Release notes for 3.20.15

Bumping version number to 3.20.15

Translation updates

Bug 17025: Fix XSS in serials-search.pl

Test plan:
Hit
  /serials/serials-search.pl?ISSN_filter="%2F><script>alert('XSS')<%2Fscript>&searched=1
  /serials/serials-search.pl?title_filter="%2F><script>alert('XSS')<%2Fscript>&searched=1

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 1ea1504c30c5c34dd763027caee55dcf359e94cf)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit d432c5bba836601b809a9f807af05ef85e952453)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 422eeb01fe83e3e9166406cfb244e3053ad72bd6)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 17021: Fix XSS in circ/returns.pl

Test plan:
Enter the following in the barcode input:
<script>alert('XSS')</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 12b4c83f5a5c11af635cae83e6837ff80dc02da7)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit 4f5121a99e063fc05fb19caac89e5a56b1ff0afb)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit f4a9e942424524da9251f4d55dd01fd08e05846f)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 16969 cgi->param used in list context in opac-memberentry.pl

To test
1/ Hit the page, notice the warning in the log
2/ Apply patch
3/ Hit page, notice no warning in the log
4/ Test functionality all still works

Works as expected. (Note: See Bug 16960 for updating patron details).
Signed-off-by: Marc <veron@veron.ch>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Release notes for 3.20.14

Bumping version number to 3.20.14

PO file updates

Bug 17029: Fix XSS in catalogue/*detail.pl

Hit
  /cgi-bin/koha/catalogue/detail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
  /cgi-bin/koha/catalogue/ISBDdetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
  /cgi-bin/koha/catalogue/MARCdetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
  /cgi-bin/koha/catalogue/moredetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
  /cgi-bin/koha/catalogue/labeledMARCdetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Bug 17036: Fix XSS in circulation.pl

Test plan:
Enter the following in the "Check out" tab:
"><script>alert('XSS')</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Bug 17038: Fix XSS in catalogue/search.pl

Test plan:
Search for something like:
  \";alert(1)//135

=> Without this patch you will see the alert
=> With this patch, no more alert

Note that this fix the parameters idx, q and op

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

FIxing a typo that was busting the upgrade

Bug 17022: Fix XSS in acqui/z3950_search.pl

Test plan:
Enter the following in the different inputs:
<script>alert('XSS')</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 17023: Fix XSS in cataloguing/z3950_search.pl

Test plan:
Enter the following in the different inputs:
<script>alert('XSS')</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 16975 : @INC should not have '.' as its last entry

To Test
1/ Try using a plugin
2/ Apply patch
3/ Test plugin still works

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 28eae42d2d09c14d0bb1bd3e1655714b33711ab3)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit 1cf1c89f304fd2d84a1264041e8834444d1c8bf3)
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Bug 17022: Fix XSS in circ/branchtransfers.pl

Test plan:
Enter the following in the barcode input:
    <script>alert('XSS')</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit c63d0b311b5e7ba882d19b9b8a71838256de98cf)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit 46322ffc6e683d0583283e7485548d46c9586019)
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Bug 17026 XSS in checkexpiration.pl

Bug 17028: Fix XSS in reserve/request.pl

Test plan:
Hit
  /cgi-bin/koha/reserve/request.pl?biblionumber=1"><script type="text/javascript">alert("XSS")</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 66f81fc2101f194d39592bc28f3e2ff69764bc00)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit 542c0dbbaa8bff5a101058e0e2397e21edf8f192)
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Bug 16587: Same fixes for the staff interface

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 16587 opac-sendshelf.pl is vulnerable to XSS

To test
1/ Hit a url like
http://localhost:8080/cgi-bin/koha/opac-sendshelf.pl?email=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3Ezz%40zz&comment=tes&shelfid=4
2/ Notice you get a js alert
3/ Apply patch
4/ Notice the js is now escaped

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 16587 - opac-sendbasket.pl is open to XSS

To test
1/ Hit a url like
http://localhost:8080/cgi-bin/koha/opac-sendbasket.pl?email_add=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3Ezz%40zz&comment=tes&bib_list=3

Where bib_list is a valid basket number
2/ Notice you get a javascript alert showing
3/ Apply patch
4/ Notice the text is now escaped

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Bug 16593: Do not allow patrons to delete search history of others patrons

A malicious user can delete the search history of all other users by
correctly guessing the ID value assigned to the victim's search. As
searches are assigned values sequentially, an attacker could quickly
remove the searches belonging to all of the application's users.

To reproduce:
Login with patron A
launch a search
Note the id generated for this search history:
select id from search_history order by id desc limit 1;
Login with patron B
Hit /cgi-bin/koha/opac-search-history.pl?action=delete&id=<ID>
Note that the row is deleted in the DB

Test plan
Confirm that this patch fixes the issue.
The same test can be made at the staff interface

Reported by Alex Middleton at Dionach

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 16958: Fix XSS in opac-imageviewer.pl

Test plan:
Trigger
/opac-imageviewer.pl?biblionumber=14&imagenumber=7"><sCrIpT>alert(42)<%2fsCrIpT>

=> Without this patch you will see the JS alert
=> With this patch applied you won't see it

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 16476: Do not call CGI->param in list context, some more

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Release notes for 3.20.13

Updating version number to 3.20.13

PO file updates for 3.20.13

Bug 16720: Remove DBIx ActionLogs.pm

The update_dbix_class_files.pl script generates ActionLog.pm instead, which is
already on the source tree.

To test:
- Apply the patch
=> SUCCESS: Koha/Schema/Result/ActionLogs.pm is removed
- Run:
  $ mysql -uroot
  > CREATE DATABASE dbic; \q
  $ mysql -uroot dbic < kohaclone/installer/data/mysql/kohastructure.sql
  $ misc/devel/update_dbix_class_files.pl --db_name dbic --db_user root
=> SUCCESS: Koha/Schema/Result/ActionLogs.pm is not re-generated
- Run:
  $ git grep ActionLogs
=> SUCCESS: There's no code using it
- Sign off

Signed-off-by: Srdjan <srdjan@catalyst.net.nz>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit b8c950a4c1b1ead8a58686b27c95f9891cdccbae)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit c0d3e6db1191e2bb63da70cf1d3280f25efe7bfa)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit ffd86f218e50124ff0090bb4e41fc4a32cb51b99)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 16502: Replace a few other ok-calls by is-calls

Trivial changes that speak for themselves..

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Srdjan <srdjan@catalyst.net.nz>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 8204024f1c21102c0649dec70d10398131aab953)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit 2b7a9479b601e224ff6cdbdcc3162426a4727406)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit b58e8642b0d6b98a9e59a6e53d21472cb38a1e42)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 16502: Adjust test for GetPlugins

The current test assumes that GetPlugins will return the test plugin
as the first one in the array. This is not correct.
This patch adjusts the test to a grep.

Test plan:
Run the test.
Bonus: Add additional plugins. Run the test again.

Signed-off-by: Srdjan <srdjan@catalyst.net.nz>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 6ad5770786c6646ce68ffdfec9080645fc25772e)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit 64382be0d45ad6d43bb86bda095ca1a3699d1265)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit d1dff4c3bde88c2b7c2bb6722ef07d1fcf5f5cce)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 16502: Add additional test to Plugins.t

In order to verify if the delete now really works, we add one test
in Plugins.t.

Test plan:
[1] Run the test.
[2] Bonus: Comment line 63 in Plugins.t where delete is called.
    Run the test again. It should fail now.

Signed-off-by: Srdjan <srdjan@catalyst.net.nz>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 959d69fa0107423ed31e20f4a6afb46d1e5c771c)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit 0632256c1aca919ec055dd5f170ac10d84cc8ec7)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit e41863bfa9bf73066d2ec43a3b8e843fa1f0222f)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 16502: Table koha_plugin_com_bywatersolutions_kitchensink_mytable not always dropped after running Plugin.t

If you run Plugin.t, the above table will still be present (when you
did not enable UseKohaPlugins). This would trigger a warning when
running the test a second time.

Why? The uninstall call does its work not completely due to a small
inconsistency in Koha::Plugins::Handler::delete when calling run
without the enable_plugins parameter.

This patch resolves that inconsistency and also removes an unneeded skip
in Plugin.t in case the KitchenSink module already exists.
Note: This is a small fix. But I wonder if the Handler routines run and
delete should not have been implemented in Koha::Plugins::Base.
Also note that plugins/plugins-uninstall.pl will not be affacted by this
change, since it checks whether the pref is enabled before calling the
delete method.

Test plan:
[1] Do not yet install this patch.
[2] Verify that plugins are enabled in koha-conf.xml.
[3] Disable UseKohaPlugins in System Preferences!
[4] Run t/db_dependent/Plugins.t.
[5] Verify that table koha_plugin_com_bywatersolutions_kitchensink_mytable
    still exists. (It should have been deleted.) Remove it manually.
[6] Apply this patch.
[7] Run the test again.
[8] Verify that the table does not exist.
[9] Run the test again (without warnings).

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Srdjan <srdjan@catalyst.net.nz>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 4263ac2b92737024d8d620a751babf72b904b73a)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit 4ebe7b489c9798d2456bd3de1d95ec6e027b2b21)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 752e31425efa34fa6f21446fb18cf34ba31fc441)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Release notes for 3.20.12

Bumping version number for release

Translation updates for 3.20.12

Merge tag 'v3.20.11' into fix_3.20.x

Koha release 3.20.11

Bug 16597: Fix XSS in opac-shareshelf

To test
1/ Go to /cgi-bin/koha/opac-shareshelf.pl?op="><script>alert('XSS')</script>&shelfnumber=5
2/ Notice you see a js alert
3/ Apply patch
4/ It is gone

Reported by
Alex Middleton at Dionach

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit c47c835672a8fcd8c7df79663443f01639fc7657)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 8d6486013b504fa652b43b2a20c3bb4da25034fd)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 16599: Fix other potentials XSS for shelfname

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit bb4543f7db62836b048c632a0a184acb021286ad)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit dd94d1bc4ca68d8466b4d7fb154c6714a7782b58)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 16599: Fix XSS in opac-shareshelf.pl

Test plan:
- Create a list with the name "<script>alert(1)</script>"
- On the shelf list, click on share
=> Without this patch you will see the JS alert
=> With this patch applied you won't see it

Reported by Kaybee at Dionach

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit a44a930c076fceca0f7193f488e187d9849f89b6)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 858e3b2043e0eb1ce5bb9a6c36b3b87afb69ae22)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 16220 : Updated minified css

Bug 16220 - The view tabs on opac-detail.pl are not responsive

When looking at the detail page for a bibliographic record, there are
tabs linking to the "Normal," "MARC," and "ISBD" views. These tabs need
to be styled responsively so that they work well at all browser widths.

This patch makes some slight markup changes to the templates and updates
the LESS files to add responsive styling.

This patch does not include the compiled CSS file, so the follow-up is
required to test the visual changes.

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 0fcbf1efe10a4269e3705dce10ef632e1739dbb1)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit c760866e237b758bd34d3a6cb6283592bf7c3416)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 16159 - guarantor section missing ID on patron add form

In the patron entry form template most <fieldset> and <legend> tags have
unique ids. This patch adds ids to fieldsets and legends which lack
them.

To test apply the patch and view the patron entry form. There should be
no visual changes. There should be no HTML validation errors triggered
by this change.

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit 553d06073b8af0ab6ed33393b22a953e3feca1e6)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit eba902ced599bce927c59c48ae930fd7d62cafb5)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 16407: Simplify comments

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 671f81e877a3e23127a2e8078921760e9b449a27)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 4b0c36846117212cff4db09f06f719be5aea308e)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 16407: Fix Koha_borrower_modifications.t

This test was using hardcoded borrower number, assuming they should be
present. Now we use TestBuilder.

Test plan:
Run the test.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Test pass before and after patch.
No errors

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit d8d4277471908bf046d04b4e94eed6cd4c94f63b)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 9112e88901c419f54ba34ff4eab0a6a744b31990)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 16709: Followup of bug 11038 for 3.20.x only

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
  Good catch, bad bug

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amended patch: remove space and apply same order than in master (CSS then
JS)

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Fixing number of tests in t/db_dependent/Members.t

Bug 16315 - OPAC Shelfbrowser doesn't display the full title

This patch adds subtitle information to the display of titles in the
OPAC's shelf browser.

To test, apply the patch and make sure OPACShelfBrowser is enabled.

- View the detail page for any title in the OPAC which has items.
- Click the "Browse shelf" link next to any item in the holdings table.
- The titles in the shelf browser should display with all subtitle
  information as defined in Keywords to MARC mapping.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Adding 245a and c as 'subtitle' in Keywords to Marc make them
show on shelf browser.
No errors.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit 67f91f24e537ef93d0c121b68681dcdec9f417e1)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit b47e87d0820c3f2e1afa4679c13234abc4d86517)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 15682 - Only allow merging of 2 or more records form lsits (for consistency)

Test as above but on shelves.pl

Signed-off-by: Chris Cormack <chrisc@catalyst.net.z>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit 9550e37fc66402500adf8bca7a1c90ee0104cdd0)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 9f1e23735f46a8b014d4a8983796f1b8b37cc9b4)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 15682 - Merging records from cataloguing search only allows to merge 2 records

To test:
1 - Perform a cataloging search
2 - Attempt to merge 0 results - should fail
3 - Attempt to merge 1 resutls - should fail
4 - Attempt to merge 2 results - should succeed
5 - Attempt to merge 3 results - should succeed
6 - Test any other amount of records and if more than 1 it should
succeed

**Note: On shelves.pl you can merge a single record.  I think that is
incorrect so made this only work for 2. Will add a followup to fix
shelves.pl

Signed-off-by: Chris Cormack <chrisc@catalyst.net.z>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit 8f1e5ad95fd78cbf09028e3d2dfe0b2b77d4dd21)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit aa8b468a13760b23c6ea29fddd43ade34e594af0)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 15194 - Drop-down menu 'Actions' has problem in 'Saved reports' page with language bottom bar

This patch changes the direction of the "actions" menu on the saved
reports page so that it popup up instead of down.

To test, apply the patch and go to Reports -> Saved reports.

- Click the "Actions" menu for any report and confirm that the menu
  displays above the button instead of below it.

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit de98a936751efc00d893f6e74e440416d66140b4)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 1e494ae15ed819512a9b04a3b7ffd76c38a36018)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 14632: Add Copyright for the Koha Dev Team

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

https://bugs.koha-community.org/show_bug.cgi?id=14362

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 68dbe8415f17801798fea26803b9bd9fd5e713bb)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit ac49b0fc706764f823d46aa7514e793beef98301)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 14362: Regression tests

This should trigger the error. Attempts to shift system time
zones did not make sense as to the number of failures.

Added Time::Fake dependency, if it isn't installed these extra
tests don't run. There is a nice skip message about it.

Added License text.

TEST PLAN
---------
 1) apply test patch
 2) sudo dpkg-reconfigure tzdata
    -- set your system time to GMT (Africa/Abidjan)
 3) prove t/Circulation/AgeRestrictionMarkers.t
    -- should not fail, even if you change system
       time to any time.
 4) sudo dpkg-reconfigure tzdata
    -- set your timezone to Eastern
 5) sudo date -s"2015-06-18 21:15:00"
 6) date
    -- should be past 9pm Eastern timezone
 7) prove t/Circulation/AgeRestrictionMarkers.t
    -- kaboom!
 8) sudo date -s"2015-06-18 12:00:00"
 9) date
    -- should be noon Eastern timezone
10) prove t/Circulation/AgeRestrictionMarkers.t
    -- success?! Time sensitive tests are bad tests.
11) sudo apt-get install libtime-fake-perl
12) prove t/Circulation/AgeRestrictionMarkers.t
    -- kaboom!
    -- changing timezone to anything other than GMT
       should trigger a kaboom.
13) apply fix patch
14) prove t/Circulation/AgeRestrictionMarkers.t
    -- should work all the time.
15) less t/Circulation/AgeRestrictionMarkers.t
    -- the license text should be similar to
       http://wiki.koha-community.org/wiki/Coding_Guidelines#Licence
16) koha qa test tools.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit a2aba3c86f106603212eb2c5beb52c3cdfe49857)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Conflicts:
C4/Installer/PerlDependencies.pm

(cherry picked from commit 975f7bb9aa32f47f61ab0afd67f537d8d24ea9d6)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 14362: PEGI15 Circulation/AgeRestrictionMarkers test fails

It is best to test when UTC date is a date in the future compared
to your timezone. I'm in Eastern, so right now, I expect this
test to fail for another 2.5 hours.

TEST PLAN
---------
1) prove t/Circulation/AgeRestrictionMarkers.t
   -- fails for PEGI 15 after 9pm.
2) Apply patch
3) prove t/Circulation/AgeRestrictionMarkers.t
   -- works.
4) koha qa test tools

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 73f55165bef229668a135bee7e8c90a2c9c3f0a7)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit c894bd4ab5401aec642089f00c9e6b3909e01d2b)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 13877 - Fix QA issues

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
No koha-qa errors

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit b84aa1779e0aa09c1a307e195908a205ea82aa88)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 3cbbf6b8edd963d44c602279555364c2a9fdbf16)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 13877 - Make serialseq season name translatable regardless its position in a string

Signed-off-by: Chris Cormack <chrisc@catalyst.net.z>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit adb8d41053357eeb68fa148a04c2202df6e54974)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit e0f8aff8a958a0ce3b47e94939bb6d467c69ad1b)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 13041: Fix add of basket's manager when name contains a single quote

If you are trying to add a user as a manager of a basket in
acquisitions, a JavaScript error will be triggered if that user has a
single quote in their name (e.g. "O'Neil"). This patch corrects the
issue.

Also changed by this patch: Increased the size of the patron search
popup and made a correction to some invalid HTML.

To test you should have a patron whose name contains a single quote who
is also a user with permission to manage acquisitions.

- Apply the patch and go to Acquisitions.
- Locate an open basket and view the details for that basket.
- In the "Managed by" section, click the "Add user" button to trigger
  the patron search popup.
  - Search for the patron described above and click the "Add" button.
  - In the parent window, the patron you chose should have been added to
    the "Managed by" section.

Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 964a1888138e276a78be5d84a70559ace6418e79)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 12721: (followup) Replace mysqlism by DBIx::Class

This patch removes the mysqlism (see comment #18)

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Fixed QA tools complaints about missing lines before
and after =cut in POD.

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit ef97b6b301a5c1a9ef5c63cc93933bf7442513fc)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 8fb9837adeecce2896085d9f3d463633a2cbb8ae)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 12721 - Prevent software error if incorrect fieldnames given in sypref StatisticsFields

To reproduce issue:
See comment #1

To test:
- Apply patch
- Leave syspref StatisticsFields empty
- Display statistics for an author

  => Result: Table displays Shelving location, Collection code, Item type
           (as before)

- Change syspref to any combination of location|itype|ccode
  => Result: Table displays columns as appropriate

- Change syspref to some garbage
  => Result: Same as with empty syspref (was crashing without patch)

- Change syspref to valid combination with trailing |
  => Result: Table displays columns as appropriate (was crashing
     without patch)

- Change syspref to a combination of valid and invalid fields
  (location|blah|ccode)
  => Result: Table displays column of valid fields only (was crashing
     without patch)

Signed-off-by: Aleisha <aleishaamohia@hotmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 5fc93bce9b786797724539bea1a1689e959078e6)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 36392d8a0cc07c3d5de51ec53c529d3a7d777508)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 12721 - Syspref StatisticsFields: Warning on About page and text change in System preferences

This patch adds a warning to the about page if the syspref 'StatisticsFields' is misconfigured.
Additionally, the text on Home > Administration > SystemPreferences for 'Statistics Fields'
is changed.

To test:
- Apply patch
- Edit syspref 'StatisticsFields'. Verify that the explanation makes sense.
- Leave field empty
  => verify that no message appears on About page, tab System information
- Insert valid field names, e.g. location|itype
  => verify that no message appears on the About page
- Add trailing char
  => verify that the warning message appears on the About page
- Fill in some garbage or misspell a field name
  => verify that the warning message appears on the About page

Signed-off-by: Aleisha <aleishaamohia@hotmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 95f492b4d2505103269b295a34bab74804df9746)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit f6694ce92ff4b60aea1234e9a138853fb0406f18)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 16426: follow-up of bug 15840 - correctly manage userid while inserting patrons

Bug 15840 tried to fix a bug but makes things more complicated than it
was before.
If an userid is not provided for 1 or more rows of the csv file, it
should not be updated. However, if a userid is provided and it already
used by an other patron, the import should fail for this row (but not
crash!).

Test plan:
0/ Create a patron with a userid=your_userid
1/ Use the import patron tool to update this userid
=> userid should have been updated
2/ Update another data and do not provide the userid
=> data should have been updated and not the userid
3/ Update another data and provide the userid, but set it to an empty
string, or '0'
=> data should have been updated and not the userid
4/ Update another patron, and set userid=your_userid
=> Update should fail and an error whouls be displayed ("already used by
another patron")

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 7b76b24fad305b0253eb1d779f074d265087ca73)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit b53075b58df01e65371e13dee0b6848d12a181f2)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 16426: Add tests for ModMember - do not update userid

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit e883c19f3778c0247c11e6bdd3f27bbdd927468d)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit ea45e3f39ebdd2a33b7ea00730ef278ba0f461a7)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Bug 12752: FIX letter names in 3.15.00.041

3.15.00.041 was wrong, the name of the letter should not always been the
name of the first HOLD notice.
PREDUE_PHONE should be updated with the first name of the PREDUE notice,
same for OVERDUE_PHONE and OVERDUE

Signed-off-by: Chris Cormack <chrisc@catalyst.net.z>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 6d52cd63f351cd56f36492b80c10c0d8568ef03d)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 6ca552c2e86a4459ba8a68903b7ac60c614731af)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Translation for 3.20.11

Version 3.20.11

Bug 15930: Make patron searches defaulting on 'contain'

The default patron search types has changed from 'contain' to
start_with. Users consider it as a bug.
This patch revert the previous changes to default on 'contain'.

Test plan:
Search for patrons in different places (guarantor, checkout, patron
module, acquisition module, etc.) and confirm that the default is always
'contain'

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>

Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit a8491dc156db9d746b0f5ddd6175b66bf1bfa4ab)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit f2c5b7b036a47289a069f89bf3e63ede548058d8)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 1750 - Report bor_issues_top erroneous and truncated results.

Signed-off-by: Mason James <mtj@kohaaloha.com>

TEST PLAN
---------
1) Ensure you have some checkouts
2) Home -> Reports
        -> Patrons with the most checkouts
3) Click 'Submit'
   -- you get a list
4) Click a patron name.
5) Note the borrower number.
6) In MySQL run something like:
   > UPDATE borrower SET firstname=NULL WHERE borrowernumber=####
7) Refresh the report page
   -- name goes totally blank
8) apply patch
9) Refresh the report page
   -- only first name is lost
10) run koha qa test tools

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit b859739c2a6dc899176276022782ac3af7a0ad0c)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 8f4df78bd46e9e9c02f2841ef6bd1bba2bb39c6c)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 16210: Set X-Frame-Options to SAMEORIGIN in 2 other places

The login page should not be displayed if the page is displayed in a
frame.

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit 6efa491d1b2f92fa407aa49c7b678f9b642fc83f)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 7729ace7fa6fae2aec48abe80ea36d4f81197cbe)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 16210: Revert OPAC changes from Bug 15111

This patch reverts the changes made at the OPAC from the following
patches:

Do not include the antiClickjack legacy browser trick for greybox"

Revert "Bug 15111: Do not include the antiClickjack legacy browser trick for greybox"
This reverts commit fc640d2a86f395ad392f84314bce22e8b4dab1fe.

Revert "Bug 15111: Change X-Frame-Options with SAMEORIGIN"
This reverts commit fb167c0e4b897bf9a93b4fd6176b15e2d4dbd4df.

Revert "Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks"
This reverts commit dc03bca76cf5b7cb48d98d1ce245fc65b98be929.

Setting X-Frame-Options to SAMEORIGIN is enough for mordern browsers:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

The antiClickjack trick should be removed at the OPAC as we want to keep
the OPAC usable even if the user has disabled JS.
That means the OPAC will be vulnerable to XFS if a user is navigating
with a prehistoric browser:
Firefox 3.6.9 September 2010
IE 8    March 2008
Opera 10.5  March 2010
Safari 4  February 2009
Chrome 4.1.…  somewhen 2010

Test plan:
Confirm that there are no regression of bug 15111 with modern browsers

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit d496d03e8aa3079e0d29837b27b31b9a55afd02e)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 57fc49475db35b965ea50e5b60114fa46b2be37f)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15111: Do not include the antiClickjack legacy browser trick for greybox

Most of the scripts called via greybox (which uses iframe) don't include
doc-head-close. But some do.
This patch adds a popup parameter for these templates, not to include
the legacy browser trick and avoid the replacement of the location.

Test plan:
1/ Export patroncard and label
2/ translate itemtypes
3/ click on a idref link at the OPAC

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit fc640d2a86f395ad392f84314bce22e8b4dab1fe)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 45e39882432dd9fdae0fc1b1ef7b7b8b09a9480a)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15111: Change X-Frame-Options with SAMEORIGIN

There are some places where frames are used, the greybox JS plugin for
instance.

We need either to allow them from Koha or replace this plugin.
The easier for now is to switch the value from DENY with SAMEORIGIN.

Test plan:
- modify a record in a batch (tools/batch_record_modification.pl)
- click on preview marc
=> With only the previous patch you will get a blank page.
=> With this patch apply, it will work as expected.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit fb167c0e4b897bf9a93b4fd6176b15e2d4dbd4df)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 201e1f239728f3656f5f71792a7d5ce9b5a05144)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks

Web pages that can be embedded in frames are vulnerable to cross-frame
scripting attacks. Cross-frame scripting is a type of phishing attack
that involves instructions to an unsuspecting user to follow a specific
link to update confidential information in an online application.
Because the link leads to a legitimate page from the online application
that is embedded in a frame hosted by the attackers' server, the
attackers can capture all the information that the user enters.

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit dc03bca76cf5b7cb48d98d1ce245fc65b98be929)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit c97a01e1330ab5b1b1df7029d2149efa0deb19a4)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 16179: Do not crash if "rate me" is clicked and not rate selected

If JS is disabled and a user clicks on the "Rate me" button, Koha will
crashes with:
DBIx::Class::ResultSet::create(): Column 'rating_value' cannot be null
at /usr/share/koha/lib/C4/Ratings.pm line 208

To avoid that, opac-ratings.pl will check if a rate has been selected.

Test plan:
Disable JS
On a record detail page, click on the "Rate me" button

TESTED PLAN:
1) go to /cgi-bin/koha/opac-ratings.pl?biblionumber=1
   -- kaboom as above.
2) apply patch
3) refresh
   -- either login screen (don't know why)
   -- or if already logged in, detail page.
4) koha qa test tool

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

I tested successfully by temporarily removing the modification made by
Bug 16210.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit b679cac96409b7248f8e224e10c73dafa4c82890)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit a965702c08f84d8d770fb81e09f13bee8e922bba)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15832: Remove empty string from the filters

On each cell, the split will generate a new empty entry.
This patch removes that entry.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit 1931ff465317aa2bf8d31c0c817ff0c4d75ea8dc)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit ef6c60d8ccc93832f87f7b6fe1f3daa5ce48dda9)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15832 - Fix filter and items split-up in pendingreserves.tt

Test plan:

- Go to circ/pendingreserves.pl (Ensure that there are biblios with many
  items on different branches),
- Check the libraries filter at the bottom of datatable. There should be
  duplicates.
- Apply this patch and return to circ/pendingreserves.pl,
- check that libraries filter should not contain duplicate,
- check that the filter works.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit 82be93af1ccbd3544646a6345ab51183a62d05cb)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 4f699275a76107f3a210a199dc9cadd5da2560f3)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15113: koha-rebuild-zebra should check USE_INDEXER_DAEMON and skip if enabled

This patch changes the behaviour of the koha-rebuild-zebra script in the following way:

USE_INDEXER_DAEMON=no
- Keeps the current behaviour

USE_INDEXER_DAEMON=yes
- It skips incremental indexing to avoid races.

Caveats:
- A --force option is introduced for useing in a specific situtation that might need it
 (i.e. the administrator knows what he's doing).
- If --full is passed, the reindexing is not skipped.

The documentation files and messages are adjusted accordingly.

This patch should help users that want to use the indexing daemon, in which case they wouldn't need
to change their default 5 min cronjob (it will be just skipped). Ultimately, koha-common could have
USE_INDEXER_DAEMON = yes by default, but that's subject for another bug report.

To test:
- Play with the different option switches and USE_INDEXER_DAEMON
- Things work as expected
- Sign off

Regards

Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as expected

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Your Full Name <your_email>
(cherry picked from commit 997ad166c6ea53d47e3e15e7720d63da9f3b0a80)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 67dd96545bf8fdabdc98428438cbd92a5ae33c9f)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 14816: Fix multiple selection in item search

Send each selected value as a separate parameter. Otherwise DataTables
(or jQuery ?) joins all values with a comma

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

I could not reproduce the bug when selecting multiple home libraries,
but I could by selecting multiple item types or collection codes. The
patch allowed those queries to complete correctly.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit 9aa8bf46f6b45ebcd342c09bd3a09ae55f3dd4a8)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 47ebb4ffb1869b52f1c011e3a6b236b85b0e51ab)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15928 - Show unlinked guarantor

To test:
1 - Add guarantor data to patron account by typing it in but do not 'Set to patron'
2 - Note it is not displayed on patron details
3 - Apply patch
4 - Note the info is displayed
5 - Test that linked guarantors show as expected

Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit bebb61739f4460295151a37d44cc1a2d6f956d26)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15962: Block the currency deletion if used

A currency should not be deleted if used by a vendor or a basket.

Test plan:
1/ Add a new currency
2/ Create a vendor using this currency
3/ Create a basket using this currency
4/ Try to delete the currency
5/ Delete the basket
6/ Try to delete the currency
7/ Delete the vendor
8/ Delete the currency

Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit c20496aea938e1faaa53daff5e2cf3d697b0eac9)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 16133: Translatability of database administrator account warning

This patch removes sentence splitting of the database administrator warning with
a button styled link.

Additionally, it uses the same wording as in the warning on the 'About' page.

To test:

- Apply patch
- Log in to Staff client as database administration user
- Verify that the wording of the warning is the same as on the About page (Tab
  'System information')
- Verify that the link to the patron administration page is styled as a button
  and behaves correctly

NOTE: Actually, the category is irrelevant. But I like the improved message.
      Categories may or may not be set up at the initial log in.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit e53b80dedf91617f9eecb9defd2d6f5222f03d65)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit c6a049167f9f1b4d4df81520900b23d2b9e0ea46)

Bug 16191: t/Ris.t is noisy

TEST PLAN
---------
1) prove t/Ris.t
   -- very noisy
2) apply patch
3) prove t/Ris.t
   -- just one confusing noise.
4) run koha qa test tools

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit 5b909a82693d452d233e95d7598092aa5ee14c17)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit af42fd5e81c7ce2764dc9796293e9815f9809b54)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 16047 [Follow-up] Software error on deleting a group with no category code

This follow-up take the original patch a little further, making category
name required on the entry form as well. Without a category name there
is no label in the interface when selecting a category. That doens't
make any sense.

Also changed on the group entry form:

- Added "required" attribute to labels on required fields.
- Changed "Update" submit button label to "Submit."
- Added a "Cancel" link.
- Added the "validated" class to the form so that our built-in
  validation script will process it (not strictly necessary but makes
  the validation appearance more consistent).

Followed test plan, form displays and behaves as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit df127ebad814ad1710b161b85a69d408de95de85)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit c514e1fee2890660caa36c1dae62bcfbc6f72fc3)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 16047: Making category code a required field on creating a group

This will prevent users from creating a group without a category code,
which causes a software error when you try to delete it

To test:
1) Go to Admin -> Libraries and groups
2) Create new group without category code
3) Attempt to delete the group you just created and notice software
   error
4) Apply patch
5) Create new group without category code
6) Notice you now cannot save the group without putting in a category
  code

Sponsored-by: Catalyst IT
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit 577aa86eb96160088c70008bfe85ae2c0820f547)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 730cfb59258841572d19ffd9eedf36571edc100a)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 16029: Hide patron toolbar if patron does not exist

To test:
1) Create a patron, take note of the borrower number
2) Delete the patron
3) Navigate to the page of the patron you just deleted by typing the url (ie /cgi-bin/koha/members/moremember.pl?borrowernumber=X)
4) Confirm that the patron toolbar is not showing on the page
5) The message now has a link that says 'Find another patron?'. Click this link and confirm you are taken to the member home pgae.

Sponsored-by: Catalyst IT

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit 1870141874667d854f9b5508c563169baefb2328)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit e0ad205512af9dba2a9d5cad70bf6fdffecc6e17)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15984 - Correct templates which use the phrase "issuing rules"

This patch corrects two places in the templates where the phrase
"issuing rules" is used instead of "circulation and fine rules."

To test, apply the patch and view the help pages for Administration ->
Circulation and fine rules; and Tools -> Automatic item modification by
age. Confirm that the term "circulation and fine rules" is used instead
of "issuing rules."

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit 98a9e30f040661e0a67a594f72abd8ab02cf9ad6)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 1c1d9558eb6df6f44e96d204e8e6683e3ae04491)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 14076: Do not use CGI->param in list context - opac-authorities-home.pl

See bug 15809 for more info on why we should not use CGI->param in list
context.

Note: I have not found any places where several values for the same
params are passed to this script but, just in case, this patch won't
change this ability.

Test plan:
Do an authority search at the OPAC
Test with several values of the form.
Confirm that the results are always the same before and after this
patch.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit 3fa2b10150a9ea2db2897be1246cba3785c55e55)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 182838a54498b4a00a4077779458cf005f5ec444)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15809: Redefine multi_param is CGI < 4.08 is used

On debian Jessie, the CGI version is >= 4.08
Since this version, the param method raise a warning
"CGI::param called in list context".
Indeed, it can cause vulnerability if called in list context

https://metacpan.org/pod/CGI#Fetching-the-value-or-values-of-a-single-named-parameter
http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/

There is a long journey to get rid of these warnings.
First I suggest to redefine the multi_param method when the CGI version
 installed is < 4.08, it will allow us to move the wrong ->param calls to
 ->multi_param without waiting for everybody to upgrade.

The different ways to call these 2 methods are:

my $foo = $cgi->param('foo'); # OK

my @foo = $cgi->param('foo'); # NOK, will raise the warning
my @foo = $cgi->multi_param('foo'); #OK

$template->param( foo => $cgi->param('foo') ); # NOK, will raise the warning
                                               # and vulnerable
$template->param( foo => scalar $cgi->param('foo') ); # OK

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Tested a call to multi_param with CGI < 4.08.
With reference to the comments on Bugzilla, this workaround is arguable,
but provides a base to move to multi_param. If we come up with a better
solution, it should be easy to adjust.

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit 94dde6b48d6e20a5260ea49f9b98ec884c2c25b5)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 279732365eb07bf9f9929402aadd837c16f131b6)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 16184 - Report bor_issues_top shows incorrect number of rows

TEST PLAN
---------
1) Have at least 6 patrons with checkouts and some checkins.
2) Reports -> Patrons with the most checkouts
3) Click 'Submit' (default is 5)
   -- more than 5 entries listed.
4) Apply patch
5) Refresh page
   -- only 5 entries listed.
6) Run koha qa test tools

NOTE: While this works, I'd be much happier with a refactor
      as it would also speed up the report. See comment #5.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 2c68980467009a9d19116440d4f28356707e9e7c)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit bd4659d09f92135a7956496c44af555b5938c8c3)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 16171 - Show many media in html5media tabs

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit c2f92f68d84753d62880e17e9d1bd19c8b9bff47)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 0c37ebee17b81f31838c28f0690cea07b314a893)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15888 - Syndetics Reviews preference should not enable LibraryThing reviews

To test:
1 - Enable Syndetics Reviews without a LibraryThing ID
2 - Check page source and note you have a stanza for LTFL tabbed reveiws
3 - Apply patch
4 - Reload page and note LTFL tabbed reviews are not present
5 - Enter a LibraryThing ID and not the tab is restored.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 541a03cf6daace451f78e614b8019382dcd52acc)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 9a7c37473042cbc0c533ea12e95273b7471d22a3)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15868: Ask for confirmation when deleting a MMT action

Test plan:
Create marc modification template
Add an action
Delete it
With this patch you must get a confirmation mesg

Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 9fddbc045da2dc25389e924262bd8f6e2bc99bfd)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15866: Add confirm message for deleting rotating collection from toolbar

To test:
1) Go to Tools -> Rotating Collections
2) Click on any rotating collection ('Add or remove items' from drop down menu)
3) Click 'Delete' from toolbar. Validate you are now asked to confirm your deletion. Check that cancel works, then check that confirm works.

Sponsored-by: Catalyst IT

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
I've added the word 'rotating' before collection, to make
it clear for translators what is meant here.

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit a48d166bbf506287355c9fceea2633159308c530)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 887bb8c92fbda53713dd0862124b533ce64ece1f)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15838 - Subscription duplicating: Reset fields from SubscriptionDuplicateDroppedInput syspef by getting them using name instead of id

How I tested:
Verified bug with start and end date (were not cleared without patch).
After applying the patch all fields defined in SubscriptionDuplicateDroppedInput
were cleared as expected.

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit 873a49f13b79bf1f5f7163f217cfc3a317ce602f)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 702002129787ceb2cdae61f6dc2352dff1afa84d)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 16214: Fix typo 'To.jon' -> 'To.json'

Bug 15722 introduces a regression in serials patron search results,
causing the surname to not be displayed

To reproduce:
1. Create a routing list for a subscription
2. Click on "Add recipients" button
3. Run a search
4. Check that surname is not displayed

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit e916ded09756ba4902a25e9e68fe536614419c87)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 11ba21369dc99ba2b1ae4d4fbe4af572e6af40e4)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15722: Escape patron infos for JSON in patron searches

If patron infos contain invalid JSON chars (\t for instance), the
results won't appear.
The solution is to escape these info.

Test plan:
Edit patron infos in DB (update borrowers set surname="foobar\t" where
borrowernumber=42)
Search for foobar (you should have more than 1 result)
Without this patch, DT retrieves a bad formatted JSON and the results
won't appear.
With this patch, the table result appears

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit cd20b61a7c845110e518e6dedc12ac50efebe4aa)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit eba74c8e51a52432362150c38d674f661a6228e8)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15773: Fix and standardise checkboxes code in framework

When creating a new subfield for an authority framework, the checkboxes
don't behave as they should.
If you click on the 'repeatable', 'mandatory' or 'is url' checkbox's
label, the checkbox from the second tab will be checked/unchecked.
This is caused by a non-unique id of the input element.

I have found this bug when working on the removal of CGI::checkbox in
both admin/auth_subfields_structure.pl and
admin/marc_subfields_structure.pl scripts.

This patch remove the use of CGI::checkbox as well as the generation of
html code from these 2 pl scripts (which should be avoided).
The code these scripts are now pretty similar.

Test plan:
Add/modify/remove subfield for a MARC framework and an Authority
framework.
Use as many field as possible and confirm that the values are correctly
inserted/displayed.

Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit 39597b86ae299a9b4c0c1e8221f51f9e8dd300ed)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 60e601bf5f485a46b36bf14d2145adf9c25fe098)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15745: C4::Matcher gets CCL parsing error if term contains ? (question mark)

Signed-off-by: Olli-Antti Kivilahti <olli-antti.kivilahti@jns.fi>

Also fixes ! and +
Rebased to master
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
It makes perfect sense and works as expected. This part of the code is too
under-tested so no point requiring a regression test for such a simple change.

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit fcbd81049f590e5fc0c31030bcdb1311951c1444)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 7212c9f41e635a3be54dc2356696b1e9ce6a370f)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15741: Fix rounding in total fines calculations

C4::Members::GetMemberAccountRecords wrongly casts float to integer
It's common to use sprintf in Perl to do this job.

% perl -e 'print int(1000*64.60)."\n"';
64599
% perl -e 'print sprintf("%.0f", 1000*64.60)."\n"';
64600

Test plan:
1) Create manual invoice for 64.60 (or 1.14, 1.36, ...)
2) Try to pay it using "Pay amount" or "Pay selected" buttons

Signed-off-by: Sally Healey <sally.healey@cheshiresharedservices.gov.uk>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 92fbb1f3d0f2bdb070a1b647c96edbce5b28a377)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 40507ce1529a237ec5c51837805100e89e96db9c)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 15323: Use fixtures for the active currency

  prove t/Prices.t
fails after bug 15084 has been pushed
It's caused by
  commit 1538e9ecf47642c4974693ff499c3e95e4d71977
    Bug 15084: Replace C4::Budgets::GetCurrencies with
    Koha::Acquisition::Currencies->search

Koha::Number::Price->_format_params calls
Koha::Acquisition::Currencies->get_active, which requests the DB.
The currency data should be mocked.

Test plan:
sudo service mysql stop
prove t/Prices.t
 should return green

Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Patch works as expected and passes the qa-tools tests.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 0a14e22d59343475ed6970b82b474a80e43d8e29)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit c4c7ea475b813d97595a6114ef2e31028ec6efe5)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 14441: TrackClicks cuts off/breaks URLs (XSLT)

Same test plan as previous patch, but for opac defail and result using
the XSLT views.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
I am amazed!

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit ee0abde76e78713233a9fcd31fbb6f80b5a9610c)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 97de8be7046833a3a1e6ced3e3d512c89ca8cb85)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>