From 79c37dc8ed3efd1886d6c5619b2d1eb004a19713 Mon Sep 17 00:00:00 2001
From: Joe Atzberger
Date: Fri, 7 Mar 2008 01:09:42 -0600
Subject: [PATCH] basket.pl and template - Many fixes including SQL injection security check,
Signed-off-by: Joshua Ferraro
---
 acqui/basket.pl | 106 ++++++++++--------
 .../prog/en/modules/acqui/basket.tmpl | 48 +++++---
 2 files changed, 94 insertions(+), 60 deletions(-)
diff --git a/acqui/basket.pl b/acqui/basket.pl
index 0baae792c4..0e2947328e 100755
--- a/acqui/basket.pl
+++ b/acqui/basket.pl
@@ -29,12 +29,7 @@ use C4::Acquisition;
 use C4::Bookfund;
 use C4::Bookseller;
 use C4::Dates qw/format_date/;
-
-use vars qw($debug);
-
-BEGIN {
-    $debug = $ENV{DEBUG} || 1;
-}
+use C4::Debug;
 =head1 NAME
@@ -43,8 +38,8 @@ basket.pl
 =head1 DESCRIPTION
 This script display all informations about basket for the supplier given
-    on input arg. Moreover, it allow to add a new order for this supplier from
-    an existing record, a suggestion or from a new record.
+    on input arg. Moreover, it allows us to add a new order for this supplier from
+    an existing record, a suggestion or a new record.
 =head1 CGI PARAMETERS
@@ -52,7 +47,7 @@ basket.pl
 =item $basketno
-this parameter seems to be unused.
+The basket number.
 =item supplierid
@@ -67,7 +62,28 @@ the supplier this script have to display the basket.
 my $query = new CGI;
 my $basketno = $query->param('basketno');
 my $booksellerid = $query->param('supplierid');
-my $order = $query->param('order');
+my $sort = $query->param('order');
+
+my @sort_loop;
+if (defined $sort) {
+    foreach (split /\,/, $sort) {
+        my %sorthash = (
+            string => $_,
+        );
+        # other possibly valid tables for later: aqbookfund biblio biblioitems
+        if (
+            (/^\s*(aqorderbreakdown)\.(\w+)\s*$/ and $2 eq 'bookfundid' ) or
+            (/^\s*(biblioitems)\.(\w+)\s*$/ and $2 eq 'publishercode')
+        ) {
+            $sorthash{table} = $1;
+            $sorthash{field} = $2;
+        } else {
+            $sorthash{error} = 1;
+        }
+        push @sort_loop, \%sorthash;
+    }
+}
+
 my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
     {
         template_name => "acqui/basket.tmpl",
@@ -81,6 +97,7 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
 my $basket = GetBasket($basketno);
+# FIXME : what about the "discount" percentage?
 # FIXME : the query->param('supplierid') below is probably useless. The bookseller is always known from the basket
 # if no booksellerid in parameter, get it from basket
 # warn "=>".$basket->{booksellerid};
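Review bot: The whitelist loop only records whether each `order` term is valid in `@sort_loop` for the template; the raw `$sort` string is still handed unchanged to `GetOrders( $basketno, $sort )` in the next hunk, so a rejected term is reported to the user but still reaches the query unless GetOrders re-validates it, which is not visible here. Build the sort argument from the validated entries instead, e.g. after the loop `my @ok = grep { !$_->{error} } @sort_loop;` and `$sort = (@ok && @ok == @sort_loop) ? join(',', map { "$_->{table}.$_->{field}" } @ok) : undef;`, so a request containing any bad term falls back to the default ordering while the template still shows the error. The validated pieces are also what the template's "Sorted by" line should describe, so nothing is lost by discarding the raw string. `split /\,/` carries a needless escape; `split /,/` reads cleaner.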
@@ -115,44 +132,31 @@ else {
         "loggedinuser: $loggedinuser; creationdate: %s; authorisedby: %s",
         $basket->{creationdate}, $basket->{authorisedby};
-    my @results = GetOrders( $basketno, $order );
+    my @results = GetOrders( $basketno, $sort );
     my $count = scalar @results;
-    my $line_total;    # total of each line
     my $sub_total;     # total of line totals
-    my $gist;          # GST
     my $grand_total;   # $subttotal + $gist
-    my $toggle = 0; # my $line_total_est; # total of each line
     my $sub_total_est;     # total of line totals
     my $sub_total_rrp;     # total of line totals
-    my $gist_est;          # GST
     my $grand_total_est;   # $subttotal + $gist
     my $qty_total;
     my @books_loop;
     for ( my $i = 0 ; $i < $count ; $i++ ) {
         my $rrp = $results[$i]->{'listprice'};
+        my $qty = $results[$i]->{'quantity'};
         $rrp = ConvertCurrency( $results[$i]->{'currency'}, $rrp );
-        $sub_total_rrp += $results[$i]->{'quantity'} * $results[$i]->{'rrp'};
-        $line_total = $results[$i]->{'quantity'} * $results[$i]->{'ecost'};
+        $sub_total_rrp += $qty * $results[$i]->{'rrp'};
+        my $line_total = $qty * $results[$i]->{'ecost'};
+        # FIXME: what about the "actual cost" field?
         $sub_total += $line_total;
-        $qty_total += $results[$i]->{'quantity'};
-        my %line;
-        %line = %{ $results[$i] };
-
-        if ( $toggle == 0 ) {
-            $line{color} = '#EEEEEE';
-            $toggle = 1;
-        }
-        else {
-            $line{color} = 'white';
-            $toggle = 0;
-        }
-        $line{order_received} =
-          ( $results[$i]->{'quantity'} eq $results[$i]->{'quantityreceived'} );
-        $line{publishercode} = $results[$i]->{'publishercode'};
+        $qty_total += $qty;
+        my %line = %{ $results[$i] };
+        ($i%2) and $line{toggle} = 1;
+        $line{order_received}= ( $qty eq $results[$i]->{'quantityreceived'} );
         $line{basketno} = $basketno;
         $line{i} = $i;
         $line{rrp} = sprintf( "%.2f", $line{'rrp'} );
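Review bot: `($i%2) and $line{toggle} = 1;` introduces a flag that duplicates `$line{odd} = $i % 2;`, assigned a few lines later and visible as context in the next hunk, so the template is handed two names for the same row parity; keep one and drop the other. The rewritten `order_received` line still compares two quantities with string `eq`, so `2` and `2.0` would count as not received; `==` is the comparison intended for numeric columns, assuming quantityreceived is never NULL here (worth confirming). The enclosing `else` block starts before this hunk and continues past it.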
@@ -161,16 +165,22 @@ else {
         $line{odd} = $i % 2;
         push @books_loop, \%line;
     }
-    my $prefgist = C4::Context->preference("gist");
-    $gist = sprintf( "%.2f", $sub_total * $prefgist );
-    $grand_total = $sub_total;
-    $grand_total_est = $sub_total_est;
-    unless ( $bookseller->{'listincgst'} ) {
+    my $prefgist = C4::Context->preference("gist") || 0;
+    my $gist = $sub_total * $prefgist;
+    my $gist_rrp = $sub_total_rrp * $prefgist;
+    $grand_total = $sub_total_est = $sub_total;
+    $grand_total_est = $sub_total_est; # FIXME: Too many things that are ALL the SAME
+    my $temp;
+    if ($temp = $bookseller->{'listincgst'}) {
+        $template->param(listincgst => $temp);
+        $gist = 0;
+    } else {
         $grand_total += $gist;
-        $grand_total_est += sprintf( "%.2f", $sub_total_est * $prefgist );
+        $grand_total_est += $sub_total_est * $prefgist; # same thing as += gist
     }
-    my $grand_total_rrp = sprintf( "%.2f", $sub_total_rrp );
-    $gist_est = sprintf( "%.2f", $sub_total_est * $prefgist );
+    if ($temp = $bookseller->{'discount'}) {
+        $template->param(discount => sprintf( "%.2f", $temp ));
+    }
     $template->param(
         basketno => $basketno,
         creationdate => format_date( $basket->{creationdate} ),
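Review bot: When `listincgst` is set, `$gist` is zeroed but `$gist_rrp` is not, and in the next hunk `grand_total_rrp => sprintf( "%.2f", $sub_total_rrp + $gist_rrp)` and `gist_est => sprintf( "%.2f", $sub_total_est * $prefgist )` still add GST for a vendor whose listings already include it, so the RRP and estimate figures disagree with the `gist` value shown on the same page. Zero both in that branch, `$gist = $gist_rrp = 0;`, and derive `gist_est` from a variable that is zeroed there as well, assuming the RRP column follows the same GST-inclusive rule as the list price. Reusing `$temp` for two unrelated values via assignment-in-condition reads oddly; `my $listincgst = $bookseller->{'listincgst'};` and `my $discount = $bookseller->{'discount'};` would be clearer. The enclosing `else` block starts before this hunk and continues past it.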
@@ -186,14 +196,18 @@ else {
         address4 => $bookseller->{'address4'},
         entrydate => format_date( $results[0]->{'entrydate'} ),
         books_loop => \@books_loop,
+        sort_loop => \@sort_loop,
         count => $count,
-        sub_total => sprintf( "%.2f", $sub_total ),
-        gist => $gist,
+        gist => $gist ? sprintf( "%.2f", $gist ) : 0,
+        gist_rate => sprintf( "%.2f", $prefgist * 100) . '%',
+        gist_est => sprintf( "%.2f", $sub_total_est * $prefgist ),
+        gist_rrp => sprintf( "%.2f", $gist_rrp),
+        sub_total => sprintf( "%.2f", $sub_total ),
         grand_total => sprintf( "%.2f", $grand_total ),
-        sub_total_est => $sub_total_est,
-        gist_est => $gist_est,
-        grand_total_est => $grand_total_est,
-        grand_total_rrp => $grand_total_rrp,
+        sub_total_est => sprintf( "%.2f", $sub_total_est),
+        grand_total_est => sprintf( "%.2f", $grand_total_est),
+        sub_total_rrp => sprintf( "%.2f", $sub_total_rrp),
+        grand_total_rrp => sprintf( "%.2f", $sub_total_rrp + $gist_rrp),
         currency => $bookseller->{'listprice'},
         qty_total => $qty_total,
         GST => $prefgist,
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tmpl b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tmpl
index db774fe5e4..173b48ccc3 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tmpl
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tmpl
@@ -12,7 +12,10 @@ } //]]> - + +
@@ -46,6 +49,17 @@

Order Details

+ + + +
ERROR: Illegal sort requested by "". +
You will need to use valid sort criteria to return valid results.
+ +
Sorted by "".
+ + + + @@ -67,7 +81,7 @@ - + - - --> + + + - + - + - - - + + + + + - - - + + + + - + @@ -133,9 +151,11 @@
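Review bot: The new error message echoes the requested sort term back into the page (`Illegal sort requested by ""`, and again on the `Sorted by ""` line); that value is the `string` entry basket.pl copies straight from the `order` CGI parameter without normalising it. The template markup is stripped in this view, so I cannot see whether the variable is output with escaping; if it is not, use `<!-- TMPL_VAR NAME="string" ESCAPE="HTML" -->` in both places so a rejected term is displayed literally rather than interpreted as markup. The hunk boundaries are hard to make out here, so this may apply to the second template hunk as a whole.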
(rcvd) @@ -101,28 +115,32 @@ " /> " /> SubTotalSubTotal -->      
GST
GST () -->    
**
TOTAL ()TOTAL ()  
Basket empty
+ + ** Vendor's listings already include GST.
- +

Add To Order

-- 2.39.5