From 1293980793ceac2801591a5ee59851c44389426f Mon Sep 17 00:00:00 2001 From: Jan Kissig Date: Wed, 31 Jul 2024 14:40:16 +0200 Subject: [PATCH] Bug 37535: Adding a debit via API will show the belated patron as the librarian that caused the debit This patch fixes the addPatronDebit route so that the librarian that caused the debit is taken from either the requests payload user_id or if not set from the api user. Test plan: a) enable system preference RESTBasicAuth b) use a REST client to send a POST request with the following JSON body to http://localhost:8081/api/v1/patrons/5/account/debits { "amount": 1.23, "description": "some description", "internal_note": "internal_note", "type": "MANUAL" } Authentication username and password is "koha" c) verify that "user_id" is the same as patron_id in response. d) send a different request including user_id to the same endpoint { "amount": 1.23, "description": "some description", "internal_note": "internal_note", "type": "MANUAL", "user_id": 19 } e) verify that "user_id" is the same as patron_id in response. f) apply patch and repeat step b) and d) e) verify that user_id in b) is now 51 (which is the borrowernumber of koha user) f) verify that user_id in d) is now 19 as defined in request g) recheck on http://localhost:8081/cgi-bin/koha/members/accountline-details.pl?accountlines_id= (from response) that column Librarian now says the user from user_id h) sign off :) Signed-off-by: Tomas Cohen Arazi Signed-off-by: Katrin Fischer --- Koha/REST/V1/Patrons/Account.pm | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/Koha/REST/V1/Patrons/Account.pm b/Koha/REST/V1/Patrons/Account.pm index ab8676d98d..b80217b4bb 100644 --- a/Koha/REST/V1/Patrons/Account.pm +++ b/Koha/REST/V1/Patrons/Account.pm 
@@ -207,14 +207,14 @@ sub add_debit { my $c = shift->openapi->valid_input or return; my $patron = Koha::Patrons->find( $c->param('patron_id') ); + my $user = $c->stash('koha.user'); return $c->render_resource_not_found("Patron") - unless $patron; + unless $patron; return try { my $data = - Koha::Account::Debit->new_from_api( $c->req->json ) - ->unblessed; + Koha::Account::Debit->new_from_api( $c->req->json )->unblessed; $data->{library_id} = delete $data->{branchcode}; $data->{type} = delete $data->{debit_type_code}; @@ -223,11 +223,10 @@ sub add_debit { $data->{transaction_type} = delete $data->{payment_type}; $data->{interface} = 'api' ; # Should this always be API, or should we allow the API consumer to choose? - $data->{user_id} = $patron->borrowernumber - ; # Should this be API user OR staff the API may be acting on behalf of? + $data->{user_id} = delete $data->{manager_id} || $user->id; my $debit = $patron->account->add_debit($data); - $debit = Koha::Account::Debit->_new_from_dbic($debit->{_result}); + $debit = Koha::Account::Debit->_new_from_dbic( $debit->{_result} ); $c->res->headers->location( $c->req->url->to_string . '/' . $debit->id ); @@ -248,13 +247,13 @@ sub add_debit { } elsif ( $_->isa('Koha::Exceptions::Account::AmountNotPositive') ) { return $c->render( - status => 400, + status => 400, openapi => { error => $_->description } ); } elsif ( $_->isa('Koha::Exceptions::Account::UnrecognisedType') ) { return $c->render( - status => 400, + status => 400, openapi => { error => $_->description } ); } -- 2.39.5
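Review bot: The new assignment `$data->{user_id} = delete $data->{manager_id} || $user->id;` in the second hunk takes the acting librarian from the request body, and nothing visible in this diff checks that the id belongs to an existing patron or that the authenticated API user may record debits on that person's behalf. The test plan shows this value ends up in the Librarian column of the account line, so any client allowed to call this route can attribute a charge to another staff member, which weakens the audit trail. Unless the OpenAPI spec or the schema outside this diff already enforces it, I would reject unknown ids before calling `add_debit` and use `//` so that only a missing value falls back to the API user. Allowing the override only for callers with a suitable permission, and keeping the authenticated user in the action log, would be a further step that needs code not shown here. The enclosing `add_debit` sub starts and ends outside the hunk.

```perl
# … unchanged: field renames and $data->{interface} = 'api' …
my $manager_id = delete $data->{manager_id};
if ( defined $manager_id && !Koha::Patrons->find($manager_id) ) {
    return $c->render(
        status  => 400,
        openapi => { error => "Unknown user_id" }
    );
}

# Only a missing user_id falls back to the authenticated API user.
$data->{user_id} = $manager_id // $user->id;

my $debit = $patron->account->add_debit($data);
```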