql crash

When a user gets an email, but doesn't act or visit it within two days,
     attempting to create a new one causes a collision. We should just
     delete the old one, assuming they still want to reset their
     password.

To test:
create yourself a borrower with a userid and password.
Attempt a password recovery on the OPAC
update the entry in the database for that user to have an expired token
e.g. update borrower_password_recovery set valid_until = '2017-01-25
03:25:26' where borrowernumber = 12;
Attempt another password recovery operation - should error
apply the patch
Try it again - no error, new token is generated and additional email
with new link is sent.

Issue reproduced - is resolved by patch
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit e87dab6411a40ae0eba3d56032760d705ef62eaf)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 18119: Fix comment in cataloguing.js

Test plan:
Go to cataloging, and try something which depends on javascript -
collapse/uncollapse fields, open authority search window, ...
    -> without patch it is not working
    -> with patch it is working correctly

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 7698f6453c6c14b4986d573c33f0e49cd73652c6)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17988: Add a comment to explain the line

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit e9cd82e4ca754024009608242d7c9930ac248cff)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17780: Add a comment to explain the line

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 762188646904156e4b1c12bb4d2e04a060674e59)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17780 - When choose an author in authority results new window shows a blank screen

Select2 (Bug 13501) introduced divs and inputs that broke some assumptions about the expected HTML structure.
This patch checks if input has name attribute, because some inputs in Select2 have not.

To test:
Try to add info from the authorities to field that has subfield with Select2 (subfield with authorised values on Koha 16.11+)

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
(cherry picked from commit 444bdcc2a50c64037c0f463200683009d8ae0b6e)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 18026 - URL to database columns link in system preferences is incorrect (16.11.x)

Here's a patch for the 16.11.x branch

modified:   koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/acquisitions.pref
modified:   koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/opac.pref
modified:   koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/patrons.pref

Bug 17913: Database update - Add system preference AuthorityMergeMode

Bug 17913: [16.11.x] followup

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Bug 17913: [16.11.x] Authority merge fix

[PUSHED_17.05]

Squashed into one patch for 16.11.x

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Bug 18095: Batch item modification: Better message if no item is modified

If no item is modified, the result page of Batch item modification says:
"item(s) modified (with fields modified)."
The message should be: "No items modified"

To reproduce:
- Go to Tools -> Batch item modification
- Put a barcode in and click Continue
- Do not make any changes and/or deselect all item(s)
- Click "Save"
=> Result message reads: "item(s) modified (with fields modified)."

To test:
- Apply patch
- Repeat steps above
- Verify that message makes sense.

NOTE: Also tested positive case with actual field change.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit adca73545e75c31198e3d094512da7961460ed02)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 15584 - Staff client list errors are incorrectly styled

To Test-
1. In the Staff Client, go to Lists
   (/cgi-bin/koha/virtualshelves/shelves.pl) and create a new list with
   the same name as an existing one. --note that it has some red in it
   like an error
2. apply patch
3. In the Staff Client, go to Lists
   (/cgi-bin/koha/virtualshelves/shelves.pl) and create a new list with
   the same name as an existing one. --note that now it should be just
   yellow with black writing as an alert

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 4bd2188affee568de81342d0af24fcf0239d9f01)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 18047 - JavaScript error on item search form unless LOC defined

If LOC is not present, the item search form will raise a JS error:
SyntaxError: expected expression, got '}'

This patch fixes it by handling this specific case.

Note that the "Status" column is still displayed.

Test plan:
Remove your LOC authorised values
Go on the item search form
=> You will not get the JS error and the "Shelving location" bloc is no longer
displayed. There is no need to display it if empty.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit da3ccdc14379816ea849eeb56ab321d8e7db59a2)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 8306: Patrons statistics, fix for patron activity choice

The "inactive" for "patron activity" choice is now effective.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 680e6ce7d1aa53e716ea9fdab9c67e621fb828e2)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 18089: Remove warnings from tests using DBIx::Class fixtures

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 2e315c0cc6f31991868b17276807f28cdcce4306)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 18089 - All XSLT testing singleBranchMode = 0 fails to show even if install has only 1 branch

Due to the way it has been implemented, singleBranchMode is set to an
empty string rather than 0 if there is only one branch. This causes any
block that tests for singleBranchMOde to be 0 to never appear.

Test Plan:
1) Apply this patch set
2) prove t/XSLT.t

Signed-off-by: Jenny Schmidt <jschmidt@switchinc.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit ed5cb5fc9727ca09deb392f4392c1aa35b4e47a5)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 18089 - Unit test

Signed-off-by: Jenny Schmidt <jschmidt@switchinc.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 99cc3bdd0ec676d29205fb09d1a4e4b1e8889df0)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17838 Availability limit broken until an item has been checked out.

TEST PLAN

1. Make sure you have no items checked out.
2. Run sudo koha-rebuild-zebra -f -v kohadev.
3. Go to search the catalog and search.
4. Check items availability and then click on limit to currently
available items.
5. This should return no results.
6. Apply patch and reload.
7. Results should show.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Attribute 14: " Specifies whether un-indexed fields should be ignored. A
zero value (default) throws a diagnostic when an un-indexed field is
specified. A non-zero value makes it return 0 hits."
From http://www.indexdata.com/zebra/doc/querymodel-zebra.html

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 543dc8e0365240441114359b7ddfa74863a318b6)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 4126 - Exit bulkmarcimport if -a and -b given

Currently it is possible to spceify both --biblios and --authorities
as command line switches to bulkmarcimport.pl. This does not make sense
so we should exit early and explain that these switches are mutually
exclusive.

To test:
- Run one of these and check that there is no complaint about missing
  options:
  perl misc/migration_tools/bulkmarcimport.pl -a -b
  sudo koha-shell -c "perl misc/migration_tools/bulkmarcimport.pl -a -b"
  kohadev
- Observe that this displays the perldoc, but does not complain about
  mutually exclusive switches.
- Apply the patch
- Rerun the command(s) from earlier.
- Verify that the script is now halted and a small explanation given.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit dbada67196818834f158890c0c348c0259085f7e)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 18009 - IssueSlip.t test fails if launched between 00:00 and 00:59

to test patch...

1/ set date between 00:00 and 00:59
$ sudo date -s 'Sun Jan 29 00:41:55 NZDT 2017'

2/ run prove, see fail
$ prove -v t/db_dependent/Members/IssueSlip.t
...
t/db_dependent/Members/IssueSlip.t (Wstat: 65280 Tests: 1 Failed: 0)
Result: FAIL

3/ apply patch

4/ run prove, see pass
$ prove -v t/db_dependent/Members/IssueSlip.t
...
All tests successful.
Result: PASS

NOTE: for code obscurity you could have also done a modulus 24. ;)

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit add15799229df7a1910d759f487c0006bf3f30ae)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17788: (MARC21) Add $9 fields to Koha-Auth-Number:w index

Looking at the default framework's fields that are linked to authority
records, there's a divergence with the Zebra index definitions.

This yields to authority usage count be incorrect for users searching
for authority records.

MariaDB [koha_kohadev]> SELECT tagfield,tagsubfield,authtypecode FROM
marc_subfield_structure WHERE authtypecode IS NOT NULL AND
authtypecode<>'' AND frameworkcode='' GROUP BY
tagfield,tagsubfield,authtypecode ;
+----------+-------------+--------------+
| tagfield | tagsubfield | authtypecode |
+----------+-------------+--------------+
| 100      | a           | PERSO_NAME   |
| 110      | a           | CORPO_NAME   |
| 111      | a           | MEETI_NAME   |
| 130      | a           | UNIF_TITLE   |
| 440      | a           | UNIF_TITLE   |
| 600      | a           | PERSO_NAME   |
| 610      | a           | CORPO_NAME   |
| 611      | a           | MEETI_NAME   |
| 630      | a           | UNIF_TITLE   |
| 648      | a           | CHRON_TERM   |
| 650      | a           | TOPIC_TERM   |
| 651      | a           | GEOGR_NAME   |
| 654      | a           | TOPIC_TERM   |
| 655      | a           | GENRE/FORM   |
| 656      | a           | TOPIC_TERM   |
| 657      | a           | TOPIC_TERM   |
| 658      | a           | TOPIC_TERM   |
| 662      | a           | GEOGR_NAME   |
| 690      | a           | TOPIC_TERM   |
| 691      | a           | GEOGR_NAME   |
| 696      | a           | PERSO_NAME   |
| 697      | a           | CORPO_NAME   |
| 698      | a           | MEETI_NAME   |
| 699      | a           | UNIF_TITLE   |
| 700      | a           | PERSO_NAME   |
| 710      | a           | CORPO_NAME   |
| 711      | a           | MEETI_NAME   |
| 730      | a           | UNIF_TITLE   |
| 796      | a           | PERSO_NAME   |
| 797      | a           | CORPO_NAME   |
| 798      | a           | MEETI_NAME   |
| 799      | a           | UNIF_TITLE   |
| 800      | a           | PERSO_NAME   |
| 810      | a           | CORPO_NAME   |
| 811      | a           | MEETI_NAME   |
| 830      | a           | UNIF_TITLE   |
| 896      | a           | PERSO_NAME   |
| 897      | a           | CORPO_NAME   |
| 898      | a           | MEETI_NAME   |
| 899      | a           | UNIF_TITLE   |
+----------+-------------+--------------+

This patch adds the missing ones to the authority number index as it is
done for the rest of the fields.

To test:
- Verify that
etc/zebradb/marc_defs/marc21/biblios/biblio-koha-indexdefs.xml
contains intries pointing the $9 subfield of all the fields in the
'tagfield' column above, to the Koha-Auth-Number:w index.
- Sign off :-D

Signed-off-by: Hugo Agud <hagud@orex.es>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 21d63c8fb0c2ae3a8ca7caaf0d4041b7189213c3)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17512: Improve handling dates in C4::Items

This is a follow-up on the internal server error on 0000-00-00 in the items
column onloan. This patch deals with preventing to have such dates at all
in the date fields of items.

It is accomplished by:
[1] Adding a (private) subroutine _mod_item_dates. It takes an item hash
    and replaces date values if needed.
[2] AddItem and ModItem call _koha_new_item resp. koha_modify_item. In these
    routines a call to the new _mod_item_dates is inserted.
[3] Although the routine is actually private, I have added some unit tests
    to Items.t.

Test plan:
[1] Add a new item. Fill a correct date in dateaccessioned and an invalid
    date in Price effective from (=replacementpricedate).
[2] Verify that dateaccessioned is saved correctly and replacementpricedate
    is still null (does not contain 0000-00-00).
[3] Edit the item again. Fill some text in dateaccessioned and put a correct
    date in replacementpricedate. Verify the results.
[4] Run t/db_dependent/Items.t

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 137cbd8d09be549c9ae97dfad746a9c52d27b9a6)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17988 - Select2 prevents correct tag expand/minimize functionality

Overview:
Select2 (Bug 13501) introduced divs and inputs that broke some assumptions about the expected HTML structure.
Because of that, expanding fields to show all hidden subfields does not work properly.

Steps to Reproduce:
1. Open some book in the editor or create new (cataloguing/addbiblio.pl)
2. Try to minimize or expand fields, that have among subfields the following:
— Thesaurus driven subfield → subfield with Select2
— Hidden subfield.

Actual Results:
 — some fields become hidden, some not, and vice versa
 — in the console, you'll see «Uncaught TypeError: Cannot read property 'match' of null»

Expected Results:
 — all subfields should minimize/maximize completely

Additional Information:
This happens because Select2 adds some divs, that do not have ID property.
The following patch adds check for the needed attribute existance.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 317abac238147cf20f09d2aa0b0dc069c12b0892)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17134: Replace item types codes with category in facets (opac)

To test:
-Search in OPAC for two or more items
-Note that item types display category codes rather than names
-Make change to file and test in OPAC

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 908163754010df8d78acf463d6777ba2c4c3a2e9)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 16984: Do not clone the item block for standing orders

If AcqCreateItem is set to ordering and the basket is marked as
"standing orders", when ordering a JS error is raised:
additem.js:176 Uncaught TypeError: window[events[i]] is not a function

The item block should not be displayed in that case.

Test plan:
- Set AcqCreateItem to "ordering"
- Create a basket and tick the "Standing orders" checkbox
- Add an order to this basket
=> Without this patch you get the JS error
=> With this patch applied you will not get it

Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit ba89de5837bbe3055a8b0a04517332d8aee68da7)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17940: (follow-up 14695) Fix - Mark holds as waiting when transfer is done

When an item from Library A is reserved and set to be picked up at
Library B, the hold buttons fail to confirm or cancel during check in at
Library B when the item is transferred from Library A.

Test plan:
* Create a hold for item at Library A to be picked up at Library B.
* Check in item at Library A to trigger the transfer.
=> item shows in transit
* Switch to Library B and check in item.
* Confirm the hold.
=> item shows waiting

Signed-off-by: Christopher Brannon <cbrannon@cdalibrary.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit ae2c1e6a83fab8b76606cc84a306b37d3b7403e4)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 18076: Replace holds_to_place_count with an input type=text

From http://www.template-toolkit.org/docs/manual/Directives.html#section_WHILE

"""
The Template Toolkit uses a failsafe counter to prevent runaway WHILE loops which
 would otherwise never terminate. If the loop exceeds 1000 iterations then an undef
exception will be thrown, reporting the error:

WHILE loop terminated (> 1000 iterations)

The $Template::Directive::WHILE_MAX variable controls this behaviour and can be set
to a higher value if necessary.
"""

I do not think we want to increase this value, and I do not think we want to display a
dropdown list with 1000 entries.

This patch replaces the dropdown list with an input text.

Test plan:
- Set circulation conditions - holds per record = 999
- Search for record with items
- Go to the holds tab
- Search for a patron
- Verify that when you send your search, the 'internal server error' is not shown
and you see the input text.
You should be able to enter a value > than 999 and < 1

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit ac99f64010c6bdbe40abc2b823c2180b9b223425)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 16115: Remove JS error on item search if NOT_LOAN values do not exist

If NOT_LOAN is not present, the item search form will raise a JS error:
SyntaxError: expected expression, got '}'

This patch fixes it by handling this specific case.

Note that the "Status" column is still displayed.

Test plan:
Remove your NOT_LOAN authorised values
Go on the item search form
=> You will not get the JS error and the "Status" bloc is no longer
displayed. There is no need to display it if empty.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 27a4149625252e4c28dc97df998d82fd6f2652b8)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 11450: Hold Request Confirm Deletion

==TEST PLAN==
1) Go to an item with a hold and click on the holds tab on the
left
2) Click the red 'X'
3) The hold will be deleted immediately
4) Apply patch
5) Return to an item with a hold and click the 'X'
6) There will now be a confirmation dialog
7) Click cancel and the dialog will disappear and the hold will not be
deleted
8) Click OK and the hold will be deleted

Restored indentations - Mark Tompsett

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Christopher Brannon <cbrannon@cdalibrary.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 6ce97d9b06843fa65d6fb4a6d7c8cecd322bc8d6)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17731: Remove noxml option from rebuild_zebra.pl

The removal of the noxml is a logical follow-up of bug 16506 (which
make xml the default).

Actually this option should have been removed by bug 10455 (it removes
the biblioitem.marc field).

Test plan:
Make sure the rebuild_zebra.pl script works as before.

Signed-off-by: Emma Smith <emma.nakamura.smith@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 7a2cbfba1f271d307045d867654ff0d7de939aa6)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17782: Fix tests

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 185256deba961c2595ce934afbb910cf3ad952e0)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17782 - (QA Followup)

Fix tests

prove t/db_dependent/Koha/Patrons.t

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit b68557148d17295557cae449e5617166950ac47f)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17782 - Patron updated_on field should be set to current timestamp when borrower is deleted

To test:
01 Find a patron
02 Get the updated_on value from the db in borrowers table
03 Delete the patron
04 Get the update_on value from the db on deletedborrowers table
05 Values from 02 and 04 are the same
06 Apply patch
07 Repeat 01-04
08 Values should now be different

Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 92a4e0e5f36fd4c5c817db96f8206b3ad903436e)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 16387: Fix default shortened loan period time

When a loan period is shortened due to using decreaseLoanHighHolds* the time is
always set to the current time in X days, even if the original loan period is
given in days and not in hours.

It should default to 23:59 as is normal for loan periods given in days.

As original due date time defaults to 23:59 when given in days, this patch
modifies the hours and minutes of shortened due date to be equal to original due
date.

To test:
1. prove t/db_dependent/DecreaseLoanHighHolds.t

Signed-off-by: Grace McKenzie <grace.mcky@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 21ac9fcdc2ca449a491cc79e68cc854ee248d911)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17922: Use correct number of digits when replacing date placeholders

This patch also fixes a typo ("<<MM><" should be "<<MM>>")

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 95e94766af653de4bc721af64981140cacecf567)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 18015 - On shelf holds allowed > "If all unavailable" ignores notforloan

If in the circ rules matrix you set "On shelf holds allowed" to "If all unavailable",
items with status "Not for loan" are considered available and break the functionality.

Test plan:

- Set "On shelf holds allowed" to "If all unavailable" for your patron and item
  category (or everyone and everything)
- Have two items for a record. Check out one
- Set 7 - Not for loan: "Not For Loan" for the second item
- Try to place a hold. Does not work.

- Apply the patch
- Try to place a hold. Should work now.

Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 844cf7a748c2b4f567bec2e5088665a9edf94468)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17871: (followup) Remove zebra::* from the packages templates

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 58e7a0a5d510de6a035329ea86a130996dda5849)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17871: Remove zebra::snippet to allow access to facets in YAZ 5.8.1+

This patch restores access to zebra facets (or zebra::snippet) with YAZ 5.8.1 or higher.

It was failing due to The <retrieval syntax="xml" name="zebra::*" /> entry in
retrieval-info-bib-dom.xml which IndexData said it wasn't even needed to
get that access.

Edit: I amended the commit message (tcohen)

Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
I tested on kohadevbox and found no regression or behaviour change. I
will provide a followup for the packages.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 0eb5d8491ebbf44f213d0cbe05695521dafc6dd9)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 18044: Add a test

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 80a43833f89ea1f31753245cb2d6f20acb7216a4)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 18044: Label Batches not displaying

SQL expects lists to be comma separated. A trailing comma must also
be avoided.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 544cf17d6f3279d95835ba42d40d49982e97f0a2)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17775 - Add new user with LDAP not works under Plack

This patch fixes internal server error:

Undefined subroutine &C4::Auth_with_ldap::AddMember called at /srv/koha_ffzg/C4/Auth_with_ldap.pm line 213.

It occurs only under plack, and it's strange since C4::Members
does EXPORT AddMember and we are importing it into Auth_with_ldap.pm
(and it does work under CGI).

Signed-off-by: Liz Rea <liz@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
I did not test but trust author and signoffer. The change cannot hurt.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 4740438b41573d24c6e83d182e2ce1cf6fc54545)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 15030: Add tests

This test will prevent regression on the lost of data when
items.itemcallnumber is linked with a plugin.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit eee1f23bc49d233bca6c8a8004dd6e79e2425484)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 15030 - Fixes the serials fields associated with a plugin, to not overwrite the previously saved value

This fixes the remaining fields from serials-edit.pl that were seeing their previously entered values
be oblitarated with each new edit.  The fields associated to a plugin (dateaccessioned and barcode) were
always displaying <empty> with each new edit, losing the previous effort.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 1017edad1c27d2624fb8ed6f8fb0018985b33295)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 15030 - Certain values in serials' items are lost on next edit

When editing serials subscription, we can edit them but some values are not pulled from the DB correctly to be put in the edit box.  If not noticed, the value will be overwritten on the next save.

Test:
- Create a subscription
- Edit itemcallnumber (952o?) and make sure to have a different value than the default one.
- Save.
- Edit it again
- The saved value is not there.

This is true for itemcallnumber and a few other fields.

This was caused by calls to ->field($subfield).  This would always fail, of course.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 4cdcdb3cb5ebefedcb44766745078a949227f0a5)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 7533: Add a warning to the about page if template_cache_dir is not set

We need to tell the administrators that it would be great for them to
set this config entry.

Test plan:
- Do not set template_cache_dir and confirm that you see the warning
- Set template_cache_dir and confirm that you do not see the warning

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Both templates for koha-conf.xml are updated. After applying the
patach a warning was correctly displayed. After adding
template_cache_dir to koha-conf.xml and restarting memcached it
went away.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 7d140258a051921d78f46ac1d9e9443cbcfbd51b)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 7533: Add the template_cache_dir entry to koha-conf.xml

And comment it, as we don't know what are the sysop's preferences

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 819cea62f222286b016941d8ba08da0996289668)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17487: Styling moved from style attribute into staff-global.css

Test plan:
1) Apply patch
2) Display Z39.50 search dialogs:
   - cataloguing / new from Z39.50
   - authorities / new from Z39.50
   - acquisition / new from an external source
3) Select all / Clear all should be placed below "Search targets" header
4) [Optionally] Set some style in IntranetUserCSS for class z3950checks

https://bugs.koha-community.org/show_bug.cgi?id=17487

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit aaf6b6724f5c7c6e29433600d55b9f1e8836a77b)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17487: Links to "select/clear all" moved below the header tag

Test plan:
1) Apply patch
2) Display Z39.50 search dialogs:
   - cataloguing / new from Z39.50
   - authorities / new from Z39.50
   - acquisition / new from an external source
3) Select all / Clear all should be placed below "Search targets" header

https://bugs.koha-community.org/show_bug.cgi?id=17487

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit f05b2986da26717f70134b07020c509821aeb3f7)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17726: [QA Follow-up] Add test descriptions

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit ddf1d9bcdde4790b713eca8040f0c9fce8fdcf6a)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17726: TestBuilder - Add default values

The items.more_subfields_xml is set to random data (generated by
TestBuilder), and so GetMarcBiblio does not manage to embed items (if
needed).

The error is:
  :1: parser error : Start tag expected, '<' not found

More precisely it explodes in
C4::Items::_parse_unlinked_item_subfields_from_xml when
MARC::Record->new_from_xml is called with an invalid xml

This patch adds a default values mechanism to TestBuilder to avoid
modifying all the existing calls.

Test plan:
Set SearchEngine to ElasticSearch
prove t/db_dependent/Circulation.pl
should return green with this patch

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 41358176e1d276e47d3034a37bd089b7e6c7e846)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 8361 (QA Followup) Add warnings

 - Added message to circulation.tt to warn if rule undefined for
patron/itemtype combination

To test:
1 - Remove all circ rules
2 - Add one rule
3 - Checkout to patron an itemtype that is outside of rule
defined above
4 - Note explanation that no rule is defined

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 63f7cbc777521c33f8ada3e1068be01b98da9050)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 8361: Do not allow checkouts if no rules are defined

We should require a circulation rule to allow checkouts and reject them
if no rules are defined.

Test plan:
- Delete all issuing rules
- Check an item out
=> Without this patch the checkout is allowed
=> With this patch applied it is rejected

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 11dfb2e0b2d32c313f556b623ee8522b4342af26)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17823: Add label for MARC 583 - Action note

test plan
Edit a record
Edit field 583a to add an action note
Save the record and confirm that the note does not show up in staff
client or opac
Apply patch and refresh page
Action note should now show up in staff client and opac

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 16dcea233008c0560c5a9783a3e6dd60470b06b1)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Add release notes for the 16.11.03 security release

Bug 17902: Follow-up fixing SQL statement

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 40cb8e3b7579987d0d461e8da6e350228722727c)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17902: Fix possible SQL injection in serials editing

/cgi-bin/koha/serials/serials-edit.pl?serstatus=*/+,2,3,'2016-12-12','2016-12-12',6,'jjj7','jjj8'%20--%20-&subscriptionid=1+and+1%3d2+Union+all+select+111+/*

The SQL query is not constructed correctly, placeholders must be used.
Subscription id and status list can be provided by the user.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit f42dbd67d1b960906fd2b98560e7e3724452bce9)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Increment version for 16.11.03 security release

Bug 9569: Security patch for AutoLocation

If a patron is not allowed to access the staff interface because its IP
address in the authorised range of IPs, the cookie should not contain
the CGISESSID.
If it is, the patron is logged in and will be able to access the staff
interface if he reload the page (or hit another one).

Test plan:
Confirm the that AutoLocation feature is now working as expected.

Note: It seems that this feature has never really worked as intended.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 93cc0956a923e94663ae74d1f435604844536571)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 9569: Update warning message

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 7afddcb157a8d8e27cfdee3cdbeb0eae483aa24c)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 9569: Do not check the IP for login at the OPAC

At the OPAC, the AutoLocation feature should not be taken into account:
login to the OPAC from outside the IP range should work

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit af0af36bb9a520c31c31067b9b68fd565eef0e63)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 9569: Remove unused occurrence of AutoLocation

`git grep ManualLocation` does not return any results

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 936b23e17a4b7d76d94be276ed1ceb9be8872299)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 9569: AutoLocation should not depend on IndependentBranches

Those 2 prefs can be independent and it does not make sense to consider
AutoLocation only if IndependentBranches is set.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit acabdc87c9a883e36def78dcff6fccb4980d35ab)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 9569: Fix AutoLocation - handle .* for subnets

The example in branches.tt is:
  Can be entered as a single IP, or a subnet such as 192.168.1.*

But actually the regex in C4::Auth does not handle subnets.

Test plan:
0/ Apply all the patches
1/ Switch AutoLocation on
2/ Define a subnet (192.168.0.* if your ip is like 192.168.0.X) in the IP
range of your library
3/ Log in on the staff interface
=> Should work

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit a8fdac38d8a1cf9e996195c5b04702d1d2eaa106)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17905: FIX CSRF in member-flags

If an attacker can get an authenticated Koha user to visit their page
with the url below, privilege escalation is possible

The exploit can be simulated triggering
    /cgi-bin/koha/members/member-flags.pl?member=42&newflags=1&flag=superlibrarian

Test plan:
Trigger the url above
=> Without this patch, 42 is now superlibrarian
=> With this patch, you will get the "Wrong CSRF token" error.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 0c3c162f767f5587f5fad7375151f8efca3689b3)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17904: Fix possible SQL injection in late orders

To recreate:
/cgi-bin/koha/acqui/lateorders.plop=send_alert&ordernumber=1)and%20(select*from(select(sleep(20)))a)--%20&letter_code=0

Notice the delay.

The SQL query is not constructed correctly, placeholders must be used.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit b0bb1b0aa60071950a39b1c1b9e9ec145b304086)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17903: Fix possible SQL injection in serial claims

To recreate:
/cgi-bin/koha/serials/claims.pl?serialid=1)and%20(select*from(select(sleep(20)))a)--%20&letter_code=0

Notice the delay.

The SQL query is not constructed correctly, placeholders must be used.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 179ff58b0980f348821c727c2fa79a5eca310901)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17901: Force context to scalar

See bug 15809 for more references.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit cb4fa17a2712d04590d218635913bfe794510615)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17901: Fix possible SQL injection in shelf editing

It has been reported that
/cgi-bin/koha/opac-shelves.pl?op=edit&referer=view&shelfnumber=146&owner=4&shelfname=testX&sortfield=titleaaaaaa\`&category=1

Could lead to SQL injection
Actually it explodes because the generated SQL query is not correctly formated.

However it would be good to limit the possible values for sortfield.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 45cffd874c62c7b090390c5fb3c955c31f524608)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17900: Update the tests to the new API

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 42460b871472d2a408bc38a747fd375062af4d7e)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17900: Fix possible SQL injection in patron cards template editing

To recreate:
/cgi-bin/koha/patroncards/edit-template.pl?op=edit&element_id=23%20and%201%3d2+union+all+select+1,user(),@@version+--%20

Look at the Profile dropdown list.

To fix this problem and to make sure it does not appears anywhere else
in the label and patroncards modules, I have refactored the way the
queries are built in C4::Creators::Lib
Now all of the subroutine takes a hashref in parameters with a 'fields'
and 'filters' parameters.
From these 2 parameters the new internal subroutine _build_query will
build the query and use placeholders.

Test plan:
1/ Make sure you do not recreate the vulnerability with this patch
applied.
2/ With decent data in the labels and patroncards modules, compare all
the different view (undef the New and Manage button groups) with and
without this patch applied.
=> You should not see any differences.

This vulnerability has been reported by MDSec.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit a70980d8255a66c33539926796c06b29b26fbb40)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17986: Perl dependency evaluation incorrect

It looks like I made a copy/paste error in a previous patch.

While the fix was working when you pass the param "module" to
version_info, it wasn't populating the version correctly
for the "all" param, which causes koha_perl_deps.pl to
think all OK modules actually need an upgrade.

TEST PLAN

0) Be on a system where you know your Koha Perl dependencies are
mostly up-to-date

1) Run ./koha_perl_deps.pl -a -c
2) Note that most modules say they need an upgrade even when
the installed version is the same as the minimum version

3) Apply patch

4) Run ./koha_perl_deps.pl -a -c
5) Note that most moduls say they're OK, especially when the
installed version is the same or greater than the minimum version

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Running koha_perl_deps.pl -u convinced me.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 4ff78a9a0da486d7f267d1e252f3628ec1a5f149)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Add release notes for the 16.11.02 release

Fix broken ar-Arab staff po file

Set one string fuzzy in the file and on pootle.

misc/translator/po/ar-Arab-staff-prog.po:8944: 'msgstr' is not a valid C format string, unlike 'msgid'.
Reason: The character that terminates the directive number 18 is not a valid conversion specifier.

Increment version for 16.11.02 release

Translation updates for Koha 16.11.02

(cherry picked from commit dfc3e1db682b9fbb7c3046f6432f1b74a3fca29b)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17899 - Show only mine does not work in newordersuggestion.pl

Bug 12775 added a link "Show only mine" in newordersuggestion.pl.
This does not work, no results.

Also corrects the fact that click must not do default action by adding e.preventDefault().

Test plan :
- You must have suggestions you have accepted
- Create a new order from suggestion : /cgi-bin/koha/acqui/newordersuggestion.pl
- Click on Show only mine
=> Without patch the table is empty showing "No matching records found"
=> With patch you see only suggestions you have accpeted

Signed-off-by: Zoe Schoeler <crazy.mental.onion@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 1104e61635e2d567c89587c28fd9a24b4f262037)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17920: t/db_dependent/Sitemapper.t fails because of permissions

The directory it attempts to create an xml file may not be writable for
the user running the test. By changing the directory from the current
directory to a temporary one, the test runs. After all 'chmod 777
t/db_dependent' is a bad idea.

TEST PLAN
---------
1) sudo koha-shell "prove t/db_dependent/Sitemapper.t" kohadev
   -- fails
2) apply patch
3) sudo koha-shell "prove t/db_dependent/Sitemapper.t" kohadev
   -- succeeds
4) run koha qa test tools

Tested without qa tools
Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 7401d9422be26c5ff900269a10e70c9ca4364de6)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17808: Fix behavior when editing a circ rule

The original behavior is broken, see https://stackoverflow.com/questions/21410484/jquery-selector-to-find-out-count-of-non-empty-inputs

Test plan:
Edit a circ rule
=> Without this patch you get a useless message
=> With this patch, no message
Edit a circ rule with content in inputs
=> With or without this patch you get a useful message

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 5a9ffa92cecf69ec44450da9676cfbdb0f7d9fa1)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17909: QA followup: remove unused var and move global var

Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit e3a12e517a9039fa93b8b57e0adedbad5f0e9153)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17909: [Follow-up] Quick fix for UNIMARC

UNIMARC inserts field 100. This interferes the field count and order
in the test.
Note: This is a quick fix. Will polish it after bug 17913.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 9510b023300cfdd3a560d06b0bdb5944d43d3d5c)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17909: Followup - fix typos

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
EDIT:

Adjusted three small typos that did not disturb the test in its current
form, but do when we are fixing bugs on bug 17913.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit b5a95937e695dec4a7ecbff6f65d795af9ee029b)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17909: Additional polishing

No spectacular things:

[1] Move the framework modifications to a sub. Use same style to create auth types and linked fields.
[2] Change some new Object occurrences to Object->new.
[3] Add tests for field count and field order in the first two subsets.
[4] Few whitespace changes (sorry) and comment lines.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 4457d2e64c30f95fc79e306023e271ee7274b740)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17909: Add tests for merging with another authtype

Originally aimed for bug 9988. Adjusted in line with other subtests.
Will polish the three subtests a little more on a follow-up.

Test plan:
Run t/db_dependent/Authorities/Merge.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit a7c2fc75054e81ca8909e05b6c2cfd6b9ba7293b)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17909: Adding tests from bug 11315

Based on original patch from Maxime Beaulieu on bug 11315.
Amended by Marcel de Rooy on report 17909.

EDIT:

Original tests have been adjusted in view of:
[1] Test on bug 11315 heavily leaned on DBD::Mock. Since we are
    using Test::DBIx::Class on such tests now, this would need attention.
    Moreover, the advantage of mocking the database in this case is at
    least arguable.
[2] Matching the first (somewhat older) subtest of 11700.
[3] Simplification and readability.
    Look e.g. at the use of $MARCto and $MARCfrom on 11315.

This made me merge them in the db_dependent counterpart.

Also note that this subtest adds another needed test case: the merge from
auth1 to modified auth1, while 11700 tested auth1 to auth2.

Test plan:
Just run t/db_dependent/Authorities/Merge.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit b89be0d72fb24752bf5a2d939b15f90e6f23017d)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17909: Add unit tests for C4::AuthoritiesMarc::merge

Original patch from Julian Maurice on bug 11700.
With sign offs by:
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Amended by Marcel de Rooy on report 17909.

EDIT (January 2017):
Removed some tests not related to merge.
Put remaining tests in a subtest, made them working on current merge.
Slightly revised the mocking.

Note: I plan to move the zebra retrieval stuff outside merge in one of
the next stages, and replace it by calling Koha::SearchEngine. This will
reduce mocking complexity here.

Test plan:
Just run t/db_dependent/Authorities/Merge.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit d4de65c21f4671b3fbbaf6d00904fe1753a8ae9a)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17880 - Use version.pm to parse version numbers in C4::Installer::PerlModules

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit b732963e2f91a54894f12cd5fd964c21e1c6f533)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17880 - Add test to check version number comparison

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 2321ae0d796fa6b13cde8f321b6c697cc48a5437)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17917: [AMENDED] Fix path issue in t/db_dependent/check_sysprefs.t

EDIT (from Marcel):

Previous patch fixes issue caused by Search.t.
This patch still adds some small changes to check_sysprefs.t.

Signed-off-by: Grace McKenzie <grace.mcky@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 743dbe3e6423f51ae93477ef58a9d696661bf2cd)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17917: [QA Follow-up] Reprove Search.t

The config tweaks from Search.t break check_sysprefs.t later on.
Clearing the cache resolves that.

Test plan:
[1] Run prove t/db_dependent/Search.t t/db_dependent/check_sysprefs.t (in
    one statement) before and after applying this patch.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
A prove t/db_dependent did not fail check_sysprefs.t (only skipping two
tests: 00-strict.t and Koha/IssuingRules.t; not enough patience)

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit b5c2b6510761dad352c814d801cda47aa6161ae8)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17615 - Fix unit tests

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 6d2ce70a479367530ef7973251e799e7be6f44db)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17615 - Fix updating borrower attributes in checkpw_ldap

Signed-off-by: Oliver Bock <oliver.bock@aei.mpg.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit e331a9c0d061f586f50db7ac27390417c74aec48)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 7143: [QA Follow-up] Handling tabs

Editing spaces before releases and developer:
876,$s/  \+releases$/^Ireleases/ (20 substitutions)
876,$s/  \+developer$/^Ideveloper/ (7 substitutions on 7 lines)

Editing spaces between date and text:
876,$s/2016  \+/2016^I/
876,$s/2017  \+/2017^I/
Fixed a few single spaces too.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Display on Timeline tab looks good now.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit d379be5de02b60b55408b42394c2ff1dae0113c5)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 7143: [QA Follow-up] Correcting dates for first patch pushed

The date first patch pushed is not the date the patch was written. The
Bugzilla reports tell us when the patch got actually pushed.
Adjusting the developer numbers accordingly.
Authors radiuscz and Radek Siman are actually the same person.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit d7e01a8c33b480a9faef027397d04fde0d8e37e2)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 7143: Update about.tt with new devs

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit a9f883456bee020737e38004de3386d3f617c866)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 7143: Update history file

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 5d333a80925473d3b9943f7de37cd8eb224263c8)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17469: Fix number of values

Will fix
  ERROR 1136 (21S01) at line 57: Column count doesn't match value count at row 2

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 2ce4b1635d24179fb3d5b11459045d86b9cf977e)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17469: Follow-up adding hold print notice

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit c7dc340d639bf53abc204c96d3ffc8154db16069)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Bug 17469: Add missing sample notices to fr-CA web installer

Adds missing notices to the fr-CA web installer:
- MEMBERSHIP_EXPIRY
- PASSWORD_RESET
Renames RESERVESLIP to HOLD_SLIP

TEST PLAN
---------
1) Apply the first patch
2) prove xt/sample_notices.t
   -- it should fail for fr-CA.
3) Apply the second patch
4) prove xt/sample_notices.t
   -- it should pass.
5) run all tests (prove t; prove xt)
   -- they should generally pass
6) run koha qa test tools

NOTE: Split test patch from fix patch, so could prove problem
      exists easily.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Caitlin Goodger <caitlingoodger.student@wegc.school.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit b37b22a4fd7aa3f4a59a1c541aae2fcd5b9cbd1f)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>