Bug 17780 - When choose an author in authority results new window shows a blank screen

Select2 (Bug 13501) introduced divs and inputs that broke some assumptions about the expected HTML structure.
This patch checks if input has name attribute, because some inputs in Select2 have not.

To test:
Try to add info from the authorities to field that has subfield with Select2 (subfield with authorised values on Koha 16.11+)

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>

Bug 15503 (QA Followup)

Fix tabs
Dereference hash for each

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 15503 - Populate the order prices

Signed-off-by: Benjamin Daeuber <bdaeuber@cityoffargo.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 15503 [QA Followup] - Use Koha::AuthorisedValues and fetch notforloan values.

Signed-off-by: Benjamin Daeuber <bdaeuber@cityoffargo.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 15503 [QA Followup] - Set itype and ccode properly

Signed-off-by: Benjamin Daeuber <bdaeuber@cityoffargo.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 15503 - DBRev 16.12.00.008

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 15503 [QA Followup] - Display "uneven number of fields" error only in relevant biblios

Signed-off-by: Benjamin Daeuber <bdaeuber@cityoffargo.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 15503 [Followup] - Add replacementprice and itemcallnumber

Signed-off-by: Benjamin Daeuber <bdaeuber@cityoffargo.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 15503 [QA Followup] - Remove the use of GetBranchesLoop

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Benjamin Daeuber <bdaeuber@cityoffargo.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 15503 - Fix adding multiple items in multiple biblios.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Benjamin Daeuber <bdaeuber@cityoffargo.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Bug 15503: Grab Item Information from Order Files

The goal of this development is to automatically generate items in Koha with
populated information based on a 9XX field and subfield, with the new syspref
MarcItemFieldsToOrder.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Benjamin Daeuber <bdaeuber@cityoffargo.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Bug 18095: Batch item modification: Better message if no item is modified

If no item is modified, the result page of Batch item modification says:
"item(s) modified (with fields modified)."
The message should be: "No items modified"

To reproduce:
- Go to Tools -> Batch item modification
- Put a barcode in and click Continue
- Do not make any changes and/or deselect all item(s)
- Click "Save"
=> Result message reads: "item(s) modified (with fields modified)."

To test:
- Apply patch
- Repeat steps above
- Verify that message makes sense.

NOTE: Also tested positive case with actual field change.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17935: Follow up for C4::Plugin...

TEST PLAN
---------
-- apply first patch
git grep "C4::Plugin"
-- still two references
perldoc Koha::Plugins::Base
perldoc Koha::Plugins::Handler

-- apply this patch
git grep "C4::Plugin"
-- no references
perldoc Koha::Plugins::Base
perldoc Koha::Plugins::Handler
-- should look fixed

 Please enter the commit message for your changes. Lines starting

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17935: Adjust some POD lines, fix a few typos

This patch does the following:

[1] Move some POD lines from Cache to Caches.
[2] Correct C4::Plugins to Koha::Plugins in POD line of Koha::Plugins
[3] POD Koha/AuthorisedValue.pm: lib_opac moved to opac_description
[4] The POD in Koha/Patron.pm uses head2 and head3 inconsistently.
    Ran s/^=head2/=head3/ on those lines (7 substitutions on 7 lines)
[5] Correct a copied POD line from reports/issues_stats.pl in
    reports/reserve_stats.pl.
[6] Correct a test description in t/db_dependent/Koha/Authorities.t.
    You should never delete the library :)
[7] Correct typo shouild in a comment of rebuild_zebra.pl

Test plan:
[1] Read the patch. Does it make sense?
[2] Run perldoc Koha/Cache.pm and Koha/Caches.pm
[3] Run t/db_dependent/Koha/Authorities.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 15584 - Staff client list errors are incorrectly styled

To Test-
1. In the Staff Client, go to Lists
   (/cgi-bin/koha/virtualshelves/shelves.pl) and create a new list with
   the same name as an existing one. --note that it has some red in it
   like an error
2. apply patch
3. In the Staff Client, go to Lists
   (/cgi-bin/koha/virtualshelves/shelves.pl) and create a new list with
   the same name as an existing one. --note that now it should be just
   yellow with black writing as an alert

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18047 - JavaScript error on item search form unless LOC defined

If LOC is not present, the item search form will raise a JS error:
SyntaxError: expected expression, got '}'

This patch fixes it by handling this specific case.

Note that the "Status" column is still displayed.

Test plan:
Remove your LOC authorised values
Go on the item search form
=> You will not get the JS error and the "Shelving location" bloc is no longer
displayed. There is no need to display it if empty.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 8306: Patrons statistics, fix for patron activity choice

The "inactive" for "patron activity" choice is now effective.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17982: Fix the use of uniq in sub themelanguage

Doing uniq( \@themes ) is useless. It will just return to you the only
reference you gave it.
List::MoreUtils::uniq requires a list instead of an arrayref.
So it is a trivial fix that makes sub themelanguage return one theme instead
of three themes like [ 'prog', 'prog',  'prog' ].
Note that Template->new inserts one or two include paths to TT for each of
these three identical themes.

Test plan:
[1] Run t/db_dependent/Templates.t (should no longer fail)
[2] Run t/db_dependent/Auth.t (triggering themelanguage)
[3] Open a page on OPAC or intranet. (Did you restart Plack?)

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
EDIT (Marcel): Amended test plan for additional unit test.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17982: Expose wrong use of uniq

This test should fail without the patch fixing the uniq calls.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18089: Remove warnings from tests using DBIx::Class fixtures

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18089 - All XSLT testing singleBranchMode = 0 fails to show even if install has only 1 branch

Due to the way it has been implemented, singleBranchMode is set to an
empty string rather than 0 if there is only one branch. This causes any
block that tests for singleBranchMOde to be 0 to never appear.

Test Plan:
1) Apply this patch set
2) prove t/XSLT.t

Signed-off-by: Jenny Schmidt <jschmidt@switchinc.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18089 - Unit test

Signed-off-by: Jenny Schmidt <jschmidt@switchinc.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17838 Availability limit broken until an item has been checked out.

TEST PLAN

1. Make sure you have no items checked out.
2. Run sudo koha-rebuild-zebra -f -v kohadev.
3. Go to search the catalog and search.
4. Check items availability and then click on limit to currently
available items.
5. This should return no results.
6. Apply patch and reload.
7. Results should show.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Attribute 14: " Specifies whether un-indexed fields should be ignored. A
zero value (default) throws a diagnostic when an un-indexed field is
specified. A non-zero value makes it return 0 hits."
From http://www.indexdata.com/zebra/doc/querymodel-zebra.html

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18014: QA follow-up: Use ok() instead of is() for '>' comparison

Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18014: AddAuthority should respect AUTO_INCREMENT

Instead of using the MAX(authid)+1 logic, AddAuthority should just save
the record and get the new id. The authid column is an autoincrement.

This eliminates problems where a newly assigned authid also refers to a
previously deleted record. (And it will not cause problems when refining
the dontmerge functionality on report 9988.)

Note: ModAuthority also calls AddAuthority to update an existing record; in
that case we should not create a new record even if the record should not
be found any more (which should be exceptional).

This patch also simplifies handling of 001 in the authority record: in all
cases this field is updated now; no need to check its contents.

Test plan:
[1] Run t/db_dependent/AuthoritiesMarc.t
[2] Add a new authority record via the interface

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18014: Add test to AuthoritiesMarc.t to expose problem in AddAuthority

Since AddAuthority uses max(id)+1 logic to produce the next authid,
authority id's will be reused when you delete the last record. This may
be a source of problems and will be addressed on the next patch.

This patch add a test to expose the problem.

Test plan:
[1] Run t/db_dependent/AuthoritiesMarc.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18014: General update of AuthoritiesMarc.t

Modern::Perl, Koha::Database, etc.

Test plan:
Run t/db_dependent/AuthoritiesMarc.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 4126 - Exit bulkmarcimport if -a and -b given

Currently it is possible to spceify both --biblios and --authorities
as command line switches to bulkmarcimport.pl. This does not make sense
so we should exit early and explain that these switches are mutually
exclusive.

To test:
- Run one of these and check that there is no complaint about missing
  options:
  perl misc/migration_tools/bulkmarcimport.pl -a -b
  sudo koha-shell -c "perl misc/migration_tools/bulkmarcimport.pl -a -b"
  kohadev
- Observe that this displays the perldoc, but does not complain about
  mutually exclusive switches.
- Apply the patch
- Rerun the command(s) from earlier.
- Verify that the script is now halted and a small explanation given.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18009 - IssueSlip.t test fails if launched between 00:00 and 00:59

to test patch...

1/ set date between 00:00 and 00:59
$ sudo date -s 'Sun Jan 29 00:41:55 NZDT 2017'

2/ run prove, see fail
$ prove -v t/db_dependent/Members/IssueSlip.t
...
t/db_dependent/Members/IssueSlip.t (Wstat: 65280 Tests: 1 Failed: 0)
Result: FAIL

3/ apply patch

4/ run prove, see pass
$ prove -v t/db_dependent/Members/IssueSlip.t
...
All tests successful.
Result: PASS

NOTE: for code obscurity you could have also done a modulus 24. ;)

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17788: (MARC21) Add $9 fields to Koha-Auth-Number:w index

Looking at the default framework's fields that are linked to authority
records, there's a divergence with the Zebra index definitions.

This yields to authority usage count be incorrect for users searching
for authority records.

MariaDB [koha_kohadev]> SELECT tagfield,tagsubfield,authtypecode FROM
marc_subfield_structure WHERE authtypecode IS NOT NULL AND
authtypecode<>'' AND frameworkcode='' GROUP BY
tagfield,tagsubfield,authtypecode ;
+----------+-------------+--------------+
| tagfield | tagsubfield | authtypecode |
+----------+-------------+--------------+
| 100      | a           | PERSO_NAME   |
| 110      | a           | CORPO_NAME   |
| 111      | a           | MEETI_NAME   |
| 130      | a           | UNIF_TITLE   |
| 440      | a           | UNIF_TITLE   |
| 600      | a           | PERSO_NAME   |
| 610      | a           | CORPO_NAME   |
| 611      | a           | MEETI_NAME   |
| 630      | a           | UNIF_TITLE   |
| 648      | a           | CHRON_TERM   |
| 650      | a           | TOPIC_TERM   |
| 651      | a           | GEOGR_NAME   |
| 654      | a           | TOPIC_TERM   |
| 655      | a           | GENRE/FORM   |
| 656      | a           | TOPIC_TERM   |
| 657      | a           | TOPIC_TERM   |
| 658      | a           | TOPIC_TERM   |
| 662      | a           | GEOGR_NAME   |
| 690      | a           | TOPIC_TERM   |
| 691      | a           | GEOGR_NAME   |
| 696      | a           | PERSO_NAME   |
| 697      | a           | CORPO_NAME   |
| 698      | a           | MEETI_NAME   |
| 699      | a           | UNIF_TITLE   |
| 700      | a           | PERSO_NAME   |
| 710      | a           | CORPO_NAME   |
| 711      | a           | MEETI_NAME   |
| 730      | a           | UNIF_TITLE   |
| 796      | a           | PERSO_NAME   |
| 797      | a           | CORPO_NAME   |
| 798      | a           | MEETI_NAME   |
| 799      | a           | UNIF_TITLE   |
| 800      | a           | PERSO_NAME   |
| 810      | a           | CORPO_NAME   |
| 811      | a           | MEETI_NAME   |
| 830      | a           | UNIF_TITLE   |
| 896      | a           | PERSO_NAME   |
| 897      | a           | CORPO_NAME   |
| 898      | a           | MEETI_NAME   |
| 899      | a           | UNIF_TITLE   |
+----------+-------------+--------------+

This patch adds the missing ones to the authority number index as it is
done for the rest of the fields.

To test:
- Verify that
etc/zebradb/marc_defs/marc21/biblios/biblio-koha-indexdefs.xml
contains intries pointing the $9 subfield of all the fields in the
'tagfield' column above, to the Koha-Auth-Number:w index.
- Sign off :-D

Signed-off-by: Hugo Agud <hagud@orex.es>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17512: Improve handling dates in C4::Items

This is a follow-up on the internal server error on 0000-00-00 in the items
column onloan. This patch deals with preventing to have such dates at all
in the date fields of items.

It is accomplished by:
[1] Adding a (private) subroutine _mod_item_dates. It takes an item hash
    and replaces date values if needed.
[2] AddItem and ModItem call _koha_new_item resp. koha_modify_item. In these
    routines a call to the new _mod_item_dates is inserted.
[3] Although the routine is actually private, I have added some unit tests
    to Items.t.

Test plan:
[1] Add a new item. Fill a correct date in dateaccessioned and an invalid
    date in Price effective from (=replacementpricedate).
[2] Verify that dateaccessioned is saved correctly and replacementpricedate
    is still null (does not contain 0000-00-00).
[3] Edit the item again. Fill some text in dateaccessioned and put a correct
    date in replacementpricedate. Verify the results.
[4] Run t/db_dependent/Items.t

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17988: Add a comment to explain the line

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17988 - Select2 prevents correct tag expand/minimize functionality

Overview:
Select2 (Bug 13501) introduced divs and inputs that broke some assumptions about the expected HTML structure.
Because of that, expanding fields to show all hidden subfields does not work properly.

Steps to Reproduce:
1. Open some book in the editor or create new (cataloguing/addbiblio.pl)
2. Try to minimize or expand fields, that have among subfields the following:
— Thesaurus driven subfield → subfield with Select2
— Hidden subfield.

Actual Results:
 — some fields become hidden, some not, and vice versa
 — in the console, you'll see «Uncaught TypeError: Cannot read property 'match' of null»

Expected Results:
 — all subfields should minimize/maximize completely

Additional Information:
This happens because Select2 adds some divs, that do not have ID property.
The following patch adds check for the needed attribute existance.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17134: Replace item types codes with category in facets (opac)

To test:
-Search in OPAC for two or more items
-Note that item types display category codes rather than names
-Make change to file and test in OPAC

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 16984: Do not clone the item block for standing orders

If AcqCreateItem is set to ordering and the basket is marked as
"standing orders", when ordering a JS error is raised:
additem.js:176 Uncaught TypeError: window[events[i]] is not a function

The item block should not be displayed in that case.

Test plan:
- Set AcqCreateItem to "ordering"
- Create a basket and tick the "Standing orders" checkbox
- Add an order to this basket
=> Without this patch you get the JS error
=> With this patch applied you will not get it

Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17940: (follow-up 14695) Fix - Mark holds as waiting when transfer is done

When an item from Library A is reserved and set to be picked up at
Library B, the hold buttons fail to confirm or cancel during check in at
Library B when the item is transferred from Library A.

Test plan:
* Create a hold for item at Library A to be picked up at Library B.
* Check in item at Library A to trigger the transfer.
=> item shows in transit
* Switch to Library B and check in item.
* Confirm the hold.
=> item shows waiting

Signed-off-by: Christopher Brannon <cbrannon@cdalibrary.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18076: Replace holds_to_place_count with an input type=text

From http://www.template-toolkit.org/docs/manual/Directives.html#section_WHILE

"""
The Template Toolkit uses a failsafe counter to prevent runaway WHILE loops which
 would otherwise never terminate. If the loop exceeds 1000 iterations then an undef
exception will be thrown, reporting the error:

WHILE loop terminated (> 1000 iterations)

The $Template::Directive::WHILE_MAX variable controls this behaviour and can be set
to a higher value if necessary.
"""

I do not think we want to increase this value, and I do not think we want to display a
dropdown list with 1000 entries.

This patch replaces the dropdown list with an input text.

Test plan:
- Set circulation conditions - holds per record = 999
- Search for record with items
- Go to the holds tab
- Search for a patron
- Verify that when you send your search, the 'internal server error' is not shown
and you see the input text.
You should be able to enter a value > than 999 and < 1

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18079: Holds to pull cleanup

Changes made:

  - remove obsolete comment in pendingreserves.pl
  - use Modern::Perl in circ/pendingreserves.pl
  - get rid of unusable param run_report - followup for bug 8454
  - get rid of references to hold status - followup for bug 9320
  - remove unused data from SQL and reservedata structure

Test plan:
1) Apply patch from bug 18073
2) Apply patch on this bug
3) Enable on shelf hold in administration -> circulation and fines rules
4) Create some holds on avalaible items
5) Confirm that circulation -> holds to pull page works as expected
6) Try to find any regression

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18073: Followup - don't use CONCAT_WS

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18073: Holds to pull table enhancement

Test plan:
0) apply the patch
1) enable on shelf hold in administration -> circulation and fines rules
2) create some holds on avalaible items
3) go to administration -> columns settings and confirm there is new holds-to-pull table in circulation section
4) go to circulation -> holds to pull page and confirm that
    4a) that the page does work as before
    4b) there is ne "Column visibility" button in datatable toolbar
    4c) the column configuration does work as expected
    4d) there is new column "First patron" with link to patron which is
        first in holds queue for given record
    4e) sorting works ax expected
    4f) filters (in teh bottom of table) work as expected

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Works nicely!

https://bugs.koha-community.org/show_bug.cgi?id=18079

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Bug 16115: Remove JS error on item search if NOT_LOAN values do not exist

If NOT_LOAN is not present, the item search form will raise a JS error:
SyntaxError: expected expression, got '}'

This patch fixes it by handling this specific case.

Note that the "Status" column is still displayed.

Test plan:
Remove your NOT_LOAN authorised values
Go on the item search form
=> You will not get the JS error and the "Status" bloc is no longer
displayed. There is no need to display it if empty.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 11450: Hold Request Confirm Deletion

==TEST PLAN==
1) Go to an item with a hold and click on the holds tab on the
left
2) Click the red 'X'
3) The hold will be deleted immediately
4) Apply patch
5) Return to an item with a hold and click the 'X'
6) There will now be a confirmation dialog
7) Click cancel and the dialog will disappear and the hold will not be
deleted
8) Click OK and the hold will be deleted

Restored indentations - Mark Tompsett

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Christopher Brannon <cbrannon@cdalibrary.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17927: (QA followup) Fix timestamp nullable in hold.json

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17927: (QA followup) Fix boolean types

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17927: (followup) Fix /cities cityid type

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17927: Fix /holds and /patrons data types

This patch changes current Swagger definitions for patrons and holds to have
data types corresponding to column data types in their database tables.

To test:
1. GET http://yourlibrary/api/v1/patrons/YYY where YYY is existing borrowernumber
2. Observe that numbers / integers are in string data type.
3. Apply this patch
4. Repeat step 1.
5. Observe that numbers / integers are now actually numbers / integers.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17782: Fix tests

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17782 - (QA Followup)

Fix tests

prove t/db_dependent/Koha/Patrons.t

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17782 - Patron updated_on field should be set to current timestamp when borrower is deleted

To test:
01 Find a patron
02 Get the updated_on value from the db in borrowers table
03 Delete the patron
04 Get the update_on value from the db on deletedborrowers table
05 Values from 02 and 04 are the same
06 Apply patch
07 Repeat 01-04
08 Values should now be different

Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 16387: Fix default shortened loan period time

When a loan period is shortened due to using decreaseLoanHighHolds* the time is
always set to the current time in X days, even if the original loan period is
given in days and not in hours.

It should default to 23:59 as is normal for loan periods given in days.

As original due date time defaults to 23:59 when given in days, this patch
modifies the hours and minutes of shortened due date to be equal to original due
date.

To test:
1. prove t/db_dependent/DecreaseLoanHighHolds.t

Signed-off-by: Grace McKenzie <grace.mcky@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17929 - You can't edit indicators in the cataloging screen

Test plan:
0. Do not apply the patch
1. Edit a biblio record, note you can't edit an indicator (in fact you edit it, but can't see the value)
2. Edit an authority record, note you can't edit an indicator (in fact you edit it, but can't see the value)
3. Apply the patch, you may need clear the browser cache (in Firefox Ctrl+F5 is often enough)
4. Repeat steps 1 and 2 - but now you will be able to edit the indicator

Signed-off-by: J Schmidt <jschmidt@switchinc.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17922: Use correct number of digits when replacing date placeholders

This patch also fixes a typo ("<<MM><" should be "<<MM>>")

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18015 - On shelf holds allowed > "If all unavailable" ignores notforloan

If in the circ rules matrix you set "On shelf holds allowed" to "If all unavailable",
items with status "Not for loan" are considered available and break the functionality.

Test plan:

- Set "On shelf holds allowed" to "If all unavailable" for your patron and item
  category (or everyone and everything)
- Have two items for a record. Check out one
- Set 7 - Not for loan: "Not For Loan" for the second item
- Try to place a hold. Does not work.

- Apply the patch
- Try to place a hold. Should work now.

Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17871: (followup) Remove zebra::* from the packages templates

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17871: Remove zebra::snippet to allow access to facets in YAZ 5.8.1+

This patch restores access to zebra facets (or zebra::snippet) with YAZ 5.8.1 or higher.

It was failing due to The <retrieval syntax="xml" name="zebra::*" /> entry in
retrieval-info-bib-dom.xml which IndexData said it wasn't even needed to
get that access.

Edit: I amended the commit message (tcohen)

Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
I tested on kohadevbox and found no regression or behaviour change. I
will provide a followup for the packages.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18005: Re-styled pagination on search results with Bootstrap

Test plan:
0. Don't apply path
1. Make catalogue search in staff client with more then 20 results,
    scroll down to see that pagination is broken
2. Apply the patch
3. Make similar search and confirm, the pagination looks OK with new
style

Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18013 - acqui/transferorder.pl typo in find method

This typo was introduced in Bug 13726 and has obvious fix

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18044: Add a test

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18044: Label Batches not displaying

SQL expects lists to be comma separated. A trailing comma must also
be avoided.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17775 - Add new user with LDAP not works under Plack

This patch fixes internal server error:

Undefined subroutine &C4::Auth_with_ldap::AddMember called at /srv/koha_ffzg/C4/Auth_with_ldap.pm line 213.

It occurs only under plack, and it's strange since C4::Members
does EXPORT AddMember and we are importing it into Auth_with_ldap.pm
(and it does work under CGI).

Signed-off-by: Liz Rea <liz@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
I did not test but trust author and signoffer. The change cannot hurt.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 15030: Add tests

This test will prevent regression on the lost of data when
items.itemcallnumber is linked with a plugin.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 15030 - continue. The enumchron value was overwritten by 'header' even when value supplied

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 15030 - Fixes the serials fields associated with a plugin, to not overwrite the previously saved value

This fixes the remaining fields from serials-edit.pl that were seeing their previously entered values
be oblitarated with each new edit.  The fields associated to a plugin (dateaccessioned and barcode) were
always displaying <empty> with each new edit, losing the previous effort.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 15030 - Certain values in serials' items are lost on next edit

When editing serials subscription, we can edit them but some values are not pulled from the DB correctly to be put in the edit box.  If not noticed, the value will be overwritten on the next save.

Test:
- Create a subscription
- Edit itemcallnumber (952o?) and make sure to have a different value than the default one.
- Save.
- Edit it again
- The saved value is not there.

This is true for itemcallnumber and a few other fields.

This was caused by calls to ->field($subfield).  This would always fail, of course.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17255 - Upgrade Elastic Search code to work with version 5.1

Builds on top of commit:
    Bug 17255 - Upgrade Elastic Search code to work with version 2.4+ - rebased wip

-Fix data type 'string' to 'keyword' and 'text'
-index: not_analyzed deprecated, replaced with type: keyword which is equivalent
-store: yes was deprecated, use store: true

TODO: Installer bindings to both the debian package install and the raw developer install.
A taster in Buug 17851

ZE TEST PLAN

0. Remove existing ES and reinstall ES 5.1
   apt-get purge elasticsearch
   Follow instruction here:
   https://www.elastic.co/guide/en/elasticsearch/reference/current/deb.html

1. Reset Elasticsearch index since facets are hard coded to dynamic search_marc_mappings.
1a. perl -e 'use Koha::SearchEngine::Elasticsearch; Koha::SearchEngine::Elasticsearch->reset_elasticsearch_mappings();'
1b. If you get trouble, simply DELETE FROM [search_fields|search_marc_to_fields|search_marc_mapping];
    and retry 1a.
1c. Destroy elasticsearch index
    curl -XDELETE localhost:9200/koha_biblios
    so it can be recreated

2. Recreate the index:
   perl misc/search_tools/rebuild_elastic_search.pl
2a. Add something to index if your koha.biblio-table is empty

3. Fetch all indexed records and the facet for subject__facet

curl -XGET localhost:9200/koha_biblios/data/_search?pretty -d '{
  "aggregations": {
    "my_agg": {
      "terms": {
        "field": "subject__facet"
      }
    }
  }
}'

4. Run the included tests:
   perl t/db_dependent/Koha_Elasticsearch_Indexer.t
   perl t/db_dependent/Koha_Elasticsearch.t
   perl t/db_dependent/Koha_SearchEngine_Elasticsearch_Search.t

Have fun with your new ES 5.1 cluster!

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17255 - Upgrade Elastic Search code to work with version 2.4+ - rebased wip

-Changed deprecated facets to aggregations
-Fixed boolean datatypes not allowing analyzers to be specified
-Fixed deprecated '_id' to 'es_id'. Now the ES-index has the correct id==biblionumber

ZE TEST PLAN

1. Reset Zebra index since facets are hard coded to dynamic search_marc_mappings.
2. perl misc/search_tools/rebuild_elastic_search.pl
3. Fetch all indexed records and the facet for subject__facet

curl -XGET localhost:9200/koha_biblios/data/_search?pretty -d '{
  "aggregations": {
    "my_agg": {
      "terms": {
        "field": "subject__facet"
      }
    }
  }
}'

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 18033: Remove duplicate code in paycollect.pl

Test plan:
0) apply the patch
1) try to pay individual fee, with full amount and partial amount
   it should work the same as before patch

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17960 - DBRev 16.12.00.007

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17960: Replace missing occurrences

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17960: Add opac_news.content values in tests

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17960: DBIC Schema changes for opac_news.content

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17960: Update installed files

  git grep opac_news.new installer
should not return any occurrences in sql files

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17960: Rename opac_news.new with opac_news.content

The field opac_news.new is very confusing and should be renamed.
If you want to access it via Koha::NewsItem you will have trouble:

  use Koha::News;
  my $news_item = Koha::News->next;
  say $news_item->new;

=> Attempt to bless into a reference at /home/vagrant/kohaclone/Koha/Object.pm line 78.

This patchset is going to rename this DB field to opac_news_content instead.

Since the opac_news.new can be used in notice templates, we need to warn the
user during the update DB process that some templates must be updated.

Test plan:
0/ Apply the first patch "Add a test to highlight the issue" and confirm that
the test fail
1/ Apply this second patch
2/ Execute the DB entry
3/ Confirm that you get a warning if at least one of your notice templates is
using opac_news.new
4/ Confirm that the test new pass
5/ Add/update and delete a news
6/ Confirm that the RSS new feed still works as expected

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17960: Add a test to highlight the issue

With only this patch applied, proving t/db_dependent/Koha/News.t
will return
  "Attempt to bless into a reference at /home/vagrant/kohaclone/Koha/Object.pm line 78."

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17610 - Allow the number of plack workers and max connections to be set in koha-conf.xml

It would be nice if we could control the number of workers and max
requests on a per instance basis, rather than the numbers being
hardcoded in the plack startup script.

Test Plan:
1) Build a new package of Koha with this patch applied ; )
2) Verify koha-plack still works
3) Add the following to the config section of your koha-conf.xml:
 <plack_max_requests>75</plack_max_requests>
 <plack_workers>4</plack_workers>
4) Stop plack
5) Start plack
6) Verify the number of works and max requests worked!

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Larry Baerveldt <larry@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Rebased against master and added a description for the new configuration
entries

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17902: Follow-up fixing SQL statement

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17902: Fix possible SQL injection in serials editing

/cgi-bin/koha/serials/serials-edit.pl?serstatus=*/+,2,3,'2016-12-12','2016-12-12',6,'jjj7','jjj8'%20--%20-&subscriptionid=1+and+1%3d2+Union+all+select+111+/*

The SQL query is not constructed correctly, placeholders must be used.
Subscription id and status list can be provided by the user.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Revert "Bug 17902: Fix possible SQL injection in serials editing"

This reverts commit 904716f581102887c27d5bfc727430564cc12284.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17902: Fix possible SQL injection in serials editing

/cgi-bin/koha/serials/serials-edit.pl?serstatus=*/+,2,3,'2016-12-12','2016-12-12',6,'jjj7','jjj8'%20--%20-&subscriptionid=1+and+1%3d2+Union+all+select+111+/*

The SQL query is not constructed correctly, placeholders must be used.
Subscription id and status list can be provided by the user.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Revert "Bug 17902: Fix possible SQL injection in serials editing"

This reverts commit 8924439054fec94acabef6045f21369117e528f0.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17902: Fix possible SQL injection in serials editing

/cgi-bin/koha/serials/serials-edit.pl?serstatus=*/+,2,3,'2016-12-12','2016-12-12',6,'jjj7','jjj8'%20--%20-&subscriptionid=1+and+1%3d2+Union+all+select+111+/*

The SQL query is not constructed correctly, placeholders must be used.
Subscription id and status list can be provided by the user.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 9569: Security patch for AutoLocation

If a patron is not allowed to access the staff interface because its IP
address in the authorised range of IPs, the cookie should not contain
the CGISESSID.
If it is, the patron is logged in and will be able to access the staff
interface if he reload the page (or hit another one).

Test plan:
Confirm the that AutoLocation feature is now working as expected.

Note: It seems that this feature has never really worked as intended.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 9569: Update warning message

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 9569: Do not check the IP for login at the OPAC

At the OPAC, the AutoLocation feature should not be taken into account:
login to the OPAC from outside the IP range should work

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 9569: Remove unused occurrence of AutoLocation

`git grep ManualLocation` does not return any results

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 9569: AutoLocation should not depend on IndependentBranches

Those 2 prefs can be independent and it does not make sense to consider
AutoLocation only if IndependentBranches is set.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 9569: Fix AutoLocation - handle .* for subnets

The example in branches.tt is:
  Can be entered as a single IP, or a subnet such as 192.168.1.*

But actually the regex in C4::Auth does not handle subnets.

Test plan:
0/ Apply all the patches
1/ Switch AutoLocation on
2/ Define a subnet (192.168.0.* if your ip is like 192.168.0.X) in the IP
range of your library
3/ Log in on the staff interface
=> Should work

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17905: FIX CSRF in member-flags

If an attacker can get an authenticated Koha user to visit their page
with the url below, privilege escalation is possible

The exploit can be simulated triggering
    /cgi-bin/koha/members/member-flags.pl?member=42&newflags=1&flag=superlibrarian

Test plan:
Trigger the url above
=> Without this patch, 42 is now superlibrarian
=> With this patch, you will get the "Wrong CSRF token" error.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17904: Fix possible SQL injection in late orders

To recreate:
/cgi-bin/koha/acqui/lateorders.plop=send_alert&ordernumber=1)and%20(select*from(select(sleep(20)))a)--%20&letter_code=0

Notice the delay.

The SQL query is not constructed correctly, placeholders must be used.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17903: Fix possible SQL injection in serial claims

To recreate:
/cgi-bin/koha/serials/claims.pl?serialid=1)and%20(select*from(select(sleep(20)))a)--%20&letter_code=0

Notice the delay.

The SQL query is not constructed correctly, placeholders must be used.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17901: Force context to scalar

See bug 15809 for more references.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17901: Fix possible SQL injection in shelf editing

It has been reported that
/cgi-bin/koha/opac-shelves.pl?op=edit&referer=view&shelfnumber=146&owner=4&shelfname=testX&sortfield=titleaaaaaa\`&category=1

Could lead to SQL injection
Actually it explodes because the generated SQL query is not correctly formated.

However it would be good to limit the possible values for sortfield.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17900: Update the tests to the new API

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17900: Fix possible SQL injection in patron cards template editing

To recreate:
/cgi-bin/koha/patroncards/edit-template.pl?op=edit&element_id=23%20and%201%3d2+union+all+select+1,user(),@@version+--%20

Look at the Profile dropdown list.

To fix this problem and to make sure it does not appears anywhere else
in the label and patroncards modules, I have refactored the way the
queries are built in C4::Creators::Lib
Now all of the subroutine takes a hashref in parameters with a 'fields'
and 'filters' parameters.
From these 2 parameters the new internal subroutine _build_query will
build the query and use placeholders.

Test plan:
1/ Make sure you do not recreate the vulnerability with this patch
applied.
2/ With decent data in the labels and patroncards modules, compare all
the different view (undef the New and Manage button groups) with and
without this patch applied.
=> You should not see any differences.

This vulnerability has been reported by MDSec.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17986: Perl dependency evaluation incorrect

It looks like I made a copy/paste error in a previous patch.

While the fix was working when you pass the param "module" to
version_info, it wasn't populating the version correctly
for the "all" param, which causes koha_perl_deps.pl to
think all OK modules actually need an upgrade.

TEST PLAN

0) Be on a system where you know your Koha Perl dependencies are
mostly up-to-date

1) Run ./koha_perl_deps.pl -a -c
2) Note that most modules say they need an upgrade even when
the installed version is the same as the minimum version

3) Apply patch

4) Run ./koha_perl_deps.pl -a -c
5) Note that most moduls say they're OK, especially when the
installed version is the same or greater than the minimum version

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Running koha_perl_deps.pl -u convinced me.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17588: ->get_issues has been replaced with ->checkouts

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17588: get_account_lines->get_balance has been replace with account->balance

On previous bugs

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17588: Koha::Patrons - Move GetMemberIssuesAndFines

The GetMemberIssuesAndFines subroutine used to retrieve the issues,
overdues and fines for a given patron. Most of the time, only 1 or 2 of
these values were used.
This patch removes this subroutine and uses the new get_issues,
get_overdues and get_balance method from Koha::Patron and Koha::Account::Lines.

Test plan:
1/ Add overdues, issues and fines to different patrons
2/ On the checkout, checkin and patron search result and the patron
detail pages, these 3 informations, if displayed before this patch, must be
correctly displayed.
3/ Use the batch patron deletion tool and make sure that patrons with a
balance > 0 are not deleted

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17824: Remove C4::Members::GetBorrowersWhoHaveNeverBorrowed

This subroutine is no longer in used and can be removed.

Test plan:
  git grep GetBorrowersWhoHaveNeverBorrowed
must not return any results

NOTE: grep -i getborrowerswhohave `find . -type f`
      works well enough to find the cleanborrowers.pl too.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 17501: [Follow-up] QA Requests

This patch makes the following changes, as requested by QA:

[1] UploadedFile->delete always calls SUPER::delete.
    The return value normally comes from SUPER::delete; if removing the
    file failed, we return false. Two warns are kept.
    Since delete does no longer return the filename, a few changes were
    needed in tools/upload.pl.
[2] Method getCategories is moved to UploadedFiles. Script tools/upload.pl
    now only contains one call. Added a use C4::Koha.
[3] Calls UploadedFiles->delete as class method. As a result I removed
    method delete_errors for now; may be reconsidered on a new report.
[4] Adjusted three ->search calls for id and public to ->find calls.
[5] If you pass no id to upload.pl when deleting, you don't get an alert.

All by all, we got rid of 15 lines !

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>